Ciphertext searching method, device and system based on security gateway
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a ciphertext search method, apparatus, and system based on a security gateway.
Background
With the development of the internet, cloud storage and cloud computing are favored by users by virtue of the advantages of remote access service, low cost, high reliability of data, easy expansion of storage space and the like, become more and more important in daily life, and individuals and enterprises store own data in the cloud. However, since the data management in the cloud is out of the supervision of the user, many sensitive information is easy to be leaked, and the security of the data in the cloud storage is also receiving more and more attention from the cloud service provider and the user.
In order to prevent private data from being revealed, the data owner generally encrypts the private data first and then stores the encrypted private data in the cloud, but this brings another problem that when a user needs to retrieve a ciphertext file, the cloud server can only retrieve the file name of the ciphertext of the user because the cloud server has no key of the user, and the method lacks protection of keywords of the ciphertext, and reveals some information of the user data to a certain extent.
At present, the ciphertext search scheme often needs to dissimilate and solidify a standard encryption algorithm, for example, in order to realize ciphertext matching, an initialization vector IV in a symmetric encryption algorithm is set to be a fixed value, so that random encryption is changed into deterministic encryption, and the cost is that the strength of the encryption algorithm is reduced. The standard general encryption algorithm is supported, and meanwhile, the ciphertext search function is supported, which is a contradictory problem, and even if the same plaintext is encrypted by the standard, the same plaintext becomes different ciphertexts, so that the ciphertext is difficult to search. In addition, the cloud performs searching, because no index is stored locally, the index is stored in the cloud in an encrypted mode, and search keywords are associated with ciphertext indexes of the cloud through inquiring the single-shot function, the single-shot function cannot be dynamically changed and expanded, and therefore complex search requests cannot be supported. Therefore, the searchability and security problems of ciphertext in cloud storage have become an urgent issue to be resolved.
Disclosure of Invention
In view of the problems existing in the background art, the invention aims to provide a ciphertext search method, a ciphertext search device and a ciphertext search system based on a security gateway, which solve the problems of searchability and security of ciphertext.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
in a first aspect, the invention discloses a ciphertext search method based on a security gateway, which comprises the following steps:
Step 1, receiving an uploading request of a user side, extracting the content of application data, encrypting the application data, uploading an encrypted ciphertext to a first application server, and returning an encrypted ciphertext identifier by the first application server;
Step 2, extracting keywords of the application data, constructing a corresponding index, encrypting the index, storing an index ciphertext to the second application server, and returning an index ciphertext identifier after the second application server receives the index ciphertext;
step 3, associating the index with the index ciphertext identifier and the encrypted ciphertext identifier;
Step 4, receiving a query request of the user terminal, converting the search keyword into the corresponding index ciphertext, and initiating a search query request to the second application server;
Step 5, returning the corresponding index ciphertext identifier according to the second application server to obtain the corresponding encrypted ciphertext identifier;
and step 6, initiating a request to the first application server by using the encrypted ciphertext identifier to obtain the corresponding encrypted ciphertext, and returning the encrypted ciphertext to the user side.
Further, in the step 1, an encryption key set corresponding to the application data is obtained according to a preset encryption rule; the encryption key set includes one or more keys for encrypting one or more content data of the application data; and encrypting one or more content data in the application data by using the encryption key group according to a preset encryption rule to obtain the encrypted ciphertext.
Further, inputting a search keyword, converting the search keyword into the index, and obtaining a corresponding encrypted ciphertext identifier according to a mapping function between the index ciphertext and the encrypted ciphertext identifier if the index ciphertext corresponding to the index exists; if the search keyword is input, converting the search keyword into the index, and if the index ciphertext corresponding to the index does not exist, newly adding the corresponding index and the index ciphertext according to a mapping function between the search keyword and the index.
Further, the index supporting the multi-keyword ordering function is constructed, and the specific steps are as follows:
Step 101, segmenting an application data set to obtain a dictionary set containing all keywords;
102, calculating the occurrence frequency of each word in any one of the application data;
step 103, calculating the inverse document frequency of the application data;
104, obtaining a corresponding inverted list according to the keywords, and calculating the relevance scores of the application data and the search keywords;
and 105, selecting a plurality of application data corresponding to the high-correlation scores as the multi-keyword ordering encryption ciphertext.
Further, constructing an inverted index using the keyword as a directory by using the application data index using the application data as a directory, including:
Step 201, traversing an application data linked list to obtain a keyword set corresponding to each application data;
Step 202, constructing a keyword chain table for each keyword;
step 203, for each keyword, acquiring a corresponding application data set, and storing the application data set in a corresponding keyword linked list.
Further, the index with fuzzy keyword searching is constructed, and the specific steps are as follows:
Step 301, based on a finite state automaton, judging whether the search keyword is similar to the index keyword or not by using an editing distance to obtain a similar keyword set with the editing distance smaller than n, wherein the editing distance refers to the minimum editing operation times required from the search keyword to the index keyword;
And 302, inquiring the local index by using the similar keyword set to obtain the corresponding encrypted ciphertext identifier, and obtaining the encrypted ciphertext according to the encrypted ciphertext identifier.
Further, in the step 4, after receiving the query request sent by the user terminal, analyzing the query request to obtain user identity information, and verifying whether the user terminal has access rights according to the user identity information; and if the user side has the access right, sending the query request to the second application server.
In a second aspect, the present invention also discloses a ciphertext search system based on a security gateway, which comprises:
The receiving module is configured to receive an application data uploading request sent by a user side; receiving a data search request sent by the user side; receiving an encrypted ciphertext identifier returned by the first application server; receiving an index ciphertext identifier returned by the second application server; receiving an encrypted ciphertext returned by the first application server;
the analysis module is configured to analyze the application data uploading request to obtain application data;
The first encryption module is configured to encrypt the application data to obtain the encrypted ciphertext, and send the encrypted ciphertext to the first application server;
The index construction module is configured to extract keywords from the application data and construct corresponding indexes;
The second encryption module is configured to encrypt the index to obtain an index ciphertext and send the index ciphertext to a second application server;
an association module configured to associate the index with the index ciphertext identifier and the encrypted ciphertext identifier;
The search module is configured to analyze the data search request to obtain a search keyword, transform the search keyword into the corresponding index ciphertext and initiate a search query request to the second application server;
A forwarding request module configured to initiate a request to the first application server using the index ciphertext identifier;
And the first return module is configured to return the encrypted ciphertext to the user side.
Further, the ciphertext search system based on the security gateway further comprises a verification module, wherein the verification module is configured to analyze the application data acquisition request to obtain user identity information, and verify whether the user terminal has access rights according to the user identity information.
In a third aspect, the invention also discloses a ciphertext search system based on the security gateway, which comprises a user side, a first application server, a second application server and the ciphertext search device, wherein the user side is in communication connection with the ciphertext search device, and the ciphertext search device is respectively in communication connection with the first application server and the second application server.
Aiming at the scheme, the invention has at least the following beneficial effects:
When application data is uploaded to an application server, the method and the device enable the first application server to be incapable of checking the application data uploaded by a user by storing the encrypted ciphertext obtained by encrypting the application data to the first application server, and ensure the safety of the application data uploaded by the user; the key words of the application data are extracted, the corresponding index is constructed, the index is encrypted, and the index ciphertext is stored in the second application server, so that the second application server cannot check the key words of the application data uploaded by the user, and information leakage of the user can be avoided to a certain extent; the index is associated with the index ciphertext identifier returned by the second application server and the encrypted ciphertext identifier returned by the first server, so that the application data and the index can be in one-to-one correspondence, and complex search requests can be supported;
when a user inquires application data, the invention initiates a search query request to a second application server by converting the search keyword into the corresponding index ciphertext, so that the second application server can not know the keyword information of the application data, thereby avoiding information leakage; because the index ciphertext is associated with the index ciphertext identifier and the encrypted ciphertext identifier, the corresponding index ciphertext identifier is returned according to the second application server, and the corresponding encrypted ciphertext identifier can be obtained; and initiating a request to the first application server by using the encrypted ciphertext identifier to obtain a corresponding encrypted ciphertext, and returning the encrypted ciphertext to the user terminal, wherein the encrypted data is used in the whole process of uploading data and inquiring the data by the user, so that the safety and searchability of the user information are ensured.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a ciphertext search method based on a security gateway according to an embodiment of the present invention.
Fig. 2 is a block diagram illustrating an operation of an application of a ciphertext search apparatus based on a security gateway according to an embodiment of the present invention.
Fig. 3 is a block diagram of a security gateway-based ciphertext search system according to an embodiment of the invention.
Detailed Description
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments of the present invention will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
As shown in fig. 1, the present embodiment provides a ciphertext search method based on a security gateway, which includes the following steps:
S1, receiving an uploading request of a user side, extracting the content of application data, encrypting the application data, storing an encrypted ciphertext to a first application server, receiving the encrypted ciphertext by the first application server, and returning an encrypted ciphertext identifier;
S2, extracting keywords of the application data, constructing a corresponding index, encrypting the index, storing an index ciphertext to a second application server, receiving the index ciphertext by the second application server, and returning an index ciphertext identifier;
s3, associating the index with the index ciphertext identifier and the encrypted ciphertext identifier;
S4, receiving a query request of a user side, converting the search keyword into a corresponding index ciphertext, and initiating a search query request to a second application server;
S5, returning the corresponding index ciphertext identifier according to the second application server to obtain a corresponding encrypted ciphertext identifier;
s6, initiating a request to the first application server by using the encrypted ciphertext identifier to obtain a corresponding encrypted ciphertext, and returning the encrypted ciphertext to the user side.
Preferably, in S1, an encryption key set corresponding to application data is obtained according to a preset encryption rule; the encryption key set includes one or more keys for encrypting one or more content data of the application data; and encrypting one or more content data in the application data by using the encryption key group according to a preset encryption rule to obtain an encrypted ciphertext. The embodiment of the invention can directly use the currently commonly used general encryption algorithm, such as the international general encryption algorithm of AES, RSA and the like, and the national commercial passwords of SM2, SM4, SM9 and the like to realize encryption search without changing the encryption algorithm, thereby ensuring the encryption strength.
Preferably, a search keyword is input, the search keyword is converted into an index, an index ciphertext corresponding to the index exists, and a corresponding encrypted ciphertext identifier is obtained according to a mapping function between the index ciphertext and the encrypted ciphertext identifier; if the search keyword is input, the search keyword is converted into an index, and an index ciphertext corresponding to the index does not exist, the corresponding index is newly added according to a mapping function between the search keyword and the index, the newly added index is encrypted to obtain the corresponding index ciphertext, the index ciphertext is stored in a second application server, and the second application server returns an index ciphertext identifier. Since the previous extraction of the keywords is performed by a computer, the extraction is not perfect, and therefore, the search keywords can be perfected by newly adding the search keywords without index ciphertext to the index, and the search habit of the user is further complied.
There are some embodiments for constructing an index supporting a multi-keyword ordering function, which specifically includes the steps of:
Step 101, segmenting an application data set to obtain a dictionary set containing all keywords;
102, calculating the occurrence frequency of each word in any application data;
step 103, calculating the inverse document frequency of the application data;
104, obtaining a corresponding inverted list according to the keywords, and calculating the relevance scores of the application data and the search keywords;
And 105, selecting a plurality of application data corresponding to the high-correlation scores as the multi-keyword ordering encryption ciphertext.
When a user inputs a plurality of keywords to search, the computer can calculate the relevance scores of different keywords in the application data by adding a plurality of keyword ordering functions, so that the application data most relevant to the keywords are arranged, and the search of the user on the application data is saved.
Preferably, constructing an inverted index using a keyword as a directory by using an application data index using application data as a directory, includes:
Step 201, traversing an application data linked list to obtain a keyword set corresponding to each application data;
step 202, constructing a keyword chain table for each keyword;
step 203, for each keyword, acquiring a corresponding application data set, and storing the application data set in a corresponding keyword linked list.
There are some embodiments for constructing an index supporting fuzzy keyword searching, which specifically includes the steps of:
step 301, based on a finite state automaton, judging whether the search keyword is similar to the index keyword or not by using an editing distance to obtain a similar keyword set with the editing distance smaller than n, wherein the editing distance refers to the minimum editing operation times required from the search keyword to the index keyword;
and 302, inquiring the local index by using the similar keyword set to obtain a corresponding encrypted ciphertext identifier, and obtaining the encrypted ciphertext according to the encrypted ciphertext identifier.
The fuzzy index is constructed, so that a user can conveniently increase the search range, and the searched application data is perfect.
Preferably, in S4, after receiving the query request sent by the user terminal, the query request is parsed to obtain user identity information, and whether the user terminal has access rights is verified according to the user identity information; and if the user side has the access right, sending the query request to the second application server.
As shown in fig. 2, this embodiment further provides a ciphertext search system based on a security gateway, including:
the receiving module is configured to receive an application data uploading request sent by a user side; receiving a data search request sent by a user terminal; receiving an encrypted ciphertext identifier returned by the first application server; receiving an index ciphertext identifier returned by the second application server; receiving an encrypted ciphertext returned by the first application server;
The analysis module is configured to analyze the application data uploading request to obtain application data;
The first encryption module is configured to encrypt the application data to obtain an encrypted ciphertext, and send the encrypted ciphertext to the first application server;
The index construction module is configured to extract keywords from the application data and construct corresponding indexes;
the second encryption module is configured to encrypt the index to obtain an index ciphertext and send the index ciphertext to the second application server;
an association module configured to associate the index with the index ciphertext identifier and the encrypted ciphertext identifier;
The search module is configured to analyze the data search request to obtain a search keyword, transform the search keyword into a corresponding index ciphertext and initiate a search query request to the second application server;
A forwarding request module configured to initiate a request to a first application server using the index ciphertext identifier;
and the first return module is configured to return the encrypted ciphertext to the user side.
Preferably, the system further comprises a verification module, wherein the verification module is configured to analyze the application data acquisition request to obtain user identity information, and verify whether the user terminal has access rights according to the user identity information.
As shown in fig. 3, this embodiment further provides a ciphertext search system based on a security gateway, where the user side is communicatively connected to a ciphertext search device, and the ciphertext search device is communicatively connected to a first application server and a second application server respectively. The user side is in communication connection with the first application server and the second application server through the ciphertext search device, so that the information security of the user is ensured.
The embodiment does not bind the application data and the index and upload the application data and the index to the same application server as in the prior art, and does not use keywords to refer to the application server when searching the application data.
When the application data is uploaded to the application server, the encrypted ciphertext obtained by encrypting the application data is stored in the first application server, so that the first application server cannot check the application data uploaded by the user, and the safety of the application data uploaded by the user is ensured; the key words of the application data are extracted, the corresponding index is constructed, the index is encrypted, and the index ciphertext is stored in the second application server, so that the second application server cannot check the key words of the application data uploaded by the user, and information leakage of the user can be avoided to a certain extent; the index is associated with the index ciphertext identifier returned by the second application server and the encrypted ciphertext identifier returned by the first server, so that the application data and the index can be in one-to-one correspondence, and complex search requests can be supported;
When a user inquires application data, the search keyword is converted into the corresponding index ciphertext, and a search inquiry request is initiated to a second application server, so that the second application server cannot learn keyword information of the application data, and information leakage is avoided; because the index ciphertext is associated with the index ciphertext identifier and the encrypted ciphertext identifier, the corresponding index ciphertext identifier is returned according to the second application server, and the corresponding encrypted ciphertext identifier can be obtained; and initiating a request to the first application server by using the encrypted ciphertext identifier to obtain a corresponding encrypted ciphertext, and returning the encrypted ciphertext to the user terminal, wherein the encrypted data is used in the whole process of uploading data and inquiring the data by the user, so that the safety and searchability of the user information are ensured.
The functional modules in the embodiments of the present invention may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
It should be noted that, for the sake of simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the present invention is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the present invention.