CN116108474B - Big data system password service method and system - Google Patents

Big data system cryptographic service method and system

Publication number: CN116108474B (granted); earlier publication CN116108474A
Application number: CN202310389039.6A
Authority: CN (China)
Language: Chinese (zh)
Legal status: Active (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Inventors: 蔡先勇, 胡敦粮, 江亮
Current and original assignee: Shenzhen Aolian Information Security Technology Co., Ltd.
Prior art keywords: task, channel, big data, information, data system
Events: application filed by Shenzhen Aolian Information Security Technology Co., Ltd.; priority to CN202310389039.6A; published as CN116108474A; application granted and published as CN116108474B; current status Active.

Classifications

CPC leaf classifications (the repeated parent groups G06F21/00, G06F21/60, H04L9/00, H04L9/08, H04L9/32 and G06F2221/21 are collapsed):

    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/3226 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • G06F2221/2107 File encryption
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of big data and provides a big data system cryptographic service method and system. The system improves the security of data in transit by means of double encryption: the server cipher machine automatically generates a number of virtual cipher machines, files of different types are classified and encrypted separately and are read through a dynamic code, so that password leakage is avoided; the multi-layer encryption also generates keys automatically from the real-time information of the transmitted data, so that every file uses a different connection key, key leakage is prevented, only personnel involved in uploading the data know the keys, and the security of the data is enhanced.

Description

Big data system cryptographic service method and system
Technical Field
The invention belongs to the technical field of big data, and in particular relates to a big data system cryptographic service method and system.
Background
A big data operating system is a full-process, visualized and intelligent enterprise-level big data operating system. Within a big data system, the computing, storage and other processing subsystems face ultra-large-scale, ultra-large-capacity and ultra-high-complexity computing and storage requirements that are made up of very large numbers of small-scale, small-volume computing and storage tasks.
A cryptographic service uses cryptographic expertise, skills and facilities to provide integration, operation, supervision and similar activities for others; that is, it realizes cryptographic functions on the basis of cryptographic technology and products and provides cryptographic assurance.
At present, when data is encrypted, only a single layer of encryption is achieved, by setting a password or adding an encryption device, so the data is easily leaked once that password is leaked or lost. Even where some devices use dynamic codes, a virus can still invade the device that receives the dynamic code and steal the data, which affects the security of the data.
Disclosure of Invention
The embodiment of the invention aims to provide a big data system cryptographic service method and system in order to solve the technical problems of the prior art identified in the background above.
The invention is realized as a big data system cryptographic service method comprising the following steps:
establishing a connection between a server cipher machine and the big data system, establishing a plurality of task channels in the big data system according to task type, and establishing a virtual cipher machine for each task channel;
receiving task information transmitted by the big data system, and automatically assigning a virtual cipher machine according to the task channel in which the task information is located;
establishing a dynamic connection code for each task channel through its virtual cipher machine, and synchronizing the dynamic connection code to the user key;
when task information is transmitted in a task channel, sealing and storing the task information and the task processing result through the virtual cipher machine, and creating a unique decoding key for the task from the current transmission time, the task type and the task data size;
and reading and transmitting the task information when both the dynamic connection code and the unique decoding key entered by the user pass verification.
As a further scheme of the invention, establishing the connection between the server cipher machine and the big data system, establishing a plurality of task channels in the big data system according to task type, and establishing a virtual cipher machine for each task channel specifically comprises the following steps:
establishing a connection between the server cipher machine and the big data system, so that the server cipher machine can act on tasks transferred in the big data system;
establishing a plurality of task transmission channels according to the task types existing in the big data system, each task transmission channel carrying a restricting mark; when a task is sent out by the big data system, the task is marked according to its task type and then automatically assigned to the transmission channel with the same mark;
and establishing a virtual cipher machine for each transmission channel through the server cipher machine, the virtual cipher machines of the transmission channels being mutually independent and acting only on their own transmission channel.
As a further scheme of the invention, establishing a dynamic connection code for each task channel through the virtual cipher machine and synchronizing the dynamic connection code to the user key specifically comprises the following steps:
when a user applies to read task information, generating, through the virtual cipher machine, an independent dynamic connection code for the task channel in which the task information is located, the dynamic connection code changing randomly over time;
and synchronizing the dynamic connection code to the user key through the server cipher machine.
As a further scheme of the invention, sealing and storing the task information and the task processing result through the virtual cipher machine when task information is transmitted in a task channel, and creating a unique decoding key for the task from the current transmission time, the task type and the task data size, specifically comprises the following steps:
reading the task transmission state of each task channel; when task information is transmitted in a task channel, establishing an independent sandbox and temporarily storing the task information in the independent sandbox;
and establishing a unique decoding key for the independent sandbox, the decoding key being formed by combining the transmission time of the task, the task type mark and the task data size.
As a further scheme of the invention, reading and transmitting the task information when both the dynamic connection code and the unique decoding key entered by the user pass verification specifically comprises the following steps:
receiving the dynamic connection code uploaded by the user and comparing it with the dynamic connection code generated by the virtual cipher machine; if the comparison fails, returning an access-refused receipt to the user;
if the comparison passes, receiving the unique decoding key uploaded by the user and comparing it with the transmission time, task type mark and data size of the task; if the comparison fails, returning an access-refused receipt to the user;
and if the comparison passes, releasing the sealed state of the independent sandbox.
Another object of an embodiment of the present invention is to provide a big data system cryptographic service system, the system comprising:
a connection establishment module, configured to establish a connection between the server cipher machine and the big data system, establish a plurality of task channels in the big data system according to task type, and establish a virtual cipher machine for each task channel;
an information receiving module, configured to receive task information transmitted by the big data system and automatically assign a virtual cipher machine according to the task channel in which the task information is located;
a channel encryption module, configured to establish a dynamic connection code for each task channel through its virtual cipher machine and synchronize the dynamic connection code to the user key;
an information encryption module, configured to seal and store the task information and the task processing result through the virtual cipher machine when task information is transmitted in a task channel, and to create a unique decoding key for the task from the current transmission time, the task type and the task data size;
and a decoding verification module, configured to read and transmit the task information when both the dynamic connection code and the unique decoding key entered by the user pass verification.
As a further aspect of the present invention, the connection establishment module comprises:
a connection unit, configured to establish a connection between the server cipher machine and the big data system so that the server cipher machine can act on tasks transferred in the big data system;
a channel establishing unit, configured to establish a plurality of task transmission channels according to the task types in the big data system, each task transmission channel carrying a restricting mark, so that when a task is sent out by the big data system it is marked according to its task type and then automatically assigned to the transmission channel with the same mark;
and an automatic assignment unit, configured to establish a virtual cipher machine for each transmission channel through the server cipher machine, the virtual cipher machines of the transmission channels being mutually independent and acting only on their own transmission channel.
As a further aspect of the present invention, the channel encryption module comprises:
a code generation unit, configured to generate, through the virtual cipher machine, an independent dynamic connection code for the task channel in which the task information is located when a user applies to read the task information, the dynamic connection code changing randomly over time;
and a code synchronization unit, configured to synchronize the dynamic connection code to the user key through the server cipher machine.
As a further aspect of the present invention, the information encryption module comprises:
an information isolation unit, configured to read the task transmission state of each task channel, establish an independent sandbox when task information is transmitted in a task channel, and temporarily store the task information in the independent sandbox;
and a key establishment unit, configured to establish a unique decoding key for the independent sandbox, the decoding key being formed by combining the transmission time of the task, the task type mark and the task data size.
As a further aspect of the present invention, the decoding verification module comprises:
a code verification unit, configured to receive the dynamic connection code uploaded by the user, compare it with the dynamic connection code generated by the virtual cipher machine, and return an access-refused receipt to the user if the comparison fails;
a key verification unit, configured to receive the unique decoding key uploaded by the user once the dynamic connection code comparison has passed, compare it with the transmission time, task type mark and data size of the task, and return an access-refused receipt to the user if the comparison fails;
and an information reading unit, configured to release the sealed state of the independent sandbox when the unique decoding key comparison passes.
The embodiment of the invention has the following beneficial effects:
the system improves the security of data in transit by means of double encryption. The server cipher machine automatically generates a number of virtual cipher machines; files of different types are classified and encrypted separately and are read through a dynamic code, so that password leakage is avoided. The multi-layer encryption also generates keys automatically from the real-time information of the transmitted data, so that every file uses a different connection key, key leakage is prevented, only personnel involved in uploading the data know the keys, and the security of the data is enhanced.
Drawings
FIG. 1 is a flowchart of a big data system cryptographic service method according to an embodiment of the present invention;
FIG. 2 is a flowchart of establishing a connection between the server cipher machine and the big data system, establishing a plurality of task channels in the big data system according to task type, and establishing a virtual cipher machine for each task channel, according to an embodiment of the present invention;
FIG. 3 is a flowchart of establishing a dynamic connection code for each task channel through the virtual cipher machine and synchronizing the dynamic connection code to the user key, according to an embodiment of the present invention;
FIG. 4 is a flowchart of sealing and storing task information and task processing results through the virtual cipher machine when task information is transmitted in a task channel, and creating a unique decoding key for the task from the current transmission time, task type and task data size, according to an embodiment of the present invention;
FIG. 5 is a flowchart of reading and transmitting task information when both the dynamic connection code and the unique decoding key entered by the user pass verification, according to an embodiment of the present invention;
FIG. 6 is a block diagram of a big data system cryptographic service system according to an embodiment of the present invention;
FIG. 7 is a block diagram of the connection establishment module according to an embodiment of the present invention;
FIG. 8 is a block diagram of the channel encryption module according to an embodiment of the present invention;
FIG. 9 is a block diagram of the information encryption module according to an embodiment of the present invention;
FIG. 10 is a block diagram of the decoding verification module according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It will be understood that the terms "first," "second," and the like, as used herein, may be used to describe various elements, but these elements are not limited by these terms unless otherwise specified. These terms are only used to distinguish one element from another element. For example, a first xx script may be referred to as a second xx script, and similarly, a second xx script may be referred to as a first xx script, without departing from the scope of the present application.
Fig. 1 is a flowchart of a big data system cryptographic service method according to an embodiment of the present invention. As shown in Fig. 1, the method comprises:
S100, establishing a connection between a server cipher machine and the big data system, establishing a plurality of task channels in the big data system according to task type, and establishing a virtual cipher machine for each task channel;
in this step, the task channels are divided according to task type, and the number of divisions depends on the actual capacity of the big data system: the larger the capacity, the more tasks can be processed, the finer the type division, and the more task channels can be established in the big data system. To carry out the encryption work, the server cipher machine automatically establishes a virtual cipher machine for each task channel, so that each task channel is encrypted separately.
S200, receiving task information transmitted by the big data system, and automatically assigning a virtual cipher machine according to the task channel in which the task information is located;
in this step, so that a task can be quickly matched to the corresponding task channel when it is sent out, each task channel generates a type label, a task label is attached to each task according to its type when the task is sent, and tasks are quickly sorted by matching the task label against the channel label.
S300, establishing a dynamic connection code for each task channel through its virtual cipher machine, and synchronizing the dynamic connection code to the user key;
in this step, when a user applies to read task information, the virtual cipher machine generates an independent dynamic connection code for the task channel in which the task information is located. The dynamic connection code changes randomly over time, and its number of digits and change frequency can be adjusted automatically according to the encryption level of the task: for example, low-level task information is encrypted with a 6-digit code that changes automatically every 60 seconds, and high-level task information with an 8-digit code that changes automatically every 30 seconds. As the dynamic connection code is generated, the server cipher machine synchronizes it to the user key; the user key may take forms including, but not limited to, a USBKey, an app on the user's mobile terminal, or a dedicated device paired with the big data system.
S400, when task information is transmitted in a task channel, sealing and storing the task information and the task processing result through the virtual cipher machine, and creating a unique decoding key for the task from the current transmission time, the task type and the task data size;
in this step, the transmission state of the task channel is read continuously. When task information is transmitted in a task channel, an independent sandbox is automatically built in that task channel and the task information is temporarily stored in it. The independent sandbox provides an isolated environment for the task information in transit, so that the task information cannot be read and cannot be transmitted to other external devices;
when task information is transmitted, the transmission time, task type mark and task data size of the task are recorded in the big data system, and the creator of the task also knows these values, so a unique code for the task can be built from them. The task type mark rule can be set up automatically according to the application field of each system. For example, for a task created at 23:05:06 on 1 October 2020 in the marine field, with freight as its content and a data size of 1024 MB, the unique decoding key 20201001230506HYHY1024 can be generated. The composition rule of the unique key is as described above, but the order in which the components are combined is not fixed, i.e. the order is chosen randomly, for example "1024HYHY23050620201001", "HYHY102423050620201001" or "HYHY202010012305061024". The specific input order is prompted by the input terminal, by means including, but not limited to, a text prompt, a limit on the number of digits, or a restriction to digits or letters at each position, which further prevents random cracking.
S500, reading and transmitting the task information when both the dynamic connection code and the unique decoding key entered by the user pass verification.
In this step, in order to guarantee the security of the data, dual verification is performed, and the information can be read only if both verifications pass. When a verification fails, a read log is generated that records the failing information so that the user's read request can be queried; and when verification fails repeatedly in succession, the independent sandbox holding the transmitted file is locked and an alarm signal is sent, so that brute-force cracking cannot affect the security of the data.
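Steps S100 to S500 above, carried through end to end as one added Python illustration. This is not the patent's own code and the patent gives no implementation; the class and function names (CryptoService, VirtualCipherMachine, Sandbox, transmit, request_read, read) are hypothetical. Assumed here: the dynamic connection code is an HMAC over a per-channel secret and the current time slot, which gives the page's "changes randomly with time" behaviour with the page's 6-digit/60 s and 8-digit/30 s levels; sealing is modelled as a flag on an in-memory sandbox rather than any particular encryption; the user key is a dictionary standing in for a USBKey or app; and the lockout threshold of three consecutive failures is a guess. The task values reuse the page's own example (202010012305, HYHY, 1024 MB).

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

# Digit count and change period of the dynamic connection code per encryption
# level, as stated on the page (low: 6 digits / 60 s, high: 8 digits / 30 s).
LEVELS = {"low": (6, 60), "high": (8, 30)}
LOCK_AFTER = 3  # assumed: consecutive failures after which the sandbox is locked
PART_NAMES = ("transmission time", "task type mark", "data size")


class VirtualCipherMachine:
    """One per task channel (S130); the channel secret never leaves it."""

    def __init__(self, channel):
        self.channel = channel
        self._secret = secrets.token_bytes(32)

    def dynamic_code(self, level, now):
        """Dynamic connection code at epoch second `now`. Assumed construction:
        HMAC over the current time slot, truncated to the level's digit count,
        so the code changes every `period` seconds."""
        digits, period = LEVELS[level]
        slot = struct.pack(">Q", now // period)
        mac = hmac.new(self._secret, slot, hashlib.sha256).digest()
        return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


@dataclass
class Sandbox:
    """Independent sandbox holding one task's data in the sealed state (S410)."""
    channel: str
    payload: bytes
    parts: tuple   # (transmission time, task type mark, data size in MB)
    order: list    # random order of the parts for this task (S420)
    sealed: bool = True
    locked: bool = False
    failures: int = 0
    log: list = field(default_factory=list)

    def prompt(self):
        """Word prompt shown by the input terminal: the order to type the parts in."""
        return " + ".join(PART_NAMES[i] for i in self.order)

    def expected_key(self):
        """The unique decoding key: the parts joined in this task's order."""
        return "".join(self.parts[i] for i in self.order)


class CryptoService:
    def __init__(self, task_types):
        # S100: one task channel and one independent virtual cipher machine per type.
        self.machines = {t: VirtualCipherMachine(t) for t in task_types}
        self.sandboxes = {}
        self.user_keys = {}  # stands in for the USBKey / app receiving the synced code

    def transmit(self, task_id, task_type, payload, time_str, type_mark, size_mb):
        """S200/S400: route by task type, seal the data, fix the key parts and order."""
        if task_type not in self.machines:
            raise ValueError(f"no task channel marked {task_type!r}")
        order = [0, 1, 2]
        secrets.SystemRandom().shuffle(order)
        parts = (time_str, type_mark, str(size_mb))
        self.sandboxes[task_id] = Sandbox(task_type, payload, parts, order)

    def request_read(self, user, task_id, level, now):
        """S300: generate the channel's dynamic code and sync it to the user key."""
        sb = self.sandboxes[task_id]
        self.user_keys[user] = self.machines[sb.channel].dynamic_code(level, now)
        return sb.prompt()

    def read(self, user, task_id, code, decoding_key, level, now):
        """S500: dual verification; the sandbox is unsealed only if both checks pass."""
        sb = self.sandboxes[task_id]
        if sb.locked:
            return None, "sandbox locked"
        expected = self.machines[sb.channel].dynamic_code(level, now)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return self._refuse(sb, user, "dynamic connection code mismatch")
        if not hmac.compare_digest(decoding_key.encode(), sb.expected_key().encode()):
            return self._refuse(sb, user, "unique decoding key mismatch")
        sb.failures = 0
        sb.sealed = False
        sb.log.append(f"{user}: read granted")
        return sb.payload, "access granted"

    def _refuse(self, sb, user, reason):
        """Access-refused receipt plus read log; lock and alarm on repeated failures."""
        sb.failures += 1
        sb.log.append(f"{user}: access refused ({reason})")
        if sb.failures >= LOCK_AFTER:
            sb.locked = True
            sb.log.append("ALARM: consecutive verification failures, sandbox locked")
        return None, "access refused"


if __name__ == "__main__":
    svc = CryptoService(["freight", "finance"])
    # Constructed task reusing the page's example: 23:05 on 1 Oct 2020, marine freight, 1024 MB.
    svc.transmit("T1", "freight", b"cargo manifest", "202010012305", "HYHY", 1024)
    now = 1_700_000_000
    print("enter:", svc.request_read("alice", "T1", "high", now))
    code = svc.user_keys["alice"]             # read off the user key device
    key = svc.sandboxes["T1"].expected_key()  # typed in the prompted order
    print(svc.read("alice", "T1", code, key, "high", now))
```

In this flow the three decoding-key parts are values the big data system records and the task creator already knows, so what stands between a guesser and the sandbox is the randomized order prompted at the terminal, the dynamic code that only the synced user key holds, and the lockout with its alarm after repeated failures; the constant-time comparisons keep the two checks from leaking which part was wrong.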
Fig. 2 is a flowchart of establishing a connection between a server crypto-engine and a big data system according to a task type, establishing a plurality of task channels in the big data system, and respectively establishing a virtual crypto-engine for each task channel, as shown in fig. 2, where the establishing a connection between a server crypto-engine and a big data system, establishing a plurality of task channels in the big data system according to a task type, and respectively establishing a virtual crypto-engine for each task channel, specifically includes:
S110, establishing a connection relation between the server crypto-engine and the big data system, so that the server crypto-engine can act on tasks transferred in the big data system;
s120, establishing a plurality of task transmission channels according to task types in the big data system, and making limiting marks on each task transmission channel, when a task is sent out by the big data system, marking the task according to the task type, and then automatically distributing the task to the transmission channels with the same marks;
in this step, the task channels are divided according to the task types, and the number of the division is larger according to the actual capacity of the big data system, so that the larger the number of the tasks which can be processed, the finer the corresponding division types, and the larger the number of the task channels which can be established in the big data system.
S130, establishing a virtual cipher machine for each transmission channel through the server cipher machine, wherein the virtual cipher machines of each transmission channel are mutually independent and only act on the corresponding transmission channel.
Fig. 3 is a flowchart of establishing dynamic connection codes for each task channel by a virtual crypto machine and synchronizing the dynamic connection codes to a user key, as shown in fig. 3, where the establishing dynamic connection codes for each task channel by a virtual crypto machine and synchronizing the dynamic connection codes to the user key specifically includes:
S310, when a user applies for reading task information, an independent dynamic connection code is generated for a task channel where the task information is located through a virtual password machine, and the dynamic connection code automatically changes randomly along with time;
in the step, when a user applies for reading task information, an independent dynamic connection code is generated for a task channel where the task information is located through a virtual password machine, the dynamic connection code automatically changes randomly along with time, the bit number and the change frequency of the dynamic connection code can be automatically adjusted according to the encryption level of the task, for example, low-level task information is encrypted through a 6-bit code and automatically changes once after 60 seconds; the high-level task information is encrypted by 8-bit number coding and automatically changed once after 30 seconds.
S320, synchronizing the dynamic connection code to the user key through the server crypto.
In this step, the dynamic connection code is generated and synchronized to the user key by the server crypto-engine, and the existence form of the user key includes but is not limited to: the system comprises a USBKey, a user mobile terminal APP, specific equipment matched with a big data system and the like.
Fig. 4 is a flowchart of sealing and storing task information and task processing results through the virtual cryptographic machine when task information transmission occurs in a task channel, and of creating the unique decoding key of the task from the current transmission time, task type and task data size. As shown in Fig. 4, this step specifically includes:
S410, reading the task transmission state of each task channel; when task information transmission occurs in a task channel, establishing an independent sandbox and temporarily storing the task information in it;
In this step, the transmission state of each task channel is monitored continuously. When task information transmission occurs in a task channel, an independent sandbox is built automatically inside that channel and the task information is stored in it temporarily. The independent sandbox provides an isolated environment for the task information in transit, so that the information cannot be read by other parties and cannot be transmitted to external equipment.
S420, establishing a unique decoding key for the independent sandbox, where the decoding key is formed by combining the transmission time of the task, the task type mark and the task data size.
In this step, when task information is transmitted, the big data system records the transmission time, the task type mark and the task data size, and the creator of the task also knows these values, so a unique code for the task can be built from them. The task type mark rule can be established automatically for the application fields of different systems. For example, a task created at 23:05 on 1 October 2020 whose category is ocean shipping, whose content is freight and whose data size is 1024 MB yields the unique decoding key 202010012305HYHY1024. The unique decoding key follows the coding rule described above, but the order in which its parts are generated is not fixed, i.e. the order is chosen at random, giving for instance "1024HYHY230520201001", "HYHY1024230520201001" or "HYHY2020100123051024". The required input order is prompted by the input terminal, using prompting modes that include but are not limited to text prompts, a limit on the number of characters, and restricting a position to digits or to letters, which further guards against random guessing.
Fig. 5 is a flowchart of reading and transmitting task information when both the dynamic connection code and the unique decoding key input by the user pass verification. As shown in Fig. 5, this step specifically includes:
S510, receiving the dynamic connection code uploaded by the user and comparing it with the dynamic connection code generated by the virtual cryptographic machine; if the comparison fails, returning a receipt to the user that refuses access;
S520, if the comparison passes, receiving the unique decoding key uploaded by the user and comparing it with the transmission time, task type mark and task data size of the task; if the comparison fails, returning a receipt to the user that refuses access;
In this step, dual verification is performed to guarantee the security of the data, and information is read if and only if both verifications pass. Whenever a verification fails, a read log is produced that records the failed attempt and the user's read request; when verifications fail consecutively, the independent sandbox holding the transmitted file is locked and an alarm signal is issued, so that brute-force cracking cannot compromise the security of the data.
S530, if the comparison passes, releasing the sealed state of the independent sandbox.
Fig. 6 is a block diagram of a big data system password service system according to an embodiment of the present invention. As shown in Fig. 6, the system includes:
the connection establishment module 100, configured to establish a connection between the server cryptographic machine and the big data system, establish a plurality of task channels in the big data system according to task type, and establish a virtual cryptographic machine for each task channel;
In this module, task channels are divided according to task type, and the number of divisions follows the actual capacity of the big data system: the larger the capacity, the more tasks can be processed, the finer the type division, and the more task channels can be established in the big data system. At the same time, to carry out the encryption work, the server cryptographic machine automatically establishes a virtual cryptographic machine for each task channel so that each task channel is encrypted separately.
the information receiving module 200, configured to receive task information transmitted by the big data system and automatically assign a virtual cryptographic machine according to the task channel where the task information is located;
In this module, to match a task to its channel quickly when the task is issued, each task channel carries a type label; when a task is issued it is given a task label according to its type, and the task is routed quickly by matching the task label to the channel label.
the channel encryption module 300, configured to establish a dynamic connection code for each task channel through the virtual cryptographic machine and synchronize the dynamic connection code to the user key;
In this module, when a user applies to read task information, the virtual cryptographic machine generates an independent dynamic connection code for the task channel where the task information is located, and the code changes automatically and randomly over time. The number of digits and the change frequency of the dynamic connection code can be adjusted automatically according to the encryption level of the task: for example, low-level task information is encrypted with a 6-digit code that changes automatically every 60 seconds, while high-level task information is encrypted with an 8-digit code that changes automatically every 30 seconds. As soon as the dynamic connection code is generated it is synchronized to the user key by the server cryptographic machine; the user key may take forms including but not limited to a USBKey, an app on the user's mobile terminal, or a dedicated device paired with the big data system.
the information encryption module 400, configured to seal and store task information and task processing results through the virtual cryptographic machine when task information transmission occurs in a task channel, and to create the unique decoding key of the task from the current transmission time, task type and task data size;
In this module, the transmission state of each task channel is monitored continuously. When task information transmission occurs in a task channel, an independent sandbox is built automatically inside that channel and the task information is stored in it temporarily. The independent sandbox provides an isolated environment for the task information in transit, so that the information cannot be read by other parties and cannot be transmitted to external equipment.
When task information is transmitted, the big data system records the transmission time, the task type mark and the task data size, and the creator of the task also knows these values, so a unique code for the task can be built from them. The task type mark rule can be established automatically for the application fields of different systems. For example, the task information "created at 23:05 on 1 October 2020, category ocean shipping, content freight, task data size 1024 MB" yields the unique decoding key "202010012305HYHY1024". The unique decoding key follows the coding rule described above, but the order in which its parts are generated is not fixed, i.e. the order is chosen at random, giving for instance "1024HYHY230520201001", "HYHY1024230520201001" or "HYHY2020100123051024". The required input order is prompted by the input terminal, using prompting modes that include but are not limited to text prompts, a limit on the number of characters, and restricting a position to digits or to letters, which further guards against random guessing.
the decoding verification module 500, configured to read and transfer task information when both the dynamic connection code and the unique decoding key input by the user pass verification.
In this module, dual verification is performed to guarantee the security of the data, and information is read if and only if both verifications pass. Whenever a verification fails, a read log is produced that records the failed attempt and the user's read request; when verifications fail consecutively, the independent sandbox holding the transmitted file is locked and an alarm signal is issued, so that brute-force cracking cannot compromise the security of the data.
Fig. 7 is a block diagram of a connection establishment module according to an embodiment of the present invention, and as shown in fig. 7, the connection establishment module 100 includes:
the connection unit 110, used to establish a connection relation between the server cryptographic machine and the big data system, so that the server cryptographic machine can act on tasks transferred in the big data system;
the channel establishing unit 120, configured to establish a plurality of task transmission channels according to the task types present in the big data system, each task transmission channel carrying a restricting mark; when a task is issued by the big data system it is marked according to its task type and then automatically assigned to the transmission channel with the same mark;
In this unit, task channels are divided according to task type, and the number of divisions follows the actual capacity of the big data system: the larger the capacity, the more tasks can be processed, the finer the type division, and the more task channels can be established in the big data system.
The automatic allocation unit 130 is configured to establish a virtual cryptographic engine for each transmission channel through the server cryptographic engine, where the virtual cryptographic engines of each transmission channel are independent of each other and only act on the corresponding transmission channel.
Fig. 8 is a block diagram of a channel encryption module according to an embodiment of the present invention, and as shown in fig. 8, the channel encryption module 300 includes:
the code generating unit 310, configured to generate, when a user applies to read task information, an independent dynamic connection code for the task channel where the task information is located through the virtual cryptographic machine, where the dynamic connection code changes automatically and randomly over time;
In this unit, when a user applies to read task information, the virtual cryptographic machine generates an independent dynamic connection code for the task channel where the task information is located, and the code changes automatically and randomly over time. The number of digits and the change frequency of the dynamic connection code can be adjusted automatically according to the encryption level of the task: for example, low-level task information is encrypted with a 6-digit code that changes automatically every 60 seconds, while high-level task information is encrypted with an 8-digit code that changes automatically every 30 seconds.
the code synchronization unit 320, configured to synchronize the dynamic connection code to the user key through the server cryptographic machine.
In this unit, as soon as the dynamic connection code is generated it is synchronized to the user key by the server cryptographic machine. The user key may take forms including but not limited to a USBKey, an app on the user's mobile terminal, or a dedicated device paired with the big data system.
Fig. 9 is a block diagram of an information encryption module according to an embodiment of the present invention, and as shown in fig. 9, the information encryption module 400 includes:
the information isolation unit 410 is configured to read a task transmission state of each task channel, establish an independent sandbox when task information transmission occurs in the task channel, and temporarily store the task information into the independent sandbox;
In this unit, the transmission state of each task channel is monitored continuously. When task information transmission occurs in a task channel, an independent sandbox is built automatically inside that channel and the task information is stored in it temporarily. The independent sandbox provides an isolated environment for the task information in transit, so that the information cannot be read by other parties and cannot be transmitted to external equipment.
The key establishment unit 420 is configured to establish a unique decoding key for the independent sandbox, where the decoding key is formed by combining the transmission time of the task, the task type tag, and the task data size data.
In this unit, when task information is transmitted, the big data system records the transmission time, the task type mark and the task data size, and the creator of the task also knows these values, so a unique code for the task can be built from them. The task type mark rule can be established automatically for the application fields of different systems. For example, a task created at 23:05 on 1 October 2020 whose category is ocean shipping, whose content is freight and whose data size is 1024 MB yields the unique decoding key 202010012305HYHY1024. The unique decoding key follows the coding rule described above, but the order in which its parts are generated is not fixed, i.e. the order is chosen at random, giving for instance "1024HYHY230520201001", "HYHY1024230520201001" or "HYHY2020100123051024". The required input order is prompted by the input terminal, using prompting modes that include but are not limited to text prompts, a limit on the number of characters, and restricting a position to digits or to letters, which further guards against random guessing.
Fig. 10 is a block diagram of a decoding verification module according to an embodiment of the present invention, and as shown in fig. 10, the decoding verification module 500 includes:
the code verification unit 510 is configured to receive a dynamic connection code uploaded by a user, compare the dynamic connection code with a dynamic connection code generated by a virtual cryptographic machine, and if the comparison fails, provide receipt information for refusing access to the user;
the key verification unit 520 is configured to, when the dynamic connection code comparison passes, receive the unique decoding key uploaded by the user again, compare the unique decoding key with the transmission time of the task, the task type label, and the task data size data, and if the comparison fails, provide receipt information for refusing access to the user;
In this unit, dual verification is performed to guarantee the security of the data, and information is read if and only if both verifications pass. Whenever a verification fails, a read log is produced that records the failed attempt and the user's read request; when verifications fail consecutively, the independent sandbox holding the transmitted file is locked and an alarm signal is issued, so that brute-force cracking cannot compromise the security of the data.
And the information reading unit 530 is configured to release the sealed state of the independent sandbox when the unique decoding key comparison passes.
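The decoding key construction of S420 and the two-stage verification of S510 to S530 (repeated in modules 400 and 500 and in units 420, 510, 520 and 530) can be put together in one piece of code. What follows is an added example, not code from the patent or its applicant. It reproduces the page's own key, 202010012305HYHY1024, from the four parts the text shows being permuted (date, hour-minute, type mark, size in MB), prompts the user with a randomly chosen field order, and performs the dual check with the failure log, consecutive-failure lockout and alarm the text describes. Assumptions of the example: the dynamic connection code is handed to the verifier by the virtual cryptographic machine (its generation is a separate concern), and three consecutive failures lock the sandbox, since the text says "consecutively" without giving a number; `TaskRecord`, `Sandbox`, `DecodingVerifier` and `MAX_CONSECUTIVE_FAILURES` are the example's own names.

```python
"""Unique decoding key and dual read verification (added example, not the patent's code).

Assumed here, not stated in the patent: four key fields (date, HHMM, type mark,
size) in a randomly chosen order that the terminal prompts; the expected dynamic
connection code is supplied by the virtual cryptographic machine; three
consecutive failures lock the sandbox and raise the alarm.
"""
from dataclasses import dataclass, field
from datetime import datetime
import hmac
import itertools
import secrets
from typing import List, Optional, Tuple

FIELD_NAMES = ("date", "time", "type", "size")
ALL_ORDERS = list(itertools.permutations(range(4)))
MAX_CONSECUTIVE_FAILURES = 3  # assumed threshold; the text only says "consecutively"


@dataclass(frozen=True)
class TaskRecord:
    """Metadata the big data system records when a task is transmitted."""
    transmitted_at: datetime
    type_tag: str   # e.g. "HYHY" for an ocean-shipping freight task
    size_mb: int

    def fields(self) -> Tuple[str, str, str, str]:
        t = self.transmitted_at
        return (t.strftime("%Y%m%d"), t.strftime("%H%M"), self.type_tag, str(self.size_mb))


def sample_record() -> TaskRecord:
    """The task from the text: 1 Oct 2020 23:05, ocean freight, 1024 MB (constructed)."""
    return TaskRecord(datetime(2020, 10, 1, 23, 5), "HYHY", 1024)


def decoding_key(record: TaskRecord, order: Tuple[int, ...] = (0, 1, 2, 3)) -> str:
    """Concatenate the fields in `order`; the default order yields 202010012305HYHY1024."""
    f = record.fields()
    return "".join(f[i] for i in order)


def order_prompt(order: Tuple[int, ...]) -> str:
    """Text the input terminal shows the user, e.g. 'size + type + time + date'."""
    return " + ".join(FIELD_NAMES[i] for i in order)


@dataclass
class Sandbox:
    """Independent sandbox holding one task's transmitted information."""
    task: TaskRecord
    sealed: bool = True
    locked: bool = False
    alarm_raised: bool = False
    consecutive_failures: int = 0
    read_log: List[dict] = field(default_factory=list)


class DecodingVerifier:
    """Stage 1 checks the dynamic connection code, stage 2 the unique decoding key."""

    def __init__(self, sandbox: Sandbox, expected_dynamic_code: str,
                 order: Optional[Tuple[int, ...]] = None) -> None:
        self.sandbox = sandbox
        self.expected_code = expected_dynamic_code
        self.order = order if order is not None else secrets.choice(ALL_ORDERS)
        self._code_ok = False

    def _deny(self, user: str, stage: str, query: str) -> dict:
        sb = self.sandbox
        sb.consecutive_failures += 1
        self._code_ok = False  # a failure at either stage restarts the dual check
        sb.read_log.append({"user": user, "stage": stage, "query": query, "result": "denied"})
        if sb.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            sb.locked = True
            sb.alarm_raised = True
            sb.read_log.append({"user": user, "result": "sandbox locked", "alarm": True})
        return {"access": "denied", "stage": stage}

    def submit_dynamic_code(self, user: str, code: str) -> dict:
        """Stage 1 (S510): compare with the code generated by the virtual cryptographic machine."""
        if self.sandbox.locked:
            return {"access": "denied", "stage": "locked"}
        if not hmac.compare_digest(code.encode(), self.expected_code.encode()):
            return self._deny(user, "dynamic_code", code)
        self._code_ok = True
        return {"access": "continue", "stage": "decoding_key", "prompt": order_prompt(self.order)}

    def submit_decoding_key(self, user: str, key: str) -> dict:
        """Stage 2 (S520/S530): compare with the key rebuilt from recorded task metadata."""
        sb = self.sandbox
        if sb.locked or not self._code_ok:
            return {"access": "denied", "stage": "locked" if sb.locked else "dynamic_code_required"}
        expected = decoding_key(sb.task, self.order)
        if not hmac.compare_digest(key.encode(), expected.encode()):
            return self._deny(user, "decoding_key", key)
        sb.consecutive_failures = 0
        sb.sealed = False      # release the sealed state of the sandbox
        self._code_ok = False  # the next read needs a fresh dynamic code
        sb.read_log.append({"user": user, "result": "granted"})
        return {"access": "granted", "stage": "released"}
```

Both comparisons use `hmac.compare_digest` so that a rejected upload takes the same time whether the mismatch is in the first or the last character, and the verifier checks the exact order it prompted rather than accepting any permutation, which keeps the randomized order from weakening the check.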
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages need not be performed in sequence: they may be performed in turn or alternately with at least a portion of the sub-steps or stages of other steps, or with other steps.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing relevant hardware; the program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, storage, a database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory may include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the above-described embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above-described embodiments are described; however, as long as there is no contradiction in a combination of technical features, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the invention and are described in detail herein without thereby limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.

Claims (10)

1. A method of providing a big data system cryptographic service, the method comprising:
establishing connection between a server cipher machine and a big data system, establishing a plurality of task channels in the big data system according to task types, and respectively establishing a virtual cipher machine for each task channel;
Receiving task information transmitted by a big data system, and automatically distributing a virtual password machine according to a task channel where the task information is located;
respectively establishing dynamic connection codes for each task channel through a virtual password machine, and synchronizing the dynamic connection codes to a user key;
when task information transmission occurs in a task channel, the task information and a task processing result are stored in a sealing mode through a virtual password machine, and a unique decoding key of the task is created according to the current transmission time, the task type and the task data size;
and reading and transmitting task information when both the dynamic connection code and the unique decoding key input by the user pass verification.
2. The big data system password service method according to claim 1, wherein establishing the connection between the server cryptographic machine and the big data system, establishing the plurality of task channels in the big data system according to task type, and establishing a virtual cryptographic machine for each task channel specifically comprises:
establishing a connection relation between the server crypto-engine and the big data system, so that the server crypto-engine can act on tasks transferred in the big data system;
According to the task types existing in the big data system, a plurality of task transmission channels are established, each task transmission channel makes a limiting mark, when a task is sent out by the big data system, the task is marked according to the task type, and then the task is automatically distributed to the transmission channels with the same mark;
the virtual cipher machine is built for each transmission channel through the server cipher machine, and the virtual cipher machines of each transmission channel are mutually independent and only act on the corresponding transmission channel.
3. The method for providing the big data system password service according to claim 1, wherein the step of establishing a dynamic connection code for each task channel through the virtual password machine and synchronizing the dynamic connection code to the user key comprises the steps of:
when a user applies for reading task information, an independent dynamic connection code is generated for a task channel where the task information is located through a virtual password machine, and the dynamic connection code automatically changes randomly along with time;
the dynamic connection code is synchronized to the user key by the server crypto-engine.
4. The big data system password service method according to claim 1, wherein sealing and storing the task information and the task processing result through the virtual cryptographic machine when task information transmission occurs in the task channel, and creating the unique decoding key of the task according to the current transmission time, the task type and the task data size, specifically comprises:
Reading the task transmission state of each task channel, when task information transmission occurs in the task channel, establishing an independent sandbox, and temporarily storing the task information into the independent sandbox;
and establishing a unique decoding key for the independent sandbox, wherein the decoding key is formed by combining the transmission time of the task, the task type mark and the task data size data.
5. The big data system password service method according to claim 4, wherein reading and transmitting the task information when both the dynamic connection code and the unique decoding key input by the user pass verification specifically comprises:
receiving a dynamic connection code uploaded by a user, comparing the dynamic connection code with a dynamic connection code generated by a virtual password machine, and providing receipt information refused to access to the user if the comparison is not passed;
if the comparison is passed, the unique decoding key uploaded by the user is received again, the unique decoding key is compared with the transmission time of the task, the task type mark and the task data size data, and if the comparison is not passed, receipt information refusing to access is provided for the user;
and if the comparison is passed, releasing the sealing state of the independent sand box.
6. A big data system cryptographic service system, the system comprising:
the connection establishment module is used for establishing connection between the server crypto-engine and the big data system, establishing a plurality of task channels in the big data system according to task types, and respectively establishing a virtual crypto-engine for each task channel;
the information receiving module is used for receiving the task information transmitted by the big data system and automatically distributing the virtual password machine according to the task channel where the task information is located;
the channel encryption module is used for respectively establishing dynamic connection codes for each task channel through the virtual crypto machine and synchronizing the dynamic connection codes to the user key;
the information encryption module is used for sealing and storing task information and task processing results through the virtual password machine when task information transmission occurs in the task channel, and creating a unique decoding key of the task according to the current transmission time, the task type and the task data size;
and the decoding verification module, used for reading and transmitting task information when both the dynamic connection code and the unique decoding key input by the user pass verification.
7. The big data system cryptographic service system according to claim 6, wherein the connection establishment module comprises:
The connection unit is used for establishing a connection relation between the server crypto-engine and the big data system, so that the server crypto-engine can act on tasks transferred in the big data system;
the channel establishing unit, used for establishing a plurality of task transmission channels according to the task types present in the big data system, each task transmission channel carrying a restricting mark, and, when a task is issued by the big data system, marking the task according to its task type and then automatically assigning it to the transmission channel with the same mark;
the automatic distribution unit is used for establishing a virtual cipher machine for each transmission channel through the server cipher machine, and the virtual cipher machines of each transmission channel are mutually independent and only act on the corresponding transmission channel.
8. The big data system cryptographic service system according to claim 6, wherein the channel encryption module comprises:
the code generation unit is used for generating independent dynamic connection codes for the task channels where the task information is located through the virtual password machine when a user applies for reading the task information, and the dynamic connection codes automatically change randomly along with time;
And the code synchronization unit is used for synchronizing the dynamic connection code to the user key through the server cipher machine.
9. The big data system cryptographic service system according to claim 6, wherein the information encryption module comprises:
the information isolation unit is used for reading the task transmission state of each task channel, establishing an independent sandbox when task information transmission occurs in the task channel, and temporarily storing the task information into the independent sandbox;
and the key establishment unit is used for establishing a unique decoding key for the independent sandbox, wherein the decoding key is formed by combining the transmission time of the task, the task type mark and the task data size data.
10. The big data system cryptographic service system according to claim 9, wherein the decode verification module comprises:
the code verification unit is used for receiving the dynamic connection code uploaded by the user, comparing the dynamic connection code with the dynamic connection code generated by the virtual cipher machine, and providing receipt information refused to access for the user if the comparison is not passed;
the key verification unit is used for receiving the unique decoding key uploaded by the user again when the dynamic connection code comparison passes, comparing the unique decoding key with the transmission time of the task, the task type mark and the task data size data, and providing receipt information refusing access for the user if the comparison does not pass;
And the information reading unit is used for releasing the sealing state of the independent sandbox when the unique decoding key comparison passes.
CN202310389039.6A 2023-04-13 2023-04-13 Big data system password service method and system Active CN116108474B (en)

Publications (2)

Publication Number Publication Date
CN116108474A CN116108474A (en) 2023-05-12
CN116108474B true CN116108474B (en) 2023-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant