CN117319070A - Data processing method and device - Google Patents

Data processing method and device Download PDF

Info

Publication number
CN117319070A
CN117319070A CN202311405978.1A CN202311405978A CN117319070A CN 117319070 A CN117319070 A CN 117319070A CN 202311405978 A CN202311405978 A CN 202311405978A CN 117319070 A CN117319070 A CN 117319070A
Authority
CN
China
Prior art keywords
field
plaintext
key
preset
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311405978.1A
Other languages
Chinese (zh)
Inventor
李迎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi Safety Technology Co Ltd filed Critical Tianyi Safety Technology Co Ltd
Priority to CN202311405978.1A priority Critical patent/CN117319070A/en
Publication of CN117319070A publication Critical patent/CN117319070A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data processing method and a device, comprising the following steps: and acquiring plaintext data, wherein the plaintext data comprises at least one plaintext field. For any plaintext field, if the attribute of the plaintext field is determined to be a preset first attribute, randomly generating a first key of the plaintext field. Encrypting the plaintext field according to the first key to obtain a ciphertext field corresponding to the plaintext field, wherein the first keys of any two plaintext fields are different. The encryption key is dynamically calculated for the data of each piece of sensitive information, and then the encryption result is obtained by calculation according to the dynamic key and the configuration information. The function of sensitive information processing is increased, and the safety of sensitive information is improved.

Description

Data processing method and device
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for data processing.
Background
With the development and popularity of networks, the amount of data in the networks has exploded. During the use of the network, a lot of data information is generated, which contains a lot of sensitive information such as identification card number, name, mobile phone number, address, etc.
The processing is needed when the sensitive information is stored, but the current internet market only performs a single processing process when the sensitive information is processed, for example, only performs a fixed encryption processing method or a fixed desensitization encryption processing method when the sensitive information is processed. Therefore, the prior art has the problems of incomplete processing function, single function, insufficient security of the sensitive information and the like.
Therefore, how to solve the technical problems of insufficient processing function and single function of the sensitive information, and insufficient security of the sensitive information is a technical problem to be solved at present.
Disclosure of Invention
The embodiment of the invention provides a data processing method and device, which are used for dynamically calculating an encryption key for data of each piece of sensitive information and obtaining an encryption result according to the dynamic key and configuration information. The function of sensitive information processing is increased, and the safety of sensitive information is improved.
In a first aspect, an embodiment of the present invention provides a method for processing data, where the method is applied to a persistence framework, and the persistence framework includes an interceptor module, an encryption and decryption module, a desensitization module, and a key calculation module. Comprising the following steps:
Acquiring plaintext data; the plaintext data comprises at least one plaintext field;
for any plaintext field, if the attribute of the plaintext field is determined to be a preset first attribute, randomly generating a first key of the plaintext field;
encrypting the plaintext field according to the first key to obtain a ciphertext field corresponding to the plaintext field; the first keys of any two plaintext fields are not identical.
In the above technical solution, plaintext data is first obtained, where the plaintext data includes at least one plaintext field. For any plaintext field, if the attribute of the plaintext field is a preset first attribute, a first key of the plaintext field is generated. Wherein the attributes of the plaintext field are capable of characterizing the type of data stored by the field. The first attribute is preset to represent the attribute of the data field needing encryption. If the attribute of the plaintext field is a preset first attribute, the plaintext field is indicated as sensitive information, i.e. encryption is needed to be performed on the plaintext field. The first key encrypts the plaintext field to obtain the ciphertext field. Wherein the first keys of any two plaintext fields that need to be encrypted are different. The method and the device realize encryption by utilizing different keys aiming at different data fields, increase the safety of the data fields, expand the function of data field processing and enable the function of data field processing to be more comprehensive.
Optionally, encrypting the plaintext field according to the first key includes:
determining a preset identifier corresponding to the plaintext field according to the mapping relation between the preset first attribute and the preset identifier; the preset identifier represents the processing requirement of the plaintext field;
and based on the first key, encrypting the plaintext field according to the preset identifier.
In the above technical solution, the preset first attribute and the preset identifier have a mapping relationship, and the preset identifier of the plaintext field is determined according to the mapping relationship. And adding the preset identifier to a corresponding plaintext field, wherein the preset identifier is used for representing the processing requirement of the plaintext field. And finally, encrypting the plaintext field according to the preset identifier and the first key. The method and the device realize targeted processing of the data field and improve the safety of the data field.
Optionally, based on the first key, encrypting the plaintext field according to the preset identifier, including:
if the preset identifier is determined to comprise a first identifier and a second identifier, determining a first parameter and a second parameter;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field;
And encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a second key of the plaintext field.
In the above technical solution, the preset identifier includes a first identifier and a second identifier, where the first identifier is used for representing that calculation of the second key of the plaintext field is required, and the second identifier is used for representing that encryption is required by adding a random number to the plaintext field. The first parameter and the second parameter may be determined according to the first identifier and the second identifier, where the first parameter and the second parameter may be randomly generated or a preset fixed value. And calculating a second key of the plaintext field by using a preset calculation rule according to the first parameter and the first key. And finally, encrypting the plaintext field and the second parameter by using a preset encryption algorithm according to the second secret key to obtain a ciphertext. The data field is dynamically calculated to be an encryption key according to the first parameter and the first key, and then the data field and the second parameter are encrypted according to the encryption key, so that the safety of the data field is improved.
Optionally, based on the first key, encrypting the plaintext field according to the preset identifier, including:
If the preset identifier is determined to comprise a first identifier, determining a first parameter;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field;
encrypting the plaintext field according to a preset encryption algorithm and a second key of the plaintext field.
In the above technical solution, the first parameter is determined according to the first identifier. And calculating a second key by using a preset calculation rule according to the first parameter and the first key. And encrypting the plaintext field by using a preset encryption algorithm according to the second secret key. The encryption key is dynamically calculated for each data field, and then the data field is encrypted, so that the safety of the data field is improved.
Optionally, based on the first key, encrypting the plaintext field according to the preset identifier, including:
if the preset identifier is determined to comprise a second identifier, determining a second parameter;
and encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a first key of the plaintext field.
In the above technical scheme, the plaintext field and the second parameter are encrypted according to the first key by using a preset encryption algorithm. Dynamic encryption is carried out on each data field, and the safety of the data field is ensured.
Optionally, the method further comprises:
recording the first key, the first parameter, the second parameter of the plaintext field and/or the second key of the plaintext field to the local;
recording a ciphertext field corresponding to the plaintext field to a database, wherein the ciphertext field has a preset identifier.
In the technical scheme, the association relation between the plaintext field and the ciphertext field and the corresponding first key, the first parameter, the second parameter and/or the second key of the plaintext field is established, and then the parameters are stored locally. And replacing the corresponding plaintext field with the ciphertext field, and storing the ciphertext field with the preset identifier into a database to realize the lasting storage of the data field.
Optionally, after recording the ciphertext field corresponding to the plaintext field to the database, the method further includes:
obtaining ciphertext data from the database; the ciphertext data comprises at least one ciphertext field;
for any ciphertext field, a first key corresponding to the ciphertext field is acquired;
and decrypting the ciphertext field according to a preset identifier based on the first key to obtain a plaintext field corresponding to the ciphertext field.
In the technical scheme, the ciphertext field with the preset identifier is obtained from the database, and the first key corresponding to the ciphertext field is determined according to the association relation of the ciphertext field. And decrypting the ciphertext field according to the preset identifier and the first key to obtain a plaintext field. The ciphertext field is decrypted according to the preset identification, the safety of the data field is improved, and the processing function of the data field is expanded.
Optionally, decrypting the ciphertext field according to a preset identifier based on the first key includes:
if the preset identifier comprises a first identifier and a second identifier, locally inquiring a first parameter and a second parameter of the ciphertext field;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm, a second key of the ciphertext field and the second parameter.
In the above technical solution, corresponding first parameters and second parameters are obtained according to the association relation of the ciphertext fields. And calculating according to the first parameter and the first key by using a preset calculation rule to obtain a second key. And if the second secret key corresponding to the ciphertext field is stored, directly acquiring the second secret key according to the association relation. And decrypting the ciphertext field and the second parameter by using a preset encryption algorithm according to the second key. The decryption according to the preset identification is realized, the safety of the data field is improved, and the function of processing the data field is expanded.
Optionally, decrypting the ciphertext field according to a preset identifier based on the first key includes:
If the preset identifier is determined to comprise a first identifier, locally inquiring a first parameter of the ciphertext field;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm and a second key of the ciphertext field. In the above technical solution, if the preset identifier includes the first identifier, the corresponding first parameter is obtained according to the association relationship of the ciphertext field. And calculating a second key by using a preset calculation rule according to the first parameter and the first key. And then, according to the second secret key, decrypting the ciphertext field by using a preset encryption algorithm, so that the security of the data field is improved.
Optionally, decrypting the ciphertext field according to a preset identifier based on the first key includes:
if the preset identifier comprises a second identifier, locally inquiring a second parameter of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm, the first key of the ciphertext field and the second parameter.
In the above technical solution, if the second identifier is included, the second parameter is obtained according to the association relationship of the ciphertext field. And decrypting the ciphertext field and the second parameter according to the first key by using a preset encryption algorithm, so that the security of the data field is improved.
Optionally, after obtaining the plaintext field corresponding to the ciphertext field, the method further includes:
if the preset identifier of the plaintext field is determined to comprise a third identifier, determining a third parameter;
and according to a preset desensitization rule, desensitizing the plaintext field based on the third parameter to obtain a desensitization field corresponding to the plaintext field.
In the above technical solution, if the preset identifier further includes a third identifier, the data desensitization is required to be performed to characterize the plaintext field. And obtaining a third parameter according to the third identifier, wherein the third parameter can be randomly generated or a preset fixed value. And performing data desensitization on the plaintext field according to the third parameter to obtain a desensitized field. The desensitization of the data field is realized, and the safety of the data field is improved.
In a second aspect, an embodiment of the present invention provides an apparatus for data processing, including:
the acquisition module is used for acquiring plaintext data; the plaintext data comprises at least one plaintext field;
the processing module is used for randomly generating a first key of a plaintext field according to any plaintext field if the attribute of the plaintext field is determined to be a preset first attribute;
encrypting the plaintext field according to the first key to obtain a ciphertext field corresponding to the plaintext field; the first keys of any two plaintext fields are not identical.
Optionally, the processing module is specifically configured to:
determining a preset identifier corresponding to the plaintext field according to the mapping relation between the preset first attribute and the preset identifier; the preset identifier represents the processing requirement of the plaintext field;
and based on the first key, encrypting the plaintext field according to the preset identifier.
Optionally, the processing module is specifically configured to:
if the preset identifier is determined to comprise a first identifier and a second identifier, determining a first parameter and a second parameter;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field;
and encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a second key of the plaintext field.
Optionally, the processing module is specifically configured to:
if the preset identifier is determined to comprise a first identifier, determining a first parameter;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field;
encrypting the plaintext field according to a preset encryption algorithm and a second key of the plaintext field.
Optionally, the processing module is specifically configured to:
if the preset identifier is determined to comprise a second identifier, determining a second parameter;
and encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a first key of the plaintext field.
Optionally, the processing module is further configured to:
recording the first key, the first parameter, the second parameter of the plaintext field and/or the second key of the plaintext field to the local;
recording a ciphertext field corresponding to the plaintext field to a database, wherein the ciphertext field has a preset identifier.
Optionally, the acquiring module is further configured to:
obtaining ciphertext data from the database; the ciphertext data comprises at least one ciphertext field;
optionally, the processing module is further configured to:
for any ciphertext field, a first key corresponding to the ciphertext field is acquired;
and decrypting the ciphertext field according to a preset identifier based on the first key to obtain a plaintext field corresponding to the ciphertext field.
Optionally, the processing module is specifically configured to:
if the preset identifier comprises a first identifier and a second identifier, locally inquiring a first parameter and a second parameter of the ciphertext field;
Calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm, a second key of the ciphertext field and the second parameter.
Optionally, the processing module is specifically configured to:
if the preset identifier is determined to comprise a first identifier, locally inquiring a first parameter of the ciphertext field;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm and a second key of the ciphertext field.
Optionally, the processing module is specifically configured to:
if the preset identifier comprises a second identifier, locally inquiring a second parameter of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm, the first key of the ciphertext field and the second parameter.
Optionally, the processing module is further configured to:
if the preset identifier of the plaintext field is determined to comprise a third identifier, determining a third parameter;
and according to a preset desensitization rule, desensitizing the plaintext field based on the third parameter to obtain a desensitization field corresponding to the plaintext field.
In a third aspect, an embodiment of the present invention further provides a computer apparatus, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the data processing method according to the obtained program.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing computer-executable instructions for causing a computer to perform the above-described method of data processing.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a system architecture according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method for data processing according to an embodiment of the present invention;
fig. 3 is a flow chart of a method for encrypting data according to an embodiment of the present invention;
FIG. 4 is a flow chart of a method for decrypting and desensitizing data according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 illustrates a system architecture to which an embodiment of the present invention is applied, the system architecture including a DAO object 150, a persistence framework 100, and a database 160, the persistence framework 100 may include an interceptor module 110, a key calculation module 120, an encryption and decryption module 130, and a desensitization module 140.
DAO object 150 is used to write data fields and input the data fields to persistence framework 100.
The interceptor module 110 is configured to identify a preset identifier in the plaintext data input by the DAO object 150 and the ciphertext field acquired by the database 160. And reading a preset identifier, and acquiring a first key, a plaintext field to be encrypted, a ciphertext field to be decrypted and a preset third parameter.
The key calculation module 120 is configured to calculate a second key according to the first key and the first parameter obtained from the interceptor module 110 by using a preset calculation rule.
The encryption and decryption module 130 is configured to encrypt the plaintext field and the second parameter by using a preset encryption algorithm according to the second key obtained from the key calculation module 120 to obtain a ciphertext field, or decrypt the ciphertext field and the second parameter to obtain a plaintext field. The encryption and decryption module 130 supports the main stream encryption and decryption algorithm such as AES, DES, MD, and the specific encryption and decryption algorithm is not limited specifically.
The desensitization module 140 is configured to desensitize the plaintext field according to the third parameter, so as to obtain a desensitized field. The desensitization module 140 supports desensitization of common information such as address, phone, name, etc., and is not specifically limited herein.
Database 160 is used for storing ciphertext fields with preset identifiers.
It should be noted that the structure shown in fig. 1 is merely an example, and the embodiment of the present invention is not limited thereto.
Based on the above description, fig. 2 is a schematic flow chart illustrating a method for processing data according to an embodiment of the present invention, as shown in fig. 2, where the flow specifically includes:
step 210, obtain plaintext data.
In the embodiment of the invention, the plaintext data comprises at least one plaintext field. Specifically, the system initializes the DAO object and writes plaintext data into the DAO object, where the plaintext data includes at least one plaintext field, such as a name, a phone number, an identification card number, a creation time, and other data fields. The DAO object is capable of inputting plaintext data into the persistence framework.
Step 220, for any plaintext field, if it is determined that the attribute of the plaintext field is a preset first attribute, a first key of the plaintext field is randomly generated.
In the embodiment of the invention, the attribute of the plaintext field can represent the data type stored in the field, the data type can be user data, time data, daily data and the like, such as name, telephone number and identity card number are user data, and the creation time is time data. The preset first attribute may characterize the data field attribute that needs to be encrypted, and thus the preset first attribute may be referred to as a preset encryption attribute. If the first attribute is preset as the user data, the name, the phone number and the identification card number of the user data need to be encrypted. Specifically, for any plaintext field, if the plaintext field needs to be encrypted, a first key corresponding to the plaintext field is randomly generated, for example, if the plaintext field is a telephone number, the first key of the telephone number is generated. The first key may be used to characterize that the corresponding plaintext field needs to be encrypted.
And 230, encrypting the plaintext field according to the first key to obtain a ciphertext field corresponding to the plaintext field.
In the embodiment of the invention, the preset identifier corresponding to the plaintext field is determined according to the mapping relation between the preset first attribute and the preset identifier. Wherein, the preset mark represents the processing requirement of a plaintext field; by way of example, the preset identifier may include a first identifier, a second identifier, and a third identifier, which are not specifically limited herein. Further, a mapping relationship is provided between the preset first attribute and the preset identifier, for example, the preset first attribute includes an attribute 1, an attribute 2 and an attribute 3, a field of the attribute 1 and the first identifier have a preset mapping relationship, a field of the attribute 2 and the first identifier and the second identifier all have a preset mapping relationship, and a field of the attribute 3 and the second identifier have a preset mapping relationship. If the attribute of the plaintext field is determined to be the attribute 2 in the preset first attribute, adding a first identifier and a second identifier into the plaintext field. For example, if the attribute of the mobile phone number is attribute 2 in the preset first attribute, the first identifier and the second identifier are added in the field of the mobile phone number. If the attribute of the plaintext field is determined to be the attribute 1 in the preset first attribute, adding a first identifier into the plaintext field. For example, if the attribute of the name is attribute 1 in the preset first attribute, the first identifier is added in the plaintext field of the name. If the attribute of the plaintext field is determined to be the attribute 3 in the preset first attribute, adding a second identifier into the plaintext field. For example, if the attribute of the address is attribute 3 in the preset first attribute, a second identifier is added in a plaintext field of the address.
. The first identifier may also be called a random factor flag, and is used for indicating that a calculation needs to be performed to obtain a second key of a plaintext field; the second identifier may also be called an encryption/decryption flag, and is used for encrypting and decrypting the plaintext field by adding a random number.
And based on the first secret key, encrypting the plaintext field according to the preset identifier to obtain a ciphertext field corresponding to the plaintext field. The first keys of any two plaintext fields are different, for example, the first key of the mobile phone number is K1, and the first key of the identity card number is K2.
For example, if it is determined that the preset identifier includes a first identifier and a second identifier, the first parameter and the second parameter are determined. The first parameter and the second parameter may be generated randomly or may be preset fixed values, the first parameter may also be referred to as a dynamic factor value, the second parameter may also be referred to as a salt value, for example, the second key is calculated by randomly generating the dynamic factor value, encrypting the random generated salt value and the plaintext field, or the system sets a fixed dynamic factor value and a fixed salt value, and when in use, the system is queried to obtain the dynamic factor value and the salt value.
Further, the first parameter and the first key are calculated according to a preset calculation rule to obtain a second key of the plaintext field, for example, a random factor mark is read to obtain a first key K1, the first parameter, namely a dynamic factor value F, the second key, namely a dynamic key K2, is calculated according to a k2=e (K1, F) formula of the preset calculation rule, and the dynamic key K2 is written into the local linear variable. The calculation method E may be a time-based algorithm (such as HOTP and TOTP), a counter-based algorithm (such as OCRA and S/KEY), and the like, which are not particularly limited herein.
Encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a second key of the plaintext field, for example, the plaintext field P which needs to be encrypted, determining the second parameter, namely the salt value V, according to a second identifier, reading a dynamic key K2 in a local linear variable, and calculating to obtain the ciphertext field C according to a preset encryption algorithm C=M (K2, P, V) formula. The encryption and decryption algorithm M may be a main stream encryption and decryption algorithm such as AES (Advanced EncryptionStandard ), DES (Data Encryption Standard, data encryption standard), MD5 (Message Digest Algorithm, information summary algorithm), and the specific encryption and decryption algorithm is not limited specifically.
In one possible implementation, the first parameter is determined based on a first identification in a plaintext field. And then calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field, wherein the calculation process is the same as that described above and will not be repeated here. Encrypting the plaintext field according to a preset encryption algorithm and a second key of the plaintext field to obtain a ciphertext field, for example, the plaintext field P which needs to be encrypted, reading a dynamic key K2 in a local linear variable, and calculating according to a preset encryption algorithm C=M (K2, P) formula to obtain a ciphertext field C. The encryption and decryption algorithm M is the same as above, and will not be described here again.
In yet another possible implementation, the second parameter is determined based on a second identification in the plaintext field. And encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a first key of the plaintext field to obtain a ciphertext field, for example, the plaintext field P is needed to be encrypted, determining the second parameter, namely the salt value V, according to a second identifier, obtaining a first key K1 corresponding to the plaintext field, and calculating according to a preset encryption algorithm C=M (K1, P, V) formula to obtain the ciphertext field C. The encryption and decryption algorithm M is the same as above, and will not be described here again.
Based on the description, after determining the ciphertext field corresponding to the plaintext field, the first key, the first parameter, the second parameter and/or the second key of the plaintext field are recorded locally. Specifically, an association relationship between the ciphertext field and the first key, the first parameter, the second parameter and/or the second key of the plaintext field is established, and then the parameters are saved to the local. If the first parameter and the second parameter are generated random numbers, the random numbers need to be recorded to the local; if the fixed value is preset for the system, the recording to the local is not needed to be repeated. And then, recording a ciphertext field corresponding to the plaintext field to a database, wherein the ciphertext field has a preset identifier. For example, after obtaining the ciphertext field, replacing the plaintext field corresponding to the ciphertext field in the DAO object with the ciphertext field, thereby obtaining the ciphertext field with the preset identifier, and storing the ciphertext field in the database.
In order to better explain the above technical solution, fig. 3 is a schematic flow diagram illustrating a method for encrypting data according to an embodiment of the present invention, as shown in fig. 3, where the flow includes:
step 301, initializing a DAO object and writing plaintext data.
The DAO object is created and plaintext data is written, the plaintext data includes plaintext fields of name, phone number, creation time.
Step 302, judging whether encryption is needed, if yes, executing step 303, otherwise executing step 306.
The preset encryption attribute is user data, and the preset encryption attribute is the same as a telephone number belonging to the user data, and a plaintext field representing the telephone number needs to be encrypted. Meanwhile, the preset desensitization attribute is user data, and the preset desensitization attribute is the same as a telephone number belonging to the user data, and indicates that a plaintext field of the telephone number needs to be desensitized.
In step 303, a preset identifier is written in the plaintext field.
If the plaintext field of the telephone number needs to be encrypted, a first key of the plaintext field is generated, and an encryption and decryption mark and a random factor mark are written into the plaintext field of the telephone number. If the plaintext field of the telephone number needs to be subjected to desensitization, a desensitization mark is written into the plaintext field of the telephone number.
Step 304, a dynamic key is calculated.
Reading a random factor mark to obtain a first key K1, obtaining a fixed dynamic factor value F preset by a system, calculating according to a K2=E (K1, F) formula to obtain a dynamic key K2, and writing the dynamic key K2 into a local linear variable.
Step 305, encrypt the plaintext field to obtain the ciphertext field.
The encryption is needed to be carried out on a plaintext field P of the telephone number, a fixed salt value V preset by a system is obtained according to encryption and decryption marks, a dynamic key K2 in a local thread variable is obtained, and a ciphertext field C of the telephone number is obtained through calculation according to a formula of C=M (K2, P, V). The plaintext field P in the DAO object is replaced by the ciphertext field C of the phone number.
Step 306, save DAO object to database.
And storing the ciphertext field comprising the telephone number and the DAO object with the preset identification into a database. And establishing an association relation between a plaintext field and a ciphertext field of the telephone number and the first key K1, and then storing the first key K1 to the local.
Based on the description, whether the attribute of the plaintext field is the preset first attribute is determined, so that the preset identifier of the plaintext field is determined, and the first key of the plaintext field is generated. And encrypting the plaintext field according to the preset identifier and the first key to obtain the ciphertext field. The method and the device realize encryption by using different keys for different data fields, increase the safety of the data fields and expand the function of processing the data fields.
In some embodiments, after the ciphertext field is recorded in the database, when a plaintext field corresponding to the ciphertext field needs to be used, ciphertext data is obtained from the database, where the ciphertext data includes at least one ciphertext field, for example, DAO object data in the database is read, and the ciphertext data includes a ciphertext field having a preset identifier. For any ciphertext field, a first key corresponding to the ciphertext field is obtained, and in some embodiments, the first identifier or the second identifier may include the first key, and the first key corresponding to the plaintext field is obtained by reading the first identifier or the second identifier, or the first key is obtained locally according to an association relationship of the ciphertext field. For example, a random factor identifier in a preset identifier is read, and a first key is obtained. And then decrypting the ciphertext field according to the preset identifier and the first key to obtain a plaintext field corresponding to the ciphertext field. If the preset identifier includes the first identifier and the second identifier, the first parameter and the second parameter of the ciphertext field are queried locally, for example, the corresponding first parameter and the second parameter, that is, the dynamic factor value and the salt value, are read locally according to the association relationship of the ciphertext field. The first parameter and the first key are calculated according to a preset calculation rule to obtain a second key of the ciphertext field, for example, the first key K1 is locally obtained according to an association relation of the ciphertext field, the first parameter, namely the dynamic factor value F, is calculated according to a preset calculation rule k2=e (K1, F) formula to obtain the second key, namely the dynamic key K2, and the dynamic key K2 is written into a local linear variable, wherein the calculation method E is the same as above and is not described herein. Decrypting the ciphertext field according to a preset encryption algorithm, a second key of the ciphertext field and a second parameter, for example, the ciphertext field C which needs to be decrypted, obtaining the second parameter, namely the salt value V, from the local query according to the association relation between the second identifier and the ciphertext field, reading a dynamic key K2 in a local linear variable, and calculating according to a preset encryption algorithm P=M (K2, C, V) formula to obtain a plaintext field P, wherein the encryption and decryption algorithm is the same as above and is not described herein.
In one possible implementation manner, if the preset identifier of the ciphertext field only includes the first identifier, the first parameter is obtained locally according to the association relationship query. And then calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field, wherein the calculation process is the same as that described above and is not repeated here. Decrypting the ciphertext field according to a preset encryption algorithm and a second key of the ciphertext field to obtain a plaintext field, for example, the ciphertext field C which needs to be decrypted, reading a dynamic key K2 in a local linear variable, and calculating according to a preset encryption algorithm P=M (K2, C) formula to obtain a plaintext field P. The encryption and decryption algorithm M is the same as above, and will not be described here again.
In another possible implementation manner, if the preset identifier of the ciphertext field only includes the second identifier, the second parameter is obtained locally according to the association relationship query. Decrypting the ciphertext field according to a preset encryption algorithm, a first key of the ciphertext field and a second parameter to obtain a plaintext field, for example, the ciphertext field C needs to be decrypted, and obtaining the plaintext field P by locally inquiring the second parameter, namely the salt value V, and a first key K1 corresponding to the ciphertext field according to a second identifier and an association relation and calculating according to a preset encryption algorithm P=M (K1, C, V) formula. The encryption and decryption algorithm M is the same as above, and will not be described here again.
In another possible implementation manner, the method may further include a preset second attribute, and the field that may characterize a certain attribute needs to be desensitized, if the preset desensitization attribute is user data, then the name, phone number, and identification card number of the user data need to be desensitized. If the attribute of the plaintext field is determined to be the preset second attribute, a third identifier is added to the plaintext field, where the third identifier is used to indicate that data desensitization is performed, and the third identifier may also be referred to as a desensitization flag, for example, the attribute of the plaintext field of the mobile phone number is the same as the preset second attribute, which indicates that the plaintext field of the mobile phone needs to be desensitized, and the desensitization flag is added to the field of the mobile phone number. After the ciphertext field is decrypted to obtain the plaintext field, if the preset identifier of the plaintext field further comprises a third identifier, determining a third parameter. The third parameter may be a randomly generated character or a fixed value preset for the system, and may also be referred to as a replacement character, for example, the replacement character may be randomly generated for desensitization, or a fixed replacement character may be set by the system, and the system may be queried to obtain the replacement character when in use. And according to a preset desensitization rule, desensitizing the plaintext field based on a third parameter to obtain a desensitization field corresponding to the plaintext field, if the desensitization is required to be performed, determining the third parameter, such as a replacement character R, according to a formula of S=D (P, R) to obtain a desensitization field S, wherein the desensitization field is the plaintext field P to be desensitized.
In order to better explain the above technical solution, fig. 4 is a schematic flow chart schematically illustrating a method for decrypting and desensitizing data according to an embodiment of the present invention, as shown in fig. 4, where the flow includes:
in step 401, DAO object data in a database is read.
If a plaintext field of the phone number is required, the DAO object including the data field is read.
Step 402, determining whether decryption is needed, if yes, executing step 403, otherwise executing step 405.
And identifying whether the data field has an encryption and decryption mark and/or a random factor mark, and if so, indicating that the data field needs to be decrypted.
In step 403, the dynamic key is calculated.
Reading a random factor mark to obtain a first key K1, obtaining a fixed random field value F preset by a system, calculating according to a formula of K2=E (K1, F) to obtain a dynamic key K2, and writing the dynamic key K2 into a local linear variable.
And step 404, decrypting the ciphertext field to obtain a plaintext field.
The cipher text field C of the telephone number to be decrypted is obtained, a dynamic key K2 in a local thread variable is obtained, a fixed salt value V preset by the system is obtained according to encryption and decryption marks, and a plaintext field P of the telephone number is obtained through calculation according to a formula of P=M (K2, C, V). The ciphertext field C in the DAO object is replaced with the plaintext field P of the phone number.
Step 405, determining whether desensitization is needed, if yes, executing step 406, otherwise executing step 407.
Identifying whether the data field has a desensitization flag, if so, indicating that the data field needs to be desensitized.
And step 406, desensitizing the plaintext field to obtain a desensitized field.
The method comprises the steps of obtaining a fixed replacement character R preset by a system according to a desensitization mark, and calculating a desensitization field S according to an S=D (P, R) formula, wherein the desensitization field P is a plaintext field P of a telephone number to be desensitized.
Step 407, outputting the DAO object.
And outputting the DAO object containing the data field.
In the embodiment of the invention, when a plaintext field is required to be used, a ciphertext field with a pre-identifier is obtained from a database, and a corresponding first key is determined according to the association relationship between the ciphertext field and the first key. And then decrypting the ciphertext field according to the preset identifier and the first key to obtain a plaintext field, so that the corresponding decryption method is used for decrypting different ciphertext fields. When the plaintext field needs to be desensitized, the plaintext field is desensitized according to a preset identifier to obtain a desensitized field, the desensitization operation on the data field is realized, the safety of the data field is improved, and the function of processing the data field is expanded.
Based on the same technical concept, fig. 5 schematically illustrates a structural diagram of a data processing apparatus according to an embodiment of the present invention, where the apparatus may perform the flow of the data processing method.
As shown in fig. 5, the apparatus specifically includes:
an obtaining module 510, configured to obtain plaintext data; the plaintext data comprises at least one plaintext field;
the processing module 520, for any plaintext field, generates a first key of the plaintext field randomly if it is determined that the attribute of the plaintext field is a preset first attribute;
encrypting the plaintext field according to the first key to obtain a ciphertext field corresponding to the plaintext field; the first keys of any two plaintext fields are not identical.
Optionally, the processing module 520 is specifically configured to:
determining a preset identifier corresponding to the plaintext field according to the mapping relation between the preset first attribute and the preset identifier; the preset identifier represents the processing requirement of the plaintext field;
and based on the first key, encrypting the plaintext field according to the preset identifier.
Optionally, the processing module 520 is specifically configured to:
if the preset identifier is determined to comprise a first identifier and a second identifier, determining a first parameter and a second parameter;
Calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field;
and encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a second key of the plaintext field.
Optionally, the processing module 520 is specifically configured to:
if the preset identifier is determined to comprise a first identifier, determining a first parameter;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field;
encrypting the plaintext field according to a preset encryption algorithm and a second key of the plaintext field.
Optionally, the processing module 520 is specifically configured to:
if the preset identifier is determined to comprise a second identifier, determining a second parameter;
and encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a first key of the plaintext field.
Optionally, the processing module 520 is further configured to:
recording the first key, the first parameter, the second parameter of the plaintext field and/or the second key of the plaintext field to the local;
recording a ciphertext field corresponding to the plaintext field to a database, wherein the ciphertext field has a preset identifier.
Optionally, the obtaining module 510 is further configured to:
obtaining ciphertext data from the database; the ciphertext data comprises at least one ciphertext field;
optionally, the processing module 520 is further configured to:
for any ciphertext field, a first key corresponding to the ciphertext field is acquired;
and decrypting the ciphertext field according to a preset identifier based on the first key to obtain a plaintext field corresponding to the ciphertext field.
Optionally, the processing module 520 is specifically configured to:
if the preset identifier comprises a first identifier and a second identifier, locally inquiring a first parameter and a second parameter of the ciphertext field;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm, a second key of the ciphertext field and the second parameter.
Optionally, the processing module 520 is specifically configured to:
if the preset identifier is determined to comprise a first identifier, locally inquiring a first parameter of the ciphertext field;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field;
And decrypting the ciphertext field according to a preset encryption algorithm and a second key of the ciphertext field.
Optionally, the processing module 520 is specifically configured to:
if the preset identifier comprises a second identifier, locally inquiring a second parameter of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm, the first key of the ciphertext field and the second parameter.
Optionally, the processing module 520 is further configured to:
if the preset identifier of the plaintext field is determined to comprise a third identifier, determining a third parameter;
and according to a preset desensitization rule, desensitizing the plaintext field based on the third parameter to obtain a desensitization field corresponding to the plaintext field.
Based on the same technical concept, the embodiment of the invention further provides a computer device, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the data processing method according to the obtained program.
Based on the same technical idea, the embodiment of the present invention also provides a computer-readable storage medium storing computer-executable instructions for causing a computer to perform the above-described data processing method.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (14)

1. A method of data processing, comprising:
acquiring plaintext data; the plaintext data comprises at least one plaintext field;
for any plaintext field, if the attribute of the plaintext field is determined to be a preset first attribute, randomly generating a first key of the plaintext field;
encrypting the plaintext field according to the first key to obtain a ciphertext field corresponding to the plaintext field; the first keys of any two plaintext fields are not identical.
2. The method of claim 1, wherein encrypting the plaintext field according to the first key comprises:
determining a preset identifier corresponding to the plaintext field according to the mapping relation between the preset first attribute and the preset identifier; the preset identifier represents the processing requirement of the plaintext field;
and based on the first key, encrypting the plaintext field according to the preset identifier.
3. The method of claim 2, wherein encrypting the plaintext field based on the first key according to the preset identifier comprises:
if the preset identifier is determined to comprise a first identifier and a second identifier, determining a first parameter and a second parameter;
Calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field;
and encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a second key of the plaintext field.
4. The method of claim 2, wherein encrypting the plaintext field based on the first key according to the preset identifier comprises:
if the preset identifier is determined to comprise a first identifier, determining a first parameter;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the plaintext field;
encrypting the plaintext field according to a preset encryption algorithm and a second key of the plaintext field.
5. The method of claim 2, wherein encrypting the plaintext field based on the first key according to the preset identifier comprises:
if the preset identifier is determined to comprise a second identifier, determining a second parameter;
and encrypting the plaintext field and the second parameter according to a preset encryption algorithm and a first key of the plaintext field.
6. The method of any one of claims 1 to 5, further comprising:
recording the first key, the first parameter, the second parameter of the plaintext field and/or the second key of the plaintext field to the local;
recording a ciphertext field corresponding to the plaintext field to a database, wherein the ciphertext field has a preset identifier.
7. The method of claim 6, wherein after recording the ciphertext field corresponding to the plaintext field into a database, further comprising:
obtaining ciphertext data from the database; the ciphertext data comprises at least one ciphertext field;
for any ciphertext field, a first key corresponding to the ciphertext field is acquired;
and decrypting the ciphertext field according to a preset identifier based on the first key to obtain a plaintext field corresponding to the ciphertext field.
8. The method of claim 7, wherein decrypting the ciphertext field according to a preset identification based on the first key comprises:
if the preset identifier comprises a first identifier and a second identifier, locally inquiring a first parameter and a second parameter of the ciphertext field;
Calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm, a second key of the ciphertext field and the second parameter.
9. The method of claim 7, wherein decrypting the ciphertext field according to a preset identification based on the first key comprises:
if the preset identifier is determined to comprise a first identifier, locally inquiring a first parameter of the ciphertext field;
calculating the first parameter and the first key according to a preset calculation rule to obtain a second key of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm and a second key of the ciphertext field.
10. The method of claim 7, wherein decrypting the ciphertext field according to a preset identification based on the first key comprises:
if the preset identifier comprises a second identifier, locally inquiring a second parameter of the ciphertext field;
and decrypting the ciphertext field according to a preset encryption algorithm, the first key of the ciphertext field and the second parameter.
11. The method of claim 7, wherein after obtaining the plaintext field corresponding to the ciphertext field, the method further comprises:
if the preset identifier of the plaintext field is determined to comprise a third identifier, determining a third parameter;
and according to a preset desensitization rule, desensitizing the plaintext field based on the third parameter to obtain a desensitization field corresponding to the plaintext field.
12. An apparatus for data processing, comprising:
the acquisition module is used for acquiring plaintext data; the plaintext data comprises at least one plaintext field;
the processing module is used for randomly generating a first key of a plaintext field for any plaintext field if the attribute of the plaintext field is determined to be a preset first attribute;
encrypting the plaintext field according to the first key to obtain a ciphertext field corresponding to the plaintext field; the first keys of any two plaintext fields are not identical.
13. A computer device, comprising:
a memory for storing program instructions;
a processor for invoking program instructions stored in said memory to perform the method of any of claims 1 to 11 in accordance with the obtained program.
14. A computer-readable storage medium storing computer-executable instructions for causing a computer to perform the method of any one of claims 1 to 11.
CN202311405978.1A 2023-10-26 2023-10-26 Data processing method and device Pending CN117319070A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311405978.1A CN117319070A (en) 2023-10-26 2023-10-26 Data processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311405978.1A CN117319070A (en) 2023-10-26 2023-10-26 Data processing method and device

Publications (1)

Publication Number Publication Date
CN117319070A true CN117319070A (en) 2023-12-29

Family

ID=89242670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311405978.1A Pending CN117319070A (en) 2023-10-26 2023-10-26 Data processing method and device

Country Status (1)

Country Link
CN (1) CN117319070A (en)

Similar Documents

Publication Publication Date Title
US10778427B2 (en) Method and apparatus for encrypting and decrypting product information
CN110457945B (en) List query method, query party device, service party device and storage medium
JP5337411B2 (en) Information concealment method and information concealment device
CN109271798A (en) Sensitive data processing method and system
CN105577379A (en) Information processing method and apparatus thereof
CN103378971B (en) A kind of data encryption system and method
CN110929291A (en) Method and device for accessing text file and computer readable storage medium
CN110740128A (en) off-line data encryption method and device
CN110825639A (en) Tamper-resistant time software License verification method
CN109687966A (en) Encryption method and its system
CN110719160A (en) Database encryption method based on quantum random number and national encryption algorithm
CN115795514A (en) Private information retrieval method, device and system
CN103336928A (en) Method and device for encrypting and decrypting database
CN117319070A (en) Data processing method and device
CN116049783A (en) Enterprise bill management method and system based on secure hardware carrier
CN115361198A (en) Decryption method, encryption method, device, computer equipment and storage medium
CN112099901B (en) Method and device for configuring virtual machine memory data encryption mode and CPU chip
CN113946862A (en) Data processing method, device and equipment and readable storage medium
CN112948852A (en) Data access method, device and computer readable storage medium
CN115694921B (en) Data storage method, device and medium
CN106600520A (en) Hiding method and reappearing method for encrypted image and corresponding device
CN116527616A (en) Method and device for monitoring instant messaging data, electronic equipment and storage medium
CN114662146A (en) Ciphertext data storage method, device, equipment and storage medium
CN117527209A (en) Cryptographic machine trusted starting method and device, cryptographic machine and storage medium
CN118013537A (en) Data processing method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination