CN113992359A - Encryption control method and device for user information, computer equipment and storage medium - Google Patents

Encryption control method and device for user information, computer equipment and storage medium Download PDF

Info

Publication number
CN113992359A
CN113992359A CN202111157155.2A CN202111157155A CN113992359A CN 113992359 A CN113992359 A CN 113992359A CN 202111157155 A CN202111157155 A CN 202111157155A CN 113992359 A CN113992359 A CN 113992359A
Authority
CN
China
Prior art keywords
user information
current user
secret key
information
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111157155.2A
Other languages
Chinese (zh)
Inventor
黄成康
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Shuhe Information Technology Co Ltd
Original Assignee
Shanghai Shuhe Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Shuhe Information Technology Co Ltd filed Critical Shanghai Shuhe Information Technology Co Ltd
Priority to CN202111157155.2A priority Critical patent/CN113992359A/en
Publication of CN113992359A publication Critical patent/CN113992359A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Abstract

The application relates to a method and a device for controlling encryption of user information, computer equipment and a storage medium. The method comprises the following steps: intercepting current user information before a service server performs target operation on the current user information; identifying sensitive information in the current user information according to a preset field identifier; acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources; and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information. The method and the device can intercept the service server before the target operation of the current user information is carried out, and encrypt the sensitive information in the current user information, thereby realizing the protection of the sensitive information in the current user information and ensuring the safety of the user information.

Description

Encryption control method and device for user information, computer equipment and storage medium
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method and an apparatus for controlling encryption of user information, a computer device, and a storage medium.
Background
At present, with the popularization of the internet, users increasingly rely on the network. When a user performs some operations on a network, the user information needs to be uploaded, and much user information may relate to the privacy of the user, so that the security of the user information becomes a concern.
In the conventional technology, after user information possibly related to user privacy is stored, roles of data query authorities of a database can be seen, which may cause great safety hazards for users.
Therefore, the traditional technical scheme has the problem of potential safety hazard of user information.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method and an apparatus for controlling encryption of user information, a computer device, and a storage medium.
A method for controlling encryption of user information, the method comprising:
intercepting current user information before a service server performs target operation on the current user information;
identifying sensitive information in the current user information according to a preset field identifier;
acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources;
and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
In one embodiment, the target operation includes a log printing operation, and the method further includes:
when it is monitored that the service server receives a log printing request sent by a terminal, intercepting the log printing request;
before the service server performs target operation on the current user information, intercepting the current user information, including:
and before the service server prints the log information carried in the log printing request, extracting the current user information from the log information.
In one embodiment, the target operation includes an operation of writing the current user information into a database, and the intercepting the current user information before the service server performs the target operation on the current user information includes:
monitoring the writing operation of the business server to a database;
intercepting the current user information before the service server writes the current user information into a database.
In one embodiment, the identifying the sensitive information in the current user information according to the preset field identifier includes:
and identifying a field carrying the field identification from the current user information, and acquiring the sensitive information according to the field carrying the field identification.
In one embodiment, the obtaining a key from a target key source among a plurality of preset key sources and an encryption algorithm include:
determining the target secret key source according to the priority preset for each preset secret key source;
when the target secret key source is local, acquiring the secret key and the encryption algorithm from the local;
when the target secret key source is a third-party server, sending a secret key acquisition request to the third-party server;
receiving the key and the encryption algorithm fed back by the third-party server in response to the key obtaining request.
In one embodiment, the method further includes:
receiving notification information of key update sent by the third-party server;
and updating a local secret key and an encryption algorithm according to the notification information.
In one embodiment, the target operation includes a reading operation of the service server on a database, and the method further includes:
when it is monitored that the business server reads the database, intercepting current user information to be read;
decrypting the current user information according to the secret key;
and reading the decrypted current user information.
An apparatus for controlling encryption of user information, the apparatus comprising:
the intercepting module is used for intercepting the current user information before the business server performs target operation on the current user information;
the identification module is used for identifying the sensitive information in the current user information according to a preset field identifier;
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources;
and the encryption module is used for encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
intercepting current user information before a service server performs target operation on the current user information;
identifying sensitive information in the current user information according to a preset field identifier;
acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources;
and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
intercepting current user information before a service server performs target operation on the current user information;
identifying sensitive information in the current user information according to a preset field identifier;
acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources;
and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
According to the encryption control method and device for the user information, the computer equipment and the storage medium, the current user information is intercepted before the business server performs target operation on the current user information; identifying sensitive information in the current user information according to a preset field identifier; acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources; and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information. The method and the device can intercept the service server before the target operation of the current user information is carried out, and encrypt the sensitive information in the current user information, so that the current user information is subjected to the target operation in a ciphertext mode, the sensitive information in the current user information is protected in the target operation process which may cause user information leakage, and the safety of the user information is ensured.
Drawings
FIG. 1 is a diagram showing an application environment of a method for controlling encryption of user information according to an embodiment;
FIG. 2 is a flowchart illustrating a method for controlling encryption of user information according to an embodiment;
FIG. 3 is a flowchart illustrating steps of obtaining a key from a target key source of a plurality of predetermined key sources and an encryption algorithm in one embodiment;
FIG. 4 is a block diagram showing an example of a configuration of an encryption control apparatus for user information;
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Referring to fig. 1, fig. 1 is a schematic application environment diagram of a method for controlling encryption of user information according to an exemplary embodiment of the present application. As shown in fig. 1, the application environment includes a service server 100 and a terminal 101, and the service server 100 and the terminal 101 can be communicatively connected through a network 102 to implement the encryption control method for user information according to the present application.
The encryption control component on the service server 100 is configured to intercept current user information before the service server performs a target operation on the current user information; identifying sensitive information in the current user information according to a preset field identifier; acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources; and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information. The service server 100 is configured to receive a log printing request sent by the terminal 101, and the encryption control component on the service server 100 is further configured to intercept the log printing request when it is monitored that the service server receives the log printing request sent by the terminal, extract current user information to encrypt the current user information, and feed the encrypted log information back to the terminal 101 for display. The service server 100 may be implemented by a single server or a server cluster composed of a plurality of servers.
The terminal 101 is configured to send a log printing request to the service server 100, and receive and display encrypted current user information sent by an encryption control component on the service server 100. The terminal 101 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices.
The network 102 is used for network connection between the terminal 101 and the server 100, and in particular, the network 102 may include various types of wired or wireless networks.
In one embodiment, as shown in fig. 2, a method for controlling encryption of user information is provided, which is described by taking an example of an encryption control component applied to the service server in fig. 1, and includes the following steps:
and S11, intercepting the current user information before the service server performs target operation on the current user information.
The encryption control method for the user information may be executed in the encryption control component. The encryption control component is arranged on the service server. The service server is used for processing and storing the user information. The target operation may be an operation that may cause leakage of information of the current user. For example, the storage of the database and the printing of the log information containing the user information may also be other operations that involve the processing of the user information and may cause the user information to be leaked, and are not particularly limited herein.
Specifically, the encryption control component of the present application may monitor the database operation of the service server in real time, such as a read operation and a write operation of the database. Intercepting the current user information before monitoring that the business server performs writing operation on the current user information.
And S12, identifying the sensitive information in the current user information according to the preset field identification.
The field mark is preset mark information for marking sensitive information in the current user information. For example, fields such as the mobile phone number of the user, the bank card number of the user and the identification number of the user are preset as fields corresponding to sensitive information, field identifications corresponding to the fields are set, and the fields such as the mobile phone number of the user, the bank card number of the user and the identification number of the user are marked with labels by using the field identifications. And when fields of the mobile phone number of the user, the bank card number of the user and the identification number of the user uploaded by the user terminal are received, identifying the values of the fields according to the preset field identifications, and taking the values of the fields as the sensitive information.
In one embodiment, when identifying the sensitive information in the current user information according to the preset field identifier fails, the sensitive information may be identified according to a preset sensitive information identification algorithm.
S13, obtaining a key from a target key source of a plurality of preset key sources, and obtaining an encryption algorithm.
The application is provided with a plurality of secret key sources in advance. The key source is used for storing and managing a key, an encryption algorithm and a decryption algorithm corresponding to the service server. Specifically, the key source may interface with a plurality of service servers. The key source may store and manage keys, encryption algorithms, and decryption algorithms corresponding to a plurality of service servers. Further, the encryption algorithm and the decryption algorithm may be reversible algorithms such as AES (advanced encryption standard) and RSA (public key cryptosystem). Among them, AES is the most common symmetric encryption algorithm. Symmetric encryption algorithms use the same key for encryption and decryption.
And S14, encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
Specifically, taking the example of encrypting the current user information by using the AES encryption algorithm, the encryption control method for the user information may include the steps of:
intercepting current user information before an encryption control component monitors that a service application needs to perform target operation of storing the current user information into a database;
the encryption control component encrypts a plaintext P of the current user information by using the secret key K and an AES encryption function to obtain a ciphertext C;
the encryption control component stores the ciphertext C into the database.
The AES cryptographic function is the cryptographic algorithm.
In one embodiment, the target operation includes a log printing operation, and the method may further include:
when it is monitored that the service server receives a log printing request sent by a terminal, intercepting the log printing request;
the intercepting the current user information before the service server performs the target operation on the current user information may include:
and before the service server prints the log information carried in the log printing request, extracting the current user information from the log information.
Specifically, the desensitization encoder of the log is predefined and used for intercepting the log printing operation of the service server to obtain the log information to be printed, identifying the sensitive information of the current user information from the log information, encrypting the sensitive information, and feeding the encrypted ciphertext information back to the terminal for display.
Specifically, when identifying the sensitive information in the current user information according to the preset field identifier fails, identifying the sensitive information of the current user information from the log information may include:
and identifying the sensitive information of the current user information according to a preset identification algorithm of the sensitive information.
The above-mentioned identification algorithm of the sensitive information may include the following algorithms:
when the user information is a mobile phone number, the identification algorithm is as follows:
the consecutive 11 bits are only digital and the first bit is 1.
When the user information is a bank card number, the identification algorithm is as follows:
the continuous 10 bits, 16 bits, 18 bits or 19 bits are only digital and meet the check of bank card rules (Unionpay general rules).
When the user information is the ID card number, the identification algorithm is as follows:
15 or 18 continuous bits are only digital and meet the verification of the ID number rule (public security bureau general rule).
According to the method and the system, the log printing operation of the business server can be intercepted, the sensitive information of the current user information is obtained, the sensitive information of the current user information is encrypted according to the secret key and the encryption algorithm, the situation that the plaintext of the sensitive information of the user is directly displayed on the interface of the terminal is avoided, the problem of leakage of the user privacy information is solved, and the safety of the user privacy information is guaranteed.
In one embodiment, the target operation includes an operation of writing the current user information into a database, and the intercepting the current user information before the service server performs the target operation on the current user information may include:
monitoring the writing operation of the business server to a database;
intercepting the current user information before the service server writes the current user information into a database.
The encryption interceptor and the decryption interceptor are predefined in the present application. The encryption interceptor is used for intercepting user information needing to be encrypted, and the decryption interceptor is used for intercepting the user information needing to be decrypted.
Specifically, from the ecological perspective of the internet, most of the service server operation databases use two frameworks, mybatis and jpa (Java persistence API). Among them, MyBatis is an excellent persistent layer framework that supports customized SQL, stored procedures, and advanced mapping. jpa is JDK5.0 annotation or XML describes object-to-relation table mappings and persists run-time entity objects to the database. The encryption control component just needs to be seamlessly interfaced with mybatis and jpa, and can be unaware of encryption and decryption for upper-level users.
Specifically, the present application predefines MyBatis adapters and jpa adapters. The MyBatis adapter is used for realizing seamless butt joint with MyBatis, and the jpa adapter is used for realizing seamless butt joint with jpa. After the application is seamlessly connected with mybatis and jpa, the read-write operation of the service server on the database can be intercepted. When the business server needs to store the current user information into the database, the encryption interceptor intercepts the current user information, acquires the current user information to be stored, encrypts the current user information, and stores the encrypted ciphertext information into the database. When the business server needs to read the current user information from the database, the current user information to be read is intercepted through the encryption interceptor, and the current user information to be read is decrypted by utilizing the corresponding secret key and the decryption algorithm so as to read the decrypted plaintext information.
When the business server operates the database data, the role of the agent is silently added in the middle, and the role of the agent is the encryption control component. The encryption control component is responsible for encrypting and decrypting sensitive information in user information, can be in seamless butt joint with the existing application system through a corresponding adapter, and achieves the purposes of not invading the system and encrypting and decrypting the sensitive information. The encryption and decryption interception can be realized through the embodiment, the encryption and decryption are correspondingly carried out, and the safety of user information storage is realized so as to protect sensitive information in the user information.
In one embodiment, the identifying the sensitive information in the current user information according to the preset field identifier may include:
and identifying a field carrying the field identification from the current user information, and acquiring the sensitive information according to the field carrying the field identification.
Specifically, the method and the device set field identification for fields related to user sensitive information in advance. The fields related to the user sensitive information may be, for example, a user mobile phone number, a user bank card number, a user identification number, and the like. After the user uploads the current user information, the current user information may include information such as a user mobile phone number, a user bank card number, a user identification number and other user information such as a user name, and when the service server stores the uploaded current user information, the encryption control component intercepts the user information to be stored, identifies the user mobile phone number, the user bank card number and the user identification number in the user information according to field identification, and extracts corresponding field values of the user mobile phone number, the user bank card number and the user identification number, wherein the field values are sensitive information in the current user information.
For example, when the service server receives current user information uploaded by the terminal, the current user information needs to be stored. The current user information comprises a user mobile phone number A, a user bank card number B and other user information. Before the business server stores the current user information, the encryption control component intercepts the storage operation of the business server and acquires the current user information needing to be stored currently, and identifies that the user mobile phone number A and the user bank card number B in the current user information are sensitive information according to the field identification. The encryption control component acquires values corresponding to the user mobile phone number and the user bank card number, namely, acquires A and B as sensitive information of the value corresponding to the current user information.
According to the method and the device, the sensitive information of the user is identified from the current user information through the preset field identification, the sensitive information of the user is further encrypted, the encrypted ciphertext information is stored, and the safety of the sensitive information of the user is guaranteed.
In one embodiment, as shown in fig. 3, the obtaining of the key from the target key source of the plurality of preset key sources and the encryption algorithm may include:
s31, determining the target key source according to the priority preset for each preset key source;
s32, when the target secret key source is local, acquiring the secret key and the encryption algorithm from the local;
s33, when the target secret key source is a third-party server, sending a secret key obtaining request to the third-party server;
s34, receiving the secret key and the encryption algorithm fed back by the third-party server in response to the secret key obtaining request.
In the present application, a plurality of key sources are set in advance. The key source may be local to the service server or may be a third-party server. The third party server may interface with one or more business servers. The mapping relation between the identification information of each business server and the secret key, the encryption algorithm and the decryption algorithm is stored on the third-party server. When a business server acquires a secret key, an encryption algorithm and a decryption algorithm from a third-party server, sending a secret key acquisition request to the third-party server, wherein the secret key acquisition request carries identification information of the business server, and the third-party server acquires the secret key, the encryption algorithm and the decryption algorithm corresponding to the business server according to the mapping relation between the identification information of the business server and the secret key, the encryption algorithm and the decryption algorithm.
Furthermore, the priority can be set for each key source in advance, and when the key and the encryption algorithm are obtained, the corresponding key and the corresponding encryption algorithm are obtained from each key source in sequence according to the priority. Specifically, the encryption control component may send a key acquisition request to the key source with the highest priority, and after receiving notification information that the key acquisition failure fed back by the key source with the highest priority is received, acquire the key and the encryption algorithm from the key source corresponding to the next priority, and so on until the corresponding key and the encryption algorithm are acquired.
Further, the third-party server may be a key management server and a configuration center, or may be another server that can provide a key and an encryption algorithm, which is not limited herein. The configuration center may serve a component, and the specific configuration may be stored by a storage service such as a database, a file server, or the like. The key management server can manage keys and encryption and decryption algorithms applied to various services. According to the method and the device, the key sources can be expanded, a plurality of key sources are provided, and the flexibility of key acquisition is improved.
In one embodiment, the method may further include:
receiving notification information of key update sent by the third-party server;
and updating a local secret key and an encryption algorithm according to the notification information.
Specifically, the key management server may implement management of keys and encryption/decryption algorithms applied to each service. The key management server can receive an update request of the key sent by the key management console, and correspondingly updates the key on the key management server. The key management console may provide paged management. The user can trigger an update request of the secret key of the service server through a page provided by the secret key management console, the secret key management console submits the update request of the secret key to the secret key management server when receiving an update instruction of the secret key of the service server, and the secret key management server correspondingly updates the secret key and the encryption algorithm or the decryption algorithm of the service server. The update request may include a modification request, a deletion request, an addition request, and the like.
Further, when the key and the encryption and decryption algorithm on the key management server are updated, the key management server notifies the updated key and encryption and decryption algorithm to the corresponding service server, so that the service server modifies the local key and encryption and decryption algorithm correspondingly. According to the method and the system, management of the secret key of the service server, the encryption algorithm and the decryption algorithm is achieved, and flexibility of secret key management is improved.
In one embodiment, the target operation includes a reading operation of the service server on a database, and the method may further include:
when it is monitored that the business server reads the database, intercepting current user information to be read;
decrypting the current user information according to the secret key;
and reading the decrypted current user information.
Specifically, the user information needing to be decrypted is intercepted through the decryption interceptor and decrypted, so that the plaintext information of the user information is restored, and the privacy safety of the user information is ensured together with the encryption of the user information.
In one embodiment, as shown in fig. 4, there is provided an encryption control apparatus for user information, including: an interception module 11, an identification module 12, an acquisition module 13 and an encryption module 14, wherein,
the intercepting module 11 is configured to intercept current user information before a service server performs a target operation on the current user information;
the identification module 12 is configured to identify sensitive information in the current user information according to a preset field identifier;
an obtaining module 13, configured to obtain a key and an encryption algorithm from a target key source in a plurality of preset key sources;
and the encryption module 14 is configured to encrypt the sensitive information according to the secret key and the encryption algorithm, so as to perform the target operation on the encrypted ciphertext information.
In one embodiment, the target operation includes a log printing operation, the apparatus further includes a monitoring module (not shown) that intercepts the log printing request when it is monitored that the service server receives the log printing request sent by the terminal, and the intercepting module 11 may extract the current user information from the log information before the service server prints the log information carried in the log printing request.
In one embodiment, the intercepting module 11 may monitor a writing operation of the service server to the database, and intercept the current user information before the service server writes the current user information to the database.
In one embodiment, the identification module 12 may identify a field carrying the field identifier from the current user information, and obtain the sensitive information according to the field carrying the field identifier.
In one embodiment, the obtaining module 13 may determine the target key source according to a priority set for each preset key source in advance, obtain the key and the encryption algorithm from the local when the target key source is local, send a key obtaining request to a third-party server when the target key source is the third-party server, and receive the key and the encryption algorithm fed back by the third-party server in response to the key obtaining request.
In one embodiment, the apparatus further includes an updating module (not shown), where the updating module may receive notification information of key update sent by the third-party server, and update the local key and the encryption algorithm according to the notification information.
In one embodiment, the target operation includes a reading operation of the service server on the database, and the apparatus further includes a decryption module (not shown), where the decryption module is capable of intercepting current user information to be read when it is monitored that the service server performs the reading operation on the database, decrypting the current user information according to the secret key, and reading the decrypted current user information.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer equipment is used for storing data such as operation data of the intelligent household equipment. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a resource allocation method of a compiled virtual machine.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program: intercepting current user information before a service server performs target operation on the current user information; identifying sensitive information in the current user information according to a preset field identifier; acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources; and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
In an embodiment, the target operation includes a log printing operation, and the processor, when executing the computer program, further specifically implements the following steps:
when it is monitored that the service server receives a log printing request sent by a terminal, intercepting the log printing request;
the processor executes the computer program to realize the steps of intercepting the current user information before the service server performs the target operation on the current user information, and specifically realizes the following steps:
and before the service server prints the log information carried in the log printing request, extracting the current user information from the log information.
In an embodiment, the target operation includes an operation of writing the current user information into a database, and the processor executes a computer program to implement the following steps when the step of intercepting the current user information is performed before the service server performs the target operation on the current user information:
monitoring the writing operation of the business server to a database;
intercepting the current user information before the service server writes the current user information into a database.
In one embodiment, when the processor executes the computer program to implement the above step of identifying the sensitive information in the current user information according to the preset field identifier, the following steps are specifically implemented:
and identifying a field carrying the field identification from the current user information, and acquiring the sensitive information according to the field carrying the field identification.
In an embodiment, when the processor executes the computer program to implement the steps of obtaining the key from the target key source of the plurality of preset key sources and the encryption algorithm, the following steps are specifically implemented:
determining the target secret key source according to the priority preset for each preset secret key source;
when the target secret key source is local, acquiring the secret key and the encryption algorithm from the local;
when the target secret key source is a third-party server, sending a secret key acquisition request to the third-party server;
receiving the key and the encryption algorithm fed back by the third-party server in response to the key obtaining request.
In one embodiment, the processor when executing the computer program further specifically implements the following steps:
receiving notification information of key update sent by the third-party server;
and updating a local secret key and an encryption algorithm according to the notification information.
In an embodiment, the target operation includes a reading operation of the service server on the database, and the processor when executing the computer program further specifically implements the following steps:
when it is monitored that the business server reads the database, intercepting current user information to be read;
decrypting the current user information according to the secret key;
and reading the decrypted current user information.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of: intercepting current user information before a service server performs target operation on the current user information; identifying sensitive information in the current user information according to a preset field identifier; acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources; and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
In one embodiment, the target operation includes a log printing operation, and the computer program when executed by the processor further specifically implements the following steps:
when it is monitored that the service server receives a log printing request sent by a terminal, intercepting the log printing request;
when the computer program is executed by the processor to implement the step of intercepting the current user information before the service server performs the target operation on the current user information, the following steps are specifically implemented:
and before the service server prints the log information carried in the log printing request, extracting the current user information from the log information.
In an embodiment, the target operation includes an operation of writing the current user information into a database, and when the step of intercepting the current user information before the service server performs the target operation on the current user information is executed by the processor, the following steps are specifically implemented:
monitoring the writing operation of the business server to a database;
intercepting the current user information before the service server writes the current user information into a database.
In one embodiment, when the processor executes the step of identifying the sensitive information in the current user information according to the preset field identifier, the following steps are specifically implemented:
and identifying a field carrying the field identification from the current user information, and acquiring the sensitive information according to the field carrying the field identification.
In one embodiment, when the computer program is executed by the processor to implement the steps of obtaining a key from a target key source of a plurality of preset key sources and performing an encryption algorithm, the following steps are specifically implemented:
determining the target secret key source according to the priority preset for each preset secret key source;
when the target secret key source is local, acquiring the secret key and the encryption algorithm from the local;
when the target secret key source is a third-party server, sending a secret key acquisition request to the third-party server;
receiving the key and the encryption algorithm fed back by the third-party server in response to the key obtaining request.
In one embodiment, the computer program when executed by the processor further embodies the steps of:
receiving notification information of key update sent by the third-party server;
and updating a local secret key and an encryption algorithm according to the notification information.
In an embodiment, the above target operation includes a reading operation of the service server on the database, and the computer program when executed by the processor further specifically implements the following steps:
when it is monitored that the business server reads the database, intercepting current user information to be read;
decrypting the current user information according to the secret key;
and reading the decrypted current user information.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for controlling encryption of user information, the method comprising:
intercepting current user information before a service server performs target operation on the current user information;
identifying sensitive information in the current user information according to a preset field identifier;
acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources;
and encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
2. The method of claim 1, wherein the target operation comprises a log print operation, the method further comprising:
when it is monitored that the service server receives a log printing request sent by a terminal, intercepting the log printing request;
before the service server performs target operation on the current user information, intercepting the current user information, including:
and before the service server prints the log information carried in the log printing request, extracting the current user information from the log information.
3. The method of claim 1, wherein the target operation comprises an operation of writing the current user information into a database, and the intercepting the current user information before the service server performs the target operation on the current user information comprises:
monitoring the writing operation of the business server to a database;
intercepting the current user information before the service server writes the current user information into a database.
4. The method of claim 1, wherein the identifying sensitive information in the current user information according to a preset field identifier comprises:
and identifying a field carrying the field identification from the current user information, and acquiring the sensitive information according to the field carrying the field identification.
5. The method of claim 1, wherein obtaining the key and the encryption algorithm from a target key source of a plurality of preset key sources comprises:
determining the target secret key source according to the priority preset for each preset secret key source;
when the target secret key source is local, acquiring the secret key and the encryption algorithm from the local;
when the target secret key source is a third-party server, sending a secret key acquisition request to the third-party server;
receiving the key and the encryption algorithm fed back by the third-party server in response to the key obtaining request.
6. The method of claim 5, further comprising:
receiving notification information of key update sent by the third-party server;
and updating a local secret key and an encryption algorithm according to the notification information.
7. The method of claim 2, wherein the target operation comprises a read operation of a database by the business server, and wherein the method further comprises:
when it is monitored that the business server reads the database, intercepting current user information to be read;
decrypting the current user information according to the secret key;
and reading the decrypted current user information.
8. An apparatus for controlling encryption of user information, the apparatus comprising:
the intercepting module is used for intercepting the current user information before the business server performs target operation on the current user information;
the identification module is used for identifying the sensitive information in the current user information according to a preset field identifier;
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a secret key and an encryption algorithm from a target secret key source in a plurality of preset secret key sources;
and the encryption module is used for encrypting the sensitive information according to the secret key and the encryption algorithm so as to execute the target operation on the encrypted ciphertext information.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 7 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN202111157155.2A 2021-09-30 2021-09-30 Encryption control method and device for user information, computer equipment and storage medium Pending CN113992359A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111157155.2A CN113992359A (en) 2021-09-30 2021-09-30 Encryption control method and device for user information, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111157155.2A CN113992359A (en) 2021-09-30 2021-09-30 Encryption control method and device for user information, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113992359A true CN113992359A (en) 2022-01-28

Family

ID=79737334

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111157155.2A Pending CN113992359A (en) 2021-09-30 2021-09-30 Encryption control method and device for user information, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113992359A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067700A (en) * 2018-06-22 2018-12-21 江苏科技大学 A kind of cross-platform information input output protection system
CN109241016A (en) * 2018-08-14 2019-01-18 阿里巴巴集团控股有限公司 Secure calculation method and device, electronic equipment
US20190190890A1 (en) * 2017-12-19 2019-06-20 International Business Machines Corporation Data sanitization system for public host platform
CN110427779A (en) * 2019-08-13 2019-11-08 威富通科技有限公司 A kind of the Encrypt and Decrypt method and data server of database table field
CN111756522A (en) * 2020-06-28 2020-10-09 中国平安财产保险股份有限公司 Data processing method and system
CN113285804A (en) * 2021-07-21 2021-08-20 苏州浪潮智能科技有限公司 Encryption and decryption method, device, equipment and storage medium for disk data of virtual machine

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190190890A1 (en) * 2017-12-19 2019-06-20 International Business Machines Corporation Data sanitization system for public host platform
CN109067700A (en) * 2018-06-22 2018-12-21 江苏科技大学 A kind of cross-platform information input output protection system
CN109241016A (en) * 2018-08-14 2019-01-18 阿里巴巴集团控股有限公司 Secure calculation method and device, electronic equipment
CN110427779A (en) * 2019-08-13 2019-11-08 威富通科技有限公司 A kind of the Encrypt and Decrypt method and data server of database table field
CN111756522A (en) * 2020-06-28 2020-10-09 中国平安财产保险股份有限公司 Data processing method and system
CN113285804A (en) * 2021-07-21 2021-08-20 苏州浪潮智能科技有限公司 Encryption and decryption method, device, equipment and storage medium for disk data of virtual machine

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
金华等: "《基于Docker的Redis入门与实战》", 机械工业出版社 *

Similar Documents

Publication Publication Date Title
CN110990407B (en) Block chain based data storage method and device, server and storage medium
CN109471844B (en) File sharing method and device, computer equipment and storage medium
WO2021003980A1 (en) Blacklist sharing method and apparatus, computer device and storage medium
US9122882B2 (en) Method and apparatus of securely processing data for file backup, de-duplication, and restoration
US9256499B2 (en) Method and apparatus of securely processing data for file backup, de-duplication, and restoration
US9064133B2 (en) Method and apparatus of securely processing data for file backup, de-duplication, and restoration
WO2019114137A1 (en) Password calling method, server, and storage medium
CN112632581A (en) User data processing method and device, computer equipment and storage medium
CN111917540B (en) Data encryption and decryption method and device, mobile terminal and storage medium
US11321471B2 (en) Encrypted storage of data
CN111666558B (en) Key rotation method, device, computer equipment and storage medium
CN114428784A (en) Data access method and device, computer equipment and storage medium
US9054864B2 (en) Method and apparatus of securely processing data for file backup, de-duplication, and restoration
CN109871698B (en) Data processing method, data processing device, computer equipment and storage medium
CN113992359A (en) Encryption control method and device for user information, computer equipment and storage medium
US20200304291A1 (en) Information management system and method for the same
CN114244519A (en) Password verification method and device, computer equipment and storage medium
CN114222288A (en) Equipment identifier generation method, equipment identifier verification method and device
CN113645183A (en) Data encryption transmission method, system, computer equipment and storage medium
CN109933994B (en) Data hierarchical storage method and device and computing equipment
CN112068779A (en) Data storage system
CN104915607A (en) Password data processing and exchanging method based on mobile terminal
CN113783847B (en) Message interaction method, device, computer equipment and storage medium
CN117955642A (en) Encryption configuration method, device, computer equipment and storage medium
CN117371029A (en) Sensitive data storage method, apparatus, device, storage medium and program product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20220128