CN113935049A - Fine particle data protection method based on security model - Google Patents

Fine particle data protection method based on security model

Publication number: CN113935049A
Application number: CN202110981766.2A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 刘栋, 颜亮, 谢建武, 刘福金, 文刚
Current assignee: CETC 30 Research Institute
Original assignee: CETC 30 Research Institute
Prior art keywords: data, model, security, protection, encryption

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a fine particle data protection method based on a security model, which comprises the following steps: step 1, establishing a data model; step 2, generating a protection rule and binding the protection rule with the data model to generate a security model; step 3, establishing an association mapping from the data to the security model; step 4, extracting data according to the association mapping between the data and the security model to form security model data; and step 5, executing the protection rule through the security model to complete data protection. In the scheme provided by the invention, the security model provides uniform protection measures for common data, which ensures consistent data protection strength and avoids data leakage caused by a weak point in protection; the security model has its integrity and authenticity protected by a cryptographic algorithm and has strong anti-tampering and anti-counterfeiting capabilities; the complexity of data security configuration management is greatly simplified, the professional technical threshold of data security management is lowered, and the efficiency and security of data protection are improved.

Description

Fine particle data protection method based on security model
Technical Field
The invention relates to the field of data protection, in particular to a fine particle data protection method based on a security model.
Background
In big data applications and cross-domain data sharing scenarios, protection must be provided for large amounts of structured and semi-structured data. Current methods for protecting structured and semi-structured data fall into two modes according to the granularity of protection: 1) Configuring the same data protection rule for the same data, and performing data encryption and access control. Data can be processed in batches, but the protection granularity is coarse. 2) Extracting structural information from specified structured and semi-structured data, configuring a protection rule for that structural information, and encrypting and access-controlling the data associated with the structural information according to the protection rule. This method has fine protection granularity, but rules must be configured separately for data with different structural information, so the configuration management workload is large.
To avoid data leakage, the data protection strength and protection granularity generally have to meet security requirements. Configuring protection rules places high demands on the skill of the administrator, and professional data security personnel are generally required for operation and maintenance. In an actual production environment, this is difficult to implement because of factors such as cost and management.
Disclosure of Invention
To address the problems in the prior art, a fine particle data protection method based on a security model is provided; it mainly comprises technical implementations at a model layer and a data layer. At the model layer, common service data is abstracted into a data model according to the service scenario and service requirements, and security rules are embedded at the data model level to form a security model. At the data layer, the structured and semi-structured data to be protected is associated with and mapped to the security model, which enables automatic data extraction and automatic data-to-model conversion, while data protection is performed automatically according to the embedded rules. Through the design of the model layer and the data layer, data security management is simplified and the level of data protection is improved.
The technical scheme adopted by the invention is as follows: a fine particle data protection method based on a security model comprises the following steps:
step 1, establishing a data model;
step 2, generating a protection rule and binding the protection rule with the data model to generate a security model;
step 3, establishing association mapping from the data to the security model;
step 4, extracting data according to the association mapping between the data and the security model to form security model data;
step 5, executing the protection rule through the security model to complete data protection.
Further, in step 1, the data model is established in one of the following ways: selecting an existing data model in a model library as a parent model, taking a newly built model as a sub-model, and selecting one or more attributes of the parent model as the attributes of the sub-model to form a new data model; or connecting to a database, reading the structural information of a specified database table, and selecting one or more fields of the table as attributes of the newly added model to form a new data model; or importing a semi-structured document and parsing its header or elements as model attributes to form a new data model.
Further, the data model includes: model name, model attribute and the application field of the model.
Further, the sub-steps of step 2 are:
step 2.1, computing a hash of the data model with the SM3 algorithm to generate the data model hash value;
step 2.2, concatenating the version number of the protection rule, the encryption rule, the control rule and the data model hash value, computing a security model hash value over the concatenation result using HMAC with the national cryptographic SM3 algorithm, and forming the protection rule from the concatenation result and the security model hash value;
step 2.3, embedding the protection rule into the data model to form a security model.
Further, the encryption rules include one or more of AES, 3DES, national cryptographic SM4, national cryptographic SM3, protected encryption, conformal encryption, retrievable encryption, and Paillier homomorphic encryption.
Further, the control rule includes an authorization mode based on a range, an authorization method based on time, or an authorization mode based on read-write permission.
Furthermore, when the encryption rules of various algorithms are configured, the execution sequence of the encryption algorithms is configured at the same time, and the extensible design is adopted to support the formation of the encryption algorithms.
Further, the sub-steps of step 3 are:
step 3.1, reading the structure information of the data to be associated to form a source field list;
step 3.2, reading the data model attribute information in the security model to form a target field list;
step 3.3, connecting each source field to its target field by drawing a line, where the start point of the line segment is the source field and the end point is the target field;
step 3.4, allocating resource field filtering conditions;
step 3.5, if the data to be associated is a single piece of data, the association is complete; otherwise, proceeding to step 3.6;
step 3.6, matching fields that have dependency, reference or association relationships among the multiple pieces of data to form the dependencies among the data, completing the association configuration from the data to the security model.
Further, step 5 further includes:
executing the encryption rule flow: executing the encryption algorithm according to the configured encryption rule and encrypting the input service data to form ciphertext data; for encryption rules with multiple encryption algorithms, encryption is executed sequentially in the configured order;
executing the control rule flow: outputting the access control information corresponding to the data according to the configured access control rule.
Compared with the prior art, the technical scheme has the following beneficial effects:
(1) The security protection of common business data of the same level is abstracted into a security model, which provides unified protection measures for that data, ensures consistent data protection strength, and avoids data leakage caused by a weak point in protection arising from manual error or data circulation.
(2) The generated security model has its integrity and authenticity protected by a cryptographic algorithm and has strong anti-tampering and anti-counterfeiting capabilities. On one hand, the data model hash prevents an attacker from forging a data model or replacing the data model bound to the security model with another one; on the other hand, HMAC-based key management and control ensures that only authorized, legitimate users can generate a new security model, which guarantees the authority of the security model.
(3) The generated security model is universal: it supports association with existing structured and semi-structured data as well as with structured and semi-structured data added later. Administrators only need to establish the association from the data to the security model and do not need to deal with data protection themselves, which greatly simplifies data security configuration management, lowers the professional technical threshold of data security management, and greatly improves the efficiency and security of data protection.
Drawings
Fig. 1 is a schematic diagram of the security model proposed by the present invention.
Fig. 2 is a flow chart of a fine particle data protection method based on a security model according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The invention mainly solves the technical problems that:
1) A cryptography-based security model generation method, in which the protection rule is embedded in the data model, solves the problems that data protection configuration management is complex and demands professional expertise, and that insufficient protection strength leads to data leakage. In this method, common service data is abstracted into a data model, professional security personnel configure the protection method for the data model, the protection rules are embedded into the data model, and the protection rules and the data model are strongly bound by cryptographic techniques to form a tamper-resistant security model, which simplifies the management of data protection.
2) A batch data protection technique maps the data to be protected to the security model by association and automatically encrypts the data according to the embedded security rules, so individual pieces of data need not be processed one by one, which greatly simplifies data security management.
As shown in fig. 2, the present invention provides a fine particle data protection method based on a security model, which includes the following steps:
step 1, establishing a data model;
step 2, generating a protection rule and binding the protection rule with the data model to generate a security model;
step 3, establishing association mapping from the data to the security model;
step 4, extracting data according to the association mapping between the data and the security model to form security model data;
step 5, executing the protection rule through the security model to complete data protection.
Specifically, in step 1, the data model comprises a model name, model attributes and the application field of the model, and is established in one of the following ways:
(1) extending an existing model: selecting an existing data model in a model library as a parent model, taking a newly built model as a sub-model, and selecting one or more attributes of the parent model as the attributes of the sub-model to form a new data model;
(2) forming a model by extracting a database table: connecting to a database, reading the structural information of a specified database table, and selecting one or more fields of the table as attributes of the newly added model to form a new data model;
(3) forming a model by importing a semi-structured document: importing the semi-structured document and parsing its header or elements as model attributes to form a new data model. In a preferred embodiment, the semi-structured document is an Excel document or an XSD document.
As shown in fig. 1, the security model in this embodiment consists of a protection rule and a data model, where the protection rule includes a version, an encryption rule, a control rule, a data model hash value, and a security model hash value. The data model hash value, generated by cryptographic techniques, strongly binds the data model to the protection rule to form the security model. The specific steps are as follows:
step 2.1, computing a hash of the data model with the SM3 algorithm to generate the data model hash value;
step 2.2, concatenating the version number of the protection rule, the encryption rule, the control rule and the data model hash value, computing a security model hash value over the concatenation result using HMAC with the national cryptographic SM3 algorithm, and forming the protection rule from the concatenation result and the security model hash value;
step 2.3, embedding the protection rule into the data model to form a security model.
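The binding of steps 2.1 to 2.3 and the tamper checks it enables, as an added example that is not code from the patent. Assumptions: the rule layout, field names, sample social-security model and key are constructed; the four fields of step 2.2 are serialised as canonical JSON rather than joined as raw strings, so field boundaries stay unambiguous; SHA-256 stands in where the local OpenSSL build has no SM3.

```python
import copy
import hashlib
import hmac
import json


def pick_digest():
    """Return "sm3" if this Python/OpenSSL build offers it, else a SHA-256 stand-in."""
    try:
        hashlib.new("sm3", b"")
        hmac.new(b"k", b"m", "sm3").digest()
        return "sm3"
    except Exception:  # any failure means SM3 is not usable here
        return "sha256"


DIGEST = pick_digest()


def canonical(obj):
    """Unambiguous byte encoding (assumed; the page does not fix a serialisation)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def hash_data_model(model):
    """Step 2.1: unkeyed hash over the data model."""
    return hashlib.new(DIGEST, canonical(model)).hexdigest()


def _rule_body(rule):
    """The four fields step 2.2 joins, in a fixed order."""
    return canonical([rule["version"], rule["encryption_rule"],
                      rule["control_rule"], rule["data_model_hash"]])


def _same(a, b):
    """Constant-time comparison of two hex strings."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def build_security_model(model, version, encryption_rule, control_rule, key):
    """Steps 2.2 and 2.3: HMAC the joined fields, embed the rule with the model."""
    rule = {"version": version, "encryption_rule": encryption_rule,
            "control_rule": control_rule,
            "data_model_hash": hash_data_model(model)}
    rule["security_model_hash"] = hmac.new(key, _rule_body(rule), DIGEST).hexdigest()
    return {"data_model": model, "protection_rule": rule}


def verify_security_model(sec_model, key):
    """Run before executing any rule (step 5). Returns (ok, reason)."""
    rule = sec_model["protection_rule"]
    expected = hmac.new(key, _rule_body(rule), DIGEST).hexdigest()
    if not _same(expected, rule["security_model_hash"]):
        return False, "protection rule HMAC mismatch"
    if not _same(hash_data_model(sec_model["data_model"]), rule["data_model_hash"]):
        return False, "data model does not match bound hash"
    return True, "ok"


def demo():
    key = b"constructed-demo-key"  # constructed; a real key comes from key management
    model = {"name": "social_security", "field": "social insurance",
             "attributes": ["name", "id_number", "insured_amount"]}
    # The list order is the configured execution order of the algorithms.
    enc = [{"attribute": "id_number", "algorithms": ["SM4"]},
           {"attribute": "insured_amount", "algorithms": ["Paillier"]}]
    ctl = {"mode": "read-write", "read": ["auditor"], "write": []}
    sm = build_security_model(model, "1.0", enc, ctl, key)
    results = {"intact": verify_security_model(sm, key)}

    swapped = copy.deepcopy(sm)  # data model replaced, rule untouched
    swapped["data_model"]["attributes"] = ["name"]
    results["model_swapped"] = verify_security_model(swapped, key)

    rebound = copy.deepcopy(swapped)  # unkeyed hash recomputed without the key
    rebound["protection_rule"]["data_model_hash"] = hash_data_model(rebound["data_model"])
    results["model_rebound"] = verify_security_model(rebound, key)

    weakened = copy.deepcopy(sm)  # encryption rule stripped without the key
    weakened["protection_rule"]["encryption_rule"] = []
    results["rule_weakened"] = verify_security_model(weakened, key)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The `model_rebound` case shows why both values are needed: the unkeyed data model hash alone can be recomputed by anyone, and it is the keyed HMAC over it that makes the substitution detectable.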
The encryption rules include one or more of AES, 3DES, national cryptographic SM4, national cryptographic SM3, protected encryption, conformal encryption, retrievable encryption, and Paillier homomorphic encryption; in this embodiment, the encryption rules are configured graphically.
The control rule includes a range-based authorization mode, a time-based authorization mode, or a read-write-permission-based authorization mode; in this embodiment, the control rule is configured graphically, and an extensible design is adopted so that new authorization modes can be supported.
In a preferred embodiment, when the encryption rules of multiple algorithms are configured, the execution sequence of the encryption algorithms is configured at the same time, and the extensible design is adopted to support the formation of the encryption algorithms.
In step 3, the association is made graphically; filtering of the associated data can be configured, and two or more pieces of data with different structural information can be associated to the same security model. The specific steps are as follows:
step 3.1, reading the structure information of the data to be associated to form a source field list;
step 3.2, reading data model attribute information in the security model to form a target field list; for example, in the social security data model, the attribute information comprises attributes such as a participant and a participant;
step 3.3, connecting each source field to its target field by drawing a line, where the start point of the line segment is the source field and the end point is the target field;
step 3.4, allocating resource field filtering conditions;
step 3.5, if the data to be associated is a single piece of data, the association is complete; otherwise, proceeding to step 3.6;
step 3.6, matching fields that have dependency, reference or association relationships among the multiple pieces of data to form the dependencies among the data, completing the association configuration from the data to the security model.
In step 4, data is extracted according to the association from the data to the security model to form model data; for multiple pieces of data associated to the same security model, the data is extracted according to the data dependency relationships, and the union of the multiple pieces of data is taken during extraction.
This embodiment also provides the execution flow of the encryption rule and the control rule, with the following specific steps:
Executing the encryption rule flow: the encryption algorithm is executed according to the encryption rule, and the input service data is encrypted to form ciphertext data. Where multiple encryption algorithms are configured, encryption is performed sequentially in the configured order.
Executing the control rule flow: the access control information corresponding to the data is output according to the embedded control rule, and the access control rule is exported as an XML file as required.
The invention provides a novel data protection scheme for big data and data sharing scenarios, which mainly comprises technical implementations at a model layer and a data layer. At the model layer, common service data is abstracted into a data model according to the service scenario and service requirements, and security rules are embedded at the data model level to form a security model. At the data layer, the structured and semi-structured data to be protected is associated with and mapped to the security model, which enables automatic data extraction and automatic data-to-model conversion, while data protection is performed automatically according to the embedded rules. Through the design of the model layer and the data layer, data security management is simplified and the level of data protection is improved.
The invention is not limited to the foregoing embodiments. The invention extends to any novel feature or any novel combination of features disclosed in this specification and any novel method or process steps or any novel combination of features disclosed. Those skilled in the art to which the invention pertains will appreciate that insubstantial changes or modifications can be made without departing from the spirit of the invention as defined by the appended claims.
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Any feature disclosed in this specification may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.

Claims (9)

1. A fine particle data protection method based on a security model is characterized by comprising the following steps:
step 1, establishing a data model;
step 2, generating a protection rule and binding the protection rule with the data model to generate a security model;
step 3, establishing association mapping from the data to the security model;
step 4, extracting data according to the association mapping between the data and the security model to form security model data;
step 5, executing the protection rule through the security model to complete data protection.
2. The fine particle data protection method based on the security model according to claim 1, wherein in step 1, the data model is established in one of the following ways: selecting an existing data model in a model library as a parent model, taking a newly built model as a sub-model, and selecting one or more attributes of the parent model as the attributes of the sub-model to form a new data model; or connecting to a database, reading the structural information of a specified database table, and selecting one or more fields of the table as attributes of the newly added model to form a new data model; or importing a semi-structured document and parsing its header or elements as model attributes to form a new data model.
3. The security model-based fine particle data protection method of claim 2, wherein the data model comprises: model name, model attribute and the application field of the model.
4. The security model-based fine particle data protection method according to claim 3, wherein the sub-steps of step 2 are:
step 2.1, computing a hash of the data model with the SM3 algorithm to generate the data model hash value;
step 2.2, concatenating the version number of the protection rule, the encryption rule, the control rule and the data model hash value, computing a security model hash value over the concatenation result using HMAC with the national cryptographic SM3 algorithm, and forming the protection rule from the concatenation result and the security model hash value;
step 2.3, embedding the protection rule into the data model to form a security model.
5. The security model-based fine grain data protection method of claim 4, wherein the encryption rules include one or more of AES, 3DES, SM4, SM3, protected encryption, conformal encryption, retrievable encryption, Paillier homomorphic encryption.
6. The security model-based fine particle data protection method according to claim 5, wherein the control rule comprises a range-based authorization method, a time-based authorization method, or a read-write permission-based authorization method.
7. The fine particle data protection method based on the security model according to claim 5 or 6, characterized in that when configuring the encryption rules of multiple algorithms, the execution sequence of the encryption algorithms is configured at the same time, and the formation of the encryption algorithms is supported by adopting an extensible design.
8. The security model-based fine particle data protection method according to claim 6, wherein the sub-steps of step 3 are:
step 3.1, reading the structure information of the data to be associated to form a source field list;
step 3.2, reading the data model attribute information in the security model to form a target field list;
step 3.3, connecting each source field to its target field by drawing a line, where the start point of the line segment is the source field and the end point is the target field;
step 3.4, allocating resource field filtering conditions;
step 3.5, if the data to be associated is a single piece of data, the association is complete; otherwise, proceeding to step 3.6;
step 3.6, matching fields that have dependency, reference or association relationships among the multiple pieces of data to form the dependencies among the data, completing the association configuration from the data to the security model.
9. The security model-based fine particle data protection method according to claim 8, wherein step 5 further comprises:
executing the encryption rule flow: executing the encryption algorithm according to the configured encryption rule and encrypting the input service data to form ciphertext data; for encryption rules with multiple encryption algorithms, encryption is executed sequentially in the configured order;
executing the control rule flow: outputting the access control information corresponding to the data according to the configured access control rule.
Application CN202110981766.2A: Fine particle data protection method based on security model (Pending), published as CN113935049A (en)

Priority date: 2021-08-25
Filing date: 2021-08-25
Publication date: 2022-01-14
Family ID: 79274493
Country: CN

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116305187A (en) * 2023-01-14 2023-06-23 北京惠企易点通科技有限公司 Decision flow model calculation method and device based on hybrid encryption
CN116305187B (en) * 2023-01-14 2023-09-01 北京惠企易点通科技有限公司 Decision flow model calculation method and device based on hybrid encryption

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination