CN117235803B

CN117235803B - Data security authentication method and device based on data elements and electronic equipment

Info

Publication number: CN117235803B
Application number: CN202311516145.2A
Authority: CN
Inventors: 邹一荣; 王占溪
Original assignee: China Unicom Guangdong Industrial Internet Co Ltd
Current assignee: China Unicom Guangdong Industrial Internet Co Ltd
Priority date: 2023-11-15
Filing date: 2023-11-15
Publication date: 2024-02-27
Anticipated expiration: 2043-11-15
Also published as: CN117235803A

Abstract

The embodiment of the application relates to a data security authentication method and device based on data elements and electronic equipment, wherein the method comprises the following steps: acquiring search information and first identity information corresponding to the search information; carrying out hash calculation on the first identity information to obtain a first abstract; comparing the first abstract with a plurality of second abstracts stored in the information database respectively; each second abstract is obtained by carrying out hash calculation on second identity information of a data ownership person, wherein the data ownership person refers to an owner of accessible data stored in an information database; if the target second abstract is matched with the first abstract, target accessible data corresponding to the target second abstract and the retrieval information are obtained from the information database, and the target accessible data is output. According to the data security authentication method and device based on the data elements and the electronic equipment, the data security can be improved by authenticating the identity information of the data ownership person.

Description

Data security authentication method and device based on data elements and electronic equipment

Technical Field

The application relates to the technical field of information security, in particular to a data security authentication method and device based on data elements and electronic equipment.

Background

With the popularization of digitization, people can generate a large amount of data in daily life, and daily work needs to be completed by means of the large amount of data. Many times people will retrieve the data stored in the database and obtain the required data, in most cases, only the user needs to authenticate the identity of the retrieved user, and the user can obtain the required data. This approach has limited protection for data security.

Disclosure of Invention

The embodiment of the application discloses a data security authentication method, a data security authentication device and electronic equipment based on data elements, which can improve the security of data by authenticating the identity information of a data owner.

In a first aspect, an embodiment of the present application discloses a data security authentication method based on a data element, including:

acquiring search information and first identity information corresponding to the search information;

carrying out hash calculation on the first identity information to obtain a first abstract;

comparing the first abstract with a plurality of second abstracts stored in an information database respectively; each second abstract is obtained by carrying out hash calculation on second identity information of a data ownership person, wherein the data ownership person refers to an owner of accessible data stored in the information database;

And if the target second abstract is matched with the first abstract in the information database, acquiring target accessible data corresponding to the target second abstract and the retrieval information from the information database, and outputting the target accessible data.

As an optional implementation manner, in a first aspect of the embodiment of the present application, after the obtaining the search information and the first identity information corresponding to the search information, the method further includes:

preprocessing the search information;

extracting features of the preprocessed search information to obtain a search data label corresponding to the search information;

extracting features of the first identity information to obtain identity features corresponding to the first identity information;

the hash calculation is performed on the first identity information to obtain a first digest, including:

carrying out hash calculation on the identity characteristics corresponding to the first identity information to obtain a first abstract;

the obtaining the target accessible data corresponding to the target second abstract and the search information from the information database comprises the following steps:

and acquiring target accessible data corresponding to the target second abstract and the retrieval data tag from the information database.

As an optional implementation manner, in a first aspect of the embodiment of the present application, the information database further includes information tags corresponding to stored accessible data one-to-one, and after the feature extraction is performed on the preprocessed search information to obtain a search data tag corresponding to the search information, the method further includes:

screening the information labels of the information database according to the retrieval data labels to obtain target information labels matched with the retrieval data labels;

determining a second abstract corresponding to the target information label according to the accessible data corresponding to the target information label;

the comparing the first abstract with a plurality of second abstracts stored in an information database respectively comprises:

and comparing the first abstract with each second abstract corresponding to the target information label.

As an optional implementation manner, in the first aspect of the embodiment of the present application, the information database further includes a communication manner and a digital signature of a person who has the right to access the data corresponding to the stored second abstract; the digital signature is obtained by encrypting the accessible data corresponding to the second abstract;

acquiring a communication mode and a digital signature corresponding to the target second abstract from the information database;

outputting the communication mode and acquiring an input public key;

and decrypting the digital signature by using the public key to obtain the target second abstract and target accessible data corresponding to the retrieval information.

In a first aspect of the embodiments of the present application, the decrypting the digital signature using the public key to obtain the target second digest and the target accessible data corresponding to the search information includes:

decrypting the digital signature according to the public key to obtain combined data;

decomposing the combined data to obtain first encrypted data and a data abstract;

judging whether the first encrypted data is complete or not according to the data abstract;

and if the first encrypted data is complete, decrypting the first encrypted data by using the public key to obtain the target second abstract and the target accessible data corresponding to the retrieval information.

As an optional implementation manner, in the first aspect of the embodiment of the present application, the method further includes:

encrypting the first accessible data by using a private key of a data owner corresponding to the first accessible data to obtain a digital signature corresponding to the first accessible data;

carrying out hash calculation on second identity information of a data owner corresponding to the first accessible data to obtain a second abstract corresponding to the first accessible data;

and storing the digital signature corresponding to the first accessible data, the second abstract and the communication mode of the data owner into an information database.

In a first aspect of the embodiments of the present application, encrypting the first accessible data using a private key of a data owner corresponding to the first accessible data to obtain a digital signature corresponding to the first accessible data includes:

encrypting the first accessible data by using a private key of a data owner corresponding to the first accessible data to obtain first encrypted data corresponding to the first accessible data;

performing hash calculation on the first encrypted data to obtain a data abstract corresponding to the first accessible data;

Combining the first encrypted data corresponding to the first accessible data with the data abstract to obtain combined data corresponding to the first accessible data;

and encrypting the combined data by using a private key of a data owner corresponding to the first accessible data to obtain a digital signature corresponding to the first accessible data.

In a second aspect, an embodiment of the present application discloses a data security authentication device based on a data element, including:

the identity acquisition module is used for acquiring the search information and first identity information corresponding to the search information;

the computing module is used for carrying out hash computation on the first identity information to obtain a first abstract;

the comparison module is used for respectively comparing the first abstract with a plurality of second summaries stored in the information database; each second abstract is obtained by carrying out hash calculation on second identity information of a data ownership person, wherein the data ownership person refers to an owner of accessible data stored in the information database;

and the data acquisition module is used for acquiring target accessible data corresponding to the target second abstract and the search information from the information database and outputting the target accessible data if the target second abstract is matched with the first abstract in the information database.

In a third aspect, an embodiment of the present application discloses an electronic device, including a memory and a processor, where the memory stores a computer program, where the computer program, when executed by the processor, causes the processor to implement a method as in any one of the embodiments above.

In a fourth aspect, embodiments of the present application disclose a computer readable storage medium storing a computer program which, when executed by a processor, implements a method as in any of the embodiments above.

The data security authentication method, the data security authentication device and the electronic equipment based on the data elements acquire search information and first identity information corresponding to the search information; carrying out hash calculation on the first identity information to obtain a first abstract; comparing the first abstract with a plurality of second abstracts stored in the information database respectively; each second abstract is obtained by carrying out hash calculation on second identity information of a data ownership person, wherein the data ownership person refers to an owner of accessible data stored in an information database; if the target second abstract is matched with the first abstract, target accessible data corresponding to the target second abstract and the retrieval information are obtained from the information database, and the target accessible data is output. In the embodiment of the application, the first abstract obtained by carrying out hash calculation on the first identity information is compared with the plurality of second abstracts stored in the information database, so that whether the target second abstract matched with the first abstract exists in the information database or not is determined, whether the first identity information corresponding to the retrieval information is consistent with the second identity information of the data owner or not can be determined, and authentication on the identity information of the data owner is realized; under the condition that the authentication of the identity information of the data ownership is successful, the target accessible data is obtained from the information database, and the security of the data can be improved by authenticating the identity information of the data ownership.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a flow diagram of a data element based data security authentication method in one embodiment;

FIG. 2 is a flow chart of a data security authentication method based on data elements in another embodiment;

FIG. 3 is a general flow diagram of a data element-based data security authentication method in one embodiment;

FIG. 4 is a flow diagram of obtaining target accessible data in one embodiment;

FIG. 5 is a flow diagram of digital signature decryption in one embodiment;

FIG. 6 is a flow diagram of generating an information database in one embodiment;

FIG. 7 is a flow diagram of first accessible data encryption in one embodiment;

FIG. 8 is a block diagram of a data security authentication device based on data elements in one embodiment;

fig. 9 is a block diagram of an electronic device in one embodiment.

Detailed Description

The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.

It should be noted that the terms "comprising" and "having" and any variations thereof in the embodiments and figures herein are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus.

It will be understood that the terms "first," "second," and the like, as used herein, may be used to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish one element from another element. For example, the first identity information may be referred to as second identity information, and similarly, the second identity information may be referred to as first identity information, without departing from the scope of the present application. Both the first identity information and the second identity information are identity information, but they are not necessarily the same identity information.

In the related technology, most of common data security authentication modes are used for authenticating identity information of a user, and if the identity information of the user meets the requirement, the user is allowed to acquire data or access the data; for example, when a user performs data search, the data security authentication device performs identity authentication on the search user. Although the method is simple and effective, whether the user is acquainted with the data ownership person or not and whether the data ownership person agrees to the user to acquire the data or not cannot be distinguished, and the protection of the data security is limited.

As shown in fig. 1, in one embodiment, a data security authentication method based on data elements is provided and can be applied to an electronic device, which can include, but is not limited to, a mobile phone, a smart wearable device, a tablet computer, a PC (Personal Computer, a personal computer), a server, and the like. The method may comprise the steps of:

step 110, obtaining the search information and the first identity information corresponding to the search information.

The big data security system can be comprehensively considered from four layers: the boundary is safe. Boundary security is used to limit users with only legitimate user identities to access large data platform clusters, the most common protection of boundary layers is identity authentication: focusing on controlling the identity authentication of external users or third party services during access, when all users access a security authentication enabled cluster, the access must be made through a security authentication mode. The data security authentication based on the data elements, which is expressed in the application, also comprises authentication of the data ownership identity information, and can be used for confirming that the user knows the data ownership identity information so as to ensure that the data is not acquired by strangers.

In some embodiments, the data security authentication device based on the data element may acquire the acquired search information and the first identity information corresponding to the search information from the input text data. The search information may be used to describe data that the user needs to search, and the search information may be keywords in text input by the user, keywords sentences, natural language input by the user, or the like. The first identity information refers to identity information of a data ownership person of data required to be retrieved by a user, and can be used for authenticating the identity information of the data ownership person of the data required to be retrieved by the user, and the first identity information can comprise personal identity information such as name, age, identity card number and the like of the data ownership person of the data required to be retrieved by the user; the data ownership person of the data that the user needs to retrieve refers to the owner of the data that the user needs to retrieve.

In some embodiments, feature extraction may be performed on the obtained search information and the first identity information corresponding to the search information, so as to obtain a search data tag or identity feature. The retrieval data tag refers to a keyword for describing retrieval information; the identity features refer to key information of a data owner for authenticating data required to be retrieved by the user in the first identity information.

Step 120, hash calculation is performed on the first identity information to obtain a first digest.

The binary value string with any length is mapped into the binary value string with fixed length, the rule of this mapping is Hash algorithm (Hash Function), and the binary value string obtained after mapping by the original data is Hash value. The first digest refers to a hash value obtained by hash calculation of the first identity information. The hash algorithm is one-way and cannot deduce the original data from the hash value reversal. Alternatively, hash algorithms that may be employed include, but are not limited to, MD5 (MD 5 Message-Digest Algorithm), SHA (Secure Hash Algorithm ), and the like.

In some embodiments, the first digest may be obtained by performing a hash calculation on the first identity information by a hash function. For example, the first identity information may be hashed using a hash function SHA-256 (Secure Hash Algorithm, secure hash algorithm 256) to obtain a first digest.

Specifically, the first identity information may be first converted into a byte message, a bit of "1" is appended at the end of the message, and the remaining bits are appended with "0" so that the final length is a multiple of 512 bits; dividing the byte message after the complement processing into blocks with 512 bits as a unit, and dividing each message block into 16 small blocks with 32 bits; initializing 8 cache hash values, which are generally fractional parts of square roots of the first 8 prime numbers (2,3,5,7,11,13,17,19) in natural numbers, and taking the 8 cache hash values as hash values obtained by the 0 th iteration, wherein each iteration uses a compression function of SHA256 to update the cache hash values, 16 small blocks corresponding to the ith message block are taken as parameters of the compression function corresponding to the ith iteration, and the hash values obtained by the ith iteration are the hash values obtained by the i-1 th iteration plus the i updated cache hash values; i is a positive integer less than or equal to the number of message blocks; the iteration times are the number of message blocks; the hash value obtained in the last iteration of the prize is used as the first digest.

Step 130, comparing the first digest with a plurality of second digests stored in the information database, respectively.

In some embodiments, an information database may be stored in the electronic device, which may be used to store a large number of accessible data, each of which may have a corresponding data owner, a corresponding second digest, a corresponding communication mode, a corresponding information tag, a corresponding digital signature, and so forth. The data ownership person corresponding to each accessible data refers to the owner of each accessible data stored in the information database; the ownership of the data corresponding to each accessible data may be the same or different. The second abstract corresponding to each accessible data is obtained by carrying out hash calculation on the second identity information of the corresponding data ownership person, and the second abstract corresponding to each accessible data is not necessarily the same as the data ownership person corresponding to each accessible data; the second abstract is used for authenticating the identity information of the data ownership person. The communication manner corresponding to each accessible data refers to any contact manner of the data ownership person corresponding to each accessible data, for example: one or more of a cell phone number, a mailbox number, a social software number, etc. for contacting the time ownership. The information label corresponding to each accessible data refers to a keyword obtained by extracting the characteristics of each accessible data, and is used for summarizing the data content of each accessible data. The digital signature corresponding to each accessible data refers to the encryption of each accessible data by using the private key of the data owner corresponding to each accessible data.

In some embodiments, the first digest is compared to all of the second digests stored in the information database one by one to determine if they are identical. Keywords in the search information can also be extracted, the keywords and information labels in the information database are searched, the searching mode can comprise SQL (Structured Query Language ) statement searching and the like, and then each second abstract corresponding to the found information is compared with the first abstract.

In some embodiments, the first digest may be compared to a plurality of second digests stored in the information database, respectively, using a comparison function. The respective bit values of the first digest may also be compared with respective bit values of a plurality of second digests stored in the information database, respectively. In particular, the first digest may be compared with a plurality of second digests stored in the information database, respectively, using comparison functions strcmp () and strcnmp ().

And 140, if the target second abstract is matched with the first abstract in the information database, acquiring target accessible data corresponding to the target second abstract and the retrieval information from the information database, and outputting the target accessible data.

If the target second abstract is matched with the first abstract, the first identity information corresponding to the first abstract is consistent with the second identity information of the person with the right to the data corresponding to the target second abstract, that is, the target accessible data stored by the first identity information corresponding to the first abstract can be found in the information database, and the target accessible data corresponds to the target second abstract and the search information.

In some embodiments, there may be multiple accessible data corresponding to the retrieved information in the information database, and then, according to the second digest, the accessible data corresponding to the target second digest matching the first digest is found as the target accessible data.

In some embodiments, if there are a plurality of second digests in the information database that match the first digest, then based on the retrieved information, accessible data corresponding to the retrieved information is found as the target accessible data. In order to find the accessible data corresponding to the search information, feature extraction may be performed on the search information to obtain a search data tag for matching with an information tag corresponding to the accessible data to find the accessible data corresponding to the search information.

In some embodiments, the second abstract stored in the information database may be searched by constructing an SQL statement using the first abstract as a search condition to find a target second abstract, and then the corresponding accessible data may be found in the information database according to the target second abstract.

In some embodiments, in order to further protect the security of the data, the accessible data stored in the information database is cryptographically calculated, so that even if there is a match between the target second digest and the first digest in the information database, it is necessary to decrypt the target accessible data corresponding to the target second digest. Specific decryption steps can be operated according to different encryption methods, and common encryption methods include RSA (asymmetric public key and secret key) encryption, AES (Advanced Encryption Standard ) encryption, and the like.

In the embodiment of the application, the first abstract obtained by carrying out hash calculation on the first identity information is compared with the plurality of second abstracts stored in the information database, so that whether the target second abstract matched with the first abstract exists in the information database or not is determined, whether the first identity information corresponding to the retrieval information is consistent with the second identity information of the data owner or not can be determined, and authentication on the identity information of the data owner is realized; only when the second abstract of the target is consistent with the first abstract, the authentication of the identity information of the ownership of the data is successful, the accessible target data corresponding to the second abstract of the target and the retrieval information is obtained from the information database, and the safety of the data can be improved.

In another embodiment, as shown in fig. 2, a method for data security authentication based on data elements is provided, and the method may be applied to the electronic device, and the method may include the following steps:

step 202, obtaining search information and first identity information corresponding to the search information.

The description of step 202 may refer to the related description of step 110 in the above embodiment, and will not be repeated here.

Step 204, preprocessing the search information.

In some embodiments, when the retrieved information is a text sequence, vectorization processing is required for the text sequence. The search information may be obtained by encoding the search information. Alternatively, the search information may be encoded by a model such as Word2Vec, negative sample, skip-Gram, gloVe (Global Vectors for Word Representation, global vector represented by words), etc., to obtain the search information. The search information may also be processed using a pre-trained GloVe word embedding model to generate search information. The GloVe word embedding model is a word representation tool based on global word frequency statistics, can form a word into a vector consisting of real numbers, can capture some semantic characteristics in the search information, and can enable subsequent use to combine various semantics in the search information.

In some embodiments, the obtained search information may have problems such as errors, missing values, abnormal values, repetition, and the like, and the search information needs to be cleaned. The search information obtained as described above may be cleaned. The error value processing method commonly adopted includes: removing spaces or other designated characters at both ends of the string, converting the string to lower/upper case, measuring the degree of difference between the two strings, correcting misspellings or approximate matches, etc. The difference degree between the two character strings can be measured by calculating the similarity between the two character strings, so that the difference degree between the two character strings is obtained and used for deleting the character strings with the difference degree exceeding a threshold value; removing the spaces or other specified characters at the two ends of the character string means that when the natural language is converted into text data, the spaces or other specified characters at the two ends of the character string can be possibly removed when the search information data is preprocessed.

The commonly used missing value processing method is as follows: the value of the missing data can be estimated by using a specified value or by a forward padding method, a backward padding method, deleting a row or a column containing the missing value and using known data, and a mean interpolation method, a median interpolation method or a regression interpolation method can be adopted; the commonly used outlier handling method is: identifying outliers that are significantly different from other data using a bin diagram, a Z-score (Standard score) or LOF (Local Outlier Factor ), DBSCAN (Density-Based Spatial Clustering of Applications with Noise, density-based noise application spatial clustering), or the like, manually culling the row or column where the outliers are located based on domain knowledge or specific business requirements; the commonly used duplicate value processing method is as follows: the duplicate values are detected and the return boolean Series indicates whether each element is duplicated, deleting the row in which the duplicate value is located. By using the method to preprocess the search information, the data of the search information can be more complete and accurate, and the situation that the result has serious deviation due to data abnormality in subsequent calculation is avoided.

And 206, extracting features of the preprocessed search information to obtain a search data tag corresponding to the search information.

The search data tag refers to a keyword obtained by extracting features of search information, and is used for describing key contents of the search information. For example, the search information input by the user is "i want to get related data of wearing the same shoe brand on the street by accident", and the corresponding search data tag may be "on the street, the same shoe brand".

In some embodiments, feature extraction can be performed on the preprocessed search information through a network model to obtain a search data tag corresponding to the search information. And extracting features of the preprocessed search information by using a key point extraction method to obtain a search data label corresponding to the search information. Specifically, a TF-IDF (Term Frequency/reverse file Frequency) may be used to acquire a keyword as a retrieval data tag corresponding to retrieval information.

In some specific embodiments, a TextRank algorithm may be used to perform feature extraction to obtain a search data tag corresponding to the search information. The TextRank algorithm is a graph-based ranking algorithm for keyword extraction and document summarization. The preprocessed retrieval information is regarded as a word network, nodes of the network represent words, links in the network represent semantic relations between words, a graph structure is represented by using an adjacent matrix (A) or a sparse matrix (S), weights (WS) of the nodes are initialized, weights of all the nodes are initialized to be equal values, the weights of the nodes in the current iteration are calculated by using a formula (1) according to the adjacent relations of the nodes and the weights of the nodes obtained in the previous iteration until the weights of the nodes meet convergence conditions, and words corresponding to the nodes with the largest weights in the weights of the nodes obtained in the last iteration are used as retrieval data labels corresponding to the retrieval information.

（1）

Wherein,representing nodesiWeights of (2); />Representing each adjacent node pair nodeiIn the search information, we can roughly consider that all sentences are adjacent, and the generation and extraction of a plurality of windows are not needed like a plurality of documents, and only a single document window is needed; />Representing nodesiAnd nodejSimilarity of (2); />Representing nodesjIs a nodeiIs the degree of penetration of (a); />Representing nodeskIs a nodeiIs a degree of departure of (2); />Representing nodeskAnd nodejSimilarity of (2); />Representing the node obtained in the last iterationjWeights of (2);dis the damping coefficient, typically 0.85.

And step 208, screening the information labels of the information database according to the retrieval data labels to obtain target information labels matched with the retrieval data labels.

In some embodiments, the search data tag may be used as a query condition to construct an SQL query statement to find a target information tag from the information database that matches the search data tag. The information labels of the information database are screened, so that the operation of finding the target second abstract from the information database can be simplified and accelerated. In the information database, if the information label is consistent with the search data label, the information label is a target information label definition matched with the search data label; if there are multiple search data labels, when the same number of information labels as the search data labels is greater than or equal to the label threshold value, the information labels corresponding to the accessible data are matched with the search data labels. The tag threshold value can be set for the data ownership person corresponding to the accessible data, the tag threshold values corresponding to different accessible data can be different, and the tag threshold values corresponding to all accessible data in the information database can be set to the same value.

Step 210, determining a second abstract corresponding to the target information label according to the accessible data corresponding to the target information label.

In some embodiments, according to the target information tag obtained by screening, accessible data corresponding to the target information tag is searched for from the information database, and a second abstract corresponding to the accessible data corresponding to the target information tag is found. Since the target information tag may correspond to one or more accessible data, there may also be one or more second digests found.

Optionally, if the target information tag matched with the search data tag cannot be found, it is indicated that no accessible data corresponding to the search information exists in the information database, that is, no data required to be searched by the user exists in the information database, and prompt information for prompting that the search fails may be output.

And 212, extracting the features of the first identity information to obtain the identity features corresponding to the first identity information.

In some embodiments, the first identity information corresponding to the obtained search information is not necessarily complete or is not necessarily an information attribute corresponding to the second identity information of the data owner in the information database, so that feature extraction needs to be performed on the first identity information corresponding to the search information, and the identity feature corresponding to the first identity information refers to the identity information capable of being matched with the second identity information of the data owner in the information database. Wherein the information attribute corresponding to the second identity information refers to the type of the second identity information, for example: the second identity information includes Zhang three, man and 1111, the information attribute corresponding to the second identity information is 4 digits after the name, sex and identification card number of the data ownership person, the first identity information corresponding to the search information may include name, age date of birth, sex and identification card number, etc., and the name, sex and identification card number of the first identity information corresponding to the search information needs to be extracted as the identity feature corresponding to the first identity information.

In some embodiments, feature extraction may be performed on the first identity information corresponding to the search information by using a feature extraction model obtained through supervised training, so as to obtain an identity feature corresponding to the first identity information. The word in the first identity information can be extracted by calculating the similarity between the word vector corresponding to the first identity information and the word vector of the identity information, so that the identity characteristic corresponding to the first identity information is obtained; the identity information word vector refers to a random word vector formed by using information attributes corresponding to the second identity information in the information database.

In the embodiment of the application, the search information is preprocessed and extracted in characteristics, a search data label corresponding to the search information is found, the information label of the information database is screened according to the search data label, a target information label matched with the search data label is obtained, and a second abstract corresponding to accessible data corresponding to the target information label is found from the information database according to the target information label. By carrying out feature extraction on the search data and carrying out feature extraction on the first identity information, extraction on important data is realized, the accuracy and the efficiency of data extraction are improved, and the comparison between the subsequent first abstract and the second abstract is more accurate and rapid. The database retrieval is performed using the feature extracted data, so that the accuracy of retrieving accessible data from the information database can be improved.

Step 214, hash calculation is performed on the identity feature corresponding to the first identity information, so as to obtain a first abstract.

The identity characteristic corresponding to the first identity information is obtained by extracting the characteristic of the first identity information, and has the same information attribute as the second identity information in the information database, so that the second identity information matched with the first identity can be found out from the information database, and the first accessible data can be acquired. In order to avoid the problems of missing and the like in the operation of data transmission or storage and the like, the hash calculation is carried out on the identity characteristics, and the operation is carried out in the form of a message digest.

In some embodiments, the identity feature may be hashed by a hash function to obtain the first digest. The identity feature may be hashed using a hash function SHA-256 (Secure Hash Algorithm, secure hash algorithm 256) to obtain a first digest.

The specific hash calculation method may refer to the description of step 120 in the above embodiment, and will not be repeated here.

And step 216, comparing the first abstract with each second abstract corresponding to the target information label.

The first abstract refers to an identity feature obtained by extracting the feature of the first identity information, and then hash calculation is carried out to obtain the first abstract; the second abstracts corresponding to the target information labels refer to all second abstracts corresponding to the target information labels, wherein the information labels are screened from the information database and matched with the data labels of the retrieval information.

The specific comparison method can refer to the related description of step 130 in the above embodiment, and will not be repeated here.

Step 218, if the target second digest matches the first digest, the target accessible data corresponding to the target second digest and the search data tag is obtained from the information database, and the target accessible data is output.

The description of step 218 may refer to the related description of step 130 in the above embodiment, and will not be repeated here.

In a specific embodiment, as shown in fig. 3, the flow of data security authentication based on data elements is as follows:

the method comprises the steps of firstly obtaining search information and first identity information corresponding to the search information, and respectively carrying out different processing on the search information and the search information. Firstly, preprocessing and feature extraction are carried out on search information to obtain a keyword of the search information as a search data tag corresponding to the search information, and then, according to the obtained search data tag, the information tag in the information database is screened to obtain a target information tag matched with the search data tag and corresponding accessible data, and a second abstract corresponding to the accessible data corresponding to the target information tag is obtained; secondly, extracting features of the first identity information corresponding to the retrieval information to obtain identity features with the same information attribute as the second identity information stored in the information database, and carrying out hash calculation on the identity features to obtain a first abstract; the method for carrying out hash calculation on the identity features is the same as the method for calculating the second abstract stored in the information database; comparing the second abstracts corresponding to all the obtained target information labels with the first abstracts with one point of identity characteristics; and if the target second abstract is matched with the first abstract, acquiring target accessible data corresponding to the target second abstract from the information database.

In the embodiment of the application, the first abstract obtained by carrying out hash calculation on the identity features obtained by carrying out feature extraction on the first identity information is used, the information labels in the information database are screened by the search data labels obtained by carrying out feature extraction on the search information, a plurality of second abstracts corresponding to the target information labels are obtained, and then the first abstract is compared with the plurality of second abstracts, so that the comparison times of the first abstract and the second abstracts can be reduced, the comparison efficiency is improved, and the accuracy of obtaining accessible data can be improved by using the search data labels to screen the information database; by comparing the first abstract with the second abstract, whether a target second abstract matched with the first abstract exists in the information database is determined, whether the first identity information corresponding to the retrieval information is consistent with the second identity information of the data ownership person can be determined, and authentication of the data ownership person identity information is realized; under the condition that the authentication of the identity information of the data ownership is successful, the target accessible data is obtained from the information database, and the security of the data can be improved by authenticating the identity information of the data ownership.

As shown in fig. 4, in one embodiment, the step of obtaining target accessible data corresponding to the target second summary and the retrieval information from the information database may include the steps of:

step 402, the communication mode and the digital signature corresponding to the second abstract of the target are obtained from the information database.

Optionally, if the target second digest matches the first digest, it is indicated that there is accessible data corresponding to the search information in the information database, but in general, the data owner encrypts the accessible data to ensure data security, so that the accessible data stored in the information database is not directly accessible, but is encrypted or otherwise assisted in obtaining the accessible data, for example: encrypted data corresponding to the second abstract, digital signature, communication mode of the data ownership person, and the like.

In some embodiments, the matching of the first digest and the target second digest may be performed to find a target second digest in the information database that matches the first digest, and then find a communication mode and a digital signature corresponding to the target second digest through the target second digest.

Step 404, outputting the communication mode and obtaining the input public key.

In some embodiments, after the communication mode and the digital signature corresponding to the target second digest are obtained from the information database, in order to complete decryption of the digital signature, the communication mode of the data owner is output, and the public key is obtained by contacting the data owner with the third party and querying the public key, so as to obtain the public key of the data owner input by the third party. The digital signature is obtained by encrypting accessible data by a data owner by using a private key; the third party refers to an object for inputting or sending out calculation information, and can be a data ownership person, a user who wants to acquire accessible data, an intelligent system and the like; if the third party is the data ownership person, the data ownership person can directly input the public key; if the third party is an intelligent system, the intelligent system can generate public key acquisition information through a mail template, an information template and the like, and send the public key acquisition information to a data owner to request a public key in a communication mode; the public key acquisition information refers to text information generated by the intelligent system for requesting the public key of the data ownership person. If the third party is a stranger or a stranger system relative to the data owner, the data owner may refuse to give the public key to the stranger or system when receiving the public key request from the stranger or system.

Public key encryption algorithms, namely asymmetric encryption algorithms, have different encrypted and decrypted passwords, one is a public key, and the other is a private key; the public key and the private key are opposed, in pairs. The public key is called public key, and only the private key is known by the public key.

And step 406, decrypting the digital signature by using the public key to obtain a target second abstract and target accessible data corresponding to the retrieval information.

In some embodiments, the digital signature may be decrypted and the integrity of the accessible data may be verified according to the public key of the data owner, and if the accessible data is complete, the target second digest and the target accessible data corresponding to the retrieved information may be obtained. The specific decryption process needs to be determined according to the encryption process of the owner of the data, and the accessible data can be obtained by decrypting the data once by using a public key, or can be obtained by decrypting the data for a plurality of times or splitting the data and other complex processes.

In some specific embodiments, as shown in fig. 5, the process of decrypting a digital signature using a public key may be as follows: decrypting the digital signature according to the public key of the data owner to obtain combined data; decomposing the combined data to obtain first encrypted data and a data abstract; judging whether the first encrypted data is complete or not according to the data abstract; and if the first encrypted data is complete, decrypting the first encrypted data by using the public key to obtain a target second abstract and target accessible data corresponding to the retrieval information.

In the embodiment of the application, if the target second abstract is matched with the first abstract, the communication mode of the actual signature corresponding to the target second abstract and the data ownership is obtained from the information database, the public key of the data ownership is removed after the communication mode is used, and the digital signature is decrypted to obtain the target accessible data. If the third party is to acquire the target accessible data, the third party not only needs to know the second identity information of the owner of the data, but also needs to decrypt the target accessible data through the contact of the owner of the data, and the accessible data stored in the learning database is protected by using a double security authentication mode, so that the security of the accessible data is improved.

As shown in fig. 6, in one embodiment, a process for generating an information database is provided, which can be applied to the data security authentication method based on data elements, and the process can include the following steps:

in step 610, the first accessible data is encrypted using the private key of the data owner corresponding to the first accessible data, so as to obtain a digital signature corresponding to the first accessible data.

In some embodiments, the first accessible data may be hashed to obtain a hash digest, and the hash digest may be placed in a digital signature to facilitate verification of the integrity of the first accessible data.

In some specific embodiments, as shown in fig. 7, the flow of encrypting the first accessible data by the data owner using the private key is as follows: encrypting the first accessible data by using a private key of a data owner corresponding to the first accessible data to obtain first encrypted data corresponding to the first accessible data; carrying out hash calculation on the first encrypted data to obtain a data abstract corresponding to the first accessible data; combining the first encrypted data corresponding to the first accessible data with the data abstract to obtain combined data corresponding to the first accessible data; and encrypting the combined data by using a private key of a data owner corresponding to the first accessible data to obtain a digital signature corresponding to the first accessible data.

And 620, performing hash calculation on the second identity information of the data ownership person corresponding to the first accessible data to obtain a second abstract corresponding to the first accessible data.

The hash calculation mode of the second identity information is the same as that of the first identity information, so that the number of bits of the second digest and the first digest which are correspondingly obtained is the same, and comparison of the first digest and the second digest can be conveniently completed in data security authentication based on data elements.

Step 630, the digital signature corresponding to the first accessible data, the second digest, and the communication mode of the data owner are stored in the information database.

The digital signature corresponding to the first accessible data, the second abstract and the communication mode of the data owner are correspondingly stored in the information database, so that each data of the information database can be conveniently extracted. The information label corresponding to the first accessible data can be correspondingly stored in the learning database so as to accelerate the comparison speed of the abstracts, the information label can be obtained by carrying out feature extraction or keyword extraction on the first accessible data, and the information label can be matched with the search data label obtained by carrying out feature extraction on the search information.

In the embodiment of the application, the information database is called for multiple times for data security authentication, the comparison operation of the abstracts is simplified through the information labels in the information database, the authentication of the identity information of the data ownership is realized through the comparison of the second abstracts and the first abstracts in the information database, the public key of the data ownership is obtained through the communication mode in the information database, the digital signature is decrypted, and the data security is improved.

As shown in fig. 8, in one embodiment, a data security authentication device 800 based on a data element is provided, and may be applied to the above-mentioned electronic device. The data security authentication device 800 based on data elements may include an identity acquisition module 810, a calculation module 820, a comparison module 830, and a data acquisition module 840.

An identity acquisition module 810, configured to acquire the search information and first identity information corresponding to the search information;

a calculation module 820, configured to perform hash calculation on the first identity information to obtain a first digest;

a comparing module 830, configured to compare the first digest with a plurality of second digests stored in the information database, respectively; each second abstract is obtained by carrying out hash calculation on second identity information of a data ownership person, wherein the data ownership person refers to an owner of accessible data stored in an information database;

the data obtaining module 840 is configured to obtain, if the target second digest matches the first digest in the information database, target accessible data corresponding to the target second digest and the search information from the information database, and output the target accessible data.

In some embodiments, the information database may further include an information tag corresponding to the stored accessible data one-to-one, a communication mode and a digital signature of the person who has the right to the stored second abstract; the digital signature is obtained by encrypting the accessible data corresponding to the second abstract.

As an alternative embodiment, the data security authentication device 800 based on the data element further includes a feature extraction module.

The feature extraction module is used for preprocessing the retrieval information; extracting features of the preprocessed search information to obtain a search data tag corresponding to the search information; and extracting the characteristics of the first identity information to obtain the identity characteristics corresponding to the first identity information.

The feature extraction module is also used for screening the information labels of the information database according to the retrieval data labels to obtain target information labels matched with the retrieval data labels; and determining a second abstract corresponding to the target information label according to the accessible data corresponding to the target information label.

In some embodiments, the calculating module 820 is further configured to perform hash calculation on the identity feature corresponding to the first identity information to obtain a first digest.

Optionally, the comparing module 830 is further configured to compare the first digest with each second digest corresponding to the target information tag, respectively.

In some embodiments, the data obtaining module 840 is further configured to obtain, from the information database, the target accessible data corresponding to the target second summary and the retrieved data tag.

Optionally, the data obtaining module 840 is further configured to obtain a communication mode and a digital signature corresponding to the second summary of the target from the information database; outputting a communication mode and acquiring an input public key; and decrypting the digital signature by using the public key to obtain a target second abstract and target accessible data corresponding to the retrieval information.

As an alternative embodiment, the data obtaining module 840 further includes a decryption unit, a decomposition unit, and a judgment unit.

The decryption unit is used for decrypting the digital signature according to the public key to obtain combined data;

the decomposition unit is used for decomposing the combined data to obtain first encrypted data and a data abstract;

the judging unit is used for judging whether the first encrypted data is complete or not according to the data abstract;

and the decryption unit is also used for decrypting the first encrypted data by using the public key if the first encrypted data is complete, so as to obtain a target second abstract and target accessible data corresponding to the retrieval information.

As an alternative embodiment, the data security authentication device 800 based on the data element further includes a storage module.

The storage module is used for encrypting the first accessible data by using a private key of a data owner corresponding to the first accessible data to obtain a digital signature corresponding to the first accessible data; carrying out hash calculation on second identity information of a data owner corresponding to the first accessible data to obtain a second abstract corresponding to the first accessible data; and storing the digital signature corresponding to the first accessible data, the second abstract and the communication mode of the data owner into an information database.

Optionally, the storage module includes an encryption unit, a hash unit, and a combining unit.

The encryption unit is used for encrypting the first accessible data by using a private key of a data owner corresponding to the first accessible data to obtain first encrypted data corresponding to the first accessible data;

the hash unit is used for carrying out hash calculation on the first encrypted data to obtain a data abstract corresponding to the first accessible data;

the combining unit is used for combining the first encrypted data corresponding to the first accessible data with the data abstract to obtain combined data corresponding to the first accessible data;

and the encryption unit is also used for encrypting the combined data by using the private key of the data owner corresponding to the first accessible data to obtain the digital signature corresponding to the first accessible data.

In the embodiment of the application, the first abstract obtained by carrying out hash calculation on the identity features obtained by carrying out feature extraction on the first identity information is used, the information labels in the information database are screened by the search data labels obtained by carrying out feature extraction on the search information to obtain the second abstract corresponding to the target information labels, and then the first abstract and the second abstract are compared, so that the comparison times of the first abstract and the second abstract can be reduced, the comparison efficiency is improved, and the accuracy of obtaining accessible data can be improved by using the search data labels to screen the information database; by comparing the first abstract with the second abstract, whether a target second abstract matched with the first abstract exists in the information database is determined, whether the first identity information corresponding to the retrieval information is consistent with the second identity information of the data ownership person can be determined, and authentication of the data ownership person identity information is realized; under the condition that the authentication of the identity information of the data ownership is successful, the target accessible data is obtained from the information database, and the security of the data can be improved by authenticating the identity information of the data ownership.

Fig. 9 is a block diagram of an electronic device in one embodiment. The electronic device can be a mobile phone, a tablet computer, an intelligent wearable device and the like. As shown in fig. 9, the electronic device 900 may include one or more of the following components: a processor 910, a memory 920 coupled to the processor 910, wherein the memory 920 may store one or more computer programs that may be configured to implement the methods described in the embodiments above when executed by the one or more processors 910.

Processor 910 may include one or more processing cores. The processor 910 utilizes various interfaces and lines to connect various portions of the overall electronic device 900, perform various functions of the electronic device 900, and process data by executing or executing instructions, programs, code sets, or instruction sets stored in the memory 920, and invoking data stored in the memory 920. Alternatively, the processor 910 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), programmable logic array (Programmable Logic Array, PLA). The processor 910 may integrate one or a combination of several of a central processing unit (Central Processing Unit, CPU), an image processor (Graphics Processing Unit, GPU), and a modem, etc. The CPU mainly processes an operating system, a user interface, an application program and the like; the GPU is used for being responsible for rendering and drawing of display content; the modem is used to handle wireless communications. It will be appreciated that the modem may not be integrated into the processor 910 and may be implemented solely by a single communication chip.

The Memory 920 may include a random access Memory (Random Access Memory, RAM) or a Read-Only Memory (Read-Only Memory). Memory 920 may be used to store instructions, programs, code, sets of codes, or instruction sets. The memory 920 may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for implementing at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, and the like. The storage data area may also store data or the like created by the electronic device 900 in use.

It is to be appreciated that electronic device 900 may include more or fewer structural elements than those described in the above-described block diagrams, including, for example, a power source, input keys, a camera, a speaker, a screen, an RF (Radio Frequency) circuit, a Wi-Fi (Wireless Fidelity) module, a bluetooth module, a sensor, etc., and may not be limited herein.

The present embodiments disclose a computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method as described in the above embodiments.

The embodiments of the present application disclose a computer program product comprising a non-transitory storage medium storing a computer program, which when executed by a processor, implements a method as described in the embodiments above.

Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program for instructing relevant hardware, where the program may be stored in a non-volatile computer readable storage medium, and where the program, when executed, may include processes in the embodiments of the methods described above. The computer readable storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), or the like.

Any reference to memory, storage, database, or other medium as used herein may include non-volatile and/or volatile memory. Suitable nonvolatile memory can include ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically Erasable PROM (Electrically Erasable PROM, EEPROM), or flash memory. Volatile memory can include random access memory (random access memory, RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms, such as Static RAM (SRAM), dynamic RAM (Dynamic Random Access Memory, DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDR SDRAM), enhanced SDRAM (Enhanced Synchronous DRAM, ESDRAM), synchronous Link DRAM (SLDRAM), memory bus Direct RAM (Rambus DRAM), and Direct memory bus dynamic RAM (Direct RambusDRAM, DRDRAM).

It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. Those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments and that the acts and modules referred to are not necessarily required in the present application.

In various embodiments of the present application, it should be understood that the size of the sequence numbers of the above processes does not mean that the execution sequence of the processes is necessarily sequential, and the execution sequence of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.

The technical features of the foregoing embodiments may be arbitrarily combined, and for brevity, all of the possible combinations of the technical features of the foregoing embodiments are not described, however, all of the combinations of the technical features should be considered as being within the scope of the disclosure.

The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.

In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.

The integrated units described above, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-accessible memory. Based on such understanding, the technical solution of the present application, or a part contributing to the prior art or all or part of the technical solution, may be embodied in the form of a software product stored in a memory, including several requests for a computer device (which may be a personal computer, a server or a network device, etc., in particular may be a processor in the computer device) to perform part or all of the steps of the above-mentioned method of the various embodiments of the present application.

The foregoing describes in detail a data element-based data security authentication method, apparatus and electronic device, and specific examples are applied to illustrate the principles and embodiments of the present application, and the description of the foregoing examples is only used to help understand the method and core idea of the present application. Meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims

1. A data security authentication method based on data elements, the method comprising:

If the target second abstract is matched with the first abstract, target accessible data corresponding to the target second abstract and the retrieval information are obtained from the information database, and the target accessible data are output;

the information database also comprises a communication mode and a digital signature of the person with the right of the data corresponding to the stored second abstract; the digital signature is obtained by encrypting the accessible data corresponding to the second abstract;

outputting the communication mode and acquiring an input public key; the communication mode is used for contacting the data ownership and inquiring the public key;

2. The method according to claim 1, wherein after the retrieving information and the first identity information corresponding to the retrieving information are obtained, the method further comprises:

Preprocessing the search information;

3. The method of claim 2, wherein the information database further comprises information tags in one-to-one correspondence with stored accessible data;

after the feature extraction is performed on the preprocessed search information to obtain the search data label corresponding to the search information, the method further comprises the following steps:

4. The method of claim 1, wherein decrypting the digital signature using the public key results in the target second digest and target accessible data corresponding to the retrieved information, comprising:

5. The method according to any one of claims 1-4, further comprising:

6. The method according to claim 5, wherein encrypting the first accessible data using the private key of the data owner corresponding to the first accessible data, to obtain the digital signature corresponding to the first accessible data, comprises:

7. A data security authentication device based on data elements, the device comprising:

the data acquisition module is used for acquiring target accessible data corresponding to the target second abstract and the search information from the information database and outputting the target accessible data if the target second abstract is matched with the first abstract in the information database;

The data acquisition module is further used for acquiring a communication mode and a digital signature corresponding to the target second abstract from the information database; outputting the communication mode and acquiring an input public key; the communication mode is used for contacting the data ownership and inquiring the public key; and decrypting the digital signature by using the public key to obtain the target second abstract and target accessible data corresponding to the retrieval information.

8. An electronic device comprising a memory and a processor, the memory having stored therein a computer program which, when executed by the processor, causes the processor to implement the method of any of claims 1 to 6.

9. A computer readable storage medium storing a computer program which, when executed by a processor, implements the method of any one of claims 1 to 6.