CN115225272A - Big data disaster recovery system, method and equipment based on domestic commercial cryptographic algorithm - Google Patents


Publication number
CN115225272A
Authority
CN
China
Prior art keywords
data
disaster recovery
encryption
ciphertext
encryption key
Legal status
Pending
Application number
CN202211140631.4A
Other languages
Chinese (zh)
Inventor
李翔宇
邓小宁
李凯
蔡路阔
柴亚林
Current Assignee
North Health Medical Big Data Technology Co ltd
Original Assignee
North Health Medical Big Data Technology Co ltd

Classifications

    • H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication
        • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L 9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
                    • H04L 9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
                        • H04L 9/0825: Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
                • H04L 9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
            • H04L 9/14: Cryptographic mechanisms or cryptographic arrangements using a plurality of keys or algorithms
        • H04L 67/00: Network arrangements or protocols for supporting network services or applications
            • H04L 67/01: Protocols
                • H04L 67/10: Protocols in which an application is distributed across nodes in the network
                    • H04L 67/1097: Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a big data disaster recovery system, method and equipment based on a domestic commercial cryptographic algorithm, belonging to the technical field of disaster recovery. The system comprises a data subsystem and a disaster recovery subsystem. The first data disaster recovery device of the data subsystem acquires backup file data from the data lake and cuts it; the first encryption machine generates a first encryption key for a first encryption algorithm and a second encryption key for a second encryption algorithm, encrypts the cut file data with the first encryption key to obtain a ciphertext, and encrypts the cut file data with the second encryption key to obtain a first data signature; the first data disaster recovery device also transmits the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup; the first key management device stores the keys and synchronizes them to the disaster recovery subsystem. The system provides higher security for remote data disaster recovery between different data centers.

Description

Big data disaster recovery system, method and equipment based on domestic commercial cryptographic algorithm
Technical Field
The invention relates to the technical field of disaster recovery, in particular to a big data disaster recovery system, a big data disaster recovery method and big data disaster recovery equipment based on a domestic commercial cryptographic algorithm.
Background
Data is inseparable from every Internet and informatization application; it is their lifeblood, and how to keep data secure and avoid data loss caused by system faults, machine room power failure, natural disasters and other factors is a problem that almost no application vendor or related personnel can avoid. Therefore, data backup is crucial.
In the related art, most backup disaster recovery systems transmit data between the backup disaster recovery server and the application server in plaintext or with software-only encryption, which leaves the system easy to attack and exposed to data leakage, key loss, cracking of ciphertext data and so on, so that an attacker can easily obtain the related data. Therefore, those skilled in the art urgently need a big data disaster recovery system with high security.
Disclosure of Invention
The invention provides a big data disaster recovery system, method and equipment based on a domestic commercial cryptographic algorithm, and realizes a big data disaster recovery system with higher security.
The invention provides a big data disaster recovery system based on a domestic commercial cryptographic algorithm, which comprises:
a data subsystem and a disaster recovery subsystem, which together provide high-security remote data disaster recovery across different data centers;
wherein the data subsystem comprises: the system comprises a first data disaster recovery device, a data lake, a first encryption machine and a first key management device, wherein the data lake, the first encryption machine and the first key management device are respectively connected with the first data disaster recovery device;
the first data disaster recovery device is used for: acquiring backup file data from the data lake, and cutting the backup file data to obtain cut file data; sending the cut file data to the first encryption machine;
the first encryption machine is configured to: generate a first encryption key of a first encryption algorithm and a second encryption key of a second encryption algorithm, encrypt the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, encrypt the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature, send the ciphertext and the first data signature to the first data disaster recovery device, and send the first encryption key and the second encryption key to the first key management device; the first encryption algorithm and the second encryption algorithm are domestic commercial cryptographic algorithms;
the first key management device is configured to: storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
the first data disaster recovery device is further configured to: and acquiring attribute information of the ciphertext as data tag information, and transmitting the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup.
Optionally, the disaster recovery subsystem includes: the system comprises a second data disaster recovery device, a disaster recovery database, a second encryption machine and a second key management device, wherein the disaster recovery database, the second encryption machine and the second key management device are respectively connected with the second data disaster recovery device;
the second data disaster recovery device is used for: matching the received ciphertext with the data tag information, and if the matching is successful, sending the ciphertext to the second encryption machine;
the second encryption machine is configured to: send request information to the second key management device, the request information requesting the first encryption key and the second encryption key; decrypt the ciphertext by using the first encryption algorithm and the first encryption key to obtain a decrypted file, and encrypt the decrypted file by using the second encryption algorithm and the second encryption key to obtain a second data signature; and send the second data signature to the second data disaster recovery device;
the second data disaster recovery device is further configured to: and matching the first data signature with the second data signature, and if the first data signature and the second data signature are successfully matched, storing the ciphertext to the backup database.
Optionally, the first data disaster recovery device is further configured to: storing the attribute information of the ciphertext, the first data signature and the backup file data; the attribute information of the ciphertext includes at least one of: file name and size of the ciphertext.
Optionally, the first encryption algorithm is the SM4 algorithm and the second encryption algorithm is the SM3 algorithm; the first encryption machine is specifically configured to: encrypt the cut file data by using the SM4 algorithm in CBC mode and the first encryption key to obtain a ciphertext, and encrypt the cut file data by using the SM3 algorithm and the second encryption key to obtain a first data signature.
Optionally, the second data disaster recovery device is further configured to: if the first data signature and the second data signature do not match, delete the ciphertext and send a data request to the first data disaster recovery device requesting that the ciphertext of the backup file data be resent.
Optionally, the first data disaster recovery device is specifically configured to: and transmitting the ciphertext and the data tag information to the disaster recovery subsystem for backup by using a network special line between the data subsystem and the disaster recovery subsystem.
The invention also provides a big data disaster recovery method based on the domestic commercial cryptographic algorithm, which is applied to the big data disaster recovery system based on the domestic commercial cryptographic algorithm in any one of the first aspect, and the method comprises the following steps:
obtaining backup file data, and cutting the backup file data to obtain cut file data;
encrypting the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, and encrypting the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature;
storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
transmitting the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup; the data tag information includes attribute information of the ciphertext.
The invention also provides electronic equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the program to realize the big data disaster recovery method based on the domestic commercial cryptographic algorithm.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a big data disaster recovery method based on a domestic commercial cryptographic algorithm as described in any of the above.
The invention also provides a computer program product, which comprises a computer program, wherein when the computer program is executed by a processor, the big data disaster recovery method based on the domestic commercial cryptographic algorithm is realized.
According to the big data disaster recovery system, method and equipment based on the domestic commercial cryptographic algorithm, the backup file data is encrypted by the data subsystem and transmitted to the disaster recovery subsystem for backup: a first encryption algorithm encrypts the backup file data to obtain a ciphertext, and a second encryption algorithm encrypts the backup file data to obtain a data signature. Because both algorithms are domestic commercial cryptographic algorithms, backup security is high and the risk of cracking is reduced, and the first key management device provides unified management of the encryption keys.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is one of the schematic diagrams of a big data disaster recovery system based on a domestic commercial cryptographic algorithm provided by the present invention;
FIG. 2 is a second schematic diagram of the big data disaster recovery system based on the domestic commercial cryptographic algorithm provided by the present invention;
FIG. 3 is an interaction flow diagram of the big data disaster recovery method based on the domestic commercial cryptographic algorithm provided by the invention;
FIG. 4 is a schematic flow chart of a big data disaster recovery method based on a domestic commercial cryptographic algorithm provided by the invention;
fig. 5 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The big data disaster recovery system provided by the embodiment of the invention is mainly suitable for various big data application technical scenes.
The encryption machines and the key management system adopted by the invention are domestically and independently developed host encryption equipment, identified and approved by the national commercial cryptography administration. The big data disaster recovery system meets national standard GB/T 397886-2021 (information security technology: basic requirements for cryptographic application in information systems) and the requirements on cryptographic algorithm use in the relevant regulations.
The technical solution of the embodiment of the present invention is described in detail with specific embodiments in conjunction with fig. 1-5. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 is a schematic diagram of a big data disaster recovery system based on a domestic commercial cryptographic algorithm according to an embodiment of the present invention. As shown in fig. 1, the big data disaster recovery system based on the domestic commercial cryptographic algorithm provided in this embodiment includes:
the system comprises a data subsystem and a disaster recovery subsystem which are deployed in different data centers;
wherein the data subsystem comprises: the system comprises a first data disaster recovery device, a data lake, a first encryption machine and a first key management device, wherein the data lake, the first encryption machine and the first key management device are respectively connected with the first data disaster recovery device;
the first data disaster recovery device is used for: acquiring backup file data from the data lake, and cutting the backup file data to obtain cut file data; sending the cut file data to the first encryption machine;
the first encryptor is configured to: generating a first encryption key of a first encryption algorithm and a second encryption key of a second encryption algorithm, encrypting the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, encrypting the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature, and sending the ciphertext and the first data signature to the first data disaster recovery device; the first encryption algorithm and the second encryption algorithm are domestic commercial cipher algorithms;
the first data disaster recovery device is further configured to: and acquiring attribute information and a first data signature of the ciphertext as data tag information, transmitting the ciphertext and the data tag information to the disaster recovery subsystem for backup, and decrypting, integrating and recovering the ciphertext according to data recovery requirements at a later stage.
Specifically, as shown in fig. 3, in the backup process the first data disaster recovery device reads file data in the data lake, cuts the file according to a preset size (for example, so that each cut file is no larger than 1 GB), and calls an interface of the first encryption machine to submit the cut file to it (the encryption interface uses SSL to establish a secure channel with the first encryption machine). After receiving an encryption request, the first encryption machine generates encryption keys for the corresponding encryption algorithms, for example keys for the SM3 and SM4 algorithms, encrypts the file with the first encryption algorithm, and encrypts each file with the second encryption algorithm to generate a data digest (for example, a 16-character string) as the first data signature;
after encryption is completed, the first encryption machine returns the encryption result (namely the ciphertext and the first data signature) to the first data disaster recovery device. The first data disaster recovery device files and records the attribute information (such as name and size) of each encrypted ciphertext file, the first data signature and the corresponding plaintext file, and the attribute information of the ciphertext file is stored as the data tag information of the file;
optionally, the data subsystem and the disaster recovery subsystem are connected by a network dedicated line, and the data subsystem transmits the encrypted ciphertext data, the data signature and the file tag to the disaster recovery subsystem for backup in a dedicated line manner.
The data lake can be built on Hadoop with a Hive architecture. For example, file data in the data lake may be read by a tool such as DBeaver integrated within the device.
Optionally, as shown in fig. 1 and fig. 2, the data subsystem further includes: a first key management device connected to the first encryption device; the first encryptor is further to: sending the first encryption key and the second encryption key to the first key management device, the first key management device being configured to: and storing the first encryption key and the second encryption key, and sending the first encryption key and the second encryption key to the second key management device for key synchronization.
Specifically, in the encryption process the first encryption machine is responsible for generating the encryption key and encrypting the cut file; the encryption key is transmitted to the first key management device for storage, and the first key management device performs full-lifecycle management of the key, such as marking, storage, backup and destruction.
In the above embodiment, the key management device stores and synchronizes the keys, so as to realize unified management of the keys, and avoid the risk of loss or leakage of the keys stored in the data disaster recovery device itself.
Optionally, the first data disaster recovery device is further configured to: storing the attribute information of the ciphertext, the first data signature and the backup file data; the attribute information of the ciphertext includes at least one of: file name and size of the ciphertext.
In this embodiment, the first encryption algorithm encrypts the backup file data to obtain the ciphertext and the second encryption algorithm encrypts the backup file data to obtain the data signature, so that security is higher and the risk of cracking is reduced, and the first key management device provides unified management of the encryption keys.
Optionally, the first encryption algorithm is an SM4 algorithm, and the second encryption algorithm is an SM3 algorithm;
for example, the data file is encrypted with the SM4 algorithm in CBC mode, and the SM3 algorithm encrypts each data file to generate a data digest (for example, a 32-character hexadecimal string) as the first data signature.
It should be noted that the first encryption algorithm and the second encryption algorithm may also be other cryptographic algorithms, or the first encryption algorithm is an SM1 algorithm, which is not limited in the embodiment of the present invention.
Optionally, as shown in fig. 2, the disaster recovery subsystem includes: the system comprises a second data disaster recovery device, a disaster recovery database, a second encryption machine and a second key management device, wherein the disaster recovery database, the second encryption machine and the second key management device are respectively connected with the second data disaster recovery device;
the second data disaster recovery device is used for: matching the received ciphertext with the data tag information, and if the matching is successful, sending the ciphertext to the second encryption machine;
the second encryption machine is configured to: send request information to the second key management device, the request information requesting the first encryption key and the second encryption key; decrypt the ciphertext by using the first encryption algorithm and the first encryption key to obtain a decrypted file, and encrypt the decrypted file by using the second encryption algorithm and the second encryption key to obtain a second data signature; and send the second data signature to the second data disaster recovery device;
the second data disaster recovery device is further configured to: and matching the first data signature with the second data signature, and if the first data signature and the second data signature are successfully matched, storing the ciphertext to the backup database.
Optionally, the second data disaster recovery device is further configured to: and if the first data signature and the second data signature are not matched successfully, deleting the ciphertext, and sending a data request to the first data disaster recovery device for requesting to resend the ciphertext of the backup file data.
Specifically, as shown in fig. 2, a second encryption machine and a second key management device of the same specification as those in the data subsystem may be deployed in the disaster recovery environment. As shown in fig. 3, the first key management device and the second key management device may be configured to implement key synchronization. After receiving a ciphertext of the backup file data, the second data disaster recovery device deployed in the disaster recovery subsystem matches the received ciphertext with the data tag information; if they match, it calls an interface of the second encryption machine to import the encrypted ciphertext into the second encryption machine. The second encryption machine at the same time sends a request to the second key management device to obtain the encryption key and decrypts the ciphertext. After decryption, the second encryption machine encrypts the decrypted plaintext data with the SM3 algorithm again to generate a new second data signature, and then feeds the new second data signature back to the second data disaster recovery device;
the second data disaster recovery device judges the integrity of the data by comparing the first data signature transmitted by the data subsystem with the newly generated second data signature, if the data is correct, the encrypted ciphertext is filed and stored, and if the data signatures are not matched, the corresponding ciphertext is deleted, and the retransmission is requested to the first data disaster recovery device.
Further, the ciphertexts of the plurality of cut files are archived and imported into the backup database.
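The two passages above (the SM3 "second encryption algorithm" that produces the first data signature, and the disaster-recovery-side check that recomputes a second signature, compares it, and either archives the ciphertext or deletes it and requests retransmission) can be exercised end to end with the following added example. It is not code from the patent or its assignee. It implements SM3 in pure Python from the GB/T 32905-2016 specification so it runs offline; it interprets "encrypting with SM3 and the second encryption key" as an HMAC-SM3 keyed digest, which is an assumption made here because SM3 itself is an unkeyed hash; it omits the SM4-CBC confidentiality layer that the patent keeps inside the encryption machine, so the verifier receives chunk plaintext the way the second encryption machine would hold it after decryption; and the file name, chunk size and key bytes are constructed values.

```python
"""Added example (not from the patent): keyed SM3 chunk signatures plus the
disaster-recovery-side verify/retransmit decision. SM3 follows GB/T 32905-2016.
The SM4-CBC layer is not implemented; verify_chunk() takes the chunk plaintext
the second encryption machine would hold after SM4 decryption (assumption)."""
import hmac
import struct
from dataclasses import dataclass

MASK = 0xFFFFFFFF


def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def _p0(x): return x ^ _rotl(x, 9) ^ _rotl(x, 17)
def _p1(x): return x ^ _rotl(x, 15) ^ _rotl(x, 23)


def sm3(msg: bytes) -> bytes:
    """256-bit SM3 digest (padding and compression per GB/T 32905-2016)."""
    v = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
         0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
    bit_len = len(msg) * 8
    # pad to 56 mod 64 bytes, then append the 64-bit big-endian bit length
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bit_len)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):  # message expansion W[16..67]
            w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                     ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        w1 = [w[j] ^ w[j + 4] for j in range(64)]  # W'[0..63]
        a, b, c, d, e, f, g, h = v
        for j in range(64):  # compression function
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK, 7)
            ss2 = ss1 ^ _rotl(a, 12)
            if j < 16:
                ff, gg = a ^ b ^ c, e ^ f ^ g
            else:
                ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & g)
            tt1 = (ff + d + ss2 + w1[j]) & MASK
            tt2 = (gg + h + ss1 + w[j]) & MASK
            d, c, b, a = c, _rotl(b, 9), a, tt1
            h, g, f, e = g, _rotl(f, 19), e, _p0(tt2)
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)


def hmac_sm3(key: bytes, msg: bytes) -> bytes:
    """HMAC over SM3 (64-byte block). This is the keyed digest the 'second encryption
    key' step needs: a bare SM3 of the chunk could be recomputed by anyone who
    tampers with the data, so it would not detect a deliberate modification."""
    key = sm3(key) if len(key) > 64 else key
    key = key.ljust(64, b"\x00")
    inner = sm3(bytes(k ^ 0x36 for k in key) + msg)
    return sm3(bytes(k ^ 0x5C for k in key) + inner)


CHUNK_SIZE = 32  # constructed; stands in for the patent's "no larger than 1 GB" cut size


@dataclass
class ChunkRecord:
    """Data tag (name, size) plus the first data signature filed per cut chunk.
    Size is the plaintext size here because the SM4 layer is omitted (assumption)."""
    name: str
    size: int
    signature: bytes


def cut_and_sign(file_name: str, data: bytes, sig_key: bytes) -> list:
    """Data subsystem side: cut the backup file and sign every chunk."""
    out = []
    for i in range(0, len(data), CHUNK_SIZE):
        chunk = data[i:i + CHUNK_SIZE]
        rec = ChunkRecord(f"{file_name}.part{i // CHUNK_SIZE}", len(chunk),
                          hmac_sm3(sig_key, chunk))
        out.append((rec, chunk))
    return out


def verify_chunk(rec: ChunkRecord, name: str, plain: bytes, sig_key: bytes) -> str:
    """Disaster recovery side: match the tag, recompute the second signature with the
    synchronized key, then decide 'store' or 'delete-and-request-resend'."""
    if name != rec.name or len(plain) != rec.size:
        return "tag-mismatch"
    second = hmac_sm3(sig_key, plain)
    # constant-time comparison so signature checks do not leak timing information
    return "store" if hmac.compare_digest(rec.signature, second) else "delete-and-request-resend"


def demo() -> dict:
    """Constructed run: a 70-byte backup file cut into 3 chunks; chunk 1 is corrupted
    in transit by a single bit flip and must trigger a retransmission request."""
    sig_key = bytes(range(16))  # constructed; the key management device would supply it
    backup = bytes(range(70))
    results = {}
    for idx, (rec, chunk) in enumerate(cut_and_sign("lake_export.parquet", backup, sig_key)):
        delivered = bytearray(chunk)
        if idx == 1:
            delivered[0] ^= 0x01
        results[rec.name] = verify_chunk(rec, rec.name, bytes(delivered), sig_key)
    return results


if __name__ == "__main__":
    print(sm3(b"abc").hex())
    print(demo())
```

Running the block prints the standard SM3 test vector for "abc" and a per-chunk decision map in which only the corrupted chunk is marked for deletion and resend. The design point worth carrying back to the patent's flow is that the second encryption machine must recompute the signature with the same synchronized key the first machine used; if the key management devices are out of sync, every chunk fails verification and the disaster recovery side floods the data subsystem with retransmit requests, which is a useful operational signal to alert on.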
In the above embodiment, the data disaster recovery system meeting the requirement of the national cryptographic algorithm specification is implemented by using the interaction among the first data disaster recovery device, the first encryption machine and the first key management device of the data subsystem, and the interaction among the second data disaster recovery device, the second encryption machine and the second key management device of the disaster recovery subsystem.
In summary, the key synchronization and management process is as follows:
1. The data subsystem and the disaster recovery subsystem are each provided with a key management device. The first key management device of the data subsystem acquires the encryption key from the first encryption machine through an interface and synchronizes the key, in master/backup mode, to the second key management device of the disaster recovery subsystem over the dedicated line.
2. The second encryption machine of the disaster recovery subsystem acquires the local key from the second key management device through the interface, decrypts the data and generates a data signature, so that the second data disaster recovery device can perform data signature verification.
The data disaster recovery system of the embodiment of the invention completes the operations of data encryption, transmission, decryption and restoration according to the flows of data reading, data segmentation, data encryption and signature, data transmission, data verification, data decryption and verification and data import.
The big data disaster recovery method based on the domestic commercial cryptographic algorithm provided by the invention is described below, and the big data disaster recovery method based on the domestic commercial cryptographic algorithm described below and the big data disaster recovery system based on the domestic commercial cryptographic algorithm described above can be referred to correspondingly.
Fig. 4 is a schematic flowchart of a big data disaster recovery method based on a domestic commercial cryptographic algorithm according to an embodiment of the present invention. As shown in fig. 4, the method provided by this embodiment includes:
step 101, obtaining backup file data, and cutting the backup file data to obtain cut file data;
step 102, encrypting the cut file data by using a first encryption algorithm and a first encryption key to obtain a ciphertext, and encrypting the cut file data by using a second encryption algorithm and a second encryption key to obtain a first data signature;
step 103, storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
step 104, transmitting the ciphertext, the data tag information and the first data signature to a disaster recovery subsystem for backup; the data tag information includes attribute information of the ciphertext.
Optionally, the method further comprises:
matching the received ciphertext with the data tag information;
if the matching is successful, decrypting the ciphertext by using the first encryption algorithm and the first encryption key to obtain a decrypted file, and encrypting the decrypted file by using the second encryption algorithm and the second encryption key to obtain a second data signature;
and matching the received first data signature with the second data signature, and if the first data signature and the second data signature are successfully matched, storing the ciphertext to the backup database.
The specific implementation process and technical effects of the method of this embodiment are the same as those of the system embodiment, and specific reference may be made to detailed descriptions in the system embodiment, which are not described herein again.
The embodiment of the invention also provides a big data disaster recovery system based on a domestic commercial cryptographic algorithm, which comprises a data subsystem and a disaster recovery subsystem deployed in different data centers;
wherein the data subsystem comprises a first server, a first data server, a first encryption machine and a first key management server;
the first server is configured to: acquiring backup file data from the first data server, and cutting the backup file data to obtain cut file data; sending the cut file data to the first encryption machine;
the first encryption machine is configured to: generating a first encryption key of a first encryption algorithm and a second encryption key of a second encryption algorithm, encrypting the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, encrypting the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature, sending the ciphertext and the first data signature to the first server, and sending the first encryption key and the second encryption key to the first key management server;
the first key management server is configured to: storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
the first server is further configured to: acquiring attribute information of the ciphertext as data tag information, and transmitting the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup.
Wherein the disaster recovery subsystem comprises a second server, a second data server, a second encryption machine and a second key management server;
the second server is configured to: matching the received ciphertext with the data tag information, and if the matching is successful, sending the ciphertext to the second encryption machine;
the second encryption machine is configured to: sending request information to the second key management server, wherein the request information is used for requesting to acquire the first encryption key and the second encryption key; decrypting the ciphertext by using the first encryption algorithm and the first encryption key to obtain a decrypted file, and encrypting the decrypted file by using the second encryption algorithm and the second encryption key to obtain a second data signature; sending the second data signature to the second server;
the second server is further configured to: matching the first data signature with the second data signature, and if the first data signature is successfully matched with the second data signature, storing the ciphertext to the second data server.
The system of this embodiment is configured to execute the method of any embodiment in the foregoing method embodiments, and the specific implementation process and technical effects thereof are the same as those in the method embodiments, which may specifically refer to the detailed description in the method embodiments, and are not described herein again.
Fig. 5 illustrates a physical structure diagram of an electronic device, which, as shown in Fig. 5, may include: a processor 810, a communication interface 820, a memory 830 and a communication bus 840, wherein the processor 810, the communication interface 820 and the memory 830 communicate with each other via the communication bus 840. The processor 810 may invoke logic instructions in the memory 830 to perform a big data disaster recovery method based on a domestic commercial cryptographic algorithm, the method comprising: acquiring backup file data, and cutting the backup file data to obtain cut file data;
encrypting the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, and encrypting the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature;
storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
transmitting the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup; the data tag information includes attribute information of the ciphertext.
In addition, the logic instructions in the memory 830 can be implemented in the form of software functional units and stored in a computer readable storage medium when sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive (U-disk), a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program code.
In another aspect, the present invention further provides a computer program product, where the computer program product includes a computer program, the computer program can be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, a computer can execute the big data disaster recovery method based on the domestic commercial cryptographic algorithm provided by the above methods, and the method includes: obtaining backup file data, and cutting the backup file data to obtain cut file data;
encrypting the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, and encrypting the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature;
storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
transmitting the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup; the data tag information includes attribute information of the ciphertext.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, performing the big data disaster recovery method based on a domestic commercial cryptographic algorithm provided by the above methods, the method comprising: obtaining backup file data, and cutting the backup file data to obtain cut file data;
encrypting the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, and encrypting the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature;
storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
transmitting the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup; the data tag information includes attribute information of the ciphertext.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, and not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A big data disaster recovery system based on a domestic commercial cryptographic algorithm, characterized by comprising:
a data subsystem and a disaster recovery subsystem which are deployed in different data centers;
wherein the data subsystem comprises a first data disaster recovery device, a data lake, a first encryption machine and a first key management device, wherein the data lake, the first encryption machine and the first key management device are each connected to the first data disaster recovery device;
the first data disaster recovery device is configured to: acquiring backup file data from the data lake, and cutting the backup file data to obtain cut file data; sending the cut file data to the first encryption machine;
the first encryption machine is configured to: generating a first encryption key of a first encryption algorithm and a second encryption key of a second encryption algorithm, encrypting the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, encrypting the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature, sending the ciphertext and the first data signature to the first data disaster recovery device, and sending the first encryption key and the second encryption key to the first key management device; the first encryption algorithm and the second encryption algorithm are domestic commercial cryptographic algorithms;
the first key management device is configured to: storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
the first data disaster recovery device is further configured to: acquiring attribute information of the ciphertext as data tag information, and transmitting the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup.
2. The big data disaster recovery system based on the domestic commercial cryptographic algorithm according to claim 1, wherein the disaster recovery subsystem comprises a second data disaster recovery device, a disaster recovery database, a second encryption machine and a second key management device, wherein the disaster recovery database, the second encryption machine and the second key management device are each connected to the second data disaster recovery device;
the second data disaster recovery device is configured to: matching the received ciphertext with the data tag information, and if the matching is successful, sending the ciphertext to the second encryption machine;
the second encryption machine is configured to: sending request information to the second key management device, wherein the request information is used for requesting to acquire the first encryption key and the second encryption key; decrypting the ciphertext by using the first encryption algorithm and the first encryption key to obtain a decrypted file, and encrypting the decrypted file by using the second encryption algorithm and the second encryption key to obtain a second data signature; sending the second data signature to the second data disaster recovery device;
the second data disaster recovery device is further configured to: matching the first data signature with the second data signature, and if the first data signature and the second data signature are successfully matched, storing the ciphertext to a backup database.
3. The big data disaster recovery system based on the domestic commercial cryptographic algorithm according to claim 1 or 2, wherein the first data disaster recovery device is further configured to: storing the attribute information of the ciphertext, the first data signature and the backup file data; the attribute information of the ciphertext includes at least one of: file name and size of the ciphertext.
4. The big data disaster recovery system based on the domestic commercial cryptographic algorithm according to claim 1 or 2, wherein the first encryption algorithm is the SM4 algorithm, and the second encryption algorithm is the SM3 algorithm; the first encryption machine is specifically configured to: encrypting the cut file data by using the CBC mode of the SM4 algorithm and the first encryption key to obtain a ciphertext, and encrypting the cut file data by using the SM3 algorithm and the second encryption key to obtain a first data signature.
5. The big data disaster recovery system based on the domestic commercial cryptographic algorithm according to claim 2, wherein the second data disaster recovery device is further configured to: if the first data signature and the second data signature are unsuccessfully matched, deleting the ciphertext, and sending a data request to the first data disaster recovery device for requesting to resend the ciphertext of the backup file data.
6. The big data disaster recovery system based on the domestic commercial cryptographic algorithm according to claim 1 or 2, wherein the first data disaster recovery device is specifically configured to: transmitting the ciphertext and the data tag information to the disaster recovery subsystem for backup by using a dedicated network line between the data subsystem and the disaster recovery subsystem.
7. A big data disaster recovery method based on a domestic commercial cryptographic algorithm is applied to the big data disaster recovery system based on the domestic commercial cryptographic algorithm according to any one of claims 1-6, and the method comprises the following steps:
acquiring backup file data, and cutting the backup file data to obtain cut file data;
encrypting the cut file data by using the first encryption algorithm and the first encryption key to obtain a ciphertext, and encrypting the cut file data by using the second encryption algorithm and the second encryption key to obtain a first data signature;
storing the first encryption key and the second encryption key, and synchronizing the first encryption key and the second encryption key to the disaster recovery subsystem;
transmitting the ciphertext, the data tag information and the first data signature to the disaster recovery subsystem for backup; the data tag information includes attribute information of the ciphertext.
8. The big data disaster recovery method based on domestic commercial cryptographic algorithm according to claim 7, further comprising:
matching the received ciphertext with the data tag information;
if the matching is successful, decrypting the ciphertext by using the first encryption algorithm and the first encryption key to obtain a decrypted file, and encrypting the decrypted file by using the second encryption algorithm and the second encryption key to obtain a second data signature;
matching the received first data signature with the second data signature, and if the matching is successful, storing the ciphertext to a backup database.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the big data disaster recovery method based on the domestic commercial cryptographic algorithm according to any one of claims 7 to 8 when executing the program.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the big data disaster recovery method based on the domestic commercial cryptographic algorithm according to any one of claims 7 to 8.
Application CN202211140631.4A, priority date 2022-09-20, filing date 2022-09-20: Big data disaster recovery system, method and equipment based on domestic commercial cryptographic algorithm (status: Pending; publication CN115225272A, en)
Publications (1)

Publication number: CN115225272A (en); publication date: 2022-10-21

Family

ID=83617633

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221021