CN113553616A - Trusted data security service method, device, equipment and system - Google Patents


Info

Publication number: CN113553616A
Authority: CN (China)
Prior art keywords: document, medical, data security, security service, institution terminal
Legal status: Pending
Application number: CN202110823930.7A
Other languages: Chinese (zh)
Inventors: 蔡俊祥, 施建安, 庄一波, 黄晶晶, 冯斌
Current assignee: Beijing Yunhui Health Technology Co ltd
Original assignee: Beijing Yunhui Health Technology Co ltd
Priority date:
Filing date:
Publication date:

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H10/00 ICT specially adapted for the handling or processing of patient-related medical or healthcare data
    • G16H10/60 ICT specially adapted for the handling or processing of patient-related medical or healthcare data for patient-specific data, e.g. for electronic patient records
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption

Abstract

The embodiment of the invention provides a trusted data security service method, a trusted data security service device, equipment and a trusted data security service system. The trusted data security service method comprises the following steps: receiving a storage request for a medical document initiated by a medical institution terminal; encrypting the medical document according to the storage request to obtain a digital envelope and an encrypted document corresponding to the medical document; performing an encryption operation on the document information of the medical document, the institution information of the medical institution terminal and the time information to generate a document ID corresponding to the medical document, and storing the digital envelope and the encrypted document in a trusted library according to the document ID; receiving a document query request initiated by the medical institution terminal that comprises the document ID, and returning the digital envelope and encrypted document corresponding to the query request to the medical institution terminal, so that the medical institution terminal can decrypt the digital envelope and the encrypted document with a local SDK package and thereby obtain the plaintext medical document.

Description

Trusted data security service method, device, equipment and system
Technical Field
The invention relates to the field of medical data, in particular to a trusted data security service method, a trusted data security service device, equipment and a trusted data security service system.
Background
Medical and health big data are increasingly becoming an important basic strategic resource of the country, but at present they face problems such as incomplete laws and regulations and the risk of data and privacy disclosure, and security protection urgently needs to be strengthened. Most medical institutions now use information systems to collect, process, analyse and store medical and health data, which has improved efficiency but has also created hidden data security risks, and leaks of medical and health data occur from time to time.
At present, methods for protecting data privacy mainly consist of storing the data securely: a trusted secure data exchange all-in-one machine, based on a standardised service interface, encrypts the stored data and applies the digital signature of a trusted certificate, preventing the privacy of health records from being disclosed. Through digital signatures, the signature of a trusted CA certificate can serve as evidence for forensic procedures. Secure data transmission and digital envelope transmission ensure that only designated persons can read the content, preventing health record data from being sniffed. A traceable log is also used: retrieval records are digitally signed and store data such as the retrieving party's identifier, the health record identifier and the time, so that the log cannot be tampered with.
The trusted secure data exchange all-in-one machine can meet the requirements of secure storage and trusted retrieval of data. However, problems may remain: for example, the institution's basic symmetric key or the access application's asymmetric key may be tampered with by someone writing directly to the backend, so that the related historical stored data becomes invalid and the corresponding encryption and decryption can no longer be performed.
Disclosure of Invention
In view of the above, the present invention provides a trusted data security service method, device, apparatus and system to improve the above problems.
The embodiment of the invention provides a trusted data security service method, which comprises the following steps:
receiving a storage request for medical documents initiated by a medical institution terminal;
encrypting the medical document according to the storage request to obtain a digital envelope and an encrypted document corresponding to the medical document;
performing an encryption operation on the document information of the medical document, the institution information of the medical institution terminal and the time information to generate a document ID corresponding to the medical document, and storing the digital envelope and the encrypted document in a trusted library according to the document ID;
receiving a document query request which is initiated by the medical institution terminal and comprises a document ID, and returning a digital envelope and an encrypted document which correspond to the document query request to the medical institution terminal according to the query request, so that the medical institution terminal can decrypt the digital envelope and the encrypted document according to a local SDK packet, and a plaintext medical document is obtained.
Preferably, the method further comprises the following steps:
receiving a key pair generation request sent by the medical institution terminal;
generating a key pair containing a public key and a private key according to the key pair generation request, and returning the key pair to the medical institution terminal;
and receiving the public key returned by the medical institution terminal.
Preferably, the document information comprises an electronic health card ID and a document number; the institution information comprises a medical institution terminal identifier and an institution identity authentication key; and the time information is a timestamp.
The document ID is obtained by encrypting the document information, the institution information of the medical institution and the time information with SM4; the block cipher mode used for this encryption is ECB.
Preferably, encrypting the medical document according to the saving request to obtain a digital envelope and an encrypted document corresponding to the medical document specifically comprises:
encrypting the medical document by using a self symmetric key to generate an encrypted document;
and encrypting the symmetric key by using a public key of the medical institution end to generate a digital envelope.
Preferably, the method further comprises the following steps:
receiving a signature sent by a medical institution terminal, and storing the signature;
adding the signature to the medical document.
Preferably, the method further comprises the following steps:
while sending the medical document to the medical institution, recording the corresponding time, the visitor and the visitor's record of the document information, and providing query of these records and statistics of the access records of the corresponding document.
The embodiment of the invention also provides a trusted data security service device, which comprises:
the storage unit is used for receiving a storage request for the medical document initiated by the medical institution terminal;
the encryption unit is used for encrypting the medical document according to the storage request to obtain a digital envelope corresponding to the medical document and an encrypted document;
the document ID generating unit is used for performing an encryption operation on the document information of the medical document, the institution information of the medical institution terminal and the time information to generate a document ID corresponding to the medical document, and storing the digital envelope and the encrypted document in a trusted library according to the document ID;
the return unit is used for receiving a document query request which is initiated by the medical institution terminal and comprises a document ID, and returning a digital envelope and an encrypted document which correspond to the document query request to the medical institution terminal according to the query request, so that the medical institution terminal can decrypt the digital envelope and the encrypted document according to a local SDK packet, and a plaintext medical document is obtained.
The embodiment of the invention also provides a trusted data security service platform, which comprises a memory and a processor, wherein a computer program is stored in the memory, and the computer program can be executed by the processor so as to realize the trusted data security service method.
The embodiment of the invention also provides a trusted data security service system, which comprises a medical institution terminal, a trusted library and the trusted data security service platform; wherein:
the medical institution terminal is used for sending a storage request for medical documents to the trusted data security service platform;
the trusted data security service platform is used for encrypting the medical document according to the storage request to obtain a digital envelope and an encrypted document corresponding to the medical document, performing an encryption operation on the document information of the medical document, the institution information of the medical institution terminal and the time information to generate a document ID corresponding to the medical document, and storing the digital envelope and the encrypted document in the trusted library according to the document ID;
the medical institution terminal is also used for initiating a document query request to the trusted data security service platform; the document query request includes a document ID;
the trusted data security service platform is further used for returning a digital envelope and an encrypted document corresponding to the document query request to the medical institution terminal according to the query request;
the medical institution terminal is further used for decrypting the digital envelope and the encrypted document according to a local SDK packet, so that a plaintext medical document is obtained.
In summary, the trusted data security service method of the embodiment has the following advantages:
(1) The data is stored securely: even if an attacker dumps the database or performs credential stuffing, the core users' diagnosis and treatment data cannot be obtained.
(2) The medical document identifier generated with the national cryptographic algorithm associates and unifies the core elements 'things, institutions, people, data and time'.
(3) All uploaded and registered documents are encrypted and stored in a FastDFS distributed file system with one key per file, so that the key of one medical document cannot be used to decrypt another.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a trusted data security service method according to a first embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a trusted data security service apparatus according to a second embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a trusted data security service system according to a third embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
The invention is described in further detail below with reference to the following detailed description and accompanying drawings:
the embodiment of the invention provides a trusted data security service method which can be executed by a trusted data security service platform to at least realize the following steps:
S101, receiving a medical document storage request initiated by a medical institution terminal.
In this embodiment, the trusted data security service platform may be a server located in the cloud. The server exposes various interfaces for data interaction with external clients, for example to manage the access information of connected clients, including management of the client access public key submitted by the client, updating of the client's own public key information, and a service for downloading the access public key of the trusted data security service system.
In this embodiment, the medical institution side may implement interaction with the trusted data security service platform through a corresponding interface, for example, it may upload a medical document that needs to be saved to the trusted data security service platform for saving, and the like.
S102, encrypting the medical document according to the storage request to obtain a digital envelope and an encrypted document corresponding to the medical document.
S103, performing an encryption operation on the document information of the medical document, the institution information of the medical institution and the time information to generate a document ID corresponding to the medical document, and storing the digital envelope and the encrypted document in a trusted library according to the document ID.
In this embodiment, in order to ensure the privacy of the medical document, the trusted data security service platform does not store the medical document in a plaintext form, but stores the medical document after encrypting the medical document. The encryption steps are as follows:
First, the medical institution terminal sends a key pair request to the trusted data security service platform, and the platform returns a key pair, consisting of a paired public key and private key, to the medical institution terminal.
In the present embodiment, the key pair is implemented by a CA certificate. A CA is the issuing authority of CA certificates and the core of a Public Key Infrastructure (PKI): it is responsible for issuing certificates, authenticating certificates and managing the certificates it has issued. The CA has its own certificate (containing a public key and a private key). Users on the network trust the CA by verifying its signature, and anyone can obtain the CA's certificate (including its public key) to verify the certificates it has issued.
Second, the medical institution terminal sends the public key to the trusted data security service platform for storage.
Third, the trusted data security service platform encrypts the plaintext medical document with its own symmetric key to generate the encrypted document, and encrypts that symmetric key with the public key of the medical institution terminal to generate the digital envelope.
Then the trusted data security service platform obtains the document ID by encrypting the document information, the institution information of the medical institution and the time information with SM4.
The document information comprises an electronic health card ID and a document number; the institution information comprises the medical institution terminal identifier and an institution identity authentication key; and the time information is a timestamp. The block cipher mode used for this encryption is ECB.
The document ID thus associates and unifies the core elements 'things, institutions, people, data and time'.
Finally, the trusted data security service platform associates the document ID, the encrypted document and the digital envelope, and stores them in the trusted library.
All medical documents of the trusted data security service platform must be stored in the trusted library; when the trusted data security service system carries out a document operation, the system stores a corresponding detailed log. Everything in the trusted library is stored encrypted, with one key per file, and the cipher mechanism follows the national cryptographic (SM) security standards. The trusted library provides mechanisms such as redundant backup, load balancing and linear scaling, with a focus on high availability and high performance.
S104, receiving a document query request which is initiated by the medical institution terminal and comprises a document ID, and returning a digital envelope and an encrypted document which correspond to the document query request to the medical institution terminal according to the query request, so that the medical institution terminal can decrypt the digital envelope and the encrypted document according to a local SDK packet, and a plaintext medical document is obtained.
In this embodiment, when the medical institution terminal wants to obtain a medical document, it first sends a query request or a document export request to the trusted data security service platform. The query request contains a document ID. After receiving the query request, the platform retrieves the corresponding digital envelope and encrypted document by the document ID. The medical institution terminal then uses its local SDK to decrypt the digital envelope with its own private key, obtaining the symmetric key of the trusted data security service platform, and decrypts the encrypted document with that symmetric key to obtain the plaintext medical document.
The SDK is designed around the document export process to provide the required functions, simplifying access for the medical institution terminal so that it can quickly connect to the trusted data security service system and extract documents. The SDK may also include functions such as generating a key pair, generating a digital envelope and parsing a digital envelope.
It should be noted that data in a computer is stored as ASCII codes, and ASCII values between 128 and 255 are invisible characters. When data is exchanged over the network it often passes through many routing devices, and different devices handle characters differently, so invisible characters may be processed incorrectly, which is unfavourable for transmission. Therefore, in the present embodiment, the data is transmitted BASE64-encoded in every data transmission environment, and the final plaintext medical document is obtained only after decoding, which is not described further here.
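The storage and query flow of S101 to S104 (and the same steps listed in the Disclosure above) as an added Go example; this is editorial code, not code from the patent or its assignee. It assumes AES-GCM in place of the SM4 the patent names and RSA-OAEP in place of its CA-issued asymmetric key pair, an in-memory map as the trusted library, and constructed sample identifiers; the document ID derivation keeps the patent's ECB construction, and the terminal-side step shows that one document's key cannot open another.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Envelope is what a query returns: the per-document key wrapped with the institution's public
// key (the digital envelope) plus the encrypted document, both BASE64 for transport. Assumption:
// AES-GCM stands in for the SM4 the patent names, RSA-OAEP for its CA-issued asymmetric key pair.
type Envelope struct {
	WrappedKey string
	Ciphertext string // nonce || AES-GCM output
}

type Platform struct {
	idKey []byte              // platform key used only to derive document IDs
	store map[string]Envelope // the "trusted library": document ID -> envelope + ciphertext, never plaintext
}

func NewPlatform() *Platform {
	k := make([]byte, 16)
	rand.Read(k)
	return &Platform{idKey: k, store: map[string]Envelope{}}
}

// DocumentID follows the page: block-encrypt (health card ID, document number, institution ID,
// institution auth key, timestamp) in ECB mode. ECB is deterministic: equal inputs, equal IDs.
func (p *Platform) DocumentID(cardID, docNo, inst, instAuthKey string, ts time.Time) string {
	blk, _ := aes.NewCipher(p.idKey)
	msg := []byte(fmt.Sprintf("%s|%s|%s|%s|%s", cardID, docNo, inst, instAuthKey, ts.UTC().Format(time.RFC3339)))
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	msg = append(msg, bytes.Repeat([]byte{byte(pad)}, pad)...) // PKCS#7 padding
	out := make([]byte, len(msg))
	for i := 0; i < len(msg); i += aes.BlockSize {
		blk.Encrypt(out[i:i+aes.BlockSize], msg[i:i+aes.BlockSize])
	}
	return fmt.Sprintf("%x", out)
}

// Store is S102/S103: fresh symmetric key per document ("one file, one secret"), document
// sealed with it, key wrapped with the institution's registered public key.
func (p *Platform) Store(pub *rsa.PublicKey, cardID, docNo, inst, instAuthKey string, plaintext []byte) (string, error) {
	docKey := make([]byte, 16)
	rand.Read(docKey)
	blk, _ := aes.NewCipher(docKey)
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nonce, nonce, plaintext, nil) // nonce prepended to the ciphertext
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, docKey, nil)
	if err != nil {
		return "", err
	}
	id := p.DocumentID(cardID, docNo, inst, instAuthKey, time.Now())
	p.store[id] = Envelope{base64.StdEncoding.EncodeToString(wrapped), base64.StdEncoding.EncodeToString(ct)}
	return id, nil
}

// Query is S104: hand back the envelope and ciphertext only; decryption happens at the terminal.
func (p *Platform) Query(id string) (Envelope, bool) { env, ok := p.store[id]; return env, ok }

// OpenEnvelope is the terminal-side SDK step: unwrap the document key with the private key,
// then decrypt. A key unwrapped from another document's envelope fails GCM authentication.
func OpenEnvelope(env Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, err1 := base64.StdEncoding.DecodeString(env.WrappedKey)
	ct, err2 := base64.StdEncoding.DecodeString(env.Ciphertext)
	if err1 != nil || err2 != nil {
		return nil, errors.New("envelope is not valid BASE64")
	}
	docKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(docKey)
	gcm, _ := cipher.NewGCM(blk)
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	p := NewPlatform()
	id, _ := p.Store(&priv.PublicKey, "card-123", "doc-7", "hospital-01", "auth-key-abc", []byte("constructed sample record"))
	env, _ := p.Query(id)
	pt, err := OpenEnvelope(env, priv)
	fmt.Printf("id=%s plaintext=%q err=%v\n", id, pt, err)
}
```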
In summary, the trusted data security service method of the embodiment has the following advantages:
(1) The data is stored securely: even if an attacker dumps the database or performs credential stuffing, the core users' diagnosis and treatment data cannot be obtained.
(2) The medical document identifier generated with the national cryptographic algorithm associates and unifies the core elements 'things, institutions, people, data and time'.
(3) All uploaded and registered documents are encrypted and stored in a FastDFS distributed file system with one key per file, so that the key of one medical document cannot be used to decrypt another.
Preferably, the method further comprises the following steps:
receiving a signature sent by a medical institution terminal, and storing the signature;
adding the signature to the medical document.
In this embodiment, the signature improves the user's level of trust: the medical institution terminal can upload and update its signature, and the trusted data security service can add the corresponding signature to exported medical documents so that the documents carry the corresponding authority.
Preferably, the method further comprises the following steps:
while sending the medical document to the medical institution, recording the corresponding time, the visitor and the visitor's record of the document information, and providing query of these records and statistics of the access records of the corresponding document.
Referring to fig. 2, a second embodiment of the present invention further provides a trusted data security service device, which includes:
a saving unit 210, configured to receive a saving request for a medical document initiated by a medical institution terminal;
an encrypting unit 220, configured to encrypt the medical document according to the saving request, so as to obtain a digital envelope and an encrypted document corresponding to the medical document;
a document ID generation unit 230, configured to perform an encryption operation according to document information of the medical document, institution information of a medical institution and time information, generate a document ID corresponding to the medical document, and store the digital envelope and the encrypted document in a trusted library according to the document ID;
a returning unit 240, configured to receive a document query request including a document ID initiated by the medical institution terminal, and return a digital envelope and an encrypted document corresponding to the document query request to the medical institution terminal according to the query request, so that the medical institution terminal can decrypt the digital envelope and the encrypted document according to a local SDK packet, thereby obtaining a plaintext medical document.
The third embodiment of the present invention further provides a trusted data security service platform, which includes a memory and a processor, where the memory stores a computer program, and the computer program can be executed by the processor to implement the trusted data security service method as described above.
Referring to fig. 3, a fourth embodiment of the present invention further provides a trusted data security service system, which includes a medical institution terminal 100, a trusted repository 300, and the trusted data security service platform 200 as described above; wherein:
the medical institution terminal 100 is configured to initiate a storage request for a medical document to the trusted data security service platform 200;
the trusted data security service platform 200 is configured to encrypt the medical document according to the storage request, obtain a digital envelope and an encrypted document corresponding to the medical document, perform encryption operation according to document information of the medical document, institution information of a medical institution and time information, generate a document ID corresponding to the medical document, and store the digital envelope and the encrypted document in the trusted repository 300 according to the document ID;
the medical institution terminal 100 is further configured to initiate a document query request to the trusted data security service platform 200; the document query request includes a document ID;
the trusted data security service platform 200 is further configured to return a digital envelope and an encrypted document corresponding to the document query request to the medical institution according to the query request;
the medical institution terminal 100 is further configured to decrypt the digital envelope and the encrypted document according to the local SDK packet, so as to obtain a plaintext medical document.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, an electronic device, or a network device) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A trusted data security service method, comprising:
receiving a storage request for medical documents initiated by a medical institution terminal;
encrypting the medical document according to the storage request to obtain a digital envelope and an encrypted document corresponding to the medical document;
performing an encryption operation over the document information of the medical document, the institution information of the medical institution terminal and the time information to generate a document ID corresponding to the medical document, and storing the digital envelope and the encrypted document in a trusted library under the document ID;
receiving a document query request which is initiated by the medical institution terminal and comprises a document ID, and returning the digital envelope and the encrypted document corresponding to the document query request to the medical institution terminal according to the query request, so that the medical institution terminal can decrypt the digital envelope and the encrypted document using a local SDK package and obtain the plaintext medical document.
2. The trusted data security service method of claim 1, further comprising:
receiving a key pair generation request sent by the medical institution terminal;
generating a key pair containing a public key and a private key according to the key pair generation request, and returning the key pair to the medical institution terminal;
and receiving the public key returned by the medical institution terminal.
3. The trusted data security service method according to claim 2, wherein the document information includes an electronic health card ID and a document number; the institution information comprises a medical institution terminal identifier and an institution identity authentication key; and the time information is a timestamp;
the document ID is obtained by encrypting the document information, the institution information of the medical institution and the time information with SM4; the block cipher mode used for the encryption is ECB mode.
4. The trusted data security service method according to claim 2, wherein the encrypting the medical document according to the storage request to obtain a digital envelope and an encrypted document corresponding to the medical document specifically includes:
encrypting the medical document with the platform's own symmetric key to generate the encrypted document;
and encrypting the symmetric key with the public key of the medical institution terminal to generate the digital envelope.
5. The trusted data security service method of claim 2, further comprising:
receiving a signature sent by a medical institution terminal, and storing the signature;
adding the signature to the medical document.
6. The trusted data security service method of claim 2, further comprising:
and, while sending the medical document to the medical institution, recording the corresponding time, the visitor and the information of the document accessed by the visitor; providing a query over these access records; and providing statistics of the access records of the corresponding document.
7. A trusted data security service apparatus, comprising:
the storage unit is used for receiving a storage request for the medical document initiated by the medical institution terminal;
the encryption unit is used for encrypting the medical document according to the storage request to obtain a digital envelope corresponding to the medical document and an encrypted document;
the document ID generating unit is used for performing an encryption operation over the document information of the medical document, the institution information of the medical institution terminal and the time information to generate a document ID corresponding to the medical document, and storing the digital envelope and the encrypted document in a trusted library under the document ID;
the return unit is used for receiving a document query request which is initiated by the medical institution terminal and comprises a document ID, and returning the digital envelope and the encrypted document corresponding to the document query request to the medical institution terminal according to the query request, so that the medical institution terminal can decrypt the digital envelope and the encrypted document using a local SDK package and obtain the plaintext medical document.
8. A trusted data security services platform, comprising a memory and a processor, wherein the memory stores a computer program, and the computer program is executable by the processor to implement the trusted data security services method of any one of claims 1 to 6.
9. A trusted data security service system, which is characterized by comprising a medical institution terminal, a trusted library and the trusted data security service platform as claimed in claim 8; wherein:
the medical institution terminal is used for sending a storage request for medical documents to the trusted data security service platform;
the trusted data security service platform is used for encrypting the medical document according to the storage request to obtain a digital envelope and an encrypted document corresponding to the medical document, performing an encryption operation over the document information of the medical document, the institution information of the medical institution terminal and the time information to generate a document ID corresponding to the medical document, and storing the digital envelope and the encrypted document in the trusted library under the document ID;
the medical institution terminal is also used for initiating a document query request to the trusted data security service platform; the document query request includes a document ID;
the trusted data security service platform is further used for returning a digital envelope and an encrypted document corresponding to the document query request to the medical institution terminal according to the query request;
the medical institution terminal is further used for decrypting the digital envelope and the encrypted document using a local SDK package, so that the plaintext medical document is obtained.
CN202110823930.7A 2021-07-21 2021-07-21 Trusted data security service method, device, equipment and system Pending CN113553616A (en)


Publications (1)

Publication Number Publication Date
CN113553616A true CN113553616A (en) 2021-10-26

Family

ID=78103729



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination