CN114372242A - Ciphertext data processing method, authority management server and decryption server - Google Patents


Info

Publication number: CN114372242A
Authority: CN (China)
Prior art keywords: decryption, server, authorization code, role authorization, key
Legal status: Pending
Application number: CN202111582858.XA
Other languages: Chinese (zh)
Inventors: 黄华峰, 黄永浩, 彭寅飞, 赵盼盼, 刘欢
Current Assignee: Kingdee Software China Co Ltd
Original Assignee: Kingdee Software China Co Ltd


Classifications

    • G06F21/31 User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00)
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups; G06F2221/00)


Abstract

The embodiment of the application provides a ciphertext data processing method, an authority management server and a decryption server, which are used for improving data security. The method in the embodiment of the application comprises the following steps: receiving a first permission verification request sent by a service function server, wherein the first permission verification request comprises a user identifier; judging whether the user identification is bound with a role authorization code; and if the user identifier is bound with the role authorization code, sending a decryption request carrying the role authorization code to the decryption server, so that the decryption server decrypts the ciphertext data determined by the decryption request by using the decryption key bound with the role authorization code to obtain plaintext data, and sends the plaintext data to the service function server. In the embodiment of the application, the authority management and the data encryption are set for the data access at the same time, the role authorization code is used for controlling the access range, and when the database is directly attacked, the leaked data are ciphertext data, so that the security is high.

Description

Ciphertext data processing method, authority management server and decryption server
Technical Field
The embodiment of the application relates to the field of data security, in particular to a ciphertext data processing method, an authority management server and a decryption server.
Background
The Enterprise Resource Planning (ERP) data of an enterprise carries business requirements for control at different security levels. A common way to implement such control is to let the system's authority management decide what is accessible.
In a typical system design, data is stored in a database, the positions that perform different business functions are divided into different roles, each role has its own authorization range, and a position can see data inside its authorization range but not outside it.
Such authority management acts only inside the system; when the database is attacked directly, the risk of data leakage is high and security is low.
Disclosure of Invention
The embodiment of the application provides a ciphertext data processing method, an authority management server and a decryption server, which are used for improving data security.
A first aspect of the embodiments of the present application provides a method for processing ciphertext data, which is applied to an authority management server, and the method includes:
receiving a first permission verification request sent by a service function server, wherein the first permission verification request comprises a user identifier;
judging whether the user identification is bound with a role authorization code;
and if the user identifier is bound with the role authorization code, sending a decryption request carrying the role authorization code to the decryption server, so that the decryption server decrypts the ciphertext data determined by the decryption request by using the decryption key bound with the role authorization code to obtain plaintext data, and sends the plaintext data to the service function server.
In the embodiment of the application, the authority management and the data encryption are set for the data access at the same time, the role authorization code is used for controlling the access range, and when the database is directly attacked, the leaked data are ciphertext data, so that the security is high.
In an implementation manner of the first aspect of the embodiment of the present application, the method further includes:
generating a role authorization code in response to the received permission design request;
extracting a user identifier from the rights design request, and binding the user identifier and the role authorization code;
sending a key application request carrying a role authorization code to a decryption server so that the decryption server generates an encryption key and a decryption key according to the key application request and binds the decryption key with the role authorization code; the encryption key is used for encrypting plaintext data to obtain ciphertext data;
and receiving an encryption key returned by the decryption server, and binding the encryption key and the role authorization code.
In the embodiment of the application, the encryption key is stored by the authority management server, and the decryption key is stored by the decryption server, so that the encryption key and the decryption key are stored separately.
In an implementation manner of the first aspect of the embodiment of the present application, the encryption key and the decryption key are asymmetric keys, the encryption key is a public key, and the decryption key is a private key.
In the embodiment of the application, the key pair is generated based on the RSA asymmetric encryption strategy, and security is high.
In an implementation manner of the first aspect of the embodiment of the present application, the method further includes:
receiving a second permission verification request sent by the service function server, wherein the second permission verification request comprises a user identifier;
judging whether the user identification is bound with a role authorization code;
and if the user identification is bound with the role authorization code, acquiring plaintext data and encrypting the plaintext data by using the encryption key to obtain ciphertext data.
In the embodiment of the application, encryption and decryption are realized separately, encryption is provided by the authority management server, and the security is high.
In an implementation manner of the first aspect of the embodiment of the present application, before sending a decryption request carrying a role authorization code to a decryption server, the method further includes:
and acquiring the ciphertext data requested by the user corresponding to the user identification, and writing the ciphertext data into the decryption request.
In the embodiment of the application, encryption and decryption are realized separately: the decryption request is sent to the decryption server by the authority management server, and decryption is hosted by the decryption server, which only the authority management server is allowed to access.
A second aspect of the present embodiment provides a method for processing ciphertext data, which is applied to a decryption server, and includes:
receiving a decryption request sent by a right management server, wherein the decryption request comprises a role authorization code and ciphertext data, the role authorization code is a role authorization code bound by a user identifier, and the user identifier is a user identifier carried in a first right verification request sent by a business function server and received by the right management server;
determining a decryption key corresponding to the role authorization code, and decrypting the ciphertext data by using the decryption key to obtain plaintext data;
and sending the plaintext data to the service function server.
In the embodiment of the application, the authority management and the data encryption are set for the data access at the same time, the role authorization code is used for controlling the access range, and when the database is directly attacked, the leaked data are ciphertext data, so that the security is high.
In an implementation manner of the second aspect of the embodiment of the present application, before receiving the decryption request sent by the rights management server, the method further includes:
responding to a received key application request sent by the authority management server, and generating a matched decryption key and an encryption key;
extracting role authorization codes from the key application request, and binding the decryption key and the role authorization codes;
and sending the encryption key to the authority management server so that the authority management server binds the encryption key and the role authorization code.
In the embodiment of the application, the encryption key is stored by the authority management server, and the decryption key is stored by the decryption server, so that the encryption key and the decryption key are stored separately.
A third aspect of an embodiment of the present application provides a rights management server, including:
a receiving unit, configured to receive a first permission verification request sent by the service function server, wherein the first permission verification request comprises a user identifier;
the judging unit is used for judging whether the user identifier is bound with the role authorization code;
and the sending unit is used for sending a decryption request carrying the role authorization code to the decryption server when the judging unit determines that the user identifier is bound with the role authorization code, so that the decryption server decrypts the ciphertext data determined by the decryption request by using the decryption key bound with the role authorization code to obtain plaintext data, and sends the plaintext data to the service function server.
A fourth aspect of an embodiment of the present application provides a decryption server, including:
the receiving unit is used for receiving a decryption request sent by the authority management server, wherein the decryption request comprises a role authorization code and ciphertext data, the role authorization code is a role authorization code bound by a user identifier, and the user identifier is a user identifier carried in a first authority verification request sent by a service function server and received by the authority management server;
the determining unit is used for determining a decryption key corresponding to the role authorization code, and decrypting the ciphertext data by using the decryption key to obtain plaintext data;
and the sending unit is used for sending the plaintext data to the service function server.
A fifth aspect of an embodiment of the present application provides a computer device, including:
a central processing unit, a memory;
the memory is a transient memory or a persistent memory;
the central processor is configured to communicate with the memory and execute the operations of the instructions in the memory to perform the method of the first aspect.
A sixth aspect of embodiments of the present application provides a computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of the first or second aspect.
A seventh aspect of embodiments of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the first or second aspect.
An eighth aspect of embodiments of the present application provides a chip system, where the chip system includes at least one processor and a communication interface, where the communication interface and the at least one processor are interconnected by a line, and the at least one processor is configured to execute a computer program or instructions to perform the method of the first aspect or the second aspect.
Drawings
FIG. 1 is a schematic diagram of an architecture of a system for processing encrypted data according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of another architecture of a processing system for encrypting data according to an embodiment of the present application;
FIG. 3 is a flow chart of a method for processing encrypted data according to an embodiment of the present disclosure;
FIG. 4 is another flow chart of a method of processing encrypted data as disclosed in an embodiment of the present application;
FIG. 5 is a schematic diagram of a key generation process of a processing method for encrypted data disclosed in an embodiment of the present application;
FIG. 6 is a schematic diagram of an encryption process of a processing method for encrypted data disclosed in an embodiment of the present application;
FIG. 7 is a schematic diagram of a decryption process of a method for processing encrypted data according to an embodiment of the present application;
fig. 8 is an architecture diagram of a rights management server disclosed in an embodiment of the present application;
fig. 9 is a schematic structural diagram of a decryption server disclosed in an embodiment of the present application;
fig. 10 is a schematic structural diagram of a computer device disclosed in an embodiment of the present application.
Detailed Description
The embodiment of the application provides a ciphertext data processing method, an authority management server and a decryption server, which are used for improving data security.
The ERP data of an enterprise has business requirements for control at different security levels. One example is the bill of materials (BOM), a file describing the structure of a product in a data format that a computer can recognize, and the dominant data file of ERP. Common methods of encrypting the physical data are the Data Encryption Standard (DES) algorithm and the RSA asymmetric encryption algorithm. DES is a symmetric algorithm in which encryption and decryption share the same key, so decryption requires distributing the encryption key, and there is a risk of key leakage. RSA asymmetric encryption is an asymmetric strategy in which the RSA algorithm generates a pair of keys that form the encryption and decryption functions: the private key is used for decryption, the public key is used for encryption, and the encrypted data is difficult to crack as long as the private key is kept secure.
When only rights management is used, protection of the data does not extend to control of the physical table data, so function expansion may lead to data leakage or unauthorized use of resources.
In the case of encryption using only physical data, the encryption keys are unified, and there is a risk that the global encrypted data is cracked once the keys are leaked.
As shown in fig. 1, a system for processing encrypted data according to an embodiment of the present application includes a service function server, an authority management server and a decryption server. The authority management server is in communication connection with the decryption server. The client accesses the service function server through the network, and the service function server identifies the user identifier of the client to distinguish different users. The service function server provides corresponding functions for different users, including ciphertext data access. When providing ciphertext data access, the service function server communicates with the decryption server through the authority management server to obtain the plaintext data produced by decrypting the ciphertext data, and sends the plaintext data to the client.
The ERP system service is additionally provided with a key management service end, and provides key pair generation, private key dump and data decryption services. The overall service architecture is shown in figure 2. The processing system of the encrypted data of the embodiment of the application includes a client 201 and a cloud service cluster 202, where the cloud service cluster 202 includes a business function end 2021 and an RSA decryption server end 2022. The service function terminal 2021 includes a service function module 20211 and a rights management module 20212. The business function module 20211 may be a business function server, and the rights management module 20212 may be a rights management server; or the service function end 2021 is a service server, and is divided into a service function module 20211 and a right management module 20212 in the service server. The client 201 is used to perform function access. The business function module 20211 is configured to obtain confidential data, which may be represented by encrypted data and plaintext data, and business data, which is data related to a business associated with the confidential data. The right management module 20212 is configured to perform key management, where the right management module 20212 stores a right public key certificate library, and the right public key certificate library stores role authorization codes and public keys in a matching manner. The RSA decryption server 2022 is configured to perform key generation and decryption services, where the RSA decryption server stores a rights private key certificate library, and the rights private key certificate library stores role authorization codes and private keys in a matching manner.
As shown in fig. 3, the method for processing ciphertext data according to the embodiment of the present application includes steps 301 to 303.
301. Receive a first permission verification request sent by the service function server.
The authority management server receives a first permission verification request sent by the service function server, wherein the first permission verification request comprises a user identifier. The user identifier uniquely identifies one user; different users have different user identifiers. The user identifier may be a user ID, a user name, and so on. The first permission verification request asks the authority management server to judge whether the user with that user identifier has the right to access the ciphertext data. The first permission verification request can also carry the ciphertext data, so as to reduce the number of interactions between the service function server and the authority management server.
302. Judge whether the user identifier is bound to a role authorization code.
The authority management server obtains the user identifier from the first permission verification request and queries the relation table of role authorization codes and user identifiers to determine the role authorization code bound to the user identifier. In this relation table, one role authorization code may correspond to only one user identifier or to several; likewise, one user identifier may correspond to only one role authorization code or to several. When a user identifier corresponds to only one role authorization code, the authority management server can determine the bound role authorization code from the user identifier alone. When a user identifier corresponds to several role authorization codes, the authority management server needs role selection information sent by the service function server; one piece of role selection information corresponds to one role authorization code, and the service function server may write it into the first permission verification request before sending it to the authority management server.
303. Send a decryption request carrying the role authorization code to the decryption server.
After determining that the user identifier is bound to a role authorization code, the authority management server sends a decryption request carrying the role authorization code to the decryption server, so that the decryption server decrypts the ciphertext data determined by the decryption request using the decryption key bound to that role authorization code, obtains the plaintext data, and sends it to the service function server. The decryption request may carry the ciphertext data itself, in which case the decryption server takes the ciphertext data from the request and decrypts it; or it may carry a ciphertext data identification code, in which case the decryption server takes the identification code from the request and retrieves the ciphertext data from the database according to it.
In the embodiment of the application, the authority management and the data encryption are set for the data access at the same time, the role authorization code is used for controlling the access range, and when the database is directly attacked, the leaked data are ciphertext data, so that the security is high.
The embodiment of the present application may be divided into three processes, which are a key making process, an encryption process, and a decryption process, specifically, as shown in fig. 4, the method for processing encrypted data in the embodiment of the present application includes steps 401 to 407.
401. Start the permission design.
The authority management server receives a permission design request, which carries the user identifier. The permission design request is generally initiated by an administrator, either through an input device of the authority management server or from a device that holds permission design rights. The authority management server generates a role authorization code according to the permission design request. One role authorization code corresponds to one role, and the authorization range of the role is defined in the authority management server. The authority management server binds the user identifier to the role authorization code. There are many operation types, such as writing, viewing, auditing and modifying; the operations allowed and forbidden for different roles may differ or be the same, while the operations allowed and forbidden for the same role are the same.
A user identifier may be bound to a single role authorization code, indicating that the user has only one role and enjoys the authorized scope of that role.
A user identifier may be bound to several role authorization codes, indicating that the user holds several roles at the same time and has the authorizations of all of them.
A role authorization code may be bound to several user identifiers, indicating that several users have the same role. The role authorization codes and user identifiers can be written into a table to obtain a user authorization table, which is generated and stored by the authority management server.
402. An encryption key and a decryption key are generated.
And the authority management server sends a key application request to the decryption server, wherein the key application request carries the role authorization code. And the decryption server receives a key application request sent by the authority management server and acquires the role authorization code from the key application request. The decryption server generates an encryption key and a decryption key from the application key request, the encryption key and the decryption key being a pair of keys. If the encryption key and the decryption key are asymmetric keys, the encryption key is a public key, and the decryption key is a private key; if the encryption key and the decryption key are symmetric keys, the encryption key and the decryption key are the same key. The decryption server binds the role authorization code and the decryption key. The decryption server sends the encryption key to the rights management server. And the right management server receives the encryption key sent by the decryption server and binds the encryption key and the role authorization code. Generally, the encryption key and the role authorization code are one-to-one binding, and the decryption key and the role authorization code are one-to-one binding, that is, one role authorization code corresponds to one encryption key and one decryption key. When updating the key, the role authorization code needs to be unbound with the old key, and then bound with the new key.
403. Plaintext data is encrypted into ciphertext data.
The service function server sends a second permission verification request to the authority management server, which carries the user identifier. The authority management server receives the second permission verification request and obtains the user identifier from it. The authority management server judges whether the user identifier has a bound role authorization code; if so, it obtains the encryption key bound to that role authorization code. The authority management server may send the encryption key either to the service function server or to the encryption service module, as described below:
(1) the rights management server may send the encryption key to the service function server.
And after obtaining the encryption key, the authority management server sends the encryption key to the service function server. And the service function server receives the encryption key sent by the authority management server. And the business function server sends the encryption key and the plaintext data to the encryption service module. And the encryption service module receives the encryption key and the plaintext data sent by the service function server. And the encryption service module encrypts the plaintext data by using the encryption key to obtain ciphertext data. The encryption service module sends the ciphertext data to the business function server, and the business function server receives the ciphertext data and stores the ciphertext data in the database; or the encryption service module stores the ciphertext data in the database.
It should be noted that, in the case that the service function server already stores the encryption key, for example, the service function server obtains and stores the encryption key in the last encryption process, the right management server may send the encryption permission to the service function server instead of sending the encryption key to the service function server. And the service function server receives the encryption permission sent by the authority management server and encrypts the encryption permission by using the encryption key which is stored in the service function server. The encryption service module can be an encryption server or can be built in the authority management server.
(2) And the authority management server sends the encryption key to the encryption service module.
And after acquiring the encryption key, the authority management server generates an encryption key identification code. And the authority management server sends the encryption key and the encryption key identification code to the encryption service module and sends the encryption key identification code to the service function server. And the service function server receives the encryption key identification code sent by the authority management server, and sends the encryption key identification code and the plaintext data to the encryption service module. And the encryption service module receives the encryption key and the encryption key identification code sent by the authority management server, receives the plaintext data and the encryption key identification code sent by the service function server, and judges whether the encryption key identification codes received twice correspond to each other. And if the encryption key identification codes received twice correspond to each other, the encryption service module encrypts plaintext data by using the encryption key to obtain ciphertext data. The encryption service module sends the ciphertext data to the business function server, and the business function server receives the ciphertext data and stores the ciphertext data in the database; or the encryption service module stores the ciphertext data in the database.
It should be noted that, where the encryption service module already binds the encryption key identification code to the encryption key, the rights management server may send only the encryption key identification code to the encryption service module. The encryption key identification code may be valid long-term, or may be a time-limited random verification code. The encryption service module may be an encryption server or may be built into the rights management server.
404. Ciphertext data is obtained from a database.
The ciphertext data may be obtained from the database in several ways: the service function server, the rights management server, or the decryption server may obtain it. These are described in turn:
(1) The service function server obtains the ciphertext data from the database.
The service function server sends a data acquisition request to the database. The database receives the request, determines the ciphertext data according to it, and sends the ciphertext data to the service function server. The service function server receives the ciphertext data and sends it to the rights management server, which receives it and sends it on to the decryption server. The decryption server receives the ciphertext data sent by the rights management server.
(2) The rights management server obtains the ciphertext data from the database.
The service function server sends a ciphertext data identification code to the rights management server. The rights management server receives the identification code and generates a data acquisition request from it; alternatively, the rights management server may determine the ciphertext data or its identification code from the user identifier and the role authorization code. The rights management server sends the data acquisition request to the database. The database receives the request, determines the ciphertext data according to it, and sends the ciphertext data to the rights management server. The rights management server receives the ciphertext data and sends it to the decryption server, which receives it. The ciphertext data identification code may be the address of the ciphertext data or a retrieval bit of the ciphertext data.
(3) The decryption server obtains the ciphertext data from the database.
The service function server sends a ciphertext data identification code to the rights management server, which receives it; alternatively, the rights management server may determine the ciphertext data or its identification code from the user identifier and the role authorization code. The rights management server sends the ciphertext data identification code to the decryption server. The decryption server receives the identification code, generates a data acquisition request from it, and sends the request to the database. The database receives the request, determines the ciphertext data according to it, and sends the ciphertext data to the decryption server, which receives it. The ciphertext data identification code may be the address of the ciphertext data or a retrieval bit of the ciphertext data.
It should be noted that the database may determine both the ciphertext data and other service data according to the data acquisition request, and return the ciphertext data and the other service data together.
405. A role authorization code bound to the user identifier is determined.
The service function server sends a first rights verification request carrying the user identifier to the rights management server. The rights management server receives the request and obtains the user identifier from it. The rights management server then judges whether the user identifier is bound to a role authorization code and, if it is, obtains that role authorization code. The rights management server generates a decryption request comprising the role authorization code and either the ciphertext data or the ciphertext data identification code, and sends the decryption request to the decryption server.
It should be noted that when the service function server obtains the ciphertext data from the database in step 404, the order of steps 404 and 405 is not limited; when the rights management server obtains the ciphertext data from the database in step 404, the order of steps 404 and 405 is likewise not limited; when the decryption server obtains the ciphertext data from the database in step 404, step 405 is executed first and step 404 afterwards.
406. The ciphertext data is decrypted with the decryption key bound to the role authorization code to obtain plaintext data.
The decryption server receives the decryption request sent by the rights management server. It obtains the role authorization code and the ciphertext data from the decryption request, or obtains the role authorization code and the ciphertext data identification code from the request and then obtains the ciphertext data according to that identification code. The decryption server obtains the decryption key bound to the role authorization code and decrypts the ciphertext data with it to obtain plaintext data. The decryption server then either sends the plaintext data to the rights management server, which forwards it to the service function server, or sends the plaintext data directly to the service function server.
407. The plaintext data is used.
The service function server receives the plaintext data sent by the rights management server or the decryption server and uses it, for example by displaying it, performing calculations with it, or modifying it.
The embodiment of the present application can be divided into three processes, namely key making, encryption, and decryption; the following description takes fig. 5 to fig. 7 as examples.
Fig. 5 shows a key generation process according to an embodiment of the present application. The rights management server 501 receives a rights design request initiated by an administrator; the administrator may send the request to the rights management server 501 over the network, or generate it locally on the rights management server 501. The rights management server 501 generates a role authorization code according to the rights design request, writes the role authorization code into a key application request, and sends the request to the decryption server 502. The decryption server 502 receives the key application request and obtains the role authorization code from it. The decryption server 502 generates a public key and a private key, binds the private key to the role authorization code, and sends the public key to the rights management server 501. The rights management server 501 receives the public key and binds it to the role authorization code. The public key, bound to the role authorization code, is stored in the ERP service database and used for encrypting data; the private key is handed to the key management service for storage according to the correspondence between the ERP role authorization code and the private key.
Fig. 6 shows an encryption process according to an embodiment of the present application. The service function server 601 sends a second rights verification request to the rights management server 602. The rights management server 602 receives the request, obtains the user identifier from it, determines the public key bound to the user identifier, and sends the public key to the service function server 601. The service function server 601 sends the public key and the plaintext data to the rights management server 602, which receives them and encrypts the plaintext data into ciphertext data using the public key. The rights management server 602 sends the ciphertext data to the service function server 601, which receives it and stores it in the database layer 603. The database layer 603 has one or more databases. The encryption service is built into the rights management server 602: once rights verification is complete, the corresponding public key can be obtained and the service data encrypted. After the user passes rights verification in the service layer, the user obtains the public key corresponding to the authorization information, calls the encryption service of the rights management server 602 with the public key and the service data designated for encryption, and the encrypted service data is then stored separately. The database layer 603 employs object relational mapping (ORM).
Fig. 7 shows a decryption process according to an embodiment of the present application. The service function server 701 sends a data acquisition request to the database layer 704. The request carries a data identification code of the data the service function server 701 wants to access; the data identification code may be a data address or a retrieval bit of the data. The database layer 704 determines the ciphertext data and the matching service data according to the data acquisition request. The service function server 701 receives the ciphertext data and the service data, and sends the ciphertext data together with a first rights verification request to the rights management server 702. The rights management server 702 receives them, obtains the user identifier from the first rights verification request, and determines the role authorization code bound to the user identifier. The rights management server 702 sends the ciphertext data and the role authorization code to the decryption server 703. The decryption server 703 receives them, determines the private key bound to the role authorization code, and decrypts the ciphertext data with the private key to obtain plaintext data. The decryption server 703 sends the plaintext data to the rights management server 702, which receives it and sends it on to the service function server 701. The service function server 701 receives the plaintext data and displays it. The decryption server 703 is deployed separately on the key management server and provides a unified decryption service; access requests that do not come from the rights management server 702 are rejected.
After the service layer completes rights verification against the user identifier of the current login information, it initiates a decryption request to the decryption server 703 with the role authorization code and ciphertext data provided by the rights management server 702, and receives the plaintext data decrypted with the private key. The service layer then displays the decrypted data.
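The three processes of figs. 5 to 7 as an added toy model, not code from the patent or its applicant: the decryption server keeps each private key bound to a role authorization code and answers decryption requests only from the rights management server, which binds user identifiers to role authorization codes and hosts the encryption service. The RSA parameters, user names, role code format and stored record are all constructed for this example.

```python
"""Toy model of the key making, encryption and decryption flows of figs. 5 to 7.
Constructed example, not the patent's own code: textbook RSA on fixed Mersenne primes
stands in for the public/private key pair and must never be used for real data."""
from itertools import count

_E = 65537  # public exponent; plaintexts are capped at 16 bytes, below every modulus (> 2^149)

def generate_keypair(p: int, q: int):
    """Textbook RSA: public key (n, e), private key (n, d); p and q must be prime."""
    n = p * q
    return (n, _E), (n, pow(_E, -1, (p - 1) * (q - 1)))

def encrypt(public_key, plaintext: bytes) -> int:
    n, e = public_key
    if not 0 < len(plaintext) <= 16 or plaintext[0] == 0:
        raise ValueError("toy scheme takes 1..16 bytes with a non-zero first byte")
    return pow(int.from_bytes(plaintext, "big"), e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

class DecryptionServer:
    """Figs. 5 and 7: keeps private keys bound to role authorization codes; serves only the rights management server."""
    # Constructed pool of Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1): one pair per role.
    _PRIMES = ((1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1)

    def __init__(self):
        self._private_keys = {}  # role authorization code -> private key
        self._pool = iter(self._PRIMES)

    def handle_key_application(self, role_code: str):
        public_key, private_key = generate_keypair(next(self._pool), next(self._pool))
        self._private_keys[role_code] = private_key  # the private key never leaves this server
        return public_key  # returned to the rights management server for binding

    def handle_decryption_request(self, caller, role_code: str, ciphertext: int) -> bytes:
        if not isinstance(caller, RightsManagementServer):
            raise PermissionError("only the rights management server may request decryption")
        if role_code not in self._private_keys:
            raise PermissionError("no decryption key is bound to this role authorization code")
        return decrypt(self._private_keys[role_code], ciphertext)

class RightsManagementServer:
    """Figs. 5 and 6: binds users to role authorization codes and codes to public keys; hosts the encryption service."""

    def __init__(self, decryption_server: DecryptionServer):
        self._dec = decryption_server
        self._role_of_user = {}  # user identifier -> role authorization code
        self._public_keys = {}   # role authorization code -> public key
        self._next_code = count(1)

    def handle_rights_design(self, user_id: str) -> str:
        """Administrator's rights design request: new role code, user binding, key application."""
        role_code = f"RAC-{next(self._next_code):04d}"  # constructed code format
        self._role_of_user[user_id] = role_code
        self._public_keys[role_code] = self._dec.handle_key_application(role_code)
        return role_code

    def _verify(self, user_id: str) -> str:
        # Rights verification: the user identifier must be bound to a role authorization code.
        if user_id not in self._role_of_user:
            raise PermissionError(f"user {user_id!r} is not bound to a role authorization code")
        return self._role_of_user[user_id]

    def encrypt_for_user(self, user_id: str, plaintext: bytes) -> int:
        """Second rights verification request, then the built-in encryption service (fig. 6)."""
        return encrypt(self._public_keys[self._verify(user_id)], plaintext)

    def decrypt_for_user(self, user_id: str, ciphertext: int) -> bytes:
        """First rights verification request, then a decryption request carrying the role code (fig. 7)."""
        return self._dec.handle_decryption_request(self, self._verify(user_id), ciphertext)

def _outcome(attempt):
    try:
        return attempt()
    except PermissionError:
        return "refused"

def run_scenario() -> dict:
    """Two roles, one stored record: only a user bound to the encrypting role recovers the plaintext."""
    dec = DecryptionServer()
    rms = RightsManagementServer(dec)
    finance_role = rms.handle_rights_design("alice")  # constructed users and record
    rms.handle_rights_design("bob")                   # bob is bound to a different role
    database = {"record-1": rms.encrypt_for_user("alice", b"salary:12345")}  # ciphertext store
    record = database["record-1"]
    return {
        "alice": rms.decrypt_for_user("alice", record),
        "bob": rms.decrypt_for_user("bob", record),  # another role's private key: garbage bytes
        "carol": _outcome(lambda: rms.decrypt_for_user("carol", record)),  # no role binding
        "direct": _outcome(lambda: dec.handle_decryption_request(object(), finance_role, record)),
    }
```

The `bob` entry shows why binding the decryption key to the role authorization code matters: a user bound to another role is not refused outright, but the wrong private key yields nothing usable.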
As shown in fig. 8, a rights management server according to an embodiment of the present application includes:
a receiving unit 801, configured to receive a first permission verification request sent by a service function server, where the first permission verification request includes a user identifier;
a determining unit 802, configured to determine whether the user identifier is bound with a role authorization code;
a sending unit 803, configured to send, when the determining unit 802 determines that the user identifier is bound with the role authorization code, a decryption request carrying the role authorization code to the decryption server, so that the decryption server decrypts, using the decryption key bound with the role authorization code, the ciphertext data determined by the decryption request to obtain plaintext data, and sends the plaintext data to the service function server.
As shown in fig. 9, a decryption server according to an embodiment of the present application includes:
a receiving unit 901, configured to receive a decryption request sent by a rights management server, where the decryption request includes a role authorization code and ciphertext data, the role authorization code is a role authorization code bound to a user identifier, and the user identifier is a user identifier carried in a first rights verification request sent by a service function server and received by the rights management server;
a determining unit 902, configured to determine a decryption key corresponding to the role authorization code, and decrypt the ciphertext data using the decryption key to obtain plaintext data;
a sending unit 903, configured to send plaintext data to the service function server.
As shown in fig. 10, an embodiment of the present application further provides a computer device 1000, including:
a central processing unit 1001, a memory 1002;
the memory 1002 is a transient storage memory or a persistent storage memory;
the central processing unit 1001 is configured to communicate with the memory 1002 and execute the instructions in the memory 1002 to perform the methods in the embodiments shown in fig. 3 to 7.
Embodiments of the present application also provide a computer-readable storage medium, which includes instructions that, when executed on a computer, cause the computer to perform the method in the embodiments shown in fig. 3 to 7.
Embodiments of the present application also provide a computer program product containing instructions, which when run on a computer, cause the computer to perform the method in the embodiments shown in fig. 3 to 7.
The embodiment of the present application further provides a chip system, where the chip system includes at least one processor and a communication interface, the communication interface and the at least one processor are interconnected by a line, and the at least one processor is configured to execute a computer program or instructions to perform the method in the embodiments shown in fig. 3 to fig. 7.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or all or part of the technical solution, may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.

Claims (11)

1. A ciphertext data processing method, applied to a rights management server, includes:
receiving a first permission verification request sent by a service function server, wherein the first permission verification request comprises a user identifier;
judging whether the user identification is bound with a role authorization code;
and if the user identifier is bound with the role authorization code, sending a decryption request carrying the role authorization code to a decryption server, so that the decryption server decrypts the ciphertext data determined by the decryption request by using a decryption key bound with the role authorization code to obtain plaintext data, and sends the plaintext data to the service function server.
2. The processing method according to claim 1, wherein before receiving the first right verification request sent by the service function server, the method further comprises:
generating the role authorization code in response to the received permission design request;
extracting the user identification from the permission design request, and binding the user identification and the role authorization code;
sending a key application request carrying the role authorization code to the decryption server, so that the decryption server generates the encryption key and the decryption key according to the key application request and binds the decryption key with the role authorization code; the encryption key is used for encrypting the plaintext data to obtain the ciphertext data;
and receiving the encryption key returned by the decryption server, and binding the encryption key and the role authorization code.
3. The processing method according to claim 2, wherein the encryption key and the decryption key are asymmetric keys, the encryption key is a public key, and the decryption key is a private key.
4. A method of processing according to claim 2 or 3, characterized in that the method further comprises:
receiving a second permission verification request sent by the service function server, wherein the second permission verification request comprises the user identification;
judging whether the user identification is bound with the role authorization code;
and if the user identification is bound with the role authorization code, acquiring the plaintext data and encrypting the plaintext data by using the encryption key to obtain the ciphertext data.
5. The processing method according to any one of claims 1 to 3, wherein before sending the decryption request carrying the role authorization code to the decryption server, the method further includes:
and acquiring the ciphertext data requested by the user corresponding to the user identifier, and writing the ciphertext data into the decryption request.
6. A method for processing ciphertext data is applied to a decryption server, and comprises the following steps:
receiving a decryption request sent by a right management server, wherein the decryption request comprises a role authorization code and ciphertext data, the role authorization code is a role authorization code bound by a user identifier, and the user identifier is the user identifier carried in a first right verification request sent by a service function server and received by the right management server;
determining a decryption key corresponding to the role authorization code, and decrypting the ciphertext data by using the decryption key to obtain plaintext data;
and sending the plaintext data to the service function server.
7. The processing method according to claim 6, wherein before receiving the decryption request sent by the rights management server, the method further comprises:
responding to a received key application request sent by the authority management server, and generating the matched decryption key and encryption key;
extracting the role authorization code from the key application request, and binding the decryption key and the role authorization code;
and sending the encryption key to the authority management server so that the authority management server binds the encryption key and the role authorization code.
8. A rights management server, comprising:
a receiving unit, configured to receive a first permission verification request sent by a service function server, where the first permission verification request includes a user identifier;
the judging unit is used for judging whether the user identifier is bound with a role authorization code;
and the sending unit is used for sending a decryption request carrying the role authorization code to a decryption server when the judging unit determines that the user identifier is bound with the role authorization code, so that the decryption server decrypts ciphertext data determined by the decryption request by using a decryption key bound with the role authorization code to obtain plaintext data, and sends the plaintext data to the service function server.
9. A decryption server, comprising:
a receiving unit, configured to receive a decryption request sent by a rights management server, where the decryption request includes a role authorization code and ciphertext data, the role authorization code is a role authorization code bound to a user identifier, and the user identifier is the user identifier carried in a first rights verification request sent by a service function server and received by the rights management server;
a determining unit, configured to determine a decryption key corresponding to the role authorization code, and decrypt the ciphertext data using the decryption key to obtain plaintext data;
and the sending unit is used for sending the plaintext data to the service function server.
10. A computer device, comprising:
a central processing unit, a memory;
the memory is a transient memory or a persistent memory;
the central processor is configured to communicate with the memory and execute the operations of the instructions in the memory to perform the method of any of claims 1 to 7.
11. A computer-readable storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1 to 7.
CN202111582858.XA 2021-12-22 2021-12-22 Ciphertext data processing method, authority management server and decryption server Pending CN114372242A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111582858.XA CN114372242A (en) 2021-12-22 2021-12-22 Ciphertext data processing method, authority management server and decryption server


Publications (1)

Publication Number Publication Date
CN114372242A true CN114372242A (en) 2022-04-19




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination