CN116582267B - Data encryption system, method and device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN116582267B
Authority: CN (China)
Prior art keywords: encryption, data, key, module, file
Legal status: Active
Application number: CN202310544659.2A
Other languages: Chinese (zh)
Other versions: CN116582267A (en)
Inventor: 陶传会
Current Assignee: Hexin Technology Co ltd; Hexin Technology Suzhou Co ltd
Original Assignee: Hexin Technology Co ltd; Hexin Technology Suzhou Co ltd
Application filed by Hexin Technology Co ltd, Hexin Technology Suzhou Co ltd
Priority to CN202310544659.2A
Publication of CN116582267A
Application granted
Publication of CN116582267B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations

Abstract

The invention discloses a data encryption system, method, device, storage medium and electronic equipment. Hybrid encryption with the AES encryption algorithm and the SM4 encryption algorithm is used, so that potential security risks that may exist in the AES encryption algorithm are eliminated and autonomous, controllable data security is achieved. The target encryption algorithm combination is selected by using a preset encryption strategy selection method, so that even if configuration information is leaked, the algorithm and key used for data encryption cannot be determined, which ensures the security of the data. An external cryptographic card is introduced for encryption, which improves the security and encryption performance of the data, frees CPU computing resources, and improves service concurrency capacity and data throughput. Furthermore, by using a key management module in the system, all key processing is carried out inside the server through the key management module, which reduces the security risk caused by transmitting the key from the client or obtaining the key from a remote key management service.

Description

Data encryption system, method and device, storage medium and electronic equipment
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a data encryption system, method, apparatus, storage medium, and electronic device.
Background
The rapid development of internet technology has created a demand for mass data storage, and distributed storage technology has emerged in response. Among the current mainstream open-source distributed storage software, only a small part supports encryption, such as Ceph object storage and the HDFS file system. At present, mainstream distributed systems encrypt data with the AES algorithm built into the CPU. This approach increases the CPU load of the server; at the same time, the actual security of the data is doubtful and the data is not absolutely secure, which poses a serious hidden danger to data security in various industries.
Disclosure of Invention
In view of the above, embodiments of the present invention provide a data encryption system, a method, an apparatus, a storage medium, and an electronic device, so as to solve the technical problems that in the prior art, using an AES algorithm built in a CPU to encrypt data increases the CPU load of a server side and cannot guarantee absolute security of the data.
The technical scheme provided by the invention is as follows:
In a first aspect, an embodiment of the present invention provides a data encryption system for a distributed system. The data encryption system includes: an intelligent decision module, an encryption resource monitoring module, a data encryption module, a key management module, a local server and a national encryption card, wherein the encryption resource monitoring module is respectively connected with the intelligent decision module, the data encryption module, the local server and the national encryption card, the key management module is respectively connected with the intelligent decision module, the data encryption module and the encryption resource monitoring module, and the data encryption module is respectively connected with the local server and the national encryption card; the encryption resource monitoring module is used for monitoring the local server and the national encryption card, acquiring the central processor load data of the local server and the encryption card load data of the national encryption card, and sending the central processor load data and the encryption card load data to the intelligent decision module; the intelligent decision module is used for selecting from a preset encryption algorithm combination set by using a preset encryption strategy selection method, based on the central processor load data and the encryption card load data, to obtain a target encryption algorithm combination, and sending the target encryption algorithm combination to the key management module, wherein the target encryption algorithm combination is one of the four possible combinations of the AES encryption algorithm and the SM4 encryption algorithm; the key management module comprises a key generation unit, which is used for generating a first key and a second key based on the target encryption algorithm combination and sending the first key and the second key to the data encryption module; the data encryption module comprises a data encryption unit, which is used for obtaining the file name and the file content data of a file to be encrypted in the distributed system, encrypting the file name by using the first key to obtain file name ciphertext data, and encrypting the file content data by using the second key to obtain file content ciphertext data.
With reference to the first aspect, in a possible implementation manner of the first aspect, the intelligent decision module includes: the acquisition unit is used for acquiring the encryption algorithm configuration information and sending the encryption algorithm configuration information to the calculation unit; the computing unit is used for computing the configuration weight of each encryption algorithm combination in the preset encryption algorithm combination set based on the encryption algorithm configuration information, and sending the configuration weight to the decision unit; the determining unit is used for determining an encryption resource decision principle based on the CPU load data and the encryption card load data and sending the encryption resource decision principle to the decision unit; the decision unit is used for determining the target encryption algorithm combination based on the configuration weight and the encryption resource decision principle.
With reference to the first aspect, in another possible implementation manner of the first aspect, the determining unit includes: the judging subunit is used for judging whether the load data of the central processing unit meets a first preset condition or not, judging whether the load data of the encryption card meets a second preset condition or not, and sending a judging result to the determining subunit; the determining subunit is configured to determine a priority of each encryption algorithm combination in the preset encryption algorithm combination set based on the determination result, and select the target encryption algorithm combination in the preset encryption algorithm combination set based on the priority.
With reference to the first aspect, in a further possible implementation manner of the first aspect, the data encryption module further includes: a calling unit, used for receiving the target encryption algorithm combination sent by the intelligent decision module and calling the corresponding encryption computing power providing equipment based on the target encryption algorithm combination, so that the encryption computing power providing equipment provides encryption computing power for the data encryption unit, wherein the encryption computing power providing equipment is at least one of the local server and the national encryption card.
With reference to the first aspect, in a further possible implementation manner of the first aspect, the key management module further includes: a key storage unit, used for receiving and storing the first key and the second key sent by the key generation unit.
With reference to the first aspect, in a further possible implementation manner of the first aspect, the data encryption module further includes: a creating unit, used for receiving the file name ciphertext data sent by the data encryption unit and creating a file under the directory tree corresponding to the file to be encrypted based on the file name ciphertext data.
In a second aspect, an embodiment of the present invention provides a data encryption method, which is used in the data encryption system according to the first aspect or any implementation manner of the first aspect of the embodiment of the present invention, where the data encryption system is used in a distributed system. The data encryption method comprises the following steps: acquiring a preset encryption algorithm combination set, a monitoring data set and a file data set of a file to be encrypted in the distributed system, wherein the monitoring data set comprises central processor load data of a local server in the data encryption system and encryption card load data of a national encryption card, and the file data set comprises the file name and file content data of the file to be encrypted in the distributed system; based on the CPU load data and the encryption card load data, selecting from the preset encryption algorithm combination set by using a preset encryption strategy selection method to obtain a target encryption algorithm combination; generating a first key and a second key based on the target encryption algorithm combination; and encrypting the file name by using the first key to obtain file name ciphertext data, and encrypting the file content data by using the second key to obtain file content ciphertext data.
In a third aspect, an embodiment of the present invention provides a data encryption device, used in the data encryption system according to the first aspect or any implementation manner of the first aspect of the embodiments of the present invention, where the data encryption system is used in a distributed system. The data encryption device includes: an acquisition module, used for acquiring a preset encryption algorithm combination set, a monitoring data set and a file data set of a file to be encrypted in the distributed system, wherein the monitoring data set comprises central processing unit load data of a local server in the data encryption system and encryption card load data of a national encryption card, and the file data set comprises the file name and file content data of the file to be encrypted in the distributed system; a selecting module, used for selecting from the preset encryption algorithm combination set by using a preset encryption strategy selection method, based on the CPU load data and the encryption card load data, to obtain a target encryption algorithm combination; a generation module, used for generating a first key and a second key based on the target encryption algorithm combination; and an encryption module, used for encrypting the file name by using the first key to obtain file name ciphertext data, and encrypting the file content data by using the second key to obtain file content ciphertext data.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium storing a computer program, where the computer program is configured to cause a computer to perform the data encryption method according to the first aspect or any implementation manner of the first aspect of the embodiment of the present invention.
In a fifth aspect, an embodiment of the present invention provides an electronic device, including: a memory and a processor, wherein the memory is in communication connection with the processor, the memory stores a computer program, and the processor executes the computer program to perform the data encryption method according to the first aspect or any implementation manner of the first aspect of the embodiments of the present invention.
The technical scheme provided by the invention has the following effects:
The data encryption system provided by the embodiment of the invention uses hybrid encryption with the AES encryption algorithm and the SM4 encryption algorithm, so that potential security risks that may exist in the AES encryption algorithm are eliminated and autonomous, controllable data security is achieved. The target encryption algorithm combination is selected from a preset encryption algorithm combination set by using a preset encryption strategy selection method, so that the selection cannot be subjectively determined, and even if configuration information is leaked, the algorithm and key used for data encryption cannot be determined, which greatly ensures the security of the data. Encryption by an external cryptographic card is introduced, which greatly improves the security and encryption performance of the data; at the same time, CPU computing resources are released, the performance bottleneck of using a domestic cryptographic algorithm on a general-purpose server is resolved, and service concurrency capacity and data throughput are improved. Furthermore, by using a key management module in the system, all key processing is carried out inside the server through the key management module, and by using hybrid encryption with the AES encryption algorithm and the SM4 encryption algorithm, the security risk caused by transmitting the key from the client or obtaining the key from a remote key management service is reduced. Furthermore, the invention encrypts not only the file content data but also the file name, which is equivalent to encrypting the directory structure of the file system; this provides extremely high security at the user level and also prevents theft by system maintainers, DBAs and the like.
The data encryption method provided by the embodiment of the invention encrypts data by using the data encryption system provided by the embodiment of the invention, achieving double encryption of file names and file content data, achieving autonomous and controllable data security, and greatly ensuring the security of the data.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a block diagram of a data encryption system according to an embodiment of the present invention;
FIG. 2 is a flow chart of a data encryption method provided according to an embodiment of the present invention;
FIG. 3 is a block diagram of an encryption subsystem provided in accordance with an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a new data security protection method, strategy and encryption in the process according to an embodiment of the present invention;
FIG. 5 is a block diagram of a data encryption device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a computer-readable storage medium provided according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The embodiment of the invention provides a data encryption system which is used for a distributed system; as shown in fig. 1, the data encryption system 1 includes: the system comprises an intelligent decision module 11, an encryption resource monitoring module 12, a key management module 13, a data encryption module 14, a local server 15 and a national encryption card 16.
The encryption resource monitoring module 12 is respectively connected with the intelligent decision module 11, the data encryption module 14, the local server 15 and the national encryption card 16; the key management module 13 is respectively connected with the intelligent decision module 11 and the data encryption module 14; the data encryption module 14 is connected to a local server 15 and a national encryption card 16, respectively.
It should be understood that the above system also includes other devices and apparatuses.
Preferably, the intelligent decision module 11 comprises: an acquisition unit 111, a calculation unit 112, a determination unit 113, and a decision unit 114. Wherein the calculation unit 112 is connected to the acquisition unit 111 and the decision unit 114, respectively; the determination unit 113 is connected to the decision unit 114.
Further, the determination unit 113 includes: a judging subunit 1131 and a determining subunit 1132. Wherein the judging subunit 1131 is connected to the determining subunit 1132.
Preferably, the data encryption module 14 includes: a data encryption unit 141, a calling unit 142, and a creation unit 143. Wherein the data encryption unit 141 is connected to the calling unit 142 and the creating unit 143, respectively.
Preferably, the key management module 13 includes: a key generation unit 131 and a key storage unit 132. Wherein the key generation unit 131 and the key storage unit 132 are connected.
Further, the functions of the respective devices in the above system are described.
Specifically, the encryption resource monitoring module 12 may acquire Central Processing Unit (CPU) load data of the local server 15 and encryption card load data of the cryptographic card 16 by monitoring the local server 15 and the cryptographic card 16 in real time, and send the CPU load data and the encryption card load data to the intelligent decision module 11.
After receiving the CPU load data and the encryption card load data, the intelligent decision module 11 uses a preset encryption policy selection method to select from a preset encryption algorithm combination set, obtains a target encryption algorithm combination, and sends the target encryption algorithm combination to the key management module 13.
First, the acquiring unit 111 in the intelligent decision module 11 acquires encryption algorithm configuration information: national cryptographic algorithm (SM4) priority, AES priority, system state weights, whether or not to enable a hybrid algorithm, name and data mixing, etc. Four encryption algorithm combinations for file content data and file names, namely the preset encryption algorithm combination set, are preset in the intelligent decision module 11 according to the configuration information. The four combinations are: AES+SM4; AES+AES; SM4+SM4; SM4+AES.
Meanwhile, the acquiring unit 111 sends the obtained encryption algorithm configuration information to the calculating unit 112, and calculates a configuration weight of each encryption algorithm combination in the preset encryption algorithm combination set in the calculating unit 112, and further, the calculating unit 112 sends the configuration weight to the deciding unit 114.
Next, the determining unit 113 in the intelligent decision module 11 may determine an encryption resource decision rule based on the CPU load data and the encryption card load data, and send the encryption resource decision rule to the decision unit 114.
Specifically, in the determination unit 113, the judging subunit 1131 judges whether the CPU load data satisfies the first preset condition and, at the same time, whether the encryption card load data satisfies the second preset condition, and sends the judgment result to the determining subunit 1132.
The determining subunit 1132 may determine, according to the determination result, a priority of each encryption algorithm combination in the preset encryption algorithm combination set, and select, based on the priority, a corresponding target encryption algorithm combination in the preset encryption algorithm combination set.
Specifically, when the load of the CPU is too high, that is, when the CPU load data does not satisfy the first preset condition and the encryption card load data satisfies the second preset condition, the SM4 encryption algorithm is preferentially selected; that is, the priority of the encryption algorithm combinations in the preset encryption algorithm combination set is ordered from high to low as follows: SM4+SM4, SM4+AES, AES+SM4, AES+AES.
When the load of the cryptographic card 16 is too high, that is, when the CPU load data satisfies the first preset condition and the encryption card load data does not satisfy the second preset condition, the AES encryption algorithm is preferentially used; that is, the priority of the encryption algorithm combinations in the preset encryption algorithm combination set is ordered from high to low as follows: AES+AES, AES+SM4, SM4+AES, SM4+SM4.
When neither load is high, that is, when the CPU load data satisfies the first preset condition and the encryption card load data satisfies the second preset condition, the combination may be selected randomly, or the SM4 encryption algorithm may be preferentially selected.
When both loads are high, that is, when the CPU load data does not satisfy the first preset condition and the encryption card load data does not satisfy the second preset condition, the SM4 encryption algorithm must be used to ensure normal operation of the system; that is, the target encryption algorithm combination is SM4+SM4.
Finally, the decision unit 114 performs a trade-off according to the received configuration weight and the encryption resource decision rule to obtain a final target encryption algorithm combination.
Further, after receiving the target encryption algorithm combination sent by the intelligent decision module 11, the key management module 13 generates, in the key generation unit 131 and according to the target encryption algorithm combination, a file name key (the first key) and a file content data key (the second key), and sends the first key and the second key to the data encryption module 14.
Specifically, the key generation operation may be performed according to the key length required for the target encryption algorithm combination. Further, the key management module 13 may also directly receive the CPU load data and the encryption card load data sent by the encryption resource monitoring module, and generate the first key and the second key in the key generating unit 131 according to the CPU load data and the encryption card load data using a random number generator included in the CPU.
Further, the key generation unit 131 may also send the generated first key and second key to the key storage unit 132 for storage.
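The selection rules and key generation described above, sketched as an added example (not code from the patent). The load thresholds, the weight-times-rank scoring in `decide`, the AES-256 key size, the use of the operating system CSPRNG in place of the CPU random number generator, and the mapping of combination positions to file name and file content are assumptions, since the description leaves them unspecified.

```python
import secrets

# Priority orderings stated in the description for the two single-overload cases.
# Assumption: in each pair the first algorithm protects the file name (first key)
# and the second protects the file content (second key).
SM4_FIRST = [("SM4", "SM4"), ("SM4", "AES"), ("AES", "SM4"), ("AES", "AES")]
AES_FIRST = [("AES", "AES"), ("AES", "SM4"), ("SM4", "AES"), ("SM4", "SM4")]

# Assumed thresholds standing in for the "first" and "second preset condition".
CPU_MAX_LOAD = 0.80
CARD_MAX_LOAD = 0.80

# Key sizes in bytes. SM4 always takes a 128-bit key; AES-256 is an assumption.
KEY_BYTES = {"AES": 32, "SM4": 16}


def resource_priority(cpu_load, card_load, prefer_sm4_when_idle=True):
    """Determining unit: order the candidate combinations by resource state."""
    cpu_ok = cpu_load <= CPU_MAX_LOAD      # first preset condition (assumed form)
    card_ok = card_load <= CARD_MAX_LOAD   # second preset condition (assumed form)
    if not cpu_ok and not card_ok:
        # Both overloaded: the description requires SM4+SM4.
        return [("SM4", "SM4")]
    if not cpu_ok:
        return list(SM4_FIRST)
    if not card_ok:
        return list(AES_FIRST)
    # Neither overloaded: random choice, or SM4 preferred.
    if prefer_sm4_when_idle:
        return list(SM4_FIRST)
    order = list(SM4_FIRST)
    secrets.SystemRandom().shuffle(order)
    return order


def decide(config_weights, priority):
    """Decision unit: trade off configuration weight against resource priority.

    Assumed scoring: weight * (n - rank) / n, ties broken by resource rank.
    Combinations missing from config_weights get weight 0.
    """
    n = len(priority)

    def score(combo):
        rank = priority.index(combo)
        return (config_weights.get(combo, 0.0) * (n - rank) / n, -rank)

    return max(priority, key=score)


def generate_keys(combo):
    """Key generation unit: one key per algorithm, sized for that algorithm."""
    name_alg, content_alg = combo
    first_key = secrets.token_bytes(KEY_BYTES[name_alg])      # file name key
    second_key = secrets.token_bytes(KEY_BYTES[content_alg])  # file content key
    return first_key, second_key


def select_and_generate(cpu_load, card_load, config_weights):
    """Full flow: monitoring data in, target combination and two keys out."""
    combo = decide(config_weights, resource_priority(cpu_load, card_load))
    first_key, second_key = generate_keys(combo)
    return combo, first_key, second_key


if __name__ == "__main__":
    # Constructed sample: CPU overloaded, card idle, configuration favours SM4+AES.
    weights = {c: 1.0 for c in SM4_FIRST}
    weights[("SM4", "AES")] = 3.0
    combo, k1, k2 = select_and_generate(0.95, 0.20, weights)
    print(combo, len(k1) * 8, len(k2) * 8)
```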
The key management module 13 provided by the embodiment of the invention is completely invisible to a user or an upper layer system, the generation and storage of the key are completely independent, and only interaction with other modules in the system is performed, so that the data security is greatly improved.
Further, the data encryption unit 141 in the data encryption module 14 obtains the file name and the file content data of the file to be encrypted in the distributed system, encrypts the file name by using the received first key (filename-key) to obtain file name ciphertext data, and encrypts the file content data by using the received second key (data-key) to obtain file content ciphertext data. The encrypted data is then written to disk according to the directory structure.
The encryption process also requires determining the device that provides the encryption computing power.
Specifically, the calling unit 142 in the data encryption module 14 receives the target encryption algorithm combination sent by the intelligent decision module 11, and calls the corresponding encryption computing power providing device based on the target encryption algorithm combination, so that the encryption computing power providing device provides encryption computing power for the data encryption unit 141.
The encryption computing power providing device is at least one of the local server 15 and the national encryption card 16.
Specifically, when the target encryption algorithm combination is one of the combinations corresponding to preferential selection of the SM4 encryption algorithm, the CPU (local server 15) is invoked to provide encryption computing power to the data encryption unit 141; when the target encryption algorithm combination is one of the combinations corresponding to preferential selection of the AES encryption algorithm, the cryptographic card 16 is called to provide encryption computing power to the data encryption unit 141.
Further, after the data encryption unit 141 generates the file name ciphertext data, the file name ciphertext data is sent to the creation unit 143, and a file is created in the creation unit 143 under a directory tree corresponding to the file to be encrypted according to the file name ciphertext data, so that the encrypted file content data is stored when the file content data is encrypted later.
The data encryption system provided by the embodiment of the invention uses hybrid encryption with the AES encryption algorithm and the SM4 encryption algorithm, so that potential security risks that may exist in the AES encryption algorithm are eliminated and autonomous, controllable data security is achieved. The target encryption algorithm combination is selected from a preset encryption algorithm combination set by using a preset encryption strategy selection method, so that the selection cannot be subjectively determined, and even if configuration information is leaked, the algorithm and key used for data encryption cannot be determined, which greatly ensures the security of the data. Encryption by an external cryptographic card is introduced, which greatly improves the security and encryption performance of the data; at the same time, CPU computing resources are released, the performance bottleneck of using a domestic cryptographic algorithm on a general-purpose server is resolved, and service concurrency capacity and data throughput are improved. Furthermore, by using a key management module in the system, all key processing is carried out inside the server through the key management module, and by using hybrid encryption with the AES encryption algorithm and the SM4 encryption algorithm, the security risk caused by transmitting the key from the client or obtaining the key from a remote key management service is reduced. Furthermore, the invention encrypts not only the file content data but also the file name, which is equivalent to encrypting the directory structure of the file system; this provides extremely high security at the user level and also prevents theft by system maintainers, DBAs and the like.
The embodiment of the invention also provides a data encryption method, which is used for the data encryption system 1 according to the embodiment of the invention, wherein the data encryption system 1 is used for a distributed system; as shown in fig. 2, the method comprises the steps of:
Step 201: acquire a preset encryption algorithm combination set, a monitoring data set and a file data set of a file to be encrypted in the distributed system.
The preset encryption algorithm combination set may be determined according to the obtained encryption algorithm configuration information, and includes: AES+SM4; AES+AES; SM4+SM4; SM4+AES. For the specific acquisition and determination process, refer to the above description of the function of the acquisition unit 111 in the intelligent decision module 11 in the data encryption system 1, which is not repeated here.
The monitoring data set includes the central processor load data of the local server in the data encryption system and the encryption card load data of the cryptographic card, and can be obtained through the encryption resource monitoring module 12 in the data encryption system 1. For the specific obtaining process, refer to the above description of the function of the encryption resource monitoring module 12 in the data encryption system 1, which is not repeated here.
The file data set includes the file name and the file content data of the file to be encrypted in the distributed system, and can be obtained through the data encryption module 14 in the data encryption system 1. For the specific process, refer to the above description of the function of the data encryption module 14 in the data encryption system 1, which is not repeated here.
Step 202: based on the CPU load data and the encryption card load data, select from the preset encryption algorithm combination set by using a preset encryption strategy selection method to obtain a target encryption algorithm combination.
Specifically, the corresponding target encryption algorithm combination can be obtained by the intelligent decision module 11 in the data encryption system 1.
The specific selection process refers to the above description of the interaction process between the intelligent decision module 11 and the encryption resource monitoring module in the data encryption system 1, and the description and the functional description of the interaction process between the acquisition unit 111, the calculation unit 112, the determination unit 113 and the decision unit 114 in the intelligent decision module 11, which are not described herein.
Step 203: a first key and a second key are generated based on the target encryption algorithm combination.
Specifically, the first key and the second key are generated by the key management module 13 in the data encryption system 1.
The specific process refers to the above description of the interaction process of the intelligent decision module 11 and the key management module 13 in the data encryption system 1 and the description of the function of the key generation unit 131 in the key management module 13, and will not be described herein.
Step 204: encrypt the file name by using the first key to obtain file name ciphertext data, and encrypt the file content data by using the second key to obtain file content ciphertext data.
Specifically, the file name and the file content data are encrypted by the data encryption module 14 in the data encryption system 1.
The specific encryption process refers to the above description of the interaction process of the key management module 13 and the data encryption module 14 in the data encryption system 1, and the description of the functions of the data encryption unit 141 and the calling unit 142 in the data encryption module 14, which are not described herein.
The data encryption method provided by the embodiment of the invention encrypts data by using the data encryption system provided by the embodiment of the invention, so that double encryption of file names and file content data is realized, autonomous and controllable data security is achieved, and the security of the data is greatly ensured.
In one example, a new data security protection method, strategy and process is provided for an encryption subsystem as shown in FIG. 3. The key management module interacts with the intelligent decision module and the data encryption module in the encryption subsystem; the DB is a database for storing keys.
As shown in fig. 4, the detailed encryption process is:
(1) Information preprocessing: the metadata of the file is parsed and stored, which makes it easier to judge whether the data has been received completely and whether the encryption and decryption results are correct.
(2) Selecting an encryption strategy: this step is the core component of the method and can realize varied and intricate encryption strategies. The intelligent decision module holds the corresponding encryption algorithm configuration information: national cryptographic algorithm priority, AES priority, system state weights, whether or not a mixing algorithm is enabled, name and data mixing, and so on. From this it can be seen that there are 4 algorithm combinations for encrypting the data and the file name: AES+SM4; AES+AES; SM4+SM4; SM4+AES. The system selects a different algorithm for each file.
The principle of selecting the algorithm combination is as follows: first, the encryption resource monitoring module monitors the load of the cryptographic card and the CPU load of the local server in real time, and the monitored data serves as one of the main bases for selecting the encryption algorithm. Meanwhile, when the system selects the encryption strategy, it calculates the configuration weight after comprehensively comparing the weights of the different configurations; finally, the system weighs the configured weight ratio against the load of the encryption resources to obtain the final encryption algorithm combination.
The decision principle for the encryption resource load is as follows: when the CPU load is too high, the SM4 cryptographic algorithm is preferentially selected; when the encryption card load is too high, the AES algorithm is preferentially used; when neither load is high, the algorithm can be selected randomly or the SM4 algorithm can be prioritized; when both loads are high, the SM4 cryptographic algorithm is used, and the normal operation of the system must be ensured.
(3) Generating an encryption key: this step generates the encryption keys, namely a file name encryption key filename-key and a data encryption key data-key. Because the amount of computation is small and is not directly related to the encryption algorithm, the keys can be generated according to the key length required by the encryption algorithm determined by the encryption strategy. The CPU's own random number generator may be used.
(4) File name encryption: the file name string in the metadata is encrypted with the file name encryption key filename-key generated in the previous step to obtain the ciphertext of the file name, and a file is created with this ciphertext under the corresponding directory tree, so that the encrypted data can be stored there when the data is encrypted later.
(5) Encrypting file data: this step encrypts the actual data and must operate according to the encryption algorithm selected in the strategy selection. In this step the data encryption interface is called intelligently according to the result of the encryption strategy, and the interface determines whether the computing power for encrypting the data is provided by the CPU or by the encryption card. Finally, the encrypted data is written to disk according to the directory structure.
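Steps (2) and (3) above, sketched as an added example that is not code from the patent: the load threshold, the scoring formula, the AES key size, the configuration field names and the reading of each pair as (file-name algorithm, file-content algorithm) are all assumptions, since the text specifies none of them.

```python
import secrets
from dataclasses import dataclass

# The four combinations named in the text. Reading each pair as
# (file-name algorithm, file-content algorithm) is an assumption.
COMBINATIONS = [("AES", "SM4"), ("AES", "AES"), ("SM4", "SM4"), ("SM4", "AES")]

# Key length in bytes per algorithm. SM4 takes a 128-bit key; AES-256 is an
# assumed choice (AES also allows 128- and 192-bit keys).
KEY_BYTES = {"AES": 32, "SM4": 16}


@dataclass
class Config:
    """Hypothetical shape for the 'encryption algorithm configuration information'."""
    sm_priority: float = 1.0     # "national encryption priority"
    aes_priority: float = 1.0    # "AES priority"
    state_weight: float = 2.0    # "system state weights": bonus per favoured algorithm
    mixing_enabled: bool = True  # "whether or not a mixing algorithm is enabled"
    high_load: float = 0.8       # assumed threshold for "load too high" (0.0 to 1.0)


def config_weight(combo, cfg):
    """Configuration weight of one combination: sum of its algorithms' priorities."""
    priority = {"AES": cfg.aes_priority, "SM4": cfg.sm_priority}
    return sum(priority[alg] for alg in combo)


def resource_preference(cpu_load, card_load, cfg):
    """Decision principle from the text; returns the favoured algorithm or None."""
    if cpu_load > cfg.high_load:
        return "SM4"   # CPU too high, or CPU and card both too high
    if card_load > cfg.high_load:
        return "AES"   # only the encryption card is too high
    return None        # neither is high: no preference


def select_combination(cpu_load, card_load, cfg, rng=None):
    """Weigh configuration weight against resource load; break ties at random."""
    rng = rng or secrets.SystemRandom()
    preferred = resource_preference(cpu_load, card_load, cfg)
    scores = {}
    for combo in COMBINATIONS:
        if not cfg.mixing_enabled and combo[0] != combo[1]:
            continue  # mixed pairs are excluded when mixing is switched off
        score = config_weight(combo, cfg)
        if preferred is not None:
            score += cfg.state_weight * combo.count(preferred)
        scores[combo] = score
    best = max(scores.values())
    return rng.choice([c for c, s in scores.items() if s == best])


def generate_keys(combo):
    """Generate filename-key and data-key with the length each algorithm needs.

    secrets.token_bytes (the OS CSPRNG) stands in for the CPU or hardware
    random number generator. Storing the algorithm name beside each key is an
    assumption, so that the decrypting side knows which cipher the key is for.
    """
    name_alg, data_alg = combo
    return {
        "filename-key": {"alg": name_alg, "key": secrets.token_bytes(KEY_BYTES[name_alg])},
        "data-key": {"alg": data_alg, "key": secrets.token_bytes(KEY_BYTES[data_alg])},
    }


if __name__ == "__main__":
    # Constructed load samples: (CPU load, encryption card load).
    for cpu, card in [(0.95, 0.20), (0.20, 0.95), (0.95, 0.95), (0.10, 0.10)]:
        combo = select_combination(cpu, card, Config())
        keys = generate_keys(combo)
        print(cpu, card, combo, {k: len(v["key"]) for k, v in keys.items()})
```

With equal priorities and low load on both resources, all four combinations tie and the choice is random per file; raising one priority in the configuration makes the outcome deterministic again.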
The novel data security protection method, strategy and process provided by the embodiment of the invention have the following advantages:
(1) Mixed encryption with the AES and SM4 algorithms is used, which eliminates potential security risks that may exist in AES and achieves autonomous, controllable data security.
(2) The intelligent decision module is used, so the choice of encryption algorithm cannot be determined subjectively; even if the configuration information is leaked, the algorithm and key used to encrypt the data cannot be determined, which greatly safeguards the data.
(3) An external encryption card is introduced to encrypt data, which greatly improves data security and encryption performance; meanwhile, CPU computing resources are released, the performance bottleneck of running a domestic cryptographic algorithm on a general-purpose server is resolved, and service concurrency and data throughput are improved.
(4) The key management module in the system is used, all key processing is carried out inside the server through the key management module, and mixed encryption with AES and the national cryptographic algorithm is used.
(5) The security risk caused by transmitting the key from the client or obtaining the key from a remote key management service is reduced.
(6) Keys are generated with a hardware true random number generator, so their security level is higher than that of keys uploaded by the client.
(7) In addition to the file data, the file name is also encrypted, which is equivalent to encrypting the directory structure of the file system; this provides very high security at the user level and can also prevent theft by system maintainers, DBAs (database administrators) and the like.
The embodiment of the invention also provides a data encryption device which is used for the data encryption system 1 according to the embodiment of the invention, wherein the data encryption system 1 is used for a distributed system; as shown in fig. 5, the apparatus includes:
The acquiring module 501 is configured to acquire a preset encryption algorithm combination set, a monitoring data set, and a file data set of a file to be encrypted in the distributed system, where the monitoring data set includes central processor load data of a local server in the data encryption system and encryption card load data of a cryptographic card, and the file data set includes a file name and file content data of the file to be encrypted in the distributed system; for details, see the description of step 201 in the method embodiment described above.
The selecting module 502 is configured to select, based on the load data of the central processor and the load data of the encryption card, from the preset encryption algorithm combination set by using a preset encryption policy selection method, to obtain a target encryption algorithm combination; for details, see the description of step 202 in the method embodiment above.
A generating module 503, configured to generate a first key and a second key based on the target encryption algorithm combination; for details, see the description of step 203 in the above method embodiment.
An encryption module 504, configured to encrypt the file name with the first key to obtain file name ciphertext data, and encrypt the file content data with the second key to obtain file content ciphertext data; for details, see the description of step 204 in the method embodiment above.
The data encryption device provided by the embodiment of the invention encrypts the data, so that double encryption of file names and file content data is realized, autonomous and controllable data security is achieved, and the security of the data is greatly ensured.
The function description of the data encryption device provided by the embodiment of the invention is detailed with reference to the description of the data encryption method in the above embodiment.
The embodiment of the present invention also provides a storage medium, as shown in fig. 6, on which a computer program 601 is stored; when executed by a processor, the program implements the steps of the data encryption method in the above embodiment. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid state drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kinds described above.
It will be appreciated by those skilled in the art that all or part of the above-described embodiment method may be implemented by a computer program instructing related hardware, where the program may be stored in a computer readable storage medium and, when executed, may include the above-described embodiment method. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid state drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kinds described above.
The present invention also provides an electronic device, as shown in fig. 7, which may include a processor 71 and a memory 72, where the processor 71 and the memory 72 may be connected by a bus or other means, and in fig. 7, the connection is exemplified by a bus.
The processor 71 may be a central processing unit (Central Processing Unit, CPU). The processor 71 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations of the above.
The memory 72 serves as a non-transitory computer readable storage medium that may be used to store non-transitory software programs, non-transitory computer-executable programs, and modules, such as corresponding program instructions/modules in embodiments of the present invention. The processor 71 executes various functional applications of the processor and data processing, i.e., implements the data encryption method in the above-described method embodiments, by running non-transitory software programs, instructions, and modules stored in the memory 72.
The memory 72 may include a program storage area and a data storage area; the program storage area may store an operating device and an application program required for at least one function; the data storage area may store data created by the processor 71, etc. In addition, memory 72 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 72 may optionally include memory located remotely from processor 71, such remote memory being connectable to processor 71 through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more modules are stored in the memory 72 and, when executed by the processor 71, perform the data encryption method in the embodiment shown in fig. 2.
The details of the electronic device may be understood correspondingly with respect to the corresponding relevant descriptions and effects in the embodiment shown in fig. 2, which are not repeated herein.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (9)

1. A data encryption system for a distributed system; wherein the data encryption system comprises: the system comprises an intelligent decision module, an encryption resource monitoring module, a data encryption module, a key management module, a local server and a national encryption card, wherein the encryption resource monitoring module is respectively connected with the intelligent decision module, the data encryption module, the local server and the national encryption card, the key management module is respectively connected with the intelligent decision module, the data encryption module and the encryption resource monitoring module, and the data encryption module is respectively connected with the local server and the national encryption card;
the encryption resource monitoring module is used for monitoring the local server and the national encryption card, acquiring the load data of a central processor of the local server and the load data of the encryption card of the national encryption card, and sending the load data of the central processor and the load data of the encryption card to the intelligent decision module;
the intelligent decision module is used for selecting in a preset encryption algorithm combination set by utilizing a preset encryption strategy selection method based on the load data of the central processing unit and the load data of the encryption card to obtain a target encryption algorithm combination, and sending the target encryption algorithm combination to the key management module, wherein the target encryption algorithm combination is one of four random combinations of an AES encryption algorithm and an SM4 encryption algorithm;
the key management module comprises a key generation unit, wherein the key generation unit is used for generating a first key and a second key based on the target encryption algorithm combination and sending the first key and the second key to the data encryption module;
the data encryption module comprises a data encryption unit, wherein the data encryption unit is used for obtaining the file name and the file content data of a file to be encrypted in the distributed system, encrypting the file name by using the first key to obtain file name ciphertext data, and encrypting the file content data by using the second key to obtain file content ciphertext data;
the intelligent decision module comprises:
the acquisition unit is used for acquiring the encryption algorithm configuration information and sending the encryption algorithm configuration information to the calculation unit;
the computing unit is used for computing the configuration weight of each encryption algorithm combination in the preset encryption algorithm combination set based on the encryption algorithm configuration information, and sending the configuration weight to the decision unit;
the determining unit is used for determining an encryption resource decision principle based on the CPU load data and the encryption card load data and sending the encryption resource decision principle to the decision unit;
the decision unit is used for determining the target encryption algorithm combination based on the configuration weight and the encryption resource decision principle.
2. The system according to claim 1, wherein the determining unit comprises:
the judging subunit is used for judging whether the load data of the central processing unit meets a first preset condition or not, judging whether the load data of the encryption card meets a second preset condition or not, and sending a judging result to the determining subunit;
the determining subunit is configured to determine a priority of each encryption algorithm combination in the preset encryption algorithm combination set based on the determination result, and select the target encryption algorithm combination in the preset encryption algorithm combination set based on the priority.
3. The system of claim 1, wherein the data encryption module further comprises:
and the calling unit is used for receiving the target encryption algorithm combination sent by the intelligent decision module and calling corresponding encryption computing power providing equipment based on the target encryption algorithm combination, so that the encryption computing power providing equipment provides encryption computing power for the data encryption unit, and the encryption computing power providing equipment is at least one of the local server and the national encryption card.
4. The system of claim 1, wherein the key management module further comprises:
and the key storage unit is used for receiving and storing the first key and the second key sent by the key generation unit.
5. The system of claim 3, wherein the data encryption module further comprises:
the creating unit is used for receiving the file name ciphertext data sent by the data encrypting unit and creating a file under a directory tree corresponding to the file to be encrypted based on the file name ciphertext data.
6. A data encryption method for a data encryption system according to any one of claims 1 to 5, the data encryption system being for a distributed system; characterized in that the method comprises:
acquiring a preset encryption algorithm combination set, a monitoring data set and a file data set of a file to be encrypted in the distributed system, wherein the monitoring data set comprises central processor load data of a local server in the data encryption system and encryption card load data of a national encryption card, and the file data set comprises file names and file content data of the file to be encrypted in the distributed system;
based on the CPU load data and the encryption card load data, selecting in the preset encryption algorithm combination set by using a preset encryption strategy selection method to obtain a target encryption algorithm combination;
generating a first key and a second key based on the target encryption algorithm combination;
and encrypting the file name by using the first key to obtain file name ciphertext data, and encrypting the file content data by using the second key to obtain file content ciphertext data.
7. A data encryption device for use in a data encryption system according to any one of claims 1 to 5, the data encryption system being for use in a distributed system; characterized in that the device comprises:
the acquisition module is used for acquiring a preset encryption algorithm combination set, a monitoring data set and a file data set of a file to be encrypted in the distributed system, wherein the monitoring data set comprises central processing unit load data of a local server in the data encryption system and encryption card load data of a national encryption card, and the file data set comprises file names and file content data of the file to be encrypted in the distributed system;
the selecting module is used for selecting in the preset encryption algorithm combination set by utilizing a preset encryption strategy selecting method based on the CPU load data and the encryption card load data to obtain a target encryption algorithm combination;
the generation module is used for generating a first key and a second key based on the target encryption algorithm combination;
and the encryption module is used for encrypting the file name by using the first key to obtain file name ciphertext data, and encrypting the file content data by using the second key to obtain file content ciphertext data.
8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for causing the computer to execute the data encryption method according to claim 6.
9. An electronic device, comprising: a memory and a processor, said memory and said processor being communicatively connected to each other, said memory storing a computer program, said processor executing the data encryption method according to claim 6 by executing said computer program.
CN202310544659.2A 2023-05-15 2023-05-15 Data encryption system, method and device, storage medium and electronic equipment Active CN116582267B (en)


Publications (2)

Publication Number Publication Date
CN116582267A CN116582267A (en) 2023-08-11
CN116582267B true CN116582267B (en) 2023-10-31


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant