CN117955663A

CN117955663A - Data processing method and related device

Info

Publication number: CN117955663A
Application number: CN202211296718.0A
Authority: CN
Inventors: 张佳亮
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2022-10-21
Filing date: 2022-10-21
Publication date: 2024-04-30

Abstract

The embodiment of the application discloses a data processing method and a related device, wherein a second node encrypts second identity information according to a first encryption rule to obtain second encrypted identity information, the second encrypted identity information is sent to a first node, if the first node decrypts the second encrypted identity information according to a first decryption rule to obtain second identity information, the first node acquires a dynamically updated random number, encrypts the first identity information and random data according to the second encryption rule to obtain a dynamic key, and sends the dynamic key to a second node, if the second node decrypts the dynamic key according to a second decryption rule to obtain the first identity information, the second node reads data to be transmitted from a storage, encrypts the data to be transmitted according to the dynamic key to obtain encrypted data, and the first node decrypts the encrypted data according to the dynamic key to obtain the data to be transmitted, so that bidirectional identity verification is realized.

Description

Data processing method and related device

Technical Field

The present application relates to the field of data processing technologies, and in particular, to a data processing method and a related device.

Background

With the wide application of new generation information technology, the degree of digitalization of society is continuously increased, a large amount of generated data is also an important resource of society, and data security is also gradually paid attention to.

In order to ensure data security, identity authentication is generally performed on a requester during data transmission. Specifically, the requester generally transmits a user name and a password to the target, and the target determines that the requester passes verification according to the user name and the password transmitted by the requester and then receives data transmitted by the requester.

However, the above method is only one-way authentication, that is, only the target party performs authentication on the requester, and the requester does not perform authentication on the target party. If the target party is forged, the data of the requesting party is transmitted to the forged target party, so that the data of the requesting party is leaked, and the data security is not facilitated.

Disclosure of Invention

In order to solve the technical problems, the application provides a data processing method and a related device for improving data security.

The embodiment of the application discloses the following technical scheme:

in a first aspect, an embodiment of the present application provides a data processing method, where the method includes:

Receiving second encrypted identity information, wherein the second encrypted identity information is obtained by encrypting the second identity information by a second node according to a first encryption rule, and the second identity information is used for identifying the identity information of the second node;

Decrypting the second encrypted identity information according to a first decryption rule;

If the second identity information is obtained through decryption, a dynamically updated random number is obtained;

encrypting the first identity information and the random data according to the second encryption rule to obtain a dynamic key, wherein the first identity information is used for identifying the identity information of the first node;

transmitting the dynamic key to the second node;

receiving encrypted data, wherein the encrypted data is obtained by encrypting data to be transmitted by the second node according to the dynamic key;

and decrypting the encrypted data according to the dynamic key to obtain the data to be transmitted.

In a second aspect, an embodiment of the present application provides a data processing method, including:

encrypting the second identity information according to the first encryption rule to obtain second encrypted identity information, wherein the second identity information is used for identifying the identity information of the second node;

the second encrypted identity information is sent to the first node, so that the first node obtains the second identity information through decryption according to a first decryption rule and the second encrypted identity information;

Receiving a dynamic key sent by the first node, wherein the dynamic key is obtained by encrypting first identity information and a random number by the first node according to a second encryption rule, and the first identity information is used for the identity information of the first node;

Decrypting the dynamic key according to a second decryption rule;

If the first identity information is obtained through decryption, encrypting the data to be transmitted according to the dynamic key to obtain encrypted data;

and sending the encrypted data to the first node.

In a third aspect, an embodiment of the present application provides a data processing apparatus, the apparatus including:

The receiving unit is used for receiving second encrypted identity information, wherein the second encrypted identity information is obtained by encrypting the second identity information by a second node according to a first encryption rule, and the second identity information is used for identifying the identity information of the second node;

the decryption unit is used for decrypting the second encrypted identity information according to a first decryption rule;

the acquisition unit is used for acquiring a dynamically updated random number if the second identity information is obtained through decryption;

The encryption unit is used for encrypting the first identity information and the random data according to the second encryption rule to obtain a dynamic key, wherein the first identity information is used for identifying the identity information of the first node;

A sending unit, configured to send the dynamic key to the second node;

The receiving unit is further configured to receive encrypted data, where the encrypted data is obtained by encrypting, by the second node, data to be transmitted according to the dynamic key;

and the decryption unit is used for decrypting the encrypted data according to the dynamic key to obtain the data to be transmitted.

In a fourth aspect, an embodiment of the present application provides a data processing apparatus, the apparatus including:

the encryption unit is used for encrypting the second identity information according to the first encryption rule to obtain second encrypted identity information, and the second identity information is used for identifying the identity information of the second node;

The sending unit is used for sending the second encrypted identity information to the first node so that the first node can decrypt the second encrypted identity information according to a first decryption rule and the second encrypted identity information to obtain second identity information;

the receiving unit is used for receiving a dynamic key sent by the first node, wherein the dynamic key is obtained by encrypting first identity information and a random number by the first node according to a second encryption rule, and the first identity information is used for the identity information of the first node;

The decryption unit is used for decrypting the dynamic key according to a second decryption rule;

The encryption unit is further configured to encrypt data to be transmitted according to the dynamic key if the first identity information is obtained by decryption, so as to obtain encrypted data;

The sending unit is further configured to send the encrypted data to the first node.

In another aspect, an embodiment of the present application provides a data processing system, where the system includes at least one first node and a plurality of second nodes;

the first node is configured to perform the method of the first aspect;

The second node is configured to perform the method according to the second aspect.

In another aspect, an embodiment of the present application provides a computer device including a processor and a memory:

the memory is used for storing a computer program and transmitting the computer program to the processor;

The processor is configured to perform the method of the above aspect according to instructions in the computer program.

In another aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program for executing the method described in the above aspect.

In another aspect, embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the method described in the above aspect.

According to the technical scheme, in the process of data traffic between the first node and the second node, the second node encrypts the second identity information according to the first encryption rule to obtain second encrypted identity information, and sends the second encrypted identity information to the first node, wherein the first encryption rule and the first decryption rule are a pair of encryption and decryption algorithms, so that if the first node decrypts the second encrypted identity information according to the first decryption rule to obtain second identity information, the second node is not forged, the first node obtains a random number updated dynamically, encrypts the first identity information and random data according to the second encryption rule to obtain a dynamic key, and sends the dynamic key to the second node, the second encryption rule and the second decryption rule are a pair of encryption and decryption algorithms, and if the second node decrypts the dynamic key according to the second decryption rule to obtain first identity information, the second node encrypts data to be transmitted according to the dynamic key to obtain encrypted data, and sends the encrypted data to the first node so as to decrypt the dynamic key to obtain the encrypted data. Therefore, the identity verification is performed on the second node through the first node and the identity verification is performed on the first node through the second node, so that the bidirectional identity verification is realized, the leakage of data to be transmitted is avoided, and meanwhile, the safety of the first node is ensured. In addition, the dynamic key is generated in the bidirectional identity verification process, and the dynamic key is generated according to the dynamic random number, so that the dynamic key has the advantages of dynamic property, randomness and high complexity, the possibility of leakage of the dynamic key is low, and the safety of data is further improved.

Drawings

In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a schematic diagram of an application scenario of a data processing method according to an embodiment of the present application;

FIG. 2 is an interaction diagram of a data processing method according to an embodiment of the present application;

FIG. 3 is a schematic diagram of a method for generating second encrypted identity information according to an embodiment of the present application;

fig. 4 is a schematic diagram of a method for decrypting second encrypted identity information according to an embodiment of the present application;

FIG. 5 is a schematic diagram of a method for generating a dynamic key according to an embodiment of the present application;

FIG. 6 is a schematic diagram of a method for decrypting a dynamic key according to an embodiment of the present application;

Fig. 7 is a schematic diagram of health detection performed by a first node on a service deployed by a second node according to an embodiment of the present application;

Fig. 8a is a schematic diagram of an application scenario of data processing according to an embodiment of the present application;

fig. 8b is a schematic diagram of an application scenario of data processing according to an embodiment of the present application;

FIG. 9 is a schematic diagram of a data processing apparatus according to an embodiment of the present application;

FIG. 10 is a schematic diagram of a data processing apparatus according to an embodiment of the present application;

fig. 11 is a schematic structural diagram of a server according to an embodiment of the present application;

fig. 12 is a schematic structural diagram of a terminal device according to an embodiment of the present application.

Detailed Description

Embodiments of the present application are described below with reference to the accompanying drawings.

The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented, for example, in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "includes" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.

In the data transmission process, a requester sends information such as a user name and a password to a target party, the target party generates a token after the request passes verification, the token is sent to the requester and used as an identity mark of the requester, and the requester can request data from the target party only by carrying the token without carrying the user name and the password.

If the domain name of the requesting party is hijacked, forged, etc., the target party still obtains a token from the forged requesting party, thereby creating a connection with the forged requesting party for data transmission. This is very dangerous in a scenario where the data security requirements are high, such as industrial production. The data acquired by the target party from the falsified requesting party may be maliciously tampered data, the acquired data is stored in the database by the subsequent target party, the falsified requesting party occupies a large number of database connections, other services of the target party cannot normally operate, and the database is even expanded due to accumulation of time.

In the related art, the target party is trusted by default, and one-way identity verification is adopted to determine whether the request party is trusted, but the target party is not trusted, if the target party is forged, the data of the request party is synchronized to the forged target party, so that the data of the request party is revealed, and the data security is not facilitated.

Based on the above, the embodiment of the application provides a data processing method, which performs authentication on a second node serving as a request party through a first node serving as a target party and performs authentication on the first node by the second node, so that bidirectional authentication is realized, leakage of data to be transmitted of the second node is avoided, and normal operation of the first node is ensured.

The data processing method provided by the embodiment of the application can be applied to data processing equipment with data processing capability, such as terminal equipment and a server. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a content distribution network (Content Delivery Network, CDN), basic cloud computing services such as big data and an artificial intelligent platform. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, a vehicle-mounted terminal, a smart television, etc. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the present application is not limited herein.

The data processing method provided by the embodiment of the application is realized based on Cloud technology, wherein Cloud technology (Cloud technology) is a hosting technology for integrating hardware, software, network and other series resources in a wide area network or a local area network to realize calculation, storage, processing and sharing of data.

Cloud technology (Cloud technology) is based on the general terms of network technology, information technology, integration technology, management platform technology, application technology and the like applied by Cloud computing business models, and can form a resource pool, so that the Cloud computing business model is flexible and convenient as required. Cloud computing technology will become an important support. Background services of technical networking systems require a large amount of computing, storage resources, such as video websites, picture-like websites, and more portals. Along with the high development and application of the internet industry, each article possibly has an own identification mark in the future, the identification mark needs to be transmitted to a background system for logic processing, data with different levels can be processed separately, and various industry data needs strong system rear shield support and can be realized only through cloud computing.

In the embodiment of the application, private Cloud (Private Cloud) is mainly involved, and data of a first node and data of a second node are stored through the Private Cloud, and are stored through the Private Cloud. The private cloud is formed by creating a cloud infrastructure and software and hardware resources in a firewall so as to enable departments in an organization or an enterprise to share resources in a data center. A private cloud is created, and in addition to hardware resources, there is typically cloud equipment (IaaS, infrastructure AS A SERVICE) software.

Private cloud computing also includes three levels of cloud hardware, cloud platform, cloud services. In contrast, cloud hardware is a user's own personal computer or server, rather than a data center of a cloud computing vendor. Cloud computing manufacturers build data centers to provide public cloud services for millions of users, thus requiring tens of millions of servers. Private cloud computing serves only friends and relatives to individuals, and staff and clients and suppliers to businesses, so personal or business's own personal computers or servers are sufficient to provide cloud services. In the data processing method provided by the embodiment of the application, the data generated by the terminal equipment is subjected to anomaly detection through cloud security, if viruses exist, and the like, so that the network security of the terminal equipment is ensured.

In order to facilitate understanding of the data processing method provided by the embodiment of the present application, an application scenario of the data processing method is described below by taking an execution body of the data processing method as an example of a server.

Referring to fig. 1, the application scenario of the data processing method provided by the embodiment of the present application is shown. As shown in fig. 1, the application scenario includes a server 110 and a server 120 for performing data interaction, where the server 110 is a first node; server 120 is the second node. The first node 110 and the second node 120 may communicate over a network.

The server 120 encrypts the second identity information according to the first encryption rule to obtain second encrypted identity information, and sends the second encrypted identity information to the server 110. The first decryption rule and the first encryption rule are a pair of encryption and decryption algorithms, and if the server 110 can decrypt the second encrypted identity information according to the first decryption rule and obtain the second identity information, the second identity information is used for identifying the identity information of the second node, which indicates that the server 120 is not forged and is a trusted device.

The server 110 acquires the dynamically updated random data, encrypts the random number and the first identity information according to the second encryption rule to obtain a dynamic key, and transmits the dynamic key to the server 120. The second encryption rule and the second decryption rule are a pair of encryption and decryption algorithms, and if the server 120 decrypts the dynamic key according to the second decryption rule, the first identity information can be obtained, where the first identity information is used to identify the identity information of the first node, which indicates that the server 110 is not forged, and is a trusted device.

Through the above process, the server 120 completes the identity authentication of the server 110, and the server 110 completes the identity authentication of the server 120, thereby realizing the bidirectional identity authentication between the first node and the second node. At this time, the server 120 encrypts data to be transmitted according to the dynamic key, obtains encrypted data, and transmits the encrypted data to the server 110. The server 110 decrypts the encrypted data according to the dynamic key to obtain the data to be transmitted.

Therefore, the identity verification is performed on the second node through the first node and the identity verification is performed on the first node through the second node, so that the bidirectional identity verification is realized, the leakage of data to be transmitted is avoided, and meanwhile, the safety of the first node is ensured. In addition, the dynamic key is generated in the bidirectional identity verification process, and the dynamic key is generated according to the dynamic random number, so that the dynamic key has the advantages of dynamic property, randomness and high complexity, the possibility of leakage of the dynamic key is low, and the safety of data is further improved.

The data processing method provided by the embodiment of the application can be executed by a server. However, in other embodiments of the present application, the terminal device may have a similar function to the server, so as to perform the data processing method provided in the embodiment of the present application, or the terminal device and the server may jointly perform the data processing method provided in the embodiment of the present application, which is not limited in this embodiment.

In connection with the above description, the data processing system provided by the present application will be described below, which comprises at least one first node and a plurality of second nodes. Wherein the first node acts as a receiver of the encrypted data and the second node acts as a sender of the encrypted data. For convenience of description, the following embodiments will be described by taking the first node and the second node as servers.

Referring to fig. 2, the interaction diagram of a data processing method according to an embodiment of the present application is shown.

S201: and the second node encrypts the second identity information according to the first encryption rule to obtain second encrypted identity information.

In the embodiment of the application, the second node is used as a requester for sending the encrypted data, and the first node is used as a target for receiving the encrypted data. To ensure data security, the second node needs to perform two-way authentication before sending the encrypted data to the first node.

The following describes the process of authenticating the second node by the first node through S201 to S203, and the process of authenticating the first node by the second node through S204 to S207.

In the process that the first node performs identity verification on the second node, the second node needs to send the identity information for identifying the identity of the second node, namely the second identity information, to the first node, in order to avoid information leakage, the second node encrypts the second identity information according to the first encryption rule to obtain second encrypted identity information, and sends the second encrypted identity information to the first node.

The embodiment of the application is not particularly limited to the second identity information, such as a universal unique identification code (Universally Unique Identifier, UIUID) of the second node, an account identifier (accountId) created according to the information such as the user name, the password, the mobile phone number and the like of the second node, and the like.

S202: the second node transmits second encrypted identity information to the first node.

S203: the first node decrypts the second encrypted identity information according to the first decryption rule.

After the first node obtains the second encrypted identity information, the first node needs to decrypt the second encrypted identity information to verify whether the second node is trusted. Based on this, the embodiment of the application sets a pair of encryption and decryption rules, namely a first encryption rule and a first decryption rule, the data encrypted by the first encryption rule can be decrypted by the first decryption rule, the first encryption rule is placed in the second node, and the first decryption rule is placed in the first node.

If the first node is able to decrypt the second encrypted identity information according to the first decryption rule and the decrypted content is the second identity information, it is indicated that the second node is trusted. If the decrypted content is not the second identity information, the second node is forged and unreliable, and the first node does not need to establish a data transmission channel with the second node, so that the situation that the forged second node occupies a large number of database connections, other services of the first node cannot normally operate and the database is expanded is avoided.

S204: and if the second identity information is obtained through decryption, the first node acquires the dynamically updated random number.

If the first node decrypts the second identity information to indicate that the second node is trusted, the first node may encrypt and send the first identity information for characterizing the identity information to the second node for verification by the second node.

In the related art, after the second node passes the verification, the first node and the second node also need to agree on the secret key, so as to encrypt the data to be transmitted, thereby ensuring the data security. In order to simplify the flow, the embodiment of the application combines the process of sending the first identity information and the secret key used by the two parties for agreed encryption, namely, encrypts the first identity information and the random number to obtain a dynamic secret key, and sends the dynamic secret key to the second node so that the second node can perform identity verification and data encryption.

Compared with a key obtained by encrypting only the first identity information, a dynamic key obtained by encrypting the first identity information and the random number is more complex and is not easy to crack. And the random number is dynamically generated, so that when the random number is transformed, the dynamic key is also dynamically transformed, and the security of the data is further improved. Compared with the encryption of data to be transmitted by using a key for a long time, whether using a kafka (a high throughput distributed publish-subscribe message system) self-contained encryption mechanism or using an open source encryption algorithm, the problem of key storage is involved, and once the key is leaked, the data is at risk of being stolen.

Therefore, the generation mode of the dynamic key provided by the embodiment of the application not only ensures the safety of data transmission, but also minimizes the risk of key leakage. Although the dynamic key is stored and there is a risk of leakage, by continuously generating a new dynamic key to cover the old dynamic key, even if leakage occurs, the leakage of data for a long time in a large range is not caused, and the data security is ensured to some extent.

As a possible implementation manner, the dynamically updated random number may be a current timestamp, so that not only the random number may be continuously transformed, but also the network quality between the first node and the second node may be determined based on the timestamp, which will be described in detail later, and will not be described herein.

As a possible implementation manner, in order to further improve the security of the data, the dynamic key may be generated through the first identity information, the second identity information and the random number, so that the complexity of the dynamic key is improved through increasing the diversity of the composition, the possibility that the dynamic key is cracked is reduced, and thus the security of the data is improved.

S205: the first node encrypts the first identity information and the random data according to the second encryption rule to obtain a dynamic key.

Wherein the first identity information is used to identify identity information of the first node. The embodiment of the application is not particularly limited to the first identity information, such as a universal unique identification code (Universally Unique Identifier, UIUID) of the first node, an account identifier (accountId) created according to the information such as the user name, the password, the mobile phone number and the like of the first node, and the like.

The second encryption rule and the second decryption rule are a pair of encryption and decryption rules, the data encrypted by the second encryption rule can be decrypted by the second decryption rule, the second encryption rule is arranged in the first node so that the first identity information and the random data can be encrypted based on the second encryption rule to obtain a dynamic key, and the second decryption rule is arranged in the second node so that the second node can decrypt the dynamic key to verify the identity of the first node.

It should be noted that the second encryption rule may be the same as the first encryption rule or different from the first encryption rule, which is not particularly limited in the present application, and may be set by those skilled in the art according to actual needs.

S206: the first node sends the dynamic key to the second node.

S207: the second node decrypts the dynamic key according to the second decryption rule.

S208: and if the first identity information is obtained through decryption, the second node encrypts the data to be transmitted according to the dynamic key to obtain encrypted data.

If the second node decrypts the dynamic key according to the second decryption rule and the obtained content is the first identity information, the first node is not forged, and the first node is trusted. At this time, the dynamic key is also trusted, and the second node may encrypt the data to be transmitted according to the dynamic key, obtain encrypted data, and send the encrypted data to the first node.

S209: the second node transmits the encrypted data to the first node.

S210: and the first node decrypts the encrypted data according to the dynamic key to obtain the data to be transmitted.

After obtaining the encrypted data, the first node may decrypt the encrypted data according to the dynamic key sent to the second node in S206, to obtain the data to be transmitted.

As a possible implementation manner, the first node may store the dynamic key in the cache after generating the dynamic key, so as to wait for the second node to obtain the dynamic key from the cache for decryption operation after sending the encrypted data encrypted by the dynamic key.

As a possible implementation, after the first node sends the dynamic key to the second node at S206, the first node may store the dynamic key in a database such as MySQL (a relational database management system), remote dictionary service (Remote Dictionary Server, dis), etc. to obtain the dynamic key from the database before performing S210.

It should be noted that, after each time a new dynamic key is generated, the new dynamic key is stored in the database again, so as to cover the old dynamic key, realize dynamic updating of the key stored in the database, reduce the risk of key leakage, avoid large-scale long-time data leakage, and improve the data security. As a possible implementation manner, if the second node does not obtain the first identity information after decrypting the dynamic key according to the second decryption rule, a new dynamic key will not be obtained, and it may happen that the second node encrypts the data to be transmitted by using the old dynamic key. Based on this, the embodiments of the present application provide two ways to avoid the above situation, and the following descriptions will respectively be given.

Mode one: after the second node decrypts the dynamic key according to the second decryption rule, if the first identity information is not obtained, the second node does not send the data to be transmitted to the first node any more, or the second node can re-ask the first node for the dynamic key, etc.

Mode two: the first node does not store the dynamic key in the database immediately after executing S206, but waits for the result information of the second node decrypting the dynamic key according to the second decryption rule, specifically, the second node sends the result information to the first node after executing S207, i.e. after the second node decrypts the dynamic key according to the second decryption rule, the result information is used to identify whether the second node obtains the first identity information according to the second decryption rule. If the result information identifies that the second node obtains the first identity information according to the second decryption rule, the first node stores the dynamic key in the database, so that the second node sends the result information to the first node, the first node stores the dynamic key in the database after determining that the second node correctly decrypts according to the result information to obtain the first identity information, consistency of the dynamic keys stored by the first node and the second node is guaranteed, and the situation that the dynamic keys stored by the first node and the second node are inconsistent due to failure of decryption of the second node after the first node stores a new dynamic key in the database is avoided.

Further, in order to better implement data interaction between the first node and the second node, a hypertext transfer protocol (Hyper Text Transfer Protocol, HTTP) may be used for data transmission. Specifically, the first node may use the dynamic key to invoke the HTTP interface of the second node, thereby implementing that the first node sends the dynamic key to the second node. It should be noted that, in the HTTP interface, a request is necessarily accompanied by a response, so that the second node sends the result information to the first node as a response after decrypting the dynamic key according to the second decryption rule to obtain the first identity information. Therefore, by calling the HTTP interface, the first node and the second node carry out two-time handshake, so that the authentication of the second node to the first node is realized, the second node also acquires the dynamic key, and the consistency of the dynamic key stored by the first node and the second node can be ensured.

As one possible implementation, the second node may send the second encrypted identity information to the first node based on the invocation of the first node. Specifically, A1-A2 may also be performed before S201 is performed, i.e. before the second node encrypts the second identity information according to the first encryption rule, resulting in second encrypted identity information.

A1: the second node acquires a data acquisition request sent by the first node.

For large industrial enterprises, the data of each subsidiary is isolated from each other, and each subsidiary can only see the data of its own company. Each subsidiaries is a collection service and business system deployed separately. The data is not communicated. For a group, if data of a certain sub-company is to be checked, the data cannot be directly checked under the condition that the data are isolated from each other.

Based on the above, in the embodiment of the application, the first node is deployed at the group side, and the second nodes are deployed at the subsidiary side, so that each second node can only see own data, and the first node can realize the view of the data of the second node by sending a data acquisition request to the second node.

Because the first node and the second node are in different local area networks, the first node may not be able to access the second node, so the data acquisition request may carry the domain name of the second node and the access mark of the second node, so that the first node may smoothly send the data acquisition request to the second node through the gateway of the second node.

The access flag of the second node is used to indicate the gateway of the second node, and the first node is qualified to send the data acquisition request to the second node. As a possible implementation manner, the access flag of the second node may be a token generated before the second node, and may also be an access key. The access key is an application program interface (Application Programming Interface, API) key, and is a security credential that is required when the first node accesses the second node to perform identity authentication, and generally consists of a first subkey (SecretId) and a second Subkey (SECRETKEY).

Wherein SecretId and SECRETKEY are information pertaining to the primary account number. Each second node has a primary account number, a plurality of sub-account numbers can be arranged below one primary account number, the primary account number has all the rights, and the rights of the sub-account numbers are opened depending on the primary account number. It is understood that the primary account number is the super administrator. After the primary account number is successfully created by the platform, the system creates corresponding SecretId and SECRETKEY for the primary account number. SecretId and SECRETKEY are identity tags of primary account numbers. Each SecretId and SECRETKEY corresponds to one of the primary account numbers accountId. SecretId and SECRETKEY, and accountId are maintained in the tables of the database.

As one possible implementation, the first node and the second node may each deploy an account service, and the second node obtains accountId according to SecretId and SECRETKEY by invoking the account service.

A2: if the first node is determined to have the access right according to the access mark of the second node and the domain name of the second node, the second node acquires the second identity information.

If it is determined that the first node has access rights according to the access flag and the domain name, the second identity information is acquired so that the second node performs S201.

As a possible implementation manner, in order to better implement data interaction between the first node and the second node, HTTP may be used for data transmission. Specifically, the first node calls the HTTP interface of the second node by using the data acquisition request, so that the second node encrypts the second identity information according to the first encryption rule, and sends the second encrypted identity information as a response to the first node after obtaining the second encrypted identity information. Therefore, the first node and the second node carry out two-time handshake by calling the HTTP interface, so that the authentication of the first node to the second node is realized.

Therefore, the first node actively sends the data acquisition request to the second node, the second node performs the step of encrypting the second identity information according to the first encryption rule based on the data acquisition request to obtain the second encrypted identity information and the subsequent steps, and the data interaction can be better realized while the situation that the first node cannot be forged by the second node occupies a large number of database connections, other services of the first node cannot normally run and the like cannot happen in an application scene of a group architecture (namely the first node is deployed on a group side, and the second node is deployed on each sub-company side).

The first encryption rule and the first decryption rule, and the second encryption rule and the second decryption rule are specifically described below.

As a possible implementation manner, if the second identity information is obtained according to the first subkey and the second subkey, the second node encrypts the second identity information according to the first encryption rule, so as to obtain an implementation manner of the second encrypted identity information may be shown as B1-B4.

B1: the second node obtains the first sub-key and the second sub-key.

The first sub-key may be SecretId as described above and the second sub-key may be SECRETKEY as described above.

B2: the second node uses the first subkey as a key and generates a digest of the second subkey by a message digest generation algorithm.

The second sub-key is protected from tampering by generating a digest of the second sub-key by a message digest algorithm. The embodiment of the application is not particularly limited to the message digest generation algorithm, and a person skilled in the art can set the message digest generation algorithm according to actual needs, for example, a Hash-based Message Authentication Code (HMAC) algorithm related to a key is adopted.

B3: and the second node performs exclusive OR operation according to the abstract of the second subkey and the second identity information to obtain a first character string.

B4: and the second node encrypts the first character string through a first encryption algorithm to obtain second encrypted identity information.

The embodiment of the application is not particularly limited to the first encryption algorithm, and the first encryption algorithm can be a conventional algorithm or a custom string operation. Compared with the encryption of the second identity information by only one conventional (such as a message digest algorithm and the like), the second identity information encryption method can reduce the possibility of leakage of the second encrypted identity information and improve the security of the second encrypted identity information by two encryption algorithms.

As a possible implementation manner, the current timestamp may be acquired, and the timestamp and the first character string are encrypted by using a first encryption algorithm to obtain the second encrypted identity information. The timestamp may be used to identify a time of generation of the second encrypted identity information, so that after the second encrypted identity information is decrypted, the network quality between the first node and the second node is determined according to the timestamp and a current time difference value, which will not be described in detail herein.

As a possible implementation, the second encrypted identity information may be obtained by means of B41-B44, which is described in detail below.

B41: and splicing the first character string and the time stamp to obtain a second character string.

And B42: and generating a digest of the second character string by a message digest generation algorithm by taking the second subkey as a key.

B43: and splicing the abstract of the second character string with the second character string to obtain a third character string.

And B44: and encoding the third character string to obtain second encrypted identity information.

The embodiment of the present application is not particularly limited to the encoding manner, such as representing binary data based on 64 printable characters (base 64 encoding).

Therefore, the possibility that the second encrypted identity information is cracked can be further reduced by using the self-defined character string operation method as the first encryption algorithm, so that the data security is improved.

In the following, referring to fig. 3, a specific implementation manner in which the second node provided in the embodiment of the present application encrypts the second identity information according to the first encryption rule to obtain the second encrypted identity information is described, see S301-S309.

Referring to fig. 3, a schematic diagram of a method for generating second encrypted identity information according to an embodiment of the present application is shown.

S301: starting.

S302: secretId of the second node and SECRETKEY of the second node are obtained.

One node has only one primary account number, i.e., the second node has only one primary account number, i.e., only one SecretId and SECRETKEY. According to the corresponding relation between SecretId and SECRETKEY and accountId, accountId, namely the second identity information, can be obtained by inquiring SecretId and SECRETKEY.

S303: using SecretId as a key, the A string is generated by the HMAC algorithm.

Wherein, the abstract of SECRETKEY is noted as a string.

S304: and carrying out exclusive OR operation on the A string and accountId to obtain the B string.

Wherein the first string is denoted as the B string.

S305: and acquiring the current time stamp, and splicing the time stamp to the B string to obtain the C string.

Wherein, the second character string is the C string.

S306: using SECRETKEY as a key, a D string is generated by HMAC algorithm.

Wherein the abstract of the C string is noted as the D string.

S307: and splicing the D string with the C string to obtain the E string.

Wherein the third string is denoted as the E string.

S308: and performing base64 coding on the E string to obtain an F string.

Wherein the second encrypted identity information is noted as an F-string.

S309: and (5) ending.

After the first encryption rule is introduced, the first decryption rule is specifically described below. The first decryption rule and the first encryption rule are a pair of encryption and decryption rules, and data encrypted by the first encryption rule can be decrypted by the first decryption rule.

As a possible implementation, if the second identity information is obtained according to the first subkey and the second subkey, a specific implementation of the first node decrypting the second encrypted identity information according to the first decryption rule may be shown as C1-C4.

C1: a first sub-key and a second sub-key are acquired.

C2: and generating a digest of the second subkey by a message digest generation algorithm by taking the first subkey as a key.

C1-C2 reference is made to the foregoing B1-B2 and will not be described in detail herein.

And C3: and decrypting the second encrypted identity information through a first decryption algorithm to obtain a first character string.

The first decryption algorithm and the first encryption algorithm are a pair of encryption and decryption algorithms, and data encrypted by the first encryption algorithm can be decrypted by the first decryption algorithm. The first encryption algorithm is disposed in the second node and the first decryption algorithm is disposed in the first node.

As a possible implementation manner, the first string is obtained by decrypting the second encrypted identity information through the first decryption algorithm, which may be shown as C31-C34, which is described in detail below.

C31: and decoding the second encrypted identity information to obtain a third character string.

The decoding mode is determined according to the encoding mode in the foregoing B44, and as a possible implementation, a base decoding mode may be used.

C32: if the length of the third character string accords with the first preset length, splitting the third character string according to the character length to obtain a second character string and a summary of the second character string.

It should be noted that, the first preset length may be determined according to the length of the third character string obtained after encoding, which is not specifically limited in the present application.

If the third character string does not conform to the first preset length, the third character string has a problem that the second identity information cannot be obtained through analysis later, the second node is not trusted, and subsequent steps are not needed to be executed, so that occupation of resources is reduced.

If the third character string accords with the first preset length and is formed by splicing the second character string and the abstract of the second character string, the third character string can be split according to the character length of the second character string so as to obtain the second character string and the second character string abstract.

For example, in the encryption process, the length of the second string is 32 bits, the length of the abstract of the second string is 32 bits, and after the abstract of the second string is spliced to the second string, the length of the obtained third string should be 64 bits. Therefore, in the decryption process, if the length of the third string is 64 bits, the first 32 bits and the last 32 bits of the third string are split, the first 32 bits of the string is determined as the second string, and the last 32 bits of the string is determined as the abstract of the second string.

C33: and generating a pending digest of the second character string by a message digest generation algorithm by taking the second subkey as a key.

For the relevant points, reference may be made to the aforementioned B43, and details are not repeated here.

C34: if the undetermined abstract of the second character string is the same as the abstract of the second character string, splitting the second character string according to the character length to obtain the first character string.

Because the abstract generated by the message abstract generation algorithm is irreversible, if the undetermined abstract of the second character string is the same as the abstract of the second character string, the second character string is split according to the character length to obtain the first character string, which indicates that the second character string is not tampered.

It should be noted that, because the second encrypted identity information may be obtained according to the timestamp and the first string, in the encryption process, the second string may be obtained by splicing the first string and the timestamp, so that the second string is split according to the character length and the splicing manner, and the first string and the timestamp may be obtained.

Further, the time stamp is used as a dynamically updated random number, which has not only dynamics, randomness and complexity, but also enables to determine the network quality between the first node and the second node based on the time stamp. Specifically, compared with the data amount sent by the subsequent second node to the first node, the data amount required by the first node and the second node for identity verification is much smaller, if only the time required for transmitting the smaller data amount is much longer, the time required by the subsequent second node for encrypting the data to the first node is multiplied, so if the difference between the timestamp and the current time exceeds the first preset time value in the process of verifying the identity information of the second node by the first node, the current network quality is poor, the time required by the subsequent second node for transmitting the encrypted data to the first node is longer, the current network quality is poor, the user can be prompted, and the subsequent steps are not executed any more. If the difference between the timestamp and the current time does not exceed the first preset time value, the current network quality is better, the time required by the subsequent second node to send the encrypted data to the first node is within the tolerance range of the user, and the subsequent steps can be continuously executed.

The embodiment of the present application is not particularly limited to the first preset time value, and a person skilled in the art may set the first preset time value according to actual needs, for example, five minutes. As a possible implementation manner, before determining the difference between the timestamp and the current time, it is also possible to verify whether the format of the timestamp is correct, if so, execute the determination of the difference between the timestamp and the current time, and if not, end the current flow.

And C4: and performing exclusive OR operation according to the digest of the second subkey and the first character string.

If the exclusive or operation can obtain the second identity information, that is, the decryption obtains the second identity information, S204 is continuously performed. If the exclusive or operation does not obtain the second identity information, the second node is not trusted, the first node does not need to establish a data transmission channel with the second node, and the situation that the forged second node occupies a large number of database connections, so that other services of the first node cannot normally operate and the database is expanded is avoided.

Next, a specific implementation manner of decrypting the second encrypted identity information by the first node according to the first decryption rule provided in the embodiment of the present application will be described with reference to fig. 4, where the process of encrypting the second identity information by the second node according to the first decryption rule provided in S301 to S309 to obtain the second encrypted identity information is specifically referred to S401 to S416.

Referring to fig. 4, a schematic diagram of a method for decrypting second encrypted identity information according to an embodiment of the present application is shown.

S401: starting.

S402: and performing base64 decoding on the F string to obtain an E string.

The second encrypted identity information is marked as an F string, and the third character string is marked as an E string.

S403: and judging whether the length of the E string accords with the first preset length. If not, executing S404; if yes, S405 is executed.

S404: if the length of the E string does not accord with the first preset length, ending the current flow.

S405: if the length of the E string accords with the first preset length, splitting the E string according to the character length to obtain a C string and a D string.

Wherein, the second character string is marked as a C string, and the abstract of the second character string is marked as a D string.

S406: and generating a pending digest of the C string by using SECRETKEY of the second node as a key through an HMAC algorithm.

S407: and judging whether the undetermined abstract of the C string is identical with the D string. If not, executing S408; if yes, S409 is performed.

S408: if the undetermined abstract of the C string is not the same as the D string, ending the current flow.

S409: if the undetermined abstract of the C string is the same as the D string, splitting the C string according to the character length to obtain the B string and the time stamp.

Wherein the B string is a first character string.

S410: it is determined whether the timestamp format is correct. If not, then S411 is executed; if yes, then execution proceeds to S412.

S411: if the format of the time stamp is incorrect, ending the current flow.

S412: if the format of the time stamp is correct, judging whether the difference value between the time stamp and the current time is less than five minutes. If not, then execution S413; if yes, then execution proceeds to S414.

S413: if the difference between the time stamp and the current time is greater than or equal to five minutes, ending the current flow.

S414: if the difference between the time stamp and the current time is less than five minutes, secretId is used as a secret key, and an A string is generated through an HMAC algorithm.

Wherein, the abstract of SECRETKEY is noted as a string.

S415: and performing exclusive OR operation according to the A string and the B string so as to obtain accountId.

S416: and (5) ending.

After the first encryption rule and the first decryption rule are introduced, the second encryption rule is specifically described below. It should be noted that the second encryption rule and the first encryption rule may be the same encryption rule or different encryption rules, which is not particularly limited in the present application.

As a possible implementation, a specific implementation of encrypting the first identity information and the random data by the first node according to the second encryption rule to obtain the dynamic key is described below, as shown in D1-D2.

D1: and encrypting the first identity information by using the second identity information as a secret key through a symmetric encryption algorithm to obtain a fourth character string.

The symmetric encryption algorithm means that the same character string is used as a key for encryption and decryption. The embodiment of the present application is not particularly limited to the symmetric encryption algorithm, for example, advanced encryption standard (Advanced Encryption Standard, AES), and those skilled in the art may set according to actual needs. By the symmetric encryption algorithm, the first identity information can be prevented from being leaked.

D2: and encrypting the fourth character string and the random number through a second encryption algorithm to obtain a dynamic key.

The embodiment of the application is not particularly limited to the second encryption algorithm, and the second encryption algorithm can be a conventional algorithm or a custom string operation. Compared with the encryption of the first identity information by only one conventional (such as a symmetric encryption algorithm and the like), the possibility of leakage of the first encrypted identity information can be reduced by two encryption algorithms, and the security of the first encrypted identity information is improved.

As a possible implementation manner, the current time stamp may be acquired, and the time stamp, the fourth string and the random number are encrypted by using a second encryption algorithm to obtain the dynamic key. The time stamp may be used to identify a time of generation of the dynamic key for subsequent determination of network quality between the first node and the second node based on the time stamp and a current time difference after decryption of the dynamic key.

As a possible implementation manner, the dynamic key is obtained by encrypting the fourth string and the random number by the second encryption algorithm, which may be shown in D21-D24, which will be described in detail below.

D21: and splicing the fourth character string and the time stamp to obtain a fifth character string.

D22: and generating a digest of the fifth character string by a message digest algorithm by taking the second subkey as a key.

D23: and splicing the fifth character string and the abstract of the fifth character string to obtain a sixth character string.

D24: and encoding the sixth character string to obtain the dynamic key.

In the following, referring to fig. 5, a specific implementation manner of encrypting, by a first node, first identity information according to a second encryption rule to obtain a dynamic key according to an embodiment of the present application is described, see S501-S507.

Referring to fig. 5, a schematic diagram of a method for generating a dynamic key according to an embodiment of the present application is shown.

S501: starting.

S502: and using accountId of the second node as a key, and encrypting UIUID of the first node by using an AES algorithm to obtain an AA string.

Wherein the fourth string is an AA string.

S503: and splicing the AA string and the timestamp to obtain the BB string.

Wherein the fifth string is a BB string.

S504: using SECRETKEY of the second node as a key, generating a digest of the BB string by the HMAC algorithm, and recording the digest of the BB string as the CC string.

S505: and splicing the BB string and the CC string to obtain the DD string.

Wherein the sixth string is a DD string.

S506: and encoding the DD string to obtain an EE string.

Wherein the dynamic key is an EE string.

S507: and (5) ending.

After the introduction of the second encryption rule, the second decryption rule is specifically described below. The second decryption rule and the second encryption rule are a pair of encryption and decryption rules, and the data encrypted by the second encryption rule can be decrypted by the second decryption rule.

As a possible implementation, a specific implementation of the second node decrypting the dynamic key according to the second decryption rule may be shown as E1-E2.

E1: and decrypting the dynamic key through a second decryption algorithm to obtain a fourth character string.

The second decryption algorithm and the second encryption algorithm are a pair of encryption and decryption algorithms, and data encrypted by the second encryption algorithm can be decrypted by the second decryption algorithm.

E2: and decrypting the fourth character string by using the second identity information as a secret key through a symmetric encryption algorithm.

As a possible implementation manner, if the second encrypted identity information is obtained according to the first subkey and the second subkey, the first string may be obtained by means of E11-E14, which is described in detail below.

E11: and decoding the dynamic key to obtain a sixth character string.

The decoding mode is determined according to the encoding mode of D24, and as a possible implementation, a base decoding mode may be used.

E12: if the sixth character string accords with the second preset length, splitting the sixth character string according to the character length to obtain a fifth character string and abstracts of the fifth character string.

The second preset length may be determined according to the length of the sixth character string obtained after encoding, which is not particularly limited in the present application.

E13: and generating a pending digest of the fifth character string by a message digest algorithm by taking the second subkey as a key.

E14: if the undetermined abstract of the fifth character string is the same as the abstract of the fifth character string, splitting the fifth character string according to the character length to obtain a fourth character string.

Because the abstract generated by the message abstract generation algorithm is irreversible, if the undetermined abstract of the fifth character string is the same as the abstract of the fifth character string, the fifth character string is split according to the character length to obtain a fourth character string, which indicates that the fifth character string is not tampered with.

It should be noted that, since the dynamic key may be obtained according to the timestamp and the fourth string, in the encryption process, the fifth string may be obtained by splicing the fourth string and the timestamp, so that the fifth string is split according to the character length, and the fourth string and the timestamp may be obtained.

Further, the time stamp is used as a dynamically updated random number, which has not only dynamics, randomness and complexity, but also enables to determine the network quality between the first node and the second node based on the time stamp. Specifically, compared with the data amount sent by the subsequent second node to the first node, the data amount required by the first node and the second node for identity verification is much smaller, if only the time required for transmitting the smaller data amount is much longer, the time required by the subsequent second node for encrypting the data to the first node is multiplied, so if the difference between the timestamp and the current time exceeds the first preset time value in the process of verifying the identity information of the second node by the first node, the current network quality is poor, the time required by the subsequent second node for transmitting the encrypted data to the first node is longer, the current network quality is poor, the user can be prompted, and the subsequent steps are not executed any more. If the difference between the timestamp and the current time does not exceed the second preset time value, the current network quality is better, the time required by the subsequent second node to send the encrypted data to the first node is within the tolerance range of the user, and the subsequent steps can be continuously executed.

The first preset time value and the second preset time value may be the same value or different values, which is not particularly limited in the present application, and may be set by those skilled in the art according to actual needs. As a possible implementation manner, before determining the difference between the timestamp and the current time, it is also possible to verify whether the format of the timestamp is correct, if so, execute the determination of the difference between the timestamp and the current time, and if not, end the current flow.

A specific implementation manner of decrypting the dynamic key by the second node according to the second decryption rule provided in the embodiment of the present application will be described below with reference to fig. 6, where the process of encrypting the first identity information according to the second encryption rule by the first node provided in the foregoing S501-S506 to obtain the first encrypted identity information is specifically referred to S601-S616.

Referring to fig. 6, a schematic diagram of a method for decrypting a dynamic key according to an embodiment of the present application is shown.

S601: starting.

S602: and performing base64 decoding on the EE string to obtain the DD string.

Wherein the dynamic key is marked as EE string, and the sixth character string is DD string.

S603: and judging whether the length of the DD string accords with a second preset length. If not, executing S604; if yes, S605 is executed.

S604: if the length of the DD string does not accord with the second preset length, ending the current flow.

S605: if the length of the DD string accords with the second preset length, splitting the DD string according to the character length to obtain a BB string and a CC string.

Wherein, the fifth character string is BB string, and the abstract of the fifth character string is CC string.

S606: and generating the pending digest of the BB string by using SECRETKEY of the second node as a key through an HMAC algorithm.

S607: and judging whether the undetermined abstract of the BB string is identical with the CC string. If not, then executing S608; if yes, S609 is executed.

S608: if the undetermined abstract of the BB string is different from the CC string, ending the current flow.

S609: if the undetermined abstract of the BB string is the same as the CC string, splitting the BB string according to the character length to obtain the AA string and the time stamp.

Wherein the fourth string is an AA string.

S610: it is determined whether the timestamp format is correct. If not, executing S611; if yes, S612 is performed.

S611: if the format of the time stamp is incorrect, ending the current flow.

S612: if the format of the time stamp is correct, judging whether the difference value between the time stamp and the current time is less than five minutes. If not, executing S613; if yes, then S614 is performed.

S613: if the difference between the time stamp and the current time is greater than or equal to five minutes, ending the current flow.

S614: if the difference between the time stamp and the current time is less than five minutes, accountId of the second node is used as a key, and the AA string is decrypted through a symmetric encryption algorithm.

S615: it is determined whether to decrypt UIUID to obtain the first node. If not, then execution S616; if yes, S617 is performed.

S616: if the decryption fails, the current flow is ended.

S617: if the decryption is successful, UIUID of the first node is stored in the database.

S618: the dynamic key is stored to a database.

S619: and (5) ending.

As can be seen from the foregoing, for the application scenario of the group architecture, the group may want to view the data of a certain sub-company, so that the data of the sub-company needs to be collected quickly and displayed to the group side for improving the user experience. The following is a detailed description.

In practical application, a plurality of sub-companies are arranged under a group, data among the sub-companies are not communicated, a plurality of equipment required by industry is arranged in each sub-company, and a plurality of points, such as a temperature sensor, a humidity sensor and the like, are arranged on each equipment. The point location data can be acquired through the point location, the point location data acquired through the point locations of the plurality of devices of each subsidiary can be summarized to the subsidiary, then the group is communicated with the subsidiary, and the point location data of the subsidiary is transmitted to the group. In the application scenario, a group deploys a first node and a subsidiary deploys a second node.

In order to accelerate the data transmission speed, all the point location data can be transmitted through a plurality of channels, so that the first node is required to store the point location data, the dynamic key and the like acquired by the second node, and the point location data is required to be summarized.

In the related art, mySQL is generally used as a database, but a relational database management system increases the speed and flexibility by storing point location data in different tables, but the database needs to have a storage function and be capable of summarizing the point location data. If a MySQL relational database is adopted, the summarizing speed is very slow, but the application scene of the Internet of things needs the quick response capability, based on the fact, the embodiment of the application stores the point location data and the metadata separately, so that the speed of summarizing the point location data is improved. This is specifically illustrated by F1-F3.

F1: and if the second identity information is obtained, acquiring metadata of the second node.

It should be noted that metadata includes directories, channels, devices, and points. The directory includes a plurality of channels, for example, a directory may be a pipeline or a factory area. The channel, i.e. the network protocol. Each channel is used to transmit all the point location data of one device. Apparatus: i.e. industrial equipment that is produced in the factory, such as winding machines, assembling machines, slitting machines, etc. An apparatus has at least one point for acquiring point data. The point location, namely the sensor which can carry out data transmission on the industrial equipment, can acquire the point location data, namely generate the point location data.

F2: and acquiring first target point position data corresponding to the target point position from the second node in response to acquiring the target point position determined from the metadata.

In practical applications, after the first node obtains the metadata of the second node, the metadata may be shown at the first node, for example, through a tree structure. The user may determine a target point location to view in the metadata, where the target point location is a point location to view by the user in a plurality of point location data included in the metadata. Therefore, the second node can only transmit the point location data of the target point location which the user wants to view to the first node without transmitting all the point location data, and the transmitted data volume is reduced, so that the data transmission time is shortened, and the response timeliness is improved.

F3: storing target metadata corresponding to the target point locations in a first storage area; and creating a device table corresponding to each device in the second storage area according to the target point positions and the target devices corresponding to the targets so as to integrate first target point position data corresponding to the target point positions according to the device table.

After the first target point location data is acquired, in the second storage area, according to the target point location and the devices corresponding to the target point location, creating a device table corresponding to each device, so as to integrate the first target point location data according to the device table. The first storage area is different from the second storage area, and target metadata corresponding to the target point location can be stored in the first storage area.

As a possible implementation manner, the first storage area may be MySQL, where metadata such as a directory, a channel, and the like is stored. The second storage area is ClickHouse (a column-oriented database management system). In ClickHouse, a device corresponds to a device table, where the table includes all the points included in the device, and corresponds to fields in the device table. Wherein ClickHouse is a columnar database management system (DBMS) for online analysis (OLAP). In a columnar storage manner, compared with a row-stored database, for example, mysql and postgresql are compared. In the scene of a large amount of data, the efficiency of aggregation calculation is far higher than that of a line database, and the method is suitable for a large amount of real-time statistics.

As a possible implementation manner, since the point location data may be updated at fixed time intervals, including modifying the point location data and deleting the point location data, the first node needs to synchronize the updated data of the second node, so as to ensure data synchronization between the first node and the second node. The following is a description of G1-G3.

G1: the target point location is retrieved from the first storage area.

As one possible implementation, the update may be triggered manually in response to a user clicking a button, such that the first storage area obtains the target point location.

As a possible implementation, the update may be triggered by a timing task, so that the first storage area acquires the target point location.

And G2: and obtaining second target point position data corresponding to the target point position from the second node.

And G3: if the first target point location data and the second target point location data are different, updating the first target point location data according to different point location data in the first target point location data and the second target point location data.

For example, the first node may obtain the point location identifier of the target point location from the first storage area, and then obtain, from the second node, the latest point location data stored by the second node for the target point location, that is, the second target point location data, through an open API (openAPI). Comparing the first target point location data with the second target point location data, and if the first target point location data and the second target point location data are the same, not updating the point location data by the second node; if the two point location data are different, the second node updates the point location data, at the moment, the difference between the first target point location data and the second target point location data can be compared, the point location data which are deleted or modified by the second node are obtained, and the first target point location data are updated based on the deleted or modified point location data. Compared with the scheme of realizing point location data synchronization by using the technique of block chains in the related art, the method reduces cost and operation and maintenance difficulty.

Because more point location data is stored in the second storage area, the point location data after multiple synchronous operations is possible, the point location data is more in point location, the point location data is less in point location, if only the second target data is stored in the second storage area in an overlapping manner, more point location data is lost in the second storage area, and the calculation amount is large. Based on the above, the first target point location data and the second target point location data need to be compared, so that the first target point location data is updated based on different data, and the calculated amount can be reduced while the point location data is synchronized.

As a possible implementation, the transmission of the encrypted data starts after the first node and the second node establish a connection. In this process, the second node may have a service unavailable. For example, a service may be suspended, resulting in the second node not functioning properly. Based on this, the first node may also perform health detection on the service deployed by the second node, which is described in detail below by H1-H2.

H1: traversing the service schedule of the second node at preset time intervals.

Each second node is correspondingly provided with a proxy service. The second node deploys a plurality of services, and uploads the service name and the uploading time of uploading the service name to the proxy service together at fixed time intervals, so that the proxy service stores the service name and the uploading time to the service schedule in the form of key-value. Wherein the service name is used to uniquely identify the service.

As a possible implementation manner, if the same service uploads its own service name and upload time to the proxy service multiple times, the proxy service may only cover the new upload time to the old upload time, thereby reducing the occupation of resources.

H2: if the difference value between the target uploading time and the current time is larger than a third preset time value, determining that the target service represented by the service name corresponding to the target uploading time is unavailable, and canceling detecting the target service.

The service schedule includes a plurality of service names and corresponding uploading times, the first node traverses each uploading time, taking one of the plurality of uploading times, i.e. the target uploading time as an example, if the difference between the target uploading time and the current time is greater than a third preset time value, it is indicated that the target service represented by the service name corresponding to the target uploading time has no active uploading service name and uploading time for a long time, and the target service is unavailable, and at this time, detection of the target service can be canceled.

In practical applications, kafka storage metadata, point location data, etc. may be employed. At this time, the cancellation detection target service may perform the operations of stopping the acquisition and synchronization of the metadata, the point location data, and the like, and cancel the subscription to the message set (topic) of the kafka received data, thereby avoiding the resource waste due to the fact that the kafka constantly detects whether the message is stored.

As a possible implementation manner, if the first node displays the health states of all the second nodes, after the service of a certain second node is unavailable, the service may be displayed to perform operations such as data statistics.

The third preset time is not particularly limited, for example, thirty minutes, and may be set by those skilled in the art according to actual needs.

Referring to fig. 7, a schematic diagram of health detection of a service deployed by a second node by a first node according to an embodiment of the present application is shown.

In the application scenario shown in fig. 7, four services, that is, service_ A, service _ B, service _c and service_d, are deployed at the second node, and each service regularly invokes a service detection interface of the proxy service through a timer, where the parameters of the interface include a service name and an upload time. The proxy service writes the service name and upload time as key-value into a service schedule (map), respectively.

The first node calls a service statistics interface every preset time, traverses a service time table of the second node, determines that the target service represented by the service name corresponding to the target uploading time is unavailable if the difference between the target uploading time and the current time is greater than thirty minutes, and cancels detection of the target service.

In order to facilitate further understanding of the technical solution provided by the embodiments of the present application, an execution body of the data processing method provided by the embodiments of the present application is taken as a server as an example, and the data processing method is described in an overall exemplary manner.

Wherein the first node is deployed on the group side and the second node is deployed on the subsidiary side. Wherein the first node also deploys MySQL, clickHouse and kafka and the second node deploys the database. The first node can look up the internet of things data of the second node through the following four stages. The four phases are an identity authentication phase, a connection creation phase, a point location data preview phase and a metadata synchronization phase, respectively, and are described below.

Referring to fig. 8a, the application scenario of data processing provided by the embodiment of the present application is shown. In fig. 8a, an authentication phase and a connection creation phase are included. The identity verification stage is S1-S2 and S13-S16; the connection phase is created as S4-S12.

S1: the first node sends a data acquisition request to the second node.

Wherein the data acquisition request includes the domain name of the second node, secretId of the second node, and SECRETKEY of the second node.

It should be noted that, the second node may send its own domain name, secretId and SECRETKEY to the first node for storage in an offline manner.

S2: second encrypted identity information is generated.

After receiving the data acquisition request, the second node generates second encrypted identity information in the manner of fig. 3, and sends the second encrypted identity information to the first node.

Thus, through S1-S2, the authentication of the first node to the second node is realized.

S3: the second node transmits second encrypted identity information to the first node.

S4: and if the verification is passed, the first node acquires the metadata of the second node.

S5: the second node sends metadata to the first node.

S6: and obtaining the target point position.

All metadata can be displayed through the attribute structure so that a user can select the metadata, and further the target point position selected by the user can be obtained.

S7: the first node stores metadata to MySQL of the first node.

S8: the MySQL of the first node returns an asynchronous task execution progress to the first node.

The manner in which asynchronous tasks are used is mainly due to the large amount of point location data that may exist under each device, and if MySQL of the first node and ClickHouse of the first node are stored in a synchronous manner, operation timeouts may be likely to occur. The execution progress of the asynchronous task is written into the global redis, and the front end can check the execution progress of the task and whether the execution is successful or not through the identification of the asynchronous task.

It should be noted that, the point data of a device is transmitted through a channel, and corresponds to an asynchronous task, where each asynchronous task has an identifier, so as to be different from other asynchronous tasks.

S9: the first node creates a device table from the destination point locations.

And creating a device table corresponding to each device at ClickHouse of the first node according to the target point location and the target device corresponding to the target.

S10: clickHouse of the first node integrates the data.

S11: clickHouse of the first node returns an asynchronous task execution progress to the first node.

S12: the first node opens a data receiving switch to receive encrypted data.

After the connection is successfully established, a data receiving switch is opened, and point location data of the second node is ready to be received.

Thus, the creation of a connection phase is achieved through S4-S12.

S13: the first node generates a dynamic key.

The dynamic key may be generated in the manner shown in fig. 5.

S14: the first node sends the dynamic key to the second node.

S15: the second node verifies.

Verification may be performed in the manner shown in fig. 6.

S16: the second node returns the result information to the first node.

Thereby, the authentication phase of the second node to the first node is achieved through S13-S16.

S17: the second node stores the dynamic key in a database of the second node.

S18: the first node stores the dynamic key in MySQL of the first node.

The second node transmits second encrypted identity information to the first node.

S14: and if the verification is passed, generating a dynamic key.

The authentication process may be as described above with respect to fig. 4, and after the authentication is passed, the dynamic key may be generated as described above with respect to fig. 5.

Referring to fig. 8b, the application scenario of data processing provided by the embodiment of the present application is shown. In fig. 8b, a body point location data preview phase and a metadata synchronization phase are included. The point location data preview stage is S15-S22; the metadata synchronization stage is S23-S31.

S15: and creating a data forwarding task through the second node.

The device and the bit that need to be synchronized are selected, the kafka address of the first node is filled in, and the topic of kafka (which data to synchronize, requiring an offline convention).

S16: the second node creates a forwarding task and encrypts data to be transmitted according to the dynamic key.

It should be noted that, before S16 is performed, the dynamic key may be acquired from the database of the second node. When the dynamic key is acquired, the dynamic key is preferentially acquired from the rediss, and mysql is not checked in the rediss, so that the query efficiency is improved.

S17: the second node transmits the encrypted data to the kafka of the first node.

S18: the first node decrypts the encrypted data based on the dynamic key.

S19: the first node stores the first target point location data in the device table.

S20: the first node previews first target point location data.

S21: clickHouse of the first node integrates the data.

S22: clickHouse of the first node returns the aggregated point location data.

S23: the first node queries the MySQL of the first node for the target point location.

S24: the MySQL of the first node sends the target point location to the first node.

S25: and the first node acquires second target point position data according to the target point position.

S26: the second node transmits second target point location data to the first node.

S27: the first node compares the first target point location data with the second target point location data.

S28: the first node updates MySQL of the first node.

S29: the MySQL of the first node returns an asynchronous task execution progress to the first node.

S30: the first node updates ClickHouse of the first node.

S31: clickHouse of the first node returns an asynchronous task execution progress to the first node.

The application also provides a corresponding data processing device for the data processing method, so that the data processing method can be practically applied and realized.

Referring to fig. 9, a schematic structural diagram of a data processing apparatus according to an embodiment of the present application is shown. As shown in fig. 9, the data processing apparatus 900 includes:

The receiving unit 901 is configured to receive second encrypted identity information, where the second encrypted identity information is obtained by encrypting, by a second node, the second identity information according to a first encryption rule, and the second identity information is used to identify identity information of the second node;

A decryption unit 902, configured to decrypt the second encrypted identity information according to a first decryption rule;

an obtaining unit 903, configured to obtain a dynamically updated random number if the second identity information is obtained by decryption;

An encryption unit 904, configured to encrypt the first identity information and the random data according to the second encryption rule to obtain a dynamic key, where the first identity information is used to identify identity information of a first node;

a sending unit 905, configured to send the dynamic key to the second node;

the receiving unit 901 is further configured to receive encrypted data, where the encrypted data is obtained by encrypting, by the second node, data to be transmitted according to the dynamic key;

The decryption unit 902 is configured to decrypt the encrypted data according to the dynamic key, to obtain the data to be transmitted.

As a possible implementation manner, the apparatus further includes a synchronization unit, configured to:

Receiving result information sent by the second node, wherein the result information is used for identifying whether the second node obtains the first identity information according to a second decryption rule;

And if the second result information identifies that the second node obtains the first identity information according to the second decryption rule, storing the dynamic key so as to decrypt the encrypted data according to the dynamic key.

As a possible implementation manner, the encryption unit 904 is specifically configured to:

encrypting the first identity information by using the second identity information as a secret key through a symmetric encryption algorithm to obtain a fourth character string;

And encrypting the fourth character string and the random number through a second encryption algorithm to obtain the dynamic key.

Acquiring a current time stamp;

And encrypting the timestamp, the fourth character string and the random number through the second encryption algorithm to obtain the dynamic key.

As a possible implementation manner, the second identity information is obtained according to the first subkey and the second subkey, and the encryption unit 904 is specifically configured to:

splicing the fourth character string and the time stamp to obtain a fifth character string;

Generating a summary of the fifth character string by a message summary algorithm by taking the second subkey as a key;

Splicing the fifth character string and the abstract of the fifth character string to obtain a sixth character string;

and encoding the sixth character string to obtain the dynamic key.

As a possible implementation manner, the second node includes point location data of a plurality of devices, and the apparatus further includes a storage unit, configured to:

If the second identity information is obtained, metadata of the second node is obtained, wherein the metadata comprises a catalog, channels, equipment and points, the catalog comprises a plurality of channels for transmitting the point location data, the equipment comprises at least one point location for detection, and the point location generates the point location data;

acquiring first target point location data corresponding to the target point location from the second node in response to acquiring the target point location determined from the metadata;

Storing target metadata corresponding to the target point locations in a first storage area; and creating a device table corresponding to each device in a second storage area according to the target point location and the target device corresponding to the target, so as to integrate the first target point location data according to the device table, wherein the first storage area is different from the second storage area.

acquiring the target point location from the first storage area;

Acquiring second target point location data corresponding to the target point location from the second node;

And if the first target point position data and the second target point position data are different, updating the first target point position data according to different point position data in the first target point position data and the second target point position data.

As a possible implementation manner, the apparatus further includes a detection unit, configured to:

Traversing a service schedule of the second node at intervals of preset time, wherein the service schedule comprises a service name of at least one service deployed by the second node and uploading time for uploading the service name;

If the difference value between the target uploading time and the current time is larger than a third preset time value, determining that the target service represented by the service name corresponding to the target uploading time is unavailable, and canceling detection of the target service, wherein the target uploading time is one of at least one uploading time.

As a possible implementation manner, the second identity information is obtained according to the first subkey and the second subkey, and the decryption unit 902 is specifically configured to:

Acquiring the first subkey and the second subkey;

Generating a digest of the second subkey by a message digest generation algorithm with the first subkey as a key;

Decrypting the second encrypted identity information through a first decryption algorithm to obtain a first character string;

and performing exclusive OR operation according to the digest of the second subkey and the first character string.

As a possible implementation manner, the decryption unit 902 is specifically configured to:

Decoding the second encrypted identity information to obtain a third character string;

If the length of the third character string accords with the first preset length, splitting the third character string according to the character length to obtain a second character string and a summary of the second character string;

generating a pending digest of the second string by the message digest generation algorithm using the second subkey as a key;

And if the undetermined abstract of the second character string is the same as the abstract of the second character string, splitting the second character string according to the character length to obtain the first character string.

As a possible implementation manner, if the second encrypted identity information is obtained according to the timestamp and the first string, the decryption unit 902 is specifically configured to:

Splitting the second character string according to the character length to obtain the first character string and the time stamp;

the device further comprises a detection unit for:

And if the difference value between the timestamp and the current time does not exceed a first preset time value, executing the step of taking the first sub-key as a key and generating the digest of the second sub-key through the message digest generation algorithm.

Referring to fig. 10, a schematic structural diagram of a data processing apparatus according to an embodiment of the present application is shown. As shown in fig. 10, the data processing apparatus 1000 includes:

an encryption unit 1001, configured to encrypt second identity information according to a first encryption rule to obtain second encrypted identity information, where the second identity information is used to identify identity information of a second node;

a sending unit 1002, configured to send the second encrypted identity information to a first node, so that the first node decrypts the second encrypted identity information according to a first decryption rule and the second encrypted identity information to obtain second identity information;

A receiving unit 1003, configured to receive a dynamic key sent by the first node, where the dynamic key is obtained by encrypting, by the first node, first identity information and a random number according to a second encryption rule, where the first identity information is used for identity information of the first node;

A decryption unit 1004, configured to decrypt the dynamic key according to a second decryption rule;

The encryption unit 1001 is further configured to encrypt data to be transmitted according to the dynamic key if the first identity information is obtained by decryption, so as to obtain encrypted data;

the sending unit 1002 is further configured to send the encrypted data to the first node.

As a possible implementation manner, the apparatus further includes an obtaining unit, configured to:

before encrypting the second identity information according to a first encryption rule, acquiring a data acquisition request sent by the first node, wherein the data acquisition request comprises an access mark of the second node and a domain name of the second node;

And if the first node is determined to have the access right according to the access mark of the second node and the domain name of the second node, acquiring the second identity information.

As a possible implementation manner, the second identity information is obtained according to the first subkey and the second subkey, and the encryption unit 1001 is specifically configured to:

Acquiring the first subkey and the second subkey;

performing exclusive OR operation according to the abstract of the second subkey and the second identity information to obtain a first character string;

And encrypting the first character string through a first encryption algorithm to obtain the second encrypted identity information.

As a possible implementation manner, the encryption unit 1001 is specifically configured to:

Acquiring a current time stamp;

and encrypting the timestamp and the first character string through the first encryption algorithm to obtain the second encrypted identity information.

splicing the first character string and the time stamp to obtain a second character string;

generating a digest of the second character string by the message digest generation algorithm with the second subkey as a key;

Splicing the abstract of the second character string with the second character string to obtain a third character string;

and encoding the third character string to obtain second encrypted identity information.

As a possible implementation manner, the decryption unit 1004 is specifically configured to:

decrypting the dynamic key through a second decryption algorithm to obtain a fourth character string;

And decrypting the fourth character string by using the second identity information as a secret key through a symmetric encryption algorithm.

As a possible implementation manner, the second encryption identity information is obtained according to the first subkey and the second subkey, and the decryption unit 1004 is specifically configured to:

decoding the dynamic key to obtain a sixth character string;

If the sixth character string accords with the second preset length, splitting the sixth character string according to the character length to obtain a fifth character string and abstracts of the fifth character string;

Generating a pending digest of the fifth string by a message digest algorithm using the second subkey as a key;

and if the undetermined abstract of the fifth character string is the same as the abstract of the fifth character string, splitting the fifth character string according to the character length to obtain the fourth character string.

As a possible implementation manner, if the dynamic key is obtained according to the timestamp and the fourth string, the decryption unit 1004 is specifically configured to:

splitting the fifth character string according to the character string length to obtain the fourth character string and the timestamp;

the device further comprises a detection unit for:

And if the difference value between the timestamp and the current time does not exceed a second preset time value, executing the step of decrypting the fourth character string by using the second identity information as a secret key through a symmetric encryption algorithm.

The embodiment of the application also provides a computer device, which is the computer device introduced above, the computer device can be a server or a terminal device, the data processing device can be built in the server or the terminal device, and the computer device provided by the embodiment of the application is introduced from the aspect of hardware materialization.

Fig. 11 is a schematic structural diagram of a server, and fig. 12 is a schematic structural diagram of a terminal device.

Referring to fig. 11, which is a schematic diagram of a server structure according to an embodiment of the present application, the server 1400 may have a relatively large difference between configurations or performances, and may include one or more processors 1422, such as a central processing unit (Central Processing Units, CPU), a memory 1432, one or more application programs 1442, or a storage medium 1430 (such as one or more mass storage devices) for data 1444. Wherein the memory 1432 and storage medium 1430 can be transitory or persistent storage. The program stored in the storage medium 1430 may include one or more modules (not shown), each of which may include a series of instruction operations on a server. Still further, a processor 1422 may be provided in communication with a storage medium 1430 to execute a series of instructions operations on the storage medium 1430 on the server 1400.

The Server 1400 can also include one or more power supplies 1426, one or more wired or wireless network interfaces 1450, one or more input/output interfaces 1458, and/or one or more operating systems 1441, such as a Windows Server ^TM,Mac OS X^TM,Unix^TM,Linux^TM,FreeBSD^TM, or the like.

The steps performed by the server in the above embodiments may be based on the server structure shown in fig. 11.

Wherein, the CPU 1422 is configured to perform the following steps:

transmitting the dynamic key to the second node;

Or performing the following steps:

Decrypting the dynamic key according to a second decryption rule;

and sending the encrypted data to the first node.

Optionally, the CPU 1422 may also perform method steps of any specific implementation of the data processing method in the embodiment of the present application.

Referring to fig. 12, the structure of a terminal device according to an embodiment of the present application is shown. Fig. 12 is a block diagram showing a part of a structure of a smart phone related to a terminal device provided by an embodiment of the present application, where the smart phone includes: radio Frequency (RF) circuitry 1510, memory 1520, input unit 1530, display unit 1540, sensor 1550, audio circuitry 1560, wireless fidelity (WiFi) module 1570, processor 1580, power supply 1590, and the like. Those skilled in the art will appreciate that the smartphone structure shown in fig. 12 is not limiting of the smartphone and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.

The following describes the components of the smart phone in detail with reference to fig. 12:

The RF circuit 1510 may be used for receiving and transmitting signals during a message or a call, and particularly, after receiving downlink information of a base station, the signal is processed by the processor 1580; in addition, the data of the design uplink is sent to the base station.

The memory 1520 may be used to store software programs and modules, and the processor 1580 implements various functional applications and data processing of the smartphone by running the software programs and modules stored in the memory 1520.

The input unit 1530 may be used to receive input numerical or character information and generate key signal inputs related to user settings and function control of the smart phone. In particular, the input unit 1530 may include a touch panel 1531 and other input devices 1532. The touch panel 1531, also referred to as a touch screen, may collect touch operations on or near the user and drive the corresponding connection device according to a predetermined program. The input unit 1530 may include other input devices 1532 in addition to the touch panel 1531. In particular, other input devices 1532 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, mouse, joystick, etc.

The display unit 1540 may be used to display information input by a user or information provided to the user and various menus of the smart phone. The display unit 1540 may include a display panel 1541, and optionally, the display panel 1541 may be configured in the form of a Liquid Crystal Display (LCD) CRYSTAL DISPLAY, an Organic Light-Emitting Diode (OLED), or the like.

The smartphone may also include at least one sensor 1550, such as a light sensor, a motion sensor, and other sensors. Other sensors such as gyroscopes, barometers, hygrometers, thermometers, infrared sensors, etc. that may also be configured with the smart phone are not described in detail herein.

Audio circuitry 1560, speaker 1561, and microphone 1562 may provide an audio interface between a user and a smart phone. The audio circuit 1560 may transmit the received electrical signal converted from audio data to the speaker 1561, and be converted into a sound signal by the speaker 1561 for output; on the other hand, the microphone 1562 converts the collected sound signals into electrical signals, which are received by the audio circuit 1560 for conversion into audio data, which is processed by the audio data output processor 1580 for transmission to, for example, another smart phone via the RF circuit 1510 or for output to the memory 1520 for further processing.

Processor 1580 is a control center of the smartphone, connects various parts of the entire smartphone with various interfaces and lines, performs various functions of the smartphone and processes data by running or executing software programs and/or modules stored in memory 1520, and invoking data stored in memory 1520. In the alternative, processor 1580 may include one or more processing units.

The smart phone also includes a power source 1590 (e.g., a battery) for powering the various components, which may preferably be logically connected to the processor 1580 via a power management system, such as to provide for managing charging, discharging, and power consumption.

Although not shown, the smart phone may further include a camera, a bluetooth module, etc., which will not be described herein.

In an embodiment of the present application, the memory 1520 included in the smart phone may store program codes and transmit the program codes to the processor.

The processor 1580 included in the smart phone may execute the data processing method provided in the foregoing embodiment according to the instructions in the program code.

The embodiment of the application also provides a computer readable storage medium for storing a computer program for executing the data processing method provided in the above embodiment.

Embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the data processing methods provided in the various alternative implementations of the above aspects.

Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, where the above program may be stored in a computer readable storage medium, and when the program is executed, the program performs steps including the above method embodiments; and the aforementioned storage medium may be at least one of the following media: read-Only Memory (ROM), RAM, magnetic disk or optical disk, etc.

It should be noted that, in the present specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment is mainly described in a different point from other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, with reference to the description of the method embodiments in part. The apparatus and system embodiments described above are merely illustrative, in which elements illustrated as separate elements may or may not be physically separate, and elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.

The foregoing is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the technical scope of the present application should be included in the scope of the present application. Further combinations of the present application may be made to provide further implementations based on the implementations provided in the above aspects. Therefore, the protection scope of the present application should be subject to the protection scope of the claims.

Claims

1. A method of data processing, the method comprising:

transmitting the dynamic key to the second node;

2. The method according to claim 1, wherein the method further comprises:

3. The method of claim 1, wherein encrypting the first identity information and the random data according to the second encryption rule results in a dynamic key, comprising:

4. A method according to claim 3, wherein said encrypting the fourth string and the random number by a second encryption algorithm to obtain the dynamic key comprises:

Acquiring a current time stamp;

5. The method of claim 4, wherein the second identity information is obtained from a first subkey and a second subkey, wherein encrypting the timestamp, the fourth string, and the random number by the second encryption algorithm to obtain the dynamic key comprises:

and encoding the sixth character string to obtain the dynamic key.

6. The method of claim 1, wherein the second node comprises point location data for a plurality of devices, the method further comprising:

7. The method of claim 6, wherein the method further comprises:

acquiring the target point location from the first storage area;

8. The method according to claim 1, wherein the method further comprises:

9. A method of data processing, the method comprising:

Decrypting the dynamic key according to a second decryption rule;

and sending the encrypted data to the first node.

10. The method of claim 9, wherein prior to encrypting the second identity information according to the first encryption rule, the method further comprises:

Acquiring a data acquisition request sent by the first node, wherein the data acquisition request comprises an access mark of the second node and a domain name of the second node;

11. The method of claim 9, wherein the second identity information is obtained according to a first subkey and a second subkey, wherein encrypting the second identity information according to a first encryption rule to obtain second encrypted identity information comprises:

Acquiring the first subkey and the second subkey;

12. The method of claim 11, wherein encrypting the first string by a first encryption algorithm to obtain the second encrypted identity information comprises:

Acquiring a current time stamp;

13. The method of claim 12, wherein encrypting the timestamp and the first string by the first encryption algorithm to obtain the second encrypted identity information comprises:

14. The method of claim 9, wherein decrypting the dynamic key according to the second decryption rule comprises:

15. A data processing apparatus, the apparatus comprising:

A sending unit, configured to send the dynamic key to the second node;

16. A data processing apparatus, the apparatus comprising:

17. A data processing system, the system comprising at least a first node and a plurality of second nodes;

the first node being adapted to perform the method of any of claims 1-8;

The second node being adapted to perform the method of any of claims 9-14.

18. A computer device, the computer device comprising a processor and a memory:

The processor is configured to perform the method of any of claims 1-8 or the method of any of claims 9-14 according to instructions in the computer program.

19. A computer readable storage medium for storing a computer program for performing the method of any one of claims 1-8 or for performing the method of any one of claims 9-14.

20. A computer program product comprising a computer program, characterized in that it when run on a computer device causes the computer device to perform the method of any one of claims 1-8 or to perform the method of any one of claims 9-14.