CN116846680A

CN116846680A - Data desensitization method, device, equipment and storage medium

Info

Publication number: CN116846680A
Application number: CN202311038940.5A
Authority: CN
Inventors: 殷联佳; 吴高峰; 赵嘉玮
Original assignee: Shencai Technology Co ltd
Current assignee: Shencai Technology Co ltd
Priority date: 2023-08-17
Filing date: 2023-08-17
Publication date: 2023-10-03

Abstract

The invention discloses a data desensitizing method, a device, equipment and a storage medium, belonging to the technical field of data security, wherein the method comprises the following steps: acquiring a data ciphertext corresponding to an API call request to be desensitized, which is sent by a service API, and decrypting the data ciphertext by adopting a target private key to obtain a data plaintext; determining a target desensitization implementation rule corresponding to the data plaintext based on the target access authority of the data caller; and according to the target desensitization implementation rule, carrying out desensitization treatment on the data plaintext. The invention completes the data desensitization operation in the API gateway, avoids the invasion of the bottom code, reduces the development complexity, reduces the coupling degree between the bottom code layer and the upper business layer, and improves the stability of data desensitization.

Description

Data desensitization method, device, equipment and storage medium

Technical Field

The present invention relates to the field of data security technologies, and in particular, to a data desensitizing method, device, apparatus, and storage medium.

Background

When data is shared, desensitization treatment is often required to be carried out on the shared data so as to ensure the security in the data transmission process.

However, the existing data desensitizing method, such as a method for implementing data desensitizing by modifying a service API (Application Programming Interface ), has very high intrusion degree on codes, high development complexity and high requirements on developers. For example, the data desensitizing method through the database access interception has the advantage of no code invasiveness, but the original database access is in a technical layer of a lower layer, so that the realization difficulty is high, corresponding classified data, authority data and the like are required to be obtained through technologies such as service call of the upper layer in the process of realizing data desensitization, the corresponding classified data, authority data and the like are coupled with upper-layer business, the lower layer depends on reverse logic of the upper layer, and the stability is poor.

Disclosure of Invention

The invention provides a data desensitization method, a device, equipment and a storage medium, which are used for solving the problem of code invasion, reducing development complexity, reducing the coupling degree of a bottom code layer and an upper business layer and improving the stability of data desensitization.

According to an aspect of the present invention, there is provided a data desensitizing method applied to an API gateway, the method comprising:

acquiring a data ciphertext corresponding to an API call request to be desensitized, which is sent by a service API, and decrypting the data ciphertext by adopting a target private key to obtain a data plaintext;

Determining a target desensitization implementation rule corresponding to the data plaintext based on the target access authority of the data caller;

and according to the target desensitization implementation rule, carrying out desensitization treatment on the data plaintext.

According to another aspect of the present invention, there is provided a data desensitizing method applied to a service API, the method comprising:

receiving a request ciphertext and a target public key corresponding to an API call request to be desensitized, which are sent by an API gateway;

decrypting the request ciphertext by using the target public key to obtain a request plaintext corresponding to the API call request to be desensitized;

executing data processing operation corresponding to the request plaintext to obtain a data processing result;

encrypting the data processing result by using the target public key to obtain a data ciphertext of the data processing result;

and sending the data ciphertext to the API gateway so that the API gateway decrypts the data ciphertext to obtain a data plaintext and desensitizes the data plaintext.

According to another aspect of the present invention, there is provided a data desensitizing apparatus, performed by an API gateway, the apparatus comprising:

the data plaintext determining module is used for acquiring a data ciphertext corresponding to an API call request to be desensitized, which is sent by the service API, and decrypting the data ciphertext by adopting a target private key to obtain a data plaintext;

The desensitization implementation rule determining module is used for determining a target desensitization implementation rule corresponding to the data plaintext based on the target access authority of the data caller;

and the desensitization processing module is used for carrying out desensitization processing on the data plaintext according to the target desensitization implementation rule.

According to another aspect of the present invention, there is provided a data desensitizing apparatus, performed by a service API, comprising:

the data acquisition module is used for receiving a request ciphertext and a target public key corresponding to an API call request to be desensitized, which are sent by the API gateway;

the request plaintext determining module is used for decrypting the request ciphertext by adopting the target public key to obtain a request plaintext corresponding to the API call request to be desensitized;

the processing result determining module is used for executing data processing operation corresponding to the request plaintext to obtain a data processing result;

the data ciphertext determining module is used for encrypting the data processing result by adopting the target public key to obtain a data ciphertext of the data processing result;

the data ciphertext sending module is used for sending the data ciphertext to the API gateway so that the API gateway decrypts the data ciphertext to obtain a data plaintext and desensitizes the data plaintext.

According to another aspect of the present invention, there is provided an electronic apparatus including:

At least one processor; and

a memory communicatively coupled to the at least one processor; wherein, the liquid crystal display device comprises a liquid crystal display device,

the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data desensitization method of any of the embodiments of the invention.

According to another aspect of the present invention there is provided a computer readable storage medium storing computer instructions for causing a processor to perform a data desensitisation method according to any of the embodiments of the present invention.

According to the technical scheme, the data ciphertext corresponding to the to-be-desensitized API call request sent by the service API is obtained, and the data ciphertext is decrypted by adopting the target private key to obtain the data plaintext; determining a target desensitization implementation rule corresponding to the data plaintext based on the target access authority of the data caller; and according to the target desensitization implementation rule, carrying out desensitization treatment on the data plaintext. According to the technical scheme, the API call request to be desensitized is intercepted at the API gateway, the API gateway decrypts the data ciphertext corresponding to the API call request to be desensitized to obtain the data plaintext, the API gateway performs data desensitization on the data plaintext, the API gateway completes data desensitization operation, invasion to a bottom layer code is avoided, development complexity is reduced, coupling degree between the bottom layer code layer and an upper layer service layer is reduced, and stability of data desensitization is improved.

It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a flow chart of a method for desensitizing data according to a first embodiment of the present invention;

FIG. 2 is a flow chart of a method for desensitizing data according to a second embodiment of the invention;

FIG. 3 is a flow chart of a method for desensitizing data according to a third embodiment of the invention;

FIG. 4 is a flow chart of a method for desensitizing data according to a fourth embodiment of the invention;

FIG. 5 is a schematic diagram of a data desensitizing apparatus according to a fifth embodiment of the present invention;

FIG. 6 is a schematic diagram of a data desensitizing apparatus according to a sixth embodiment of the invention;

Fig. 7 is a schematic structural diagram of an electronic device implementing a data desensitizing method according to an embodiment of the present invention.

Detailed Description

In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.

It should be noted that the terms "object," "first," and "second," and the like in the description and claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

In addition, it should be noted that, in the technical solution of the present invention, the processes of collection, storage, use, processing, transmission, provision, disclosure, etc. of the related API call request all conform to the rules of the related laws and regulations, and do not violate the public order harmony.

Example 1

Fig. 1 is a flowchart of a data desensitizing method according to a first embodiment of the present invention, where the method may be applied to data desensitizing during data sharing, and the method may be performed by a data desensitizing device, which may be implemented in hardware and/or software, and may be configured in an electronic device. As shown in fig. 1, the method includes:

s101, acquiring a data ciphertext corresponding to an API call request to be desensitized, which is sent by a service API, and decrypting the data ciphertext by adopting a target private key to obtain a data plaintext.

Wherein the service API is used to provide some easy-to-use application interfaces. The API call request to be desensitized refers to an API call request requiring desensitization processing. An API call request refers to a request sent by a data caller to call API data. Wherein, the data calling party refers to a party calling API data. The data ciphertext is ciphertext obtained by encrypting data. The target private key is a private key in a key pair agreed by the API gateway and the service API; the target private key is saved by the API gateway. The data plaintext is a plaintext obtained by decrypting the data ciphertext.

Specifically, the API gateway obtains a data ciphertext corresponding to an API call request to be desensitized, which is sent by a service API, and decrypts the data ciphertext by adopting a target private key based on a preset data decryption algorithm to obtain a data plaintext. The preset data decryption algorithm may be preset according to actual service requirements, which is not specifically limited in the embodiment of the present invention.

S102, determining a target desensitization implementation rule corresponding to the data plaintext based on the target access authority of the data caller.

The target access right is the data access right owned by the data calling party; the target access right may be one of a primary access right, a secondary access right, a tertiary access right, a quaternary access right, a temporary access right, and the like. If the access rights have four levels in total, the first level access rights are the lowest access rights and the fourth level access rights are the highest access rights. The target desensitization enforcement rule refers to an enforcement rule for data desensitization of data plaintext.

Specifically, the API gateway may compare the target access right of the data caller with the access right preset in the data plaintext, and if the target access right is higher than or equal to the access right preset in the data plaintext, take the desensitization implementation rule corresponding to the target access right as the target desensitization implementation rule corresponding to the data plaintext; otherwise, taking the desensitization implementation rule corresponding to the access authority preset by the data plaintext as the target desensitization implementation rule corresponding to the data plaintext.

The target access right of the data calling party is a first-level access right, and the access right preset by the data plaintext is a fourth-level access right; the API gateway compares the target access right with the access right preset by the data plaintext, and determines a target desensitization implementation rule corresponding to the data plaintext as the target access right is lower than the access right preset by the data plaintext, namely the first-level access right is lower than the fourth-level access right.

Optionally, if the target access right is higher than or equal to the preset access right of the data plaintext, the target desensitization implementation rule is that the data plaintext is returned as it is; if the target access right is lower than the access right preset in the data plaintext, the target desensitization implementation rule is a data desensitization rule corresponding to the access right preset in the data plaintext, and the data plaintext is subjected to desensitization treatment.

Optionally, the temporary authorization record may be generated when the target access right is a temporary access right, so that the API gateway obtains the target access right of the data caller according to the temporary authorization record at any time. Optionally, the API gateway may also store the temporary authorization record in its cache for subsequent tracing of the access rights record of the data caller.

The temporary access right refers to an access right valid for a certain period of time, for example, an access right valid for 5 minutes. It will be appreciated that the temporary access rights may enable the data caller to temporarily have access to data higher than its original access rights. The temporary authorization record stores an authorization identifier, an identity identifier of a data calling party, an API of authorization, an authorization attribute, an authorization level and a valid duration.

S103, according to target desensitization implementation rules, desensitization treatment is carried out on the data plaintext.

Specifically, according to the target desensitization implementation rule, the API gateway does not desensitize the data plaintext under the condition that the target desensitization implementation rule returns the data plaintext as it is; under the condition that the target desensitization implementation rule is a data desensitization rule corresponding to the access authority preset according to the data plaintext, the data plaintext is subjected to desensitization treatment, and the data plaintext is subjected to desensitization treatment according to the data desensitization rule corresponding to the data access authority preset by the data plaintext.

The target access right is a first-level access right, and the access right preset by the data plaintext is a fourth-level access right; and the API gateway desensitizes the data plaintext according to the data desensitization rule corresponding to the four-level access authority.

The target access authority is a three-level access authority, and the access authority preset by the data plaintext comprises a first-level access authority, a second-level access authority and a fourth-level access authority; the API gateway does not desensitize the data of the first-level access right and the data of the second-level access right in the data plaintext, and desensitizes the data of the fourth-level access right according to the data desensitization rule corresponding to the fourth-level access right.

Example two

Fig. 2 is a flowchart of a data desensitizing method according to a second embodiment of the present invention, where the present embodiment provides a technical solution for encrypting a to-be-desensitized API call request before an API gateway obtains a data ciphertext corresponding to the to-be-desensitized API call request sent by a service API. In the embodiments of the present invention, parts not described in detail may be referred to for related expressions of other embodiments. As shown in fig. 2, the method includes:

s201, determining an API call request to be desensitized from at least one API call request.

Wherein, the API call request refers to a request for calling API data sent by a data calling party. Wherein, the data calling party refers to a party calling API data. The API call request to be desensitized refers to an API call request requiring desensitization processing.

Specifically, the API gateway intercepts an API call request to be desensitized from at least one API call request sent by a data caller based on a preset request interception model. The preset request interception model may be preset according to actual service requirements, for example, the preset request interception model may be a filter with an API call request function to be desensitized, which is not specifically limited in the embodiment of the present invention.

Alternatively, the target routing address of the API call request can be obtained; based on a preset routing rule desensitization table, determining an API call request to be desensitized from at least one API call request according to a target routing address.

The target routing address refers to the routing address of the API call request. It should be noted that an API call request corresponds to a target routing address. The preset routing rule desensitization table can be preset according to actual service requirements and is used for storing the routing address of the API call request to be desensitized, and the embodiment of the invention does not limit the method specifically.

Specifically, the API gateway obtains a target routing address of an API call request sent by a data calling party; detecting whether a target routing address exists in a preset routing rule desensitization table; if a target routing address exists in a preset routing rule desensitization table, determining an API call request corresponding to the target routing address as an API call request to be desensitized; otherwise, the API call request corresponding to the target routing address is released.

It can be understood that by detecting whether the target routing address of the API call request exists in the preset routing rule desensitization table, the API call request to be desensitized is determined, the identification of the API call request to be desensitized is realized, the API call request which does not need to be desensitized in the API call request is considered, the data volume of data desensitization is reduced, and the data desensitization efficiency is improved.

Optionally, the API gateway may further update, in real time, the routing address in the preset routing rule desensitization table according to the actual service requirement, so as to accurately identify the API call request to be desensitized.

Optionally, the API gateway may also record all released API call requests and record data desensitization details of all API call requests to be desensitized, so as to facilitate subsequent auditing.

S202, generating a target public key and a target private key for an API call request to be desensitized based on a preset key generation mode.

The preset key generation mode may be preset according to actual service requirements, for example, the preset key generation mode may be an RSA asymmetric encryption algorithm, for example, the preset key generation mode may be a key generation mode based on a random number, and the embodiment of the present invention is not limited specifically. The target public key is a public key in a secret key pair agreed by the API gateway and the service API; the target public key is saved by the service API. Correspondingly, the target private key refers to a private key in a key pair agreed by the API gateway and the service API; the target private key is saved by the API gateway.

Illustratively, the API gateway generates a target public key and a target private key for the API call request to be desensitized based on an RSA asymmetric encryption algorithm.

Illustratively, the API gateway generates a target public key and a target private key for the API call request to be desensitized based on a random number key generation manner.

S203, encrypting the API call request to be desensitized by adopting the target private key to obtain a request ciphertext of the API call request to be desensitized.

The request ciphertext is ciphertext obtained after encryption processing of an API call request to be desensitized.

Specifically, the API gateway encrypts an API call request to be desensitized by adopting a target private key based on a preset request encryption algorithm to obtain a request ciphertext of the API call request to be desensitized. The preset request encryption algorithm may be preset according to actual service requirements, which is not specifically limited in the embodiment of the present invention.

S204, sending the request ciphertext and the target public key to the service API so that the service API obtains a request plaintext of the API call request to be desensitized based on the request ciphertext and the target public key.

The request plaintext refers to a plaintext obtained by decrypting the request ciphertext, namely an API call request to be desensitized.

Specifically, the API gateway sends a request ciphertext and a target public key to the service API, so that the service API adopts the target public key to decrypt the request ciphertext, and a request plaintext of an API call request to be desensitized is obtained.

S205, obtaining a data ciphertext corresponding to the API call request to be desensitized sent by the service API, and decrypting the data ciphertext by adopting the target private key to obtain a data plaintext.

S206, determining a target desensitization implementation rule corresponding to the data plaintext based on the target access authority of the data caller.

S207, adopting target desensitization implementation rules to desensitize the data plaintext.

The technical scheme of the embodiment of the invention provides a technical scheme for encrypting the API call request to be desensitized before the API gateway obtains the data ciphertext corresponding to the API call request to be desensitized sent by the service API, so that the leakage of the API call request to be desensitized in the data transmission process is avoided, and the security of the API call request to be desensitized in the data transmission process is ensured.

On the basis of the above embodiment, as an optional manner of the embodiment of the present invention, after encrypting the API call request to be desensitized by using the target private key to obtain the request ciphertext of the API call request to be desensitized, the API gateway may further be: based on a preset timestamp, carrying out digital signature on the request ciphertext to obtain a verification signature of the request ciphertext; and sending the check signature and the preset time stamp to the service API so that the service API checks the check signature based on the preset time stamp.

The preset timestamp may be preset according to an actual service requirement, for example, the preset timestamp may be 2 minutes, which is not specifically limited in the embodiment of the present invention. The verification signature is a section of digital string which comprises a request ciphertext and a preset timestamp and can identify whether the request ciphertext is tampered or not; alternatively, the verification signature may take the form of numbers, letters, or numbers plus letters, etc.

Specifically, the API gateway may input a preset timestamp and a request ciphertext into an MD5 or SHA (Security Hash Algorithm) digital signature algorithm, and obtain a verification signature of the request ciphertext through MD5 or SHA digital signature algorithm processing; the API gateway sends the check signature and the preset time stamp to the service API so that the service API checks the check signature based on the preset time stamp.

It can be understood that by digitally signing the request ciphertext, the secondary encryption processing of the request ciphertext of the request for the API call to be desensitized is realized, and the security of the request for the API call to be desensitized in the data transmission process is further ensured.

Example III

Fig. 3 is a flowchart of a data desensitizing method according to a third embodiment of the present invention, where the method may be applied to the case of desensitizing data in a data sharing process, and the method may be performed by a data desensitizing device, where the device may be implemented in hardware and/or software, and may be configured in an electronic device. As shown in fig. 3, the method includes:

S301, receiving a request ciphertext and a target public key corresponding to an API call request to be desensitized, which are sent by an API gateway.

The API gateway is a communication bridge between any two mutually independent local area networks; the API gateway may be a router. The API call request to be desensitized refers to an API call request requiring desensitization processing. An API call request refers to a request sent by a data caller to call API data. Wherein, the data calling party refers to a party calling API data. The request ciphertext is ciphertext obtained after encryption processing of the API call request to be desensitized. The target public key is a public key in a secret key pair agreed by the API gateway and the service API; the target public key is saved by the service API.

Specifically, the service API receives a request ciphertext and a target public key corresponding to an API call request to be desensitized, which are sent by the API gateway.

S302, decrypting the request ciphertext by adopting the target public key to obtain a request plaintext corresponding to the API call request to be desensitized.

The request plaintext refers to a plaintext obtained by decrypting the request ciphertext.

Specifically, after receiving the request ciphertext and the target public key, the service API triggers a decryption annotation program in the service API; and the decryption annotation program starts a preset request decryption algorithm, and decrypts the request ciphertext by adopting the target public key to obtain a request plaintext corresponding to the API call request to be desensitized. It should be noted that, the decryption annotation program is used for starting a preset request decryption algorithm to decrypt the request ciphertext.

It should be noted that, there is a correspondence between the preset request decryption algorithm and the preset request encryption algorithm; encrypting the API call request to be desensitized by adopting a preset request encryption algorithm to obtain a request ciphertext of the API call request to be desensitized; correspondingly, a preset request decryption algorithm is adopted to decrypt the request ciphertext, and a request plaintext corresponding to the API call request to be desensitized is obtained.

It can be understood that the application of the decryption annotation program makes the service API not need to develop a decryption algorithm for requesting plaintext, but directly call a preset request decryption algorithm, so that modification of codes in the service API is avoided, and development complexity is reduced.

S303, executing data processing operation corresponding to the request plaintext to obtain a data processing result.

Specifically, the service API executes data processing operation corresponding to the request plaintext to obtain a data processing result.

S304, encrypting the data processing result by using the target public key to obtain a data ciphertext of the data processing result.

The data ciphertext is ciphertext obtained by encrypting the data processing result.

Specifically, after the service API obtains the data processing result, the service API also triggers the encryption and decryption annotation program in the service API; and starting a preset data encryption algorithm by the encryption annotation program, and encrypting the data processing result by adopting the target public key to obtain a data ciphertext of the data processing result. It should be noted that, the encryption annotation program is used for starting a preset data encryption algorithm to decrypt the data processing result.

It can be understood that the application of the encryption annotation program makes the service API not need to develop the encryption algorithm of the data processing result, but directly call the preset data encryption algorithm, thereby avoiding the modification of codes in the service API and further reducing the development complexity.

It should be noted that, there is a correspondence between the preset data encryption algorithm and the preset data decryption algorithm; encrypting the data processing result by adopting a preset data encryption algorithm to obtain a data ciphertext of the data processing result; correspondingly, a preset data decryption algorithm is adopted to decrypt the data ciphertext, and a data plaintext is obtained.

And S305, sending the data ciphertext to the API gateway so that the API gateway decrypts the data ciphertext to obtain a data plaintext and desensitizes the data plaintext.

The data plaintext is a plaintext obtained by decrypting the data ciphertext.

Specifically, the service API sends the data ciphertext to the API gateway so that the API gateway decrypts the data ciphertext by adopting the target private key stored by the API gateway to obtain a data plaintext and desensitizes the data plaintext.

According to the technical scheme, a request ciphertext and a target public key corresponding to an API call request to be desensitized, which are sent by an API gateway, are received; decrypting the request ciphertext by using the target public key to obtain a request plaintext corresponding to the API call request to be desensitized; executing data processing operation corresponding to the request plaintext to obtain a data processing result; encrypting the data processing result by using the target public key to obtain a data ciphertext of the data processing result; and sending the data ciphertext to the API gateway so that the API gateway decrypts the data ciphertext to obtain a data plaintext and desensitizes the data plaintext. According to the technical scheme, the service API decrypts the encrypted API call request to be desensitized, and executes the given logic operation of the API call request to be desensitized, so that the data processing result corresponding to the API call request to be desensitized is obtained; and then, the service API encrypts the data processing result, so that the leakage of the data processing result in the data transmission process is avoided, and the safety of the data processing result in the data transmission process is ensured. And the whole process does not need a developer to write corresponding data desensitization codes according to the API call request to be desensitized, the desensitization processing is carried out on the data processing result, the invasion of the service API bottom code is avoided, and the development complexity is reduced.

On the basis of the above embodiment, as an optional manner of the embodiment of the present invention, before decrypting the request ciphertext by using the target public key to obtain the request plaintext corresponding to the to-be-desensitized API call request, the service API may further be: receiving a check signature and a preset time stamp sent by an API gateway; and verifying the verification signature based on the preset time stamp.

Specifically, the service API receives a check signature (marked as a first check signature) and a preset timestamp sent by an API gateway; then, the service API inputs a preset time stamp and a request ciphertext into an MD5 or SHA digital signature algorithm, and a second check signature of the request ciphertext is obtained through processing of the MD5 or SHA digital signature algorithm; and comparing the second check signature with the first check signature, if the second check signature and the first check signature are consistent, further decrypting the request ciphertext by the API gateway, and otherwise, sending leakage alarm information to the API gateway by the API gateway.

It can be appreciated that the service API verifies the verification signature based on the preset timestamp, so that the possibility that the request ciphertext is tampered is reduced, and the accuracy of the request ciphertext is further ensured.

Example IV

Fig. 4 is a flowchart of a data desensitizing method according to a fourth embodiment of the present invention, and a preferred embodiment is provided based on the above embodiment. In the embodiments of the present invention, parts not described in detail may be referred to for related expressions of other embodiments. As shown in fig. 4, the method includes:

s401, the API gateway determines an API call request to be desensitized from at least one API call request.

Optionally, the API gateway obtains a target routing address of the API call request; based on a preset routing rule desensitization table, an API call request is determined from at least one API call request according to the target routing address.

S402, the API gateway generates a target public key and a target private key for the API call request to be desensitized based on a preset key generation mode.

S403, the API gateway encrypts the API call request to be desensitized by adopting the target private key to obtain a request ciphertext of the API call request to be desensitized.

S404, the API gateway performs digital signature on the request ciphertext based on a preset time stamp to obtain a verification signature of the request ciphertext.

S405, the API gateway sends a target public key, a request ciphertext, a check signature and a preset time stamp to the service API.

S406, the service API receives a target public key, a request ciphertext, a check signature and a preset time stamp which are sent by the API gateway.

S407, the service API verifies the verification signature based on a preset timestamp.

And S408, under the condition that verification is passed, the service API adopts a target public key to decrypt the request ciphertext, and a request plaintext corresponding to the API call request to be desensitized is obtained.

S409, the service API executes data processing operation corresponding to the request plaintext to obtain a data processing result.

S410, the service API encrypts the data processing result by using the target public key to obtain a data ciphertext of the data processing result.

S411, the service API sends the data ciphertext to the API gateway.

S412, the API gateway obtains the data ciphertext sent by the service API, and decrypts the data ciphertext by adopting the target private key to obtain the data plaintext.

S413, the API gateway determines a target desensitization implementation rule corresponding to the data plaintext based on the target access authority of the data caller.

Optionally, in the case that the target access right is a temporary access right, a temporary authorization record is generated.

And S414, the API gateway performs desensitization processing on the data plaintext according to the target desensitization implementation rule.

And then, the API gateway feeds back the data obtained after the data plaintext is subjected to desensitization treatment to a data calling party.

Compared with the existing data desensitization method, the technical scheme of the embodiment of the invention has the advantages that the API call request to be desensitized is completely intercepted in the API gateway, the API gateway carries out encryption processing on the API call request to be desensitized twice and then is sent to the service API, so that the security of the API call request to be desensitized in the data transmission process is ensured; then, the service API realizes the decryption of the API call request to be desensitized according to the decryption annotation program under the condition that the bottom code is not modified; then, the service API executes data processing operation corresponding to the API call request to be desensitized to obtain a data processing result; then, the service API realizes encryption of the data processing result according to the encryption annotation program under the condition that the bottom code is not modified, and reduces development complexity; and then, the API gateway decrypts the encrypted data processing result received from the service API, performs data desensitization processing on the data processing result according to the access authority of a data calling party and the corresponding desensitization rule, does not have cross-level dependence, reduces the coupling degree of a bottom code layer and an upper service layer, can conveniently realize the desensitization processing of the data under various rules, and improves the stability of data desensitization.

Example five

Fig. 5 is a schematic structural diagram of a data desensitizing apparatus according to a fifth embodiment of the present invention, where the present embodiment is applicable to the case of desensitizing data in a data sharing process, and the apparatus may be implemented in hardware and/or software, and may be configured in an electronic device. As shown in fig. 5, the apparatus includes:

the data plaintext determining module 501 is configured to obtain a data ciphertext corresponding to an API call request to be desensitized, which is sent by the service API, and decrypt the data ciphertext by using a target private key to obtain a data plaintext;

the desensitization implementation rule determining module 502 is configured to determine a target desensitization implementation rule corresponding to the data plaintext based on a target access right of the data caller;

the desensitization processing module 503 is configured to desensitize the data plaintext according to the target desensitization implementation rule.

Optionally, the apparatus further comprises:

the call request acquisition module is used for determining the call request of the API to be desensitized from at least one API call request before acquiring the data ciphertext corresponding to the call request of the API to be desensitized sent by the service API;

the key generation module is used for generating a target public key and a target private key for the API call request to be desensitized based on a preset key generation mode;

the request ciphertext determining module is used for encrypting the API call request to be desensitized by adopting the target private key to obtain a request ciphertext of the API call request to be desensitized;

the first data sending module is used for sending the request ciphertext and the target public key to the service API so that the service API obtains a request plaintext of the API call request to be desensitized based on the request ciphertext and the target public key.

Optionally, the call request acquisition module is specifically configured to:

acquiring a target routing address of an API call request;

based on a preset routing rule desensitization table, determining an API call request to be desensitized from at least one API call request according to a target routing address.

Optionally, the device comprises:

the verification signature determining module is used for encrypting the API call request to be desensitized by adopting the target private key to obtain a request ciphertext of the API call request to be desensitized, and then carrying out digital signature on the request ciphertext based on a preset time stamp to obtain a verification signature of the request ciphertext;

And the second data sending module is used for sending the check signature and the preset time stamp to the service API so that the service API can check the check signature based on the preset time stamp.

Optionally, the apparatus further comprises:

and the authorization record generation module is used for generating a temporary authorization record under the condition that the target access right is the temporary access right.

The data desensitizing device provided by the embodiment of the invention can execute the data desensitizing method provided by any embodiment of the first embodiment and the second embodiment of the invention, and has the corresponding functional modules and beneficial effects of executing the data desensitizing methods.

Example six

Fig. 6 is a schematic structural diagram of a data desensitizing apparatus according to a sixth embodiment of the present invention, where the present embodiment is applicable to the case of desensitizing data in a data sharing process, and the apparatus may be implemented in hardware and/or software, and may be configured in an electronic device. As shown in fig. 6, the apparatus includes:

the data acquisition module 601 is configured to receive a request ciphertext and a target public key corresponding to an API call request to be desensitized, which are sent by an API gateway;

the request plaintext determining module 602 is configured to decrypt the request ciphertext by using the target public key to obtain a request plaintext corresponding to the API call request to be desensitized;

A processing result determining module 603, configured to perform a data processing operation corresponding to the request plaintext, to obtain a data processing result;

the data ciphertext determining module 604 is configured to encrypt the data processing result by using the target public key, so as to obtain a data ciphertext of the data processing result;

the data ciphertext sending module 605 is configured to send the data ciphertext to the API gateway, so that the API gateway decrypts the data ciphertext to obtain a data plaintext, and desensitizes the data plaintext.

Optionally, the apparatus further comprises:

the data receiving module is used for receiving a check signature and a preset time stamp sent by the API gateway before decrypting the request ciphertext by adopting the target public key to obtain a request plaintext corresponding to the API call request to be desensitized;

and the data verification module is used for verifying the verification signature based on the preset time stamp.

The data desensitizing device provided by the embodiment of the invention can execute the data desensitizing method provided by the third embodiment of the invention, and has the corresponding functional modules and beneficial effects of executing the data desensitizing method.

Example seven

Fig. 7 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.

As shown in fig. 7, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM12 and the RAM13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.

Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.

The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the data desensitization method.

In some embodiments, the data desensitization method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM12 and/or the communication unit 19. One or more of the steps of the data desensitization method described above may be performed when the computer program is loaded into RAM13 and executed by processor 11. Alternatively, in other embodiments, the processor 11 may be configured to perform the data desensitization method by any other suitable means (e.g., by means of firmware).

Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.

A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.

In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.

The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.

The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.

It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.

The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims

1. A method of desensitizing data, applied to an API gateway, comprising:

determining a target desensitization implementation rule corresponding to the data plaintext based on a target access right of a data caller;

2. The method of claim 1, further comprising, prior to obtaining the data ciphertext corresponding to the to-be-desensitized API call request sent by the service API:

determining an API call request to be desensitized from at least one API call request;

generating a target public key and a target private key for the API call request to be desensitized based on a preset key generation mode;

encrypting the API call request to be desensitized by adopting the target private key to obtain a request ciphertext of the API call request to be desensitized;

and sending the request ciphertext and the target public key to a service API so that the service API obtains a request plaintext of the API call request to be desensitized based on the request ciphertext and the target public key.

3. The method of claim 2, wherein determining an API call request to be desensitized from the at least one API call request comprises:

acquiring a target routing address of an API call request;

and determining an API call request to be desensitized from at least one API call request according to the target routing address based on a preset routing rule desensitization table.

4. The method according to claim 2, further comprising, after said encrypting said API call request with said target private key to obtain a request ciphertext of said API call request,:

Performing digital signature on the request ciphertext based on a preset timestamp to obtain a verification signature of the request ciphertext;

and sending the check signature and the preset time stamp to a service API so that the service API checks the check signature based on the preset time stamp.

5. The method according to claim 1, wherein the method further comprises:

and generating a temporary authorization record under the condition that the target access right is the temporary access right.

6. A method of desensitizing data, applied to a business API, comprising:

decrypting the request ciphertext by adopting the target public key to obtain a request plaintext corresponding to the API call request to be desensitized;

executing the data processing operation corresponding to the request plaintext to obtain a data processing result;

encrypting the data processing result by adopting the target public key to obtain a data ciphertext of the data processing result;

and sending the data ciphertext to an API gateway so that the API gateway decrypts the data ciphertext to obtain a data plaintext and desensitizes the data plaintext.

7. The method according to claim 6, before decrypting the request ciphertext using the target public key to obtain a request plaintext corresponding to an API call request to be desensitized, comprising:

receiving a check signature and a preset time stamp sent by an API gateway;

and verifying the verification signature based on the preset timestamp.

8. A data desensitizing apparatus, performed by an API gateway, comprising:

9. A data desensitizing apparatus, performed by a service API, comprising:

The processing result determining module is used for executing the data processing operation corresponding to the request plaintext to obtain a data processing result;

and the data ciphertext sending module is used for sending the data ciphertext to the API gateway so that the API gateway decrypts the data ciphertext to obtain a data plaintext and desensitizes the data plaintext.

10. An electronic device, the electronic device comprising:

at least one processor; and

the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data desensitization method according to any one of claims 1-5, and/or the data desensitization method according to any one of claims 6-7.

11. A computer readable storage medium storing computer instructions for causing a processor to perform the data desensitization method according to any one of claims 1-5 and/or the data desensitization method according to any one of claims 6-7.