CN115426189A - Information security protection method and system based on big data - Google Patents

Information security protection method and system based on big data Download PDF

Info

Publication number
CN115426189A
CN115426189A CN202211083335.5A CN202211083335A CN115426189A CN 115426189 A CN115426189 A CN 115426189A CN 202211083335 A CN202211083335 A CN 202211083335A CN 115426189 A CN115426189 A CN 115426189A
Authority
CN
China
Prior art keywords
key
data
user
sub
node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202211083335.5A
Other languages
Chinese (zh)
Inventor
孙娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CN202211083335.5A priority Critical patent/CN115426189A/en
Publication of CN115426189A publication Critical patent/CN115426189A/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an information security protection method and system based on big data, wherein the method comprises the following steps: s1, a key management node generates a user characteristic key according to user characteristic information and transmits the user characteristic key to a user node; s2, the user node generates a data encryption key according to the received characteristic key and the own equipment encryption key; s3, the user node encrypts the target data by adopting a data encryption key to obtain encrypted data; s4, the user node generates a sub-key according to the data encryption key; s5, the user node integrates the first sub-secret key into the encrypted data to obtain an integrated data packet and transmits the integrated data packet to the cloud storage server; the user node transmits the second sub-key to the key management node; s6, the big data analysis module acquires the integration data packet from the cloud storage server, acquires a second sub-key from the key management node, and restores the data encryption key to decrypt the encrypted data to obtain target data. The invention is beneficial to improving the security of enterprise big data acquisition and storage.

Description

Information security protection method and system based on big data
Technical Field
The invention relates to the technical field of information security protection, in particular to an information security protection method and system based on big data.
Background
With the development of big data analysis technology, more and more enterprises can build or access big data analysis systems so as to further analyze and process the data of the enterprises by using the big data analysis technology, thereby realizing the effective utilization of data resources.
At present, most of big data analysis systems built for enterprises transmit data collected in the enterprises to an intermediate medium such as a unified cloud server for storage, and when model big data analysis is needed, relevant data are called from the cloud server to complete data analysis. However, in the prior art, the part of information transfer or storage such as a cloud server is generally managed by a third party, and the security protection performance of the part is lower than that of an enterprise internal device, and the part of information transfer or storage is a target of malicious attack or intrusion.
Disclosure of Invention
Aiming at the problem that a third-party data storage part such as a cloud server is easy to have the safety of big data information storage in the prior art, the invention aims to provide an information safety protection method and an information safety protection system based on big data.
The purpose of the invention is realized by adopting the following technical scheme:
in a first aspect, the present invention provides an information security protection method based on big data, including:
s1, a key management node receives user characteristic information transmitted by a user node, generates a user characteristic key according to the user characteristic information and transmits the user characteristic key to the user node;
s2, the user node generates a data encryption key according to the received characteristic key and the self equipment encryption key;
s3, the user node encrypts the target data by adopting a data encryption key to obtain encrypted data;
s4, the user node generates two sub-keys according to the data encryption key, wherein the first sub-key and the second sub-key are added to obtain the data encryption key;
s5, the user node integrates the first sub-secret key into the encrypted data to obtain an integrated data packet, and the integrated data packet is transmitted to the cloud storage server;
the user node transmits the second sub-key to the key management node;
s6, when the big data analysis module needs to obtain original data, the big data analysis module obtains an integrated data packet from the cloud storage server, obtains a second sub-secret key from the secret key management node, restores a data encryption secret key according to the first sub-secret key and the second sub-secret key in the integrated data packet, and decrypts the encrypted data according to the data encryption secret key to obtain target data.
In one embodiment, step S1 comprises:
the user characteristic information comprises user identity information;
when target data is required to be uploaded, the user node sends identity verification information to the key management node;
the key management node extracts user identity information according to the received identity authentication information;
and the key management node calculates a corresponding hash value according to the extracted user identity information, acquires a corresponding user characteristic key according to the obtained hash value, and transmits the user characteristic key back to the user node.
In one embodiment, in step S1, the authentication information includes a user account and a corresponding user password;
and the key management node performs user identity authentication according to the received user account and the user password, and acquires corresponding user identity information after the authentication is passed.
In one embodiment, in step S1, a user node acquires a face image of a user in real time and transmits the face image to a key management node;
and the key management node performs identity recognition according to the received face image of the user to obtain user identity information.
In one embodiment, in step S2, the device encryption key is an encryption key corresponding to the smart device belonging to the user node.
In one embodiment, in step S3, the user node symmetrically encrypts the target data by using the data encryption key to obtain encrypted data;
the target data comprises target files, enterprise operation data, enterprise management data and enterprise human resource management data.
In one embodiment, step S4 includes:
the user node randomly generates two interference data, wherein the sum of the two interference data is zero;
the user node divides the data encryption key into two sub-key strings, wherein the sum of the two sub-key strings is zero;
generating two sub-keys according to the sub-key strings and the interference data, wherein the first sub-key is the sum of the first sub-key string and the first interference data; the second subkey is the sum of the second subkey string and the second interference data.
In one embodiment, in step S5, the user node performs Paillier homomorphic encryption according to the first sub-key and the second sub-key, respectively, to obtain an encrypted first sub-key and an encrypted second sub-key;
the user node integrates the encrypted first sub-key into the encrypted data to obtain an integrated data packet, and transmits the integrated data packet to the cloud storage server;
and the user node transmits the encrypted second sub-key to the key management node, and the key management node correspondingly records the encrypted second sub-key and the target data information.
In one embodiment, step S5 comprises: a user node generates a homomorphic encryption key and a homomorphic decryption key;
the user node performs homomorphic encryption on the first sub-secret key and the second sub-secret key based on the homomorphic encryption secret key, and transmits a decryption secret key to the big data analysis module;
in one embodiment, step S5 comprises: the user node receives the homomorphic encryption key transmitted by the big data analysis module,
and the user node performs homomorphic encryption on the first sub-secret key and the second sub-secret key based on the homomorphic encryption secret key to obtain the encrypted sub-secret keys.
In one embodiment, step S6 includes:
the big data analysis module acquires an integrated data packet of the target data from the cloud storage server and acquires a corresponding second sub-key from the key management node according to the target data information;
the big data analysis module performs a sum operation according to the first sub-secret key and the second sub-secret key to obtain an encryption secret key;
and performing homomorphic decryption according to the obtained encryption key to obtain a data encryption key; and decrypting the encrypted data according to the obtained data encryption key to obtain the target data.
In a second aspect, the invention provides an information security protection system based on big data, which comprises a user node, a key management node, a big data analysis module and a cloud storage server; wherein the content of the first and second substances,
the key management node is used for receiving the user characteristic information transmitted by the user node, generating a user characteristic key according to the user characteristic information and transmitting the user characteristic key to the user node;
the user node is used for generating a data encryption key according to the received characteristic key and the own equipment encryption key;
the user node is also used for encrypting the target data F by adopting a data encryption key to obtain encrypted data;
the user node is also used for generating two sub-keys according to the data encryption key, wherein the first sub-key and the second sub-key are added to obtain the data encryption key;
the user node is also used for integrating the first sub-secret key into the encrypted data to obtain an integrated data packet and transmitting the integrated data packet to the cloud storage server;
the cloud storage server is used for storing the integrated data packet corresponding to the target data;
the user node is also used for transmitting the second subkey to the key management node;
when the big data analysis module needs to acquire original data, the big data analysis module is used for acquiring an integrated data packet from the cloud storage server, acquiring a second sub-key from the key management node, restoring a data encryption key according to the first sub-key and the second sub-key in the integrated data packet, and decrypting encrypted data F' according to the data encryption key to obtain target data.
The invention has the beneficial effects that:
1) When target data is encrypted, the key management node generates a corresponding user characteristic key according to user characteristic information transmitted by the user node, and the user node adaptively generates a data encryption key according to the user characteristic key and the equipment encryption key to finish the encryption of the target data, so that the reliability of the encryption key is improved, and the data security problem caused by key leakage due to the fact that fixed key encryption is adopted in the traditional data encryption is avoided.
The user identity information is identified in a mode of a face image of the user, so that the key management node can accurately acquire the user identity information and extract a corresponding characteristic key, and further generate a data encryption key according to the characteristic key, and the security level of the data encryption key is improved.
2) The method is characterized in that a key management node is specially arranged to uniformly manage encryption keys adopted in the data encryption process, after data encryption is completed, a user node divides the encryption keys into two parts which are respectively stored in the key management node and a cloud storage server, when target data needs to be obtained, corresponding keys need to be respectively obtained from the key management node and the cloud storage server to be combined to obtain decryption keys, the data security problem caused when information leakage occurs in the cloud storage server or the key management node is avoided, the security of enterprise target data collection and storage is improved, and a foundation is laid for further performing big data analysis based on enterprise data.
3) The key division method based on homomorphic encryption is provided, the key is divided into sub-keys which are respectively stored in the key management node and the cloud storage server, the problem of key leakage is effectively avoided, and meanwhile the reliability of key storage management is improved.
Drawings
The invention is further illustrated by means of the attached drawings, but the embodiments in the drawings do not constitute any limitation to the invention, and for a person skilled in the art, other drawings can be obtained on the basis of the following drawings without inventive effort.
Fig. 1 is a flowchart of an information security protection method based on big data according to an embodiment of the present invention;
fig. 2 is a block diagram of an information security protection system based on big data according to an embodiment of the present invention.
Detailed Description
The invention is further described in connection with the following application scenarios.
Referring to fig. 1, an embodiment of the present invention provides a big data-based information security protection method, including:
s1, a key management node receives user characteristic information transmitted by a user node, generates a user characteristic key R according to the user characteristic information, and transmits the user characteristic key to the user node;
in a scene, a user node comprises intelligent equipment inside an enterprise, the data generated inside the enterprise is uploaded to a cloud storage server by the user node to build a database, target data are stored in the cloud storage server, and the target data are called when a big data analysis module analyzes big data.
The secret management node comprises a unified management server built in an enterprise, wherein the key management node is connected with each user node through an intranet respectively to complete key management work aiming at each user node and target data. In general, the key management node does not allow a common user to log in, and data stored in the key management node is provided with tamper-proof protection.
The cloud storage server is built based on a third-party data storage server, and the big data analysis module can be built based on the inside of an enterprise or a third-party big data analysis engine.
In one embodiment, step S1 comprises:
the user characteristic information comprises user identity information;
when target data is required to be uploaded, the user node sends identity verification information to the key management node;
the key management node extracts user identity information according to the received identity authentication information;
and the key management node calculates a corresponding hash value according to the extracted user identity information, acquires a corresponding user characteristic key R according to the obtained hash value, and transmits the user characteristic key back to the user node.
And the key management node calculates a corresponding hash value according to the user identity information of the user node, wherein the key management node stores corresponding information of the hash value and the user characteristic key, and returns the user characteristic key R to the user node according to the calculated hash value. By means of the mode of applying the user characteristic key to the user identity information hash value, when the user node encrypts the target data, the user node can be used as one of the factors for generating the encryption key according to the current user identity information, the target data is encrypted in a dynamic key mode, the data encryption safety is improved, and the safety problem caused by key leakage due to the fact that fixed key encryption is adopted is avoided.
In one embodiment, in step S1, the authentication information includes a user account and a corresponding user password;
and the key management node performs user identity authentication according to the received user account and the user password, and acquires corresponding user identity information after the authentication is passed.
In one embodiment, in step S1, a user node acquires a face image of a user in real time and transmits the face image to a key management node;
and the key management node performs identity recognition according to the received face image of the user to obtain user identity information.
The user identity information is identified in a mode of a user face image, so that the key management node can accurately acquire the user identity information and extract a corresponding characteristic key, and further generate a data encryption key according to the characteristic key, and the security level of the data encryption key is improved.
In one embodiment, the key management node performs identity recognition according to a received face image of a user, and includes:
the key management node preprocesses the received user face image;
the key management node extracts the features of the preprocessed user face image to obtain user face feature information;
and the key management node matches the obtained user face characteristic information with standard user face characteristic information prestored in a database to obtain user identity information corresponding to the user face characteristic information.
The key management node is also provided with an image processing module which is specially used for identifying and processing the face image of the user, so that the requirement of identifying the identity information of the user according to the face image of the user can be met.
In an enterprise office scene, the user face image acquired in real time through the user node is easily influenced by illumination of the using environment of the intelligent device or environmental noise, so that the problem that the acquired user face image is unclear is solved, and the accuracy of user identity identification is influenced. Therefore, when the key management node receives the face image of the user, the face image of the user is preprocessed firstly, so that the definition of the face image of the user can be effectively improved, and the accuracy and the reliability of the identity information of the user identified according to the face image of the user in the follow-up process can be improved.
In one embodiment, the key management node preprocesses a received user face image, and specifically includes:
performing wavelet decomposition on the received user face image for 1 time by adopting a set wavelet base db2 to obtain a high-frequency component image and a low-frequency component image of the user face image; the high-frequency component image is a high-frequency component image obtained by combining HL, LH and HH components;
sequentially traversing each pixel point in the high-frequency component image by adopting a 3 multiplied by 3 window, and calculating the noise characteristic value of each pixel point:
Figure BDA0003834097320000061
wherein Y (x, Y) represents the noise characteristic value of the central pixel (x, Y) in the 3 × 3 window, H (x, Y) represents the gray value of the pixel (x, Y),
Figure BDA0003834097320000062
representing the gray average of each neighborhood pixel in the 3 x 3 window, (a, b) representing the neighborhood pixels in the 3 x 3 window, H (a, b) representing the value of the neighborhood pixel (a, b),
Figure BDA0003834097320000063
expressing the gray value standard deviation of each neighborhood pixel point in a 3 multiplied by 3 window, wherein R, G and B respectively express R, G and B channels of the obtained user face image, R (x, y), G (x, y) and B (x, y) respectively express R, G and B pixel values of the pixel point (x, y) in the R, G and B channels of the obtained user face image, R (a, B), G (a, B) and B (a, B) respectively express R, G and B pixel values of the pixel point (a, B) in the R, G and B channels of the obtained user face image; omega a Denotes the edge detection factor, ω a ∈[0.3,0.5],ω b Indicates a specific detection factor, omega b ∈[0.3,0.5],ω c Denotes a color gamut detection factor, where ω c ∈[0.1,0.3]Wherein, ω is abc ∈[0.9,1.1];
The noise characteristic value Y (x, Y) of the pixel point and the set noise threshold value T are compared z Making a comparison, wherein T z =T 1z ×τ θ ,T 1 Indicating a set standard noise threshold, where T 1 ∈[50,100],τ θ Expressing the standard deviation of the gray value, omega, of each pixel point in the high-frequency component image z Denotes a variable adjustment factor, where ω z ∈[0.2,0.3]
When r (x, y) is not less than T z And when the pixel points (x, y) are marked as noise pixel points, and the gray values of the pixel points (x, y) in the high-frequency component image are adjusted:
Figure BDA0003834097320000064
in the formula, H' (x, y) represents the gray value of the pixel point (x, y) after the gray value adjustment,
Figure BDA0003834097320000065
indicating that the neighborhood pixels (a, b) do not belong to noise pixels, ω d Denotes the mean adjustment factor, where ω d ∈[0.8,1],ω e Denotes a variable adjustment factor, where ω e ∈[0.1,0.2];
After the gray value adjustment of each noise pixel point is completed in sequence, an adjusted high-frequency component image is obtained;
converting the low-frequency component image from an RGB color space to a Lab color space to obtain a brightness component L, a color component a and a color component b of the low-frequency component image;
sequentially traversing each pixel point in the brightness component by adopting a 3 multiplied by 3 window, and adjusting the brightness of the brightness component value of each pixel point:
Figure BDA0003834097320000071
wherein L' (x, y) represents a luminance component value of the luminance-adjusted pixel (x, y),
Figure BDA0003834097320000072
representing the mean value of the luminance components, L, of each pixel in a window centred on pixel (x, y) θ Expressing the average value of the brightness components of each pixel point of the low-frequency component image, L T Represents a set standard luminance component value, wherein L T ∈[66,72]Max (L) and min (L) respectively represent the maximum value and the minimum value of the brightness component of each pixel point of the low-frequency component image, L (x, y) represents the brightness component value of the central pixel point (x, y) in the 3 x 3 window, and omega (L) represents the brightness component value of the central pixel point in the 3 x 3 window f Denotes a window adjustment factor, where ω f ∈[0.7,0.9],ω g Denotes a global adjustment factor, where ω g ∈[0.1,0.2],ω h Denotes a local point adjustment factor, where ω f ∈[0.1,0.2];
Adjusting the brightness component values of the pixel points in sequence to obtain an adjusted brightness component L';
reconstructing according to the adjusted brightness component L', the color component a and the color component b to obtain an adjusted low-frequency component image;
and reconstructing according to the adjusted high-frequency component image and the adjusted low-frequency component image to obtain a preprocessed user face image.
In the above embodiment, a technical scheme is provided for preprocessing a user face image by a key management node, where the user face image acquired in real time by a user node is easily affected by ambient illumination or ambient noise used by an intelligent device, so that the acquired user face image is unclear, and the received user face image is divided into a low-frequency component image and a high-frequency component image based on wavelet decomposition, and for the problem of noise interference existing in the image, especially for the self-adaptive noise point detection of the high-frequency component image, especially for the technical scheme for detecting noise points by combining noise characteristic values with a dynamic threshold according to image change characteristics, so that high-frequency noise pixel points in the image can be accurately detected based on gray value change and RGB change characteristics in the high-frequency component image, and the noise pixel points are automatically adjusted and smoothed, thereby facilitating elimination of noise interference in the image. Meanwhile, aiming at the problem of overall unsharpness in the image, especially aiming at the low-frequency component image, the brightness component adjustment is carried out, and the brightness component of each pixel point can be adjusted in a self-adaptive mode according to the brightness component change of each pixel point and the overall brightness level of the image, so that the overall definition level of the image is improved, and the detail information of the face image of a user can be highlighted. The method combines the preprocessing mode of the face image of the high-frequency component image and the low-frequency component image, can effectively remove noise interference in the image and improve the definition of the image, and is favorable for improving the accuracy and reliability of subsequently identifying the user identity information according to the face image of the user.
S2, the user node generates a data encryption key K1 according to the received characteristic key R and the own equipment encryption key S;
in one embodiment, in step S2, wherein the data encryption key K1= R + S.
The device encryption key is an encryption key corresponding to the intelligent device belonging to the user node.
By combining the characteristic key corresponding to the user identity information and the equipment encryption key corresponding to the user node intelligent equipment to generate the data encryption key for finally encrypting the target data, the encryption key can be constructed based on the multi-dimensional characteristic information, and the security of data encryption is improved.
S3, the user node encrypts the target data F by adopting the data encryption key K1 to obtain encrypted data F' = Encrypt (K1, F);
in one embodiment, in step S3, the user node symmetrically encrypts the target data F by using the data encryption key K1 to obtain encrypted data F' = Encrypt (K1, F);
the target data comprises target files, enterprise operation data, enterprise management data, enterprise human resource management data and the like.
In one scenario, a user node arranged in an enterprise automatically encrypts target data generated by the user node and transmits the target data to a cloud storage server to continue uniform storage management.
S4, the user node generates two sub-keys according to the data encryption key K1, wherein the first sub-key and the second sub-key are added to obtain a data encryption key;
in one embodiment, step S4 includes:
a user node randomly generates a set of interference data { g1, g2}, wherein g1+ g2=0;
the user node divides the data encryption key K1 into two sub-key strings { K1, K2}, wherein K1+ K2= K1;
generating two sub-keys according to the sub-key string { k1, k2} and the interference data { g1, g2}, wherein the first sub-key 1= k1+ g1; the second subkey 2= k2+ g2.
After the target data is encrypted, the user node divides the data encryption key into two sub-keys for respective storage management, wherein in the processing process of the sub-keys, interference data are added to the sub-keys, and the problem of information safety caused by key leakage in the key storage process can be effectively avoided.
S5, the user node integrates the first sub-secret key into the encrypted data F' to obtain an integrated data packet P, and transmits the integrated data packet P to the cloud storage server;
the user node transmits the second sub-key to the key management node;
in one embodiment, in step S5,
the user node respectively performs Paillier homomorphic encryption according to the first sub-key 1 and the second sub-key 2 to obtain encrypted sub-keys keyp1 and keyp2;
the user node integrates the encrypted first sub-key keyp1 into the encrypted data F ', an integrated data packet P = { F', keyp1}, and transmits the integrated data packet P to the cloud storage server;
and the user node transmits the encrypted second sub-key keypad 2 to the key management node, and the key management node correspondingly records the encrypted second sub-key keypad 2 and the target data information.
In one embodiment, in step S5, the user node generates a homomorphic encryption key Et and a decryption key Kt;
the user node homomorphically encrypts the first sub-key 1 and the second sub-key 2 based on the homomorphic encryption key Et, and transmits the decryption key Kt to the big data analysis module.
In one embodiment, in step S5, the user node receives the homomorphic encryption key Et transmitted by the big data analysis module,
the user node homomorphically encrypts the first sub-key 1 and the second sub-key 2 based on the homomorphic encryption key Et to obtain encrypted sub-keys keyp1 and keyp2.
The two sub-keys are encrypted based on a homomorphic encryption mode and are respectively stored in the cloud storage server and the key management node, so that the problem of key leakage caused by the fact that the cloud storage server or the key management node is attacked can be solved, and the security of encrypted data is improved.
S6, when the big data analysis module needs to obtain original data, the big data analysis module obtains an integrated data package P from the cloud storage server, obtains a second sub-secret key from the secret key management node, restores a data encryption secret key K1 according to the first sub-secret key and the second sub-secret key in the integrated data package P, and decrypts the encrypted data F' according to the data encryption secret key to obtain target data.
In one embodiment, step S6 includes:
the big data analysis module acquires an integrated data packet P = { F', keyp1} of target data from the cloud storage server, and acquires a corresponding second sub-key keyp2 from the key management node according to target data information;
the big data analysis module performs a sum operation according to the first sub-key keypad 1 and the second sub-key keypad 2 to obtain an encryption key keypad = keypad 1+ keypad 2;
and performing homomorphic decryption according to the obtained encryption key to obtain a data encryption key K1; and decrypting the encrypted data F' according to the obtained data encryption key K1 to obtain the target data F.
When the big data analysis module needs to call the target data, the sub-keys of the target data need to be acquired from the key management node and the cloud storage server respectively, and the data encryption key of the target data is restored by adopting a homomorphic decryption mode to decrypt the target data, so that the original target data is obtained.
In one embodiment, the method further comprises:
and S7, the big data analysis module performs data analysis based on the big data analysis model according to the acquired target data to obtain a corresponding big data analysis result.
The big data analysis module can further analyze and process the big data of the target data according to the requirements, for example, a preset big data analysis model is adopted to further analyze the enterprise operation data, the enterprise management data and the like, and a big data analysis result is obtained, so that the requirements of enterprise big data analysis and management under different scenes are met.
Corresponding to the above proposed big data based information security protection method, referring to fig. 2, an information security protection system based on big data includes a user node, a key management node, a big data analysis module, and a cloud storage server; wherein the content of the first and second substances,
the key management node is used for receiving the user characteristic information transmitted by the user node, generating a user characteristic key R according to the user characteristic information and transmitting the user characteristic key to the user node;
the user node is used for generating a data encryption key K1 according to the received characteristic key R and the own equipment encryption key S;
the user node is further configured to Encrypt the target data F by using the data encryption key K1 to obtain encrypted data F' = Encrypt (K1, F);
the user node is also used for generating two sub-keys according to the data encryption key K1, wherein the first sub-key and the second sub-key are added to obtain a data encryption key;
the user node is also used for integrating the first sub-secret key into the encrypted data F' to obtain an integrated data packet and transmitting the integrated data packet to the cloud storage server;
the cloud storage server is used for storing the integrated data packet corresponding to the target data;
the user node is also used for transmitting the second subkey to the key management node;
when the big data analysis module needs to acquire original data, the big data analysis module is used for acquiring an integrated data packet from the cloud storage server, acquiring a second sub-key from the key management node, restoring a data encryption key according to the first sub-key and the second sub-key in the integrated data packet, and decrypting encrypted data F' according to the data encryption key to obtain target data.
It should be noted that, the information security protection system based on big data proposed above is also used to implement a specific embodiment corresponding to each method step in the information security protection method based on big data shown in fig. 1, and the description of the present invention is not repeated here.
Information security protection method and system based on big data provided by the invention
1) When target data is encrypted, the key management node generates a corresponding user characteristic key according to user characteristic information transmitted by the user node, and the user node adaptively generates a data encryption key according to the user characteristic key and the equipment encryption key to complete encryption of the target data, so that the reliability of the encryption key is improved, and the data security problem caused by key leakage due to the fact that fixed key encryption is adopted in traditional data encryption is avoided.
The user identity information is identified in a user face image mode, so that the key management node can accurately acquire the user identity information and extract a corresponding characteristic key, and further generate a data encryption key according to the characteristic key, and the security level of the data encryption key is improved.
2) The method is characterized in that a key management node is specially arranged to uniformly manage encryption keys adopted in the data encryption process, after data encryption is completed, a user node divides the encryption keys into two parts which are respectively stored in the key management node and a cloud storage server, when target data needs to be obtained, corresponding keys need to be respectively obtained from the key management node and the cloud storage server to be combined to obtain decryption keys, the data security problem caused when information leakage occurs in the cloud storage server or the key management node is avoided, the security of enterprise target data collection and storage is improved, and a foundation is laid for further performing big data analysis based on enterprise data.
3) The key division method based on homomorphic encryption is provided, the key is divided into sub-keys which are respectively stored in the key management node and the cloud storage server, the problem of key leakage is effectively avoided, and meanwhile the reliability of key storage management is improved.
It should be noted that, functional units/modules in the embodiments of the present invention may be integrated into one processing unit/module, or each unit/module may exist alone physically, or two or more units/modules are integrated into one unit/module. The integrated units/modules may be implemented in the form of hardware, or may be implemented in the form of software functional units/modules.
From the above description of embodiments, it is clear for a person skilled in the art that the embodiments described herein can be implemented in hardware, software, firmware, middleware, code or any appropriate combination thereof. For a hardware implementation, a processor may be implemented in one or more of the following units: an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a processor, a controller, a microcontroller, a microprocessor, other electronic units designed to perform the functions described herein, or a combination thereof. For a software implementation, some or all of the procedures of an embodiment may be performed by a computer program instructing associated hardware. In practice, the program may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a computer. Computer-readable media can include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the protection scope of the present invention, although the present invention is described in detail with reference to the preferred embodiments, it should be analyzed by those skilled in the art that modifications or equivalent substitutions can be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. An information security protection method based on big data is characterized by comprising the following steps:
s1, a key management node receives user characteristic information transmitted by a user node, generates a user characteristic key according to the user characteristic information and transmits the user characteristic key to the user node;
s2, the user node generates a data encryption key according to the received characteristic key and the self equipment encryption key;
s3, the user node encrypts the target data by adopting a data encryption key to obtain encrypted data;
s4, the user node generates two sub-keys according to the data encryption key, wherein the first sub-key and the second sub-key are added to obtain the data encryption key;
s5, the user node integrates the first sub-secret key into the encrypted data to obtain an integrated data packet, and the integrated data packet is transmitted to the cloud storage server;
the user node transmits the second sub-key to the key management node;
s6, when the big data analysis module needs to obtain original data, the big data analysis module obtains an integrated data packet from the cloud storage server, obtains a second sub-secret key from the secret key management node, restores a data encryption secret key according to the first sub-secret key and the second sub-secret key in the integrated data packet, and decrypts the encrypted data according to the data encryption secret key to obtain target data.
2. The big data-based information security protection method according to claim 1, wherein step S1 comprises:
the user characteristic information comprises user identity information;
when target data is required to be uploaded, the user node sends identity authentication information to the key management node;
the key management node extracts user identity information according to the received identity authentication information;
and the key management node calculates a corresponding hash value according to the extracted user identity information, acquires a corresponding user characteristic key according to the obtained hash value, and transmits the user characteristic key back to the user node.
3. The big data-based information security protection method according to claim 2, wherein in step S1, the authentication information includes a user account and a corresponding user password;
the key management node carries out user identity authentication according to the received user account and the user password, and acquires corresponding user identity information after the authentication is passed;
and/or the presence of a gas in the gas,
in the step S1, a user node collects a face image of a user in real time and transmits the face image to a key management node;
and the key management node performs identity recognition according to the received face image of the user to obtain user identity information.
4. The method for information security protection based on big data as claimed in claim 2, wherein in step S2, the device encryption key is an encryption key corresponding to the smart device belonging to the user node.
5. The information security protection method based on big data according to claim 4, wherein in step S3, the user node symmetrically encrypts the target data by using a data encryption key to obtain encrypted data;
the target data comprises target files, enterprise operation data, enterprise management data and enterprise human resource management data.
6. The big data-based information security protection method according to claim 5, wherein the step S4 comprises:
the user node randomly generates two interference data, wherein the sum of the two interference data is zero;
the user node divides the data encryption key into two sub-key strings, wherein the sum of the two sub-key strings is zero;
generating two sub-keys according to the sub-key strings and the interference data, wherein the first sub-key is the sum of the first sub-key string and the first interference data; the second subkey is the sum of the second subkey string and the second interference data.
7. The information security protection method based on big data according to claim 6, wherein in step S5, the user node performs Paillier homomorphic encryption according to the first sub-secret key and the second sub-secret key respectively to obtain an encrypted first sub-secret key and an encrypted second sub-secret key;
the user node integrates the encrypted first sub-secret key into encrypted data to obtain an integrated data packet, and transmits the integrated data packet to a cloud storage server;
and the user node transmits the encrypted second sub-key to the key management node, and the key management node correspondingly records the encrypted second sub-key and the target data information.
8. The big data-based information security protection method according to claim 6, wherein step S5 comprises: a user node generates a homomorphic encryption key and a homomorphic decryption key;
the user node performs homomorphic encryption on the first sub-secret key and the second sub-secret key based on the homomorphic encryption secret key, and transmits a decryption secret key to the big data analysis module;
or the like, or, alternatively,
the user node receives the homomorphic encryption key transmitted by the big data analysis module,
and the user node performs homomorphic encryption on the first sub-secret key and the second sub-secret key based on the homomorphic encryption secret key to obtain the encrypted sub-secret keys.
9. The big data-based information security protection method according to claim 7, wherein step S6 includes:
the big data analysis module acquires an integrated data packet of the target data from the cloud storage server and acquires a corresponding second sub-key from the key management node according to the target data information;
the big data analysis module performs sum operation according to the first sub-secret key and the second sub-secret key to obtain an encryption secret key;
and performing homomorphic decryption according to the obtained encryption key to obtain a data encryption key; and decrypting the encrypted data according to the obtained data encryption key to obtain the target data.
10. The information security protection system based on the big data is characterized by comprising a user node, a key management node, a big data analysis module and a cloud storage server; wherein the content of the first and second substances,
the key management node is used for receiving the user characteristic information transmitted by the user node, generating a user characteristic key according to the user characteristic information and transmitting the user characteristic key to the user node;
the user node is used for generating a data encryption key according to the received characteristic key and the own equipment encryption key;
the user node is also used for encrypting the target data F by adopting a data encryption key to obtain encrypted data;
the user node is also used for generating two sub-keys according to the data encryption key, wherein the first sub-key and the second sub-key are added to obtain the data encryption key;
the user node is also used for integrating the first sub-secret key into the encrypted data to obtain an integrated data packet and transmitting the integrated data packet to the cloud storage server;
the cloud storage server is used for storing the integrated data packet corresponding to the target data;
the user node is also used for transmitting the second subkey to the key management node;
when the big data analysis module needs to acquire original data, the big data analysis module is used for acquiring an integrated data packet from the cloud storage server, acquiring a second sub-key from the key management node, restoring a data encryption key according to the first sub-key and the second sub-key in the integrated data packet, and decrypting encrypted data F' according to the data encryption key to obtain target data.
CN202211083335.5A 2022-09-06 2022-09-06 Information security protection method and system based on big data Withdrawn CN115426189A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211083335.5A CN115426189A (en) 2022-09-06 2022-09-06 Information security protection method and system based on big data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211083335.5A CN115426189A (en) 2022-09-06 2022-09-06 Information security protection method and system based on big data

Publications (1)

Publication Number Publication Date
CN115426189A true CN115426189A (en) 2022-12-02

Family

ID=84203274

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211083335.5A Withdrawn CN115426189A (en) 2022-09-06 2022-09-06 Information security protection method and system based on big data

Country Status (1)

Country Link
CN (1) CN115426189A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116383844A (en) * 2023-03-31 2023-07-04 深圳市博通智能技术有限公司 Automatic comprehensive management analysis system, method, medium and equipment based on big data

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116383844A (en) * 2023-03-31 2023-07-04 深圳市博通智能技术有限公司 Automatic comprehensive management analysis system, method, medium and equipment based on big data
CN116383844B (en) * 2023-03-31 2024-02-09 深圳市博通智能技术有限公司 Automatic comprehensive management analysis system, method, medium and equipment based on big data

Similar Documents

Publication Publication Date Title
US11595210B2 (en) Accurate, real-time and secure privacy-preserving verification of biometrics or other sensitive information
EP3905087B1 (en) Method and system for selective and privacy-preserving anonymization
CN113870999B (en) Remote disease intelligent diagnosis system and auxiliary diagnosis method based on algorithm, medical image and blockchain
Yang et al. Efficient Secure Data Provenance Scheme in Multimedia Outsourcing and Sharing.
CN106936775A (en) A kind of authentication method and system based on fingerprint recognition
CN116383793B (en) Face data processing method, device, electronic equipment and computer readable medium
CN115426189A (en) Information security protection method and system based on big data
Mohanty et al. PANDORA: Preserving privacy in PRNU-based source camera attribution
CN115801382A (en) User information authentication method and system
Wang et al. TPE-ISE: approximate thumbnail preserving encryption based on multilevel DWT information self-embedding
CN114596639A (en) Biological feature recognition method and device, electronic equipment and storage medium
Bentafat et al. Towards real-time privacy-preserving video surveillance
CN114090994A (en) Face recognition authentication method and system based on block chain
Jasmine et al. A privacy preserving based multi-biometric system for secure identification in cloud environment
CN112398861A (en) Encryption system and method for sensitive data in web configuration system
Han et al. The privacy protection framework for biometric information in network based CCTV environment
Alsamaraee et al. A crypto-steganography scheme for IoT applications based on bit interchange and crypto-system
US20210073396A1 (en) System and Method for Secure Image Embeddings
CN113190858B (en) Image processing method, system, medium and device based on privacy protection
CN113052044A (en) Method, apparatus, computing device, and medium for recognizing iris image
CN116522382B (en) Application program user information protection method and system
CN112968859A (en) Encryption storage system for work privacy data
Agarwala et al. Client side secure image deduplication using DICE protocol
CN113052045A (en) Method, apparatus, computing device and medium for recognizing finger vein image
Lin et al. A Privacy-Preserving Gait Recognition Scheme Under Homomorphic Encryption

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20221202