CN116418505A - Data processing method, system, computer device and storage medium


Publication number
CN116418505A
Authority
CN
China
Prior art keywords
key
data
encryption
management service
application system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310685410.3A
Other languages
Chinese (zh)
Inventor
王开存
沈晓平
孔海明
张锐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Jincheng Bank Ltd By Share Ltd
Original Assignee
Tianjin Jincheng Bank Ltd By Share Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the field of encryption and decryption, and discloses a data processing method, a system, a computer device and a storage medium. The method is applied to an application system and comprises the following steps: when the system is started, key data is acquired from a key management service and stored in a local key pool; if key update information sent by the key management service is received, a key update operation is requested from the key management service; when data is encrypted, a key is obtained from the locally stored key pool, the data to be encrypted is encrypted a first time with that key, the serial number of the key is added to the result of the first encryption, a second encryption is performed, and the result of the second encryption is stored in a database. The key management method and system realize flexible management of the key, and the key can be updated, so that stability and security are improved.

Description

Data processing method, system, computer device and storage medium
Technical Field
The present invention relates to the field of encryption and decryption, and in particular, to a data processing method, system, computer device, and storage medium.
Background
In the prior art, a fixed key cannot be replaced, which carries a certain risk. If a dynamic key is used instead, the encryption result is no longer unique, so it is not possible to confirm whether a given piece of data exists or to associate it with other data. In addition, developers may use interceptor tools to operate on the data in the database; encryption and decryption must then remain secure without affecting the operations that developers perform on the data through those interceptors.
Disclosure of Invention
In a first aspect, the present application provides a data processing method, applied to an application system, including:
when the system is started, acquiring key data from a key management service and storing it in a local key pool;
if key update information sent by the key management service is received, requesting a key update operation from the key management service;
when data is encrypted, obtaining a key from the locally stored key pool, encrypting the data to be encrypted a first time with the key, adding the serial number of the key to the result of the first encryption, performing a second encryption, and storing the result of the second encryption in a database.
Further, after the key update operation is requested from the key management service, the method further includes:
receiving an updated key sent from the key management service;
when the key in the key management service is updated, the application system sends an update request to the key management server and receives the latest key data of the key management service;
replacing the key data in the local key pool with the received latest key data.
Further, the method further comprises:
when decryption is carried out, obtaining encrypted data to be decrypted from the database;
reversing the second encryption to obtain a first ciphertext, and obtaining the serial number of the key from the first ciphertext;
obtaining the corresponding actual key from the key pool according to the serial number, and performing a second decryption with that key to obtain the decrypted data.
Further, before the encrypting, the method further comprises:
if the original data to be encrypted or decrypted is intercepted by the interceptor, cloning the original data and determining from the input parameters whether the plaintext is to be encrypted; where the input parameter is the Wrapper encapsulation class provided by MyBatis Plus and the original data is to be encrypted, attaching a to-be-encrypted tag to the original data and then encrypting the original data.
Further, the step of storing the encrypted result after the second encryption in a database includes:
performing a hash operation on the data to be encrypted to generate a corresponding hash field, wherein the hash field serves as a unique index of the encryption result and is stored in the database bound to the encryption result.
In a second aspect, the present application further provides a data processing method, applied to a key management service, including:
when a loading request from an application system is received, key data is sent to the application system;
and when receiving the update request of the application system, sending the latest key data to the application system.
Further, the method further comprises:
when the key in the key management service is updated, the key management service automatically backs up the updated key and encrypts the backed up key;
after the key updating is completed, the key management service broadcasts key updating information to an application system accessing the key management service.
In a third aspect, the present application further provides a data processing system, including an application system and a key management service:
the application system is used for acquiring key information from the key management service when the system is started;
if key update information sent by the key management service is received, the application system requests a key update operation from the key management service;
the application system is also used for obtaining a key from the locally stored key pool when data is encrypted, encrypting the data to be encrypted a first time with the key, adding the serial number of the key to the result of the first encryption, performing a second encryption, and storing the result of the second encryption in a database;
the key management service is used for sending a key list to the application system when receiving a loading request from the application system; and when the key management service receives the update request of the application system, the latest key is sent to the application system.
In a fourth aspect, the present application also provides a computer device comprising a processor and a memory, the memory storing a computer program which, when run on the processor, performs the data processing method.
In a fifth aspect, the present application also provides a readable storage medium storing a computer program which, when run on a processor, performs the data processing method.
The invention discloses a data processing method, a data processing system, a computer device and a storage medium. The method is applied to an application system and comprises the following steps: when the system is started, key data is acquired from a key management service and stored in a local key pool; if key update information sent by the key management service is received, a key update operation is requested from the key management service; when data is encrypted, a key is obtained from the locally stored key pool, the data to be encrypted is encrypted a first time with that key, the serial number of the key is added to the result of the first encryption, a second encryption is performed, and the result of the second encryption is stored in a database. The key management service realizes flexible management of the key, and the key can be updated, which increases the stability and security of the stored data and reduces the risk of the key being cracked because only one set of keys is used.
Drawings
In order to more clearly illustrate the technical solutions of the present invention, the drawings that are required for the embodiments will be briefly described, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope of the present invention. Like elements are numbered alike in the various figures.
FIG. 1 is a schematic flow chart of a data processing method according to an embodiment of the present application;
FIG. 2 is a flow chart of another method for processing data according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a decryption method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a data processing system according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments.
The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present invention.
The terms "comprises," "comprising," "including," and any variation thereof, as used in the various embodiments of the present invention, indicate the presence of a specific feature, number, step, operation, element, component, or combination of the foregoing, and are not intended to exclude the presence of, or the possibility of adding, one or more other features, numbers, steps, operations, elements, components, or combinations of the foregoing.
Furthermore, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which various embodiments of the invention belong. The terms (such as those defined in commonly used dictionaries) will be interpreted as having a meaning that is the same as the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein in connection with the various embodiments of the invention.
This technical scheme applies to encrypting, storing, decrypting and reading data. In financial systems such as banking, a large amount of sensitive data has to be stored for business reasons; for security and other considerations, such data cannot be stored in plaintext and is instead stored as ciphertext after encryption. The key management service manages the encryption keys independently and dynamically, and the business system obtains a key and then encrypts or decrypts the data, so that dynamic encryption and decryption is realized and the security of the file data is ensured.
The following describes the technical scheme of the present application in specific embodiments.
Example 1
As shown in fig. 1, the data processing method of the present embodiment is applied to an application system, and includes:
step S100, when the system is started, key data is obtained from the key management service and stored in a local key pool.
The application system is the collection of business systems that correspond to the actual services. Taking banking as an example, it may comprise business systems of different kinds, such as an approval system, a loan system or a deposit system, all of which store user data and therefore need encryption and decryption. Application systems are numerous and exchange a large amount of information with the outside world, so data must be encrypted and decrypted many times; performing every such operation through an online call is clearly unsuitable, so each business system keeps a local copy of the keys held in the key management service.
When any application system starts, it acquires the current key list from the key management service, so that it knows which keys the key management service holds and can match the key list against the keys in its locally stored key pool.
Step S200, if key update information sent by the key management service is received, a key update operation is requested from the key management service.
The key management service is a separate application dedicated to managing keys. It stores and maintains a plurality of keys in a database and provides functions for adding, deleting and querying them.
The key management service may update its keys. Once a key is updated, the keys stored in the key management service differ from those held by the application systems, so after the update the service broadcasts key update information to all application systems to tell them that the keys have changed. On receiving the broadcast, an application system knows that it needs to acquire new keys and sends an update request to the key management service, downloading the latest key version so that the keys in its local key pool stay up to date.
Step S300, when encryption is carried out, a key is obtained from the locally stored key pool, the data to be encrypted is encrypted a first time with that key, the serial number of the key is added to the result of the first encryption, a second encryption is performed, and the result of the second encryption is stored in a database.
Encryption is generally needed when data is received that must be stored, and stored in the database as ciphertext. Each encryption of data is a separate event, so a different key may be used each time, which increases the security of the data.
In this embodiment, all keys in the key management service are stored in the key pool of the application system, so a key can be selected at random for each encryption operation and used to encrypt the data.
The encryption of this embodiment has several steps. After a key is obtained, it is used to encrypt the plaintext to be stored for the first time; this may use a symmetric encryption algorithm such as AES. The sequence number of the key is then added to the result of the first encryption: for example, if the ciphertext string obtained by the first encryption is "abcde" and the sequence number of the key is 13, the string "abcde13" is obtained after the sequence number is added.
The sequence number of the key may be appended to the result of the first encryption, as in the example above, inserted into the string in sequence, or added to the result of the first encryption in some other way.
After the serial number is added, the second encryption is performed. It can be a simple keyless encryption such as base64; the ciphertext obtained after both encryptions is the final ciphertext, and this is what is stored in the database.
Because the key is selected at random, two storage operations on the same data may produce different ciphertexts. Therefore, in addition to the double encryption, a hash of the plaintext is also computed at encryption time; for example, the plaintext is processed with MD5 to obtain an irreversible, unique hash field. The hash field is bound to the ciphertext produced by the two encryptions and stored with it in the database. When the data needs to be looked up in the database, it can be confirmed through the hash field: even if the same data has been encrypted in different ways, the uniqueness of the hash field means the corresponding ciphertext can be found and matched accurately by using the hash field as an index, which in turn supports subsequent modification and other operations.
In addition, as shown in fig. 2, the present embodiment also provides a decryption method:
step S400, when decryption is performed, the encrypted data to be decrypted is acquired from the database.
The decryption operation generally uses data extracted from a database, and then the data is put on a front end for display or extracted for calculation, and the ciphertext needs to be decrypted into plaintext.
Step S500, the second encryption is reversed to obtain the first ciphertext, and the serial number of the key is obtained from the first ciphertext.
Decryption runs in the opposite order to encryption. Since the last step of the encryption scheme in this embodiment is a simple encryption using a symmetric encryption scheme, reversing it yields the first ciphertext, which includes the key sequence number.
How the serial number of the key is obtained depends on how it was added. For example, if the serial number was added at the tail of the ciphertext, the characters at the tail of the ciphertext are cut off to obtain the serial number.
Step S600, the corresponding actual key is obtained from the key pool according to the serial number, and a second decryption is performed with that key to obtain the decrypted data.
The sequence number of the key is its index, so the corresponding key can be obtained through the sequence number; the first ciphertext is then decrypted a second time with that key to obtain the final plaintext.
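The encryption steps (S300) and decryption steps (S400 to S600) above, written out in Java as an added example; it is not code from the patent or its applicant. Assumptions made here: AES-GCM as the first encryption, a fixed-width four-digit serial suffix instead of the bare "abcde13" form, Base64 as the keyless second step, HMAC-SHA-256 under a separate key in place of the MD5 hash field (an unkeyed hash of a low-entropy value such as an account number can be recomputed by anyone who holds the table), and every class, method and sample value.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added illustration of steps S300 and S400-S600; every name here is hypothetical.
public class SerialEnvelopeDemo {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final int SERIAL_WIDTH = 4; // assumption: serials 0..9999, zero-padded
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<Integer, SecretKey> keyPool; // local key pool: serial number -> key
    private final SecretKey indexKey;              // assumption: separate key for the hash field

    SerialEnvelopeDemo(Map<Integer, SecretKey> keys, SecretKey indexKey) {
        this.keyPool = new HashMap<>(keys);
        this.indexKey = indexKey;
    }

    // S300: first encryption, add the serial number, then the keyless second step.
    String encrypt(String plaintext) throws GeneralSecurityException {
        List<Integer> serials = new ArrayList<>(keyPool.keySet());
        int serial = serials.get(RNG.nextInt(serials.size())); // random key per record
        String suffix = String.format(Locale.ROOT, "%0" + SERIAL_WIDTH + "d", serial);
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyPool.get(serial), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(ascii(suffix)); // authenticate the serial so it cannot be swapped
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCt = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, ivAndCt, 0, IV_LEN);
        System.arraycopy(ct, 0, ivAndCt, IV_LEN, ct.length);
        String first = Base64.getEncoder().encodeToString(ivAndCt); // the page's "abcde"
        // Fixed-width suffix ("abcde" + "0013"): a bare "13" cannot be stripped reliably
        // when the ciphertext string itself may end in a digit.
        return Base64.getEncoder().encodeToString(ascii(first + suffix));
    }

    // S400-S600: undo the keyless step, read the serial, look up the key, decrypt.
    String decrypt(String stored) throws GeneralSecurityException {
        String inner = new String(Base64.getDecoder().decode(stored), StandardCharsets.US_ASCII);
        int cut = inner.length() - SERIAL_WIDTH;
        if (cut <= 0) throw new GeneralSecurityException("record too short");
        String suffix = inner.substring(cut);
        if (!suffix.matches("\\d{" + SERIAL_WIDTH + "}")) throw new GeneralSecurityException("malformed serial");
        int serial = Integer.parseInt(suffix);
        SecretKey key = keyPool.get(serial);
        if (key == null) // e.g. the local pool was replaced and no longer holds this serial
            throw new GeneralSecurityException("no key " + serial + " in local pool");
        byte[] ivAndCt = Base64.getDecoder().decode(inner.substring(0, cut));
        if (ivAndCt.length < IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("truncated");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, ivAndCt, 0, IV_LEN));
        c.updateAAD(ascii(suffix));
        byte[] pt = c.doFinal(ivAndCt, IV_LEN, ivAndCt.length - IV_LEN); // throws if tampered
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Hash field stored beside the ciphertext and used as the lookup index.
    // Swapped-in technique: keyed HMAC-SHA-256 where the page gives MD5 as its example.
    String lookupHash(String plaintext) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(indexKey);
        return Base64.getEncoder().encodeToString(mac.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    private static byte[] ascii(String s) { return s.getBytes(StandardCharsets.US_ASCII); }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        Map<Integer, SecretKey> pool = new HashMap<>();
        for (int serial : new int[] {7, 13, 21}) pool.put(serial, kg.generateKey()); // constructed pool
        byte[] ik = new byte[32];
        RNG.nextBytes(ik);
        SecretKey indexKey = new SecretKeySpec(ik, "HmacSHA256");
        SerialEnvelopeDemo app = new SerialEnvelopeDemo(pool, indexKey);
        String account = "6200000000000000001"; // constructed sample value
        String a = app.encrypt(account), b = app.encrypt(account);
        System.out.println("ciphertexts differ: " + !a.equals(b));
        System.out.println("lookup hash stable: " + app.lookupHash(account).equals(app.lookupHash(account)));
        System.out.println("round trip:         " + account.equals(app.decrypt(a)));
        // A pool that lacks the record's serial must fail closed rather than guess a key.
        SerialEnvelopeDemo stale = new SerialEnvelopeDemo(Map.of(99, kg.generateKey()), indexKey);
        try { stale.decrypt(a); } catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The outer Base64 layer only encodes: confidentiality rests entirely on the first encryption and on the keys in the pool, and the serial number is recoverable by anyone who can read the stored value.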
In an actual production environment, developers often use plugins to simplify database operations, for example the MyBatis plugin. Such plugins provide data interception when data is extracted from the database, so that a developer can acquire the data and then perform special rendering operations on it. However, in the step where data is encrypted before being written to the database, once the data has been intercepted and parsed by MyBatis it is changed irreversibly, so the rendered data can no longer be encrypted or parsed; for an application system used in such a scenario, unpredictable changes after parsing cause system abnormalities.
Therefore, when the data to be encrypted or decrypted is intercepted by the MyBatis interceptor mechanism and the parameter is a Wrapper data wrapper of MyBatis Plus, the data to be encrypted is cloned, the clone is parsed to determine whether the data is to be encrypted, and once this is determined the result of the analysis is attached to the original data so that the next operation can be performed on it.
In this embodiment, the data is cloned to obtain an identical copy, and the parsing is performed on the copy to obtain the operation required for the data, while the original data is not parsed. Once the analysis result is obtained, the data is encrypted or decrypted according to it, or is not encrypted or decrypted and other business operations are performed instead. Encryption and decryption are therefore not affected by the MyBatis Plus plugin, and the plaintext is guaranteed to be obtainable.
As shown in fig. 3, a data processing method applied to a key management service includes:
step S700, when a loading request from an application system is received, sending a key list to the application system.
The key management service is an application for managing keys; it mainly adds, deletes and queries keys through a database in order to maintain a plurality of keys. When an application system comes online, it can apply to obtain the current key list, and in response the key management service sends the key list to that application system.
Step S800, when an update request is received from the application system, the latest key data is sent to the application system.
When the application system receives the key update information sent by the key management service, it applies to the key management service for a key update, and the key management service then sends the current latest key data to the application system.
In addition, keys in the key management service may be updated online; when an update finishes, the key management service automatically backs up the updated key and encrypts the backup;
after the key update is completed, the key management service transmits the latest key in a broadcast form to the application systems accessing the key management service. That is, as soon as the key management system finishes updating a key it synchronizes once, so that online application systems can use the updated key immediately, which ensures the stability of each application system.
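The load, broadcast and update-request exchange between application systems and the key management service (steps S100, S200, S700 and S800), modelled in-process in Java as an added example; it is not code from the patent or its applicant. Assumptions made here: the broadcast carries only a version number and the application then pulls the key data, the pool is swapped as one immutable snapshot, and all class and method names are hypothetical (Java 16 or later for `record`).

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;

// Added illustration of S100/S200 and S700/S800; all names are hypothetical.
public class KeyPoolSyncDemo {
    // Immutable view of the pool: version counter plus serial number -> key bytes.
    record KeySnapshot(long version, Map<Integer, byte[]> keys) {}

    static class KeyManagementService {
        private final SecureRandom rng = new SecureRandom();
        private final Map<Integer, byte[]> keys = new HashMap<>();
        private final List<ApplicationSystem> online = new ArrayList<>();
        private long version = 0;
        private int nextSerial = 1;

        // S700: answer a loading request and remember the caller for later broadcasts.
        synchronized KeySnapshot load(ApplicationSystem app) {
            online.add(app);
            return snapshot();
        }

        // S800: answer an update request with the latest key data.
        synchronized KeySnapshot latest() { return snapshot(); }

        // Key update: change the pool, then broadcast "keys updated" to every online system.
        void addKey() {
            List<ApplicationSystem> targets;
            long announced;
            synchronized (this) {
                byte[] k = new byte[32];
                rng.nextBytes(k);
                keys.put(nextSerial++, k); // existing serials stay, so stored ciphertext still decrypts
                announced = ++version;
                targets = List.copyOf(online);
            }
            // Notify outside the lock so a slow application cannot block key management.
            for (ApplicationSystem app : targets) app.onKeyUpdate(this, announced);
        }

        private KeySnapshot snapshot() { return new KeySnapshot(version, Map.copyOf(keys)); }
    }

    static class ApplicationSystem {
        private final AtomicReference<KeySnapshot> pool = new AtomicReference<>();

        // Swap the whole pool atomically and never fall back to an older version.
        private void install(KeySnapshot s) {
            pool.updateAndGet(cur -> cur == null || s.version() > cur.version() ? s : cur);
        }

        // S100: load key data at start-up.
        void start(KeyManagementService kms) { install(kms.load(this)); }

        // S200: on key update information, request the latest key data.
        void onKeyUpdate(KeyManagementService kms, long announced) {
            KeySnapshot cur = pool.get();
            if (cur != null && announced <= cur.version()) return; // duplicate or late broadcast
            install(kms.latest());
        }

        KeySnapshot pool() { return pool.get(); }
    }

    public static void main(String[] args) {
        KeyManagementService kms = new KeyManagementService();
        kms.addKey();
        kms.addKey();
        ApplicationSystem loans = new ApplicationSystem(), deposits = new ApplicationSystem();
        loans.start(kms);
        deposits.start(kms);
        System.out.println("after start:  v" + loans.pool().version() + " serials " + loans.pool().keys().keySet());
        kms.addKey(); // broadcast reaches both systems
        System.out.println("after update: v" + deposits.pool().version() + " serials " + deposits.pool().keys().keySet());
        loans.onKeyUpdate(kms, 1); // replayed old broadcast is ignored
        System.out.println("after replay: v" + loans.pool().version());
    }
}
```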
It should be noted that the keys stored in the key management system of this embodiment may correspond to different encryption and decryption modes. For example, if 10 keys currently exist, each key is bound to and stored with a particular encryption mode. When the application system invokes a key to encrypt, it reads the encryption mode bound to that key and encrypts accordingly; when decrypting, because the key serial number is obtained first and the key is then looked up, the encryption mode bound to the key is also available, and the corresponding decryption mode is used.
The dynamic key encryption and decryption method of this embodiment has been described from the two sides of the application system and the key management service, together with the key management performed in the background. Because a separate key management service is dedicated to storing and updating keys, the security of the keys can be effectively ensured, and because each key is backed up, the situation in which data cannot be decrypted because a key has been lost is avoided. In addition, an application system acquires all key data each time it comes online, and the key management service automatically broadcasts and issues keys when keys are updated, so the keys in all application systems are up to date and key use is consistent across the system. Finally, when tool scripts such as MyBatis are used, data can be encrypted and decrypted through an interceptor without interfering with the normal functions of the plugin, so the encryption and decryption method of this embodiment can be adapted to complex usage scenarios.
Example 2
As shown in fig. 4, the present application also provides a data processing system, including an application system 200 and a key management service 100.
The application system 200 is configured to apply for loading key data to a key management service when the system is started, and apply for a key update operation to the key management service 100 when key update information sent by the key management service 100 is received;
the application system 200 is further configured to obtain a key from a locally stored key pool when encryption is performed, encrypt data to be encrypted for the first time by using the key, then add a serial number of the key to a result of the first encryption, perform second encryption, and store an encryption result after the second encryption in a database.
The key management service 100 is configured to send a key list to the application system 200 when receiving a load request from the application system; when the key management service 100 receives the update request of the application system, the latest key is transmitted to the application system.
As can be seen from fig. 4, the key management service is a single independent module, while the application system 200 actually comprises a plurality of business systems related to actual services and is the collection of those systems. The key management service 100 issues and updates keys by communicating with the application system 200. It is an independent service that manages keys and does not interact with the outside, so it has high security; even if a key is cracked, the key in the key management service can be modified in the background to carry out a key update and so ensure the security of the data.
Furthermore, the present application provides a computer device comprising a processor and a memory, said memory storing a computer program which, when run on said processor, performs said data processing method. The computer device may be a computer or a computer device such as a server that can carry the above method.
The present application also provides a readable storage medium storing a computer program which, when run on a processor, performs the data processing method.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, of the flow diagrams and block diagrams in the figures, which illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules or units in various embodiments of the invention may be integrated together to form a single part, or the modules may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a smart phone, a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention.

Claims (10)

1. A data processing method, applied to an application system, comprising:
when the system is started, acquiring key data from a key management service and storing it in a local key pool;
if key update information sent by the key management service is received, applying to the key management service for a key update operation;
when data encryption is performed, obtaining a key from the locally stored key pool, encrypting the data to be encrypted a first time with the key, then adding the serial number of the key to the result of the first encryption, performing a second encryption, and then storing the data encryption result of the second encryption in a database.
2. The data processing method according to claim 1, wherein after applying to the key management service for a key update operation, the method further comprises:
accepting an updated key sent from the key management service;
when the key in the key management service is updated, sending, by the application system, an update request to the key management service and receiving the latest key data of the key management service;
replacing the key data in the local key pool with the received latest key data.
3. The data processing method according to claim 1, characterized by further comprising:
when decryption is performed, obtaining the encrypted data to be decrypted from the database;
decrypting according to the second encryption mode to obtain a first ciphertext after the first decryption, and obtaining the serial number of the key from the first ciphertext;
obtaining the corresponding real key from the key pool according to the serial number, and performing a second decryption with the real key to obtain the decrypted data.
4. The data processing method according to claim 1, wherein before the data encryption, further comprising:
if the original data to be encrypted or decrypted is intercepted by an interceptor, cloning the original data and determining from the input parameters whether the original data is to be encrypted; if the input parameter is the Wrapper encapsulation class provided by MyBatis Plus and the original data is to be encrypted, attaching a to-be-encrypted tag to the original data and then encrypting the original data.
5. The method according to claim 1, wherein the step of storing the data encryption result of the second encryption in a database comprises:
performing a hash operation on the data to be encrypted to generate a corresponding hash field, wherein the hash field is used as a unique index of the encryption result and is bound to the encryption result and stored in the database.
6. A data processing method, applied to a key management service, comprising:
when a loading request from an application system is received, sending key data to the application system;
when an update request from the application system is received, sending the latest key data to the application system.
7. The data processing method of claim 6, further comprising:
when the key in the key management service is updated, the key management service automatically backs up the updated key and encrypts the backed up key;
after the key updating is completed, the key management service broadcasts key updating information to an application system accessing the key management service.
8. A data processing system comprising an application system and a key management service, wherein:
the application system is used for acquiring key information from the key management service when the system is started, and,
if key update information sent by the key management service is received, for applying to the key management service for a key update operation;
the application system is also used for, when data encryption is performed, obtaining a key from the locally stored key pool, encrypting the data to be encrypted a first time with the key, adding the serial number of the key to the result of the first encryption, performing a second encryption, and storing the data encryption result of the second encryption in a database;
the key management service is used for sending a key list to the application system when a loading request from the application system is received, and for sending the latest key to the application system when an update request from the application system is received.
9. A computer device comprising a processor and a memory, the memory storing a computer program which, when run on the processor, performs the data processing method of any one of claims 1 to 7.
10. A readable storage medium, characterized in that it stores a computer program which, when run on a processor, performs the data processing method of any one of claims 1 to 7.
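The encryption and decryption order of claims 1 and 3, together with the hash field of claim 5, shown as an added example that is not part of the patent text. AES-256-GCM for both layers, a separate outer key for the second encryption, HMAC-SHA-256 in place of a plain hash, and all function names are assumptions; the keys and the value `ID-4401` are constructed.

```javascript
const crypto = require('node:crypto');

// One AES-256-GCM layer laid out as nonce(12) | tag(16) | ciphertext (assumed cipher).
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every layer
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function open(key, blob) {
  if (blob.length < 28) throw new Error('ciphertext too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if modified
}

// Claim 1: first encryption under pool[serial], serial prepended, second encryption.
function encryptField(pool, outerKey, serial, data) {
  const key = pool.get(serial);
  if (!key) throw new Error(`serial ${serial} not in local key pool`);
  const hdr = Buffer.alloc(4);
  hdr.writeUInt32BE(serial);
  return seal(outerKey, Buffer.concat([hdr, seal(key, Buffer.from(data, 'utf8'))])).toString('base64');
}

// Claim 3: undo the second encryption, read the serial, fetch the real key, decrypt.
function decryptField(pool, outerKey, stored) {
  const first = open(outerKey, Buffer.from(stored, 'base64'));
  const key = pool.get(first.readUInt32BE(0));
  if (!key) throw new Error('key serial not in local key pool');
  return open(key, first.subarray(4)).toString('utf8');
}

// Claim 5: hash field stored beside the ciphertext; HMAC-SHA-256 replaces a bare hash here.
function hashField(indexKey, data) {
  return crypto.createHmac('sha256', indexKey).update(data, 'utf8').digest('hex');
}

// Constructed demo: a row written under serial 1 is read back after two kinds of key update.
function demo() {
  const outerKey = crypto.randomBytes(32), pool = new Map([[1, crypto.randomBytes(32)]]);
  const enc = encryptField(pool, outerKey, 1, 'ID-4401');
  const kept = new Map([...pool, [2, crypto.randomBytes(32)]]); // serial 1 retained
  const replaced = new Map([[2, crypto.randomBytes(32)]]); // serial 1 dropped
  let lost = false;
  try { decryptField(replaced, outerKey, enc); } catch (e) { lost = true; }
  return { plain: decryptField(kept, outerKey, enc), lost };
}
```

Because the serial number travels inside the stored value, a row written before a key update stays readable only while that serial is still present in the local key pool; `demo()` returns `lost: true` for the pool that no longer holds it.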
CN202310685410.3A 2023-06-12 2023-06-12 Data processing method, system, computer device and storage medium Pending CN116418505A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310685410.3A CN116418505A (en) 2023-06-12 2023-06-12 Data processing method, system, computer device and storage medium


Publications (1)

Publication Number Publication Date
CN116418505A true CN116418505A (en) 2023-07-11

Family

ID=87049659


Country Status (1)

Country Link
CN (1) CN116418505A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075327A (en) * 2010-12-21 2011-05-25 北京握奇数据系统有限公司 Method, device and system for unlocking electronic key
CN107995174A (en) * 2017-11-23 2018-05-04 上海斐讯数据通信技术有限公司 File key acquisition device and method, file deciphering device and method
US20180260125A1 (en) * 2017-03-10 2018-09-13 Pure Storage, Inc. Synchronously replicating datasets and other managed objects to cloud-based storage systems
CN113630407A (en) * 2021-08-02 2021-11-09 中电信量子科技有限公司 Method and system for enhancing transmission security of MQTT protocol by using symmetric cryptographic technology
CN114186264A (en) * 2022-01-07 2022-03-15 中国工商银行股份有限公司 Data random encryption and decryption method, device and system



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230711
