CN116861451A - Data encryption and decryption method based on data classification and grading - Google Patents

Info

Publication number: CN116861451A
Authority: CN (China)
Prior art keywords: data, algorithm, classification, key, encryption
Legal status: Pending
Application number: CN202310593033.0A
Other languages: Chinese (zh)
Inventors: 朱延超, 张宏, 余增文, 方志
Current Assignee: Beijing Institute of Computer Technology and Applications
Original Assignee: Beijing Institute of Computer Technology and Applications
Application filed by: Beijing Institute of Computer Technology and Applications
Priority to: CN202310593033.0A
Publication of: CN116861451A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a data encryption and decryption method based on data classification and grading, and belongs to the field of data security. The method comprises: data classification and grading management, query statement preprocessing, a secure cryptographic service, data storage, and data transmission. The invention encrypts and decrypts data according to its classification and grade, which strengthens the security of data in storage and in transmission; keys are managed by the system, which avoids the possibility of a person leaking a key. Because data is managed by classification and grade, and different key groups and encryption algorithms are used for different classifications and grades, the security of the data is further ensured. The method can be used for data classification and grading, and the secure cryptographic service it provides can be used for secure storage and secure transmission of data in various forms such as data centers, big data and data lakes.

Description

Data encryption and decryption method based on data classification and grading
Technical Field
The invention belongs to the field of data security, and particularly relates to a data encryption and decryption method based on data classification and grading.
Background
With informatization and the move to the cloud, and with the application of new technologies such as the Internet of Things and artificial intelligence, the Internet of Things has become a trend and everyone is generating large amounts of data at every moment. The trouble and harm caused to business entities by leaks of the sensitive data within it are increasingly serious, and can even endanger social and national interests. The reasons are: (1) poor security awareness and a lack of the necessary sense of confidentiality; (2) most data is stored in plaintext in relational databases, big data platforms, NoSQL databases and file systems, where sensitive data is easily obtained by "suspicious" people. The common practice is therefore to protect data with passwords, but this has the following problems: (1) a fixed password is used, so there is a risk of it being cracked; (2) the password is held by a few people, with risks such as leakage, loss and forgetting; (3) field-level encryption in a relational database affects queries (encrypted data cannot be matched by keyword queries) and ease of use; (4) during decryption the password is exposed in data transmission, which puts other data at risk of disclosure. A new approach to data security management is therefore needed.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is how to provide a data encryption and decryption method based on data classification and grading that addresses the security management of classified and graded data, the risk of cracking caused by using a single key, the risk of key leakage caused by keys being held by a few people, the problem of querying encrypted fields by keyword in a relational database, and the risk of key leakage during data transmission, thereby ensuring the security of data during storage and transmission.
(II) Technical solution
To solve the above technical problem, the invention provides a data encryption and decryption method based on data classification and grading, comprising: a data classification and grading management service, a query statement preprocessing service, a secure cryptographic service, and data storage and data transmission services;
Data classification and grading management service:
the data classification and grading management service classifies data along a plurality of dimensions using a classification method, and then manages the classified data by security level to form a data classification and grading result set; it also determines whether the data objects in the classified data, and the data fields of those objects, are to be encrypted, triggers expansion of the data fields by adding a [field name]_mw field, and encrypts the data object;
Query statement preprocessing service:
query statements are preprocessed so that plaintext data in INSERT, SELECT, UPDATE and DELETE statements, and in combinations or nestings of them, is handled;
for an INSERT statement, all plaintext data fields to be inserted are first traversed, and each data object and data field is looked up in the data classification and grading result set to determine whether the plaintext data belongs to an encrypted field; if it does, a message digest of the plaintext data is computed, the identifier of the data subject, the message digest and the plaintext data are passed to the secure cryptographic service for encryption, and the INSERT statement is then rewritten so that the encrypted field of the original statement receives the message digest and an added _mw field receives the ciphertext;
for SELECT, UPDATE and DELETE statements, the data objects and data fields involved are traversed; where the data classification and grading management service determines that they are encrypted fields and the queried data item is plaintext, the message digest of the plaintext is computed and replaces the original plaintext;
Secure cryptographic service:
the secure cryptographic service encrypts and decrypts data objects and manages algorithms and keys in pools; encryption and decryption through the service require the subject identifier, the message digest, the security level and the plaintext or ciphertext, and if no subject identifier is specified the default subject identifier is used;
Data storage and data transmission services:
data storage refers to the form in which structured data and unstructured data are stored under data classification and grading management; for a data object to be encrypted, structured data stores the original field as two columns, one holding the message digest of the original data and the other, the [original field name]_mw field, holding the ciphertext, while the subject and security level of the data are stored in metadata; for unstructured data, the message digest of the original data, the subject data and the security level are stored in metadata;
the data transmission service comprises an encrypted data transmission flow and a data decryption flow;
in encrypted data transmission, the data is first encrypted using its security level, plaintext digest and subject identifier, and is then sent over the transmission channel corresponding to its security level; the channel for each security level is defined by the business, and in the technical implementation data whose security level is public is transmitted internally over the http and ftp network protocols, secret data is transmitted over https and sftp, secret data has a digital envelope generated with a national cryptographic algorithm and is transmitted in a private network, and secret data is transmitted in a private network using biometric features and a national cryptographic algorithm;
to decrypt data received in transmission, the security level, plaintext digest and subject are obtained from the metadata; where transmission crosses levels, networks or domains, and on the condition that the absolute security of the data is ensured, the three super-administrator U-shields held separately by three different people (the system administrator, the audit administrator and the security administrator) are authenticated, after which a national cryptographic channel is established between the two local secure cryptographic services for data synchronization, and the data is not persisted to disk during synchronization.
(III) Beneficial effects
The invention provides a data encryption and decryption method based on data classification and grading. It encrypts and decrypts data according to its classification and grade, which strengthens the security of data in storage and in transmission; keys are managed by the system, which avoids the possibility of a person leaking a key. Because data is managed by classification and grade, and different key groups and encryption algorithms are used for different classifications and grades, the security of the data is further ensured. The method can be used for data classification and grading, and the secure cryptographic service it provides can be used for secure storage and secure transmission of data in various forms such as data centers, big data and data lakes.
Drawings
FIG. 1 is a schematic diagram of a data encryption and decryption architecture based on data classification and classification in the present invention;
FIG. 2 is a data encryption flow;
FIG. 3 is a data look-up flow;
FIG. 4 is a flow chart of data encryption transmission;
FIG. 5 is a flow chart of decrypting received data in data transmission.
Detailed Description
To make the objects, contents and advantages of the present invention more apparent, the following detailed description of the present invention will be given with reference to the accompanying drawings and examples.
A data encryption and decryption system architecture diagram based on data classification and grading is shown in figure 1.
The invention provides a data encryption and decryption method based on data classification and classification, which comprises the following steps: data hierarchical classification management, query statement preprocessing, security password service, data storage and data transmission.
(1) Data classification hierarchical management service
The data classification and grading management service classifies data along multiple dimensions such as technical processing, business application and privacy protection, using methods such as the line classification method, the surface classification method and the mixed classification method, and then manages the classified data by security level to form a data classification and grading result set. Besides classifying and grading data, the service also determines whether the data objects in the classified data and the data fields of those objects are to be encrypted, and triggers the "start task to process data safely" step, which expands the data fields by adding the [field name]_mw field and encrypts the data object. In FIG. 1, (1) shows that data classification and grading management must be performed before the system starts to operate; (c) represents the reference result of the data classification and grading processing, in which the security level of the data is written to the result set.
Note: different security levels are defined according to the classified data. Classified data is the broader concept and refers to the classified data itself; a data object is a specific object within the classified data. For a structured classification a data object may be a table, whose data fields represent data attributes; for unstructured data a data object may be a document, whose data fields are attributes of the document …. One classification contains multiple data objects. For example, an unstructured classification contains multiple documents, and the "data classification and grading reference result set" in FIG. 1 defines different security levels for one or more data objects under that unstructured classification.
(2) Query statement preprocessing service
Query statements are preprocessed so that plaintext data in simple statements such as INSERT, SELECT, UPDATE and DELETE, and in combinations or nestings of them, is handled. For an INSERT statement, all plaintext data fields to be inserted are first traversed, and each data object and data field is looked up in the data classification and grading result set to determine whether the plaintext data belongs to an encrypted field. If it does, a message digest of the plaintext data is computed (MD5, SHA, or the national cryptographic algorithm SM3), the identifier of the data subject, the message digest and the plaintext data are passed to the secure cryptographic service for encryption, and the INSERT statement is then rewritten: the encrypted field of the original statement receives the message digest, and an added _mw field (for example, [original field name]_mw) receives the ciphertext. For SELECT, UPDATE and DELETE statements, the data objects and data fields involved are traversed; where the data classification and grading management service determines that they are encrypted fields and the queried data item is plaintext, the message digest of the plaintext (MD5, SHA, or the national cryptographic algorithm SM3) is computed and replaces the original plaintext. In FIG. 1, (3) shows that the query statement preprocessing function is provided to business applications.
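The statement rewriting described above, as an added example that is not part of the patent text: an INSERT gains the digest and the `_mw` ciphertext column, and a SELECT keyword is replaced by its digest so an equality match still works. The table, the `ENCRYPTED_FIELDS` set, `DEMO_KEY`, the phone numbers and the XOR keystream cipher (a stand-in for the secure cryptographic service) are all constructed for illustration.

```python
import hashlib
import sqlite3

# Constructed classification result set: (data object, data field) pairs to encrypt.
ENCRYPTED_FIELDS = {("customer", "phone")}
DEMO_KEY = b"constructed-demo-key"  # assumption: the real service picks a key from its pool


def digest(plaintext):
    """Message digest of the plaintext (the page allows md5, sha or sm3; SHA-256 here)."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def xor_stream(data, key):
    """Toy reversible cipher (SHA-256 keystream XOR), standing in for the real service."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def rewrite_insert(table, row, key=DEMO_KEY):
    """Return (sql, params): encrypted fields store the digest, <field>_mw the ciphertext."""
    columns, params = [], []
    for field, value in row.items():
        if (table, field) in ENCRYPTED_FIELDS:
            columns += [field, field + "_mw"]
            params += [digest(value), xor_stream(value.encode("utf-8"), key)]
        else:
            columns.append(field)
            params.append(value)
    marks = ", ".join("?" for _ in columns)
    # Identifiers come from the trusted classification result set, values stay bound.
    return f"INSERT INTO {table} ({', '.join(columns)}) VALUES ({marks})", params


def rewrite_select(table, wanted, field, keyword):
    """Return (sql, params): a plaintext keyword on an encrypted field becomes its digest."""
    if (table, field) in ENCRYPTED_FIELDS:
        keyword = digest(keyword)
    return f"SELECT {', '.join(wanted)} FROM {table} WHERE {field} = ?", [keyword]


def demo():
    """Insert two constructed rows, query one by plaintext keyword, decrypt the hit."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (name TEXT, phone TEXT, phone_mw BLOB)")
    for row in ({"name": "alice", "phone": "13800000000"},
                {"name": "bob", "phone": "13900000000"}):
        db.execute(*rewrite_insert("customer", row))
    sql, params = rewrite_select(
        "customer", ["name", "phone", "phone_mw"], "phone", "13800000000")
    name, stored_digest, ciphertext = db.execute(sql, params).fetchone()
    return name, stored_digest, xor_stream(ciphertext, DEMO_KEY).decode("utf-8")


if __name__ == "__main__":
    print(demo())
```

The match works because equal plaintexts always produce the same stored digest, so the digest column also shows which rows share a value.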
(3) Secure cryptographic services
The secure cryptographic service encrypts and decrypts data objects and manages algorithms and keys in pools. Using its encryption and decryption functions requires the subject identifier, the message digest, the security level and the plaintext or ciphertext; if no subject identifier is specified, the default subject identifier is used. The subject identifier indicates which subject the data belongs to. The secure cryptographic service can specify the size of the key pool corresponding to each algorithm, and custom encryption and decryption algorithms can be uploaded. In FIG. 1, (6) and (9) show the secure cryptographic service providing encryption and decryption services to business applications and to data classification and grading management, respectively. In FIG. 1, a key is obtained. In FIG. 1, (7) provides a view-key function, which is used during the debugging phase.
1) Algorithm pool
The key fields of the algorithm pool are the group id, the algorithm and the security level. The group size of the algorithm pool (GROUP_SIZE) defaults to 1024, and group values range between 1000 and 2024. Each group has 4 security levels, namely internal, secret and absolute secret, and the algorithm pool size for each security level (ALGORITHM_POOL_SIZE) defaults to 8. The algorithm pool contains the set of all algorithms, and the same algorithm is allowed to appear in the algorithm pool of the same security level. The subject identifier is converted into a large number by a first algorithm; the large number is divided by GROUP_SIZE and the remainder is taken as the subject No, and adding 1000 to the subject No gives the group id to which the subject identifier currently belongs. The algorithm id is encoded as group id + security level + algorithm No; the security levels, from public, internal, secret and secret, are represented by the numbers 1, 2, 3, 4 and 5. Algorithm No takes values from 0 to ALGORITHM_POOL_SIZE and is computed by converting the message digest into a large number by the first algorithm and taking it modulo ALGORITHM_POOL_SIZE. The algorithm pool is shown schematically in FIG. 1. Each subject has its own algorithm pool, which is lazily loaded, that is, generated and loaded at the time of use. The algorithm pool used by each subject can be specified and configured in the system in advance, and custom algorithms can also be loaded into the secure cryptographic service.
2) Key pool
The key fields of the key pool are the algorithm id, the key id and the key. The algorithm id comes from the algorithm pool, and the key pool for each algorithm has a default size (CIPHER_POOL_SIZE) of 32. The key id is a number between 0 and CIPHER_POOL_SIZE. Key pools correspond to algorithms: each algorithm has its own key pool, and the keys within a key pool are all different. The key pool is shown schematically in FIG. 1.
3) Encryption and decryption of data
The subject group (corresponding to the group id of the algorithm pool in FIG. 1), the key number and the algorithm are obtained from the subject identifier, the security level and the message digest of the plaintext. (1) Obtaining the group id from the subject identifier: if there is no subject identifier, the default subject identifier (DEFAULT_ENTITY) can be used; a fixed perturbation value (salt) is added to the subject identifier and a message digest is computed to obtain a large number, which is taken modulo GROUP_SIZE (the large number is divided by GROUP_SIZE and the remainder is taken) to obtain the group id; if the algorithm pool corresponding to the subject is empty, the algorithm pool and the key pools of its algorithms are generated according to the preset configuration policy. (2) Obtaining the algorithm from the (plaintext) message digest: a fixed perturbation value (salt) is added to the message digest and a message digest is computed again to obtain a large number, which is taken modulo ALGORITHM_POOL_SIZE (the large number is divided by ALGORITHM_POOL_SIZE and the remainder is taken) to obtain the algorithm No; the algorithm id is then obtained from the group id, the security level and the algorithm No. (3) Obtaining the key number from the (plaintext) message digest: a fixed perturbation value (different from the salt used for the algorithm) is added to the message digest, which is then processed to obtain a large number; the large number is taken modulo CIPHER_POOL_SIZE (the large number is divided by CIPHER_POOL_SIZE and the remainder is taken) to obtain the key id, and the key is obtained from the algorithm id and the key id. For encryption, the plaintext data is encrypted with the obtained algorithm and key; for decryption, the ciphertext data is decrypted with the obtained algorithm and key.
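The index derivation and lazily loaded pools described in 1) to 3), as an added example that is not part of the patent text. Assumptions: SHA-256 is the digest that turns text into the large number, the three salts and the `ALG_*` names are constructed placeholders, and the algorithm id is the decimal concatenation of group id, security level number (1 to 5) and algorithm No.

```python
import hashlib
import secrets

GROUP_SIZE = 1024            # default from the page
GROUP_BASE = 1000            # subject No + 1000 gives the group id
ALGORITHM_POOL_SIZE = 8      # default algorithm pool size per security level
CIPHER_POOL_SIZE = 32        # default key pool size per algorithm
DEFAULT_ENTITY = "DEFAULT_ENTITY"

# Constructed values: the page only says the salts are fixed and that the
# key-id salt differs from the one used for the algorithm.
SUBJECT_SALT = "constructed-subject-salt"
ALGORITHM_SALT = "constructed-algorithm-salt"
KEY_SALT = "constructed-key-salt"
ALGORITHM_CATALOGUE = ["ALG_A", "ALG_B", "ALG_C"]  # placeholder algorithm names


def big_number(text, salt):
    """Digest of text + salt, read as one large integer."""
    return int.from_bytes(hashlib.sha256((text + salt).encode("utf-8")).digest(), "big")


def group_id(subject):
    """Subject identifier -> group id; an empty subject falls back to DEFAULT_ENTITY."""
    return big_number(subject or DEFAULT_ENTITY, SUBJECT_SALT) % GROUP_SIZE + GROUP_BASE


def algorithm_no(message_digest):
    return big_number(message_digest, ALGORITHM_SALT) % ALGORITHM_POOL_SIZE


def key_id(message_digest):
    return big_number(message_digest, KEY_SALT) % CIPHER_POOL_SIZE


def algorithm_id(subject, level, message_digest):
    # Assumed encoding: group id, level number and algorithm No concatenated.
    return f"{group_id(subject)}{level}{algorithm_no(message_digest)}"


class SecureCryptoService:
    """Holds the pools; a group's pools are generated on first use (lazy loading)."""

    def __init__(self):
        self.algorithm_pools = {}  # group id -> {algorithm id: algorithm name}
        self.key_pools = {}        # algorithm id -> list of distinct keys

    def _load_group(self, gid):
        pool = {}
        for level in range(1, 6):
            for no in range(ALGORITHM_POOL_SIZE):
                aid = f"{gid}{level}{no}"
                # The same algorithm may fill several slots of one level's pool.
                pool[aid] = ALGORITHM_CATALOGUE[no % len(ALGORITHM_CATALOGUE)]
                keys = set()
                while len(keys) < CIPHER_POOL_SIZE:  # keys within a pool all differ
                    keys.add(secrets.token_bytes(32))
                self.key_pools[aid] = sorted(keys)
        self.algorithm_pools[gid] = pool

    def select(self, subject, level, message_digest):
        """Return (algorithm id, algorithm name, key) for encryption or decryption."""
        gid = group_id(subject)
        if gid not in self.algorithm_pools:
            self._load_group(gid)
        aid = algorithm_id(subject, level, message_digest)
        key = self.key_pools[aid][key_id(message_digest)]
        return aid, self.algorithm_pools[gid][aid], key


if __name__ == "__main__":
    service = SecureCryptoService()
    print(service.select("tenant-a", 3, "constructed-digest")[:2])
```

Selection depends only on the subject, the security level and the digest, all of which are stored beside the ciphertext, so confidentiality rests on the pools and salts held inside the service.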
(4) Data storage
Data storage describes the form in which structured data and unstructured data (for example distributed files, and others such as video, audio and pictures) are stored under data classification and grading management. For data objects to be encrypted, structured data and unstructured data are stored slightly differently. (1) Structured data: the original field is stored as two columns; one column holds the message digest of the original data (MD5, SHA, or the national cryptographic algorithm SM3), and the other is the [original field name]_mw field, which stores the ciphertext; the subject and security level of the data are stored in metadata. FIG. 1 shows the stored data of structured data and the metadata representation of structured data. (2) Unstructured data: the message digest of the original data (MD5, SHA, or the national cryptographic algorithm SM3), the subject data and the security level are stored in metadata, as shown in FIG. 1.
(5) Description of the flow
The flow description comprises a data encryption flow, a data viewing flow, data encryption transmission and decryption of received data in data transmission.
1) Data encryption flow
The data encryption flow is shown in fig. 2.
After data has been classified and graded, the data security processing task is started and the data object or file encryption flow begins. If the subject identifier is empty, the default subject identifier DEFAULT_ENTITY is taken; once the subject identifier is not empty, the algorithm id and the corresponding algorithm are obtained by calculation from the subject identifier, the plaintext message digest and the security level. The key id is obtained from the plaintext message digest according to the key id calculation strategy, and the key is obtained from the algorithm id and the key id. The data object or file is encrypted with the algorithm and the key, and the ciphertext and the (plaintext) message digest are stored.
2) Data viewing process
The data viewing flow is shown in fig. 3.
When data needs to be queried or viewed, the user's security level and the data's security level are first used to determine whether the user has permission to view the data. For structured data the query statement must be preprocessed: the data classification and grading service or the associated metadata is consulted to determine whether the queried data is encrypted and which data objects are encrypted; for encrypted data objects the plaintext in the query statement is replaced, and the query is then executed to obtain the query result. Decryption follows the same flow for structured data and unstructured data: the algorithm id and the key id are calculated from the subject identifier, the security level and the plaintext message digest, the decryption algorithm and key are obtained from them, the data is decrypted with that algorithm and key, and the plaintext data is viewed.
3) Data encryption transmission
A data encryption transmission flow chart is shown in fig. 4.
In encrypted data transmission, the data is first encrypted using its security level, plaintext digest and subject identifier, and is then sent over the transmission channel corresponding to its security level. Encryption of the data follows the encryption flow of FIG. 2. The transmission channel corresponding to each security level is generally defined by the business. In the technical implementation, data whose security level is public can be transmitted over conventional network protocols such as http and ftp; secret data is transmitted over https and sftp; for secret data, a digital envelope is generated with a national cryptographic algorithm (physical U-shield) and transmitted in a private network; for absolute secret data, a digital envelope is generated with biometric features (facial features, fingerprints, cornea and the like) plus a national cryptographic algorithm (physical U-shield) and transmitted in a private network.
4) Decrypting received data in data transmission
The flow of decrypting the received data during data transmission is shown in fig. 5.
To decrypt data received in transmission, the security level, plaintext digest and subject are obtained from the metadata; the decryption itself is identical to the decryption flow in FIG. 3. Data transmission may cross levels, networks or domains. In that case, on the condition that the absolute security of the data is ensured, the three super-administrator U-shields held separately by three different people (the system administrator, the audit administrator and the security administrator) are authenticated, after which a national cryptographic channel is established between the two local secure cryptographic services for data synchronization, and the data is not persisted to disk during synchronization.
The invention encrypts and decrypts data according to its classification and grade, which strengthens the security of data in storage and in transmission; keys are managed by the system, which avoids the possibility of a person leaking a key. Because data is managed by classification and grade, and different key groups and encryption algorithms are used for different classifications and grades, the security of the data is further ensured. The method can be used for data classification and grading, and the secure cryptographic service it provides can be used for secure storage and secure transmission of data in various forms such as data centers, big data and data lakes.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that modifications and variations could be made by those skilled in the art without departing from the technical principles of the present invention, and such modifications and variations should also be regarded as being within the scope of the invention.

Claims (10)

1. A data encryption and decryption method based on data classification and grading, characterized by comprising: a data classification and grading management service, a query statement preprocessing service, a secure cryptographic service, and data storage and data transmission services;
Data classification and grading management service:
the data classification and grading management service classifies data along a plurality of dimensions using a classification method, and then manages the classified data by security level to form a data classification and grading result set; it also determines whether the data objects in the classified data, and the data fields of those objects, are to be encrypted, triggers expansion of the data fields by adding a [field name]_mw field, and encrypts the data object;
Query statement preprocessing service:
query statements are preprocessed so that plaintext data in INSERT, SELECT, UPDATE and DELETE statements, and in combinations or nestings of them, is handled;
for an INSERT statement, all plaintext data fields to be inserted are first traversed, and each data object and data field is looked up in the data classification and grading result set to determine whether the plaintext data belongs to an encrypted field; if it does, a message digest of the plaintext data is computed, the identifier of the data subject, the message digest and the plaintext data are passed to the secure cryptographic service for encryption, and the INSERT statement is then rewritten so that the encrypted field of the original statement receives the message digest and an added _mw field receives the ciphertext;
for SELECT, UPDATE and DELETE statements, the data objects and data fields involved are traversed; where the data classification and grading management service determines that they are encrypted fields and the queried data item is plaintext, the message digest of the plaintext is computed and replaces the original plaintext;
Secure cryptographic service:
the secure cryptographic service encrypts and decrypts data objects and manages algorithms and keys in pools; encryption and decryption through the service require the subject identifier, the message digest, the security level and the plaintext or ciphertext, and if no subject identifier is specified the default subject identifier is used;
Data storage and data transmission services:
data storage refers to the form in which structured data and unstructured data are stored under data classification and grading management; for a data object to be encrypted, structured data stores the original field as two columns, one holding the message digest of the original data and the other, the [original field name]_mw field, holding the ciphertext, while the subject and security level of the data are stored in metadata; for unstructured data, the message digest of the original data, the subject data and the security level are stored in metadata;
the data transmission service comprises an encrypted data transmission flow and a data decryption flow;
in encrypted data transmission, the data is first encrypted using its security level, plaintext digest and subject identifier, and is then sent over the transmission channel corresponding to its security level; the channel for each security level is defined by the business, and in the technical implementation data whose security level is public is transmitted internally over the http and ftp network protocols, secret data is transmitted over https and sftp, secret data has a digital envelope generated with a national cryptographic algorithm and is transmitted in a private network, and secret data is transmitted in a private network using biometric features and a national cryptographic algorithm;
to decrypt data received in transmission, the security level, plaintext digest and subject are obtained from the metadata; where transmission crosses levels, networks or domains, and on the condition that the absolute security of the data is ensured, the three super-administrator U-shields held separately by three different people (the system administrator, the audit administrator and the security administrator) are authenticated, after which a national cryptographic channel is established between the two local secure cryptographic services for data synchronization, and the data is not persisted to disk during synchronization.
2. The data encryption and decryption method based on data classification and grading as claimed in claim 1, wherein the plurality of dimensions include: technology processing, business application and privacy protection.
3. The data encryption and decryption method based on data classification and grading as claimed in claim 1, wherein the classification method comprises: linear classification, faceted classification, and hybrid classification.
4. The data encryption and decryption method based on data classification and grading as claimed in claim 1, wherein the message digest of the plaintext data is obtained with a cryptographic algorithm, using md5, sha or sm3.
5. The data encryption and decryption method based on data classification and grading as claimed in claim 1, wherein the secure cryptographic service can specify the size of the key pool corresponding to each algorithm and allows custom encryption and decryption algorithms to be uploaded.
6. The data encryption and decryption method based on data classification and grading as recited in any one of claims 1 to 5, wherein the key fields of the algorithm pool of the secure cryptographic service are: group id, algorithm and secret level; the group size GROUP_SIZE of the algorithm pool is 1024 by default, and the group id ranges from 1000 to 2024; each group has 4 secret levels, namely, interior, secret and secret, and the algorithm pool size ALGORITHM_POOL_SIZE of each secret level is 8 by default; the algorithm pool contains the set of all algorithms, and the same algorithm is allowed to appear more than once in the algorithm pool of the same secret level; the main body identifier is converted into a large number according to a first algorithm, the large number is taken modulo GROUP_SIZE to obtain the main body No, and the main body No is added to 1000 to obtain the group id to which the main body identifier currently belongs; the coding rule of the algorithm id is group id + secret level + algorithm No, where the secret level is represented by the numbers 1, 2, 3, 4 and 5 from public, internal, secret and secret; the algorithm No ranges from 0 to ALGORITHM_POOL_SIZE and is calculated by converting the message digest into a large number according to a first algorithm and then taking that number modulo ALGORITHM_POOL_SIZE; each main body has a different algorithm pool, and the algorithm pools are lazily loaded, that is, an algorithm pool is generated and loaded when it is used;
the key fields of the key pool of the secure cryptographic service are algorithm id, key id and key; the algorithm id comes from the algorithm pool, the key pool size CIPHER_POOL_SIZE of each algorithm is 32 by default, the key id is a number between 0 and CIPHER_POOL_SIZE, the keys of a key pool correspond to its algorithm, each algorithm has a corresponding key pool, and the keys in the key pools are different.
7. The data encryption and decryption method based on data classification and grading as claimed in claim 6, wherein the data encryption and decryption process of the secure cryptographic service comprises: obtaining the group id of the main body, the key number and the algorithm from the main body identifier, the secret level and the message digest; the process specifically comprises the following steps:
obtaining the group id from the main body identifier: if no main body identifier is available, the default main body identifier DEFAULT_ENTITY is used; a fixed perturbation value (salt) is added to the main body identifier and a message digest is computed to obtain a large number, and the group id is obtained by a modulo operation on the large number; if the algorithm pool corresponding to the main body is empty, the algorithm pool and the key pools corresponding to its algorithms are generated according to a preset configuration policy;
obtaining the algorithm and the key number from the message digest: a fixed perturbation value is added to the message digest, a message digest is then computed over the result to obtain a large number, and the large number is taken modulo ALGORITHM_POOL_SIZE to obtain the algorithm No;
obtaining the algorithm id from the group id, the secret level and the algorithm No;
obtaining the key number from the message digest: a fixed perturbation value (salt) is added to the message digest, a message digest is then computed over the result to obtain a large number, the large number is taken modulo CIPHER_POOL_SIZE to obtain the key id, and the key is obtained from the algorithm id and the key id;
for encryption, the plaintext data is encrypted using the obtained algorithm and key; for decryption, the ciphertext data is decrypted using the obtained algorithm and key.
8. The data encryption and decryption method based on data classification and grading as claimed in claim 6, wherein the data encryption flow includes: after the data has been classified and graded, a data security processing task is started and the data object or file encryption process is entered; if the main body identifier is empty, the default main body identifier DEFAULT_ENTITY is taken, and if the main body identifier is not empty, the algorithm id and the corresponding algorithm are obtained by calculation from the main body identifier, the plaintext message digest and the secret level; the key id is calculated from the plaintext message digest according to the calculation strategy for obtaining the key id, the key is obtained from the algorithm id and the key id, the data object or file is encrypted using the algorithm and the key, and the ciphertext and the message digest are stored.
9. The data encryption and decryption method based on data classification and grading as claimed in claim 6, wherein the data viewing flow includes: when data is to be queried or viewed, whether the user is authorized to view the data is determined from the user security level and the data secret level; for structured data, the query statement must be preprocessed, in particular by checking in the data classification and grading service or the associated metadata whether the data is an encrypted data object, and the plaintext of encrypted data objects in the query statement must be replaced by its message digest before the query is executed to obtain the query result; when structured data and unstructured data are decrypted, the algorithm id and the key id are each calculated from the main body identifier, the secret level and the plaintext message digest, so that the decryption algorithm and the key are obtained, the data is decrypted using the decryption algorithm and the key, and the plaintext data is viewed.
10. The data encryption and decryption method based on data classification and grading as set forth in claim 6, wherein in the data encryption transmission flow, the cryptographic algorithm is implemented by a physical U shield, and the biometric features include: facial features, fingerprints, and the cornea of the eye.
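The id derivation and lazy pool loading of claims 6 and 7, as an added Python sketch that is not part of the patent text. SHA-256 as the digest, the salt value, the algorithm names, keying the pools by group id, and reading the algorithm id coding rule as digit concatenation are all assumptions.

```python
import hashlib
import secrets

GROUP_SIZE = 1024            # defaults stated in claim 6
ALGORITHM_POOL_SIZE = 8
CIPHER_POOL_SIZE = 32
DEFAULT_ENTITY = "DEFAULT_ENTITY"
SALT = b"constructed-fixed-salt"                     # assumption: page gives no value
ALGORITHMS = ["SM4-CBC", "SM4-GCM", "AES-256-GCM"]   # assumption: placeholder names
ALG_POOLS = {}   # group id -> {secret level: [algorithm name, ...]}
KEY_POOLS = {}   # algorithm id -> [key bytes, ...]


def big_int(data: bytes) -> int:
    """Add the fixed salt, digest, and read the digest as a big integer."""
    return int.from_bytes(hashlib.sha256(data + SALT).digest(), "big")


def group_id(entity):
    """Main body identifier -> group id (1000 + main body No)."""
    return 1000 + big_int((entity or DEFAULT_ENTITY).encode()) % GROUP_SIZE


def derive_ids(entity, level, digest_hex):
    """Return (algorithm id, algorithm No, key id) for one data object."""
    if level not in range(1, 6):
        raise ValueError("secret level must be 1..5")
    n = big_int(bytes.fromhex(digest_hex))
    alg_no = n % ALGORITHM_POOL_SIZE
    key_id = n % CIPHER_POOL_SIZE
    return f"{group_id(entity)}{level}{alg_no}", alg_no, key_id


def lookup(entity, level, digest_hex):
    """Generate the pools on first use, then select the algorithm and key."""
    alg_id, alg_no, key_id = derive_ids(entity, level, digest_hex)
    pool = ALG_POOLS.setdefault(group_id(entity), {})
    if level not in pool:          # lazy load: repeats of an algorithm are allowed
        pool[level] = [secrets.choice(ALGORITHMS) for _ in range(ALGORITHM_POOL_SIZE)]
    if alg_id not in KEY_POOLS:    # one key pool per algorithm id
        KEY_POOLS[alg_id] = [secrets.token_bytes(16) for _ in range(CIPHER_POOL_SIZE)]
    return pool[level][alg_no], KEY_POOLS[alg_id][key_id]
```

Because both indices are taken from the same salted digest in this sketch, the algorithm No always equals the key id modulo 8, so the two selections are not independent. A distinct salt per derivation removes that coupling.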
CN202310593033.0A 2023-05-24 2023-05-24 Data encryption and decryption method based on data classification and grading Pending CN116861451A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310593033.0A CN116861451A (en) 2023-05-24 2023-05-24 Data encryption and decryption method based on data classification and grading

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310593033.0A CN116861451A (en) 2023-05-24 2023-05-24 Data encryption and decryption method based on data classification and grading

Publications (1)

Publication Number Publication Date
CN116861451A true CN116861451A (en) 2023-10-10

Family

ID=88217876

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310593033.0A Pending CN116861451A (en) 2023-05-24 2023-05-24 Data encryption and decryption method based on data classification and grading

Country Status (1)

Country Link
CN (1) CN116861451A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118316676A (en) * 2024-04-08 2024-07-09 瑞达可信安全技术(广州)有限公司 Data encryption authentication method and system based on data information protection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination