CN114584378B - Data processing method, device, electronic equipment and medium - Google Patents


Publication number
CN114584378B
Authority
CN
China
Prior art keywords
data
ciphertext
check value
plaintext
signature
Prior art date
Legal status
Active
Application number
CN202210213958.3A
Other languages
Chinese (zh)
Other versions
CN114584378A (en
Inventor
陈增伟
陈清江
陈福龙
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Application filed by China Construction Bank Corp
Priority to CN202210213958.3A
Publication of CN114584378A
Application granted
Publication of CN114584378B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure provides a data processing method, which can be applied to the technical field of cloud computing. The data processing method comprises the following steps: responding to the data conversion request, inputting the data from the first system into a pre-configured template engine, and generating data in a target format; converting the data in the target format into at least one piece of data with preset length, and carrying out data signature on the at least one piece of data with preset length by using an asymmetric encryption algorithm; and in response to receiving a symmetric key agreed with the second system and generated by the first system by adopting a symmetric encryption algorithm, encrypting at least one piece of data with preset length after data signing according to the symmetric key to obtain at least one piece of ciphertext data and a check value of the at least one piece of ciphertext data, and sending the at least one piece of ciphertext data and the check value of the at least one piece of ciphertext data to the second system. The present disclosure also provides a data processing apparatus, device, storage medium, and program product.

Description

Data processing method, device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of cloud computing technology, and may be applied to the field of financial technology, and more particularly, to a data processing method, apparatus, device, medium, and program product.
Background
Currently, most front-end systems are built on physical machines, and communication requests are carried and processed by middleware. Data conversion is either transparent transmission of data or mapping between different message or file formats, and has to be developed and implemented separately for each transaction interface. Secure transmission of the data is achieved by using a dedicated line, the SFTP transmission protocol, and a virtual private network.
However, these approaches fail to meet the increasing user demands, both in terms of system cost and in terms of secure transmission of data.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a data processing method, apparatus, device, medium, and program product capable of simultaneously satisfying the need for improving data transmission security while reducing costs.
According to a first aspect of the present disclosure, there is provided a data processing method comprising: responding to the data conversion request, inputting the data from the first system into a pre-configured template engine, and generating data in a target format; converting the data in the target format into at least one piece of data with preset length, and carrying out data signature on the at least one piece of data with preset length by using an asymmetric encryption algorithm; and in response to receiving a symmetric key agreed with a second system and generated by the first system by adopting a symmetric encryption algorithm, encrypting the data with at least one preset length after data signing according to the symmetric key to obtain at least one ciphertext data and a check value of the at least one ciphertext data, and sending the at least one ciphertext data and the check value of the at least one ciphertext data to the second system.
According to an embodiment of the present disclosure, before the data received from the first system is input to the preconfigured template engine to generate the data in the target format in response to the data conversion request, the method further includes: and in response to detecting that the business transaction task starts to be executed, sending a symmetric key updating request to the first system so that the first system adopts a symmetric encryption algorithm to update the symmetric key agreed with the second system.
According to an embodiment of the present disclosure, the data from the first system includes a target second system; the method further comprises the steps of: carrying out identity authentication on the data from the first system to obtain a first identity authentication result; responding to the received response data from the second system, and carrying out identity authentication on the response data from the second system to obtain a second identity authentication result; and determining whether the second system is the target second system according to the first identity authentication result and the second identity authentication result.
According to a second aspect of the present disclosure, there is provided another data processing method, applied to a terminal, including: in response to receiving at least one ciphertext data and a first check value of the at least one ciphertext data, calculating the check value of the at least one ciphertext data by adopting an inverse algorithm of a symmetric encryption algorithm, and obtaining a second check value; under the condition that the first check value is consistent with the second check value, a symmetric key which is generated by the first system through a symmetric encryption algorithm and is agreed with the second system is called; decrypting the at least one ciphertext data based on the symmetric key to obtain at least one plaintext data; and performing verification signature processing on the at least one plaintext data, and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data under the condition of passing the verification.
According to an embodiment of the disclosure, the verifying and signing the at least one plaintext data, and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data if the at least one plaintext data passes the verification, includes: invoking a public key agreed by the first system and the second system, decrypting the signature of the at least one plaintext data, and obtaining a first signature result; decrypting the signature of the at least one plaintext data by adopting an inverse algorithm of a symmetric encryption algorithm to obtain a second signature result; determining whether the at least one plaintext data passes verification according to the first signature result and the second signature result; and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data if the verification is passed.
A third aspect of the present disclosure provides a data processing apparatus comprising: the generation module is used for responding to the data conversion request, inputting the data from the first system into a pre-configured template engine and generating data in a target format; the data signing module is used for converting the data in the target format into at least one piece of data with preset length and signing the data with the preset length by using an asymmetric encryption algorithm; and the data encryption module is used for responding to the received symmetric key which is generated by the first system and is agreed with the second system by adopting a symmetric encryption algorithm, encrypting the data with at least one preset length after data signing according to the symmetric key to obtain at least one ciphertext data and a check value of the at least one ciphertext data, and sending the at least one ciphertext data and the check value of the at least one ciphertext data to the second system.
A fourth aspect of the present disclosure provides a data processing apparatus, applied to a terminal, including: the computing module is used for responding to the received at least one piece of ciphertext data and the first check value of the at least one piece of ciphertext data, and computing the check value of the at least one piece of ciphertext data by adopting an inverse algorithm of a symmetric encryption algorithm to obtain a second check value; the calling module is used for calling a symmetric key agreed with the second system, which is generated by the first system through a symmetric encryption algorithm, under the condition that the first check value is consistent with the second check value; the decryption module is used for decrypting the at least one ciphertext data based on the symmetric key to obtain at least one plaintext data; and the verification module is used for carrying out verification signature processing on the at least one plaintext data and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data under the condition of passing verification.
A fifth aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the data processing method described above.
The sixth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described data processing method.
A seventh aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described data processing method.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a data processing method, apparatus, device, medium and program product according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a data processing method according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a schematic diagram of generating ciphertext data and a check value, in accordance with an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow chart of a data processing method according to another embodiment of the present disclosure;
FIG. 5 schematically illustrates a schematic diagram of data processing in a public cloud and target system according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a block diagram of a data processing apparatus according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a data processing apparatus according to another embodiment of the present disclosure; and
FIG. 8 schematically illustrates a block diagram of an electronic device adapted to implement a data processing method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
The embodiment of the disclosure provides a data processing method and device, which are used for generating data in a target format by responding to a data conversion request and inputting the data from a first system into a pre-configured template engine; converting the data in the target format into at least one piece of data with preset length, and carrying out data signature on the at least one piece of data with preset length by using an asymmetric encryption algorithm; and in response to receiving a symmetric key agreed with the second system and generated by the first system by adopting a symmetric encryption algorithm, encrypting at least one piece of data with preset length after data signing according to the symmetric key to obtain at least one piece of ciphertext data and a check value of the at least one piece of ciphertext data, and sending the at least one piece of ciphertext data and the check value of the at least one piece of ciphertext data to the second system.
Fig. 1 schematically illustrates an application scenario diagram of a data processing method, apparatus, device, medium and program product according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include terminal devices 101, 102, a network 104, and a server 103. The network 104 is the medium used to provide communication links between the terminal devices 101, 102 and the server 103. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 103 via the network 104 using the terminal devices 101, 102 to receive or send messages or the like. Various communication client applications may be installed on the terminal devices 101, 102, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, and the like (just examples).
The terminal devices 101, 102 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 103 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
The data processing method provided by the embodiments of the present disclosure may be generally performed by the server 103. Accordingly, the data processing apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 103. The data processing method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 103 and is capable of communicating with the terminal devices 101, 102 and/or the server 103. Accordingly, the data processing apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster different from the server 103 and capable of communicating with the terminal devices 101, 102 and/or the server 103.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The data processing method of the disclosed embodiment will be described in detail below with reference to fig. 2 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flow chart of a data processing method according to an embodiment of the present disclosure.
As shown in fig. 2, this embodiment includes operations S210 to S230, and the data processing method may be performed at a server in the public cloud.
In operation S210, data from the first system is input to a preconfigured template engine in response to a data conversion request, and data in a target format is generated.
In operation S210, the data conversion request refers to a request to convert source data. For example, request data of a service system (i.e., the first system) is converted into a unified data format, and a pre-configured template engine, such as a FreeMarker transaction template, then generates data in a target format from the unified-format data, such as data in the format required for communication with a target system. The target system may include a second system.
In operation S220, the data in the target format is converted into at least one data of a preset length, and the at least one data of the preset length is data-signed using an asymmetric encryption algorithm.
In operation S220, for example, data in a target format of any length is converted into data of a specific length: the data is converted into binary, grouped, and compressed into a digest of fixed length, for example a message digest computed with the cryptographic algorithm SM3. SM3 is a message digest algorithm that maps a message of any length to an output of fixed length and is irreversible. At the same time, an asymmetric encryption algorithm, such as the SM2 algorithm, is used to sign the data; the SM2 algorithm has high signing and key generation speeds.
In operation S230, in response to receiving the symmetric key agreed with the second system and generated by the first system using the symmetric encryption algorithm, the data with the at least one preset length after the data signing is encrypted according to the symmetric key, so as to obtain at least one ciphertext data and a check value of the at least one ciphertext data, and the at least one ciphertext data and the check value of the at least one ciphertext data are sent to the second system.
In operation S230, the symmetric key is generated by the requester (the first system) and is agreed between the requester and the target system (i.e., the second system). A symmetric encryption algorithm, such as the SM4 algorithm, is used to encrypt the data and output hexadecimal ciphertext data; encrypting in this way can greatly improve the security of data transmission.
In operation S230, a check value of the at least one ciphertext data is also determined. For example, the SM3 algorithm is used to generate a MAC value (i.e., a check value) over the whole ciphertext data, and the MAC value is sent to the second system, so that the second system knows the check value of the data as originally sent (the first check value). The second system calculates the check value of the data it actually received (the second check value) and compares the first check value with the second check value to determine whether the received data is complete, which ensures integrity during data transmission and prevents data tampering.
The data processing method provided by this embodiment can be deployed in a public cloud. A public cloud is a service that provides resources to the public; the resources are not private, and a user can use the cloud service over the Internet, so the cost is lower than that of a private cloud. In addition, the network link runs from the public cloud to the user (second system), which is simpler than a link from the public cloud through a private cloud to the user (second system).
Fig. 3 schematically illustrates a schematic diagram of generating ciphertext data and a check value, according to an embodiment of the disclosure. Referring to fig. 3, a first system 310 sends data and a generated symmetric key agreed with a second system to a data processing device 320. The data processing device mainly performs data signing and encryption, as shown in operations S210 to S230 in fig. 2, and then forwards the ciphertext data and the corresponding check value (such as at least one ciphertext data and a check value of the at least one ciphertext data) to the second system 330. In response to receiving the at least one ciphertext data and the first check value of the at least one ciphertext data, the second system 330 may calculate the check value of the at least one ciphertext data by an inverse algorithm of the symmetric encryption algorithm to obtain a second check value; in the case that the first check value is consistent with the second check value, invoke the symmetric key agreed with the second system and generated by the first system through a symmetric encryption algorithm; decrypt the at least one ciphertext data based on the symmetric key to obtain at least one plaintext data; and perform verification signature processing on the at least one plaintext data, and generate response data corresponding to the at least one ciphertext data according to the at least one plaintext data if the verification is passed. The reply data is then returned to the first system 310.
The data processing method provided by this embodiment offers a complete security authentication scheme for the secure transmission of data and ensures the security of data transmission between different systems.
According to the data processing method provided by this embodiment, the data from the first system is processed: the data is signed, the signed data is encrypted with the symmetric key that is generated by the first system and agreed between the first system and the second system, and the ciphertext data is sent to the second system together with the corresponding check value. This greatly improves the security of data transmission and reduces development cost.
The data processing method further comprises the following steps: before inputting data received from the first system to a preconfigured template engine to generate data in a target format in response to a data conversion request: and in response to detecting that the business transaction task starts to be executed, sending a symmetric key updating request to the first system so that the first system adopts a symmetric encryption algorithm to update the symmetric key agreed with the second system.
With this data processing method, the symmetric key is automatically updated during the transaction process, which provides a complete update mechanism, prevents the symmetric key from remaining unchanged throughout communication between the first system and the second system, and improves the security of the key.
For example, suppose the first communication between the first system and the second system uses symmetric key A, and data theft occurs during that first communication. If the symmetric key is unchanged, every subsequent communication from the first system to the second system can be stolen by the thief. If the update mechanism of the data processing method of this embodiment is added, that is, a symmetric key update request is sent to the first system in response to detecting that the business transaction task starts to be executed, so that the first system uses a symmetric encryption algorithm to update the symmetric key agreed with the second system, then data theft becomes more difficult in subsequent communication from the first system to the second system, and the thief cannot steal the data of every communication from the first system to the second system.
The data from the first system includes a target second system; the data processing method further comprises the following steps: carrying out identity authentication on data from a first system to obtain a first identity authentication result; responding to the received response data from the second system, and carrying out identity authentication on the response data from the second system to obtain a second identity authentication result; and determining whether the second system is a target second system according to the first identity authentication result and the second identity authentication result.
For example, while the at least one ciphertext data and the check value of the at least one ciphertext data are being sent to the second system, they are intercepted by a thief, and the thief processes the data and returns response data to the first system. However, since the response data returned by the thief was not returned by the target second system, the authentication result obtained after identity authentication of the response data, that is, the second identity authentication result, cannot match the first identity authentication result, and the second system is determined not to be the target second system. When the second system is determined not to be the target system, countermeasures such as stopping communication and updating the key are taken, which further improves the security of data transmission.
For another example, the data from the first system may be authenticated to obtain a first authentication result; responding to the received response data from the second system, and carrying out identity authentication on the response data from the second system to obtain a second identity authentication result; and comparing the first identity authentication result with the second identity authentication result, and determining that the second system is a target second system if the comparison result is matched or consistent, thereby ensuring the safe transmission of data.
According to the data processing method provided by this embodiment, comparing the first identity authentication result with the second identity authentication result corresponding to the response data makes it possible to determine whether the response data from the second system comes from the target second system. This provides a complete identity authentication mechanism for communication between the first system and the second system and improves the security of data transmission.
Fig. 4 schematically shows a flow chart of a data processing method according to another embodiment of the present disclosure.
As shown in fig. 4, this embodiment includes operations S410 to S440, and the data processing method may be performed at the terminal.
In operation S410, in response to receiving the at least one ciphertext data and the first check value of the at least one ciphertext data, the check value of the at least one ciphertext data is calculated using an inverse of the symmetric encryption algorithm, resulting in a second check value.
For example, the inverse algorithm of the cryptographic algorithm SM3 is adopted to calculate the MAC values of all the received ciphertext data, and the second check value is used for comparing with the first check value, so as to ensure the integrity of the data transmission process and prevent tampering.
In operation S420, if the first check value is identical to the second check value, the symmetric key that the first system generated using the symmetric encryption algorithm and agreed with the second system is retrieved.
Using the symmetric key that the first system generated using a symmetric encryption algorithm and agreed with the second system helps to further determine whether the received at least one ciphertext data is from the first system.
In operation S430, the at least one ciphertext data is decrypted based on the symmetric key to obtain at least one plaintext data.
For example, the decryption is performed by using a cryptographic algorithm based on the symmetric key, for example, the SM4 algorithm is used to decrypt at least one ciphertext data to obtain at least one plaintext data.
In operation S440, signature verification is performed on the at least one plaintext data, and if the verification passes, response data corresponding to the at least one ciphertext data is generated from the at least one plaintext data.
For example, the SM3 algorithm is used to calculate the digest of the at least one plaintext data, and the signature is decrypted using the public key, that is, the signature is verified; if the verification passes, response data corresponding to the at least one ciphertext data is generated from the at least one plaintext data.
In some embodiments, the format of the response data may also be changed to the data format required by the first system in the public cloud based on a pre-configured FreeMarker transaction objective.
By utilizing the data processing method provided by the embodiment, a complete safety authentication scheme is provided in the aspect of safety transmission of data, and the safety of data transmission among different systems is ensured.
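The check-value gate of operation S410, as an added example that is not code from the patent: the receiver recomputes the check value over every received ciphertext segment and compares it with the first check value in constant time, before any key retrieval or decryption. It assumes the check value is an HMAC built on SM3 under a separately shared MAC key and that segments are length-framed; the MAC key, the framing, the function names and the sample ciphertext bytes are constructed for illustration.

```python
import hmac
import struct

# SM3 (GB/T 32905-2016) in pure Python so the example runs offline.
_IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits (n is reduced mod 32)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _MASK


def _compress(v, block):
    """SM3 compression function over one 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):  # message expansion
        x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
        p1 = x ^ _rotl(x, 15) ^ _rotl(x, 23)
        w.append(p1 ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        t = 0x79CC4519 if j < 16 else 0x7A879D8A
        a12 = _rotl(a, 12)
        ss1 = _rotl((a12 + e + _rotl(t, j)) & _MASK, 7)
        ss2 = ss1 ^ a12
        if j < 16:
            ff, gg = a ^ b ^ c, e ^ f ^ g
        else:
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | (~e & g & _MASK)
        tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & _MASK
        tt2 = (gg + h + ss1 + w[j]) & _MASK
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g
    return tuple(x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h)))


def sm3(data: bytes) -> bytes:
    """Return the 32-byte SM3 digest of data."""
    padded = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
              + struct.pack(">Q", 8 * len(data)))
    v = _IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)


def hmac_sm3(key: bytes, msg: bytes) -> bytes:
    """HMAC (RFC 2104 construction) with SM3; block size is 64 bytes."""
    if len(key) > 64:
        key = sm3(key)
    key = key.ljust(64, b"\x00")
    inner = sm3(bytes(k ^ 0x36 for k in key) + msg)
    return sm3(bytes(k ^ 0x5C for k in key) + inner)


def check_value(mac_key: bytes, segments: list) -> bytes:
    """Check value over all ciphertext segments.

    Assumed framing: segment count, then each segment prefixed with its
    length, so moving a boundary, dropping or reordering a segment
    changes the MAC input.
    """
    framed = struct.pack(">I", len(segments)) + b"".join(
        struct.pack(">I", len(s)) + s for s in segments)
    return hmac_sm3(mac_key, framed)


def accept_before_decrypt(mac_key: bytes, segments: list,
                          first_check: bytes) -> bool:
    """Operation S410 gate: recompute the second check value and compare
    it with the received first check value in constant time. Only a True
    result should lead on to key retrieval and decryption (S420, S430)."""
    second_check = check_value(mac_key, segments)
    return hmac.compare_digest(first_check, second_check)


# Constructed sample data: these bytes stand in for SM4 ciphertext
# segments; the MAC key is a made-up value, not one from the patent.
MAC_KEY = bytes(range(16))
SEGMENTS = [bytes.fromhex("00112233445566778899aabbccddeeff"),
            bytes.fromhex("ffeeddccbbaa99887766554433221100")]
FIRST_CHECK = check_value(MAC_KEY, SEGMENTS)

if __name__ == "__main__":
    print("intact   :", accept_before_decrypt(MAC_KEY, SEGMENTS, FIRST_CHECK))
    print("reordered:", accept_before_decrypt(MAC_KEY, SEGMENTS[::-1], FIRST_CHECK))
```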
Performing verification signature processing on at least one plaintext data, and generating response data corresponding to at least one ciphertext data according to the at least one plaintext data in the case of passing the verification, including: invoking a public key agreed by the first system and the second system, decrypting the signature of at least one plaintext data, and obtaining a first signature result; decrypting the signature of at least one plaintext data by adopting an inverse algorithm of a symmetric encryption algorithm to obtain a second signature result; determining whether the at least one plaintext data passes verification according to the first signature result and the second signature result; and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data if the verification is passed.
In this embodiment, the signature verification process may be: retrieving the public key agreed between the first system and the second system and decrypting the signature of at least one plaintext data to obtain a first signature result; decrypting the signature of at least one plaintext data by adopting an inverse algorithm of a symmetric encryption algorithm to obtain a second signature result; determining whether the at least one plaintext data passes verification according to the first signature result and the second signature result; and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data if the verification is passed.
According to the method provided by this embodiment, whether the at least one plaintext data passes verification is determined by comparing the first signature result with the second signature result: if the two signature results match, the at least one plaintext data passes verification. Verifying the signature results in this way helps to prevent tampering and repudiation, further ensuring the security of data transmission.
For a better understanding of the present disclosure, the disclosure is further illustrated below in connection with the following examples, but the disclosure is not limited to the following examples alone.
Fig. 5 schematically illustrates a schematic diagram of data processing in a public cloud and target system according to an embodiment of the disclosure. Referring to fig. 5, for example, one data processing method provided by the present disclosure is performed in public cloud 510, and another data processing method provided by the present disclosure is performed in target system 520.
For example, this embodiment includes operations S5001 to S5014, specifically:
in operation S5001, a data conversion request is initiated by a system (first system) of an initiator in public cloud 510.
In operation S5002, for example, in response to the data conversion request, data from the first system is input to a preconfigured template engine to generate data in a target format.
In operation S5003, format conversion is performed to meet the requirements of the target system.
In operation S5004, for example, the data of the target format is converted into data of at least one preset length, and the data of the at least one preset length is signed using an asymmetric encryption algorithm.
In operation S5005, a symmetric key agreed with the second system generated by the first system using the symmetric encryption algorithm is received.
In operation S5006, in response to receiving the symmetric key agreed with the second system generated by the first system using the symmetric encryption algorithm, encrypting the data of the at least one preset length after the data signature according to the symmetric key.
In operation S5007, at least one ciphertext data and a check value of the at least one ciphertext data are obtained, and the at least one ciphertext data and the check value of the at least one ciphertext data are transmitted to the target system (second system).
In operation S5008, at least one ciphertext data and a check value of the at least one ciphertext data are received by the target system 520.
In operation S5009, the target system 520 calculates a check value of the received at least one ciphertext data to obtain a second check value, and compares the second check value with the received check value to determine the integrity of the received data.
In operation S5010, a public key agreed upon by the first system and the second system is retrieved.
In operation S5011, the signature of at least one plaintext data is decrypted using the retrieved key, resulting in a first signature result.
In operation S5012, signature verification is performed; for example, the signature of the at least one plaintext data is decrypted using an inverse algorithm of the symmetric encryption algorithm to obtain a second signature result, and whether the at least one plaintext data passes the verification is determined according to the first signature result and the second signature result.
In operation S5013, in case that the at least one plaintext data passes the verification, response data corresponding to the at least one ciphertext data is generated from the at least one plaintext data.
In operation S5014, the response data is output, such as being transmitted to the public cloud.
Based on the data processing method, the disclosure also provides a data processing device. The device will be described in detail below in connection with fig. 6.
Fig. 6 schematically shows a block diagram of a data processing apparatus according to an embodiment of the present disclosure.
As shown in fig. 6, the data processing apparatus 600 of this embodiment includes a generation module 610, a data signing module 620, and a data encryption module 630.
A generating module 610, configured to input data from the first system to a preconfigured template engine in response to a data conversion request, and generate data in a target format; a data signing module 620, configured to convert the data in the target format into at least one data with a preset length, and perform data signing on the at least one data with a preset length by using an asymmetric encryption algorithm; and a data encryption module 630, configured to encrypt the data with the at least one preset length after signing the data according to the symmetric key in response to receiving the symmetric key agreed with the second system and generated by the first system by using the symmetric encryption algorithm, obtain at least one ciphertext data and a check value of the at least one ciphertext data, and send the at least one ciphertext data and the check value of the at least one ciphertext data to the second system.
In some embodiments, the apparatus further comprises an update module configured to, before the data from the first system is input to the preconfigured template engine in response to the data conversion request to generate the data in the target format: in response to detecting that a business transaction task starts to be executed, send a symmetric key update request to the first system, so that the first system uses the symmetric encryption algorithm to update the symmetric key agreed with the second system.
In some embodiments, the data from the first system includes a target second system; the apparatus further comprises: the identity authentication module is used for carrying out identity authentication on the data from the first system to obtain a first identity authentication result; responding to the received response data from the second system, and carrying out identity authentication on the response data from the second system to obtain a second identity authentication result; and determining whether the second system is the target second system according to the first identity authentication result and the second identity authentication result.
Any of the generation module 610, the data signing module 620, and the data encryption module 630 may be combined in one module to be implemented, or any of the modules may be split into multiple modules, according to embodiments of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the generation module 610, the data signing module 620, and the data encryption module 630 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, at least one of the generation module 610, the data signing module 620 and the data encryption module 630 may be at least partially implemented as a computer program module which, when executed, may perform the corresponding functions.
Based on the data processing method, the disclosure also provides another data processing device applied to the terminal. The device will be described in detail below in connection with fig. 7.
Fig. 7 schematically shows a block diagram of a data processing apparatus according to another embodiment of the present disclosure.
As shown in fig. 7, the data processing apparatus 700 of this embodiment includes a calculation module 710, a retrieval module 720, a decryption module 730, and a verification module 740.
A calculation module 710, configured to calculate, in response to receiving at least one ciphertext data and a first check value of the at least one ciphertext data, the check value of the at least one ciphertext data using an inverse of a symmetric encryption algorithm, to obtain a second check value; a retrieving module 720, configured to retrieve a symmetric key agreed with the second system, generated by the first system using a symmetric encryption algorithm, if the first check value is consistent with the second check value; a decryption module 730, configured to decrypt the at least one ciphertext data based on the symmetric key to obtain at least one plaintext data; and a verification module 740, configured to perform verification signature processing on the at least one plaintext data, and generate response data corresponding to the at least one ciphertext data according to the at least one plaintext data if the at least one plaintext data passes through the verification.
In some embodiments, the verification module is configured to invoke a public key agreed by the first system and the second system, decrypt the signature of the at least one plaintext data, and obtain a first signature result; decrypting the signature of the at least one plaintext data by adopting an inverse algorithm of a symmetric encryption algorithm to obtain a second signature result; determining whether the at least one plaintext data passes verification according to the first signature result and the second signature result; and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data if the verification is passed.
Any of the computing module 710, the retrieving module 720, the decrypting module 730, and the verifying module 740 may be combined in one module to be implemented, or any of them may be split into a plurality of modules according to an embodiment of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the calculation module 710, the retrieval module 720, the decryption module 730, and the verification module 740 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging the circuitry, or in any one of or a suitable combination of any of the three. Alternatively, at least one of the calculation module 710, the retrieval module 720, the decryption module 730, and the verification module 740 may be at least partially implemented as a computer program module, which when executed, may perform the corresponding functions.
Fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a data processing method according to an embodiment of the disclosure.
As shown in fig. 8, an electronic device 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 801 may also include on-board memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 803, various programs and data required for the operation of the electronic device 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or the RAM 803. Note that the program may be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 800 may also include an input/output (I/O) interface 805, the input/output (I/O) interface 805 also being connected to the bus 804. The electronic device 800 may also include one or more of the following components connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 802 and/or RAM 803 and/or one or more memories other than ROM 802 and RAM 803 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the item recommendation method provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, and/or from a removable medium 811 via a communication portion 809. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in a variety of ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or integrated without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (10)

1. A data processing method, comprising:
responding to the data conversion request, inputting the data from the first system into a pre-configured template engine, and generating data in a target format;
converting the data in the target format into at least one piece of data with preset length, and carrying out data signature on the at least one piece of data with preset length by using an asymmetric encryption algorithm; and
in response to receiving a symmetric key which is generated by the first system and is agreed with the second system by adopting a symmetric encryption algorithm, encrypting the data with at least one preset length according to the symmetric key to obtain at least one ciphertext data and a check value of the at least one ciphertext data, and sending the at least one ciphertext data and the check value of the at least one ciphertext data to the second system.
2. The method of claim 1, further comprising, prior to said inputting the received data from the first system into the preconfigured template engine to generate the data in the target format in response to the data conversion request:
and in response to detecting that the business transaction task starts to be executed, sending a symmetric key updating request to the first system so that the first system adopts a symmetric encryption algorithm to update the symmetric key agreed with the second system.
3. The method of claim 1, wherein the data from the first system comprises a target second system; the method further comprises the steps of:
carrying out identity authentication on the data from the first system to obtain a first identity authentication result;
responding to the received response data from the second system, and carrying out identity authentication on the response data from the second system to obtain a second identity authentication result; and
determining whether the second system is the target second system according to the first identity authentication result and the second identity authentication result.
4. A data processing method, applied to a terminal, comprising:
in response to receiving at least one ciphertext data and a first check value of the at least one ciphertext data, calculating the check value of the at least one ciphertext data by adopting an inverse algorithm of a symmetric encryption algorithm, and obtaining a second check value;
under the condition that the first check value is consistent with the second check value, a symmetric key which is generated by the first system through a symmetric encryption algorithm and is agreed with the second system is called;
decrypting the at least one ciphertext data based on the symmetric key to obtain at least one plaintext data; and
carrying out verification signature processing on the at least one plaintext data, and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data under the condition that the at least one plaintext data passes verification.
5. The method of claim 4, wherein the verifying the signature processing on the at least one plaintext data, and generating response data corresponding to the at least one ciphertext data from the at least one plaintext data if verified, comprises:
invoking a public key agreed by the first system and the second system, decrypting the signature of the at least one plaintext data, and obtaining a first signature result;
decrypting the signature of the at least one plaintext data by adopting an inverse algorithm of a symmetric encryption algorithm to obtain a second signature result;
determining whether the at least one plaintext data passes verification according to the first signature result and the second signature result; and
generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data under the condition of passing the verification.
6. A data processing apparatus comprising:
the generation module is used for responding to the data conversion request, inputting the data from the first system into a pre-configured template engine and generating data in a target format;
the data signing module is used for converting the data in the target format into at least one piece of data with preset length and signing the data with the preset length by using an asymmetric encryption algorithm; and
the data encryption module is used for responding to the received symmetric key which is generated by the first system and is agreed with the second system by adopting the symmetric encryption algorithm, encrypting the data with at least one preset length after data signing according to the symmetric key to obtain at least one ciphertext data and a check value of the at least one ciphertext data, and sending the at least one ciphertext data and the check value of the at least one ciphertext data to the second system.
7. A data processing apparatus, applied to a terminal, comprising:
the computing module is used for responding to the received at least one piece of ciphertext data and the first check value of the at least one piece of ciphertext data, and computing the check value of the at least one piece of ciphertext data by adopting an inverse algorithm of a symmetric encryption algorithm to obtain a second check value;
the calling module is used for calling a symmetric key agreed with the second system, which is generated by the first system through a symmetric encryption algorithm, under the condition that the first check value is consistent with the second check value;
the decryption module is used for decrypting the at least one ciphertext data based on the symmetric key to obtain at least one plaintext data; and
the verification module is used for carrying out verification signature processing on the at least one plaintext data and generating response data corresponding to the at least one ciphertext data according to the at least one plaintext data under the condition of passing the verification.
8. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-5.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-5.
10. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 5.
CN202210213958.3A 2022-03-04 2022-03-04 Data processing method, device, electronic equipment and medium Active CN114584378B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210213958.3A CN114584378B (en) 2022-03-04 2022-03-04 Data processing method, device, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN114584378A CN114584378A (en) 2022-06-03
CN114584378B true CN114584378B (en) 2024-04-02

Family

ID=81774513

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210213958.3A Active CN114584378B (en) 2022-03-04 2022-03-04 Data processing method, device, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN114584378B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978573B (en) * 2022-03-30 2024-02-20 潍柴动力股份有限公司 Encryption method, device and system of OTA data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112636916A (en) * 2020-11-30 2021-04-09 捷德(中国)科技有限公司 Data processing method, data processing device, storage medium and electronic equipment
WO2021198017A1 (en) * 2020-03-31 2021-10-07 Bundesdruckerei Gmbh Personalised, server-specific authentication mechanism

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021198017A1 (en) * 2020-03-31 2021-10-07 Bundesdruckerei Gmbh Personalised, server-specific authentication mechanism
CN112636916A (en) * 2020-11-30 2021-04-09 捷德(中国)科技有限公司 Data processing method, data processing device, storage medium and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
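A Brief Discussion of Data Encryption Technology; 王江顺 (Wang Jiangshun); 科技信息 (Science & Technology Information); 20111231 (No. 1); full text *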

Also Published As

Publication number Publication date
CN114584378A (en) 2022-06-03

Similar Documents

Publication Publication Date Title
CN108540459B (en) Data storage method, device, system, electronic equipment and computer readable medium
CN114726643B (en) Data storage and access methods and devices on cloud platform
US10911538B2 (en) Management of and persistent storage for nodes in a secure cluster
CN112333198A (en) Secure cross-domain login method, system and server
CN114826733B (en) File transmission method, device, system, equipment, medium and program product
CN111698312B (en) Service processing method, device, equipment and storage medium based on open platform
US10686769B2 (en) Secure key caching client
CN114500093B (en) Safe interaction method and system for message information
US10158490B2 (en) Double authentication system for electronically signed documents
CN114584378B (en) Data processing method, device, electronic equipment and medium
CN113572763B (en) Data processing method and device, electronic equipment and storage medium
CN113094190B (en) Micro-service calling method, micro-service calling device, electronic equipment and storage medium
CN114329538A (en) Single sign-on method and device
CN113393239A (en) Transaction processing method, system, device, electronic equipment and storage medium
CN114640524B (en) Method, apparatus, device and medium for processing transaction replay attack
CN114095165B (en) Key updating method, server device, client device and storage medium
CN115001828A (en) Secure access method, system, electronic device and medium for transaction data
CN115599959A (en) Data sharing method, device, equipment and storage medium
US20210243036A1 (en) Blockchain network communication management
CN114491489A (en) Request response method and device, electronic equipment and storage medium
US20220255758A1 (en) Systems and methods for protecting data
CN113032810A (en) Information processing method, information processing apparatus, electronic device, information processing medium, and program product
CN114553570B (en) Method, device, electronic equipment and storage medium for generating token
CN114095254B (en) Message encryption method, server device, client device and storage medium
CN114785560B (en) Information processing method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant