CN115459910A - Data encryption method, device and storage medium - Google Patents


Info

Publication number: CN115459910A
Application number: CN202211073104.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 高鑫
Current Assignee: Qingdao Haier Technology Co Ltd; Haier Smart Home Co Ltd; Haier Uplus Intelligent Technology Beijing Co Ltd
Original Assignee: Qingdao Haier Technology Co Ltd; Haier Smart Home Co Ltd; Haier Uplus Intelligent Technology Beijing Co Ltd
Application filed by: Qingdao Haier Technology Co Ltd; Haier Smart Home Co Ltd; Haier Uplus Intelligent Technology Beijing Co Ltd
Prior art keywords: key; data; ciphertext; encrypted data; encryption

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/088: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to the field of data security, and in particular to a data encryption method, a data encryption device and a storage medium. The data encryption method comprises the following steps: receiving a data encryption application instruction sent by a client; creating a master key based on the application instruction, wherein the master key comprises a plaintext key and a ciphertext key; encrypting the request data with the plaintext key to obtain encrypted data; and storing the encrypted data and the ciphertext key in the database of the key management server. By deploying a key management server, data can be encrypted independently, so that data security is achieved and the cost of data protection is reduced.

Description

Data encryption method, device and storage medium
Technical Field
The present application relates to the field of data security, and in particular, to a data encryption method, apparatus, and storage medium.
Background
With the continuous development of internet technology, data has become an intangible asset of an enterprise, and preventing the leakage or theft of sensitive enterprise or personal information has become a central concern. Currently, during application development, services can be called to encrypt and decrypt data. For example, cloud service providers such as Alibaba Cloud and Huawei Cloud provide a key management service that acts as a one-stop key management and data encryption platform, offering simple, reliable, safe and compliant data encryption protection. However, encrypting data through a cloud service provider depends on a third-party service provider, so the user lacks autonomy in protecting the data and incurs high cost.
Disclosure of Invention
The technical problem to be solved by the present application is to overcome the defects in the prior art, and provide a data encryption method and apparatus based on a microservice architecture, and a storage medium.
To solve the above technical problem, the basic concept of the technical solution adopted by the present application is as follows:
According to a first aspect of the present embodiment, there is provided a data encryption method, including: receiving a data encryption application instruction sent by a client; creating a master key based on the application instruction, wherein the master key comprises a plaintext key and a ciphertext key; encrypting the request data with the plaintext key to obtain encrypted data; and storing the encrypted data and the ciphertext key in a database of a key management server.
Optionally, the creating a master key based on the application instruction includes: determining an encryption mode of a master key according to the encryption attribute of the received request data; determining the encryption type of the master key according to the application scene of the received request data; and creating a master key based on the encryption mode and the encryption type.
Optionally, the storing the encrypted data and the ciphertext key in a database of a key management server includes: determining a first relationship of the plaintext key and the ciphertext key based on a configuration of the key pair in a key management server; determining a second relation between the plaintext secret key and the encrypted data according to the plaintext secret key and the encrypted data obtained after the request data is encrypted; determining a third relationship between the ciphertext key and the encrypted data according to the first relationship and the second relationship; persisting the third relationship to a database of a key management server.
Optionally, the method for returning the encrypted data to the client based on the third relationship includes: determining the configuration relationship between the cipher text key and the encrypted data according to the third relationship; determining the address information of the encrypted data according to the configuration relationship; and returning the address information to the client.
Optionally, after storing the encrypted data and the ciphertext key in the database of the key management server, the method further includes decrypting the ciphertext data, where the decryption method includes: calling the ciphertext key in response to receiving an application to use the encrypted data; determining a first plaintext key according to the first relationship; acquiring a second plaintext key sent by the client, and decrypting the encrypted data based on the second plaintext key in response to the first plaintext key being the same as the second plaintext key; and returning the request data to the client.
Optionally, the creating a master key based on the application instruction further includes: sending a key setting frame to the client based on the application instruction; responding to a received plaintext secret key input by a user, and encrypting the request data to obtain encrypted data; creating a ciphertext key according to the plaintext key; and storing the ciphertext key and the encrypted data to a database of a key management server.
Optionally, after storing the ciphertext key and the encrypted data in the database of the key management server, the method further includes decrypting the ciphertext data, where the decryption method further includes: in response to receiving a plaintext key for using the encrypted data, invoking a first ciphertext key stored in the database of the key management server; receiving a second ciphertext key for using the encrypted data; in response to the first ciphertext key being the same as the second ciphertext key, decrypting the encrypted data based on the second ciphertext key; and returning the request data to the client.
According to a second aspect of the present embodiment, there is provided a data encryption apparatus comprising: the receiving module is configured to receive a data encryption application instruction sent by a client; the creation module is configured to create a master key based on the application instruction, wherein the master key comprises a plaintext key and a ciphertext key; the obtaining module is configured to encrypt the request data through the plaintext secret key to obtain encrypted data; a saving module configured to save the encrypted data and the ciphertext key to a database of a key management server.
Optionally, the creating module creates a master key based on the application instruction in the following manner, including: determining an encryption mode of a master key according to the encryption attribute of the received request data; determining the encryption type of the master key according to the application scene of the received request data; and creating a master key based on the encryption mode and the encryption type.
Optionally, the storing module stores the encrypted data and the ciphertext key to a database of a key management server in the following manner, including: determining a first relationship of the plaintext key and the ciphertext key based on a configuration of the key pair in a key management server; determining a second relation between the plaintext secret key and the encrypted data according to the plaintext secret key and the encrypted data obtained after the request data is encrypted; determining a third relationship between the ciphertext key and the encrypted data according to the first relationship and the second relationship; persisting the third relationship to a database of a key management server.
Optionally, the saving module adopts a method of returning the encrypted data to the client based on the third relationship, including: determining the configuration relationship between the cipher text key and the encrypted data according to the third relationship; determining the address information of the encrypted data according to the configuration relationship; and returning the address information to the client.
Optionally, after storing the encrypted data and the ciphertext key in the database of the key management server, the saving module further decrypts the ciphertext data, where the decryption method includes: calling the ciphertext key in response to receiving an application to use the encrypted data; determining a first plaintext key according to the first relationship; acquiring a second plaintext key sent by the client, and decrypting the encrypted data based on the second plaintext key in response to the first plaintext key being the same as the second plaintext key; and returning the request data to the client.
Optionally, the creating module further creates a master key based on the application instruction in the following manner, including: sending a key setting frame to the client based on the application instruction; responding to a received plaintext secret key input by a user, and encrypting the request data to obtain encrypted data; creating a ciphertext key according to the plaintext key; and storing the ciphertext key and the encrypted data to a database of a key management server.
Optionally, after the saving module stores the ciphertext key and the encrypted data in the database of the key management server, the method further includes decrypting the ciphertext data, where the decryption method further includes: in response to receiving a plaintext key for using the encrypted data, invoking a first ciphertext key stored in the database of the key management server; receiving a second ciphertext key for using the encrypted data; in response to the first ciphertext key being the same as the second ciphertext key, decrypting the encrypted data based on the second ciphertext key; and returning the request data to the client.
According to a third aspect of the present application, there is provided an electronic device, the device comprising: a processor; a memory for storing processor-executable instructions for performing the method of any of the embodiments of the present application.
According to a fourth aspect of the present application, there is provided a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method of any of the embodiments of the present application.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
A data encryption application instruction sent by a client is received; a master key is created based on the application instruction, wherein the master key comprises a plaintext key and a ciphertext key; the request data is encrypted with the plaintext key to obtain encrypted data; and the encrypted data and the ciphertext key are stored in the database of the key management server. By deploying a key management server, data can be encrypted independently, so that data security is achieved and the cost of data protection is reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below; it is obvious that those skilled in the art can obtain other drawings from these without inventive effort.
FIG. 1 is a schematic diagram of a hardware environment of an interaction method of a smart device according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of data encryption according to an embodiment of the present application;
FIG. 3 is a flow diagram of another method of data encryption according to an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating a data encryption service interaction flow according to an embodiment of the application;
FIG. 5 is a block diagram of a data encryption service component according to an embodiment of the present application;
FIG. 6 is a block diagram of an overall architecture for data encryption according to an embodiment of the present application;
FIG. 7 is a block diagram of a data encryption apparatus according to an embodiment of the present application;
FIG. 8 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, product, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements explicitly listed, but may include other steps or elements not expressly listed or inherent to such process, method, product, or apparatus. Depending on the context, the word "if" as used herein may be interpreted as "at the time of ...", "when ...", or "in response to a determination".
According to one aspect of the embodiments of the application, an interaction method of smart home devices is provided. The interaction method is widely applied in whole-house intelligent digital control scenarios such as the smart family (Smart Home), the smart home, the smart home device ecosystem, and the smart residence (Intelligent House) ecosystem. Optionally, in this embodiment, the interaction method of the smart home device may be applied to a hardware environment formed by the terminal device 102 and the server 104 as shown in FIG. 1. As shown in FIG. 1, the server 104 is connected to the terminal device 102 through a network and may be configured to provide a service (e.g., an application service) for the terminal or for a client installed on the terminal. A database may be set up on the server or independently of the server to provide a data storage service for the server 104, and a cloud computing service may be configured on the server or independently of the server to provide a data operation service for the server 104.
The network may include, but is not limited to, at least one of: a wired network and a wireless network. The wired network may include, but is not limited to, at least one of: a wide area network, a metropolitan area network, and a local area network; the wireless network may include, but is not limited to, at least one of: WIFI (Wireless Fidelity) and Bluetooth. The terminal device 102 may be, but is not limited to, a PC, a mobile phone, a tablet computer, a smart television, a smart video, a smart door lock, and the like.
With the continuous development of informatization, data information becomes an intangible asset of an enterprise, and the enterprise data information not only includes important data of the enterprise, but also includes personal sensitive data, so how an enterprise processes data security becomes an important index for measuring whether the enterprise is worthy of being favored by customers. In order to prevent data from being leaked and stolen, certain specific data needs to be encrypted and stored, various data encryption forms exist currently, support for data encryption can be achieved, but support of a third-party server needs to be relied on, and therefore the application provides a method for achieving data encryption through key management.
The following embodiments of the present application will explain a data encryption method provided by the present application with reference to the accompanying drawings.
Example one
The micro-service architecture in this embodiment may be applied to the management of data security for enterprises or individuals, and multiple servers may exist simultaneously, so that the multiple servers share one service library.
Fig. 2 is a flowchart of a data encryption method according to an embodiment of the present application, as shown in fig. 2, including steps S201-S204.
In step S201, a data encryption application instruction sent by the client is received.
The user application instruction is an instruction sent by a user to the key management server for encrypting and decrypting request data. When the key management server receives the application instruction, it calls a key from the database according to the instruction. The key management service is established by an enterprise or individual for data security; based on the requirements of the enterprise or individual, data developers can establish their own encryption and decryption methods, which reduces dependence on a third-party server.
In step S202, a master key is created based on the application instruction, wherein the master key includes a plaintext key and a ciphertext key.
When a user needs to encrypt and decrypt data, an encryption and decryption application instruction is sent to the key management server, wherein the application instruction comprises the specification of attributes such as an encryption type, an alias and an application scene of the requested data.
In this embodiment, according to the application instruction, the method for creating the master key includes the following steps:
determining an encryption mode of a master key according to the encryption attribute of the received request data;
determining the encryption type of the master key according to the application scene of the received request data;
based on the encryption mode and the encryption type, a master key is created.
The encryption attribute refers to information characteristics of request data sent by the client, and includes, but is not limited to, request data acquisition information, request data transmission information, request data storage information, request data access information, request data sharing information, request data opening information, request data destruction information, and the like. According to the acquired characteristic information of the request data, the encryption mode of the master key can be determined.
In this embodiment, the encryption mode of the master key refers to the operation through which the request data is encrypted. The user can determine the encryption level of the request data according to its characteristic information and thereby determine the encryption mode, for example: encrypting the request data by gesture, by characters, by graphics, by electronic signature, by an input fingerprint, and the like. At the client, the user can select a single encryption mode or combine several modes to encrypt the request data. The encryption modes of the key management server for the request data include, but are not limited to, direct plaintext preservation, one-way hash algorithm encryption, special hash algorithm encryption, PBKDF2, bcrypt, scrypt, Argon2, and the like.
The application scenario refers to the use of the request data sent by the client, that is, the use of the client to encrypt and decrypt the request data, and includes, but is not limited to, the financial field, the medical health field, the social network field, the educational science field, the sports field, the environmental protection and hygiene field, the food safety field, the biological data field, the retail field, the e-commerce field, the farming and pasturing field, the transportation field, and the like. According to the application scene of the acquired request data, the encryption type of the master key can be determined; determining the encryption type of the master key based on different selections of the encryption type of the master key by different application scenes; when the application scene where the request data is located needs to perform advanced encryption processing on the request data, the key management server may perform advanced encryption processing, such as asymmetric encryption, on the request data according to the application instruction; when the application scene where the request data is located needs to perform medium-level encryption processing on the request data, the key management server can perform medium-level encryption processing on the request data according to the application instruction; when the application scenario in which the request data is located needs to perform a lower-level encryption process on the request data, the key management server may perform a lower-level encryption process, such as symmetric encryption, on the request data according to the application instruction.
In this embodiment, the encryption type of the master key refers to a form through which the request data is encrypted, and the key management server may determine the key pair of the request data according to an application scenario of the request data, so as to determine the encryption type of the request data, where the encryption type of the request data in this application includes, but is not limited to, two forms of symmetric encryption and asymmetric encryption. Wherein the encryption types are distinguished based on a key pair, the key pair comprising a public key and a private key. In response to determining that the encryption type belongs to symmetric encryption, the public key and the private key are the same key; in response to determining that the encryption type is an asymmetric encryption, the public key and the private key are different keys.
Both the public key and the private key in the key pair can be used to encrypt the request data. When the public key is used to encrypt the request data, the private key is used to decrypt it. The public key is disclosed to everyone, but the private key is known only to the user or to other users whom the user informs, so the security of data encryption can be ensured. When the private key is used to encrypt the request data, the data can be decrypted with the public key; because the public key is published to everyone, anyone who knows it can decrypt the request data. However, since data may be leaked or forged, the user can perform authentication based on the private key: after someone other than the user decrypts the request data with the public key, the user can verify the decrypted data they return and judge whether it is the data the user originally encrypted, so that data leakage and data forgery can be distinguished and the security of data encryption is ensured.
In this embodiment, the encryption mode and encryption type of the data can be determined in two ways. In mode one, on receiving the user's application instruction, the key management server autonomously creates a master key according to the instruction and returns it to the client. In mode two, when the user needs to encrypt the request data, the user autonomously creates a master key and sends it to the key management server.
A master key is created according to the determined encryption mode and encryption type, thereby enabling the encryption of the request data. The master key includes a plaintext key and a ciphertext key, wherein the plaintext key is a key used for encrypting the request data, and the ciphertext key is a key used for encrypting the encrypted data. The key management server stores the ciphertext key in the database, and the plaintext key is used for encrypting and decrypting the data. The plaintext key and the ciphertext key are related through a corresponding association. For example, when the plaintext key is the character 1 and the ciphertext key is the character C, a user who needs to use the encrypted data inputs the plaintext key 1 at the client; based on the received character 1, the key management server determines the character C matching the character 1 in the database, thereby determining the ciphertext key.
The deployment of the key management server comprises the creation of a master key, wherein the mode of creating the master key can be created autonomously by a user or created by the key management server, so that the data is encrypted. Based on the deployment of the key management server, the dependence on a third-party server is reduced; the autonomy of the user for data encryption is increased, and therefore the security of data encryption is enhanced.
In step S203, the request data is encrypted by a plaintext key, and encrypted data is acquired.
Based on the plaintext key created for the request data, the request data is encrypted and the encrypted data is obtained. The plaintext key can take a symmetric or an asymmetric encryption form: if it takes the symmetric form, the public key and the private key of the plaintext key are the same; if it takes the asymmetric form, the public key and the private key of the plaintext key are different.
The encrypted data is obtained by encrypting the request data through a plaintext key.
In step S204, the encrypted data and the ciphertext key are saved to the database of the key management server.
In this embodiment, the key management server stores the ciphertext key and the encrypted data into the database, where the plaintext key is used to implement the encryption and decryption operations on the request data input at the client when the user uses the request data, and is not stored in the key management server.
In this embodiment, the method for storing the encrypted data and the ciphertext key in the database of the key management server includes the following steps:
determining a first relationship between a plaintext key and a ciphertext key based on a configuration of a key pair in a key management server;
determining a second relationship between the plaintext key and the encrypted data according to the plaintext key and the encrypted data obtained after the request data is encrypted;
determining a third relationship between the ciphertext key and the encrypted data according to the first relationship and the second relationship;
persisting the third relationship to a database of the key management server.
The first relationship is the relationship between the plaintext key and the ciphertext key. In response to receiving a data encryption application instruction from a user, the master key is called on the deployed key management server so as to determine the plaintext key and the ciphertext key; a key pair of the plaintext key and the ciphertext key is obtained according to the encryption mode and encryption type that the user determined for the request data; and the relationship between the plaintext key and the ciphertext key is determined from the correspondence between them. For example, the public key in the key pair of the plaintext key is 2 and the private key is 3, while the public key in the key pair of the ciphertext key is A and the private key is D. Based on the correspondence between the plaintext key and the ciphertext key, it is determined that the public key 2 of the plaintext key corresponds to the public key A of the ciphertext key, and the private key 3 of the plaintext key corresponds to the private key D of the ciphertext key. According to the determined correspondence between the public keys and the private keys, the key pair of the ciphertext key is determined in the database in response to receiving the plaintext key pair sent by the user.
The second relationship is the relationship between the plaintext key and the request data; the plaintext key is used by the user to encrypt and decrypt the request data at the client.
The third relationship is the relationship between the ciphertext key and the encrypted data. The correspondence between the plaintext key and the ciphertext key is determined according to the first relationship, and the correspondence between the plaintext key and the encrypted data is determined according to the second relationship; from these two correspondences, the correspondence between the ciphertext key and the encrypted data can be obtained. That is, when the user needs to use the encrypted data, the key management server may determine the ciphertext key based on the first relationship in response to receiving the plaintext key input by the user; based on the third relationship, the key management server may then determine the encrypted data from the determined ciphertext key.
In this embodiment, the method for returning the encrypted data to the client based on the third relationship includes the following steps:
determining the configuration relationship between the ciphertext key and the encrypted data according to the third relationship;
determining address information of the encrypted data according to the configuration relationship;
and returning the address information to the client.
The encrypted data is determined by the key management server according to the ciphertext key. The configuration relationship between the ciphertext key and the encrypted data can be obtained according to the third relationship, and this configuration relationship is address information, so the storage address of the encrypted data in the database of the key management server can be obtained. The encrypted data can then be returned to the client through the determined address information, and the user can decrypt the encrypted data with the plaintext key to obtain the request data.
Once the ciphertext key and the encrypted data are determined, the key management server persists the configuration into the relational database (RDS) and backs it up periodically, thereby preventing the key from being lost. Double caching is performed through the application cache and the Redis caching service, which increases the response speed of the interface when the master key is called. The application server is deployed on a container cloud, which makes it convenient for the user's development personnel to scale the database elastically and so provide a stable service.
In this embodiment, after the encrypted data and the ciphertext key are stored in the database of the key management server, the method further includes decrypting the ciphertext data, where the decryption method includes the following steps:
calling the ciphertext key in response to receiving the application for use of the encrypted data;
determining a first plaintext key according to the first relation;
acquiring a second plaintext key sent by the client, and decrypting the encrypted data based on the second plaintext key in response to the first plaintext key being the same as the second plaintext key;
and returning the request data to the client.
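The storage and decryption flow described above (master key creation, the three relationships, the returned address, and the plaintext-key comparison before decryption), as an added Python example that is not code from the patent. It assumes the ciphertext key is the plaintext key wrapped under a server-held key, which the text does not specify, and it uses an HMAC-based stand-in cipher so that it runs on the standard library alone; a deployment would use a vetted AEAD such as AES-GCM. All class, function and address names are hypothetical.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for a real stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class KeyManagementServer:
    """Hypothetical model of the key management server and its database."""

    def __init__(self) -> None:
        # Assumption: a server-held wrapping key realises the first relationship.
        self._wrapping_key = os.urandom(32)
        self._store = {}  # address -> encrypted data
        self._third = {}  # ciphertext key -> address (third relationship)

    def encrypt_request(self, request_data: bytes):
        """Create the master key, encrypt the request data, persist the result."""
        plaintext_key = os.urandom(32)
        ciphertext_key = seal(self._wrapping_key, plaintext_key)
        encrypted_data = seal(plaintext_key, request_data)
        address = "rds://constructed/blob/%d" % len(self._store)
        self._store[address] = encrypted_data
        self._third[ciphertext_key] = address
        # The plaintext key goes back to the client and is not stored here.
        return plaintext_key, ciphertext_key, address

    def address_of(self, ciphertext_key: bytes) -> str:
        """Address information that the third relationship yields."""
        return self._third[ciphertext_key]

    def decrypt(self, ciphertext_key: bytes, second_plaintext_key: bytes) -> bytes:
        """Recover the first plaintext key, compare it, then decrypt."""
        address = self._third[ciphertext_key]
        first_plaintext_key = unseal(self._wrapping_key, ciphertext_key)
        # Constant-time comparison avoids leaking key bytes through timing.
        if not hmac.compare_digest(first_plaintext_key, second_plaintext_key):
            raise PermissionError("plaintext key does not match")
        return unseal(second_plaintext_key, self._store[address])

    def persisted_blobs(self) -> list:
        """Everything the database holds, for checking what is at rest."""
        return list(self._store.values()) + list(self._third.keys())


if __name__ == "__main__":
    kms = KeyManagementServer()
    pk, ck, addr = kms.encrypt_request(b"constructed request data")
    print(addr, kms.decrypt(ck, pk))
```

Because only wrapped or encrypted blobs are persisted, a copy of the database alone does not reveal the plaintext key; the wrapping key then becomes the secret that has to be protected and backed up separately.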
Fig. 3 is a flowchart of another data encryption method according to an embodiment of the present application, as shown in fig. 3, including steps S301-S304.
In step S301, based on the application instruction, a key setting box is sent to the client.
In step S302, in response to receiving the plaintext key input by the user, the request data is encrypted to obtain encrypted data.
In step S303, a ciphertext key is created from the plaintext key.
In step S304, the ciphertext key and the encrypted data are saved to the database of the key management server.
In the present application, data can also be encrypted without the key management server creating the master key: the user can independently create the master key for the request data on the client side and return it to the key management server, so that the user can encrypt the request data autonomously.
In this embodiment, after the ciphertext key and the encrypted data are stored in the database of the key management server, the decryption method further includes the following steps:
in response to receiving a plaintext key using encrypted data, invoking a first ciphertext key stored in a database of a key management server;
receiving a second ciphertext key using the encrypted data;
decrypting the encrypted data based on the second ciphertext key in response to the first ciphertext key being the same as the second ciphertext key;
and returning the request data to the client.
Fig. 4 is a schematic diagram of an interaction flow of a data encryption service according to an embodiment of the present application. As shown in fig. 4, the data encryption method provided by the present application is implemented as an interaction between an encryption/decryption service 401 and an application scenario 402, based on centralized management of keys by a key management service.
The key management service can create corresponding encryption methods for different application scenarios, thereby ensuring the security of data encryption. In response to receiving a data encryption application instruction from a user, the key management service creates a master key based on the application instruction to provide the encryption and decryption service for the request data, wherein the master key is created based on the application scenario of the request data and comprises a plaintext key and a ciphertext key. According to the plaintext key and the ciphertext key returned by the key management server, the user can encrypt the request data with the plaintext key, thereby obtaining encrypted data. Finally, the key management service persistently stores the obtained encrypted data and the ciphertext key, so that the data is prevented from being leaked and lost and the security of data encryption is ensured.
Fig. 5 is a schematic structural diagram of a data encryption service component according to an embodiment of the present application, and as shown in fig. 5, the data encryption service component provided in the present application encrypts data based on symmetric encryption and asymmetric encryption, and is applied to an abstract factory model. Wherein, the data encryption service assembly comprises: the client 501, the classification factory 502, the classifier naming box 5021, the encryption factory 503, the create master keybox 5031, the symmetric encryption factory 504, the create first master keybox 5041, the asymmetric encryption factory 505, the create second master keybox 5051, the encryptor 506, the first encryption/decryption box 5061, the symmetric encryption 507, the second encryption/decryption box 5071, the asymmetric encryption 508, and the third encryption/decryption box 5081.
As shown in fig. 5, the encryption types for creating the master key in the present embodiment include both symmetric encryption and asymmetric encryption. In response to receiving a data encryption application instruction sent by a client, the classification factory 502 processes the application instruction and, through unified engineering processing, determines the information corresponding to the application instruction and a given classifier name. The information corresponding to the given classifier name is returned to the key management server, and the encryption type on which the application instruction encrypts data is judged from this corresponding information. The corresponding information is then input into the encryption factory 503 and the encryptor 506. Where the corresponding information indicates that the application instruction encrypts data based on symmetric encryption, the symmetric encryption factory 504 receives the symmetric key master key created by the encryption factory 503, creates a symmetric key pair based on it, and inputs the symmetric key pair into the symmetric encryption 507 to perform the encryption and decryption operations on the request data; in the symmetric encryption operation, the public key and the private key used for encrypting and decrypting the request data are the same. Where the corresponding information indicates that the application instruction encrypts data based on asymmetric encryption, the asymmetric encryption factory 505 receives the asymmetric key master key created by the encryption factory 503, creates an asymmetric key pair based on it, and inputs the asymmetric key pair into the asymmetric encryption 508 to perform the encryption and decryption operations on the request data; in the asymmetric encryption operation, the public key and the private key used for encrypting and decrypting the request data are different, so that hacking can be avoided, thereby improving data security.
Fig. 6 is a schematic diagram of an overall architecture of data encryption according to an embodiment of the present application, and as shown in fig. 6, a data encryption structure provided by the present application includes a gateway service (gateway) 601, a first server 602, a second server 603, a third server 604, a fourth server 605, a cache service (Redis) 606, and a Relational Database (RDS) 607.
As shown in fig. 6, the gateway service 601 includes a plurality of servers and forms a micro-service architecture. The application service is deployed on the container cloud, so the database can be scaled out and in and a stable service can be provided. Based on an application instruction sent by a client, the encryption type, alias and other attributes of the request data can be determined, and based on the application scenario of the request data, the type of the master key can be determined, wherein the type of the master key comprises a symmetric key and an asymmetric key; data encryption processing is thereby realized for the plurality of servers. The configuration is persisted into the relational database (RDS) 607 in response to the ciphertext key and encrypted data obtained by the data encryption processing of the plurality of servers, so as to prevent key leakage or loss. By double caching the data information in the application memory and the caching service (Redis) 606, the response speed of the interface during data transmission can be improved when the user uses the encrypted data.
In this embodiment, when the key management server first receives a data encryption application instruction sent by the user, it double-caches the configured master key in memory and in the Redis cache according to the user's master key configuration. When a user needs to use encrypted data, the key management server first looks up the master key configuration in memory; if it is not there, the server looks it up in the Redis cache; and if it is not in the Redis cache either, the server looks it up in the database. By double caching of the data, the key can be better prevented from being leaked, and therefore the security of the data is improved.
Example two
Fig. 7 is a block diagram of a data encryption apparatus according to an embodiment of the present application, and as shown in fig. 7, the apparatus 700 includes a receiving module 701, a creating module 702, an obtaining module 703 and a saving module 704.
The receiving module 701 is configured to receive a data encryption application instruction sent by a client.
The creating module 702 is configured to create a master key based on the application instruction, where the master key includes a plaintext key and a ciphertext key.
The obtaining module 703 is configured to encrypt the request data by using the plaintext key, and obtain encrypted data.
The saving module 704 is configured to save the encrypted data and the ciphertext key to a database of a key management server.
Optionally, the creating module 702 creates a master key based on the application instruction in the following manner, including: determining an encryption mode of a master key according to the encryption attribute of the received request data; determining the encryption type of the master key according to the application scene of the received request data; and creating a master key based on the encryption mode and the encryption type.
Optionally, the saving module 704 saves the encrypted data and the ciphertext key to a database of a key management server in the following manner, including: determining a first relationship of the plaintext key and the ciphertext key based on a configuration of the key pair in a key management server; determining a second relation between the plaintext secret key and the encrypted data according to the plaintext secret key and the encrypted data obtained after the request data is encrypted; determining a third relationship between the ciphertext key and the encrypted data according to the first relationship and the second relationship; persisting the third relationship to a database of a key management server.
Optionally, the saving module 704 returns the encrypted data to the client based on the third relationship in the following manner: determining the configuration relationship between the ciphertext key and the encrypted data according to the third relationship; determining the address information of the encrypted data according to the configuration relationship; and returning the address information to the client.
Optionally, after saving the encrypted data and the ciphertext key to a database of a key management server, the saving module 704 further decrypts the ciphertext data, where the decryption method includes: calling the ciphertext key in response to receiving the application for using the encrypted data; determining a first plaintext key according to the first relationship; acquiring a second plaintext key sent by a client, and decrypting the encrypted data based on the second plaintext key in response to the first plaintext key being the same as the second plaintext key; and returning the request data to the client.
Optionally, the creating module 702 further creates a master key based on the application instruction in the following manner, including: sending a key setting frame to the client based on the application instruction; responding to a received plaintext secret key input by a user, and encrypting the request data to obtain encrypted data; creating a ciphertext key according to the plaintext key; and storing the ciphertext key and the encrypted data to a database of a key management server.
Optionally, after saving the ciphertext key and the encrypted data to a database of a key management server, the saving module 704 further decrypts the ciphertext data, where the decryption method includes: in response to receiving a plaintext key using encrypted data, invoking a first ciphertext key stored in a database of a key management server; receiving a second ciphertext key using the encrypted data; in response to the first ciphertext key being the same as the second ciphertext key, decrypting the encrypted data based on the second ciphertext key; and returning the request data to the client.
With regard to the apparatus in the above embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be described in detail here.
The present application also provides a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the data encryption method provided herein.
Fig. 8 is a block diagram of an electronic device according to an embodiment of the present application. As shown in fig. 8, the electronic device includes a memory and a processor, the memory being configured to store computer instructions executable on the processor, and the processor being configured to implement the data encryption method according to any embodiment of the present application when executing the computer instructions. At least one embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored, the computer program being executed by a processor to implement any data encryption method described in the present application. As will be apparent to one skilled in the art, one or more embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
In this application, "and/or" means having at least one of the two; for example, "A and/or B" includes three schemes: A, B, and "A and B".
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on differences from other embodiments. In particular, as for the data processing apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The foregoing description has been directed to specific embodiments of this application. Other embodiments are within the scope of the following claims. In some cases, the acts or steps recited in the claims can be performed in an order different than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Embodiments of the subject matter and functional operations described in this application may be implemented in the following: digital electronic circuitry, tangibly embodied computer software or firmware, computer hardware comprising the structures disclosed in this application and their structural equivalents, or a combination of one or more of them. Embodiments of the subject matter described in this application can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on a tangible, non-transitory program carrier for execution by, or to control the operation of, data processing apparatus. Alternatively or additionally, the program instructions may be encoded on an artificially generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus for execution by the data processing apparatus. The computer storage medium may be a machine-readable storage device, a machine-readable storage substrate, a random or serial access memory device, or a combination of one or more of them.
The processes and logic flows described in this application can be performed by one or more programmable computers executing one or more computer programs to perform corresponding functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
Computers suitable for executing computer programs include, for example, general and/or special purpose microprocessors, or any other type of central processing unit. Generally, a central processing unit will receive instructions and data from a read-only memory and/or a random access memory. The basic components of a computer include a central processing unit for implementing or executing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer does not necessarily have such a device. Moreover, a computer may be embedded in another device, e.g., a mobile telephone, a Personal Digital Assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device such as a Universal Serial Bus (USB) flash drive, to name a few.
Computer-readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices (e.g., EPROM, EEPROM, and flash memory devices), magnetic disks (e.g., internal hard disk or removable disks), magneto-optical disks, and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
While this application contains many specific implementation details, these should not be construed as limiting the scope of any invention or of what is claimed, but rather as merely describing the features of particular embodiments of particular inventions. Certain features that are described in this application in the context of separate embodiments can also be implemented in combination in a single embodiment. In another aspect, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Further, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The above description is only for the purpose of illustrating the preferred embodiments of the present application and is not intended to limit the present application to these particular embodiments; any modifications, equivalents, improvements and the like made within the spirit and principle of the present application are intended to be included within the scope of the present application.

Claims (10)

1. A method for data encryption, comprising:
receiving a data encryption application instruction sent by a client;
creating a master key based on the application instruction, wherein the master key comprises a plaintext key and a ciphertext key;
encrypting the request data through the plaintext secret key to obtain encrypted data;
and storing the encrypted data and the ciphertext key to a database of a key management server.
2. The method of claim 1,
the creating a master key based on the application instruction comprises:
determining an encryption mode of a master key according to the encryption attribute of the received request data;
determining the encryption type of the master key according to the application scene of the received request data;
and creating a master key based on the encryption mode and the encryption type.
3. The method according to claim 1 or 2,
the storing the encrypted data and the ciphertext key to a database of a key management server includes:
determining a first relationship of the plaintext key and the ciphertext key based on a configuration of the key pair in a key management server;
determining a second relation between the plaintext secret key and the encrypted data according to the plaintext secret key and the encrypted data obtained after the request data is encrypted;
determining a third relationship between the ciphertext key and the encrypted data according to the first relationship and the second relationship;
persisting the third relationship to a database of a key management server.
4. The method of claim 3,
a method of returning the encrypted data to a client based on the third relationship, comprising:
determining the configuration relationship between the ciphertext key and the encrypted data according to the third relationship;
determining the address information of the encrypted data according to the configuration relationship;
and returning the address information to the client.
5. The method according to any one of claims 1 to 4,
after the encrypted data and the ciphertext key are stored in the database of the key management server, the method further comprises the step of decrypting the ciphertext data, wherein the decryption method comprises the following steps:
calling the ciphertext key in response to receiving the application for use of the encrypted data;
determining a first plaintext key according to the first relation;
acquiring a second plaintext secret key sent by a client, and decrypting the encrypted data based on the second plaintext secret key in response to the first plaintext secret key being the same as the second plaintext secret key;
and returning the request data to the client.
6. The method of claim 2,
the creating a master key based on the application instruction further comprises:
sending a key setting frame to the client based on the application instruction;
responding to a received plaintext secret key input by a user, and encrypting the request data to obtain encrypted data;
creating a ciphertext key according to the plaintext key;
and storing the ciphertext key and the encrypted data to a database of a key management server.
7. The method of claim 6,
after the ciphertext key and the encrypted data are stored in the database of the key management server, the method further comprises decrypting the ciphertext data, wherein the decrypting method comprises the following steps:
in response to receiving a plaintext key using encrypted data, invoking a first ciphertext key stored in a database of a key management server;
receiving a second ciphertext key using the encrypted data;
in response to the first ciphertext key being the same as the second ciphertext key, decrypting the encrypted data based on the second ciphertext key;
and returning the request data to the client.
8. A data encryption apparatus, comprising:
the receiving module is configured to receive a data encryption application instruction sent by a client;
the creation module is configured to create a master key based on the application instruction, wherein the master key comprises a plaintext key and a ciphertext key;
the obtaining module is configured to encrypt the request data through the plaintext secret key to obtain encrypted data;
a saving module configured to save the encrypted data and the ciphertext key to a database of a key management server.
9. A computer-readable storage medium, comprising a stored program, wherein the program when executed performs the method of any of claims 1 to 7.
10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 7 by means of the computer program.
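
The store-then-verify flow of claims 6 and 7, as an added example that is not part of the patent text. It assumes the ciphertext key is a salted PBKDF2 derivative of the user's plaintext key (the claims do not say how it is created) and uses an HMAC-SHA256 keystream plus a MAC as a standard-library stand-in for an authenticated cipher; `store`, `fetch` and the dict-backed `db` are hypothetical names.

```python
import hashlib
import hmac
import os


def _keys(plaintext_key: str, salt: bytes):
    """One PBKDF2 stretch, then three domain-separated subkeys."""
    base = hashlib.pbkdf2_hmac("sha256", plaintext_key.encode(), salt, 200_000)
    sub = lambda label: hmac.new(base, label, hashlib.sha256).digest()
    return sub(b"verify"), sub(b"encrypt"), sub(b"mac")


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stand-in for a real AEAD (assumption).
    stream = b""
    for counter in range((len(data) + 31) // 32):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def store(db: dict, record_id: str, plaintext_key: str, request_data: bytes) -> None:
    """Claim 6: encrypt the request data, persist ciphertext key + encrypted data."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ciphertext_key, enc_key, mac_key = _keys(plaintext_key, salt)
    encrypted = _xor_stream(enc_key, nonce, request_data)
    tag = hmac.new(mac_key, nonce + encrypted, hashlib.sha256).digest()
    # The plaintext key itself is never written to the database.
    db[record_id] = {"salt": salt, "nonce": nonce, "tag": tag,
                     "ciphertext_key": ciphertext_key, "encrypted_data": encrypted}


def fetch(db: dict, record_id: str, plaintext_key: str) -> bytes:
    """Claim 7: compare stored and presented ciphertext keys, then decrypt."""
    rec = db[record_id]
    second_key, enc_key, mac_key = _keys(plaintext_key, rec["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(rec["ciphertext_key"], second_key):
        raise PermissionError("ciphertext key mismatch")
    expected = hmac.new(mac_key, rec["nonce"] + rec["encrypted_data"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(rec["tag"], expected):
        raise ValueError("stored encrypted data was modified")
    return _xor_stream(enc_key, rec["nonce"], rec["encrypted_data"])
```

The MAC check covers a case the claims leave open: a database row whose encrypted data was altered after it was stored is rejected instead of being decrypted into garbage.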
CN202211073104.6A 2022-09-02 2022-09-02 Data encryption method, device and storage medium Pending CN115459910A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211073104.6A CN115459910A (en) 2022-09-02 2022-09-02 Data encryption method, device and storage medium

Publications (1)

Publication Number Publication Date
CN115459910A true CN115459910A (en) 2022-12-09

Family

ID=84300292

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211073104.6A Pending CN115459910A (en) 2022-09-02 2022-09-02 Data encryption method, device and storage medium

Country Status (1)

Country Link
CN (1) CN115459910A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101771699A (en) * 2010-01-06 2010-07-07 华南理工大学 Method and system for improving SaaS application security
US10127399B1 (en) * 2015-12-29 2018-11-13 EMC IP Holding Company LLC Secrets as a service
CN109842589A (en) * 2017-11-27 2019-06-04 中兴通讯股份有限公司 A kind of cloud storage encryption method, device, equipment and storage medium
CN110224976A (en) * 2019-04-29 2019-09-10 北京邮电大学 A kind of encryption communication method, device and computer readable storage medium
CN110990851A (en) * 2019-11-26 2020-04-10 山东三未信安信息科技有限公司 Static data encryption protection method and system
CN111327616A (en) * 2020-02-25 2020-06-23 上海东普信息科技有限公司 Key management method, device, equipment and computer readable storage medium
CN113411345A (en) * 2021-06-29 2021-09-17 中国农业银行股份有限公司 Method and device for secure session
CN113849835A (en) * 2021-09-26 2021-12-28 百度在线网络技术(北京)有限公司 Key processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination