CN116094696A - Data security protection method, data security management platform, system and storage medium - Google Patents


Info

Publication number: CN116094696A
Authority: CN (China)
Prior art keywords: data, security, quantum, key, management platform
Legal status: Pending
Application number: CN202211698289.XA
Other languages: Chinese (zh)
Inventors: 辛华, 左崴东, 刘龙山, 蒋运平, 杨勇
Current assignee: Cas Quantum Network Co ltd
Original assignee: Cas Quantum Network Co ltd
Application filed by Cas Quantum Network Co ltd; priority to CN202211698289.XA; publication of CN116094696A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0852 Quantum cryptography
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0464 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application relate to the technical field of data management and disclose a data security protection method, a data security management platform, a system and a storage medium. The method comprises the following steps: a probe is called to collect first data, where the first data is ciphertext produced by encrypting the service data of a data provider with a first quantum key negotiated by the data security management platform; the first data, transmitted over a first IPsec channel, is decrypted with the shared first quantum key to obtain the service data; the service data is encrypted with a second quantum key to generate second data, which is stored in a quantum trusted cloud; and if a request to use the service data is received from the data supervisor and/or the data demander, the second data is decrypted with the shared second quantum key to obtain the service data, the service data is encrypted during computation by an integrated key application system, and the computation result is shared with the data supervisor and/or the data demander over a second IPsec channel, so that the data is protected over its full life cycle.

Description

Data security protection method, data security management platform, system and storage medium
Technical Field
The embodiment of the application relates to the technical field of data management, in particular to a data security protection method, a data security management platform, a system and a storage medium.
Background
With the rapid development of communication and internet technology, governments, banks, factories, schools, institutions and other organisations have become networked, informatised and data-driven, and data related to industry, business, telecommunications, traffic, finance, natural resources, health, education, and science and technology must be transmitted and shared over the network. The implementation of the Data Security Law of the People's Republic of China requires that each region and each department be responsible for the data, and for the security of the data, that it collects and generates in the work of its own region and department, and that strict data security management be applied to the data in the fields listed above.
However, the inventor of the application finds that the data security management system commonly used in the industry simply encrypts the data to be securely managed according to the preset secret key, stores, transmits and shares the data, and users who need to view and use the data can view and use the data after identity verification.
Disclosure of Invention
The embodiment of the application aims to at least provide a data security protection method, a data security management platform, a system and a storage medium, at least solve the problems of low data security management level and weak data security protection, at least can perform security protection on data in a full life cycle, and greatly reduce the risk of disclosure caused by data theft.
At least one embodiment of the present application provides a data security protection method, which is applicable to a data security management platform, where the data security management platform is respectively connected to a data provider, a data supervisor, and a data demander, and the method includes the following steps: invoking a probe to collect first data of the data provider, wherein the first data is ciphertext obtained by encrypting service data of the data provider through a first quantum key negotiated by the data security management platform; decrypting the first data transmitted by the first IPsec security according to the shared first quantum key to obtain the service data; encrypting the service data by using a second quantum key to generate second data, and storing the second data in a quantum trusted cloud; and if receiving a use request of the data supervisor and/or the data demander for the service data, decrypting the second data by using the shared second quantum key to obtain the service data, encrypting the service data in a calculation process by adopting an integrated key application system, and sharing a calculation result to the data supervisor and/or the data demander through a second IPsec.
At least one embodiment of the present application further provides a data security management platform, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the data security protection method described above.
At least one embodiment of the present application further provides a data security management system, including the data security management platform described above.
At least one embodiment of the present application further provides a computer readable storage medium storing a computer program that implements the data security protection method described above when executed by a processor.
According to the data security protection method, the data security management platform, the system and the storage medium, the data security management platform calls the probe to collect first data of the data provider, where the first data is ciphertext obtained by encrypting the service data of the data provider with a first quantum key negotiated by the data security management platform; the first data is transmitted to the data security management platform over the first IPsec channel; the data security management platform decrypts the first data with the shared first quantum key to obtain the service data, then encrypts the service data with a second quantum key to generate second data, and stores the second data in the quantum trusted cloud; if a request to use the service data is received from a data supervisor and/or a data demander, the data security management platform decrypts the second data with the shared second quantum key to obtain the service data, encrypts the service data through the integrated key application system provided by the quantum trusted cloud, and shares the calculation result with the data supervisor and/or the data demander over the second IPsec channel. Where data is simply encrypted with a preset key and then transmitted, the security management level is low and the protection is weak; in the embodiments of the application, by contrast, the data security management platform protects data over its whole life cycle of acquisition, transmission, storage, use and sharing, and every stage is encrypted with quantum key technology of a higher security level and stronger protection, so that the risk of disclosure through data theft is greatly reduced and the reliability, credibility and traceability of the data are achieved.
In some alternative embodiments, the data provider is provided with a first quantum security gateway encapsulating a first security agent, the data security management platform is provided with a probe deployed on the data provider side, the call probe collecting first data of the data provider, comprising: initiating a return data acquisition request to the data provider, wherein the data provider acquires return data of service data in a flow copying or light splitting mode, and the first security agent encrypts the return data by using the first quantum key provided by the first quantum integrated machine to form first data; invoking the probe to collect the first data of the data provider at a preset location of the data provider network, wherein the preset location comprises a network outlet, a security center, a core switching area, a service access area, a database server, and/or a government cloud.
In some alternative embodiments, the data security management platform is further provided with a second quantum security gateway encapsulating a second security agent, the decrypting the first data securely transmitted via the first IPsec based on the shared first quantum key, comprising: the second security agent obtains the shared first quantum key from the quantum all-in-one machine, wherein the second security agent and the first security agent share the first quantum key under the negotiation of the data security management platform; and decrypting the first data transmitted by the first IPsec security by using the first quantum key to obtain service data of the data provider, wherein the data provider is connected with the data security management platform by a first quantum security gateway and a second quantum security gateway, and the first quantum security gateway and the second quantum security gateway establish a bidirectional SA between the data provider and the data security management platform to provide an encrypted transmission channel first IPsec.
In some alternative embodiments, the encrypting the traffic data using a second quantum key to generate second data includes: the second security agent encrypts the service data by using a second quantum key to generate second data, and stores the second data in a first space of an ODS layer of a data warehouse, wherein the data warehouse of the data security management platform is built on the quantum trusted cloud, the data warehouse comprises the ODS layer for storing original data, and the ODS layer comprises the first space and a plurality of second spaces; and the second security agent encrypts the service data by using a fifth quantum key to generate disaster recovery data, and stores the disaster recovery data in any one of the second spaces, wherein the disaster recovery data is the data disaster recovery of the second data.
In some optional embodiments, the data security management platform is further provided with a third security agent, and after storing the second data in the ODS layer, the method further comprises: if the second quantum key meets a preset updating condition, decrypting the second data by using the second quantum key shared by the third security agent to obtain the service data, wherein the third security agent and the second security agent share the second quantum key under the negotiation of the data security management platform, the updating condition comprises that the time when the second quantum key is not updated exceeds a preset security duration, and the second quantum key has potential safety hazards; and encrypting the service data by using the updated third quantum key to generate third data and storing the third data in the ODS layer.
In some alternative embodiments, the encrypting the service data using the integrated key application system includes: acquiring a quantum root key according to a use request of the data supervisor and/or the data demander for the service data, wherein the quantum root key is acquired from a quantum all-in-one machine by the third security agent; and executing a virtual machine participating in the calculation of the service data, wherein the third security agent performs encryption of calculation by using a quantum derivative key derived from the quantum root key, and the quantum derivative key is obtained by integrating and deriving the quantum root key and the ID of the virtual machine by using a KDF function.
In some optional embodiments, the data supervisor and/or the data demander side is deployed with a fourth security agent, and the sharing the calculation result to the data supervisor and/or the data demander via the second IPsec includes: if the data supervisor and/or the data demander request to view the calculation result, carrying out identity authentication on the data supervisor and/or the data demander, wherein the data security management platform stores first authentication data of the data supervisor and/or the data demander in advance, the first authentication data is ciphertext obtained by encrypting an account number and a password of the data supervisor and/or the data demander by a fourth quantum key negotiated by the data security management platform, and the third security agent provides the fourth quantum key; the identity authentication comprises the following steps: encrypting account numbers and passwords in the authentication application of the data supervisor and/or the data demander by using a fourth quantum key provided by the fourth security agent to generate second authentication data, wherein the fourth security agent and the third security agent share the fourth quantum key under negotiation of the data security management platform; checking the second authentication data and the first authentication data, and if the second authentication data is consistent with the first authentication data, passing the identity authentication of the data supervisor and/or the data demander; and under the condition that the identity authentication of the data supervisor and/or the data demander passes, decrypting a calculation result transmitted by a second IPsec security by utilizing the quantum derivative key to obtain service analysis, wherein an encrypted transmission channel second IPsec is established in a physical link between the data security management platform and the data supervisor and/or the data demander, the fourth security agent shares the quantum root key with the third security agent under the negotiation of the data security management platform, and the data supervisor and/or the data demander integrate and derive the quantum root key and the ID of the virtual machine by utilizing a KDF function to form the quantum derivative key.
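The identity check described above compares "second authentication data" (the submitted account and password transformed under the shared fourth quantum key) against the "first authentication data" stored in advance. The following is an added example of that check, not code from the patent or from Cas Quantum Network. The patent does not name the transform; for the two values to be comparable it must be deterministic, so this example assumes HMAC-SHA256 under the fourth quantum key k4 over the length-prefixed account and password, and it compares with hmac.Equal so that a wrong guess does not leak how many leading bytes matched. All accounts, passwords and keys are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuthRecord is the "first authentication data" the platform stores in advance
// for one supervisor or demander account.
type AuthRecord struct {
	Account string
	Sealed  []byte
}

// sealCredential is the deterministic keyed transform applied under the fourth
// quantum key k4 (assumption: HMAC-SHA256; the patent does not name a cipher).
// The account is length-prefixed so that "ab"+"c" and "a"+"bc" cannot collide.
func sealCredential(k4 []byte, account, password string) []byte {
	h := hmac.New(sha256.New, k4)
	h.Write([]byte{byte(len(account) >> 8), byte(len(account))})
	h.Write([]byte(account))
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Enroll produces the first authentication data for one account.
func Enroll(k4 []byte, account, password string) AuthRecord {
	return AuthRecord{Account: account, Sealed: sealCredential(k4, account, password)}
}

// Authenticate recomputes the second authentication data from the submitted
// credentials and passes only if it matches the stored record. The comparison
// is constant-time, and it also fails when the caller's agent does not hold
// the same k4, which is the point of negotiating the key between the agents.
func Authenticate(records map[string]AuthRecord, k4 []byte, account, password string) bool {
	second := sealCredential(k4, account, password)
	rec, ok := records[account]
	stored := make([]byte, sha256.Size) // dummy keeps timing uniform for unknown accounts
	if ok {
		stored = rec.Sealed
	}
	return hmac.Equal(second, stored) && ok
}

func main() {
	k4 := []byte("constructed-32-byte-fourth-key!!") // constructed; a real k4 comes from the QKD network
	records := map[string]AuthRecord{}
	rec := Enroll(k4, "supervisor-01", "constructed-pass")
	records[rec.Account] = rec
	fmt.Println("stored first authentication data:", hex.EncodeToString(rec.Sealed))
	fmt.Println("correct credentials:", Authenticate(records, k4, "supervisor-01", "constructed-pass"))
	fmt.Println("wrong password:     ", Authenticate(records, k4, "supervisor-01", "guess"))
}
```

Because the stored value is a deterministic function of the credentials, anyone holding k4 could recompute it; the design therefore depends on k4 staying inside the third and fourth security agents, which is why the example keeps the key out of the record itself.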
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings.
FIG. 1 is a schematic diagram of an application of a data security management system according to the present application;
FIG. 2 is a schematic diagram of a hardware environment of a data security management system according to the present application;
FIG. 3 is a schematic diagram of a manner in which a data provider accesses a network structure as set forth in the present application;
FIG. 4 is a flow chart of a data security protection method provided by some embodiments of the present application;
FIG. 5 is a flow chart of a data security management platform invoking a probe to collect first data of a data provider in some embodiments of the present application;
FIG. 6 is a schematic diagram of a quantum key tree construction process provided in some embodiments of the present application;
FIG. 7 is a schematic architecture diagram of a quantum trust cloud provided in some embodiments of the present application;
FIG. 8 is a schematic illustration of the storage process of the ODS layer of a data warehouse provided in some embodiments of the present application;
FIG. 9 is a schematic diagram of a business data calculation process provided in some embodiments of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in detail below with reference to the accompanying drawings. However, as will be appreciated by those of ordinary skill in the art, in the various embodiments of the present application, numerous technical details have been set forth in order to provide a better understanding of the present application. However, the technical solutions claimed in the present application can be implemented without these technical details and with various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not be construed as limiting the specific implementation of the present application, and the embodiments may be mutually combined and referred to without contradiction.
It should be noted that the terms "first," "second," and the like in the description and in the claims of the present application are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The system is data-centric: it uses quantum derived keys to realise trusted circulation of data through collection, transmission, storage, use, sharing and disaster backup, so that the user can monitor and analyse the data circulation process and trace data leakage, providing a support service that is known, visible and controllable. As shown in FIG. 1, the data security management platform is connected to a data provider, a data supervisor and a data demander, and the platform, the data provider, the data demander and the data supervisor all access the QKD (quantum key distribution) network through middleware. The middleware provides applications on the user side with quantum security capabilities, including quantum keys, encryption algorithms and cryptographic protocols, through a cryptographic service interface, based on quantum keys obtained from the QKD network. The middleware comprises a middleware platform and a security agent. The middleware platform is connected to the security agent and centrally manages and controls it; the security agent obtains from the QKD network the quantum keys provided for ICT (information and communications technology) applications and provides a key factor or key vector to the key engine through the cryptographic service interface.
The overall architecture of the data security management system network is divided into a core layer and a convergence layer, the hardware environment of the data security management system is shown in fig. 2, and the core layer corresponds to a centralized control station of quantum networking and comprises a quantum key management service system server and a quantum network element management system. The quantum key management service system server is used for realizing the functions of all quantum equipment management, quantum key generation control, quantum key routing control and the like of the quantum network. The quantum network element management system is used for receiving the management of the quantum network element management system through the EMS northbound interface and realizing the management function of quantum equipment of all sites of the quantum network. The centralized control station is mainly responsible for connecting the backbone network, tandem connection of service control layer equipment in the metropolitan area network and high-capacity and high-speed forwarding of messages among nodes of the network. 
The convergence layer corresponds to a convergence station and a subscriber station of the quantum networking, the convergence station can be divided into a classical network extranet area (used for interconnection among Ethernet service data points), a quantum equipment network area (used for realizing inter-station quantum key transmission, and key and instruction information exchange between an intra-station quantum gateway and a key manager), and a data provider in the subscriber station realizes quantum key distribution with quantum key distribution equipment (such as a quantum integrated machine and a single-receiving type quantum key distribution equipment QKD-B) through an optical quantum switch by deploying a quantum key generation and management terminal (such as the quantum integrated machine), and realizes functions of quantum key management, relay and the like.
The data provider in the subscriber station adopts a double-fiber mode and is respectively used for a quantum optical channel (shown by a dotted line in fig. 2) and a quantum classical channel (shown by a dotted line in fig. 2), the data provider accesses the quantum network through the quantum security encryption router, the quantum integrated machine (or the single-shot quantum key generation and management terminal) is connected to the centralized control station through the quantum optical channel, and the subscriber access switch is connected to the centralized control station through the quantum classical channel. The quantum encryption router may encapsulate a first middleware including a middleware platform and a first security agent (e.g., a first quantum security gateway of the subscriber station in fig. 2) for encapsulating the quantum key into standard security capabilities including keys, algorithms, cryptographic protocols, etc., and providing the functions of identity authentication, key negotiation, cryptographic operations, key management, etc. to the subscriber node in the form of a standard API. The middleware platform can be packaged in the data security management platform and is used for carrying out centralized management and control on the first security agent, traffic needing to be transmitted safely is led into the quantum encryption router in a static routing or policy routing mode, traffic encryption is completed, ciphertext traffic is led into the quantum security transmission channel, the ciphertext traffic is sent to the target node according to an external network routing mode, and fig. 3 shows a mode that a data provider accesses the network structure.
In the above software and hardware environment, at least one embodiment of the present application proposes a data security protection method, which is applicable to a data security management platform, where the data security management platform is respectively connected with a data provider, a data supervisor, and a data demander, and implementation details of the data security protection method of the present embodiment are specifically described below, and the following is only implementation details provided for facilitating understanding, and is not necessary for implementing the present embodiment.
The specific flow of the data security protection method of the present embodiment may be as shown in fig. 4, and it should be noted that, the steps shown in the flow chart of the accompanying drawings may be executed in a computer system such as a set of computer executable instructions, and although a logic sequence is shown in the flow chart, in some cases, the steps shown or described may be executed in a different order from that herein, specifically including:
Step 101: call a probe to collect first data of a data provider, where the first data is ciphertext produced by encrypting the service data of the data provider with a first quantum key negotiated by the data security management platform. The data security management platform has a probe deployed on the data provider side; when the collection condition is met, the platform calls the probe to collect the first data of the data provider, and the first data collected by the probe is ciphertext produced by encrypting the business data of the data provider with the first quantum key negotiated by the platform. Even if a third party were to compromise the probe and steal the first data, it could not obtain the first quantum key and therefore could not decrypt the first data, so the service data of the data provider cannot be stolen and the acquisition process is strongly protected. The probe is invoked periodically to collect the first data of the data provider, and the collection condition may be that a preset collection time has been reached.
In some embodiments, the data provider is provided with a first quantum security gateway encapsulating the first security agent, the data security management platform may encapsulate a middleware platform, and the data security management platform is provided with probes deployed on the data provider side. The data security management platform calling the probes to collect the first data of the data provider may be achieved through the sub-steps shown in FIG. 5, which specifically comprise the following:
Sub-step 1011: initiate a return data acquisition request to the data provider.
For example, when it needs to obtain the service data of the data provider, the data security management platform may initiate a return data acquisition request to the data provider. The data provider acquires the return data of the service data by traffic copying or optical splitting, and encrypts the return data with the first quantum key that the first security agent obtained from the first quantum integrated machine, forming the first data.
In some embodiments, the return data is Layer 2 Ethernet frame traffic.
In some embodiments, the data provider encrypts the backhaul data with the first quantum key through the first security agent to form the first data. For example, a quantum root key KQ corresponding to the backhaul data may be obtained by the first security agent, which then uses a KDF (key derivation function) to derive, from the quantum root key KQ combined with a user ID (data provider ID), a service ID, a hierarchy or process ID, and the IDs of the nodes in the circulation process, the encryption key KQUenc and the integrity key KQUint. The first security agent encrypts the backhaul data based on KQUenc and KQUint to generate the first data; FIG. 6 shows the construction process of the quantum key tree.
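The quantum key tree derivation described above, as an added example that is not part of the original patent: it derives KQUenc and KQUint from the root key KQ and the ordered context IDs, protects a constructed Layer 2 frame, and rejects a tampered one. The patent names only "a KDF function" and no cipher, so HKDF-SHA256 for the derivation, an HMAC-based counter-mode keystream as the cipher stand-in, and all sample values are assumptions; the same derive_keys call also covers the later quantum derivative key formed from the root key and a virtual machine ID.

```python
import hashlib
import hmac
import os
from typing import Sequence, Tuple

HASH = hashlib.sha256
NONCE_LEN = 16
TAG_LEN = HASH().digest_size  # 32 bytes


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(kq: bytes, ids: Sequence[str]) -> Tuple[bytes, bytes]:
    """Derive (KQUenc, KQUint) from the quantum root key KQ and the ordered
    context IDs (user ID, service ID, process ID, circulation node IDs, ...).
    HKDF is an assumption: the patent only says 'a KDF function'."""
    # Length-prefix each ID so that ("ab", "c") and ("a", "bc") cannot collide.
    context = b"".join(len(i.encode()).to_bytes(2, "big") + i.encode() for i in ids)
    prk = hmac.new(b"quantum-key-tree", kq, HASH).digest()  # HKDF-Extract, fixed salt
    k_enc = hkdf_expand(prk, b"KQUenc|" + context, 32)
    k_int = hkdf_expand(prk, b"KQUint|" + context, 32)
    return k_enc, k_int


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for the cipher the
    patent does not name (any AEAD or encrypt-then-MAC cipher fits this slot)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(8, "big"), HASH).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_first_data(kq: bytes, ids: Sequence[str], backhaul: bytes,
                       nonce: bytes = None) -> bytes:
    """Provider side: backhaul frame -> first data = nonce || ciphertext || tag."""
    k_enc, k_int = derive_keys(kq, ids)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ct = _xor(backhaul, _keystream(k_enc, nonce, len(backhaul)))
    tag = hmac.new(k_int, nonce + ct, HASH).digest()  # encrypt-then-MAC with KQUint
    return nonce + ct + tag


def decrypt_first_data(kq: bytes, ids: Sequence[str], first_data: bytes) -> bytes:
    """Platform side: verify the tag first, then decrypt; raise on any tampering."""
    if len(first_data) < NONCE_LEN + TAG_LEN:
        raise ValueError("first data too short")
    nonce = first_data[:NONCE_LEN]
    ct = first_data[NONCE_LEN:-TAG_LEN]
    tag = first_data[-TAG_LEN:]
    k_enc, k_int = derive_keys(kq, ids)
    expected = hmac.new(k_int, nonce + ct, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: first data was modified")
    return _xor(ct, _keystream(k_enc, nonce, len(ct)))


def is_authentic(kq: bytes, ids: Sequence[str], first_data: bytes) -> bool:
    """True only if the tag verifies under the keys derived for these IDs."""
    try:
        decrypt_first_data(kq, ids, first_data)
        return True
    except ValueError:
        return False


# Constructed sample values (not from the patent).
SAMPLE_KQ = bytes(range(32))
SAMPLE_IDS = ["provider-A", "svc-telemetry", "proc-7", "node-1", "node-2"]
# Constructed Layer 2 frame: dst MAC, src MAC, EtherType 0x0800, payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0011223344550800") + b"sensor=42"

if __name__ == "__main__":
    first = encrypt_first_data(SAMPLE_KQ, SAMPLE_IDS, SAMPLE_FRAME)
    print("first data:", first.hex())
    print("recovered :", decrypt_first_data(SAMPLE_KQ, SAMPLE_IDS, first))
    tampered = first[:NONCE_LEN] + bytes([first[NONCE_LEN] ^ 1]) + first[NONCE_LEN + 1:]
    print("tampered accepted:", is_authentic(SAMPLE_KQ, SAMPLE_IDS, tampered))
```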
In some embodiments, the returned data may be ICT service data such as internet of things, internet of vehicles, etc., cloud application data, or security log information of the system and the security device.
Sub-step 1012, calling the probe to collect the first data of the data provider at a preset location of the data provider network.
For example, the data security management platform may call the probe to collect the first data of the data provider at a preset location of the data provider network, where the preset location may include a network outlet, a security center, a core switching area, a service access area, a database server, and/or a government cloud, among others.
In some embodiments, the probe is a programmable matrix device unit in which all ports support traffic access and traffic control output; the probe is managed centrally by the wavelength division convergence unit through an OpenFlow interface or a NETCONF interface, so that traffic input, classification and identification output, and load-balanced output can be realized. The probe also supports VxLAN stripping, label stripping, time stamping, tunneling protocol identification, and so on. The probe can further introduce an advanced SDN architecture for bypass traffic data management and can self-organize into a complete traffic scheduling and data delivery network. The probe also offers rich selection conditions for preprocessing operations such as traffic extraction, classification and priority distribution, and has the capability of calling the first security agent for encryption.
In some embodiments, the probes related to the embodiments of the present application may be any device or component with a probe function, not limited to a narrow sense of a common probe, but may also be a sandbox, a database audit, an intrusion detection system, an analysis component on the cloud, a management and control center on the cloud, and the like.
Step 102, decrypting the first data securely transmitted through the first IPsec according to the shared first quantum key to obtain the service data.
For example, after the data security management platform calls the probe to collect the first data of the data provider, the first data may be securely transmitted to the data security management platform through a first IPsec (Internet Protocol Security) channel, and the data security management platform decrypts the first data according to the shared first quantum key to obtain the service data. The data security protection method thus protects not only the data collection stage but also, through IPsec, the data transmission stage, further reducing the risk of disclosure caused by data theft.
In some embodiments, the data security management platform is further provided with a second quantum security gateway, which may encapsulate a second security agent, so that the second quantum security gateway (second security agent) and the first quantum security gateway (first security agent) of the data provider share the first quantum key under negotiation of the data security management platform (in which the middleware platform is encapsulated); that is, the middleware platform performs centralized management and control of the first security agent and the second security agent. The data provider is connected to the data security management platform through the first quantum security gateway and the second quantum security gateway, the first corresponding to the data provider and the second to the data security management platform; the two gateways establish a bidirectional SA (Security Association) on the physical link between the data provider and the data security management platform, providing the encrypted transmission channel referred to as the first IPsec. The data security management platform obtains the shared first quantum key from the second quantum security gateway and uses it to decrypt the first data securely transmitted through the first IPsec, thereby obtaining the service data of the data provider.
In some embodiments, IPsec is an open-standard security framework used to guarantee the confidentiality, integrity and anti-replay protection of data transmitted over a network. Data transmission is secured by two security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload), and IPsec performs key agreement through the IKE protocol (Internet Key Exchange) to establish and maintain SAs.
In some embodiments, the IPsec configuration process includes, in order: configuring network reachability, configuring ACLs (Access Control Lists) to identify the flows of interest, creating a security proposal, creating a security policy, and applying the security policy.
In some embodiments, the IPsec configuration may be entered on router RTA (the peer being RTB) as follows, each command followed by its description; the addresses, SPIs and the string key Hua are example values:
"[RTA] ip route-static 10.1.2.0 24 20.1.1.2    // static route to RTB
[RTA] acl number 3001    // create access control list 3001
[RTA-acl-adv-3001] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255    // permit traffic from the 10.1.1.0 segment to the 10.1.2.0 segment
[RTA-acl-adv-3001] quit
[RTA] ipsec proposal tran1    // create a security proposal named tran1
[RTA-ipsec-proposal-tran1] esp authentication-algorithm sha1    // ESP authentication algorithm SHA1
[RTA-ipsec-proposal-tran1] quit
[RTA] ipsec policy P1 10 manual    // create IPsec policy P1, sequence number 10, in manual mode
[RTA-ipsec-policy-manual-P1-10] security acl 3001    // protect the traffic matched by ACL 3001
[RTA-ipsec-policy-manual-P1-10] proposal tran1    // use proposal tran1
[RTA-ipsec-policy-manual-P1-10] tunnel remote 20.1.1.2    // remote tunnel address 20.1.1.2
[RTA-ipsec-policy-manual-P1-10] tunnel local 20.1.1.1    // local tunnel address 20.1.1.1
[RTA-ipsec-policy-manual-P1-10] sa spi outbound esp 54321    // SPI of the outbound SA is 54321
[RTA-ipsec-policy-manual-P1-10] sa spi inbound esp 12345    // SPI of the inbound SA is 12345
[RTA-ipsec-policy-manual-P1-10] sa string-key outbound esp simple Hua    // outbound ESP key is Hua
[RTA-ipsec-policy-manual-P1-10] sa string-key inbound esp simple Hua    // inbound ESP key is Hua
[RTA-ipsec-policy-manual-P1-10] quit
[RTA] interface GigabitEthernet0/0/1    // enter the GigabitEthernet0/0/1 interface view
[RTA-GigabitEthernet0/0/1] ipsec policy P1    // apply the IPsec policy to the interface
[RTA-GigabitEthernet0/0/1] quit"
And step 103, encrypting the service data by using the second quantum key to generate second data, and storing the second data in the quantum trusted cloud.
After the data security management platform obtains the service data, it can store it: the platform encrypts the service data with the second quantum key to generate second data and stores the second data in the quantum trusted cloud. In the data storage stage, the service data is encrypted and stored in the quantum trusted cloud, which supports encryption and storage with quantum keys, so that the service data stored by the data security management platform is effectively protected from disclosure. In some embodiments, the quantum trusted cloud is similar in architecture to a traditional cloud platform; the difference is that a security agent of the middleware interfaces with the security management module of the cloud platform, and an integrated key application management and control system provides the corresponding security infrastructure for computing encryption, storage encryption and network encryption. That is, the quantum trusted cloud provides an encrypted storage solution based on quantum keys, supports encryption of storage resources such as volume storage, object storage and file storage, makes the data storage process secure and controllable, prevents data leakage, and allows data interaction only within a specified range after encryption. The architecture of the quantum trusted cloud may be as shown in FIG. 7.
In some embodiments, the data security management platform is provided with a second quantum security gateway; the second security agent encapsulated in the second quantum security gateway interfaces with the security management module of the cloud platform, and an integrated key application management and control system provides the corresponding security infrastructure for computing encryption, storage encryption and network encryption. The data security management platform encrypts the service data with a second quantum key obtained by the second security agent to generate second data and stores the second data in a first space of the ODS layer (Operational Data Store, original data layer) of a data warehouse. The data warehouse of the data security management platform is built on the quantum trusted cloud; it comprises the ODS layer for storing original data, and the ODS layer comprises the first space and a plurality of second spaces. Besides the ODS layer, the data warehouse includes a DWD layer (Data Warehouse Detail, detail data layer), a DWS layer (Data Warehouse Summary, aggregate data layer), a CDS layer (Common Data Model, common dimension layer), and the like. In addition to storing the second data in the first space of the ODS layer, the data security management platform can encrypt the service data with a fifth quantum key obtained by the second security agent to generate disaster backup data and store it in any one of the second spaces of the ODS layer, where the disaster backup data is the disaster backup of the second data; data disaster backup is thereby realized, and the backup process is also strongly protected.
In some embodiments, the ODS layer of the data warehouse is a distributed architecture, and a Hadoop + MPP hybrid architecture can be adopted, so that structured, semi-structured and unstructured data storage capability can be provided according to different data types and storage strategies. The storage process of the ODS layer of the data warehouse may be as shown in FIG. 8.
In some embodiments, the data security management platform is provided with a third security agent in addition to the second security agent, and the third security agent and the second security agent can share the second quantum key under the negotiation of the data security management platform (the middleware platform is packaged inside), that is, the data security management platform can perform centralized management and control on the first security agent, the second security agent and the third security agent. After storing the second data in the ODS layer of the data repository, the data security management platform may determine whether the second quantum key meets a preset update condition, where the preset update condition includes that a time during which the second quantum key is not updated exceeds a preset security duration, that the second quantum key has a potential safety hazard (such as being attacked), and so on. And if the second quantum key meets the preset updating condition, the data security management platform decrypts the second data by using the second quantum key shared by the third security agent to obtain service data, encrypts the service data by using the updated third quantum key to generate third data and stores the third data in an ODS layer of the data warehouse, so that the security of data storage is further ensured.
Step 104, if a use request of the data supervisor and/or the data demander for the service data is received, decrypting the second data with the shared second quantum key to obtain the service data, encrypting the service data in the calculation process with the integrated key application system, and sharing the calculation result to the data supervisor and/or the data demander through the second IPsec.
The data security management platform can monitor in real time whether a use request of the data supervisor and/or the data demander for the service data is received. After such a request is received, the data security management platform decrypts the second data stored on the quantum trusted cloud with the shared second quantum key to obtain the service data, then uses the integrated key application system to encrypt the service data during the calculation process, and shares the calculation result to the data supervisor and/or the data demander through the second IPsec. The data use (calculation) process is protected by the integrated key application system and the data sharing process by the second IPsec; that is, the data security management platform protects the whole life cycle of data collection, transmission, storage, use and sharing, and encrypts throughout with quantum encryption technology of a higher security level and stronger protection, which greatly reduces the risk of disclosure caused by data theft and makes the data reliable, credible and traceable.
In some embodiments, the data security management platform is provided with a third security agent. When the data security management platform uses the integrated key application system to encrypt the service data in the calculation process, it first obtains a quantum root key according to the use request of the data supervisor and/or the data demander for the service data, the quantum root key being obtained from the quantum integrated machine by the third security agent; it then executes the virtual machine participating in the calculation of the service data, and the third security agent encrypts the calculation with a quantum derivative key derived from the quantum root key, where the quantum derivative key is obtained by integrating and deriving the quantum root key and the ID of the virtual machine with a KDF function. The calculation process of the service data may be as shown in FIG. 9.
In some embodiments, the data security management platform is provided with a third security agent, and a fourth security agent is deployed on the data supervisor side and/or the data demander side. The data security management platform stores in advance first authentication data of the data supervisor and/or the data demander, which is ciphertext obtained by encrypting the account number and password of the data supervisor and/or the data demander with a fourth quantum key negotiated by the data security management platform; the third security agent and the fourth security agent share the fourth quantum key under negotiation of the data security management platform. During identity authentication, the data security management platform encrypts the account number and password in the authentication application of the data supervisor and/or the data demander with the fourth quantum key provided by the fourth security agent deployed on their side to generate second authentication data, and checks the second authentication data against the first authentication data; if they are consistent, the identity authentication of the data supervisor and/or the data demander is confirmed to pass. After the identity authentication passes, the data security management platform decrypts the calculation result securely transmitted through the second IPsec with the quantum derivative key to obtain the service analysis, where an encrypted transmission channel, the second IPsec, is established on the physical link between the data security management platform and the data supervisor and/or the data demander, and the data supervisor and/or the data demander use a KDF function to integrate and derive the quantum root key and the ID of the virtual machine to form the quantum derivative key.
The second IPsec is similar to the first IPsec and will not be described again here.
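The identity authentication step above, as an added example that is not taken from the patent: the stored first authentication data is recomputed from the submitted account and password under the fourth quantum key and compared in constant time, with unknown accounts taking the same code path as wrong passwords. The patent does not specify the cipher, so a keyed HMAC-SHA256 stands in for the deterministic encryption; the sample key and accounts are constructed.

```python
import hashlib
import hmac
from typing import Dict


def make_auth_data(k4: bytes, account: str, password: str) -> bytes:
    """Deterministic 'authentication data' for (account, password) under the
    fourth quantum key K4. HMAC-SHA256 stands in for the unspecified cipher;
    the account is length-prefixed so the account/password boundary is unambiguous."""
    acct = account.encode()
    msg = len(acct).to_bytes(2, "big") + acct + password.encode()
    return hmac.new(k4, msg, hashlib.sha256).digest()


class AuthGate:
    """Platform-side store of first authentication data, one record per account."""

    def __init__(self, k4: bytes) -> None:
        self._k4 = k4
        self._first_auth: Dict[str, bytes] = {}

    def enroll(self, account: str, password: str) -> None:
        # First authentication data, stored in advance by the platform.
        self._first_auth[account] = make_auth_data(self._k4, account, password)

    def authenticate(self, account: str, password: str) -> bool:
        # Second authentication data, computed from the authentication application.
        second = make_auth_data(self._k4, account, password)
        # Compare against an all-zero dummy for unknown accounts so that the
        # comparison itself does not reveal whether the account exists.
        first = self._first_auth.get(account, bytes(len(second)))
        matched = hmac.compare_digest(second, first)
        return matched and account in self._first_auth


# Constructed sample values (not from the patent).
SAMPLE_K4 = bytes.fromhex("11" * 32)

if __name__ == "__main__":
    gate = AuthGate(SAMPLE_K4)
    gate.enroll("supervisor-01", "correct horse battery")
    print("good password:", gate.authenticate("supervisor-01", "correct horse battery"))
    print("bad password :", gate.authenticate("supervisor-01", "wrong"))
    print("unknown user :", gate.authenticate("demander-99", "correct horse battery"))
```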
In some embodiments, depending on the circumstances, the data warehouse may process the business data as follows:
The DWD layer uses an ETL (Extract-Transform-Load) tool to perform, at scheduled times, data filtering, data type standardization, data summarization and unification, data deduplication, data migration, data synchronization, enhanced extraction, database lookup, data quality inspection and the like.
For example, the industrial data of an industrial enterprise is classified into: development data fields (development design data, development test data, etc.), production data fields (control information, operating conditions, process parameters, system logs, etc.), operation and maintenance data fields (logistics data, after-sales product service data, etc.), management data fields (system equipment asset information, customer and product information, product supply chain data, business statistics data, etc.), and external data fields, among others.
For example, the industrial data of a platform enterprise is classified into: platform operation data (Internet of Things collection data, knowledge base and model base data, research and development data, etc.) and enterprise management data fields (customer data, business collaboration data, financial data, etc.).
The DWS layer may use the ETL tool to lightly aggregate the data processed by the DWD layer in combination with the data model of the CDS layer.
The DMS layer performs high-level summary analysis and obtains the analysis result.
The summary analysis may be a Kylin model analysis, and the analysis model may apply the Layer-by-Layer cubing algorithm, the Fast Cubing algorithm and the like. The analysis includes: mirrored traffic analysis (log analysis, network traffic analysis, malicious code information analysis, network threat perception analysis, network event information analysis, special scene traffic analysis), asset and threat monitoring (asset detection, website security scanning, asset vulnerability information analysis, malicious code threat discovery), compliance analysis (firewall, database audit system, vulnerability scanning system, dedicated backup equipment, bastion host, dedicated web firewall, log audit system, anti-virus system), other equipment analysis (server, switch, router, cloud platform) and the like. After the analysis results are obtained, they are transmitted to the data security management platform, the data supervisor and the data demander.
In some embodiments, besides security protection, the data security management platform can further provide visualization of data management over the whole data life cycle (data collection, transmission, storage, disaster recovery, use and sharing) in resource management, data hierarchical classification management, data processing, data quality management and the like, making the data reliable, credible and traceable. The functions and services supported by the data security management platform are as follows:
Metadata management, including metadata base data management and metadata application, consists at least of functions such as automatic metadata collection, metadata retrieval, data model management and lineage relationships.
Metadata analysis includes displaying the lineage relationships of objects in a mesh mode and displaying the directed lineage relationships of objects as parent-child dependencies.
Data processing comprises stream data processing, data integration management, data architecture management, data exception management, data development management, unified scheduling management, data operation and maintenance management, and the like.
Data quality management includes quality model configuration, quality plan management, scheme configuration and scheduling, viewing of quality inspection results, quality inspection analysis reports, and the like.
The data security protection method provided by the application has the following advantages:
First, full life cycle management of data: full-cycle management of data is realized from the aspects of data discovery and classification, data collection and cleaning, data management and control, data center construction, data modeling and the like.
Second, a wide range of application scenarios: each product module in the scheme can independently solve the problems of different data management scenarios (such as data discovery and classification, data collection and cleaning, data security, data standard construction and the like), can be combined freely, and is rapidly applicable to the different data management scenarios of government and enterprise users.
Third, high flexibility: the products provide rich external interfaces with strong flexibility, extensibility and integration capability; product security is strengthened by comprehensive and strict secure coding, unsafe data is strictly checked, and the program has self-checking, fault diagnosis and similar functions.
Fourth, expansion of government and enterprise data assets: enterprise data assets are discovered and organized intelligently, a unified data standardization system is established, and data quality is improved.
Fifth, reduced security risk for government and enterprise data: data is classified, sensitive data is identified and desensitized, and the security risk of enterprise data is reduced.
Some embodiments of the present application provide a data security management platform, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the data security protection method of the embodiments described above.
Where the memory and the processor are connected by a bus, the bus may comprise any number of interconnected buses and bridges, the buses connecting the various circuits of the one or more processors and the memory together. The bus may also connect various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art, and therefore, will not be described any further herein. The bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or may be a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor is transmitted over the wireless medium via the antenna, which further receives the data and transmits the data to the processor.
The processor is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And memory may be used to store data used by the processor in performing operations.
Some embodiments of the present application provide a data security management system, which at least includes the data security management platform in the foregoing embodiments.
Some embodiments of the present application propose a computer readable storage medium storing a computer program. The computer program implements the above-described method embodiments when executed by a processor.
That is, it will be understood by those skilled in the art that all or part of the steps in implementing the methods of the embodiments described above may be implemented by a program stored in a storage medium, where the program includes several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor (processor) to perform all or part of the steps in the methods of the embodiments described herein. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, etc., which can store program codes.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific embodiments in which the present application is implemented and that various changes in form and details may be made therein without departing from the spirit and scope of the present application.

Claims (10)

1. The data security protection method is suitable for a data security management platform, and the data security management platform is respectively connected with a data provider, a data supervisor and a data demander, and is characterized by comprising the following steps:
invoking a probe to collect first data of the data provider, wherein the first data is ciphertext obtained by encrypting service data of the data provider through a first quantum key negotiated by the data security management platform;
decrypting the first data transmitted by the first IPsec security according to the shared first quantum key to obtain the service data;
encrypting the service data by using a second quantum key to generate second data, and storing the second data in a quantum trusted cloud;
and if receiving a use request of the data supervisor and/or the data demander for the service data, decrypting the second data by using the shared second quantum key to obtain the service data, encrypting the service data in a calculation process by adopting an integrated key application system, and sharing a calculation result to the data supervisor and/or the data demander through a second IPsec.
2. The data security protection method of claim 1, wherein the data provider is provided with a first quantum security gateway encapsulating a first security agent, the data security management platform is provided with a probe deployed on the data provider side, and the invoking probe collects first data of the data provider, comprising:
initiating a return data acquisition request to the data provider, wherein the data provider acquires return data of service data in a flow copying or light splitting mode, and the first security agent encrypts the return data by using the first quantum key provided by the quantum integrated machine to form first data;
invoking the probe to collect the first data of the data provider at a preset location of the data provider network, wherein the preset location comprises a network outlet, a security center, a core switching area, a service access area, a database server, and/or a government cloud.
3. The data security protection method of claim 2, wherein the data security management platform is further provided with a second quantum security gateway encapsulating a second security agent, the decrypting the first data securely transmitted via the first IPsec based on the shared first quantum key, comprising:
The second security agent obtains the shared first quantum key from the quantum all-in-one machine, wherein the second security agent and the first security agent share the first quantum key under the negotiation of the data security management platform;
and decrypting the first data transmitted by the first IPsec security by using the first quantum key to obtain service data of the data provider, wherein the data provider is connected with the data security management platform by a first quantum security gateway and a second quantum security gateway, and the first quantum security gateway and the second quantum security gateway establish a bidirectional SA between the data provider and the data security management platform to provide an encrypted transmission channel first IPsec.
4. A data security protection method according to claim 3, wherein encrypting the traffic data using a second quantum key to generate second data comprises:
the second security agent encrypts the service data by using a second quantum key to generate second data, and stores the second data in a first space of an ODS layer of a data warehouse, wherein the data warehouse of the data security management platform is built on the quantum trusted cloud, the data warehouse comprises the ODS layer for storing original data, and the ODS layer comprises the first space and a plurality of second spaces;
And the second security agent encrypts the service data by using a fifth quantum key to generate disaster recovery data, and stores the disaster recovery data in any one of the second spaces, wherein the disaster recovery data is the data disaster recovery of the second data.
5. The data security protection method according to claim 4, wherein the data security management platform is further provided with a third security agent, and after storing the second data in the ODS layer, the method further comprises:
if the second quantum key meets a preset updating condition, decrypting the second data by using the second quantum key shared by the third security agent to obtain the service data, wherein the third security agent and the second security agent share the second quantum key under the negotiation of the data security management platform, the updating condition comprises that the time when the second quantum key is not updated exceeds a preset security duration, and the second quantum key has potential safety hazards;
and encrypting the service data by using the updated third quantum key to generate third data and storing the third data in the ODS layer.
6. The data security protection method according to claim 5, wherein the encrypting the service data using the integrated key application system comprises:
Acquiring a quantum root key according to a use request of the data supervisor and/or the data demander for the service data, wherein the quantum root key is acquired from a quantum all-in-one machine by the third security agent;
and executing a virtual machine participating in the calculation of the service data, wherein the third security agent performs encryption of calculation by using a quantum derivative key derived from the quantum root key, and the quantum derivative key is obtained by integrating and deriving the quantum root key and the ID of the virtual machine by using a KDF function.
7. The data security protection method according to claim 6, wherein the data supervisor and/or the data demander side is deployed with a fourth security agent, the sharing the calculation result to the data supervisor and/or the data demander via the second IPsec includes:
if the data supervisor and/or the data demander request to view the calculation result, carrying out identity authentication on the data supervisor and/or the data demander, wherein the data security management platform stores first authentication data of the data supervisor and/or the data demander in advance, the first authentication data is ciphertext obtained by encrypting an account number and a password of the data supervisor and/or the data demander by a fourth quantum key negotiated by the data security management platform, and the third security agent provides the fourth quantum key; the identity authentication comprises the following steps: encrypting account numbers and passwords in the authentication application of the data supervisor and/or the data demander by using a fourth quantum key provided by the fourth security agent to generate second authentication data, wherein the fourth security agent and the third security agent share the fourth quantum key under negotiation of the data security management platform; checking the second authentication data and the first authentication data, and if the second authentication data is consistent with the first authentication data, passing the identity authentication of the data supervisor and/or the data demander;
and when the identity authentication of the data supervisor and/or the data demander passes, decrypting the calculation result securely transmitted over the second IPsec by using the quantum derivative key to obtain the service analysis, wherein the encrypted transmission channel second IPsec is established on a physical link between the data security management platform and the data supervisor and/or the data demander, the fourth security agent shares the quantum root key with the third security agent under negotiation by the data security management platform, and the data supervisor and/or the data demander combine the quantum root key with the ID of the virtual machine and derive from them with a KDF function to form the quantum derivative key.
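Claims 6 and 7 together describe two checks that both sides of the platform have to agree on: the per-virtual-machine key is derived from the shared quantum root key and the VM ID with a KDF, and a demander is authenticated by recomputing the keyed transform over account and password and comparing it with the stored first authentication data. The following is an added worked example of those two checks, written for this page and not code from the patent or its applicant. The claims name no specific KDF, so HKDF-SHA256 (RFC 5869) is assumed; the root key, fourth quantum key, VM IDs, credentials and salt label are constructed sample values; and an HMAC-SHA256 keyed transform stands in for the claims' encryption, which has to be deterministic for the ciphertext comparison the claim relies on to work at all.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256

# Constructed sample values (assumptions, not values from the patent).
SAMPLE_ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # quantum root key
SAMPLE_FOURTH_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)  # fourth quantum key
KDF_SALT = b"cn116094696a-example-salt"  # assumed constant domain-separation label


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vm_key(quantum_root_key: bytes, vm_id: str, length: int = 32) -> bytes:
    """The claims' 'quantum derivative key': root key and VM ID combined through a KDF.

    The VM ID goes into the HKDF info field, so each virtual machine gets a distinct
    key and both the third and fourth security agents, holding the same root key and
    the same VM ID, derive the same value independently.
    """
    prk = hkdf_extract(KDF_SALT, quantum_root_key)
    return hkdf_expand(prk, b"vm-derived-key|" + vm_id.encode("utf-8"), length)


def make_auth_data(fourth_quantum_key: bytes, account: str, password: str) -> bytes:
    """Keyed, deterministic transform of account+password (stand-in for the claims'
    encryption under the fourth quantum key). Determinism is required: the platform
    compares the freshly produced value against the stored one byte for byte."""
    msg = account.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hmac.new(fourth_quantum_key, msg, HASH).digest()


def authenticate(stored_first_auth: bytes, fourth_quantum_key: bytes,
                 account: str, password: str) -> bool:
    """Claim 7's check: regenerate the second authentication data and compare it with
    the first; constant-time comparison avoids leaking where the mismatch occurs."""
    second_auth = make_auth_data(fourth_quantum_key, account, password)
    return hmac.compare_digest(stored_first_auth, second_auth)


def run_demo() -> dict:
    """Walk through both checks with the constructed sample values."""
    vm_id = "vm-" + os.urandom(4).hex()
    # Third security agent (platform side) and fourth security agent (demander side)
    # each derive the per-VM key from the shared root key and the VM ID.
    platform_key = derive_vm_key(SAMPLE_ROOT_KEY, vm_id)
    demander_key = derive_vm_key(SAMPLE_ROOT_KEY, vm_id)
    # Enrolment: the platform stores the first authentication data in advance.
    stored = make_auth_data(SAMPLE_FOURTH_KEY, "data-demander-01", "sample-password")
    return {
        "keys_match": platform_key == demander_key,
        "good_login": authenticate(stored, SAMPLE_FOURTH_KEY, "data-demander-01", "sample-password"),
        "bad_login": authenticate(stored, SAMPLE_FOURTH_KEY, "data-demander-01", "wrong-password"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points the claims leave implicit and the example makes explicit: the VM ID must be bound into the derivation (here via the HKDF info field) or every VM would share one key, and the first/second authentication data can only be compared as ciphertexts if the encryption is deterministic, which in turn means equal credentials always produce equal stored values; a randomized AEAD scheme would break the check.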
8. A data security management platform, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the data security protection method of any one of claims 1 to 7.
9. A data security management system comprising the data security management platform of claim 8.
10. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the data security protection method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211698289.XA CN116094696A (en) 2022-12-28 2022-12-28 Data security protection method, data security management platform, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211698289.XA CN116094696A (en) 2022-12-28 2022-12-28 Data security protection method, data security management platform, system and storage medium

Publications (1)

Publication Number Publication Date
CN116094696A true CN116094696A (en) 2023-05-09

Family

ID=86198489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211698289.XA Pending CN116094696A (en) 2022-12-28 2022-12-28 Data security protection method, data security management platform, system and storage medium

Country Status (1)

Country Link
CN (1) CN116094696A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116541887B (en) * 2023-07-07 2023-09-15 云启智慧科技有限公司 Data security protection method for big data platform

Similar Documents

Publication Publication Date Title
US10601790B2 (en) System for providing end-to-end protection against network-based attacks
CN113591119B (en) Cross-domain identification analysis node data privacy protection and safety sharing method and system
Chowdhury Security in cloud computing
CN116055254B (en) Safe and trusted gateway system, control method, medium, equipment and terminal
Thabit et al. Cryptography algorithms for enhancing IoT security
CN116094696A (en) Data security protection method, data security management platform, system and storage medium
CN111885042A (en) Processing method, device and equipment for accessing website and storage medium
O’Raw et al. Securing the industrial Internet of Things for critical infrastructure (IIoT-CI)
Oruma et al. Security threats to 5G networks for social robots in public spaces: a survey
Liang et al. Collaborative intrusion detection as a service in cloud computing environment
Ujcich et al. Towards an accountable software-defined networking architecture
Radoglou-Grammatikis et al. ELECTRON: An architectural framework for securing the smart electrical grid with federated detection, dynamic risk assessment and self-healing
CN114826790A (en) Block chain monitoring method, device, equipment and storage medium
Dincer et al. Big data security: Requirements, challenges and preservation of private data inside mobile operators
Ghani et al. Cloud storage architecture: research challenges and opportunities
US11146594B2 (en) Security incident blockchain
Mani Sekhar et al. Security and privacy in 5G-enabled internet of things: a data analysis perspective
CN113014545A (en) Data processing method and device, computer equipment and storage medium
Pallavi et al. Study of security algorithms to secure IOT data in middleware
Haq et al. Cloud of things: architecture, research challenges, security threats, mechanisms and open challenges
CN115632889B (en) Data protection method, system, device and storage medium
CN117061115B (en) Key negotiation method, key negotiation apparatus, computer device, and computer-readable storage medium
Copeland Cyber Security on Azure
Ganguli Security and Privacy in Big Data Access Controls
US20240073011A1 (en) Systems and Methods for Securing a Quantum-Safe Digital Network Environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination