CN115952518B

CN115952518B - Data request method, device, electronic equipment and storage medium

Info

Publication number: CN115952518B
Application number: CN202211690980.3A
Authority: CN
Inventors: 奚智; 邹仕洪; 姜哲; 张炯明
Original assignee: Yuanxin Information Technology Group Co ltd
Current assignee: Yuanxin Information Technology Group Co ltd
Priority date: 2022-12-27
Filing date: 2022-12-27
Publication date: 2023-08-15
Anticipated expiration: 2042-12-27
Also published as: CN115952518A

Abstract

The application relates to the technical field of computers and discloses a data request method, a data request device, electronic equipment and a storage medium. The method is applied to an application program, and comprises the following steps: sending a data access request to an operating system, and receiving first encrypted data obtained by encrypting target data requested by the data access request by the operating system; decrypting the first encrypted data according to the first decryption key to obtain first decrypted data; transmitting the first decrypted data to the operating system; and receiving the target data obtained after the first decrypted data is decrypted by the operating system. Therefore, when the application program and the operating system interact some sensitive data needing to be decrypted, the application program and the operating system sequentially perform decryption and encryption operations, the time for exposing unencrypted sensitive data is shortened, and the data security in the data interaction process is improved.

Description

Data request method, device, electronic equipment and storage medium

Technical Field

The present application relates to the field of computer technologies, and in particular, to a data request method, apparatus, electronic device, and storage medium.

Background

With the rapid development of the computer industry, massive data are generally required to be interacted in the running process of computer equipment, and the massive data inevitably have the problem of data security. In order to ensure data security, sensitive data of users are usually stored in an encrypted manner.

Many sensitive data require interaction with the operating system when in use, such as when an application displays user, device, contact, etc. related data information in a graphical user interface (GraphicalUser Interface, GUI). When the application program and the operating system perform interactive operation, the application program needs to acquire encrypted sensitive data, then decrypt the encrypted sensitive data to obtain original data, and generally the decrypted original data can be used after further processing in the application program or the operating system. However, in the process that the application program decrypts and acquires the original data and processes the original data, the original data has exposure risk and is easy to steal or tamper.

Disclosure of Invention

The embodiment of the application provides a data request method, which aims to solve the problem that in the prior art, original data is exposed and easy to leak in the interaction process of an application program and an operating system.

Correspondingly, the embodiment of the application also provides a data request device, electronic equipment and a storage medium, which are used for ensuring the realization and application of the method.

In order to solve the above problems, an embodiment of the present application discloses a data request method, which is applied to an application program, and the method includes:

sending a data access request to an operating system, and receiving first encrypted data obtained by encrypting target data requested by the data access request by the operating system;

decrypting the first encrypted data according to the first decryption key to obtain first decrypted data;

transmitting the first decrypted data to the operating system;

receiving the target data obtained after the first decrypted data is decrypted by the operating system;

the first encrypted data is obtained by sequentially encrypting the target data by the operating system according to a first encryption key and a second encryption key;

the first decryption data is obtained by the operating system performing encryption processing on the target data according to the first encryption key to generate intermediate data and performing marking processing on the intermediate data.

The embodiment of the application also discloses a data request method which is applied to the operating system and comprises the following steps:

receiving a data access request sent by an application program, and encrypting target data requested by the data access request to obtain first encrypted data;

transmitting the first encrypted data to the application;

receiving first decryption data obtained by the application program through decryption processing of the first encryption data according to a first decryption key;

and obtaining the target data after decrypting the first decrypted data, and sending the target data to the application program.

The embodiment of the application also discloses a data request device which is applied to the application program, and the device comprises:

the data acquisition module is used for sending a data access request to an operating system and receiving first encrypted data obtained by encrypting target data requested by the data access request by the operating system;

the data decryption module is used for decrypting the first encrypted data according to the first decryption key to obtain first decrypted data;

the data sending module is used for sending the first decrypted data to the operating system;

The data receiving module is used for receiving the target data obtained after the first decrypted data are decrypted by the operating system;

The embodiment of the application also discloses a data request device which is applied to an operating system and comprises:

the data encryption module is used for receiving a data access request sent by an application program and encrypting target data requested by the data access request to obtain first encrypted data;

the data sending module is used for sending the first encrypted data to the application program;

the data receiving module is used for receiving first decryption data obtained by the application program through decryption processing of the first encryption data according to a first decryption key;

and the data decryption module is used for obtaining the target data after the first decryption data are decrypted and sending the target data to the application program.

The embodiment of the application also discloses an electronic device which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes one or more of the methods in the embodiment of the application when executing the program.

Embodiments of the present application also disclose a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method as described in one or more of the embodiments of the present application.

The technical scheme provided by the embodiment of the application has the beneficial effects that:

in the embodiment of the application, a data access request is sent to an operating system, and first encrypted data after the target data requested by the data access request is encrypted by the operating system is received; decrypting the first encrypted data according to the first decryption key to obtain first decrypted data; transmitting the first decrypted data to the operating system; receiving the target data obtained after the first decrypted data is decrypted by the operating system; the first encrypted data is obtained by sequentially encrypting the target data by the operating system according to a first encryption key and a second encryption key; the first decryption data is obtained by the operating system performing encryption processing on the target data according to the first encryption key to generate intermediate data and performing marking processing on the intermediate data. Therefore, when the application program and the operating system interact some sensitive data needing to be decrypted, the application program and the operating system sequentially perform decryption and encryption operations, the time for exposing unencrypted sensitive data is shortened, and the data security in the data interaction process is improved.

Additional aspects and advantages of embodiments of the application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application.

Drawings

The foregoing and/or additional aspects and advantages of the application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a flowchart of a method for requesting data on an application program side according to an embodiment of the present application;

FIG. 2 is a flowchart of a method for requesting data on an operating system side according to an embodiment of the present application;

fig. 3 is a schematic structural diagram of a data request method at an application program side according to an embodiment of the present application;

fig. 4 is a schematic structural diagram of a data request method at an operating system side according to an embodiment of the present application;

fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Detailed Description

Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the application.

As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless expressly stated otherwise, as understood by those skilled in the art. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. The term "and/or" as used herein includes all or any element and all combination of one or more of the associated listed items.

It will be understood by those skilled in the art that all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs unless defined otherwise. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

The scheme provided by the embodiment of the application can be executed by any electronic equipment, such as terminal equipment, and can also be a server, wherein the server can be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and a cloud server for providing cloud computing service. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the present application is not limited herein. For the technical problems in the prior art, the data request method, the device, the electronic equipment and the storage medium provided by the application aim to solve at least one of the technical problems in the prior art.

The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.

The embodiment of the present application provides a possible implementation manner, as shown in fig. 1, a flowchart of a data request method is provided, where the method may be executed by an application program of a system service or an application layer of an operating system, and for convenience of description, the method provided by the embodiment of the present application is described below with the application program as an execution body.

As shown in fig. 1, the method may include the steps of:

step 101, a data access request is sent to an operating system, and first encrypted data obtained after the target data requested by the data access request is encrypted by the operating system is received.

The application program can interact with the operating system to realize the operations of data storage, modification, use and the like. Optionally, the application program may acquire the required target data from the operating system, for example, when the application program needs to display related data information such as a user, a device, a contact person and the like according to an instruction of the user, the application program may acquire related data such as the user, the device, the contact person and the like from the operating system, process the related data by the operating system, and send the processed data to the application program for display.

Specifically, in order to obtain the target data, the application program may send a data access request to the operating system, and after receiving the data access request, the operating system may perform encryption processing on the target data requested by the data access request, and generate first encrypted data to prevent the target data from being stolen or tampered. The application program may acquire encrypted data, i.e., the first encrypted data, from the operating system, and display the encrypted data after decryption.

Step 102, decrypting the first encrypted data according to the first decryption key to obtain first decrypted data.

The first decryption key is generated by the application program, and the first decryption data obtained after the decryption processing of the first decryption key is incompletely decrypted data, so that the application program needs to obtain completely decrypted data, and therefore, the application program needs to further decrypt the data through the following steps 103 and 104, so that the display can be normally performed.

Step 103, sending the first decrypted data to the operating system.

The first decrypted data may be further decrypted by the operating system, thereby obtaining fully decrypted data.

In addition, the operating system typically processes the fully decrypted data to generate target data that meets the display requirements of the application, with respect to the specific data format, style, etc. required by the application to display the data.

For example, when an application program requests and displays graphics data, different applications generally have different requirements on the size, style, texture, color, etc. of the graphics data when displaying the graphics data, and graphics data required by different applications can be formed after processing by an operating system. Specifically, after the application program sends the first decrypted data obtained after the semi-decryption to the operating system, the operating system firstly decrypts the first decrypted data, and then renders the decrypted data to obtain the graphic data.

In order to realize the function of "decrypting the first decrypted data first and then rendering the decrypted data to obtain the graphics data", a rendering engine and a font engine in an operating system, such as a FreeType font engine, may need to be modified, and a specific modification manner may be obtained by a person skilled in the art by combining the embodiments of the present application with the prior art, and the embodiments of the present application are not repeated.

Step 104, receiving the target data obtained after the first decrypted data is decrypted by the operating system.

After receiving the target data obtained after the first decrypted data is decrypted by the operating system, the application program can directly display the target data. The operating system decrypts the first decrypted data to obtain data which is unencrypted original target data; after the original target data is further processed by the operating system, the target data meeting the display requirement of the application program can be obtained, such as graphic data obtained after the original target data is rendered.

In this embodiment, after the operating system obtains the target data, the original target data that is not encrypted may be cleared, so as to prevent data leakage.

In a general implementation manner, after the application program obtains the first encrypted data, the first encrypted data is decrypted by using the first decryption key to obtain decrypted data, and then the decrypted data is sent to the operating system, and is subjected to rendering and other processing by the operating system to obtain target data meeting the display requirements of the application program. In this embodiment, after the application program obtains the first encrypted data, the application program uses the first decryption key to decrypt the first encrypted data to obtain data which is not completely decrypted, and further decryption by the operating system is required. The data decrypted by the operating system is not directly sent to the application program, but is processed by the operating system to generate target data meeting the display requirement of the application program. The operating system sends the target data meeting the display requirement of the application program to the application program for display, so that when the application program interacts with the operating system, the application program does not acquire the unprocessed original target data after decryption, thereby reducing the exposure time of the original target data and further reducing the risk of data leakage.

The first encrypted data is obtained by sequentially encrypting the target data by the operating system according to a first encryption key and a second encryption key.

After being encrypted according to the mode, the application program uses the first decryption key to decrypt the obtained first decryption data, and the first decryption data is the intermediate data after marking. After receiving the first decrypted data sent by the application program, the operating system can identify the result of the marking process and judge whether the first decrypted data needs to be decrypted for the second time. If a preset data header is added to the intermediate data in the encryption process, the operating system can analyze the first decryption data after receiving the first decryption data to obtain the intermediate data or the intermediate data and the data header, and then identify whether the preset data header exists or not, or identify whether the data header is matched with the data header prestored in the operating system. If a preset data head is identified, or the data head is identified to be matched with a data head prestored in an operating system, determining that the first decryption data needs to be decrypted according to the second decryption key. Otherwise, the first decrypted data may be processed in other preset manners, such as directly rendering the first decrypted data, etc.

According to the method, in the process of multiple interactions between the application program and the operating system, the encryption and decryption conditions of the data accessed by the application program can be distinguished. For example, the operating system stores sensitive data and non-sensitive data, when an application program accesses the sensitive data, the operating system can encrypt the sensitive data according to the first decryption key and the second encryption key, and a preset data header is added to the intermediate data in the encryption process. When the application program accesses the non-sensitive data, the operating system does not encrypt the non-sensitive data and directly returns the unencrypted data.

If the application program accesses sensitive data, the operating system receives the first decrypted data, and after analyzing the first decrypted data, the operating system can identify a preset data head, which means that the operating system needs to decrypt the intermediate data according to the second decryption key, and then perform rendering and other processes after decrypting.

If the application program accesses the non-sensitive data, the operating system receives the unencrypted data, and the operating system can directly perform rendering and other treatments on the received data by analyzing the unencrypted data and identifying no preset data head.

The method can realize the flexibility when the application program interacts with the operation system, and different data are processed in different modes.

In an alternative embodiment, the operating system may verify the application after receiving the data access request, and if the verification is passed, send the first encrypted data to the application.

Optionally, whether the main body of the data access request, such as an application program, is trusted or not can be verified by means of a digital certificate or dynamic trusted measurement, if so, the verification is passed, otherwise, the verification is not passed. Under the condition that the application program is credible, the first encrypted data is sent to the application program, so that the possibility of stealing the data can be reduced, and the data security is improved.

In an alternative embodiment, the first encryption key is pre-generated for the operating system; the second encryption key is pre-generated for the application.

Optionally, the application program generates a set of public key and private key as encryption and decryption tools of data when being installed and deployed, the public key generated by the application program is a second encryption key, the private key generated by the application program is a first decryption key, and the first decryption key is matched with the second encryption key. The operating system can generate a set of public key and private key as encryption and decryption tools of data, the public key generated by the operating system is a first encryption key, and the private key generated by the operating system is a second decryption key. The generated public key and private key can be stored safely by adopting sandbox technology and the like, so that the generated public key and private key can be prevented from being stolen.

After the operating system receives the data access request and verifies the identity of the application program to be trusted, the target data requested by the data access request can be encrypted for the first time through a first encryption key generated by the operating system. The operating system can also acquire a second encryption key generated by the application program, encrypt the data obtained after the first encryption for the second time through the second encryption key generated by the application program, generate first encrypted data, and send the first encrypted data to the application program.

After receiving the first encrypted data, the application program can decrypt the first encrypted data for the first time through a first decryption key matched with the second encryption key to obtain first decrypted data. The first decryption data corresponds to data obtained by encrypting the operating system with the first encryption key, and therefore, it is also necessary to perform the second decryption using the second decryption key that matches the first encryption key. The second decryption key is stored in the operating system in this embodiment, so that the second decryption is performed by the operating system. After the application program is decrypted, the incompletely decrypted data is obtained, so that the possibility of exposing the data can be reduced, and the data security is improved.

The embodiment of the application also provides a data request method which is applied to an operating system, as shown in fig. 2, and comprises the following steps:

step 201, receiving a data access request sent by an application program, and encrypting target data requested by the data access request to obtain first encrypted data.

The application program can interact with the operating system to realize the operations of data storage, modification, use and the like. Optionally, the application program may acquire the required target data from the operating system, for example, when related data information such as a user, a device, a contact person and the like is required to be displayed according to an instruction of the user in the application program, related data such as the user, the device, the contact person and the like may be acquired from the operating system, processed by the operating system, and then sent to the application program for display.

Specifically, in order to obtain the target data, the application program may send a data access request to the operating system, and after receiving the data access request, the operating system may perform encryption processing on the target data requested by the data access request, and generate first encrypted data to prevent the target data from being stolen or tampered.

Step 202, sending the first encrypted data to the application program.

The application program may acquire encrypted data, i.e., the first encrypted data, from the operating system, and display the encrypted data after decryption.

And 203, receiving first decrypted data obtained by the application program according to the first decryption key through decryption processing of the first encrypted data.

The first decryption key is generated by the application program, and the first decryption data obtained after the decryption processing of the first decryption key is incompletely decrypted data, so that the application program needs to obtain completely decrypted data, and therefore, the application program needs to further decrypt the data through the following step 204 to be displayed normally.

And 204, obtaining the target data after the first decrypted data is decrypted, and sending the target data to the application program.

In a general implementation manner, after the application program obtains the first encrypted data, the first encrypted data is decrypted by using the first decryption key to obtain decrypted data, and then the decrypted data is sent to the operating system and processed by the operating system to obtain target data meeting the display requirement of the application program. In this embodiment, after the application program obtains the first encrypted data, the application program uses the first decryption key to decrypt the first encrypted data to obtain data which is not completely decrypted, and further decryption by the operating system is required. The data decrypted by the operating system is not directly sent to the application program, but is processed by the operating system to generate target data meeting the display requirement of the application program. The operating system sends the target data meeting the display requirement of the application program to the application program for display, so that when the application program interacts with the operating system, the application program does not acquire the unprocessed original target data after decryption, thereby reducing the exposure time of the original target data and further reducing the risk of data leakage.

In the embodiment of the application, a data access request sent by an application program is received, and target data requested by the data access request is encrypted to obtain first encrypted data; transmitting the first encrypted data to the application; receiving first decryption data obtained by the application program through decryption processing of the first encryption data according to a first decryption key; and obtaining the target data after decrypting the first decrypted data, and sending the target data to the application program. Therefore, when the application program and the operating system interact some sensitive data needing to be decrypted, the application program and the operating system sequentially perform decryption and encryption operations, the time for exposing unencrypted sensitive data is shortened, and the data security in the data interaction process is improved.

In an optional embodiment, the encrypting the target data requested by the data access request to obtain the first encrypted data includes:

sequentially carrying out encryption processing on the target data according to the first encryption key and the second encryption key to generate first encrypted data; the first encryption key is pre-generated by the operating system; the second encryption key is pre-generated for the application.

After the operating system receives the data access request, the target data requested by the data access request can be encrypted for the first time through a first encryption key generated by the operating system. The operating system can also acquire a second encryption key generated by the application program, encrypt the data obtained after the first encryption for the second time through the second encryption key generated by the application program, generate first encrypted data, and send the first encrypted data to the application program.

The target data is obtained after the first decrypted data is decrypted, and the method comprises the following steps:

performing decryption processing on the first decryption data according to a second decryption key to obtain second decryption data;

and rendering the second decrypted data to obtain the target data.

The fully decrypted data is typically processed by the operating system to generate target data that meets the display requirements of the application, with respect to the specific data format, style, etc. required by the application to display the data.

For example, an application program requests and displays graphics data, and different applications generally have different requirements on the size, style, texture, color, etc. of the graphics data when displaying the graphics data, and the graphics data required by different applications can be formed after processing by the operating system. Specifically, after the application program sends the first decrypted data obtained after the semi-decryption to the operating system, the operating system firstly decrypts the first decrypted data, and then renders the decrypted data to obtain the graphic data.

In an optional embodiment, the encrypting the target data according to the first encryption key and the second encryption key sequentially, to generate first encrypted data includes:

encrypting the target data through the first encryption key to obtain intermediate data;

marking the intermediate data to obtain the first decrypted data;

and carrying out encryption processing on the first decrypted data through the second encryption key to obtain the first encrypted data.

The operating system can take the data generated after the original data is encrypted by using the first encryption key as intermediate data, and the operating system can carry out marking processing on the intermediate data, such as adding a pre-defined data head and the like, and then carry out second encryption on the intermediate data after marking processing to obtain the first encrypted data.

The decrypting the first decrypted data according to the second decryption key to obtain second decrypted data includes:

identifying and analyzing the first decryption data to obtain the intermediate data;

and carrying out decryption processing on the intermediate data through the second decryption key to obtain second decryption data.

According to the method, in the process of multiple interactions between the application program and the operating system, the encryption and decryption conditions of the data accessed by the application program can be distinguished. For example, the operating system stores sensitive data and non-sensitive data, when an application program accesses the sensitive data, the operating system can encrypt the sensitive data according to the first decryption key and the second encryption key, and in the encryption process, a preset data head is added to the intermediate data. When the application program accesses the non-sensitive data, the operating system does not encrypt the normal data and directly returns the unencrypted data.

In an optional embodiment, after receiving the data access request sent by the application program, the method further includes:

verifying the application program;

and under the condition that the application program passes verification, encrypting the target data to obtain first encrypted data.

And under the condition that the verification of the application program is passed, the first encrypted data is sent to the application program, so that the possibility of stealing the data can be reduced, and the data security is improved.

The verifying the application program comprises the following steps:

and verifying the application program by a digital certificate or dynamic trusted measurement verification mode to ensure that the identity of the application program is legal or the application program is not tampered with maliciously.

Based on the same principle as the method provided by the embodiment of the present application, the embodiment of the present application further provides a data request device, which is applied to an application program, as shown in fig. 3, and the device includes:

the data obtaining module 301 is configured to send a data access request to an operating system, and receive first encrypted data after the target data requested by the data access request is encrypted by the operating system.

The data decryption module 302 is configured to decrypt the first encrypted data according to the first decryption key to obtain first decrypted data.

The first decryption key is generated by the application program, the first decryption data obtained after the decryption processing of the first decryption key is incompletely decrypted data, and the application program needs to obtain completely decrypted data, so that the application program needs to further decrypt through the operating system to be displayed normally.

And the data sending module 303 is configured to send the first decrypted data to the operating system.

And the data receiving module 304 is configured to receive the target data obtained after the operating system decrypts the first decrypted data.

In an optional embodiment of the present application, the first encryption key is pre-generated by the operating system; the second encryption key is pre-generated for the application.

The data request device provided in the embodiment of the present application can implement each process implemented in the method embodiments of fig. 1 to 2, and in order to avoid repetition, a description is omitted here.

In the data request device provided by the application, a data acquisition module 301 sends a data access request to an operating system and receives first encrypted data obtained by encrypting target data requested by the data access request by the operating system; the data decryption module 302 decrypts the first encrypted data according to the first decryption key to obtain first decrypted data; the data sending module 303 sends the first decrypted data to the operating system; the data receiving module 304 receives the target data obtained after the operating system decrypts the first decrypted data; the first encrypted data is obtained by sequentially encrypting the target data by the operating system according to a first encryption key and a second encryption key; the first decryption data is obtained by the operating system performing encryption processing on the target data according to the first encryption key to generate intermediate data and performing marking processing on the intermediate data. Therefore, when the application program and the operating system interact some sensitive data needing to be decrypted, the application program and the operating system sequentially perform decryption and encryption operations, the time for exposing unencrypted sensitive data is shortened, and the data security in the data interaction process is improved.

The data request device according to the embodiments of the present application may execute the data request method provided by the embodiments of the present application, and its implementation principle is similar, and actions executed by each module and unit in the data request device according to each embodiment of the present application correspond to steps in the data request method according to each embodiment of the present application, and detailed functional descriptions of each module of the data request device may be specifically referred to descriptions in the corresponding data request method shown in the foregoing, which are not repeated herein.

Based on the same principle as the method provided by the embodiment of the present application, the embodiment of the present application further provides a data request device, which is applied to an operating system, as shown in fig. 4, and the device includes:

the data encryption module 401 is configured to receive a data access request sent by an application program, and encrypt target data requested by the data access request to obtain first encrypted data.

A data sending module 402, configured to send the first encrypted data to the application program.

The data receiving module 403 is configured to receive first decrypted data obtained by the application program decrypting the first encrypted data according to the first decryption key.

The first decryption key is generated by the application program, and the first decryption data obtained after the decryption processing of the first decryption key is incompletely decrypted data, so that the application program needs to obtain completely decrypted data, and therefore, the application program needs to further decrypt the completely decrypted data through the data decryption module 404, so that the application program can normally display the completely decrypted data.

And the data decryption module 404 is configured to decrypt the first decrypted data to obtain the target data, and send the target data to the application program.

In an alternative embodiment of the present application, the data encryption module 401 includes:

the data encryption sub-module is used for sequentially carrying out encryption processing on the target data according to the first encryption key and the second encryption key to generate first encrypted data; the first encryption key is pre-generated by the operating system; the second encryption key is pre-generated for the application program;

the data decryption module 404 includes:

the data decryption sub-module is used for decrypting the first decryption data according to the second decryption key to obtain second decryption data;

and the data rendering sub-module is used for rendering the second decrypted data to obtain the target data.

In an alternative embodiment of the present application, the data encryption submodule includes:

the first data encryption unit is used for encrypting the target data through the first encryption key to obtain intermediate data;

the data processing unit is used for carrying out marking processing on the intermediate data to obtain the first decrypted data;

the second data encryption unit is used for encrypting the first decrypted data through the second encryption key to obtain the first encrypted data;

The data decryption sub-module comprises:

the data analysis unit is used for identifying and analyzing the first decryption data to obtain the intermediate data;

and the data decryption unit is used for decrypting the intermediate data through the second decryption key to obtain the second decryption data.

In an optional embodiment of the present application, the data request device further includes:

the program verification module is used for verifying the application program;

the data encryption module is used for encrypting the target data to obtain first encrypted data under the condition that the application program passes verification;

the program verification module includes:

and the program verification sub-module is used for verifying the application program through a digital certificate or dynamic trusted measurement verification mode.

In the data request device provided by the application, a data encryption module 401 receives a data access request sent by an application program, and encrypts target data requested by the data access request to obtain first encrypted data; the data sending module 402 sends the first encrypted data to the application program; the data receiving module 403 receives first decrypted data obtained by the application program decrypting the first encrypted data according to the first decryption key; the data decryption module 404 decrypts the first decrypted data to obtain the target data, and sends the target data to the application program. Therefore, when the application program and the operating system interact some sensitive data needing to be decrypted, the application program and the operating system sequentially perform decryption and encryption operations, the time for exposing unencrypted sensitive data is shortened, and the data security in the data interaction process is improved.

Based on the same principles as the methods shown in the embodiments of the present application, the embodiments of the present application also provide an electronic device that may include, but is not limited to: a processor and a memory; a memory for storing a computer program; a processor for executing the data request method shown in any of the alternative embodiments of the present application by calling a computer program. Compared with the prior art, the data request method provided by the application has the advantages that a data access request is sent to an operating system, and first encrypted data after the target data requested by the data access request is encrypted by the operating system is received; decrypting the first encrypted data according to the first decryption key to obtain first decrypted data; transmitting the first decrypted data to the operating system; receiving the target data obtained after the first decrypted data is decrypted by the operating system; the first encrypted data is obtained by sequentially encrypting the target data by the operating system according to a first encryption key and a second encryption key; the first decryption data is obtained by the operating system performing encryption processing on the target data according to the first encryption key to generate intermediate data and performing marking processing on the intermediate data. Therefore, when the application program and the operating system interact some sensitive data needing to be decrypted, the application program and the operating system sequentially perform decryption and encryption operations, the time for exposing unencrypted sensitive data is shortened, and the data security in the data interaction process is improved.

In an alternative embodiment, there is also provided an electronic device, as shown in fig. 5, where the electronic device 5000 shown in fig. 5 may be a server, including: a processor 5001 and a memory 5003. The processor 5001 is coupled to the memory 5003, e.g., via bus 5002. Optionally, the electronic device 5000 may also include a transceiver 5004. It should be noted that, in practical applications, the transceiver 5004 is not limited to one, and the structure of the electronic device 5000 is not limited to the embodiment of the present application.

The processor 5001 may be a CPU (central processing unit), general purpose processor, DSP (digital signal processor), ASIC (application specific integrated circuit), FPGA (Field ProgrammableGateArray ) or other programmable logic device, transistor logic device, hardware component, or any combination thereof. Which may implement or perform the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor 5001 may also be a combination of computing functions, e.g., including one or more microprocessor combinations, a combination of a DSP and a microprocessor, etc.

Bus 5002 may include a path to transfer information between the aforementioned components. The bus 5002 may be a PCI (peripheral component interconnect) bus, an EISA (extended industrial standard architecture) bus, or the like. The bus 5002 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 5, but not only one bus or one type of bus.

The memory 5003 may be, but is not limited to, ROM (read only memory) or other type of static storage device capable of storing static information and instructions, RAM (RandomAccess Memory ) or other type of dynamic storage device capable of storing information and instructions, EEPROM (ElectricallyErasableProgrammableReadOnly Memory ), CD-ROM (CompactDiscReadOnly Memory, compact disc read only memory) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.

The memory 5003 is used for storing application program codes for implementing the inventive arrangements and is controlled to be executed by the processor 5001. The processor 5001 is operative to execute application code stored in the memory 5003 to implement what has been shown in the foregoing method embodiments.

Among them, electronic devices include, but are not limited to: mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 5 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments of the present application.

The server provided by the application can be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, and a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligent platforms and the like. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the present application is not limited herein.

Embodiments of the present application provide a computer-readable storage medium having a computer program stored thereon, which when run on a computer, causes the computer to perform the corresponding method embodiments described above.

It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.

It should be noted that the computer readable storage medium according to the present application may also be a computer readable signal medium or a combination of a computer readable storage medium and a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.

The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.

The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the methods shown in the above-described embodiments.

According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions to cause the computer device to perform the data request methods provided in the various alternative implementations described above.

Computer program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The modules involved in the embodiments of the present application may be implemented in software or in hardware. The name of the module is not limited to the module itself in some cases, and for example, the search intention category determination module may also be described as "a search intention category determination module that determines a search request".

The above description is only illustrative of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in the present application is not limited to the specific combinations of technical features described above, but also covers other technical features formed by any combination of the technical features described above or their equivalents without departing from the spirit of the disclosure. Such as the above-mentioned features and the technical features disclosed in the present application (but not limited to) having similar functions are replaced with each other.

Claims

1. A data request method applied to an application program, the method comprising:

sending a data access request to an operating system, and receiving first encrypted data obtained by encrypting target data requested by the data access request by the operating system; the data access request comprises the display requirement of the application program;

decrypting the first encrypted data according to the first decryption key to obtain first decrypted data; the first decryption key is an application private key which is generated in advance by the application; the first decryption data is half decryption data;

Transmitting the first decrypted data to the operating system;

receiving and displaying first data; the first data includes: after the operating system decrypts the first decrypted data according to a second decryption key to obtain the completely decrypted target data, rendering the target data according to the display requirement and removing the data obtained after the target data; the second decryption secret key is an operating system private key which is generated in advance by the operating system;

the first encrypted data is obtained by sequentially encrypting the target data by the operating system according to a first encryption key and a second encryption key; the first encryption key is an operating system public key which is generated in advance by the operating system; the second encryption key is an application program public key which is generated in advance by the application program; the first encryption private key is matched with the second decryption private key; the second encryption private key is matched with the first decryption private key;

the first decryption data is obtained by the operating system encrypting the target data according to the first encryption key to generate intermediate data and adding preset verification information into the intermediate data; the preset verification information is used for determining whether to continue decrypting the first decrypted data in the decryption process.

2. A data request method applied to an operating system, the method comprising:

receiving a data access request sent by an application program; the data access request comprises the display requirement of the application program;

encrypting target data requested by the data access request through a first encryption key to obtain intermediate data; adding preset verification information into the intermediate data to obtain first decryption data; encrypting the first decrypted data through a second encryption key to obtain first encrypted data; the first encryption key is an operating system public key which is generated in advance by the operating system, and the second encryption key is an application program public key which is generated in advance by the application program; the preset verification information is used for determining whether to continue decrypting the first decrypted data in the decryption process;

transmitting the first encrypted data to the application;

receiving first decryption data obtained by the application program through decryption processing of the first encryption data according to a first decryption key; the first decryption key is an application private key which is generated in advance by the application; the first decryption private key is matched with the second encryption private key; the first decryption data is half decryption data;

After the first decrypted data are decrypted according to a second decryption key to obtain the completely decrypted target data, rendering the target data according to the display requirement, clearing the target data to obtain first data, and sending the first data to the application program; the second decryption secret key is an operating system private key which is generated in advance by the operating system; the second decryption private key matches the first encryption private key.

3. The method of claim 2, further comprising, after receiving the data access request sent by the application program:

verifying the application program;

under the condition that the application program passes verification, encrypting target data requested by the data access request through a first encryption key to obtain intermediate data;

the verifying the application program comprises the following steps:

the application is verified by means of digital certificates or dynamic trust metric verification.

4. A data requesting apparatus for application programs, the apparatus comprising:

the data acquisition module is used for sending a data access request to an operating system and receiving first encrypted data obtained by encrypting target data requested by the data access request by the operating system; the data access request comprises the display requirement of the application program;

The data decryption module is used for decrypting the first encrypted data according to the first decryption key to obtain first decrypted data; the first decryption key is an application private key which is generated in advance by the application; the first decryption data is half decryption data;

the data receiving module is used for receiving and displaying the first data; the first data includes: after the operating system decrypts the first decrypted data according to a second decryption key to obtain the completely decrypted target data, rendering the target data according to the display requirement and removing the data obtained after the target data; the second decryption secret key is an operating system private key which is generated in advance by the operating system;

5. A data requesting device for application to an operating system, the device comprising:

the data encryption module is used for receiving a data access request sent by an application program; the data access request comprises the display requirement of the application program; encrypting target data requested by the data access request through a first encryption key to obtain intermediate data; adding preset verification information into the intermediate data to obtain first decryption data; encrypting the first decrypted data through a second encryption key to obtain first encrypted data; the first encryption key is an operating system public key which is generated in advance by the operating system, and the second encryption key is an application program public key which is generated in advance by the application program; the preset verification information is used for determining whether to continue decrypting the first decrypted data in the decryption process;

the data receiving module is used for receiving the first decrypted data obtained by the application program decrypting the first encrypted data according to a first decryption key; the first decryption key is an application private key which is generated in advance by the application; the first decryption private key is matched with the second encryption private key; the first decryption data is half decryption data;

the data decryption module is used for obtaining first data after the target data is obtained by decrypting the first decryption data according to a second decryption key, rendering the target data according to the display requirement and clearing the target data, and sending the first data to the application program; the second decryption secret key is an operating system private key which is generated in advance by the operating system; the second decryption private key matches the first encryption private key.

6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1 to 3 when the program is executed.

7. A computer readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1 to 3.