CN117640081A - Data encryption method and device, electronic equipment and storage medium - Google Patents


Publication number
CN117640081A
Authority
CN
China
Prior art keywords
target data
key
data
packet
matched
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311655407.3A
Other languages
Chinese (zh)
Inventor
柴世林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Agricultural Bank of China
Priority to CN202311655407.3A
Publication of CN117640081A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a data encryption method, a device, equipment and a storage medium. The method comprises the following steps: acquiring a database execution statement, and determining target data and an execution type according to the database execution statement; if the execution type of the target data is newly added, carrying out block encryption on the target data based on the quantum random number to generate encrypted data matched with the target data; and encrypting the quantum random numbers matched with each group according to a preset key, and determining the key information of each group key. The technical scheme solves the problem of poor data encryption security, can effectively improve the reliability of data storage, increases the flexibility of encryption configuration, and greatly improves the use efficiency of developers.

Description

Data encryption method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a data encryption method, a data encryption device, an electronic device, and a storage medium.
Background
In some situations, sensitive data such as an identification card number, a bank card number and the like need to be encrypted and then stored in a database because of the requirements of information security and user privacy protection.
In the prior art, there are mainly two data encryption approaches. One is encryption at the service code level. This approach requires changing the service code so that data are encrypted when they are added to or updated in the database and decrypted when they are queried from the database. The data stored in the database itself is ciphertext. This approach typically uses a fixed key or pseudo-random number as the key. The other is database transparent encryption. Here encryption and decryption are implemented in the database layer using a database encryption key, and the key is fixed. This method encrypts a page in the database before writing it to disk, and decrypts the page when it is read into memory. The entire process is transparent to the user. When a legal user accesses the database, the data is read as plaintext, and the actual data stored on the disk is ciphertext.
Conventional data encryption methods do encrypt the data, but each has disadvantages. Encryption at the service code level has the following drawbacks: (1) Low security. With a fixed key, all data are encrypted with the same key, so if the key is compromised, all data are exposed; encrypting all data with a fixed key is therefore not secure. With pseudo-random number keys, there is actually a certain regularity between different keys, and keys that have not been cracked may be deduced from cracked keys, so all data still risk being exposed. (2) Low usability. The service code must be modified, and modifying a system that is already in use is very labor intensive. Database transparent encryption has the following disadvantages: (1) Low security. It uses fixed-key encryption, so once the key is leaked, all data risk being cracked. (2) Poor configurability. The encryption method is integrated in the database and cannot be freely configured or adjusted at the application level. Therefore, a more secure data encryption scheme is required.
Disclosure of Invention
The invention provides a data encryption method, a device, equipment and a storage medium, which are used for solving the problem of poor data encryption security, effectively improving the reliability of data storage, increasing the flexibility of encryption configuration and greatly improving the use efficiency of developers.
According to an aspect of the present invention, there is provided a data encryption method, the method comprising:
acquiring a database execution statement, and determining target data and an execution type according to the database execution statement;
if the execution type of the target data is newly added, carrying out block encryption on the target data based on the quantum random number to generate encrypted data matched with the target data;
and encrypting the quantum random numbers matched with each group according to a preset key, and determining the key information of each group key.
According to another aspect of the present invention, there is provided a data encryption apparatus comprising:
the execution type determining module is used for acquiring database execution sentences and determining target data and an execution type according to the database execution sentences;
the encryption data generation module is used for carrying out block encryption on the target data based on the quantum random number if the execution type of the target data is newly added, so as to generate encryption data matched with the target data;
and the key information determining module is used for encrypting the quantum random numbers matched with each group according to the preset key and determining the key information of each group key.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data encryption method according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to execute a data encryption method according to any one of the embodiments of the present invention.
According to the technical scheme, the target data and the execution type are determined according to the database execution statement by acquiring the database execution statement; if the execution type of the target data is newly added, carrying out block encryption on the target data based on the quantum random number to generate encrypted data matched with the target data; and encrypting the quantum random numbers matched with each group according to a preset key, and determining the key information of each group key. The technical scheme solves the problem of poor data encryption security, can effectively improve the reliability of data storage, increases the flexibility of encryption configuration, and greatly improves the use efficiency of developers.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a data encryption method according to a first embodiment of the present invention;
Fig. 2A is a flowchart of a data encryption method according to a second embodiment of the present invention;
Fig. 2B is a schematic diagram of encryption of a data packet according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a data encryption device according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device implementing a data encryption method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The data acquisition, storage, use, processing and the like in the technical scheme meet the relevant regulations of national laws and regulations.
Example 1
Fig. 1 is a flowchart of a data encryption method according to an embodiment of the present invention, which is applicable to a data encryption scenario in a database. The method may be performed by a data encryption device, which may be implemented in hardware and/or software, which may be configured in an electronic apparatus.
As shown in fig. 1, the method includes:
S110, acquiring a database execution statement, and determining target data and an execution type according to the database execution statement.
The scheme can be executed by a data management service, which can manage data in a database and identify the data in the database that need encryption, such as tables, columns and fields. The data management service may configure an encryption scheme for data to be encrypted in response to a configuration request of the user terminal. For example, the data management service may create an encrypted data class in advance, configure a conversion rule of a type converter in MyBatis, and add encryption and decryption methods for data of the encrypted data class; if data needs to be encrypted, its data type is defined as the encrypted data class. MyBatis is a persistence-layer framework for handling interactions between the application layer and the database layer.
The data management service may configure an interceptor for retrieving database execution statements, such as SQL statements. It parses the database execution statement with regular expressions and extracts the data object the statement operates on, namely the target data, together with the execution type of that data object, that is, which type of operation is performed on the target data. The execution type may include operations such as adding, updating, deleting, and querying.
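As an added illustration (not code from the patent), the following Go example classifies intercepted statements by regular expression into execution type, table and the encrypted columns they touch. The `encryptedColumns` configuration, the `Statement` type and all function names are assumptions, and the statements are constructed, parameterised samples of the kind an interceptor would see.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// encryptedColumns is a constructed configuration: table -> encrypted columns.
var encryptedColumns = map[string][]string{"customer": {"id_card", "bank_card"}}

var (
	leadingComments = regexp.MustCompile(`(?s)^(\s*(/\*.*?\*/|--[^\n]*\n))*\s*`)
	insertRe        = regexp.MustCompile(`(?is)^insert\s+into\s+([\w.]+)\s*(?:\(([^)]*)\))?`)
	updateRe        = regexp.MustCompile(`(?is)^update\s+([\w.]+)\s+set\s+(.*?)(?:\s+where\s|$)`)
	deleteRe        = regexp.MustCompile(`(?is)^delete\s+from\s+([\w.]+)`)
	selectRe        = regexp.MustCompile(`(?is)^select\s+(.*?)\s+from\s+([\w.]+)`)
)

// Statement is what the interceptor needs in order to route a statement.
type Statement struct {
	Type    string   // insert, update, delete, query or other
	Table   string
	Columns []string // encrypted columns the statement touches
}

func (s Statement) String() string {
	return strings.TrimSpace(s.Type + " " + s.Table + " " + strings.Join(s.Columns, ","))
}

// ident normalises an identifier: drops alias, qualifier, quotes and case.
func ident(s string) string {
	f := strings.Fields(s)
	if len(f) == 0 {
		return ""
	}
	name := f[0][strings.LastIndex(f[0], ".")+1:]
	return strings.ToLower(strings.Trim(name, "`\""))
}

// touched keeps the configured encrypted columns that appear in cols, or
// all of them when the statement affects whole rows (all == true).
func touched(table string, cols []string, all bool) []string {
	var out []string
	for _, enc := range encryptedColumns[table] {
		hit := all
		for _, c := range cols {
			hit = hit || c == enc
		}
		if hit {
			out = append(out, enc)
		}
	}
	return out
}

// Classify strips leading comments and determines execution type and target.
func Classify(sql string) Statement {
	sql = leadingComments.ReplaceAllString(sql, "")
	var typ, table string
	var cols []string
	all := false
	if m := insertRe.FindStringSubmatch(sql); m != nil {
		typ, table, all = "insert", m[1], m[2] == "" // no column list: every column is written
		cols = strings.Split(m[2], ",")
	} else if m := updateRe.FindStringSubmatch(sql); m != nil {
		typ, table = "update", m[1]
		for _, a := range strings.Split(m[2], ",") {
			cols = append(cols, strings.SplitN(a, "=", 2)[0]) // name left of "="
		}
	} else if m := deleteRe.FindStringSubmatch(sql); m != nil {
		typ, table, all = "delete", m[1], true // whole rows go: every key is released
	} else if m := selectRe.FindStringSubmatch(sql); m != nil {
		typ, table = "query", m[2]
		cols = strings.Split(m[1], ",")
	} else {
		return Statement{Type: "other"} // executed unchanged
	}
	for i, c := range cols {
		cols[i] = ident(c)
		all = all || cols[i] == "*" // SELECT * or alias.*
	}
	return Statement{typ, ident(table), touched(ident(table), cols, all)}
}

func main() {
	for _, sql := range []string{ // constructed sample statements
		"/* audit */ INSERT INTO Customer (name, id_card, bank_card) VALUES (?, ?, ?)",
		"update customer set name = ?, bank_card = ? where id = ?",
		"SELECT c.name, c.id_card FROM bank.customer c WHERE c.id = ?",
		"CREATE INDEX idx_name ON customer (name)",
	} {
		fmt.Println(Classify(sql))
	}
}
```

Statement shapes these patterns do not cover, for example a statement that starts with WITH or an UPDATE with a join, are reported as `other` and would be executed without encryption, so an interceptor built this way needs tests for every statement shape the application emits.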
And S120, if the execution type of the target data is newly added, carrying out block encryption on the target data based on the quantum random number, and generating encrypted data matched with the target data.
If the execution type of the target data is newly added, the data management service can acquire a quantum random number and encrypt the target data in a block encryption mode, thereby obtaining the encrypted data corresponding to the target data. It should be noted that the data amount of the target data may be smaller or larger than the data amount of one packet; the data amount of the target data is not limited in this embodiment, so the target data may be part of the data in one packet or may be divided into a plurality of packets. The data management service may encrypt one packet with one quantum random number, or may encrypt a plurality of packets with one quantum random number.
It will be appreciated that a quantum random number (Quantum Random Number) is a true random number, unpredictable and without periodicity, generated based on the probabilistic nature of quantum mechanics, and it can be used for higher-security encryption. A true random number (True Random Number) is a random number obtained from a truly random event, and is itself irregular, unpredictable and aperiodic. In contrast to true random numbers, pseudo-random numbers (Pseudo-Random Numbers) are random numbers generated in a computer by simulation with a certain algorithm. A sequence of pseudo-random numbers only appears irregular; in reality the variation of the data is somewhat periodic and predictable in nature. If the generation rule of the pseudo-random numbers is grasped, the data encrypted using the pseudo-random numbers may be cracked.
S130, encrypting the quantum random numbers matched with each group according to a preset key, and determining key information of each group key.
After the encryption of the target data is completed, the data management service may encrypt the quantum random number matched with each packet by using a preset key, to obtain each packet key. Meanwhile, the data management service may generate the key information matched with each packet key, where the key information may include information such as the packet key, a packet identification, a packet use number, an upper limit of use number, a table identification matched with the packet key, and a column identification matched with the packet key. The packet use number can be the number of times the quantum random number corresponding to the current packet has been used for encryption, and the upper limit of use number is the maximum number of times each quantum random number can be used for encryption. The packet use number may be less than or equal to the upper limit of use number. The table identifier and the column identifier matched with the packet key can be used for representing the association relationship between the encrypted data and the packet key, namely the association relationship between the encrypted data and the quantum random number.
The scheme can further ensure the safety of the encryption key of the target data and obviously improve the reliability of data storage.
According to the technical scheme, the target data and the execution type are determined according to the database execution statement by acquiring the database execution statement; if the execution type of the target data is newly added, carrying out block encryption on the target data based on the quantum random number to generate encrypted data matched with the target data; and encrypting the quantum random numbers matched with each group according to a preset key, and determining the key information of each group key. The technical scheme solves the problem of poor data encryption security, can effectively improve the reliability of data storage, increases the flexibility of encryption configuration, and greatly improves the use efficiency of developers.
Example two
Fig. 2A is a flowchart of a data encryption method according to a second embodiment of the present invention, which is refined based on the foregoing embodiment. As shown in fig. 2A, the method includes:
S201, acquiring a database execution statement, and determining target data and an execution type according to the database execution statement.
S202, judging whether the execution type of the target data is newly added.
If the execution type of the target data is newly added, S203 is executed, and if the execution type of the target data is not newly added, S208 is executed.
S203, judging whether the packet use number of each current packet key has reached the upper limit of use number.
If the packet use number of every current packet key has reached the upper limit of use number, S206-S207 are executed; if at least one of the current packet keys has not reached the upper limit of use number, S204-S205 are executed.
S204, determining a target packet key from the packet keys whose packet use number has not reached the upper limit of use number.
Where the packet use number of at least one packet key has not reached the upper limit of use number, the data management service may randomly select one of the packet keys whose packet use number has not reached the upper limit as the target packet key, may take the packet key with the smallest packet use number among them as the target packet key, or may determine the target packet key according to the matching degree between the target data and the data amount of each packet. Specifically, the matching degree of the target data and the data amount of each packet may be determined based on the difference between the data amount of the target data and the remaining data amount of each packet. For example, for a packet in which the remaining data amount is greater than or equal to the data amount of the target data, the smaller the difference between the remaining data amount and the data amount of the target data, the higher the matching degree.
S205, carrying out block encryption on the target data according to the quantum random number matched with the target block key, and generating encrypted data matched with the target data.
It can be appreciated that the data management service may decrypt the target packet key using a preset key to obtain the quantum random number matched with the target packet key. And carrying out block encryption on the target data according to the quantum random number matched with the target block key, and generating the encrypted data matched with the target data by the data management service.
S206, generating the quantum random number matched with the target data based on the quantum random number generator.
Where the packet use number of every current packet key has reached the upper limit of use number, the data management service may generate a new quantum random number sequence based on the quantum random number generator, so as to assign the new quantum random number to the target data.
S207, carrying out block encryption on the target data according to the quantum random number to generate encrypted data matched with the target data.
The data management service can carry out block encryption on the target data according to the quantum random number matched with the target data to obtain encrypted data matched with the target data.
S208, judging whether the execution type of the target data is updated.
If the execution type of the target data is not newly added, the data management service may determine whether the execution type of the target data is updated. If the execution type of the target data is updated, S209-S211 are executed, and if the execution type of the target data is not updated, S212 is executed.
S209, acquiring a packet key of the target data before updating, releasing the packet key matched with the target data before updating, and distributing the target packet key for the target data after updating.
If the database execution statement is the update target data, the data management service acquires the packet key of the target data before update from the key information of each packet key stored currently, and releases the packet key matched with the target data before update. Meanwhile, the data management service needs to allocate a target packet key for the updated target data. The target packet key of the updated target data may be determined based on the manner described in S204 or S206.
And S210, encrypting the updated target data according to the quantum random number matched with the target grouping key to obtain the encrypted data matched with the updated target data.
After obtaining the quantum random number matched with the target grouping key, the data management service can encrypt the updated target data to obtain encrypted data corresponding to the updated target data.
S211, updating the key information of the packet key of the target data before updating and the key information of the packet key of the target data after updating.
After the encryption of the updated target data is completed, the data management service also needs to update the key information of the packet key of the target data before the update and the key information of the packet key of the target data after the update to ensure the correctness of the key information.
S212, judging whether the execution type of the target data is deletion or not.
If the execution type of the target data is not updated, the data management service may continue to determine whether the execution type of the target data is deleted. If the execution type of the target data is delete, S213 is executed, and if the execution type of the target data is not delete, S214 is executed.
S213, acquiring the packet key of the target data before deletion, releasing the packet key matched with the target data before update, and updating the key information of the packet key of the target data before deletion.
The data management service may acquire the packet key of the target data before deletion, release the packet key matched with the target data before update, and update the key information of the packet key of the target data before deletion.
S214, judging whether the execution type of the target data is query.
If the execution type of the target data is not deleted, the data management service may continue to determine whether the execution type of the target data is a query. If the execution type of the target data is a query, S215-S216 are executed; if the execution type of the target data is not any one of adding, updating, deleting, and querying, S217 is executed, that is, the database execution statement is executed.
S215, acquiring a group key of the target data, and decrypting the group key according to a preset key to obtain a quantum random number matched with the group key.
If the execution type of the target data is query, the data management service can acquire the grouping key of the target data, and decrypt the grouping key according to a preset key to obtain the quantum random number matched with the grouping key.
S216, decrypting the target data based on the quantum random number, and outputting decrypted data of the target data.
And the data management service can decrypt the target data by utilizing the quantum random number to obtain decrypted data of the target data for the legal user to review.
S217, executing the database execution statement.
Fig. 2B is a schematic diagram of encryption of a data packet according to a second embodiment of the present invention. In a specific example, the target data is sensitive information such as the user's identity card number and bank card number, and the key information can be represented in the form of a key table. The packet encryption process of the target data may be as shown in Fig. 2B. When a key is applied for, the key table is queried, according to the table name and column name that are passed in, for an available key (i.e. a key whose used number is less than the maximum available number). If one exists, the key and its group number are returned, and the used number of that key group is incremented by one. If no key is available, a new string of quantum random numbers is generated, a new key is generated based on the quantum random numbers, and the key is stored as a new group in the key table. When a key is recovered, the used number of the corresponding key group is decremented by one according to the table name, column name and group name that are passed in. If the used number has been reduced to zero, the key information of the key is deleted from the key table.
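The key application and recovery flow described above, together with the wrapping of each group's random number under the preset key from S130, as an added Go example (not code from the patent). Assumptions: `crypto/rand` stands in for the quantum random number generator, AES-256-GCM is used both for wrapping and for field encryption, and `KeyTable`, its methods and the table and column names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyEntry is one key-table row; the group key is stored only in wrapped form.
type keyEntry struct {
	table, column string
	wrapped       []byte // group key encrypted under the preset key
	used          int    // packet use number
}

// KeyTable is a hypothetical in-memory stand-in for the persistent key table.
type KeyTable struct {
	preset  []byte      // preset key, 32 bytes, only used to wrap group keys
	maxUse  int         // upper limit of use number per group key
	entries []*keyEntry // group number = index + 1; nil once deleted
}

// crypt seals (nonce || ciphertext || tag) or opens data with AES-256-GCM.
func crypt(key, in []byte, encrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if encrypt {
		nonce := make([]byte, n)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return gcm.Seal(nonce, nonce, in, nil), nil
	}
	if len(in) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, in[:n], in[n:], nil)
}

// with unwraps the key of a group and encrypts or decrypts data with it.
func (kt *KeyTable) with(group int, data []byte, encrypt bool) ([]byte, error) {
	if group < 1 || group > len(kt.entries) || kt.entries[group-1] == nil {
		return nil, errors.New("unknown key group")
	}
	key, err := crypt(kt.preset, kt.entries[group-1].wrapped, false)
	if err != nil {
		return nil, err
	}
	return crypt(key, data, encrypt)
}

// Decrypt serves a query; the use count is unchanged.
func (kt *KeyTable) Decrypt(group int, ct []byte) ([]byte, error) { return kt.with(group, ct, false) }

// Encrypt applies for a key and returns the group number to store with the ciphertext.
func (kt *KeyTable) Encrypt(table, column string, value []byte) (int, []byte, error) {
	for i, e := range kt.entries {
		if e != nil && e.table == table && e.column == column && e.used < kt.maxUse {
			e.used++ // counted even if sealing fails, which only retires the key earlier
			ct, err := kt.with(i+1, value, true)
			return i + 1, ct, err
		}
	}
	key := make([]byte, 32) // crypto/rand stands in for the quantum random number generator
	if _, err := rand.Read(key); err != nil {
		return 0, nil, err
	}
	wrapped, err := crypt(kt.preset, key, true)
	if err != nil {
		return 0, nil, err
	}
	kt.entries = append(kt.entries, &keyEntry{table: table, column: column, wrapped: wrapped, used: 1})
	ct, err := crypt(key, value, true)
	return len(kt.entries), ct, err
}

// Release recovers one use (delete or update); at zero the key row is dropped.
func (kt *KeyTable) Release(group int) {
	if group >= 1 && group <= len(kt.entries) && kt.entries[group-1] != nil {
		if kt.entries[group-1].used--; kt.entries[group-1].used <= 0 {
			kt.entries[group-1] = nil
		}
	}
}

func main() {
	kt := &KeyTable{preset: make([]byte, 32), maxUse: 2} // all-zero preset key: demo only
	group, ct, err := kt.Encrypt("customer", "id_card", []byte("constructed value"))
	fmt.Println(group, len(ct), err)
}
```

Once the last use of a group is released, its wrapped key is gone and any ciphertext still stored under that group number can no longer be decrypted, so the release must happen in the same transaction as the row's delete or update.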
With the block encryption manner shown in Fig. 2B, in practical application a developer only needs to set the data type of a field to the custom encryption data type, and data encryption and decryption are then completed automatically, achieving the effect of transparent encryption. Transparent encryption means that encryption and decryption are done automatically in the application and are not perceived by the user. The data is plaintext in the application and ciphertext in the database. When the user accesses the database normally through the program, plaintext data is obtained, whereas accessing the database by illegal means yields ciphertext data.
The transparent encryption scheme of the data packet based on the quantum random number has the following advantages: (1) High security. Because the keys of the groups of data are different, even if one group's key is leaked, the data of the other groups are still safe. Each group key is generated from quantum random numbers, and absolute independence among keys can be deduced through the characteristics of true random numbers, so that the possibility of deducing other keys from one key is avoided. (2) Strong configurability. The maximum available number of a key can be set according to the actual security requirement, so that the effects of one row of secret keys, one group of secret keys and even one row of secret keys are realized. This configuration is convenient and flexible. (3) High usability. Encryption and decryption and key distribution and recovery are realized on the section. The developer does not need to pay attention to implementation details, the workload for modifying an existing system is small, and the scheme is suitable both for encrypting new fields and for retrofitting encryption onto existing fields.
According to the technical scheme, the target data and the execution type are determined according to the database execution statement by acquiring the database execution statement; if the execution type of the target data is newly added, carrying out block encryption on the target data based on the quantum random number to generate encrypted data matched with the target data; and encrypting the quantum random numbers matched with each group according to a preset key, and determining the key information of each group key. The technical scheme solves the problem of poor data encryption security, can effectively improve the reliability of data storage, increases the flexibility of encryption configuration, and greatly improves the use efficiency of developers.
Example III
Fig. 3 is a schematic structural diagram of a data encryption device according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes:
an execution type determining module 310, configured to obtain a database execution statement, and determine target data and an execution type according to the database execution statement;
the encrypted data generating module 320 is configured to, if the execution type of the target data is newly added, perform packet encryption on the target data based on the quantum random number, and generate encrypted data matched with the target data;
the key information determining module 330 is configured to encrypt the quantum random numbers matched with each packet according to a preset key, and determine key information of each packet key.
In this scheme, optionally, the key information includes a packet key, a packet number, a table identifier matched with the packet key, and a column identifier matched with the packet key.
In one possible implementation, the encrypted data generating module 320 includes:
a target packet key determining unit, configured to determine a target packet key from the packet keys whose packet use number has not reached the upper limit of use number, if the packet use number of at least one of the current packet keys has not reached the upper limit of use number;
the first encrypted data generating unit is used for carrying out block encryption on the target data according to the quantum random number matched with the target block key to generate encrypted data matched with the target data.
In another possible implementation, the encrypted data generating module 320 includes:
a quantum random number generation unit, configured to generate a quantum random number matched with the target data based on a quantum random number generator if the packet use number of every current packet key has reached the upper limit of use number;
and the second encrypted data generation unit is used for carrying out block encryption on the target data according to the quantum random number to generate encrypted data matched with the target data.
In this aspect, optionally, the apparatus further includes:
a first key acquisition module, configured to, after the target data and the execution type are determined, acquire the packet key of the target data before the update if the execution type of the target data is update;
a target packet key allocation module, configured to release the packet key matched with the target data before the update and allocate a target packet key to the updated target data;
an update data encryption module, configured to encrypt the updated target data according to the quantum random number matched with the target packet key, to obtain encrypted data matched with the updated target data;
and a first key information updating module, configured to update the key information of the packet key of the target data before the update and the key information of the packet key of the updated target data.
On the basis of the above scheme, optionally, the device further comprises:
a second key acquisition module, configured to, after the target data and the execution type are determined, acquire the packet key of the target data before deletion if the execution type of the target data is deletion;
and a second key information updating module, configured to release the packet key matched with the target data before updating and update the key information of the packet key of the target data before deletion.
In a preferred embodiment, the apparatus further comprises:
a third key acquisition module, configured to, after the target data and the execution type are determined, acquire the packet key of the target data if the execution type of the target data is query;
a quantum random number determining module, configured to decrypt the packet key according to a preset key to obtain the quantum random number matched with the packet key;
and a decrypted data output module, configured to decrypt the target data based on the quantum random number and output the decrypted data of the target data.
The data encryption device provided by the embodiment of the invention can execute the data encryption method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
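The key bookkeeping described by these modules (reuse a packet key until its packet number hits the limit, otherwise draw a new random number, wrap it under the preset key, and release on update or delete) can be sketched as follows. This is an added illustration, not code from the patent: `KeyStore`, `KeyInfo`, `USE_LIMIT`, and the per-(table, column) scoping are assumptions, `secrets.token_bytes` stands in for the quantum random number generator, and the HMAC-SHA256 construction stands in for the block cipher the patent does not name.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

PRESET_KEY = secrets.token_bytes(32)  # assumption: the "preset key"; keep it in an HSM/KMS in practice
USE_LIMIT = 3                         # assumption: upper limit of values per packet key

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    # Stand-in authenticated cipher (HMAC-SHA256 keystream, then MAC); not the patent's cipher.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

@dataclass
class KeyInfo:                 # the four key-information fields listed above
    packet_key: bytes          # random number wrapped under PRESET_KEY
    table: str
    column: str
    packet_number: int = 0     # values currently encrypted under this key

class KeyStore:
    def __init__(self):
        self.keys, self.cells = [], {}   # KeyInfo list; cell id -> (key index, ciphertext)

    def _allocate(self, table, column):
        for i, k in enumerate(self.keys):        # reuse a key that is below the limit
            if (k.table, k.column) == (table, column) and k.packet_number < USE_LIMIT:
                k.packet_number += 1
                return i
        rnd = secrets.token_bytes(32)            # stand-in for the quantum random number generator
        self.keys.append(KeyInfo(seal(PRESET_KEY, rnd), table, column, 1))
        return len(self.keys) - 1

    def _release(self, cell):
        idx, _ = self.cells.pop(cell)
        self.keys[idx].packet_number -= 1

    def insert(self, cell, table, column, value):
        idx = self._allocate(table, column)
        rnd = unseal(PRESET_KEY, self.keys[idx].packet_key)
        self.cells[cell] = (idx, seal(rnd, value))

    def update(self, cell, table, column, value):
        self._release(cell)                      # release the pre-update key first
        self.insert(cell, table, column, value)

    def delete(self, cell):
        self._release(cell)

    def query(self, cell):
        idx, ct = self.cells[cell]
        return unseal(unseal(PRESET_KEY, self.keys[idx].packet_key), ct)
```

Only the wrapped random number is ever stored in `KeyInfo`, so a dump of the key table is useless without the preset key, and the usage limit bounds how many values a single compromised packet key exposes.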
Example IV
Fig. 4 shows a schematic diagram of an electronic device 410 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 410 includes at least one processor 411, and a memory, such as a Read Only Memory (ROM) 412, a Random Access Memory (RAM) 413, etc., communicatively connected to the at least one processor 411, wherein the memory stores computer programs executable by the at least one processor, and the processor 411 may perform various suitable actions and processes according to the computer programs stored in the Read Only Memory (ROM) 412 or the computer programs loaded from the storage unit 418 into the Random Access Memory (RAM) 413. In the RAM 413, various programs and data required for the operation of the electronic device 410 may also be stored. The processor 411, the ROM 412, and the RAM 413 are connected to each other through a bus 414. An input/output (I/O) interface 415 is also connected to bus 414.
Various components in the electronic device 410 are connected to the I/O interface 415, including: an input unit 416 such as a keyboard, a mouse, etc.; an output unit 417 such as various types of displays, speakers, and the like; a storage unit 418, such as a magnetic disk, optical disk, or the like; and a communication unit 419 such as a network card, modem, wireless communication transceiver, etc. The communication unit 419 allows the electronic device 410 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The processor 411 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 411 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 411 performs the various methods and processes described above, such as the data encryption method.
In some embodiments, the data encryption method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 418. In some embodiments, some or all of the computer program may be loaded and/or installed onto the electronic device 410 via the ROM 412 and/or the communication unit 419. When the computer program is loaded into RAM 413 and executed by processor 411, one or more steps of the data encryption method described above may be performed. Alternatively, in other embodiments, the processor 411 may be configured to perform the data encryption method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be realized in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems-on-a-Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data encryption apparatus, such that the computer programs, when executed by the processor, cause the functions/operations specified in the flowchart and/or block diagram block or blocks to be performed. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A method of encrypting data, the method comprising:
acquiring a database execution statement, and determining target data and an execution type according to the database execution statement;
if the execution type of the target data is newly added, carrying out block encryption on the target data based on the quantum random number to generate encrypted data matched with the target data;
and encrypting the quantum random number matched with each packet according to a preset key, and determining the key information of each packet key.
2. The method of claim 1, wherein the key information comprises a packet key, a packet number, a table identifier matched with the packet key, and a column identifier matched with the packet key.
3. The method of claim 2, wherein the block encrypting the target data based on the quantum random number to generate the encrypted data that matches the target data comprises:
if the packet number of at least one of the current packet keys has not reached the upper limit on the number of uses, determining a target packet key from among the packet keys whose packet number has not reached that upper limit;
and carrying out block encryption on the target data according to the quantum random number matched with the target packet key to generate encrypted data matched with the target data.
4. The method of claim 2, wherein the block encrypting the target data based on the quantum random number to generate the encrypted data that matches the target data comprises:
if the packet number of every current packet key has reached the upper limit on the number of uses, generating a quantum random number matched with the target data based on a quantum random number generator;
and carrying out block encryption on the target data according to the quantum random number to generate encrypted data matched with the target data.
5. The method of claim 1, wherein after determining the target data and the execution type, the method further comprises:
if the execution type of the target data is update, acquiring the packet key of the target data before the update;
releasing the packet key matched with the target data before the update, and allocating a target packet key to the updated target data;
encrypting the updated target data according to the quantum random number matched with the target packet key to obtain encrypted data matched with the updated target data;
and updating the key information of the packet key of the target data before updating and the key information of the packet key of the target data after updating.
6. The method of claim 1, wherein after determining the target data and the execution type, the method further comprises:
if the execution type of the target data is deletion, acquiring the packet key of the target data before deletion;
and releasing the packet key matched with the target data before updating, and updating the key information of the packet key of the target data before deleting.
7. The method of claim 1, wherein after determining the target data and the execution type, the method further comprises:
if the execution type of the target data is query, acquiring the packet key of the target data;
decrypting the packet key according to a preset key to obtain the quantum random number matched with the packet key;
and decrypting the target data based on the quantum random number, and outputting decrypted data of the target data.
8. A data encryption apparatus, comprising:
an execution type determining module, configured to acquire a database execution statement and determine target data and an execution type according to the database execution statement;
an encrypted data generation module, configured to, if the execution type of the target data is newly added, perform block encryption on the target data based on a quantum random number to generate encrypted data matched with the target data;
and a key information determining module, configured to encrypt the quantum random number matched with each packet according to a preset key and determine the key information of each packet key.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data encryption method of any one of claims 1-7.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the data encryption method of any one of claims 1-7 when executed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311655407.3A CN117640081A (en) 2023-12-05 2023-12-05 Data encryption method and device, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117640081A (en) 2024-03-01

Family

ID=90026756



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination