CN116090011A - Data security processing method of cloud chain fusion application platform - Google Patents


Info

Publication number: CN116090011A
Authority: CN (China)
Prior art keywords: dll, file, key, copy, section
Legal status: Pending
Application number: CN202310134316.9A
Other languages: Chinese (zh)
Inventors: 卫才智, 李力
Current assignee: Zhongjin Data Wuhan Supercomputing Technology Co ltd
Original assignee: Zhongjin Data Wuhan Supercomputing Technology Co ltd
Application filed by Zhongjin Data Wuhan Supercomputing Technology Co ltd
Priority to CN202310134316.9A
Publication of CN116090011A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise

Abstract

The invention provides a data security processing method for a cloud chain fusion application platform. The method comprises: obtaining a preset SECTION of a DLL destination file and storing the preset SECTION in a cloud storage node; creating a copy DLL file; encrypting the DLL destination file, writing a partial encryption key into the copy DLL file, and recording the copy DLL file into a block; and, when a user login to the blockchain node account is detected, loading the copy DLL file, determining a decryption key based on the partial encryption key, writing the decryption key into the key variable of the preset SECTION by means of the copy DLL file, and decrypting the DLL destination file with the decryption key. Illegal operation on the local DLL file by black-market (cybercriminal) users can thereby be prevented, providing an effective guarantee for the data security of the cloud chain platform.

Description

Data security processing method of cloud chain fusion application platform
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a data security processing method of a cloud chain fusion application platform.
Background
Large-scale construction of servers is costly. Cloud computing services arose to meet this need, have brought convenience to many Internet enterprises, and have become the infrastructure of today's Internet. Cloud services greatly reduce the initial cost for Internet enterprises and lower the threshold for starting a business, and have become a major driver of the Internet startup boom;
blockchain technology has developed and expanded rapidly with the support of cloud computing services. However, although data assets stored on a blockchain platform are relatively safer than on a traditional centralized platform, many lawbreakers use black-market (cybercriminal) techniques to attack users of the blockchain platform and steal their information assets, causing great trouble for the enterprises and users of the platform; and when some nodes behave maliciously, the decentralized system becomes very complex and unsafe.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
In order to solve the technical problems described in the background, the invention provides a data security processing method for a cloud chain fusion application platform, wherein the cloud chain platform comprises a cloud storage node and a blockchain node, the blockchain node comprises a user management module, and the method comprises the following steps:
determining, by the user management module of the blockchain node, a local DLL destination file of a user of the blockchain node; acquiring a preset SECTION of the DLL destination file, wherein a key variable is arranged in the DLL destination file; and storing the preset SECTION in the cloud storage node;
creating, by the user management module, a copy DLL file of the DLL destination file, sending the copy DLL file to the cloud storage node so that the cloud storage node stores it, and recording the copy DLL file into the block;
encrypting the DLL destination file by the user management module, and writing a partial encryption key into the copy DLL file;
when a user login to the blockchain node account is detected, the user management module loads the copy DLL file, obtains the partial encryption key, determines the decryption key based on the partial encryption key, writes the decryption key into the key variable of the preset SECTION by means of the copy DLL file, and decrypts the DLL destination file with the decryption key.
Optionally, the step of determining the local DLL destination file of the blockchain node user includes:
the user management module of the blockchain node reads the local DLL destination file of the blockchain node user into memory, obtains the start address and end address of the section table and the name of the preset SECTION from the file header of the DLL destination file, and loads the preset SECTION accordingly, thereby ensuring the safety of data transmission.
Optionally, the step of encrypting the DLL destination file and writing a partial encryption key into the copy DLL file includes:
when encrypting the DLL destination file, using the hash value of the DLL destination file as a first partial key; computing the hash of the copy DLL file, which is used in the subsequent decryption, taking that hash value as a second partial key, and writing the second partial key into the copy DLL file;
determining the encryption key from the hash value of the DLL destination file and the hash value of the copy DLL file;
determining the offset and size of the preset SECTION from the start address and end address obtained from the DLL destination file;
and encrypting the preset SECTION held by the cloud storage node based on the encryption key and the offset of the preset SECTION.
Preferably, the copy DLL file is associated with an externally callable interface, and the interface takes no input parameters;
correspondingly, the step of the user management module loading the copy DLL file and obtaining the partial encryption key specifically includes:
the user management module loads the copy DLL file and obtains the interface associated with it; the copy DLL file calls the interface to obtain the first partial key of the encryption key from the DLL destination file, performs the hash calculation of the DLL destination file on the first partial key to obtain the second partial key, and takes the second partial key as the decryption key;
correspondingly, the step of writing the decryption key into the key variable of the preset SECTION by means of the copy DLL file and decrypting the DLL destination file with the decryption key specifically includes:
writing the decryption key into the key variable of the preset SECTION by means of the copy DLL file, decrypting the preset SECTION held by the cloud storage node with the decryption key and the offset of the preset SECTION so as to decrypt the DLL destination file, judging the login user to be a legitimate user if decryption succeeds, and judging the login user to be a black-market (cybercriminal) user if decryption fails.
Optionally, the process of checking the user login account of the blockchain node includes:
the cloud chain platform responds to a login request sent by a user terminal and generates a key pair and a random number based on a smart contract, the key pair comprising a first key and a second key;
the cloud chain platform returns the first key and the random number to the blockchain node, and sends the second key and the random number to the cloud storage node; the blockchain node encrypts the random number with the first key and sends the encrypted random information to the cloud storage node for login verification; the cloud storage node decrypts the random information sent by the blockchain node with the second key, and if the decrypted random number matches the random number sent by the cloud chain platform, login verification succeeds.
The method has the advantage that when a user of the cloud chain platform logs in to the blockchain node account, the blockchain node can automatically and effectively detect and screen out black-market (cybercriminal) users, preventing illegal operation on the local DLL file and providing an effective guarantee for the data security of the cloud chain platform.
Drawings
Fig. 1 is a flow chart of a data security processing method of a cloud chain platform.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Embodiments of the present application relate to cloud technology and blockchain, in particular cloud computing and cloud storage within cloud technology.
Cloud technology refers to hosting technology that integrates hardware, software, network and other resources in a wide area network or local area network to realize the computation, storage, processing and sharing of data. It is the general name for the network technology, information technology, integration technology, management platform technology, application technology and so on applied under the cloud computing business model; it can form a resource pool that is flexible and convenient to use on demand, and cloud computing technology will become an important support. The background services of technical network systems require large amounts of computing and storage resources. With the rapid development and application of the Internet industry, every object may in future carry its own identification mark and need to be transmitted to a background system for logic processing; data of different levels will be processed separately, and the data of all kinds of industries require strong back-end system support, which can only be realized through cloud computing.
Cloud computing is a computing model that distributes computing tasks over a large number of computer-made resource pools, enabling various application systems to acquire computing power, storage space, and information services as needed. The network that provides the resources is referred to as the "cloud".
Resources in the cloud are infinitely expandable in the sense of users, and can be acquired at any time, used as needed, expanded at any time and paid for use as needed.
As a basic capability provider of cloud computing, a cloud computing resource pool (cloud platform for short, generally referred to as an Infrastructure as a Service (IaaS) platform) is established, and multiple types of virtual resources are deployed in the resource pool for external clients to select and use.
Cloud storage is a new concept which extends and develops in the concept of cloud computing, and a distributed cloud storage system refers to a storage system which integrates a large number of storage devices (storage devices are also called storage nodes) of different types in a network through application software or application interfaces to work cooperatively through functions of cluster application, grid technology, distributed storage file systems and the like, and provides data storage and service access functions together.
At present, the storage method of the storage system is as follows: when creating logical volumes, each logical volume is allocated a physical storage space, which may be a disk composition of a certain storage device or of several storage devices.
The client stores data on a certain logical volume, that is, the data is stored on a file system, the file system divides the data into a plurality of parts, each part is an object, the object not only contains the data but also contains additional information such as data identification (IDentity, ID) and the like, the file system writes each object into a physical storage space of the logical volume respectively, and the file system records storage position information of each object, so that when the client requests to access the data, the file system can enable the client to access the data according to the storage position information of each object.
The process of allocating physical storage space for the logical volume by the storage system specifically includes: according to the capacity measurement of the objects stored in the logical volumes (which often has a large margin with respect to the capacity of the objects to be actually stored) and the group of the redundant array of independent disks, the physical storage space is divided into stripes in advance, and one logical volume can be understood as one stripe, so that the physical storage space is allocated to the logical volume.
Blockchains are novel application modes of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, encryption algorithms, and the like. The blockchain is essentially a decentralised database, which is a series of data blocks generated by cryptographic methods, each data block containing a batch of information of network transactions for verifying the validity (anti-counterfeiting) of the information and generating the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, and an application services layer.
The blockchain underlying platform may include processing modules for user management, basic services, smart contracts, operation monitoring, and the like. The user management module is responsible for identity information management of all blockchain participants, including maintenance of public and private key generation (account management), key management, maintenance of corresponding relation between the real identity of the user and the blockchain address (authority management) and the like, and under the condition of authorization, supervision and audit of transaction conditions of certain real identities, and provision of rule configuration (wind control audit) of risk control;
the basic service module is deployed on all blockchain node devices and is used to verify the validity of a service request and record it on storage once the request has been recognised as valid; for a new service request, the basic service first parses the interface adaptation and authenticates it, encrypts the service information through an identification algorithm (identification management), transmits the encrypted service information completely and consistently to the shared ledger (network communication), and records and stores it. The smart contract module is responsible for registering and issuing contracts, triggering contracts and executing contracts; a developer can define contract logic in a programming language, publish it to the blockchain (contract registration), and have the logic executed when triggered by a key invocation or another event according to the contract clauses, and the module also provides registration of contract upgrades. The operation monitoring module is mainly responsible for deployment during product release, configuration modification, contract setting and cloud adaptation, and for visual output of real-time status during product operation, for example alarms, network condition monitoring and node device health monitoring.
The platform product service layer provides basic capabilities and implementation frameworks of typical applications, and developers can complete the blockchain implementation of business logic based on the basic capabilities and the characteristics of the superposition business. The application service layer provides the application service based on the block chain scheme to the business participants for use.
The following describes a data security processing method for a cloud chain platform provided in an embodiment of the present application. In this embodiment the cloud chain platform includes a cloud storage node and a blockchain node, the blockchain node includes a user management module, and the method includes:
step S10, determining a local DLL destination file of the blockchain node user by the user management module of the blockchain node; acquiring a preset SECTION of the DLL destination file, a key variable being arranged in the DLL destination file; and storing the preset SECTION in the cloud storage node;
it should be noted that this embodiment applies to a user logging in to the cloud chain technology platform from a Windows operating system;
the executing body of this embodiment is the user management module, which is responsible for identity information management of all blockchain participants, including maintenance of public and private key generation (account management), key management, maintenance of the correspondence between the real identity of the user and the blockchain address (authority management), and the like;
DLL (Dynamic Link Library) files are core functional components of the Windows platform; a DLL is a library containing code and data that can be used by several programs at the same time. If the DLL file is not encrypted, a black-market (cybercriminal) actor can crack the core functions in the DLL through reverse engineering; and since blockchain is a shared-ledger technology, if some node acts maliciously on the DLL file on a user's local terminal, the whole cloud chain system becomes complex and unsafe.
It can be understood that a DLL file is composed of several SECTIONs, each SECTION holding functional code and instructions for reading, writing, querying and sharing; typically, when the compiler compiles the source program into a DLL file, the compiled code instructions, data and other information are placed into the standard SECTIONs;
step S20, creating a copy DLL file of the DLL destination file by the user management module, sending the copy DLL file to the cloud storage node so that the cloud storage node stores it, and recording the copy DLL file into the block;
it should be noted that this embodiment uses two DLL files, so that the core DLL file that needs protection cannot be decrypted or used on its own; accordingly, a hacker cannot crack the DLL file when the EXE executable runs;
in a specific implementation, if the DLL destination file is x.dll, the user management module creates a copy file y.dll of x.dll, so as to prevent the x.dll file from being cracked when the corresponding file runs.
step S30, encrypting the DLL destination file by the user management module, and writing a partial encryption key into the copy DLL file;
in a specific implementation, when encrypting the DLL destination file, the hash value of the DLL destination file is used as the first partial key; the hash of the copy DLL file, which is used in the subsequent decryption, is computed and taken as the second partial key, and the second partial key is written into the copy DLL file; the encryption key is determined from the hash value of the DLL destination file and the hash value of the copy DLL file; the offset and size of the preset SECTION are determined from the start address and end address obtained from the DLL destination file; and the preset SECTION held by the cloud storage node is encrypted based on the encryption key and the offset of the preset SECTION;
step S40, when a user login to the blockchain node account is detected, loading the copy DLL file by the user management module, obtaining the partial encryption key, determining the decryption key based on the partial encryption key, writing the decryption key into the key variable of the preset SECTION by means of the copy DLL file, and decrypting the DLL destination file with the decryption key. It should be noted that the copy DLL file is associated with an externally callable interface, and the interface takes no input parameters;
in a specific implementation, the user management module loads the copy DLL file and obtains the interface associated with it; the copy DLL file calls the interface to obtain the first partial key of the encryption key from the DLL destination file, performs the hash calculation of the DLL destination file on the first partial key to obtain the second partial key, and takes the second partial key as the decryption key;
the decryption key is then written into the key variable of the preset SECTION by means of the copy DLL file, the preset SECTION held by the cloud storage node is decrypted with the decryption key and the offset of the preset SECTION so as to decrypt the DLL destination file, and the login user is judged to be a legitimate user if decryption succeeds and a black-market (cybercriminal) user if decryption fails.
It can be understood that both x.dll and y.dll are encrypted; when a user login to the blockchain node account is detected, the user management module of the blockchain node first loads y.dll, and y.dll then operates on x.dll so that x.dll can be decrypted and executed correctly;
specifically, in one embodiment, when designing the copy DLL file (the y.dll file), the encryption scheme described below is first used to encrypt its core function, but y.dll only needs to be able to decrypt itself;
meanwhile, y.dll provides an external calling interface whose purpose is to be called later so that y.dll can process the key of x.dll;
y.dll can process the key of x.dll, and the interface is a plain call with no incoming parameter, in order to keep the key data concealed; if there were an incoming parameter, the location of the key would be easily exposed. As for how y.dll finds the key in x.dll: the embodiment searches x.dll for the key variable (defined for x.dll below), finds the target variable in x.dll that holds the key, and fills the actual decryption key data into that target variable.
To search for the target variable, this embodiment must read the x.dll loaded in memory rather than the x.dll on the device, because the x.dll in memory is the one that executes as soon as it is needed.
Further, when designing the encryption method of the DLL destination file (the x.dll file), unlike conventional file encryption, this embodiment encrypts only one SECTION of the x.dll file and leaves the other SECTIONs unencrypted. Whereas conventional encryption encrypts the entire file, this amounts to encrypting only a part of the x.dll file.
The beneficial effects of the scheme of this embodiment are:
1. Partial encryption hides the core function of the X.DLL file better: it is harder for a black-market (cybercriminal) actor to discover that the blockchain node's core function is encrypted, so protection and concealment are better. If the entire file were encrypted it would no longer be a DLL file at all, which makes the encryption easier to detect.
2. Only part of the DLL is encrypted, so encryption and decryption are faster and the whole program performs better, particularly at startup, which improves the user experience.
3. Only part of the functions are encrypted, so the whole X.DLL remains a normal DLL file, giving better compatibility and correctness with the blockchain program.
Specifically, in one embodiment, the encryption algorithm is as follows:
the core functions in x.dll are developed into a preset SECTION.
When designing X.DLL, the embodiment places the functions to be protected into a separate SECTION, and later encrypts the code in that SECTION to obtain the preset SECTION; a special field is added to each function definition to indicate that the function is stored in this SECTION, so that it is separated from the other SECTIONs in x.dll.
In order to better disguise the preset SECTION, the embodiment stores the preset SECTION in the cloud storage node, where it can be disguised more effectively.
Key storage in the DLL file is designed.
During the development of x.dll, the key of x.dll is used by its corresponding decryption function; x.dll is encrypted afterwards with a separate tool, but the key is needed when x.dll decrypts. As mentioned earlier, decryption of x.dll depends on y.dll (the copy DLL file), while generation of the key depends on the hash value of the entire content of the x.dll file, in order to improve security and prevent x.dll from being tampered with.
This embodiment defines a key variable in x.dll for storing key data; the key variable holds the decryption key required for the subsequent decryption of x.dll.
The decryption key is only known after encryption, so it cannot be known in advance when X.DLL is developed; moreover, it is tied to the integrity of the whole X.DLL code, so it can only be obtained after X.DLL is compiled. The embodiment therefore defines a key variable in x.dll; y.dll later locates that variable in x.dll by its feature value and writes the key data into it, making the decryption of x.dll deeply dependent on y.dll. The cloud chain scheme of this embodiment thus binds the two DLL files, so that the local DLL destination file (x.dll) on its own cannot be decrypted.
In a specific implementation, this embodiment declares char var[128] = {0};
specifically, a global variable var is defined whose size is a 128-byte character string; a piece of content is filled into var as a characteristic value, and the subsequent Y.DLL searches the X.DLL for this characteristic value to find the position of var in the X.DLL.
The characteristic value must not coincide with any other character string in the X.DLL; otherwise the Y.DLL search finds 2 or more matches and the characteristic value cannot be used.
Meanwhile, to improve concealment of the characteristic value, it can be replaced each time.
For example, the global variable is 128 bytes long; allowing for the trailing terminator 0, a 127-byte string containing no 0 characters is used.
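The characteristic-value slot described above, as an added Python example that is not code from the patent. It stands in for the external tool and for the Y.DLL's search: it generates a 127-byte marker with no 0 bytes, checks that the marker occurs exactly once in a constructed binary image (the ambiguous two-match case returns None), and overwrites the 128-byte slot with key data without changing the image length. The constructed image bytes, the function names and the slot layout (127 marker bytes plus the terminator) are assumptions of this example.

```python
import secrets

SLOT_SIZE = 128  # matches the page's char var[128]: 127 payload bytes + NUL


def make_marker(length: int = SLOT_SIZE - 1) -> bytes:
    """Random characteristic value containing no 0 byte, so it survives as
    an intact C string in the compiled image (127 bytes by default)."""
    out = bytearray()
    while len(out) < length:
        chunk = secrets.token_bytes(length - len(out))
        out += bytes(b for b in chunk if b != 0)
    return bytes(out)


def find_unique_slot(image: bytes, marker: bytes):
    """Offset of the marker in the image, or None when it is absent or
    occurs more than once (the ambiguous case the page rules out)."""
    first = image.find(marker)
    if first < 0 or image.find(marker, first + 1) >= 0:
        return None
    return first


def write_key_slot(image: bytes, marker: bytes, key_data: bytes) -> bytes:
    """Return a copy of the image with the marker slot replaced by key_data,
    NUL-padded to SLOT_SIZE so the image length is unchanged."""
    if len(key_data) > SLOT_SIZE - 1:
        raise ValueError("key data must leave room for the terminator")
    offset = find_unique_slot(image, marker)
    if offset is None:
        raise ValueError("marker missing or not unique in image")
    slot = key_data.ljust(SLOT_SIZE, b"\0")
    return image[:offset] + slot + image[offset + SLOT_SIZE:]


def read_key_slot(image: bytes, offset: int) -> bytes:
    """Read the key data back from the slot (up to the first NUL)."""
    return image[offset:offset + SLOT_SIZE].split(b"\0", 1)[0]


def build_sample_image(marker: bytes) -> bytes:
    """Constructed stand-in for a compiled X.DLL: some code-like bytes,
    the marker as a NUL-terminated global, then more bytes (hypothetical)."""
    return bytes(range(64)) + marker + b"\0" + b"\xcc" * 32


if __name__ == "__main__":
    marker = make_marker()
    image = build_sample_image(marker)
    offset = find_unique_slot(image, marker)
    patched = write_key_slot(image, marker, b"random-part-of-key")
    print(offset, read_key_slot(patched, offset), len(patched) == len(image))
```

The uniqueness check is the part worth keeping in any real tool: a marker that also appears elsewhere in the image (a duplicated string literal, for instance) would make the write land in the wrong place and silently corrupt the file.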
Encrypting the preset SECTION section of the X.DLL in the cloud storage node.
After the design of the X.DLL is completed, the code is compiled to obtain a compiled X.DLL file; at this point the X.DLL is not yet encrypted. The specific algorithm is as follows:
The file header is parsed to obtain the section table. In this embodiment the X.DLL file is read by mmap memory mapping, which has higher performance; when reading, the start address and end address of the section table are obtained from the file header. The preset SECTION section is then loaded according to the start and end addresses of the section table obtained from the file header of the DLL destination file and the name of the preset SECTION section.
The preset SECTION section in the cloud storage node is encrypted; this is possible because the offset of the preset SECTION section is known. One principle applies to the encryption: the encrypted size must equal the original size.
In this embodiment the preset SECTION section is encrypted in place. Its size is fixed in the DLL file and the section sits in the middle of the DLL file, so if the encrypted content were larger than the original content it would overwrite other data and corrupt the DLL; and if the section size had to be increased, many places in the DLL would need to be modified, making the whole scheme more complex and less compatible.
So the content size is kept the same before and after encryption.
Therefore this embodiment selects the RC4 encryption algorithm, which keeps the length before and after encryption the same.
The encryption key uses the hash value of the X.DLL file as one part of the key, so that during subsequent decryption the X.DLL can be hashed to obtain that part of the key again; correct decryption is possible only with an unmodified X.DLL, otherwise decryption fails.
Since the integrity of the X.DLL is thus tied to decryption, the X.DLL cannot be decrypted once it has been modified.
The specific key may then be set as follows: the file hash of the DLL yields a 32-bit character string used as one part of the key data; the other part is the file hash of the Y.DLL, also used as a 32-bit character string; the 128-bit key consists of the 32-bit hashes of the 2 files and random numbers for the remainder.
When the Y.DLL writes data into the key variable of the X.DLL, only the random data is written; the rest of the key data is obtained by the X.DLL computing the file hash of the X.DLL and the file hash of the Y.DLL. In addition, the header data in the DLL can be destroyed, so that reverse tools cannot parse the SECTION section when analysing the DLL, thereby protecting the DLL destination file.
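The section-locating, length-preserving encryption and two-file key derivation just described, as an added Python example that is not the patent's code. It builds a constructed, minimal PE image (not loadable) with a .sec1 section, walks the DOS header, e_lfanew, COFF header and section table to find that section's raw offset and size, derives a 128-character key from two 32-character file hashes plus 64 random characters, and RC4-encrypts the section in place so that every other byte and the file length are unchanged. The section name, the use of a truncated SHA-256 hex digest as the 32-character hash, the Y.DLL bytes, and hashing the X.DLL with the protected section excluded (so the hash is identical before and after encryption, a detail the page does not spell out) are assumptions of this example.

```python
import hashlib
import secrets
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def find_section(image: bytes, name: bytes):
    """Return (raw_offset, raw_size) of the named section by parsing the
    DOS header -> e_lfanew -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        hdr = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        if hdr[0].rstrip(b"\0") == name:
            raw_size, raw_ptr = hdr[3], hdr[4]
            if raw_ptr + raw_size > len(image):
                raise ValueError("section runs past end of file")
            return raw_ptr, raw_size
    raise ValueError("section not found")


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: output length equals input length and the same
    call decrypts. Used only because the page requires a length-preserving
    cipher; RC4 gives no integrity protection by itself."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hash32(data: bytes) -> str:
    """32-character file hash (assumption: truncated SHA-256 hex digest)."""
    return hashlib.sha256(data).hexdigest()[:32]


def derive_key(x_image: bytes, y_image: bytes, section: bytes, random_part: bytes) -> bytes:
    """128-character key: hash of the X.DLL outside the protected section,
    hash of the Y.DLL copy file, and 64 random characters supplied by Y.DLL."""
    if len(random_part) != 64:
        raise ValueError("random part must be 64 characters")
    off, size = find_section(x_image, section)
    invariant = x_image[:off] + x_image[off + size:]  # unchanged by encryption
    return (hash32(invariant) + hash32(y_image)).encode() + random_part


def transform_section(image: bytes, section: bytes, key: bytes) -> bytes:
    """Encrypt (or, with the same key, decrypt) the section in place."""
    off, size = find_section(image, section)
    return image[:off] + rc4(key, image[off:off + size]) + image[off + size:]


def build_sample_dll() -> bytes:
    """Constructed minimal PE image with .text and .sec1 sections: it has the
    headers the parser needs but is not a loadable DLL (hypothetical data)."""
    text = bytes(range(64))
    sec1 = b"protected function bytes " * 4
    ptr_text, ptr_sec1 = 0x100, 0x100 + len(text)

    def sec_hdr(name, data, ptr, va):
        return struct.pack(SECTION_HDR, name, len(data), va, len(data), ptr, 0, 0, 0, 0, 0x60000020)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymbols, NumSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x2022)
    headers = sec_hdr(b".text", text, ptr_text, 0x1000) + sec_hdr(b".sec1", sec1, ptr_sec1, 0x2000)
    image = dos + coff + headers
    return image + b"\0" * (ptr_text - len(image)) + text + sec1


if __name__ == "__main__":
    x_dll, y_dll = build_sample_dll(), b"constructed Y.DLL copy file bytes"
    rnd = secrets.token_hex(32).encode()  # the only part Y.DLL writes into X.DLL
    key = derive_key(x_dll, y_dll, b".sec1", rnd)
    protected = transform_section(x_dll, b".sec1", key)
    restored = transform_section(protected, b".sec1", derive_key(protected, y_dll, b".sec1", rnd))
    print(len(protected) == len(x_dll), restored == x_dll)
```

The split in derive_key mirrors the page: the decrypting side stores only the random part and recomputes the two hash parts, so a single flipped byte anywhere outside the protected section changes the key and decryption yields garbage rather than code. Because RC4 has no integrity check, a caller cannot tell "wrong key" from "corrupted section" by the cipher alone; a practical deployment would keep a separate MAC or hash of the plaintext section to make that failure explicit.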
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (5)

1. A data security processing method of a cloud chain fusion application platform, characterized in that the cloud chain platform comprises cloud storage nodes and blockchain nodes, the blockchain nodes comprise user management modules, and the method comprises the following steps:
determining, by the user management module of the blockchain node, a local DLL destination file of a user of the blockchain node; acquiring a preset SECTION section of the DLL destination file, a key variable being arranged in the DLL destination file, and storing the preset SECTION section in the cloud storage node;
creating, by the user management module, a copy DLL file of the DLL destination file, sending the copy DLL file to the cloud storage node so that the cloud storage node stores the copy DLL file, and recording the copy DLL file into the block;
encrypting, by the user management module, the DLL destination file, and writing a partial encryption key into the copy DLL file;
when the user login account of the blockchain node is detected, loading, by the user management module, the copy DLL file, obtaining the partial encryption key, determining a decryption key based on the partial encryption key, writing the decryption key into the key variable of the preset SECTION section using the copy DLL file, and decrypting the DLL destination file using the decryption key.
2. The method of claim 1, wherein the step of determining the local DLL destination file of the blockchain node user comprises:
reading, by the user management module of the blockchain node, the local DLL destination file of the blockchain node user into memory, and obtaining the start address and end address of the section table and the name of the preset SECTION section from the file header of the DLL destination file so as to load the preset SECTION section, thereby ensuring the safety of data transmission.
3. The method of claim 2, wherein the step of encrypting the DLL destination file and writing a partial encryption key into the copy DLL file comprises: when encrypting the DLL destination file, using a hash value of the DLL destination file as a first partial key; performing a hash calculation on the copy DLL file for the subsequent decryption, taking the calculated hash value as a second partial key, and writing the second partial key into the copy DLL file;
determining an encryption key according to the hash value of the DLL destination file and the hash value of the copy DLL file;
determining the offset of the preset SECTION section based on the start address and end address of the DLL destination file;
and encrypting the preset SECTION section in the cloud storage node based on the encryption key and the offset of the preset SECTION section.
4. The method of claim 3, wherein the copy DLL file is associated with an externally invoked interface, the externally invoked interface taking no incoming parameters;
correspondingly, the step of loading the copy DLL file by the user management module and obtaining the partial encryption key specifically comprises:
loading the copy DLL file by the user management module, acquiring the interface associated with the copy DLL file, calling the interface through the copy DLL file to acquire a first partial key of the encryption key from the DLL destination file, performing the hash calculation of the DLL destination file on the first partial key to obtain a second partial key, and taking the second partial key as the decryption key;
correspondingly, the step of writing the decryption key into the key variable of the preset SECTION section using the copy DLL file and decrypting the DLL destination file using the decryption key specifically comprises:
writing the decryption key into the key variable of the preset SECTION section using the copy DLL file, decrypting the preset SECTION section in the cloud storage node using the decryption key and the offset of the preset SECTION section so as to decrypt the DLL destination file, judging the login user to be a safe user if decryption succeeds, and judging the login user to be a black-market (illicit) user if decryption fails.
5. The method of any of claims 1-4, wherein the process of checking the user login account of the blockchain node comprises:
the cloud chain platform responds to a login request sent by a user terminal and generates a key pair and a random number based on a smart contract, the key pair comprising a first key and a second key;
the cloud chain platform feeds back the first key and the random number to the blockchain node, and sends the second key and the random number to the cloud storage node; the blockchain node encrypts the random number with the first key and sends the encrypted random information to the cloud storage node for login verification; and the cloud storage node decrypts the random information sent by the blockchain node with the second key, and if the decrypted random number is consistent with the random number sent by the cloud chain platform, login verification succeeds.
CN202310134316.9A 2023-02-20 2023-02-20 Data security processing method of cloud chain fusion application platform Pending CN116090011A (en)

Publications (1)

Publication Number Publication Date
CN116090011A true CN116090011A (en) 2023-05-09

Family

ID=86186866

Legal Events

Date Code Title Description
PB01 Publication