CN116760631B - Multi-service data hierarchical management and control method and system based on regulation and control cloud platform - Google Patents
- Publication number: CN116760631B (CN202310999666.1A)
- Authority: CN (China)
- Prior art keywords: data, key, cloud platform, check, storage unit
- Legal status: Active
Classifications
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
- H04L63/105—Multiple levels of security
- H04L63/12—Applying verification of the received information
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H04L9/40—Network security protocols
Abstract
The application discloses a multi-service data hierarchical management and control method and system based on a regulation and control cloud platform. Confidential data are decrypted and read through a multi-layer temporary data container. Layered encryption ensures that the check module code is necessarily executed before the data are read, and the check is performed against the characteristics of the original storage unit, so that reading can only take place in the original storage unit. A destruction mechanism is also provided, so that the data cannot be transferred whether copying is attempted before or after decryption. This ensures whole-process risk control of confidential documents, with higher security and confidentiality, and solves the prior-art problem that whole-process risk control of confidential documents is difficult to maintain after data grading is completed.
Description
Technical Field
The application relates to the field of data processing, in particular to a multi-service data hierarchical management and control method and system based on a regulation and control cloud platform.
Background
With the growing intelligence of the power grid, more and more business information is stored as electronic data in the memory of a computer or server. Different information involves different authorities and degrees of confidentiality, so data are often classified into three levels (public, internal and confidential) according to security level, and different forms of encryption and isolation are applied to each level to prevent the data from being spread. The higher the security level, the more complex the encryption, which reduces the risk of leakage.
In general, existing encryption means are very reliable, and cracking an encrypted file is very difficult. In actual use of such a grading system, however, security problems still occur. For example, a confidential document is encrypted in a complex manner, but an authorized person must decrypt it in order to read it. Between decryption and re-encryption the document is in a security vacuum period: it is still a confidential document but is not encrypted, and reading, copying and transferring it are not restricted, so the unencrypted document can be copied to a mobile hard disk. Because of this gap, an attacker can obtain the confidential document without cracking the encryption algorithm, simply by waiting for a suitable moment. The current grading system therefore still carries obvious security risks.
Therefore, how to maintain whole-process risk control over confidential documents after grading is completed is a technical problem that is currently difficult to solve.
Disclosure of Invention
To address the difficulty in the prior art of maintaining whole-process risk control over confidential documents after grading is completed, the application provides a multi-service data hierarchical management and control method and system based on a regulation and control cloud platform. Confidential data are decrypted and read through a multi-layer temporary data container. Layered encryption ensures that the check module code is necessarily executed before the data are read, and the check is performed against the characteristics of the original storage unit, so that reading can only take place in the original storage unit. A destruction mechanism is also provided, so that the data cannot be transferred whether copying is attempted before or after decryption. This ensures whole-process risk control of confidential documents, with higher security and confidentiality.
The following is a technical scheme of the application.
The multi-service data hierarchical management and control method based on the regulation and control cloud platform is applied to a regulation and control cloud platform and a plurality of service terminals, and comprises the following steps:
S1: encrypting service data with the preset encryption algorithm corresponding to its secret-related level, and storing the encrypted service data in a designated storage unit;
S2: when a service terminal acquires a data reading request, forwarding the request to the regulation and control cloud platform, which audits it; if the audit is passed, the next step is executed, and otherwise the request is returned;
S3: determining the storage unit and the secret-related level of the target data in the data reading request, waking up the service terminal of that storage unit, and executing S4 or S5 according to the secret-related level;
S4: decrypting the target data with the preset encryption algorithm, the service terminal reading the target data, and ending the steps;
S5: creating a temporary data container in the storage unit where the target data are located; generating a first key from characteristic data stored at some of the addresses of that storage unit, and converting the first key into corresponding check codes and check pointers, which serve as the intermediate layer of the temporary data container; presetting a second key and check module code as the topmost layer; sealing the target data in the bottommost layer; and encrypting the bottommost layer with the first key and the intermediate layer with the second key;
S6: when the temporary data container is read, decrypting the intermediate layer with the second key in the topmost layer; processing the check codes and check pointers of the intermediate layer with the check module code to form a third key; and decrypting the bottommost layer with the third key, wherein if the third key is consistent with the first key, decryption succeeds and the target data are obtained, and S4 and S7 are executed at the same time; otherwise decryption fails;
S7: performing continuous security monitoring, and destroying the bottommost layer of the temporary data container if the data at an address pointed to by a check pointer change or a copy instruction is detected.
Building on the traditional grading approach, the application optimizes the subsequent file-reading process: the first key is generated from characteristic data stored at some of the addresses of the storage unit where the target data are located, which binds the first key to that storage unit; the first key is destroyed after encryption; and a unique temporary data container structure is adopted. If the temporary data container is transferred before reading, the storage unit differs at read time and decryption fails; if it is transferred after reading, the temporary data container is destroyed. The application thus ensures that the data are in a safe and reliable environment when read.
It should be noted that the service data are stored in encrypted form, so after the bottommost layer is decrypted, decryption as in S4 is still performed to obtain the plaintext target data for reading.
Preferably, the step S1: encrypting by adopting a corresponding preset encryption algorithm according to the secret-related grade of the service data and storing the encrypted service data in a designated storage unit, wherein the method comprises the following steps:
presetting an encryption algorithm for each specified secret-related level;
when new service data is acquired, encrypting by using a corresponding preset encryption algorithm according to the secret-related grade;
the encryption result is stored in a designated storage unit.
Preferably, the step S2: when the service terminal acquires the data reading request, the data reading request is forwarded to the regulation and control cloud platform, the regulation and control cloud platform carries out auditing, if the auditing is passed, the next step is executed, otherwise, the request is returned, and the method comprises the following steps:
when a service terminal acquires a data reading request, forwarding the data reading request to a regulation and control cloud platform;
and the regulation cloud platform carries out auditing on the authority information in the data reading request and the confidential level of the target data, if the authority information meets the minimum authority requirement of the confidential level, the auditing is passed, and otherwise, the request is returned.
Preferably, the step S3: judging a storage unit and a secret related grade of target data in a data reading request, waking up a service terminal of the storage unit, and executing S4 or S5 according to the secret related grade, wherein the method comprises the following steps:
judging a storage unit where target data in a data reading request are located, and waking up a service terminal where the storage unit is located;
and judging the secret related level of the target data, judging whether continuous safety monitoring is needed or not based on the secret related level, if so, executing S5, and if not, executing S4.
Preferably, the step S4: decrypting the target data by using a preset encryption algorithm, and reading the target data by a service terminal, wherein the method comprises the following steps:
searching a preset encryption algorithm adopted in encryption according to the secret-related grade of the target data;
and decrypting by using the same preset encryption algorithm to obtain target data, and reading by the service terminal.
Preferably, the step S5: creating a temporary data container in a storage unit where target data is located, generating a first key by utilizing characteristic data stored in a partial address of the storage unit where the target data is located, simultaneously converting the first key into a corresponding check code and a check pointer to serve as an intermediate layer of the temporary data container, presetting a second key and a check module code to serve as a topmost layer, sealing the target data in the bottommost layer, encrypting the bottommost layer by utilizing the first key respectively, and encrypting the intermediate layer by utilizing the second key, wherein the method comprises the following steps:
reading characteristic data of a plurality of addresses from a storage unit where target data are located, forming a first key, splitting part of the characteristic data into a plurality of check codes, and creating a plurality of check pointers to point to addresses of other characteristic data;
creating a temporary data container in a storage unit where target data are located, and dividing the temporary data container into a plurality of temporary areas, wherein a second key and a verification module code are preset in a first temporary area and serve as the topmost layer; presetting a check code and a check pointer in a second temporary area as an intermediate layer, wherein the second temporary area is encrypted by a second key; the third temporary area stores target data copied from the storage unit as the bottommost layer, and the third temporary area is encrypted by the first key, and the first key is destroyed after encryption.
In the application, the first key is generated from the characteristic data at specific addresses of the storage unit. After the first key is destroyed, only the check pointers and check codes are retained, and the check pointers carry no data related to the first key, so the first key cannot be restored directly. The original characteristic data can be obtained through the check pointers only when the storage unit is unchanged, which restores a third key consistent with the first key. For this to work reliably, the unique identifier of the storage unit is generally chosen as the characteristic data, so that the data at those addresses cannot easily change and the check pointers remain effective.
In addition, unlike conventional sequentially executed instructions, the method enforces the reading order of the temporary areas by encryption: a temporary area can be read only after the previous one has been unlocked. This prevents malicious bypassing of the execution order, ensures that the check module code is executed first, ensures that the subsequent flow executes normally, and ensures that whole-process security monitoring is effective.
Preferably, the step S6: when the temporary data container is read, the middle layer is decrypted by using the second key at the top layer, the check code and the check pointer of the middle layer are processed by the check module code to form a third key, the bottom layer is decrypted by using the third key, if the third key is consistent with the first key, the decryption is successful to obtain target data, and S4 and S7 are executed simultaneously, otherwise, the decryption cannot be performed, and the method comprises the following steps:
when the temporary data container is read, executing the check module code in the first temporary area, decrypting the second temporary area with the second key, and reading the check codes and check pointers of the second temporary area;
reading, according to the addresses pointed to by the check pointers, the data at the corresponding addresses of the storage unit where the container is located as feature codes, combining the feature codes with the check codes to obtain the characteristic data, and forming a third key;
and attempting to decrypt the third temporary area with the third key; if the third key is consistent with the first key, decryption succeeds and the target data are obtained, and S4 and S7 are executed at the same time; otherwise decryption fails.
Preferably, the step S7: and performing continuous safety monitoring, if the data of the address pointed by the check pointer changes or a copy instruction is detected, destroying the bottommost layer of the temporary data container, wherein the method comprises the following steps:
after decryption succeeds, the check module code continues to run and re-reads the addresses pointed to by the check pointers at preset intervals; if the data at those addresses change, or if a copy instruction is detected, the third temporary area is destroyed.
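The S5 to S7 flow described above, as an added Python example that is not code from the patent. It assumes the storage unit is modelled as a byte array, the middle layer is serialized as JSON, and an HMAC-SHA256 keystream with an integrity tag stands in for the preset cipher; every function and constant name is hypothetical.

```python
import hashlib
import hmac
import json
import os

# Stand-in cipher (assumption): HMAC-SHA256 keystream plus an integrity tag, used
# in place of the preset AES/3DES/RC4 so that a wrong key is detected on open.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer does not open with this key")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def read_at(unit, pointers):
    """Return the bytes stored at each (offset, length) address of a storage unit."""
    return [bytes(unit[off:off + ln]) for off, ln in pointers]

def derive_key(check_codes, pointed_data):
    """First/third key: hash of the check codes plus the data the pointers reach."""
    h = hashlib.sha256()
    for part in check_codes + pointed_data:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def build_container(unit, target, code_addrs, pointer_addrs):
    """S5: bind the bottom layer to the storage unit, keep only codes and pointers."""
    check_codes = read_at(unit, code_addrs)        # feature data stored as check codes
    first_key = derive_key(check_codes, read_at(unit, pointer_addrs))
    second_key = os.urandom(32)
    middle = json.dumps({"codes": [c.hex() for c in check_codes],
                         "pointers": pointer_addrs}).encode()
    container = {"top": {"second_key": second_key},     # topmost layer, read first
                 "middle": seal(second_key, middle),    # check codes + check pointers
                 "bottom": seal(first_key, target)}     # sealed target data
    del first_key  # the first key is not stored anywhere in the container
    return container

def open_middle(container):
    raw = unseal(container["top"]["second_key"], container["middle"])
    middle = json.loads(raw)
    return [bytes.fromhex(c) for c in middle["codes"]], middle["pointers"]

def read_container(container, unit):
    """S6: rebuild the third key from the unit the container currently sits in."""
    if container["bottom"] is None:
        raise ValueError("bottom layer destroyed")
    codes, pointers = open_middle(container)
    third_key = derive_key(codes, read_at(unit, pointers))
    return unseal(third_key, container["bottom"])

def fingerprint(container, unit):
    """Digest of the bytes the check pointers currently point at."""
    _, pointers = open_middle(container)
    return hashlib.sha256(b"".join(read_at(unit, pointers))).digest()

def monitor_once(container, unit, baseline, copy_detected=False):
    """S7: one polling pass; returns True if the bottom layer was destroyed."""
    if copy_detected or fingerprint(container, unit) != baseline:
        container["bottom"] = None
        return True
    return False

# Constructed sample storage units: 256 deterministic bytes per identifier.
def make_unit(identifier):
    return bytearray(hashlib.shake_256(identifier).digest(256))

CODE_ADDRS = [(0, 8)]                  # feature data copied into the middle layer
POINTER_ADDRS = [(64, 16), (200, 8)]   # feature data left in place, reached by pointer

if __name__ == "__main__":
    unit_a, unit_b = make_unit(b"unit-A"), make_unit(b"unit-B")
    box = build_container(unit_a, b"confidential report", CODE_ADDRS, POINTER_ADDRS)
    print("original unit:", read_container(box, unit_a))
    try:
        read_container(box, unit_b)
    except ValueError as err:
        print("moved to another unit:", err)
    base = fingerprint(box, unit_a)
    unit_a[64] ^= 0xFF                 # pointed-to data changes during reading
    print("destroyed:", monitor_once(box, unit_a, base))
```

The integrity tag is what turns "third key differs from first key" into a detectable failure; a bare stream cipher would return garbage instead of refusing to open.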
Preferably, the preset encryption algorithm includes at least two of AES algorithm, 3DES algorithm, or RC4 algorithm.
Preferably, the secret-related level includes at least two levels.
Preferably, the characteristic data is a unique identifier of the storage unit.
Preferably, the first key and the third key are generated by means of a key generator of the RC4 algorithm.
The application also provides a multi-service data hierarchical management and control system based on the regulation and control cloud platform, which comprises the regulation and control cloud platform and a plurality of service terminals, wherein the regulation and control cloud platform and the service terminals are configured to execute the multi-service data hierarchical management and control method based on the regulation and control cloud platform.
The application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform when calling the computer program in the memory.
The application also provides a storage medium, wherein the storage medium stores computer executable instructions, and when the computer executable instructions are loaded and executed by a processor, the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform are realized.
The essential effects of the application include:
Building on the traditional grading approach, the application optimizes the subsequent file-reading process: the first key is generated from characteristic data stored at some of the addresses of the storage unit where the target data are located, which binds the first key to that storage unit; the first key is destroyed after encryption; and a unique temporary data container structure is adopted. Thus, if the temporary data container is transferred before reading, the storage unit differs at read time and decryption fails; if it is transferred after reading, the temporary data container being read is destroyed. The application thus ensures that the data are in a safe and reliable environment when read.
Furthermore, the first key is generated by the characteristic data of the specific address of the storage unit, only the check pointer and the check code are reserved after the first key is destroyed, and the check pointer does not carry any data related to the first key, so that the first key cannot be directly restored, the original characteristic data can be obtained according to the check pointer only when the storage unit is unchanged, and the third key consistent with the first key is restored.
In addition, unlike conventional sequentially executed instructions, the method enforces the reading order of the temporary areas by encryption: a temporary area can be read only after the previous one has been unlocked. This prevents malicious bypassing of the execution order, ensures that the check module code is executed first, ensures that the subsequent flow executes normally, and ensures that whole-process security monitoring is effective.
Drawings
FIG. 1 is a flow chart of an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solution will be clearly and completely described in the following in conjunction with the embodiments, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be understood that, in the various embodiments of the present application, the sequence number of each process does not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and the numbering should not constitute any limitation on the implementation of the embodiments of the present application.
It should be understood that in the present application, "comprising" and "having" and any variations thereof are intended to cover non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements that are expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present application, "plurality" means two or more. "And/or" merely describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates an "or" relationship between the objects before and after it. "Comprising A, B and C" and "comprising A, B, C" mean that all three of A, B and C are comprised; "comprising A, B or C" means that one of A, B and C is comprised; and "comprising A, B and/or C" means that any one, any two or all three of A, B and C are comprised.
The technical scheme of the application is described in detail below by specific examples. Embodiments may be combined with each other and the same or similar concepts or processes may not be described in detail in some embodiments.
Embodiment one: as shown in fig. 1, the multi-service data hierarchical management and control method based on the regulation and control cloud platform provided in this embodiment is applied to the regulation and control cloud platform and a plurality of service terminals, and includes steps S1 to S7, where:
S1: encrypting service data with the preset encryption algorithm corresponding to its secret-related level and storing the encrypted service data in a designated storage unit, which comprises the following steps:
presetting an encryption algorithm for each specified secret-related level;
when new service data is acquired, encrypting by using a corresponding preset encryption algorithm according to the secret-related grade;
the encryption result is stored in a designated storage unit.
It should be noted that this embodiment does not take part in determining the secret-related level; it only executes different steps according to the level. The secret-related level may be determined by any classification system in the prior art, or assigned manually. For example, the levels may be public and confidential, where confidential means that viewing requires audited authority; or public, internal and confidential, where internal means that no restriction is placed on certain internal personnel. This embodiment is described using the public and confidential levels as an example.
The preset encryption algorithm comprises at least two of an AES algorithm, a 3DES algorithm or an RC4 algorithm.
Specifically, 3DES (Triple Data Encryption Algorithm): an encryption algorithm developed on the basis of DES that uses three different keys to encrypt the data three times. This improves the encryption strength, but encryption and decryption are slower.
AES (Advanced Encryption Standard): one of the most widely used symmetric encryption algorithms at present, with a key length of 128, 192 or 256 bits. It is safer and more reliable than DES and 3DES, encrypts and decrypts faster, and is widely applied to data encryption protection in various fields.
RC4: a symmetric stream encryption algorithm with a variable key length, typically 40 bits to 2048 bits. The RC4 algorithm is simple and easy to implement, uses the same key for encryption and decryption, and can encrypt data streams of any length without a fixed block size.
In this embodiment, AES is selected as the preset encryption algorithm for the public level, and 3DES is selected as the preset encryption algorithm for the confidential level.
S2: when the service terminal acquires the data reading request, the data reading request is forwarded to the regulation and control cloud platform, the regulation and control cloud platform carries out auditing, if the auditing is passed, the next step is executed, otherwise, the request is returned, and the method comprises the following steps:
when a service terminal acquires a data reading request, forwarding the data reading request to a regulation and control cloud platform;
and the regulation cloud platform carries out auditing on the authority information in the data reading request and the confidential level of the target data, if the authority information meets the minimum authority requirement of the confidential level, the auditing is passed, and otherwise, the request is returned.
For example, the data reading request asks to read file A. File A is a confidential file and requires the authority of the department management layer. The regulation and control cloud platform then checks the identity of the operator: if the operator belongs to the department management layer or above, the audit is passed; otherwise the request is returned.
S3: Determine the storage unit and the secret-related level of the target data in the data reading request, wake up the service terminal where the storage unit is located, and execute S4 or S5 according to the secret-related level. This step comprises:
determining the storage unit where the target data in the data reading request is located, and waking up the service terminal where the storage unit is located;
determining the secret-related level of the target data and, based on that level, whether continuous security monitoring is needed; if so, executing S5, and if not, executing S4.
In this embodiment, the regulation and control cloud platform is in communication connection with a plurality of service terminals, so a request made at one service terminal may need to access another service terminal. It is therefore necessary to determine the service terminal where the target data in the data reading request is located, then the storage unit where the data is located, and to wake up the service terminal if it is in a dormant state.
In this embodiment, if the secret-related level is public, continuous security monitoring is not required and S4 is executed; if the secret-related level is confidential, continuous security monitoring is required and S5 is executed.
S4: Decrypt the target data using the preset encryption algorithm; the service terminal reads the data, and the procedure ends.
In this embodiment, files that do not need continuous security monitoring are at the public level and are therefore decrypted using AES.
S5: Create a temporary data container in the storage unit where the target data is located. Generate a first key from the characteristic data stored at some of the addresses of that storage unit, and at the same time convert the first key into corresponding check codes and check pointers, which serve as the intermediate layer of the temporary data container. Preset a second key and a check module code as the topmost layer, and seal the target data in the bottommost layer. Encrypt the bottommost layer with the first key and the intermediate layer with the second key. This step comprises:
S51: Read the characteristic data at a plurality of addresses from the storage unit where the target data is located and form the first key; split part of the characteristic data into a plurality of check codes, and create a plurality of check pointers that point to the addresses of the remaining characteristic data. The first key is generated by the key generator of the RC4 algorithm: the characteristic data is input to the key generator, and the first key is output.
In this embodiment, when the characteristic data at a plurality of addresses is read from the storage unit, addresses holding specific data are generally selected, such as the address holding the unique identifier of each storage unit, or addresses holding relatively fixed data related to the system of the service terminal where the storage unit is located. That is, addresses in the storage unit whose data is unique and not easily changed can be read. As an example of splitting into check codes and check pointers: suppose a plurality of addresses of the storage unit store unique identifiers, and the characteristic data composed of these identifiers is ABC, where A, B and C each represent a string of data. Data A can then be used as the check code, and the addresses where data B and data C are located can be used as the check pointers.
S52: Create a temporary data container in the storage unit where the target data is located, and divide it into a plurality of temporary areas. The second key and the check module code are preset in the first temporary area, which serves as the topmost layer. The check codes and check pointers are preset in the second temporary area, which serves as the intermediate layer and is encrypted with the second key. The third temporary area stores the target data copied from the storage unit and serves as the bottommost layer; it is encrypted with the first key, and the first key is destroyed after encryption.
In this embodiment, the first key is generated from the characteristic data at specific addresses of the storage unit. After the first key is destroyed, only the check pointers and check codes are retained, and the check pointers carry no data related to the first key, so the first key cannot be restored directly. The original characteristic data can be obtained through the check pointers only when the storage unit is unchanged, which restores a third key consistent with the first key.
In addition, unlike traditional sequentially executed instructions, this embodiment enforces the reading order of the temporary areas through encryption: a temporary area can be read only after the previous one has been unlocked. This prevents malicious bypassing of sequentially executed instructions and ensures that the check module code is executed first, so that the subsequent flow executes normally and security monitoring remains effective throughout the process.
S6: When the temporary data container is read, decrypt the intermediate layer using the second key in the topmost layer, and process the check codes and check pointers of the intermediate layer with the check module code to form a third key. Decrypt the bottommost layer with the third key: if the third key is consistent with the first key, decryption succeeds and yields the target data, and S4 and S7 are executed simultaneously; otherwise decryption fails. This step comprises:
when the temporary data container is read, executing the check module code in the first temporary area, decrypting the second temporary area with the second key, and reading the plurality of check codes and check pointers in the second temporary area;
reading, at the addresses the check pointers point to, the data of the storage unit where the container is currently located as feature codes, combining the feature codes with the check codes to obtain the characteristic data, and forming a third key;
attempting to decrypt the third temporary area with the third key; if the third key is consistent with the first key, decryption succeeds and yields the target data, and S4 and S7 are executed simultaneously; otherwise decryption fails.
In this embodiment, both the first key and the third key are generated by the key generator of the RC4 algorithm. Therefore, if the container is still in the original storage unit, the data (unique identifiers) at the addresses the check pointers point to is unchanged, and the resulting third key must be identical to the first key.
S7: Perform continuous security monitoring; if the data at an address pointed to by a check pointer changes, or a copy instruction is detected, destroy the bottommost layer of the temporary data container. This step comprises:
after decryption succeeds, the check module code continues to run and re-reads the addresses pointed to by the check pointers at preset intervals; if the data at an address changes, or a copy instruction is detected, the third temporary area is destroyed.
This embodiment optimizes the subsequent file reading process on the basis of the traditional hierarchical mode. A first key is generated from the characteristic data stored at some of the addresses of the storage unit where the target data is located; the first key is thereby bound to the storage unit and is destroyed after encryption. A dedicated temporary data container structure is also adopted: under the encryption mechanism of the application, a temporary data container can only be read from the topmost layer, which activates the check module code. The code then follows the pointers to the data at the corresponding addresses of the storage unit where the container currently resides and generates a third key. Only when the storage unit is unchanged can the third key be consistent with the first key and the target data in the bottommost layer be decrypted successfully. If the temporary data container is transferred before reading, the changed storage unit causes decryption to fail at read time; if it is transferred after reading, the temporary data container is destroyed. The application can thus ensure that the data is in a safe and reliable environment when it is read.
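The S5 to S7 flow described above, as an added Python sketch that is not part of the patent text or any implementation of it. Assumptions: the storage unit is modelled as an address-to-bytes dict, the layer cipher is a hash-counter stream with an HMAC tag (the page does not name one), the 32-byte key length, JSON middle-layer encoding and sample identifiers are constructed, and copy-instruction detection is not modelled.

```python
import hashlib
import hmac
import json
import os

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4 KSA + PRGA; the page feeds characteristic data to RC4's key generator."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    pad = b"".join(hashlib.sha256(key + nonce + c.to_bytes(8, "big")).digest()
                   for c in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal_layer(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in layer cipher (assumption): hash-counter stream plus HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def open_layer(key: bytes, blob):
    """Return the plaintext, or None if the key is wrong or the layer is gone."""
    if not blob or len(blob) < 48:
        return None
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def build_container(unit: dict, feature_addrs: list, n_codes: int, target: bytes) -> dict:
    """S5: seal the target data under a key derived from the unit's characteristic data."""
    feature = [unit[a] for a in feature_addrs]
    first_key = rc4_keystream(b"".join(feature), 32)
    middle = json.dumps({
        "check_codes": [f.hex() for f in feature[:n_codes]],  # e.g. data A
        "check_pointers": feature_addrs[n_codes:],            # addresses of B and C
    }).encode()
    second_key = os.urandom(32)
    container = {
        "top": second_key,  # the page presets the second key in the topmost layer
        "middle": seal_layer(second_key, middle),
        "bottom": seal_layer(first_key, target),
    }
    del first_key  # dropped after sealing; Python cannot guarantee memory wiping
    return container

def read_container(unit: dict, container: dict):
    """S6: rebuild the third key from the check codes plus the data the pointers reach."""
    middle = open_layer(container["top"], container["middle"])
    if middle is None:
        return None, {}
    fields = json.loads(middle)
    watched = {p: unit.get(p, b"") for p in fields["check_pointers"]}
    feature = [bytes.fromhex(c) for c in fields["check_codes"]] + list(watched.values())
    third_key = rc4_keystream(b"".join(feature) or b"\x00", 32)
    return open_layer(third_key, container["bottom"]), watched

def monitor_tick(unit: dict, container: dict, watched: dict) -> bool:
    """S7: re-read the pointed-to addresses; destroy the bottom layer on any change."""
    if all(unit.get(p, b"") == v for p, v in watched.items()):
        return True
    container["bottom"] = None
    return False

# Constructed sample data: two storage units modelled as address -> bytes.
UNIT_A = {0x10: b"SN-7F3A", 0x20: b"VOL-0001", 0x30: b"FW-2.4.1", 0x40: b"scratch"}
UNIT_B = {0x10: b"SN-91C2", 0x20: b"VOL-0042", 0x30: b"FW-2.4.1", 0x40: b"scratch"}
FEATURE_ADDRS = [0x10, 0x20, 0x30]

def demo() -> dict:
    """Seal on UNIT_A, read on both units, then change a watched address."""
    box = build_container(UNIT_A, FEATURE_ADDRS, 1, b"dispatch plan")
    same_unit, watched = read_container(UNIT_A, box)
    moved, _ = read_container(UNIT_B, box)
    changed = {**UNIT_A, 0x20: b"VOL-9999"}
    alive = monitor_tick(changed, box, watched)
    after, _ = read_container(UNIT_A, box)
    return {"same_unit": same_unit, "moved": moved, "alive": alive, "after": after}

if __name__ == "__main__":
    print(demo())
```

The HMAC tag is what turns "the third key differs from the first key" into a detectable failure; with a bare stream cipher, a wrong key would silently yield garbage instead.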
Embodiment two: this embodiment provides a multi-service data hierarchical management and control system based on a regulation and control cloud platform, which comprises the regulation and control cloud platform and a plurality of service terminals, wherein the regulation and control cloud platform and the service terminals are configured to execute the multi-service data hierarchical management and control method based on the regulation and control cloud platform. The service terminal comprises a customized computer, a tablet computer or a mobile terminal.
Embodiment three: this embodiment provides an electronic device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform when calling the computer program in the memory.
Embodiment four: this embodiment provides a storage medium in which computer executable instructions are stored; when the computer executable instructions are loaded and executed by a processor, the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform are implemented.
In summary, the essential effects of the present embodiment include:
On the basis of the traditional hierarchical mode, the subsequent file reading process is optimized. A first key is generated from the characteristic data stored at some of the addresses of the storage unit where the target data is located; the first key is thereby bound to the storage unit and is destroyed after encryption, and a dedicated temporary data container structure is adopted. Thus, if the temporary data container is transferred before reading, the changed storage unit causes decryption to fail at read time; if it is transferred after reading, the temporary data container being read is destroyed. The application can thus ensure that the data is in a safe and reliable environment when it is read.
Furthermore, the first key is generated from the characteristic data at specific addresses of the storage unit. After the first key is destroyed, only the check pointers and check codes are retained, and the check pointers carry no data related to the first key, so the first key cannot be restored directly. The original characteristic data can be obtained through the check pointers only when the storage unit is unchanged, which restores a third key consistent with the first key.
In addition, unlike traditional sequentially executed instructions, the method enforces the reading order of the temporary areas through encryption: a temporary area can be read only after the previous one has been unlocked. This prevents malicious bypassing of sequentially executed instructions and ensures that the check module code is executed first, so that the subsequent flow executes normally and security monitoring remains effective throughout the process.
From the foregoing description of the embodiments, those skilled in the art will appreciate that, for convenience and brevity of description, only the above division of functional modules is used as an illustration. In practical applications, the above functions may be allocated to different functional modules as needed; that is, the internal structure of a specific apparatus may be divided into different functional modules to implement all or part of the functions described above.
In the embodiments provided in the present application, it should be understood that the disclosed structures and methods may be implemented in other manners. For example, the structural embodiments described above are merely illustrative: the division of modules or units is merely a logical functional division, and other divisions are possible in an actual implementation; multiple units or components may be combined or integrated into another structure, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, structures or units, and may be in electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and the parts shown as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto; any variation or substitution that a person skilled in the art can readily conceive falls within the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.
Claims (15)
1. A multi-service data hierarchical management and control method based on a regulation and control cloud platform, applied to the regulation and control cloud platform and a plurality of service terminals, characterized by comprising the following steps:
S1: encrypting service data with the corresponding preset encryption algorithm according to the secret-related level of the service data, and storing the encrypted service data in a designated storage unit;
S2: when a service terminal acquires a data reading request, forwarding the data reading request to the regulation and control cloud platform, which audits it; if the audit passes, executing the next step, and otherwise returning the request;
S3: determining the storage unit and the secret-related level of the target data in the data reading request, waking up the service terminal where the storage unit is located, and selecting to execute S4 or S5 according to the secret-related level;
S4: decrypting the target data using the preset encryption algorithm, reading the target data by the service terminal, and ending the procedure;
S5: creating a temporary data container in the storage unit where the target data is located, generating a first key from the characteristic data stored at some of the addresses of the storage unit where the target data is located, simultaneously converting the first key into corresponding check codes and check pointers to serve as an intermediate layer of the temporary data container, presetting a second key and a check module code to serve as a topmost layer, sealing the target data in the bottommost layer, encrypting the bottommost layer with the first key, and encrypting the intermediate layer with the second key; wherein the conversion into the corresponding check codes and check pointers comprises: splitting part of the characteristic data into a plurality of check codes, and creating a plurality of check pointers that point to the addresses of the rest of the characteristic data;
S6: when the temporary data container is read, decrypting the intermediate layer using the second key in the topmost layer, processing the check codes and check pointers of the intermediate layer with the check module code to form a third key, and decrypting the bottommost layer with the third key; if the third key is consistent with the first key, decryption succeeds and yields the target data, and S4 and S7 are executed simultaneously; otherwise the target data cannot be decrypted; wherein processing the check codes and check pointers of the intermediate layer to form a third key comprises: reading, at the addresses the check pointers point to, the data of the storage unit where the container is currently located as feature codes, combining the feature codes with the check codes to obtain the characteristic data, and forming the third key;
S7: performing continuous security monitoring, and destroying the bottommost layer of the temporary data container if the data at an address pointed to by a check pointer changes or a copy instruction is detected.
2. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the step S1: encrypting service data with the corresponding preset encryption algorithm according to the secret-related level of the service data and storing the encrypted service data in a designated storage unit, comprises the following steps:
presetting an encryption algorithm for each designated secret-related level;
when new service data is acquired, encrypting it with the corresponding preset encryption algorithm according to its secret-related level;
storing the encryption result in a designated storage unit.
3. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the step S2: when a service terminal acquires a data reading request, forwarding the data reading request to the regulation and control cloud platform, which audits it; if the audit passes, executing the next step, and otherwise returning the request, comprises the following steps:
when a service terminal acquires a data reading request, forwarding the data reading request to the regulation and control cloud platform;
the regulation and control cloud platform audits the authority information in the data reading request against the secret-related level of the target data; if the authority information meets the minimum authority requirement of that level, the audit passes, and otherwise the request is returned.
4. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the step S3: determining the storage unit and the secret-related level of the target data in the data reading request, waking up the service terminal where the storage unit is located, and executing S4 or S5 according to the secret-related level, comprises the following steps:
determining the storage unit where the target data in the data reading request is located, and waking up the service terminal where the storage unit is located;
determining the secret-related level of the target data and, based on that level, whether continuous security monitoring is needed; if so, executing S5, and if not, executing S4.
5. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the step S4: decrypting the target data using the preset encryption algorithm, and reading the target data by the service terminal, comprises the following steps:
looking up the preset encryption algorithm that was used for encryption according to the secret-related level of the target data;
decrypting with the same preset encryption algorithm to obtain the target data, which is read by the service terminal.
6. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the step S5: creating a temporary data container in the storage unit where the target data is located, generating a first key from the characteristic data stored at some of the addresses of the storage unit where the target data is located, simultaneously converting the first key into corresponding check codes and check pointers to serve as an intermediate layer of the temporary data container, presetting a second key and a check module code to serve as a topmost layer, sealing the target data in the bottommost layer, encrypting the bottommost layer with the first key, and encrypting the intermediate layer with the second key, comprises the following steps:
reading the characteristic data at a plurality of addresses from the storage unit where the target data is located and forming the first key, splitting part of the characteristic data into a plurality of check codes, and creating a plurality of check pointers that point to the addresses of the remaining characteristic data;
creating a temporary data container in the storage unit where the target data is located, and dividing the temporary data container into a plurality of temporary areas, wherein the second key and the check module code are preset in the first temporary area, which serves as the topmost layer; the check codes and check pointers are preset in the second temporary area, which serves as the intermediate layer and is encrypted with the second key; the third temporary area stores the target data copied from the storage unit and serves as the bottommost layer, the third temporary area is encrypted with the first key, and the first key is destroyed after encryption.
7. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 6, wherein the step S6: when the temporary data container is read, decrypting the intermediate layer using the second key in the topmost layer, processing the check codes and check pointers of the intermediate layer with the check module code to form a third key, and decrypting the bottommost layer with the third key; if the third key is consistent with the first key, decryption succeeds and yields the target data, and S4 and S7 are executed simultaneously; otherwise decryption fails, comprises the following steps:
when the temporary data container is read, executing the check module code in the first temporary area, decrypting the second temporary area with the second key, and reading the plurality of check codes and check pointers in the second temporary area;
reading, at the addresses the check pointers point to, the data of the storage unit where the container is currently located as feature codes, combining the feature codes with the check codes to obtain the characteristic data, and forming a third key;
attempting to decrypt the third temporary area with the third key; if the third key is consistent with the first key, decryption succeeds and yields the target data, and S4 and S7 are executed simultaneously; otherwise decryption fails.
8. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 7, wherein the step S7: performing continuous security monitoring, and destroying the bottommost layer of the temporary data container if the data at an address pointed to by a check pointer changes or a copy instruction is detected, comprises the following steps:
after decryption succeeds, the check module code continues to run and re-reads the addresses pointed to by the check pointers at preset intervals; if the data at an address changes, or a copy instruction is detected, the third temporary area is destroyed.
9. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the preset encryption algorithm comprises at least two of the AES algorithm, the 3DES algorithm or the RC4 algorithm.
10. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the secret-related level comprises at least two levels.
11. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the characteristic data is a unique identifier of a storage unit.
12. The multi-service data hierarchical management and control method based on the regulation and control cloud platform according to claim 1, wherein the first key and the third key are generated by the key generator of the RC4 algorithm.
13. A multi-service data hierarchical management and control system based on a regulation and control cloud platform, comprising the regulation and control cloud platform and a plurality of service terminals, characterized in that the regulation and control cloud platform and the service terminals are configured to execute the multi-service data hierarchical management and control method based on the regulation and control cloud platform according to any one of claims 1-12.
14. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform according to any one of claims 1 to 12 when calling the computer program in the memory.
15. A storage medium having stored therein computer executable instructions which, when loaded and executed by a processor, implement the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform according to any one of claims 1 to 12.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310999666.1A CN116760631B (en) | 2023-08-09 | 2023-08-09 | Multi-service data hierarchical management and control method and system based on regulation and control cloud platform |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116760631A CN116760631A (en) | 2023-09-15 |
CN116760631B true CN116760631B (en) | 2023-10-31 |
Family
ID=87951618
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310999666.1A Active CN116760631B (en) | 2023-08-09 | 2023-08-09 | Multi-service data hierarchical management and control method and system based on regulation and control cloud platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116760631B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||