CN116708016A - Sensitive data transmission method, server and storage medium - Google Patents

Info

Publication number: CN116708016A
Authority: CN (China)
Prior art keywords: data; server; information access; current information; stored
Legal status: Pending
Application number: CN202310920027.1A
Other languages: Chinese (zh)
Inventor: 张庆东
Current Assignee: Qizhi Technology Co ltd
Original Assignee: Qizhi Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Abstract

The application discloses a sensitive data transmission method, a server and a storage medium. The method comprises the following steps: a server receives a storage request instruction for data to be stored, sent by a current information access device; the server generates, according to the storage request instruction, an encryption program for encrypting the data to be stored; the server sends the encryption program to the current information access device, so that the current information access device encrypts the data to be stored with the encryption program to obtain encrypted data; the server receives the encrypted data sent by the current information access device; and the server sends the encrypted data to the database so that the database holds the encrypted data. Because the data to be stored that the user enters is encrypted on the user side and is transmitted as an encrypted file in every subsequent transmission step, the confidentiality scheme for sensitive data is more complete and the confidentiality of the sensitive data is improved.

Description

Sensitive data transmission method, server and storage medium
Technical Field
The present application relates to the field of data security technologies, and in particular, to a sensitive data transmission method, a server, and a storage medium.
Background
With the explosive growth of the mobile internet, a large number of incidents involving the leakage of sensitive information and data have occurred worldwide. These data leakage incidents seriously affect the personal privacy and security of citizens. Related laws and regulations such as the "Network Security Law", the "Personal Information Protection Law" and the "Data Security Law" have been issued in China to strengthen the protection of personal information and data. Meanwhile, as the business of some companies develops rapidly, their requirements for data security are becoming more and more strict.
In some encryption systems in the related art, plaintext data generated on the user side is obtained and encrypted, and the encrypted data is then stored in a database. Security risks remain, however: every transmission path between the user side and the encryption system carries plaintext data, and if that plaintext leaks, whether by accident or through human action, the plaintext data is disclosed and a leakage incident results. The confidentiality scheme in the related art is therefore not complete enough, and confidentiality is poor.
Disclosure of Invention
The application provides a sensitive data transmission method, a server and a storage medium, which make the confidentiality scheme for sensitive data more complete and thereby improve the confidentiality of the sensitive data.
In a first aspect, the present application provides a sensitive data transmission method applied to a sensitive data transmission system. The sensitive data transmission system includes a current information access device for generating data to be stored, a database for storing the data to be stored, and a server. The method includes: the server receives a storage request instruction for the data to be stored, sent by the current information access device; the server generates, according to the storage request instruction, an encryption program for encrypting the data to be stored; the server sends the encryption program to the current information access device, so that the current information access device encrypts the data to be stored with the encryption program to obtain encrypted data; the server receives the encrypted data sent by the current information access device; the server sends the encrypted data to the database so that the database holds the encrypted data.
In the above embodiment, the server sends the encryption program to the current information access device, and the current information access device encrypts the data to be stored with the encryption program to obtain encrypted data. The data to be stored that the user enters is thus encrypted on the user side and is transmitted as an encrypted file in every subsequent transmission step, which makes the confidentiality scheme for sensitive data more complete and improves the confidentiality of the sensitive data.
With reference to some embodiments of the first aspect, in some embodiments, the sensitive data transmission system further includes a key repository for storing a private key. The steps in which the server generates an encryption program for encrypting the data to be stored according to the storage request instruction and sends the encryption program to the current information access device specifically include: the server generates a private key and a public key for asymmetric encryption according to the storage request instruction, wherein the public key is used for decrypting content encrypted by the private key, and the private key is used for decrypting content encrypted by the public key; the server sends the public key to the current information access device, so that the current information access device encrypts the data to be stored with the public key to obtain encrypted data; the server sends the private key to the key repository so that the database holds the private key.
In the above embodiment, the public key and the private key are stored in different places, and the public key is used to encrypt the data. Even if an external attacker intercepts the encrypted data and the public key, the attacker cannot derive the private key from the public key, which keeps the encrypted data secure. Key exchange is also convenient: compared with a traditional symmetric encryption algorithm, in which the key must be shared in advance, the complexity of key management is reduced.
With reference to some embodiments of the first aspect, in some embodiments, the sensitive data transmission system further includes a key repository for storing a private key. The steps in which the server generates an encryption program for encrypting the data to be stored according to the storage request instruction and sends the encryption program to the current information access device specifically include: the server generates a private key and a public key according to the storage request instruction, wherein the public key is used for decrypting content encrypted by the private key, and the private key is used for decrypting content encrypted by the public key; the server sends the private key to the key repository so that the database holds the private key; the server sends the public key to the current information access device, so that the current information access device encrypts the secret key with the public key, the secret key being a tool that is generated by the current information access device and used to encrypt the data to be stored to obtain encrypted data.
In the above embodiment, the data to be stored is encrypted with a symmetric encryption algorithm, and the secret key generated by the symmetric encryption algorithm is encrypted with an asymmetric encryption algorithm, which takes full advantage of the small amount of computation of the symmetric encryption algorithm and the high degree of confidentiality of the asymmetric encryption algorithm.
With reference to some embodiments of the first aspect, in some embodiments, after the server sends the private key to the key repository, the method further includes: the server receives a reference request instruction for the data to be stored, sent by the current information access device; the server reads the encrypted data and the private key; the server sends the encrypted data and the private key to the current information access device, so that the current information access device decrypts the encrypted key according to the private key, and then decrypts the encrypted data according to the private key to obtain the data to be stored.
In the above embodiment, an external attacker can be prevented from obtaining the data to be stored: only after the authorized current information access device decrypts the encrypted key with the private key can the data to be stored be obtained by decrypting the encrypted data according to the private key, and even if the external attacker acquires the private key or the encrypted data, the external attacker cannot obtain the data to be stored.
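The hybrid flow of the two preceding embodiments (storage request, device-side encryption, key wrapping, reference request) is sketched below as an added example; it is not code from the patent. All function and variable names are hypothetical, the patent names no algorithms (RSA-OAEP with SHA-256 and AES-256-GCM are assumptions), and the sketch assumes the data is decrypted with the secret key once the private key has unwrapped it.

```javascript
// Added illustration; every name here is hypothetical and not from the patent.
const nodeCrypto = require("node:crypto");

// Assumed algorithms (the patent names none): RSA-OAEP/SHA-256 wraps the
// secret key, AES-256-GCM encrypts the data to be stored.
const OAEP = {
  padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: "sha256",
};

// In-memory stand-ins for the two separate stores of the described system.
const keyRepository = new Map(); // recordId -> private key (PEM)
const database = new Map();      // recordId -> encrypted envelope

// Server, storage request: generate the key pair, file the private key in the
// key repository and hand only the public key back to the device.
function serverHandleStorageRequest(recordId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  keyRepository.set(recordId, privateKey);
  return publicKey;
}

// Device: generate a fresh secret key, encrypt locally, wrap the secret key.
// The record id is bound in as associated data, so an envelope moved to
// another record fails authentication instead of decrypting silently.
function deviceEncrypt(publicKeyPem, recordId, plaintext) {
  const secretKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", secretKey, iv);
  cipher.setAAD(Buffer.from(recordId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, secretKey),
    iv,
    tag: cipher.getAuthTag(),
    ciphertext,
  };
}

// Server: forward the envelope to the database. The server handles neither
// the plaintext nor the unwrapped secret key at this point.
function serverStoreEncrypted(recordId, envelope) {
  database.set(recordId, envelope);
}

// Server, reference request: read the envelope and the private key and
// return both to the requesting device.
function serverHandleReferenceRequest(recordId) {
  if (!database.has(recordId) || !keyRepository.has(recordId)) {
    throw new Error("unknown record");
  }
  return { envelope: database.get(recordId), privateKey: keyRepository.get(recordId) };
}

// Device: unwrap the secret key with the private key, then decrypt the data.
function deviceDecrypt(privateKeyPem, recordId, envelope) {
  const secretKey = nodeCrypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", secretKey, envelope.iv);
  decipher.setAAD(Buffer.from(recordId, "utf8"));
  decipher.setAuthTag(envelope.tag);
  // final() throws if the ciphertext, tag, IV or record id was altered.
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString("utf8");
}

// End-to-end run of the store-then-reference sequence for one record.
function roundTrip(recordId, plaintext) {
  const publicKey = serverHandleStorageRequest(recordId);
  serverStoreEncrypted(recordId, deviceEncrypt(publicKey, recordId, plaintext));
  const { envelope, privateKey } = serverHandleReferenceRequest(recordId);
  return deviceDecrypt(privateKey, recordId, envelope);
}
```

Because the reference flow hands the private key back to the device, the separation between database and key repository only protects the data while the two stores and that return path stay under separate access control.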
With reference to some embodiments of the first aspect, in some embodiments, after the server receives the storage request instruction for the data to be stored sent by the current information access device, the method further includes: the server generates a plurality of desensitization rules with different desensitization degrees according to the storage request instruction; the server sends the desensitization rules to the current information access device, so that the current information access device desensitizes the data to be stored with the desensitization rules to obtain a plurality of desensitized data with different desensitization degrees; the server receives the desensitized data sent by the current information access device; the server sends the desensitized data to the database so that the database holds the desensitized data.
In the above embodiment, the current information access device desensitizes the data to be stored with the desensitization rules to obtain a plurality of desensitized data with different desensitization degrees. When certain units or individuals later need desensitized data, the corresponding desensitized data can be extracted directly from the database. Compared with having the server desensitize the data to be stored, this embodiment keeps the sensitive data more confidential.
With reference to some embodiments of the first aspect, in some embodiments, the sensitive data transmission system further includes an information requesting device for accessing the data to be stored, and after the server sends the desensitized data to the database, the method further includes: the server receives a reference request instruction for content to be referred, sent by the information requesting device, wherein the reference request instruction includes identity information of the information requesting device and an identification of the content to be referred; the server determines that the reference authority of the information requesting device includes the reading authority for the content to be referred, wherein the reference authority is determined by the identity information of the information requesting device, the content to be referred is determined by the identification of the content to be referred, and the content to be referred is one of the plurality of desensitized data with different desensitization degrees; the server transmits the content to be referred to the information requesting device.
In the above embodiment, the server can confirm, according to the identity information and the authority, whether the information requesting device has the right to consult a given desensitized data, thereby limiting the access range of the sensitive information and protecting the privacy of the user.
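The two desensitization embodiments above (rules of different degrees applied on the device, then a per-identity authority check on the server) are sketched below as an added example; it is not code from the patent. The rule format, the level names, the identities and the sample value are all constructed for illustration.

```javascript
// Added illustration; rule format, level names and identities are hypothetical.

// Constructed rule set standing in for what the server would send to the
// device: each level keeps fewer characters of the original value.
const desensitizationRules = [
  { level: "low", keepStart: 3, keepEnd: 4 },
  { level: "medium", keepStart: 0, keepEnd: 4 },
  { level: "high", keepStart: 0, keepEnd: 0 },
];

// Device: mask everything except the characters a rule allows to survive.
// If the rule would reveal the whole value (value too short), mask it all.
function applyRule(rule, value) {
  const chars = Array.from(value);
  if (rule.keepStart + rule.keepEnd >= chars.length) {
    return "*".repeat(chars.length);
  }
  return chars
    .map((ch, i) => (i < rule.keepStart || i >= chars.length - rule.keepEnd ? ch : "*"))
    .join("");
}

// Device: produce one desensitized variant per rule, each with its own
// content identification so it can be requested individually later.
function deviceDesensitize(rules, recordId, value) {
  return rules.map((rule) => ({
    contentId: `${recordId}:${rule.level}`,
    level: rule.level,
    data: applyRule(rule, value),
  }));
}

// Server: forward the variants to the database (in-memory stand-in).
const desensitizedStore = new Map(); // contentId -> variant
function serverStoreDesensitized(variants) {
  for (const variant of variants) {
    desensitizedStore.set(variant.contentId, variant);
  }
}

// Server: reference authority per requesting identity (constructed table).
const referenceAuthority = new Map([
  ["billing-dept", new Set(["medium", "high"])],
  ["analytics-team", new Set(["high"])],
]);

// Server: answer a reference request carrying identity information and the
// identification of the content to be referred. Deny by default, and give
// the same answer for unknown identity, unknown content and missing
// authority so the response does not reveal which records exist.
function serverHandleDesensitizedRequest({ identity, contentId }) {
  const allowedLevels = referenceAuthority.get(identity);
  const content = desensitizedStore.get(contentId);
  if (!allowedLevels || !content || !allowedLevels.has(content.level)) {
    return { ok: false, data: null };
  }
  return { ok: true, data: content.data };
}
```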
With reference to some embodiments of the first aspect, in some embodiments, the sensitive data transmission system further includes a new information access device, and after the server sends the encrypted data to the database, the method further includes: the server receives the verification program and the encrypted secret key sent by the current information access device; when the verification password that the server receives from the new information access device conforms to the verification program, the server sends the encrypted secret key to the new information access device; or the server receives the verification program of the current information access device; when the verification password that the server receives from the new information access device conforms to the verification program, the server sends a prestored key generation condition to the new information access device, so that the new information access device generates a new key according to the key generation condition, the new key having the same function as the key.
In the above embodiment, matching the verification password against the verification program ensures that only legitimate information access devices can communicate with the server. The user is thus allowed to access the required information from different places or on different information access devices, which improves the convenience of the method.
In a second aspect, an embodiment of the present application provides a sensitive data transmission server, which is applied to a sensitive data transmission system, where the sensitive data transmission system includes a current information access device for generating data to be stored and a database for storing the data to be stored, and the sensitive data transmission system further includes a server; the server comprises:
the first receiving module is used for receiving a storage request instruction of data to be stored, which is sent by the current information access equipment;
the encryption module is used for generating an encryption program for encrypting the data to be stored according to the storage request instruction;
the first sending module is used for sending the encryption program to the current information access equipment, so that the current information access equipment encrypts data to be stored by using the encryption program to obtain encrypted data;
the second receiving module is used for receiving the encrypted data sent by the current information access equipment;
and the second sending module is used for sending the encrypted data to the database so that the database stores the encrypted data.
With reference to some embodiments of the second aspect, in some embodiments: the sensitive data transmission system further comprises a key storage for storing a private key, and the encryption module further comprises:
the first encryption sub-module is used for generating a private key and a public key for asymmetric encryption according to the storage request instruction, wherein the public key is used for decrypting the content encrypted by the private key, and the private key is used for decrypting the content encrypted by the public key;
the first transmitting module further includes:
the first sending sub-module is used for sending the public key to the current information access equipment so that the current information access equipment encrypts data to be stored by using the public key to obtain encrypted data;
and the second sending submodule is used for sending the private key to the private key storage library so that the database stores the private key.
With reference to some embodiments of the second aspect, in some embodiments: the sensitive data transmission system further comprises a key storage for storing a private key, and the encryption module further comprises:
the second encryption sub-module is used for generating a private key and a public key according to the storage request instruction, wherein the public key is used for decrypting the content encrypted by the private key, and the private key is used for decrypting the content encrypted by the public key;
the third sending submodule is used for sending the private key to the private key storage library so that the database stores the private key;
and the fourth sending sub-module is used for sending the public key to the current information access equipment so that the current information access equipment encrypts the secret key by using the public key, and the secret key is a tool which is generated by the current information access equipment and used for encrypting the data to be stored to obtain encrypted data.
With reference to some embodiments of the second aspect, in some embodiments, the server further includes:
the third receiving module is used for receiving a reference request instruction of the data to be stored, which is sent by the current information access equipment;
the reading module is used for reading the encrypted data and the private key;
and the third sending module is used for sending the encrypted data and the private key to the current information access equipment, so that the current information access equipment decrypts the encrypted key according to the private key and decrypts the encrypted data according to the private key to obtain the data to be stored.
With reference to some embodiments of the second aspect, in some embodiments, the server further includes:
the desensitization module is used for generating a plurality of desensitization rules with different desensitization degrees according to the storage request instruction;
the fourth sending module is used for sending the desensitization rule to the current information access equipment, so that the current information access equipment desensitizes the data to be stored by using the desensitization rule to obtain a plurality of desensitized data with different desensitization degrees;
a fourth receiving module, configured to receive desensitized data sent by the current information access device;
and the fifth sending module is used for sending the desensitization data to the database so that the database stores the desensitization data.
With reference to some embodiments of the second aspect, in some embodiments, the server further includes:
a fifth receiving module, configured to receive a reference request instruction of the content to be referred sent by the information request device, where the reference request instruction includes identity information of the information request device and an identifier of the content to be referred;
the information request equipment comprises a determination module, a judgment module and a storage module, wherein the determination module is used for determining that the reference authority of the information request equipment comprises the reading authority of the content to be referred, the reference authority is determined by the identity information of the information request equipment, the content to be referred is determined by the identity of the content to be referred, and the content to be referred is one desensitization data in a plurality of desensitization data with different desensitization degrees;
and the sixth sending module is used for sending the content to be referred to the information requesting equipment.
With reference to some embodiments of the second aspect, in some embodiments, the server further includes:
a sixth receiving module, configured to receive the verification program and the encrypted key sent by the current information access device;
a seventh sending module, configured to send the encrypted key to the new information access device when the verification password sent by the new information access device received by the server matches the verification program;
or
a seventh receiving module, configured to receive the verification program of the current information access device;
and the eighth sending module is used for sending the prestored secret key generation condition to the new information access equipment when the verification password that the server receives from the new information access equipment accords with the verification program, so that the new information access equipment generates a new secret key according to the secret key generation condition, the new secret key having the same function as the secret key.
In a third aspect, an embodiment of the present application provides a server, including: one or more processors and memory;
the memory is coupled to the one or more processors, the memory for storing computer program code comprising computer instructions that the one or more processors call to cause the server to perform the method as described in the first aspect and any possible implementation of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer program product comprising instructions which, when run on a server, cause the server to perform a method as described in the first aspect and any possible implementation of the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer readable storage medium comprising instructions which, when executed on a server, cause the server to perform a method as described in the first aspect and any possible implementation manner of the first aspect.
It will be appreciated that the server provided in the second aspect, the server provided in the third aspect, the computer program product provided in the fourth aspect and the computer storage medium provided in the fifth aspect are all configured to perform the sensitive data transmission method provided by the embodiment of the present application. For the advantages they achieve, refer therefore to the advantages of the corresponding method, which are not described again here.
One or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
1. In the sensitive data transmission method provided by the application, the server sends the encryption program to the current information access device, and the current information access device encrypts the data to be stored with the encryption program to obtain encrypted data. The data to be stored that the user enters is thus encrypted on the user side and is transmitted as an encrypted file in every subsequent transmission step, which makes the confidentiality scheme for sensitive data more complete and improves the confidentiality of the sensitive data.
2. In the sensitive data transmission method provided by the application, the data to be stored is encrypted with a symmetric encryption algorithm, and the secret key generated by the symmetric encryption algorithm is encrypted with an asymmetric encryption algorithm, which takes full advantage of the small amount of computation of the symmetric encryption algorithm and the high degree of confidentiality of the asymmetric encryption algorithm.
3. In the sensitive data transmission method provided by the application, the current information access device desensitizes the data to be stored with the desensitization rules to obtain a plurality of desensitized data with different desensitization degrees. When certain units or individuals later need desensitized data, the corresponding desensitized data can be extracted directly from the database. Compared with having the server desensitize the data to be stored, this embodiment keeps the sensitive data more confidential.
Drawings
Fig. 1 is a schematic diagram of an information interaction scenario of a sensitive data transmission system provided by the present application.
Fig. 2 is a schematic diagram of an exemplary scenario in the related art.
Fig. 3 is a schematic diagram of an exemplary scenario of a sensitive data transmission method provided by the present application.
Fig. 4 is a schematic flow chart of a sensitive data transmission method provided by the application.
Fig. 5 is a schematic diagram of another exemplary scenario of the sensitive data transmission method provided by the present application.
Fig. 6 is a schematic diagram of another exemplary scenario of the sensitive data transmission method provided by the present application.
Fig. 7 is another flow chart of the sensitive data transmission method provided by the application.
Fig. 8 is another flow chart of the sensitive data transmission method provided by the application.
Fig. 9 is a schematic diagram of an entity apparatus of a sensitive data transmission server according to the present application.
Detailed Description
The terminology used in the following embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates to the contrary. It should also be understood that the term "and/or" as used in this disclosure refers to and encompasses any or all possible combinations of one or more of the listed items.
The terms "first," "second," and the like are used below for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features, and in the description of embodiments of the application, unless otherwise indicated, "a plurality" means two or more.
The sensitive data is plaintext data, i.e. data that has not been encrypted or desensitized.
The following describes a sensitive data transmission system according to the present application:
Referring to fig. 1, fig. 1 is a schematic diagram of an information interaction scenario of a sensitive data transmission system provided by the present application. The sensitive data transmission system comprises: a current information access device, an information request device, a new information access device, a server, a database and a key store.
An information access device is a device for acquiring, processing, storing, transmitting or displaying information.
The current information access device, the information request device and the new information access device are information access devices in different scenarios. Each of them can be a terminal device that runs the sensitive data transmission system or has its web page open, for example a mobile phone, tablet computer, desktop computer or smart television; no limitation is imposed here.
The current information access device is the information access device currently used by a user, and is used for inputting and outputting data to be stored, encrypting the data to be stored and desensitizing the data to be stored.
The new information access device is an information access device, different from the current information access device, that is used by the same user.
The information requesting device is an information accessing device currently used by departments, units and individuals for accessing data to be stored.
A database is a device for storing data and programs; here it stores the encrypted data and the desensitized data.
A server is a special purpose computer or computer system for processing requests, generating encryption programs, generating desensitization rules, etc.
As shown in fig. 2, fig. 2 is a schematic view of an exemplary scenario in the related art.
The current information access device generates plaintext data, sends the plaintext data to the server to encrypt the plaintext data, and the server stores the encrypted data obtained by encryption in the database.
It should be noted that the plaintext data, i.e., the unencrypted data, is also the data to be stored mentioned in some embodiments.
The transmission path between the information access device and the server, and the server itself, both contain plaintext data. If a hacker intercepts the plaintext data in the path by using a crawler, the plaintext data will be disclosed, which leads to a leakage event. The confidentiality manner in the related art is therefore not complete enough, resulting in poor confidentiality.
The method for transmitting sensitive data provided by the present application is specifically described below with reference to the embodiment shown in fig. 3:
After the current information access device generates plaintext data, it sends a storage request instruction of the data to be stored to the server; the server sends an encryption program to the current information access device, and the current information access device encrypts the data to be stored by using the encryption program to obtain encrypted data; the server receives the encrypted data sent by the current information access device; the server sends the encrypted data to a database, which holds the encrypted data.
On the transmission path between the information access device and the server, and in the server, the plaintext data exists only in the form of encrypted data, so even if a hacker intercepts the encrypted data in the path by using a crawler, the hacker cannot acquire the plaintext data.
The server sends the encryption program to the current information access device, so that the current information access device encrypts the data to be stored by using the encryption program to obtain encrypted data. The data to be stored input by a user is thus encrypted at the user side and is transmitted in encrypted form in the subsequent transmission process, which makes the confidentiality manner for the sensitive data more complete and further improves the confidentiality of the sensitive data.
The following describes a sensitive data transmission method in this embodiment:
Fig. 4 is a schematic flow chart of a sensitive data transmission method provided by the application.
S401, the server receives a storage request instruction of data to be stored, which is sent by the current information access equipment.
To be precise, the sensitive data transmission system only comprises a webpage or a program in the current information access device, and the webpage or the program forces the current information access device to send a storage request instruction of the data to be stored as long as a user inputs the data to be stored in the webpage or the program.
The storage request instruction is an instruction in the computer for issuing a read to the storage device. The storage request instruction typically contains information such as the memory address to be read or written, the size of the data, and the address pattern of the memory.
S402, the server generates an encryption program for encrypting data to be stored according to the storage request instruction.
An encryption program is a software program for encrypting sensitive information. It converts the data to be stored into unreadable encrypted data by using a cryptographic algorithm to protect confidentiality and security of the data to be stored.
The encryption program may be a hash function, a digital signature program, a symmetric encryption program and an asymmetric encryption program adopted in the subsequent embodiments, or other encryption methods, which are not limited herein.
S403, the server sends the encryption program to the current information access device, so that the current information access device encrypts data to be stored by using the encryption program to obtain encrypted data.
In some embodiments, the server signs the encryption program using a digital signature to ensure its integrity and authenticity.
After receiving the encryption program, the current information access device verifies the signature of the server to ensure that the encryption program has not been tampered with.
The current information access device uses the encryption program to convert the readable data to be stored into unreadable encrypted data.
S404, the server receives the encrypted data sent by the current information access device.
S405, the server transmits the encrypted data to the database, so that the database holds the encrypted data.
The server sends the encryption program to the current information access device, so that the current information access device encrypts the data to be stored by using the encryption program to obtain encrypted data. The data to be stored input by a user is thus encrypted at the user side and is transmitted in encrypted form in the subsequent transmission process, which makes the confidentiality manner for the sensitive data more complete and further improves the confidentiality of the sensitive data.
In the above embodiment, the server sends the encryption program to the current information access device, so that the current information access device encrypts the data to be stored by using the encryption program to obtain the encrypted data, thereby improving the confidentiality of the sensitive data. However, in practical applications, the encryption effect of the symmetric encryption program is poor and the encrypted data volume of the asymmetric encryption program is large, so the encryption effect on the data to be stored is poor. In the following, with reference to the embodiment shown in Fig. 5, the sensitive data transmission method in the embodiment of the present application is described specifically, taking one way that gives a good encryption effect on the data to be stored as an example:
Fig. 5 is a schematic diagram of another exemplary scenario of the sensitive data transmission method provided by the present application.
The current information access device sends a storage request instruction of the data to be stored to the server. The server generates a private key and a public key according to the storage request instruction, where the public key is used for decrypting the content encrypted by the private key, and the private key is used for decrypting the content encrypted by the public key. The server sends the private key to a private key storage library, and the database stores the private key. The server sends the public key to the current information access device; the current information access device generates a secret key, encrypts the data to be stored by using the secret key to obtain encrypted data, and then encrypts the secret key by using the public key. The server sends the encrypted data to a database, which holds the encrypted data.
It should be noted that, the secret key is generated by the symmetric encryption program; the public key and the private key are generated by an asymmetric encryption program.
Therefore, the data to be stored is encrypted by utilizing the symmetric encryption algorithm, and the secret key generated by the symmetric encryption algorithm is encrypted by utilizing the asymmetric encryption algorithm, so that the advantages of small calculation amount of the symmetric encryption algorithm and high confidentiality degree of the asymmetric encryption algorithm are fully utilized.
In the above embodiment, the symmetric encryption algorithm and the asymmetric encryption algorithm are used together, which makes full use of the small calculation amount of the symmetric encryption algorithm and the high confidentiality degree of the asymmetric encryption algorithm. However, in practical applications, some departments, units and individuals need to refer to and use the data to be stored, and in this case the data to be stored needs to be desensitized. In the following, the method is described specifically, taking one way of desensitizing the data to be stored as an example:
Fig. 6 is a schematic diagram of another exemplary scenario of the sensitive data transmission method provided by the present application.
The current information access device sends a storage request instruction of the data to be stored to the server, and the server receives it. According to the storage request instruction, the server generates an encryption program for encrypting the data to be stored and a plurality of desensitization rules with different desensitization degrees, and sends the desensitization rules and the encryption program to the current information access device. The current information access device generates encrypted data and a plurality of desensitized data with different desensitization degrees according to the encryption program and the desensitization rules, and sends them to the server; the database stores the encrypted data and the desensitized data with different desensitization degrees.
The information request device sends a reference request instruction of the content to be referred to the server. The server determines that the reference authority of the information request device contains the reading authority of the content to be referred, acquires the desensitized data from the database, and then sends the desensitized data to the information request device.
It can be seen that the current information access device desensitizes the data to be stored by using the desensitization rules to obtain a plurality of desensitized data with different desensitization degrees. When the information request device subsequently needs desensitized data, the corresponding desensitized data can be extracted directly from the database. Compared with having the server desensitize the data to be stored, this embodiment keeps the sensitive data more confidential.
In the above embodiments, only the various usage scenarios of the sensitive data transmission method are described; the sensitive data transmission method in the embodiment of the present application is specifically described below with reference to the embodiments shown in Fig. 7 and Fig. 8:
Fig. 7 is another flow chart of the sensitive data transmission method provided by the application.
Steps S701 and S708 are encryption stages;
S701, the current information access device sends a storage request instruction of data to be stored to a server.
The steps adopted in this embodiment are the same as those adopted in the above embodiment, and the specific implementation process is shown in step S401, which is not repeated here.
S702, the current information access device encrypts data to be stored by using a secret key.
It should be noted that in some embodiments the key is generated by the server and sent to the current information access device, and in other embodiments the key is generated by the hardware security module of the current information access device itself.
It should be noted that, the key is generated by a symmetric encryption algorithm, and may be used to encrypt and decrypt at the same time.
S703, the server generates a private key and a public key according to the storage request instruction.
The private key and the public key are generated by an asymmetric encryption algorithm, the public key is used for decrypting the content encrypted by the private key, and the private key is used for decrypting the content encrypted by the public key.
S704, the server sends the public key to the current information access device.
S705, the server sends the private key to the key repository.
It should be noted that in some embodiments, the key store and the database may reside in the same memory, but the key store and the database need to be located in different memory areas.
S706, the current information access device encrypts the secret key by using the public key.
S707, the current information access device sends the encrypted data to the server.
S708, the server sends the encrypted data to the database.
The above embodiment is a preferred embodiment, and two sub-embodiments are provided below, and these three embodiments will be analyzed later to obtain the effect of the preferred embodiment.
In other embodiments, the encryption phase is:
The current information access device sends a storage request instruction of data to be stored to a server.
The server generates a key according to the storage request instruction.
It should be noted that, the key is generated by a symmetric encryption algorithm, and may be used to encrypt and decrypt at the same time.
The server sends the key to the current information access device.
The current information access apparatus encrypts data to be stored into encrypted data using a key.
The current information access device transmits encrypted data to the server.
In this embodiment, the data to be stored is encrypted by a symmetric encryption algorithm. The symmetric encryption algorithm is relatively simple to implement and has low computing resource requirements, so encryption and subsequent decryption are faster; however, its security is poor.
In other embodiments, the encryption phase is:
The current information access device sends a storage request instruction of data to be stored to a server.
The server generates a public key and a private key according to the storage request instruction.
It should be noted that, the public key and the private key are generated by an asymmetric encryption algorithm, and may be used to encrypt and decrypt at the same time.
The server sends the key to the current information access device.
The current information access apparatus encrypts data to be stored into encrypted data using a key.
The current information access device transmits encrypted data to the server.
In the above embodiment, the data to be stored is encrypted by adopting an asymmetric encryption algorithm, which has better security, but is relatively difficult to implement, and has higher requirement on computing resources, so that the encryption and subsequent decryption speeds are slower.
In combination with the two embodiments, in the preferred embodiment, the data to be stored is encrypted by using a symmetric encryption algorithm, and the secret key generated by the symmetric encryption algorithm is encrypted by using an asymmetric encryption algorithm, so that the advantages of small calculation amount of the symmetric encryption algorithm and high confidentiality degree of the asymmetric encryption algorithm are fully utilized.
Steps S709 and S713 are encryption stages;
S709, the server generates a plurality of desensitization rules with different desensitization degrees according to the storage request instruction.
Desensitization rules are a series of rules that process sensitive information to protect user privacy and data security. The following are some common desensitization rules:
Name desensitization: some of the characters in the name are replaced with a specific placeholder; for example, "Zhang Sano" is replaced with "Zhang x".
ID card number desensitization: a portion of the numbers or letters in the identification card number is replaced with a specific placeholder; for example, "320102199001011234" is replaced with "320102".
Mobile phone number desensitization: a portion of the digits in the phone number is replaced with a specific placeholder; for example, "13812345678" is replaced with "138 5678".
Mailbox address desensitization: a portion of the characters in the mailbox address is replaced with a specific placeholder; for example, "example@example.com" is replaced with "exa @ sample.".
Address desensitization: specific location information in the detailed address is replaced with a specific placeholder; for example, "Beijing city Korea Jian Guogui No. 1" is replaced with "Beijing city Korea".
Bank card number desensitization: a portion of the digits in the bank card number is replaced with a specific placeholder; for example, "6222021234" is replaced with "622202".
IP address desensitization: a portion of the digits in the IP address is replaced with a specific placeholder; for example, "192.168.0.1" is replaced with "192.168.".
In other embodiments, other ways may be used, without limitation.
S710, the server sends a plurality of desensitization rules with different desensitization degrees to the current information access equipment.
S711, the current information access device desensitizes the data to be stored by using the desensitization rules to obtain a plurality of desensitized data with different desensitization degrees.
S712, the current information access device transmits a plurality of desensitization data with different desensitization degrees to the server.
S713, the server transmits the plurality of desensitization data with different desensitization degrees to the database.
The current information access device desensitizes the data to be stored by using the desensitization rules to obtain a plurality of desensitized data with different desensitization degrees. When some units or individuals subsequently need desensitized data, the corresponding desensitized data can be extracted directly from the database. Compared with having the server desensitize the data to be stored, this embodiment keeps the sensitive data more confidential.
Fig. 8 is another flow chart of the sensitive data transmission method provided by the application.
Steps S801 and S807 are decryption stages;
S801, the current information access apparatus transmits a reference request instruction of data to be stored.
S802, the secret key storage library sends the secret key to the server.
S803, the server sends the private key to the current information access device.
S804, the current information access device decrypts the encrypted secret key by using the private key.
S805, the database sends the encrypted data to the server.
S806, the server sends the encrypted data to the current information access device.
S807, the current information access device decrypts the encrypted data according to the key to obtain the data to be stored.
Therefore, the above embodiment can prevent an external attacker from obtaining the encrypted data. Only after the authorized current information access device decrypts the encrypted key by using the private key can the data to be stored be obtained by decrypting the encrypted data according to the key; even if an external attacker obtains the private key or the encrypted data, the attacker cannot obtain the data to be stored.
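The encryption stage of Fig. 7 (S701 to S708) and the decryption stage of Fig. 8 (S801 to S807) can be followed end to end in the added example below, which is not part of the application's text. AES-256-GCM for the symmetric key, RSA-OAEP for the key pair, the in-memory key store and database, and all function, field and request-id names are assumptions made for the illustration.

```javascript
// Added example, not code from the patent: the Fig. 7 / Fig. 8 flow in Node.js.
// AES-256-GCM, RSA-OAEP and every function, field and id name are assumptions.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// In-memory stand-ins for the key store and the database.
const keyStore = new Map();   // request id -> private key (PEM)
const database = new Map();   // request id -> stored record

// S703-S705: the server generates a key pair for the storage request, puts the
// private key in the key store and hands only the public key to the device.
function serverHandleStorageRequest(requestId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  keyStore.set(requestId, privateKey);
  return publicKey;
}

// S702 and S706: the device generates a fresh symmetric key, encrypts the data
// to be stored with it, then encrypts (wraps) that key with the public key.
function deviceEncrypt(publicKeyPem, dataToStore) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);            // must be unique per message for GCM
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(dataToStore, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, key),
    iv,
    tag: cipher.getAuthTag(),                   // lets the reader detect tampering
    ciphertext,
  };
}

// S707-S708: the server only ever sees and stores ciphertext and the wrapped key.
function serverStore(requestId, record) {
  database.set(requestId, record);
}

// S802-S806: on a reference request the server returns the private key from the
// key store and the encrypted record from the database.
function serverHandleReferenceRequest(requestId) {
  return { privateKey: keyStore.get(requestId), record: database.get(requestId) };
}

// S804 and S807: the device unwraps the symmetric key with the private key, then
// decrypts the data. decipher.final() throws if the record was modified.
function deviceDecrypt(privateKeyPem, record) {
  const key = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, record.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// Full round trip for one request id.
function roundTrip(requestId, dataToStore) {
  const publicKey = serverHandleStorageRequest(requestId);
  serverStore(requestId, deviceEncrypt(publicKey, dataToStore));
  const { privateKey, record } = serverHandleReferenceRequest(requestId);
  return { record, recovered: deviceDecrypt(privateKey, record) };
}

// Constructed sample input.
const SAMPLE = 'name=Zhang San;phone=13812345678';
const result = roundTrip('req-1', SAMPLE);
console.log('recovered matches input:', result.recovered === SAMPLE);
console.log('stored ciphertext (hex):', result.record.ciphertext.toString('hex'));
```

Only the 256-byte wrapped key and the ciphertext cross the storage path, which is why the symmetric algorithm can carry the bulk data while the asymmetric algorithm is applied to the short key alone.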
Steps S808 and S811 are request phases.
In practical applications, some departments, units and individuals need to refer to and use the data to be stored. In the related art, the server desensitizes the data to be stored to obtain desensitized data, but an attack on the server or the human factors of some related personnel can cause the data to be stored to be disclosed. Therefore, in combination with steps S709 and S713, the current information access device desensitizes the data to be stored by using the desensitization rules in advance.
S808, the information request equipment sends a reference request instruction of the content to be referred to the server; the reference request instruction includes identity information of the information request equipment and an identifier of the content to be referred to.
The content to be referred is the desensitized data.
The identity information of the information request device may include, but is not limited to, any one or a combination of the following: the name of the computing device, the internet protocol (IP) address of the computing device, and the identity (ID) of the software running on the computing device.
The identification of the content to be referred may include, but is not limited to, any one or a combination of the following: keywords, URLs or other identifiers. The identification of the content to be referred is needed to initiate the request and to obtain the desired content in the response from the server.
S809, the server determines that the reference authority of the information request device contains the reading authority of the content to be referred.
In some embodiments, the server determines the current reference rights of the information requesting device in a preset rights table according to the identity information of the information requesting device, where the preset rights table refers to a rights list preset for the information requesting device in a computer system or a network, and specifies reference contents that can be accessed or operated by the information requesting device.
In other embodiments the preset permission table is typically set and managed by an administrator.
S810, the database sends the desensitized data to the server.
S811, the server sends the desensitization data to the information request device.
In practical applications, some departments, units and individuals need to refer to and use the data to be stored. In the related art, the server desensitizes the data to be stored to obtain desensitized data, but an attack on the server or the human factors of some related personnel can cause the data to be stored to be disclosed. Therefore, in combination with steps S709 and S713, the current information access device desensitizes the data to be stored by using the desensitization rules in advance.
The server confirms whether the information request device is authorized to review certain desensitized data according to the identity information and the authority, so that the access range of sensitive information is limited, and the privacy of a user is protected.
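Steps S709 to S713 (desensitization on the device with rules of different degrees) and S808 to S811 (the reference request checked against the preset permission table) are shown together in the added example below, which is not part of the application's text. The rule format, the level names "partial" and "strict", the "*" placeholder, the "recordId/level" content identifier and the identities in the permission table are all assumptions.

```javascript
// Added example, not code from the patent. The rule format, level names, '*'
// placeholder, content identifiers and permission table entries are hypothetical.

// Keep the first `keepStart` and last `keepEnd` characters and replace the rest.
// A value too short to hide anything is masked entirely instead of being leaked.
function mask(value, keepStart, keepEnd) {
  const chars = Array.from(String(value));
  if (chars.length <= keepStart + keepEnd) return '*'.repeat(chars.length);
  return chars
    .map((c, i) => (i < keepStart || i >= chars.length - keepEnd ? c : '*'))
    .join('');
}

// S709: rules of different desensitization degrees generated by the server.
// Each field maps to [keepStart, keepEnd].
const DESENSITIZATION_RULES = [
  { level: 'partial', fields: { name: [1, 0], idCard: [6, 4], phone: [3, 4] } },
  { level: 'strict',  fields: { name: [0, 0], idCard: [0, 0], phone: [0, 4] } },
];

// S711: the device applies every rule to the plaintext record. A field that a
// rule does not mention is dropped from that copy (fail closed).
function deviceDesensitize(dataToStore, rules) {
  const copies = {};
  for (const rule of rules) {
    const copy = {};
    for (const [field, [keepStart, keepEnd]] of Object.entries(rule.fields)) {
      if (field in dataToStore) copy[field] = mask(dataToStore[field], keepStart, keepEnd);
    }
    copies[rule.level] = copy;
  }
  return copies;
}

// S712-S713: the server stores each desensitized copy under "recordId/level".
const desensitizedDb = new Map();
function serverStoreDesensitized(recordId, copies) {
  for (const [level, copy] of Object.entries(copies)) {
    desensitizedDb.set(`${recordId}/${level}`, copy);
  }
}

// S809: preset permission table, identity -> desensitization levels it may read.
const PERMISSION_TABLE = new Map([
  ['audit-dept', new Set(['partial', 'strict'])],
  ['marketing',  new Set(['strict'])],
]);

// S808-S811: the request carries the requester's identity and the identifier of
// the content to be referred; anything not explicitly permitted returns null.
function serveReferenceRequest({ identity, contentId }) {
  const level = String(contentId).split('/').pop();
  const allowed = PERMISSION_TABLE.get(identity);
  if (!allowed || !allowed.has(level)) return null;
  return desensitizedDb.get(contentId) || null;
}

// Constructed sample record; only desensitized copies ever leave the device.
const SAMPLE_RECORD = { name: 'Zhang San', idCard: '320102199001011234', phone: '13812345678' };
serverStoreDesensitized('rec-1', deviceDesensitize(SAMPLE_RECORD, DESENSITIZATION_RULES));

console.log(serveReferenceRequest({ identity: 'audit-dept', contentId: 'rec-1/partial' }));
console.log(serveReferenceRequest({ identity: 'marketing', contentId: 'rec-1/partial' }));
```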
In other embodiments, the same user needs the data to be stored at a different location or on a different information access device, so the new information access device needs the key of the current information access device.
When the verification password sent by the new information access device and received by the server matches the verification program, the server sends the encrypted key to the new information access device.
In other embodiments, the server receives a verification program of the current information access device; when the verification password that the server receives from the new information access device matches the verification program, the server sends the prestored key generation condition to the new information access device, so that the new information access device generates a new key according to the key generation condition, the new key having the same function as the key.
Therefore, only legal information access equipment can be communicated with the server through matching of the verification program and the verification password, a user is allowed to access on different information access equipment, the user can access required information on different places or different information access equipment, and convenience of the method is improved.
The following are device embodiments of the present application that may be used to perform method embodiments of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the method of the present application.
The embodiment of the application provides a sensitive data transmission server which is applied to a sensitive data transmission system, wherein the sensitive data transmission system comprises current information access equipment for generating data to be stored and a database for storing the data to be stored, and the sensitive data transmission system also comprises a server; the server comprises:
The first receiving module is used for receiving a storage request instruction of data to be stored, which is sent by the current information access equipment;
the encryption module is used for generating an encryption program for encrypting the data to be stored according to the storage request instruction;
the first sending module is used for sending the encryption program to the current information access equipment, so that the current information access equipment encrypts data to be stored by using the encryption program to obtain encrypted data;
the second receiving module is used for receiving the encrypted data sent by the current information access equipment;
and the second sending module is used for sending the encrypted data to the database so that the database stores the encrypted data.
In some embodiments: the sensitive data transmission system further comprises a key storage for storing a private key, and the encryption module further comprises:
the first encryption sub-module is used for generating a private key and a public key for asymmetric encryption according to the storage request instruction, wherein the public key is used for decrypting the content encrypted by the private key, and the private key is used for decrypting the content encrypted by the public key;
the first transmitting module further includes:
the first sending sub-module is used for sending the public key to the current information access equipment so that the current information access equipment encrypts data to be stored by using the public key to obtain encrypted data;
And the second sending submodule is used for sending the private key to the private key storage library so that the database stores the private key.
In some embodiments: the sensitive data transmission system further comprises a key storage for storing a private key, and the encryption module further comprises:
the second encryption sub-module is used for generating a private key and a public key according to the storage request instruction, wherein the public key is used for decrypting the content encrypted by the private key, and the private key is used for decrypting the content encrypted by the public key;
the third sending submodule is used for sending the private key to the private key storage library so that the database stores the private key;
and the fourth sending sub-module is used for sending the public key to the current information access equipment so that the current information access equipment encrypts the secret key by using the public key, and the secret key is a tool which is generated by the current information access equipment and used for encrypting the data to be stored to obtain encrypted data.
In some embodiments, the server further comprises:
the third receiving module is used for receiving a reference request instruction of the data to be stored, which is sent by the current information access equipment;
the reading module is used for reading the encrypted data and the private key;
and the third sending module is used for sending the encrypted data and the private key to the current information access equipment, so that the current information access equipment decrypts the encrypted key according to the private key and decrypts the encrypted data according to the key to obtain the data to be stored.
In some embodiments, the server further comprises:
the desensitization module is used for generating a plurality of desensitization rules with different desensitization degrees according to the storage request instruction;
the fourth sending module is used for sending the desensitization rule to the current information access equipment, so that the current information access equipment desensitizes the data to be stored by using the desensitization rule to obtain a plurality of desensitized data with different desensitization degrees;
a fourth receiving module, configured to receive desensitized data sent by the current information access device;
and the fifth sending module is used for sending the desensitization data to the database so that the database stores the desensitization data.
In some embodiments, the server further comprises:
a fifth receiving module, configured to receive a reference request instruction of the content to be referred sent by the information request device, where the reference request instruction includes identity information of the information request device and an identifier of the content to be referred;
the determination module is used for determining that the reference authority of the information request equipment comprises the reading authority of the content to be referred, wherein the reference authority is determined by the identity information of the information request equipment, the content to be referred is determined by the identifier of the content to be referred, and the content to be referred is one desensitization data in a plurality of desensitization data with different desensitization degrees;
And the sixth sending module is used for sending the content to be referred to the information requesting equipment.
In some embodiments, the server further comprises:
a sixth receiving module, configured to receive the verification program and the encrypted key sent by the current information access device;
a seventh sending module, configured to send the encrypted key to the new information access device when the verification password sent by the new information access device received by the server matches the verification program;
or
A seventh receiving module, configured to receive an authentication procedure of the current information access apparatus;
and the eighth sending module is used for sending the prestored secret key generation condition to the new information access equipment when the verification password that the server receives from the new information access equipment accords with the verification program, so that the new information access equipment generates a new secret key according to the secret key generation condition, the new secret key having the same function as the secret key.
It should be noted that: in the device provided in the above embodiment, when implementing the functions thereof, only the division of the above functional modules is used as an example, in practical application, the above functional allocation may be implemented by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to implement all or part of the functions described above. In addition, the embodiments of the apparatus and the method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the embodiments of the method are detailed in the method embodiments, which are not described herein again.
The embodiment of the present application further provides a computer storage medium, where the computer storage medium may store a plurality of instructions, where the instructions are adapted to be loaded by a processor and execute the sensitive data transmission method according to the embodiment shown in fig. 1 to 8, and a specific execution process may be referred to in the specific description of the embodiment shown in fig. 1 to 8, which is not described herein.
The application also discloses a server. Referring to fig. 9, a schematic diagram of an entity apparatus of a sensitive data transmission server according to the present application is provided. The server 900 may include: at least one processor 901, at least one network interface 904, a user interface 903, memory 905, at least one communication bus 902.
The communication bus 902 is used to implement connection and communication between these components.
The user interface 903 may include a display screen (Display) and a camera (Camera); optionally, the user interface 903 may further include a standard wired interface and a wireless interface.
Optionally, the network interface 904 may include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface).
The processor 901 may include one or more processing cores. The processor 901 connects the various parts of the entire server using various interfaces and lines, and performs the various functions of the server and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 905 and by invoking data stored in the memory 905. Optionally, the processor 901 may be implemented in hardware in at least one of the following forms: digital signal processing (Digital Signal Processing, DSP), field-programmable gate array (Field-Programmable Gate Array, FPGA), and programmable logic array (Programmable Logic Array, PLA). The processor 901 may integrate one or a combination of a central processing unit (Central Processing Unit, CPU), a graphics processing unit (Graphics Processing Unit, GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU is responsible for rendering and drawing the content to be displayed on the display screen; the modem handles wireless communication. It will be appreciated that the modem may also not be integrated into the processor 901 and may instead be implemented by a separate chip.
The memory 905 may include a random access memory (Random Access Memory, RAM) or a read-only memory (Read-Only Memory, ROM). Optionally, the memory 905 includes a non-transitory computer-readable storage medium. The memory 905 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 905 may include a program storage area and a data storage area, where the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the above method embodiments, and the like; the data storage area may store the data involved in the above method embodiments. Optionally, the memory 905 may also be at least one storage device located remotely from the processor 901. As shown in fig. 9, the memory 405, as a kind of computer storage medium, may include an operating system, a network communication module, a user interface module, and an application program for sensitive data transmission.
In the server 900 shown in fig. 9, the user interface 903 is mainly used to provide an input interface for the user and to acquire data input by the user; the processor 901 may be used to invoke the application program for sensitive data transmission stored in the memory 905, which, when executed by the one or more processors 901, causes the server 900 to perform the method described in one or more of the above embodiments. It should be noted that, for simplicity of description, the foregoing method embodiments are each described as a series of actions, but those skilled in the art should understand that the present application is not limited by the described order of actions, because some steps may be performed in another order or concurrently in accordance with the present application. Further, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present application.
In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for example, the division of units is merely a division of logical functions, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some service interfaces, devices or units, and may be electrical or in other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable memory. Based on this understanding, the technical solution of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product; the software product is stored in a memory and comprises several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present application. The aforementioned memory includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a magnetic disk or an optical disk.
The foregoing is merely exemplary embodiments of the present disclosure and is not intended to limit the scope of the present disclosure. That is, equivalent changes and modifications are contemplated by the teachings of this disclosure, which fall within the scope of the present disclosure. Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure.
This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a scope and spirit of the disclosure being indicated by the claims.

Claims (10)

1. A sensitive data transmission method, applied to a sensitive data transmission system, the sensitive data transmission system including a current information access device for generating data to be stored and a database for storing the data to be stored, the sensitive data transmission system further including a server, the method comprising:
the server receives a storage request instruction of the data to be stored, which is sent by the current information access equipment;
the server generates an encryption program for encrypting the data to be stored according to the storage request instruction;
the server sends the encryption program to the current information access equipment, so that the current information access equipment encrypts the data to be stored by using the encryption program to obtain encrypted data;
the server receives the encrypted data sent by the current information access device;
the server sends the encrypted data to the database so that the database stores the encrypted data.
2. The sensitive data transmission method according to claim 1, wherein the sensitive data transmission system further comprises a key repository for storing a private key, the server generates an encryption program for encrypting data to be stored according to a storage request instruction, and the server transmits the encryption program to the current information access device, specifically comprising:
the server generates a private key and a public key for asymmetric encryption according to a storage request instruction, wherein the public key is used for decrypting the content encrypted by the private key, and the private key is used for decrypting the content encrypted by the public key;
the server sends the public key to the current information access equipment, so that the current information access equipment encrypts the data to be stored by using the public key to obtain encrypted data;
the server sends the private key to the key store so that the database stores the private key.
3. The sensitive data transmission method according to claim 1, wherein the sensitive data transmission system further comprises a key repository for storing a private key, the server generates an encryption program for encrypting data to be stored according to a storage request instruction, and the server transmits the encryption program to the current information access device, specifically comprising:
the server generates a private key and a public key according to a storage request instruction, wherein the public key is used for decrypting the content encrypted by the private key, and the private key is used for decrypting the content encrypted by the public key;
the server sends the private key to the private key storage library so that the database stores the private key;
and the server sends the public key to the current information access equipment, so that the current information access equipment encrypts a secret key by using the public key, and the secret key is a tool which is generated by the current information access equipment and used for encrypting the data to be stored to obtain the encrypted data.
4. A method of sensitive data transmission according to claim 3, wherein after the server sends the private key to the key store, the method further comprises:
the server receives a reference request instruction of the data to be stored, which is sent by the current information access equipment;
the server reads the encrypted data and the private key;
and the server sends the encrypted data and the private key to the current information access equipment, so that the current information access equipment decrypts the encrypted private key according to the private key, and decrypts the encrypted data according to the private key to obtain the data to be stored.
5. The method for transmitting sensitive data according to claim 1, wherein after the server receives a storage request instruction of data to be stored sent by a current information access device, the method further comprises:
the server generates a plurality of desensitization rules with different desensitization degrees according to the storage request instruction;
the server sends the desensitization rule to the current information access equipment, so that the current information access equipment desensitizes the data to be stored by using the desensitization rule to obtain a plurality of desensitized data with different desensitization degrees;
the server receives the desensitization data sent by the current information access equipment;
the server sends the desensitized data to the database so that the database holds the desensitized data.
6. The method of claim 5, wherein the sensitive data transmission system further comprises an information requesting device for accessing the data to be stored, and wherein the server, after transmitting the desensitized data to a database, further comprises:
the server receives a reference request instruction of the content to be referred, which is sent by the information request equipment, wherein the reference request instruction comprises identity information of the information request equipment and an identifier of the content to be referred;
the server determines that the reference authority of the information request equipment comprises a reading authority of the content to be referred, wherein the reference authority is determined by the identity information of the information request equipment, the content to be referred is determined by the identification of the content to be referred, and the content to be referred is one desensitization data in desensitization data with different desensitization degrees;
the server transmits the content to be referred to the information requesting device.
7. The method of sensitive data transmission according to claim 4, wherein the sensitive data transmission system further comprises a new information access device, and wherein after the server transmits the encrypted data to the database, the method further comprises:
the server receives the verification program and the encrypted secret key sent by the current information access equipment;
the server sends the encrypted secret key to the new information access equipment under the condition that the verification password sent by the new information access equipment and received by the server accords with the verification program;
or
the server receives the verification program of the current information access device;
and under the condition that the server receives that the verification password sent by the new information access equipment accords with the verification program, the server sends a prestored secret key generation condition to the new information access equipment, so that the new information access equipment generates a new secret key according to the secret key generation condition, and the new secret key has the same function as the secret key.
8. A sensitive data transmission server for use in a sensitive data transmission system comprising a current information access device for generating data to be stored and a database for storing data to be stored, the sensitive data transmission system further comprising a server comprising:
the first receiving module is used for receiving a storage request instruction of the data to be stored, which is sent by the current information access equipment;
the encryption module is used for generating an encryption program for encrypting the data to be stored according to the storage request instruction;
the first sending module is used for sending the encryption program to the current information access equipment, so that the current information access equipment encrypts the data to be stored by using the encryption program to obtain encrypted data;
the second receiving module is used for receiving the encrypted data sent by the current information access equipment;
and the second sending module is used for sending the encrypted data to the database so that the database stores the encrypted data.
9. A server, comprising: one or more processors and memory;
the memory is coupled to the one or more processors, the memory for storing computer program code comprising computer instructions that the one or more processors invoke to cause the server to perform the method of any of claims 1-7.
10. A computer readable storage medium comprising instructions which, when run on a server, cause the server to perform the method of any of claims 1-7.
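The tiered desensitization of claim 5 and the permission-checked reference request of claim 6, as an added example that is not part of the patent text. The rule format (kept head and tail lengths), the identities, the record identifier and the phone number are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    degree: int     # higher degree hides more of the value
    keep_head: int  # leading characters left readable
    keep_tail: int  # trailing characters left readable

def generate_rules():
    """Server: desensitization rules of different degrees (hypothetical format)."""
    return [Rule(1, 3, 4), Rule(2, 0, 4), Rule(3, 0, 0)]

def desensitize(value, rule):
    """Device: mask every character outside the kept head and tail."""
    head, tail = rule.keep_head, rule.keep_tail
    if head + tail >= len(value):  # short value: keeping anything would reveal it all
        head = tail = 0
    return value[:head] + "*" * (len(value) - head - tail) + value[len(value) - tail:]

class Server:
    def __init__(self, authority):
        self.authority = authority  # identity -> lowest degree it may read
        self.database = {}          # (record id, degree) -> desensitized data

    def store(self, record_id, variants):
        """Forward the variants received from the device to the database."""
        for degree, data in variants.items():
            self.database[(record_id, degree)] = data

    def reference(self, identity, content_id):
        """Return one variant only if the identity's authority covers it."""
        lowest = self.authority.get(identity)
        # Unknown identity, unknown content and insufficient authority all
        # fail the same way (deny by default, no hint about what exists).
        if (lowest is None or content_id not in self.database
                or content_id[1] < lowest):
            raise PermissionError("reference request denied")
        return self.database[content_id]

def device_store(server, record_id, raw):
    """Device: apply every rule locally; the raw value is never sent."""
    # generate_rules() stands in for the server sending the rules to the device.
    variants = {r.degree: desensitize(raw, r) for r in generate_rules()}
    server.store(record_id, variants)
    return variants

if __name__ == "__main__":
    srv = Server({"auditor": 1, "support-agent": 2})     # constructed identities
    device_store(srv, "rec-1", "13800001234")            # constructed phone number
    print(srv.reference("auditor", ("rec-1", 1)))        # 138****1234
    print(srv.reference("support-agent", ("rec-1", 2)))  # *******1234
    try:
        srv.reference("support-agent", ("rec-1", 1))
    except PermissionError as exc:
        print("denied:", exc)
```
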
CN202310920027.1A 2023-07-24 2023-07-24 Sensitive data transmission method, server and storage medium Pending CN116708016A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310920027.1A CN116708016A (en) 2023-07-24 2023-07-24 Sensitive data transmission method, server and storage medium

Publications (1)

Publication Number Publication Date
CN116708016A true CN116708016A (en) 2023-09-05

Family

ID=87837661

Country Status (1)

Country Link
CN (1) CN116708016A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination