CN116136911A - Data access method and device - Google Patents

Publication number: CN116136911A
Authority: CN (China)
Prior art keywords: data; client; routing information; security; information
Legal status: Pending
Application number: CN202111352428.9A
Other languages: Chinese (zh)
Inventors: 谭明强, 江为强, 周松, 赵耀, 邱勤, 王光涛, 张彬, 杨小梅, 廖苑秀, 梁峻珲
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Group Guizhou Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Group Guizhou Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

An embodiment of the invention provides a data access method and a data access device. In the method, after receiving a data access request from a client, the cloud server performs, in sequence, data routing information matching, permission authentication of the client, and security verification of the data transmission channel, and transmits the corresponding target access data to the client only when all of these checks pass. In the application scenario where client data is encrypted by a third-party server and stored in the cloud server, adding multiple verification mechanisms ensures the security of the data the client is currently requesting to access and improves the security of the subsequent data access process.

Description

Data access method and device
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a data access method and apparatus.
Background
With the development of the internet, services are increasingly completed at a remote end, as with the commonly used network disk. The comprehensive extension of such services into an integrated remote service offering is called cloud service. The emergence of cloud services also brings cloud information security problems, the core of which is data security.
In the prior art, to ensure the security of cloud data, the data is generally encrypted at the storage stage: for example, the user terminal encrypts the data before uploading it to the cloud, or the cloud encrypts the data after receiving it from the user. When a user later accesses the data stored in the cloud, the encrypted data can be obtained directly, so once the encryption is broken the user's data is exposed to security risks. How to improve data security when a user accesses cloud data has therefore become a problem to be solved.
Disclosure of Invention
The embodiment of the invention aims to provide a data access method and device, which are used for solving the problem of potential safety hazards of data when a user accesses cloud data in the prior art.
In order to solve the technical problems, the embodiment of the invention is realized as follows:
In a first aspect, an embodiment of the present invention provides a data access method, applied to a cloud server, including:
receiving a data access request of a client, where the data access request carries timestamp information and first data routing information corresponding to target access data, and the target access data is user-related data that the client encrypted in advance through a third-party server and stored in the cloud server;
if target data routing information matching the first data routing information exists among a plurality of pre-stored pieces of second data routing information, sending a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request;
if the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes, performing security verification, based on first message data, on the data transmission channel used to transmit the target access data;
and if the security verification result of the data transmission channel is that verification passes, transmitting the target access data to the client through the data transmission channel.
In a second aspect, an embodiment of the present invention provides a data access apparatus, including:
a receiving module, configured to receive a data access request of a client, where the data access request carries timestamp information and first data routing information corresponding to target access data, and the target access data is user-related data that the client encrypted in advance through a third-party server and stored in the cloud server;
a permission request sending module, configured to send a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information if target data routing information matching the first data routing information exists among a plurality of pre-stored pieces of second data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request;
a security verification module, configured to perform security verification, based on first message data, on the data transmission channel used to transmit the target access data if the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes;
and a data transmission module, configured to transmit the target access data to the client through the data transmission channel if the security verification result of the data transmission channel is that verification passes.
In a third aspect, an embodiment of the present invention provides a computer device, including a processor, a communication interface, a memory, and a communication bus; the processor, the communication interface and the memory complete communication with each other through a bus; the memory is used for storing a computer program; the processor is configured to execute a program stored in the memory, and implement the steps of the data access method according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the data access method according to the first aspect.
The data access method and device in the embodiment of the invention include the following steps: receiving a data access request of a client, where the data access request carries timestamp information and first data routing information corresponding to target access data, and the target access data is user-related data that the client encrypted in advance through a third-party server and stored in the cloud server; if target data routing information matching the first data routing information exists among a plurality of pre-stored pieces of second data routing information, sending a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request; if the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes, performing security verification, based on first message data, on the data transmission channel used to transmit the target access data; and if the security verification result of the data transmission channel is that verification passes, transmitting the target access data to the client through the data transmission channel.
In the embodiment of the invention, after receiving the data access request of the client, the cloud server performs, in sequence, data routing information matching, permission authentication of the client, and security verification of the data transmission channel, and transmits the corresponding target access data to the client only when all of these checks pass. In the application scenario where client data is encrypted by the third-party server and stored in the cloud server, adding multiple verification mechanisms ensures the security of the data the client is currently requesting to access and improves the security of the subsequent data access process.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a first flowchart of a data access method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an application scenario of a data access method according to an embodiment of the present invention;
FIG. 3 is a second flowchart of a data access method according to an embodiment of the present invention;
FIG. 4 is a third flowchart of a data access method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the module components of a data access device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the technical solution of the present invention better understood by those skilled in the art, the technical solution of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, shall fall within the scope of the invention.
It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other. The invention will be described in detail below with reference to the drawings in connection with embodiments.
The embodiment of the invention provides a data access method and a data access device. After the cloud server receives a data access request of a client, it performs, in sequence, data routing information matching, permission authentication of the client, and security verification of the data transmission channel, and transmits the corresponding target access data to the client only when all of these checks pass. In the application scenario where client data is encrypted by a third-party server and stored in the cloud server, adding multiple verification mechanisms ensures the security of the data the client is currently requesting to access and improves the security of the subsequent data access process.
Fig. 1 is a first flowchart of a data access method according to an embodiment of the present invention, where the method in fig. 1 can be executed by a cloud server, and as shown in fig. 1, the method at least includes the following steps:
S102: receiving a data access request of a client. The data access request carries timestamp information and first data routing information corresponding to target access data, and the target access data is user-related data that the client encrypted in advance through a third-party server and stored in the cloud server.
The user-related data encrypted by the third-party server and stored in the cloud server in advance may be company-related data, such as internal business data and employee identity data, that a company encrypted through the third-party server and stored in the cloud server in advance; it may also be personal data (e.g., personal album data, personal file data, etc.) that the storage initiator encrypted through the third-party server and stored in the cloud server in advance.
When the client encrypts user-related data through the third-party server and stores it in the cloud server, the cloud server allocates data routing information for the stored user-related data and sends it to the client. The client can then use the data routing information to find the storage address of the user-related data in the cloud server and access that data. There is at least one piece of first data routing information, and each piece corresponds to a part of the user-related data.
The timestamp information is time information that identifies the initiation time of the data access request; the client requests it from the third-party server when initiating the data access request. Only a client that has encrypted user-related data through the third-party server and stored it in the cloud server (i.e., an authorized client) can request the timestamp information from the third-party server.
S104: if target data routing information matching the first data routing information exists among the plurality of pre-stored pieces of second data routing information, sending a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request.
The second data routing information includes the data routing information allocated for the user-related data that the client requested to store through the third-party server, and the authorization routing information of other data for which other clients have granted this client access rights.
Specifically, the cloud server judges whether any pre-stored second data routing information matches the first data routing information (i.e., data routing information matching). If not, the data routing information carried in the data access request initiated by the client is not the data routing information corresponding to the target access data the client wants to access. The target access data is then at risk, so the cloud server needs to intercept the data access request and apply security protection to the target access data.
If the cloud server determines that target data routing information matching the first data routing information exists among the plurality of pre-stored pieces of second data routing information, it determines that the data routing information carried in the data access request is the data routing information corresponding to the target access data the client wants to access. Based on the timestamp information carried in the data access request, it then sends a permission authentication request for the client to the third-party server, so that the third-party server performs authentication verification on the client based on the permission authentication request. The permission authentication request is obtained by concatenating a derived signature key and the timestamp information.
When the third-party server performs authentication verification on the client based on the permission authentication request, it first verifies whether timestamp information exists in the permission authentication request from the cloud server. That is, it first splits the permission authentication request into the derived signature key and the timestamp information; if the third-party server can parse the timestamp information from the permission authentication request, it determines that the data access request was initiated by an authorized client.
Further, the third-party server parses the second signature parameter information and the algorithm identifier of the preset signature algorithm from the derived signature key obtained by splitting, then parses the first signature parameter information and the security identifier from the second signature parameter information, and finally parses, from the first signature parameter information, the string-concatenated timestamp information, version identifier of the preset signature algorithm and security key. The security identifier and the security key represent the identity information of the client.
The third-party server also needs to authenticate the timestamp information parsed from the permission authentication request. If the time difference between the timestamp information parsed from the permission authentication request and the timestamp information that the third-party server sent to the client is within a preset range, the permission authentication request is determined to be within its validity period. The third-party server then continues by authenticating the security identifier and security key in the permission authentication request and generates the corresponding authentication verification result: if the identity information obtained from the security identifier and security key in the permission authentication request is consistent with the identity information of the client that initiated the data access request, it generates an authentication-passed result.
S106: if the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes, performing security verification, based on the first message data, on the data transmission channel used to transmit the target access data.
Specifically, if the authentication verification result generated by the third-party server for the permission authentication request is that authentication fails (that is, any one of the following checks fails: whether timestamp information exists in the permission authentication request, whether the permission authentication request is within its validity period, and verification of the security identifier and security key in the permission authentication request), the third-party server sends an indication that authentication failed to the cloud server, so that the cloud server intercepts the data access request and applies security protection to the target access data to be accessed.
If the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes (i.e., the timestamp information check and the verification of the security identifier and security key in the permission authentication request all pass), the third-party server sends an indication that authentication passed to the cloud server, so that the cloud server performs security verification, based on the first message data, on the data transmission channel used to transmit the target access data.
The first message data may be default message data, or a small part of the target access data (the size of this part is smaller than a preset threshold). The cloud server sends the first message data to the client and receives the second message data that the client returns based on the first message data.
S108: if the security verification result of the data transmission channel is that verification passes, transmitting the target access data to the client through the data transmission channel.
Specifically, the data transmission channel is one of the data transmission channels between the client and the cloud server. To improve data transmission efficiency, the cloud server sets up a plurality of application program ports for a given client. There is a mapping relationship between the application program ports and the target access data, and a mapping relationship between the target access data and the first data routing information, so the first data routing information and the application program ports are also mapped to each other. Based on this mapping relationship, the target application program port corresponding to the target data routing information is determined first, and the data transmission channel between the target application program port and the client is the data transmission channel used to transmit the target access data.
The cloud server then verifies the security of the data transmission channel. If the first message data is the same as the second message data, verification passes and the target access data is transmitted to the client through the data transmission channel. If the first message data differs from the second message data, verification fails, the data access request is intercepted, and security protection is applied to the target access data to be accessed.
In the embodiment provided by the invention, after receiving the data access request of the client, the cloud server performs, in sequence, data routing information matching, permission authentication of the client, and security verification of the data transmission channel, and transmits the corresponding target access data to the client only when all of these checks pass. In the application scenario where client data is encrypted by the third-party server and stored in the cloud server, adding multiple verification mechanisms ensures the security of the data the client is currently requesting to access and improves the security of the subsequent data access process.
Further, to improve the accuracy of data routing information matching, after the data access request of the client is received in step S102, the method specifically includes:
acquiring a plurality of pieces of second data routing information stored in advance for the client, where the second data routing information includes the data routing information allocated for the user-related data that the client requested to store through the third-party server, and the authorization routing information of other data for which other clients have granted this client access rights;
judging whether the plurality of pieces of second data routing information include the first data routing information;
if the judgment result is that it is included, determining that target data routing information matching the first data routing information exists among the plurality of pre-stored pieces of second data routing information;
if the judgment result is that it is not included, judging whether the first data routing information is sub-routing information of some piece of second data routing information;
if the judgment result is that it is, determining that target data routing information matching the first data routing information exists among the plurality of pre-stored pieces of second data routing information.
Specifically, the cloud server first acquires the plurality of pieces of second data routing information stored in advance for the client, where the second data routing information includes the data routing information allocated for the user-related data that the client requested to store through the third-party server, and the authorization routing information of other data for which other clients have granted this client access rights. It then judges whether the plurality of pieces of second data routing information include the first data routing information carried in the data access request.
If the judgment result is that it is included, the cloud server determines that target data routing information matching the first data routing information exists among the plurality of pre-stored pieces of second data routing information, and sends a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request.
If the judgment result is that it is not included, the cloud server judges whether the first data routing information is sub-routing information of some piece of second data routing information. If it is, the first data routing information is not identical to any piece of second data routing information but is sub-routing information of one of them; target data routing information matching the first data routing information is then considered to exist, and the cloud server sends a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request.
If it is not, the data routing information carried in the data access request initiated by the client is neither identical to any piece of second data routing information nor sub-routing information of any of them. The target access data the client wants to access is then at risk, so the cloud server needs to intercept the data access request and apply security protection to the target access data to be accessed.
In the embodiment of the invention, data routing information matching considers not only the data routing information of the data the client itself requested to store, but also the data routing information of data for which other clients have granted the current client access rights, and additionally judges whether the first data routing information is sub-routing information of some piece of second data routing information. This improves the accuracy of data routing information matching and thus the accuracy of handling the data access request.
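The two-stage match described above (exact match first, then the sub-routing check) can be sketched as follows. This is an added example, not code from the patent: the patent does not define the format of data routing information, so slash-separated paths, the function name `match_route` and the sample routes are assumptions. The sub-route test is done on whole segments because a plain string-prefix test would also accept a sibling route that merely starts with the same characters.

```python
from typing import Iterable, Optional, Tuple

# Constructed sample data (hypothetical): routes the cloud server has stored
# for one client, i.e. its own routes plus a route another client authorized.
SECOND_ROUTES = [
    "/client-a/photos",
    "/client-a/docs/2021",
    "/client-b/shared/reports",   # authorization routing information
]


def _segments(route: str) -> Optional[Tuple[str, ...]]:
    """Split a route into segments; refuse empty or traversal segments."""
    if not route.startswith("/"):
        return None
    parts = route.strip("/").split("/")
    # "", "." and ".." would let two different strings name the same
    # storage location, so such routes are never matched.
    if any(p in ("", ".", "..") for p in parts):
        return None
    return tuple(parts)


def match_route(first_route: str, second_routes: Iterable[str]) -> Optional[str]:
    """Return the target data routing information, or None to intercept.

    Stage 1: the first routing information equals a stored route.
    Stage 2: it is sub-routing information of a stored route, compared
             segment by segment; the most specific parent wins.
    """
    first = _segments(first_route)
    if first is None:
        return None
    parents = []
    for candidate in second_routes:
        cand = _segments(candidate)
        if cand is None:
            continue
        if cand == first:
            return candidate                       # stage 1: exact match
        if len(cand) < len(first) and first[:len(cand)] == cand:
            parents.append((len(cand), candidate))  # stage 2 candidate
    if not parents:
        return None                                # no match: intercept
    return max(parents)[1]


if __name__ == "__main__":
    for requested in ("/client-a/photos",
                      "/client-a/docs/2021/q3.bin",
                      "/client-a/photos-private",
                      "/client-a/photos/../docs",
                      "/client-b/shared"):
        target = match_route(requested, SECOND_ROUTES)
        action = f"authenticate via {target}" if target else "intercept"
        print(f"{requested!r}: {action}")
```

A request for the parent of an authorized route (`/client-b/shared`) is intercepted: being granted a sub-route does not grant the route above it.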
Further, in order to improve accuracy of authentication verification for the client in the process of authority authentication processing for the client, so as to further ensure security of data currently requested to be accessed by the client, in S104, based on the timestamp information and the target data routing information, the authority authentication request for the client is sent to a third party server, which specifically includes:
transmitting the time stamp information to a trusted storage area corresponding to the target data routing information; the trusted storage area stores identity related information and a preset signature algorithm, wherein the identity related information comprises: a security identifier and a security key allocated to the user in the user registration stage;
In the trusted storage area, carrying out signature processing on the timestamp information, the security identifier and the security key by using a preset signature algorithm, and generating an authority authentication request aiming at the client;
and sending the permission authentication request to the third party server.
The trusted storage area is constructed by the cloud server within its own storage area, and the cloud server stores the identity related information of the client in this trusted storage area to keep that information safe. Specifically, when constructing a trusted storage area, the cloud server calls an application program port and acquires a temporary token of that port, creates an enclave container containing the temporary token in the memory of the cloud server, and generates an access interface of the enclave container. The enclave container divides the memory of the cloud server into a trusted storage area and an untrusted storage area: the trusted storage area is the memory area contained in the enclave container, and the untrusted storage area is the memory area outside the enclave container. The access interface bridges the trusted storage area and the untrusted storage area. The trusted storage area stores the identity related information of the client, the preset signature algorithm, and, for the application program corresponding to the application program port, privacy data related to the application program, data that the application program requests to protect, and the like.
Specifically, the cloud server calls an application program port to transmit timestamp information in the received data access request to a trusted storage area corresponding to the target data routing information; the trusted storage area stores identity related information and a preset signature algorithm, wherein the identity related information comprises: the cloud server distributes a security identifier and a security key for the user in the user registration stage; in the trusted storage area, signature processing is carried out on the timestamp information, the security identifier and the security key by using a preset signature algorithm, a permission authentication request aiming at the client is generated, and the permission authentication request is sent to a third party server, so that the third party server carries out authentication and verification processing on the client based on the permission authentication request.
In the generation process of the permission authentication request in the cloud server, signature processing is performed on the timestamp information, the security identifier and the security key by using a preset signature algorithm in a trusted storage area of the cloud server, so as to generate the permission authentication request for the client, which specifically comprises the following steps: in a trusted storage area of the cloud server, performing character string connection processing on a version identifier of a preset signature algorithm and a security key to obtain a processed security key; carrying out signature processing on the timestamp information and the processed security key by using a preset signature algorithm to obtain first signature parameter information; carrying out signature processing on the first signature parameter information and the security identifier by using a preset signature algorithm to obtain second signature parameter information; carrying out signature processing on the second signature parameter information and an algorithm identifier of the preset signature algorithm by using the preset signature algorithm to generate a derivative signature key; splicing the derivative signature key and the timestamp information to generate an authority authentication request aiming at the client; the algorithm identification of the preset signature algorithm is different from the version identification of the preset signature algorithm, the algorithm identification of the preset signature algorithm is in one-to-one correspondence with the preset signature algorithm, and different versions of the algorithm identification of each preset signature algorithm correspond to different version identifications of the preset signature algorithm.
In the embodiment of the invention, aiming at the authority authentication processing process of the client, a series of processing is carried out on the time stamp information, the security identifier in the identity related information and the security key in the trusted storage area by introducing the identity related information and the preset signature algorithm, so as to generate an authority authentication request, and then the third party server is triggered to carry out the authentication processing based on the authority authentication request, thus the accuracy of the authentication verification of the client can be improved, and the security of the data currently requested to be accessed by the client is further ensured.
Further, after the third party server's authentication of the authority authentication request passes, the cloud server may transmit the target access data to the client through the data transmission channel. To ensure the security of the data during transmission, the data transmission channel needs to undergo security verification, so that data transmitted in the channel cannot be intercepted or tampered with. Based on this, performing security verification on the data transmission channel for transmitting the target access data based on the first message data specifically includes:
transmitting the first message data to the client through a data transmission channel corresponding to the target data routing information;
Receiving second message data returned by the client based on the first message data;
if the first message data is consistent with the second message data, determining that the security verification result aiming at the data transmission channel is verification passing.
Specifically, in the process that the client encrypts and stores the user related data to the cloud server through the third party server in advance, the third party server generates at least one pair of public and private key pairs for the user related data corresponding to each client, and simultaneously sends the public and private key pairs to the client and the trusted storage area for storing the user related data in the cloud server, so that the client can decrypt the user related data based on the public and private key pairs, and further obtain decrypted user related data.
Specifically, to verify the security of the data transmission channel, the cloud server first sends first message data to the client through the data transmission channel corresponding to the target data routing information. The client decrypts the first message data using the public-private key pair and sends the decrypted second message data back to the cloud server through the same data transmission channel. After receiving the second message data returned by the client based on the first message data, the cloud server compares it with the first message data. If the first message data is consistent with the second message data, the security verification result for the data transmission channel is determined to be verification passed, and the cloud server can transmit the target access data to the client through the data transmission channel. If the first message data is inconsistent with the second message data, or the cloud server does not receive the second message data returned by the client within a preset time, the security verification result for the data transmission channel is determined to be verification failed; the cloud server then intercepts the received data access request and performs security protection processing on the target access data to be accessed by the client.
In the embodiment of the invention, aiming at the data transmission process, the cloud server firstly transmits the first message data to the client, if the first message data is consistent with the second message data returned by the client based on the first message data, the data is ensured not to be intercepted or tampered in the transmission process, the safety of a data transmission channel is ensured, the corresponding target access data is transmitted to the client, and the safety of the data currently requested to be accessed by the client is further ensured.
In view of ensuring the security of data in the data access process, the cloud server needs to intercept the data access request and perform security protection processing on the data to be accessed by the client when any one of the data routing information matching, the authority authentication processing of the client, and the security verification of the data transmission channel fails, and based on this, the data access method further includes:
if any one of the data routing information matching, the authority authentication processing of the client and the security verification of the data transmission channel fails, intercepting the data access request; and performing security protection processing on the target access data, wherein the security protection processing comprises: at least one of data transfer, data deletion, data backup and security early warning.
The security protection processing for the target access data specifically includes: storing the target access data in a backup storage subarea reserved in the trusted storage area corresponding to the target data routing information; deleting the target access data from its original storage subarea in the trusted storage area corresponding to the target data routing information; and updating the address information of the backup storage subarea based on the address information of the original storage subarea.
Specifically, the cloud server may be divided into a plurality of storage areas, each storage area is a trusted storage area and is used for storing user related data of a certain client (for example, data of a certain driver, or data of a certain storage initiator, etc.), further, each storage area corresponds to at least two storage subareas, one storage subarea (original storage subarea) is used for storing user original data, the other storage subarea (backup storage subarea) is used for storing backup data of the user original data, and when sending public and private key pairs to the cloud server, the third party server respectively sends a pair of public and private key pairs for each storage subarea.
Specifically, when the cloud server performs security protection processing on the target access data, it stores the target access data in the backup storage subarea reserved in the trusted storage area corresponding to the target data routing information, deletes the target access data from its original storage subarea in that trusted storage area, and then updates the address information of the backup storage subarea based on the address information of the original storage subarea.
Further, data transfer evidence can be generated for the process of transferring the data from the original storage subarea to the backup storage subarea, so that the client can judge, based on this evidence, whether all the data was transferred correctly. Specifically, while the cloud server transfers the data, the third party server sends the cloud server a new public-private key pair for the transferred data, and the transferred data is encrypted with a new encryption algorithm (the data can be decrypted only with the new decryption rule, and re-encryption is performed each time the data is transferred). The newly generated public-private key pair is used to update the public-private key pairs originally stored in the original storage subarea and the backup storage subarea. After all the data has been transferred, the cloud server first checks the correctness of the data and then sends the new public-private key pair to the client through the data transmission channel corresponding to the target data routing information, so that the client can use the new public-private key pair to decrypt the data stored in the new storage subarea (namely the backup storage subarea).
In the embodiment of the invention, after receiving the data access request of the client, the cloud server sequentially performs data routing information matching, authority authentication processing of the client and security verification of the data transmission channel on the data access request, and transmits the corresponding target access data to the client only if all of these verifications pass; if any verification fails, security protection processing is performed on the data. In this way, in an application scenario where client data is encrypted by the third party server and stored on the cloud server, adding multiple verification mechanisms improves the security of the subsequent data access process and ensures the security of the data the client is currently requesting to access.
Fig. 2 is a schematic diagram of an application scenario of the data access method provided by an embodiment of the present invention, including: a client, a third party server and a cloud server. For the data storage process, whether the client encrypts the user data and then uploads it to the cloud server, or the client uploads the data and the cloud server encrypts it afterwards, the encryption process is opaque to the other party and is complex and unsafe, so the data stored in the cloud server carries potential security risks. Therefore, a third party server is introduced to encrypt the data: the encryption is carried out neither on the client nor on the cloud server, the whole encryption process is transparent to the client, and differentiated encryption can be provided for different cloud servers, which makes the data stored in the cloud server safer. Specifically, the cloud server receives a data upload request of the client; the data to be uploaded by the client is encrypted according to the encryption rule set in advance for the cloud server and the encryption key corresponding to that rule; and the encrypted data is stored on the cloud server, that is, the data is stored in advance for the client to access later.
In a specific embodiment, a specific flow for implementing the data access method according to the present invention based on the application scenario is provided, as shown in fig. 3, and a specific implementation process for implementing the data access method in the application scenario of three-party interaction shown in fig. 2 is as follows:
S302, the cloud server receives a data access request of a client; the data access request carries time stamp information and first data routing information corresponding to target access data;
S304, the cloud server judges whether target data routing information matched with the first data routing information exists in the prestored multiple second data routing information;
if yes, S306 is executed: the cloud server sends a permission authentication request for the client to the third party server based on the timestamp information and the target data routing information;
if not, S308 is executed: the cloud server intercepts the data access request and performs security protection processing on the target access data;
S310, the third party server performs authentication verification processing on the client based on the authority authentication request and generates a corresponding authentication verification result;
S312, the third party server judges whether the authentication result is a pass;
if yes, the third party server sends the authentication-passed result to the cloud server and S314 is executed: the cloud server performs security verification on the data transmission channel for transmitting the target access data based on the first message data;
if not, the third party server sends the authentication-failed result to the cloud server and the flow returns to S308: the cloud server intercepts the data access request and performs security protection processing on the target access data;
S316, the cloud server judges whether the security verification result of the data transmission channel is a pass;
if yes, S318 is executed: the cloud server transmits the target access data to the client through the data transmission channel;
if not, the flow returns to S308: the cloud server intercepts the data access request and performs security protection processing on the target access data.
To further improve the security of the user related data stored in the cloud server, the present invention further provides a cloud network tenant data security management platform in the cloud server (i.e. a data security management platform developed for clients registered in the cloud server and used for protecting the user related data). As shown in fig. 4, the platform covers the processes of data acquisition, data storage, data transmission, data use, data sharing and data destruction: the cloud server needs to classify and grade the data and identify sensitive data when acquiring the data; and the cloud server can conduct abnormal behavior analysis and safety time monitoring on the data stored in the cloud server, further ensuring the safety of the user related data stored in the cloud server.
The data access method in the embodiment of the invention comprises the following steps: receiving a data access request of a client; the data access request carries time stamp information and first data routing information corresponding to target access data, wherein the target access data is obtained by encrypting user related data through a third-party server in advance by a client side and storing the encrypted user related data to a cloud server; if target data routing information matched with the first data routing information exists in the prestored plurality of second data routing information, sending a right authentication request aiming at the client to the third party server based on the timestamp information and the target data routing information so as to enable the third party server to carry out authentication and verification processing on the client based on the right authentication request; if the authentication verification result generated by the third party server aiming at the authority authentication request is that the authentication passes, carrying out security verification on a data transmission channel for transmitting the target access data based on the first message data; and if the security verification result of the data transmission channel is that the verification is passed, transmitting the target access data to the client through the data transmission channel. 
In the embodiment of the invention, after receiving the data access request of the client, the cloud server sequentially performs data routing information matching, authority authentication processing of the client and security verification of the data transmission channel on the data access request, and transmits the corresponding target access data to the client only if all of these verifications pass. In this way, in an application scenario where client data is encrypted by the third party server and stored on the cloud server, adding multiple verification mechanisms improves the security of the subsequent data access process and ensures the security of the data the client is currently requesting to access.
According to the data access method provided by the foregoing embodiment, based on the same technical concept, the embodiment of the present invention further provides a data access device, and fig. 5 is a schematic block diagram of the data access device provided by the embodiment of the present invention, where the data access device is used to execute the data access method described in fig. 1 to 4, and as shown in fig. 5, the data access device includes:
a receiving module 502, configured to receive a data access request of a client; the data access request carries time stamp information and first data routing information corresponding to target access data, wherein the target access data is obtained by encrypting user related data through a third-party server in advance by the client and storing the encrypted user related data to the cloud server;
a permission request sending module 504, configured to send a permission authentication request for the client to the third party server based on the timestamp information and the target data routing information if there is target data routing information matched with the first data routing information in the prestored multiple second data routing information, so that the third party server performs authentication verification processing on the client based on the permission authentication request;
The security verification module 506 is configured to perform security verification on a data transmission channel for transmitting the target access data based on the first message data if the authentication verification result generated by the third party server for the permission authentication request is that authentication passes;
and the data transmission module 508 is configured to transmit the target access data to the client through the data transmission channel if the security verification result of the data transmission channel is that the verification is passed.
In the embodiment of the invention, after receiving the data access request of the client, the cloud server sequentially performs data routing information matching, authority authentication processing of the client and security verification of the data transmission channel on the data access request, and transmits the corresponding target access data to the client only if all of these verifications pass. In this way, in an application scenario where client data is encrypted by the third party server and stored on the cloud server, adding multiple verification mechanisms improves the security of the subsequent data access process and ensures the security of the data the client is currently requesting to access.
Optionally, in one embodiment of the present invention, the data access device further includes:
a route information acquisition module, configured to acquire a plurality of second data routing information stored in advance for the client; wherein the second data routing information includes: data routing information allocated to the user related data that the client requested to store through the third-party server, and authorization routing information of other data to which other clients have granted the client access rights;
a judging module, configured to judge whether the plurality of second data routing information includes the first data routing information;
if the judgment result is that it is included, determining that target data routing information matched with the first data routing information exists in the prestored plurality of second data routing information;
if the judgment result is that it is not included, judging whether the first data routing information belongs to the sub-routing information of a certain second data routing information;
and if the judgment result is that it belongs, determining that target data routing information matched with the first data routing information exists in the prestored plurality of second data routing information.
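The two-stage route check performed by the judging module (exact match first, then sub-route), as an added example that is not code from the patent. The patent does not define the route syntax, so slash-separated hierarchical routes, the sample routes and the function names are assumptions; the point illustrated is that a sub-route test has to compare whole segments and reject traversal segments, not compare raw string prefixes.

```python
# Added illustration. Route syntax ("/a/b/c") and all sample routes are
# assumptions; the patent only speaks of routes and "sub-routing information".
from typing import Iterable, Optional, Tuple

# Constructed sample: routes the client stored itself plus one route that
# another client authorized it to access (the "second data routing information").
SECOND_ROUTES = [
    "/tenant-a/drive",
    "/tenant-a/drive/archive",
    "/tenant-b/shared/reports",
]


def normalize_route(route: str) -> Optional[Tuple[str, ...]]:
    """Split a route into segments, or return None if it is malformed."""
    if not isinstance(route, str) or not route.startswith("/") or "\x00" in route:
        return None
    # Empty segments ("//", trailing "/") are dropped.
    segments = tuple(seg for seg in route.split("/") if seg)
    # Traversal segments are rejected outright instead of being resolved.
    if not segments or any(seg in (".", "..") for seg in segments):
        return None
    return segments


def match_route(first_route: str, second_routes: Iterable[str]) -> Optional[str]:
    """Return the target data routing information, or None if nothing matches."""
    requested = normalize_route(first_route)
    if requested is None:
        return None
    stored = [(normalize_route(raw), raw) for raw in second_routes]
    stored = [(segs, raw) for segs, raw in stored if segs is not None]

    # Stage 1: is the first route itself one of the second routes?
    for segs, raw in stored:
        if segs == requested:
            return raw

    # Stage 2: is the first route a sub-route of a second route?
    # Segment-wise comparison keeps "/tenant-a/drive-evil" from matching
    # the stored route "/tenant-a/drive".
    parents = [
        (segs, raw)
        for segs, raw in stored
        if len(requested) > len(segs) and requested[: len(segs)] == segs
    ]
    if not parents:
        return None
    # Prefer the most specific (longest) parent route.
    return max(parents, key=lambda item: len(item[0]))[1]


def gate_request(first_route: str, second_routes: Iterable[str]) -> str:
    """No match means the request is intercepted; a match moves on to authentication."""
    target = match_route(first_route, second_routes)
    return "intercept" if target is None else "authenticate:" + target
```

A request for a parent of an authorized route (for example `/tenant-b/shared` when only `/tenant-b/shared/reports` is stored) is intercepted, because only sub-routes of a stored route qualify.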
Optionally, in an embodiment of the present invention, the permission request sending module 504 is specifically configured to:
Transmitting the time stamp information to a trusted storage area corresponding to the target data routing information; the trusted storage area stores identity related information and a preset signature algorithm, and the identity related information comprises: a security identifier and a security key allocated to the user in the user registration stage;
in the trusted storage area, signature processing is carried out on the timestamp information, the security identifier and the security key by using the preset signature algorithm, and a permission authentication request aiming at the client is generated;
and sending the permission authentication request to the third party server.
Optionally, in an embodiment of the present invention, the permission request sending module 504 is further specifically configured to:
in the trusted storage area, carrying out character string connection processing on the version identifier of the preset signature algorithm and the security key to obtain a processed security key; and
carrying out signature processing on the timestamp information and the processed security key by using the preset signature algorithm to obtain first signature parameter information;
carrying out signature processing on the first signature parameter information and the security identifier by using the preset signature algorithm to obtain second signature parameter information;
Carrying out signature processing on the second signature parameter information and the algorithm identification of the preset signature algorithm by using the preset signature algorithm to generate a derivative signature key;
and performing splicing processing on the derivative signature key and the timestamp information to generate an authority authentication request aiming at the client.
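The signature chain described in the method section and repeated here for module 504, as an added example that is not code from the patent. HMAC-SHA256 stands in for the unspecified "preset signature algorithm"; the identifiers, the sample key, the `signature.timestamp` layout, and the third party server recomputing the chain with a freshness window are all assumptions.

```python
# Added illustration. HMAC-SHA256 is an assumed stand-in for the patent's
# "preset signature algorithm"; every constant below is a constructed sample.
import hashlib
import hmac

ALGORITHM_ID = "HMAC-SHA256"   # hypothetical algorithm identifier
VERSION_ID = "V1"              # hypothetical version identifier
MAX_SKEW_SECONDS = 300         # hypothetical freshness window at the verifier

SAMPLE_SECURITY_ID = "client-0001"            # constructed security identifier
SAMPLE_SECURITY_KEY = "constructed-demo-key"  # constructed security key


def sign(key: bytes, message: str) -> bytes:
    """One 'signature processing' step: keyed MAC over the message."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()


def derive_signature_key(timestamp: str, security_id: str, security_key: str) -> bytes:
    """Run the four-step chain from the description."""
    # Step 1: string-concatenate the version identifier and the security key.
    processed_key = (VERSION_ID + security_key).encode("utf-8")
    # Step 2: sign the timestamp with the processed key.
    first_param = sign(processed_key, timestamp)
    # Step 3: sign the security identifier with the first parameter.
    second_param = sign(first_param, security_id)
    # Step 4: sign the algorithm identifier to get the derivative signature key.
    return sign(second_param, ALGORITHM_ID)


def build_auth_request(timestamp: str, security_id: str, security_key: str) -> str:
    """Splice the derivative signature key and the timestamp (layout assumed)."""
    derived = derive_signature_key(timestamp, security_id, security_key)
    return derived.hex() + "." + timestamp


def verify_auth_request(request: str, security_id: str, security_key: str, now: int) -> bool:
    """Assumed verifier side: recompute the chain and check freshness."""
    sig_hex, sep, timestamp = request.partition(".")
    if not sep or not (timestamp.isascii() and timestamp.isdigit()):
        return False
    # Reject stale or future-dated requests so a captured one cannot be replayed later.
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False
    try:
        presented = bytes.fromhex(sig_hex)
    except ValueError:
        return False
    expected = derive_signature_key(timestamp, security_id, security_key)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(presented, expected)
```

Because the timestamp is the first input of the chain, changing the spliced timestamp invalidates the signature, and the freshness window bounds how long a captured request stays usable.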
Optionally, in one embodiment of the present invention, the security verification module 506 is specifically configured to:
transmitting first message data to the client through a data transmission channel corresponding to the target data routing information;
receiving second message data returned by the client based on the first message data;
and if the first message data is consistent with the second message data, determining that the security verification result aiming at the data transmission channel is verification passing.
Optionally, in an embodiment of the present invention, the data access device 508 further includes:
an interception module, configured to intercept the data access request if any one of the data routing information matching, the authority authentication processing of the client and the security verification of the data transmission channel fails; and
a security protection module, configured to perform security protection processing on the target access data, where the security protection processing includes: at least one of data transfer, data deletion, data backup and security early warning.
Optionally, in one embodiment of the present invention, the security protection module is specifically configured to:
storing the target access data in a backup storage subarea reserved in the trusted storage area corresponding to the target data routing information; and
deleting the target access data from its original storage subarea in the trusted storage area corresponding to the target data routing information;
updating the address information of the backup storage subarea based on the address information of the original storage subarea.
The data access device in the embodiment of the invention receives the data access request of the client; the data access request carries time stamp information and first data routing information corresponding to target access data, wherein the target access data is obtained by encrypting user related data through a third-party server in advance by a client side and storing the encrypted user related data to a cloud server; if target data routing information matched with the first data routing information exists in the prestored plurality of second data routing information, sending a right authentication request aiming at the client to the third party server based on the timestamp information and the target data routing information so as to enable the third party server to carry out authentication and verification processing on the client based on the right authentication request; if the authentication verification result generated by the third party server aiming at the authority authentication request is that the authentication passes, carrying out security verification on a data transmission channel for transmitting the target access data based on the first message data; and if the security verification result of the data transmission channel is that the verification is passed, transmitting the target access data to the client through the data transmission channel. 
In the embodiment of the invention, after receiving the data access request of the client, the cloud server sequentially performs data routing information matching, authority authentication processing of the client and security verification of the data transmission channel on the data access request, and transmits the corresponding target access data to the client only if all of these verifications pass. In this way, in an application scenario where client data is encrypted by the third party server and stored on the cloud server, adding multiple verification mechanisms improves the security of the subsequent data access process and ensures the security of the data the client is currently requesting to access.
The data access device provided by the embodiment of the invention can realize each process in the embodiment corresponding to the data access method, and in order to avoid repetition, the description is omitted here.
It should be noted that the data access device provided by the embodiment of the present invention and the data access method provided by the embodiment of the present invention are based on the same inventive concept, so the specific implementation of this embodiment may refer to the implementation of the foregoing data access method, and repeated details are not described again.
According to the data access method provided by the above embodiment, based on the same technical concept, the embodiment of the present invention further provides a computer device, where the device is configured to execute the data access method, and fig. 6 is a schematic structural diagram of a computer device implementing each embodiment of the present invention, as shown in fig. 6. The computer devices may vary considerably in configuration or performance and may include one or more processors 601 and memory 602, where the memory 602 may store one or more stored applications or data. Wherein the memory 602 may be transient storage or persistent storage. The application programs stored in the memory 602 may include one or more modules (not shown) each of which may include a series of computer executable instructions for use in a computer device. Still further, the processor 601 may be arranged to communicate with the memory 602 and execute a series of computer executable instructions in the memory 602 on a computer device. The computer device may also include one or more power supplies 603, one or more wired or wireless network interfaces 604, one or more input/output interfaces 605, and one or more keyboards 606.
In this embodiment, the computer device includes a processor, a communication interface, a memory, and a communication bus; the processor, the communication interface and the memory communicate with each other through the bus; the memory is used for storing a computer program; the processor is used for executing the program stored in the memory to implement the following method steps:
receiving a data access request of a client; the data access request carries timestamp information and first data routing information corresponding to target access data, wherein the target access data is obtained by the client encrypting user-related data in advance through a third-party server and storing the encrypted user-related data on the cloud server;
if target data routing information matching the first data routing information exists among a plurality of pre-stored second data routing information, sending a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request;
if the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes, performing security verification, based on first message data, on a data transmission channel for transmitting the target access data;
and if the security verification result of the data transmission channel is that verification passes, transmitting the target access data to the client through the data transmission channel.
According to the computer device provided by the embodiment of the invention, after receiving the data access request of the client, the cloud server sequentially performs data routing information matching, permission authentication of the client, and security verification of the data transmission channel on the data access request, and transmits the corresponding target access data to the client only if all of these checks pass. In an application scenario in which client data is encrypted by the third-party server and stored on the cloud server, adding these multiple verification mechanisms improves the security of the subsequent data access process and ensures the security of the data the client is currently requesting to access.
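An added illustration of the ordered checks described above, which release data only when every check passes (this is not code from the patent): route matching including the sub-route case of claim 2, permission authentication, then the message echo of claim 5. Slash-delimited routes, a random first message, rejecting a request with no matching route, and the callback names `authenticate`, `echo`, `fetch` and `protect` are assumptions.

```python
import hmac
import secrets
from typing import Callable, Iterable, List, Optional, Tuple


def _segments(route: str) -> Optional[List[str]]:
    """Split a route into path segments; reject empty or dot-segment routes."""
    parts = [p for p in route.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        return None
    return parts


def match_route(first: str, second_routes: Iterable[str]) -> Optional[str]:
    """Return the stored (second) route covering `first`, or None.

    Covers both cases: `first` equals a stored route, or is a sub-route of
    one. Whole segments are compared, so "/u/alice" covers "/u/alice/photos"
    but not "/u/alice2", which a plain startswith() would accept.
    """
    want = _segments(first)
    if want is None:
        return None
    best: Optional[Tuple[str, int]] = None
    for route in second_routes:
        have = _segments(route)
        if have is not None and want[:len(have)] == have:
            if best is None or len(have) > best[1]:
                best = (route, len(have))   # prefer the most specific route
    return best[0] if best else None


def handle_access(
    first_route: str,
    timestamp: str,
    second_routes: Iterable[str],
    authenticate: Callable[[str, str], bool],   # third-party server verdict
    echo: Callable[[str, bytes], bytes],        # client's reply on the channel
    fetch: Callable[[str], bytes],              # reads the target access data
    protect: Callable[[str], None],             # protective handling (claim 6)
) -> Tuple[str, Optional[bytes]]:
    """Run the three checks in order; release data only if all pass."""
    target = match_route(first_route, second_routes)
    if target is None:
        return ("rejected: no matching route", None)

    if not authenticate(timestamp, target):
        protect(target)
        return ("intercepted: authentication failed", None)

    first_msg = secrets.token_bytes(16)         # assumed: fresh random value
    second_msg = echo(target, first_msg)
    if not isinstance(second_msg, bytes) or not hmac.compare_digest(first_msg, second_msg):
        protect(target)
        return ("intercepted: channel verification failed", None)

    return ("ok", fetch(first_route))


if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    routes = ["/u/alice", "/shared/bob/report"]
    flagged: List[str] = []
    print(handle_access(
        "/u/alice/photos/1", "1700000000", routes,
        authenticate=lambda ts, r: True,
        echo=lambda r, m: m,
        fetch=lambda r: b"ciphertext",
        protect=flagged.append,
    ), flagged)
```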
The computer device provided by the embodiment of the present invention can implement each process in the embodiment corresponding to the data access method; to avoid repetition, a detailed description is omitted here.
It should be noted that the computer device provided by the embodiment of the present invention and the data access method provided by the embodiment of the present invention are based on the same inventive concept, so the specific implementation of this embodiment may refer to the implementation of the foregoing data access method, and repeated details are omitted.
Based on the same technical concept as the data access method provided by the above embodiment, the embodiment of the present invention further provides a computer-readable storage medium in which a computer program is stored; when the computer program is executed by a processor, the following method steps are implemented:
receiving a data access request of a client; the data access request carries timestamp information and first data routing information corresponding to target access data, wherein the target access data is obtained by the client encrypting user-related data in advance through a third-party server and storing the encrypted user-related data on the cloud server;
if target data routing information matching the first data routing information exists among a plurality of pre-stored second data routing information, sending a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request;
if the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes, performing security verification, based on first message data, on a data transmission channel for transmitting the target access data;
and if the security verification result of the data transmission channel is that verification passes, transmitting the target access data to the client through the data transmission channel.
According to the computer-readable storage medium in the embodiment of the invention, after receiving the data access request of the client, the cloud server sequentially performs data routing information matching, permission authentication of the client, and security verification of the data transmission channel on the data access request, and transmits the corresponding target access data to the client only if all of these checks pass. In an application scenario in which client data is encrypted by the third-party server and stored on the cloud server, adding these multiple verification mechanisms improves the security of the subsequent data access process and ensures the security of the data the client is currently requesting to access.
The computer-readable storage medium provided in the embodiment of the present invention can implement each process in the embodiment corresponding to the data access method; to avoid repetition, the description is omitted here.
It should be noted that the computer-readable storage medium provided by the embodiment of the present invention and the data access method provided by the embodiment of the present invention are based on the same inventive concept, so the implementation of this embodiment may refer to the implementation of the foregoing data access method, and repeated details are omitted.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM), and/or nonvolatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present invention and is not intended to limit the present invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the invention are to be included in the scope of the claims of the present invention.

Claims (10)

1. A data access method, applied to a cloud server, comprising:
receiving a data access request of a client; the data access request carries timestamp information and first data routing information corresponding to target access data, wherein the target access data is obtained by the client encrypting user-related data in advance through a third-party server and storing the encrypted user-related data on the cloud server;
if target data routing information matching the first data routing information exists among a plurality of pre-stored second data routing information, sending a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request;
if the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes, performing security verification, based on first message data, on a data transmission channel for transmitting the target access data;
and if the security verification result of the data transmission channel is that verification passes, transmitting the target access data to the client through the data transmission channel.
2. The method of claim 1, further comprising, after receiving the data access request of the client:
acquiring a plurality of second data routing information stored in advance for the client; wherein the second data routing information includes: data routing information allocated for the user-related data that the client requested to store through the third-party server, and authorization routing information of other data for which other clients have granted the client access rights;
judging whether the first data routing information is included in the plurality of second data routing information;
if the judgment result is that it is included, determining that target data routing information matching the first data routing information exists among the plurality of pre-stored second data routing information;
if the judgment result is that it is not included, judging whether the first data routing information is sub-routing information of one of the second data routing information;
and if the judgment result is that it is, determining that target data routing information matching the first data routing information exists among the plurality of pre-stored second data routing information.
3. The method of claim 1, wherein the sending a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information comprises:
transmitting the timestamp information to a trusted storage area corresponding to the target data routing information; the trusted storage area stores identity-related information and a preset signature algorithm, and the identity-related information comprises: a security identifier and a security key allocated to the user in the user registration stage;
in the trusted storage area, performing signature processing on the timestamp information, the security identifier and the security key by using the preset signature algorithm to generate a permission authentication request for the client;
and sending the permission authentication request to the third party server.
4. The method of claim 3, wherein the performing signature processing on the timestamp information, the security identifier and the security key in the trusted storage area by using the preset signature algorithm to generate a permission authentication request for the client comprises:
in the trusted storage area, performing string concatenation on the version identifier of the preset signature algorithm and the security key to obtain a processed security key; and
performing signature processing on the timestamp information and the processed security key by using the preset signature algorithm to obtain first signature parameter information;
performing signature processing on the first signature parameter information and the security identifier by using the preset signature algorithm to obtain second signature parameter information;
performing signature processing on the second signature parameter information and the algorithm identifier of the preset signature algorithm by using the preset signature algorithm to generate a derived signature key;
and splicing the derived signature key and the timestamp information to generate a permission authentication request for the client.
5. The method of claim 1, wherein the security verification of the data transmission channel for transmitting the target access data based on the first message data comprises:
transmitting first message data to the client through a data transmission channel corresponding to the target data routing information;
receiving second message data returned by the client based on the first message data;
and if the first message data is consistent with the second message data, determining that the security verification result aiming at the data transmission channel is verification passing.
6. The method according to claim 1, wherein the method further comprises:
if either of the authentication verification of the client and the security verification of the data transmission channel fails, intercepting the data access request; and
performing security protection processing on the target access data, wherein the security protection processing comprises at least one of: data transfer, data deletion, data backup and security early warning.
7. The method of claim 6, wherein the security protection process for the target access data comprises:
storing the target access data in a backup storage subarea reserved in the trusted storage area corresponding to the target data routing information; and
deleting the target access data from the original storage subarea of the target access data in the trusted storage area corresponding to the target data routing information;
updating the address information of the backup storage subarea based on the address information of the original storage subarea.
8. A data access device, comprising:
the receiving module is used for receiving a data access request of a client; the data access request carries timestamp information and first data routing information corresponding to target access data, wherein the target access data is obtained by the client encrypting user-related data in advance through a third-party server and storing the encrypted user-related data on the cloud server;
the permission request sending module is used for sending a permission authentication request for the client to the third-party server based on the timestamp information and the target data routing information if target data routing information matching the first data routing information exists among a plurality of pre-stored second data routing information, so that the third-party server performs authentication verification on the client based on the permission authentication request;
the security verification module is used for performing security verification, based on first message data, on a data transmission channel for transmitting the target access data if the authentication verification result generated by the third-party server for the permission authentication request is that authentication passes;
and the data transmission module is used for transmitting the target access data to the client through the data transmission channel if the security verification result of the data transmission channel is that verification passes.
9. A computer device comprising a processor, a communication interface, a memory, and a communication bus; the processor, the communication interface and the memory complete communication with each other through a bus; the memory is used for storing a computer program; the processor is configured to execute a program stored in the memory, and implement the data access method according to any one of claims 1 to 7.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the data access method according to any of claims 1-7.
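An added illustration of the key derivation chain in claims 3 and 4, together with the check a verifier would run on the resulting request (this is not code from the patent). HMAC-SHA256 as the preset signature algorithm, the identifier strings, the key and message order at each step, a timestamp in seconds, the `.` separator and the freshness window are assumptions.

```python
import hashlib
import hmac

VERSION_ID = "V1"              # assumed version identifier of the algorithm
ALGORITHM_ID = "HMAC-SHA256"   # assumed algorithm identifier
MAX_SKEW_SECONDS = 300         # assumed freshness window


def _sign(key: bytes, message: bytes) -> bytes:
    """One application of the preset signature algorithm (assumed HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def derive_signature_key(timestamp: str, security_id: str, security_key: str) -> bytes:
    """Follow the chain of claim 4 and return the derived signature key."""
    # Step 1: concatenate the version identifier with the security key.
    processed_key = (VERSION_ID + security_key).encode()
    # Step 2: sign the timestamp with the processed key.
    first_param = _sign(processed_key, timestamp.encode())
    # Step 3: sign the security identifier with the first parameter.
    second_param = _sign(first_param, security_id.encode())
    # Step 4: sign the algorithm identifier with the second parameter.
    return _sign(second_param, ALGORITHM_ID.encode())


def build_auth_request(timestamp: str, security_id: str, security_key: str) -> str:
    """Splice the derived key and the timestamp into one request string."""
    derived = derive_signature_key(timestamp, security_id, security_key)
    return derived.hex() + "." + timestamp


def verify_auth_request(request: str, security_id: str, security_key: str, now: int) -> bool:
    """Verifier side: recompute the chain from the stored identity data.

    `security_id` and `security_key` are the values issued at registration,
    which the verifier is assumed to look up for the requesting client.
    """
    sig_hex, sep, timestamp = request.partition(".")
    if not sep or len(timestamp) > 20:
        return False
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False                      # stale or future-dated request
    try:
        presented = bytes.fromhex(sig_hex)
    except ValueError:
        return False
    expected = derive_signature_key(timestamp, security_id, security_key)
    return hmac.compare_digest(presented, expected)   # constant-time compare


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    req = build_auth_request("1700000000", "sid-001", "s3cret")
    print(req)
    print(verify_auth_request(req, "sid-001", "s3cret", now=1700000100))
```

Because the request depends only on the timestamp and the stored identity data, it stays valid for the whole freshness window; a verifier that needs single use must also remember the timestamps it has accepted.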
CN202111352428.9A 2021-11-16 2021-11-16 Data access method and device Pending CN116136911A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111352428.9A CN116136911A (en) 2021-11-16 2021-11-16 Data access method and device

Publications (1)

Publication Number Publication Date
CN116136911A true CN116136911A (en) 2023-05-19

Family

ID=86334054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111352428.9A Pending CN116136911A (en) 2021-11-16 2021-11-16 Data access method and device

Country Status (1)

Country Link
CN (1) CN116136911A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116527401A (en) * 2023-06-30 2023-08-01 诚罡科技(天津)有限公司 Secure communication method and system of distributed data server
CN116527401B (en) * 2023-06-30 2023-09-01 诚罡科技(天津)有限公司 Secure communication method and system of distributed data server
CN117439823A (en) * 2023-12-20 2024-01-23 深圳市智安网络有限公司 Cloud data intelligent authority authentication safety protection method and system
CN117439823B (en) * 2023-12-20 2024-03-12 深圳市智安网络有限公司 Cloud data intelligent authority authentication safety protection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination