CN118233098A

CN118233098A - Json field data encryption method and device based on cryptographic algorithm and storage medium

Info

Publication number: CN118233098A
Application number: CN202410401903.4A
Authority: CN
Inventors: 许建辉
Original assignee: Sequoiadb Corp
Current assignee: Sequoiadb Corp
Priority date: 2024-04-03
Filing date: 2024-04-03
Publication date: 2024-06-21

Abstract

The invention discloses a json field data encryption method and device based on a national encryption algorithm and a storage medium, wherein the method comprises the following steps: when a data encryption instruction and data to be encrypted are received, selecting an unencrypted target encryption set in the data to be encrypted, and determining an encryption data key of a national encryption symmetric algorithm corresponding to the target encryption set; encrypting the data body of the target encryption set according to the encryption data key, and encrypting the encryption data key through a prestored master key of a national encryption asymmetric algorithm; and determining a corresponding master key of the encrypted target encryption set, and storing the data encryption key corresponding to the target encryption set and the master key in a database in an associated manner. The invention encrypts the body of the data by the combination of symmetric and asymmetric encryption of national encryption algorithm standard, and optimizes the encryption process by utilizing the inherent structure of the data at the same time, thereby realizing the balance between the performance of the database and the data security.

Description

Json field data encryption method and device based on cryptographic algorithm and storage medium

Technical Field

The invention relates to the field of data encryption, in particular to a json field data encryption method and device based on a national encryption algorithm and a storage medium.

Background

In the related manner of encrypting the data fields, a symmetric algorithm or an asymmetric algorithm is generally adopted to encrypt the whole data field and store the whole data field in a database, or only sensitive fields in the data field are encrypted, and other fields keep plaintext storage and the like.

However, when there are a large number of sensitive fields in the data to be encrypted, operations such as field inquiry and updating are time-consuming, and the performance of the database is affected. And meanwhile, the situation that the encrypted data is stolen or decrypted by an attacker due to improper key management can occur. Therefore, the current encryption processing mode for the data field has the problem of poor balance between database performance and data security.

The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.

Disclosure of Invention

The invention mainly aims to provide a json field data encryption method, a json field data encryption device and a storage medium based on a national encryption algorithm, which solve the problem of poor balance between database performance and data security in the prior art.

In order to achieve the above purpose, the present invention provides a json field data encryption method based on a cryptographic algorithm, the method comprising the following steps:

When a data encryption instruction and data to be encrypted are received, selecting an unencrypted target encryption set in the data to be encrypted, and determining an encryption data key of a national encryption symmetric algorithm corresponding to the target encryption set, wherein the data to be encrypted comprises an array formed by a plurality of target encryption sets;

Encrypting the data body of the target encryption set according to the encryption data key, and encrypting the encryption data key through a prestored master key of a national encryption asymmetric algorithm;

and determining the corresponding master key of the target encryption set after encryption, and storing the data encryption key corresponding to the target encryption set and the master key in a database in a correlated manner.

Optionally, when the data encryption instruction and the data to be encrypted are received, selecting an unencrypted target encryption set in the data to be encrypted, and determining an encrypted data key of the national encryption symmetric algorithm corresponding to the target encryption set, and before the step of determining the encrypted data key of the national encryption symmetric algorithm, the method further includes:

Transmitting registration request information to an catalogue node, wherein when the catalogue node reads an initial encryption data key in a local key file, the initial encryption data key is stored in a binary data format, and response information corresponding to the registration request information is obtained;

and receiving the response information fed back by the cataloging node, and storing the initial encryption data key into a communication module when the initial encryption data key is obtained through analysis.

Optionally, the step of determining the encrypted data key of the national encryption symmetric algorithm corresponding to the target encrypted set includes:

sending a key acquisition request to the cataloging node, and receiving a target encrypted data key fed back by the cataloging node based on the key acquisition request;

And when the target encryption key is the same as the initial encryption key, taking the target encryption key as the encrypted data key.

Optionally, the step of encrypting the data body of the target encrypted set according to the encrypted data key includes:

Determining the encryption byte length corresponding to the encryption data key, and dividing the data body into a plurality of plaintext data blocks according to the encryption byte length;

And performing exclusive-or operation on the plurality of plaintext data blocks according to the encrypted data key based on a counter mode to obtain ciphertext data blocks.

Optionally, when the data encryption instruction and the data to be encrypted are received, the step of selecting an unencrypted target encryption set in the data to be encrypted includes:

when the data encryption instruction and the data to be encrypted are received, determining page data of the data to be encrypted;

Dividing the data to be encrypted into a plurality of processing data according to the page data, and taking the processing data as the target encryption set.

Optionally, after the step of determining the master key corresponding to the encrypted target encryption set and storing the data encryption key corresponding to the target encryption set in the database in association with the master key, the method further includes:

when receiving an updating instruction corresponding to the target encryption set, determining metadata to be updated, initial offset of the metadata to be updated and data block length of the metadata to be updated, which are associated with the updating instruction;

determining a target offset based on the initial offset and the data block length, and obtaining a buffer length based on a difference between the initial offset and the target offset;

And determining the ciphertext length according to the difference value between the pointer length of the metadata to be updated and the buffer length, and overwriting the updated data based on the ciphertext length.

when a reading instruction corresponding to the target encryption set is received, determining metadata to be read associated with the reading instruction and a second offset of the metadata to be read;

And reading the information of the metadata to be read based on the second offset.

when receiving a backup instruction of the target encryption set, determining a backup category corresponding to the backup instruction;

when the backup category is full backup, the ciphertext record corresponding to the target encryption set is backed up to a preset backup library;

and when the backup type is incremental backup, storing plaintext information corresponding to the incremental backup into the preset backup library in an incremental mode.

In addition, in order to achieve the above object, the present invention also provides a data encryption device, which includes a memory, a processor, and a data encryption program stored on the memory and executable on the processor, the data encryption program implementing the steps of the json field data encryption method based on the cryptographic algorithm as described above when executed by the processor.

In addition, in order to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a data encryption program which, when executed by a processor, implements the steps of the json field data encryption method based on the cryptographic algorithm as described above.

The embodiment of the invention provides a json field data encryption method, a json field data encryption device and a storage medium based on a cryptographic algorithm, wherein when a data encryption instruction and data to be encrypted are received, an unencrypted target encryption set is selected in the data to be encrypted, and an encrypted data key of the cryptographic algorithm corresponding to the target encryption set is determined, wherein the data to be encrypted comprises an array formed by a plurality of target encryption sets; encrypting the data body of the target encryption set according to the encryption data key, and encrypting the encryption data key through a prestored master key of a national encryption asymmetric algorithm; and determining the corresponding master key of the target encryption set after encryption, and storing the data encryption key corresponding to the target encryption set and the master key in a database in a correlated manner. It can be seen that the body of the data is encrypted by the combination of symmetric and asymmetric encryption of the national encryption algorithm standard, and the inherent structure of the data is utilized to optimize the encryption process, so that the balance between the performance of the database and the data security is realized.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention. In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.

FIG. 1 is a flow chart of a first embodiment of a json field data encryption method based on a cryptographic algorithm of the present invention;

fig. 2 is a schematic diagram of an encryption process of a json field data encryption method based on a cryptographic algorithm in the invention;

fig. 3 is a schematic flow chart before step S10 of fig. 1 of the json field data encryption method based on the cryptographic algorithm of the present invention;

FIG. 4 is a schematic diagram of encryption by a calculator mode of the json field data encryption method based on the cryptographic algorithm of the present invention;

FIG. 5 is a double encryption schematic diagram of the json field data encryption method based on the national encryption algorithm;

FIG. 6 is a flowchart of a json field data encryption method based on a cryptographic algorithm according to a second embodiment of the present invention;

FIG. 7 is a schematic diagram of updating encrypted data of the json field data encryption method based on the cryptographic algorithm of the present invention;

FIG. 8 is a schematic diagram of reading encrypted data of the json field data encryption method based on the national encryption algorithm;

Fig. 9 is a schematic diagram of a terminal hardware structure of various embodiments of the json field data encryption method based on the cryptographic algorithm of the present invention.

The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.

Detailed Description

It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.

When a large number of sensitive fields exist in the data to be encrypted, operations such as field inquiry and updating are time-consuming, and the performance of the database is affected. And meanwhile, the situation that the encrypted data is stolen or decrypted by an attacker due to improper key management can occur. Therefore, the current encryption processing mode for the data field has the problem of poor balance between database performance and data security.

In order to solve the above-mentioned defect, the embodiment of the invention provides a json field data encryption method based on a cryptographic algorithm, and the main solution comprises the following steps:

The invention encrypts the body of the data by the combination of symmetric and asymmetric encryption of national encryption algorithm standard, and optimizes the encryption process by utilizing the inherent structure of the data at the same time, thereby realizing the balance between the performance of the database and the data security.

In order to better understand the above technical solution, exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.

First embodiment

Referring to fig. 1, in a first embodiment, the json field data encryption method based on the cryptographic algorithm of the present invention includes the steps of:

Step S10, when a data encryption instruction and data to be encrypted are received, selecting an unencrypted target encryption set in the data to be encrypted, and determining an encryption data key of a national encryption symmetric algorithm corresponding to the target encryption set, wherein the data to be encrypted comprises an array formed by a plurality of target encryption sets;

In this embodiment, the data to be encrypted is LOB data (Large unstructured data) stored in json (JavaScript Object Notation, data exchange format) field format, and the data needs to be processed in the process of writing the LOB data into the database. Therefore, when a data node of the data encryption system receives a processing message, it will analyze the processing message, and if the content of the processing code analyzed to the message is written LOB, it can be considered that the data encryption instruction is currently received. At this time, the content of the processing message needs to be split into an array composed of a plurality of encryption sets, and then the unencrypted target encryption set of the array is traversed in turn, and encryption processing is performed on the unencrypted target encryption set. Specifically, the step of selecting an unencrypted target encryption set from the data to be encrypted includes: when the data encryption instruction and the data to be encrypted are received, determining page data of the data to be encrypted, dividing the data to be encrypted into a plurality of processing data according to the page data, and taking the processing data as the target encryption set.

For example, referring to fig. 2, when the processing message MSG is received, if the content of the corresponding identifier code is the write LOB, the data encryption instruction is considered to be received at this time, and the content corresponding to the current processing message is randomly the data to be encrypted. The message body is required to be split, namely, the page data size PageSize of the data to be encrypted is determined first, then the data is divided into a plurality of tuple data by taking the page data size as a unit, and a total tuple array which needs to be traversed in sequence is obtained, wherein each subelement in the array is an encryption set. Further, when encryption processing is performed, it is necessary to sequentially traverse the target encryption set which is not currently written, i.e., is not subjected to encryption processing, from the tuple array, and then perform encryption processing on the target encryption set.

With continued reference to fig. 2, after the target encryption set is obtained, it needs to be determined whether the set is Encrypted, where whether the parameter Encrypted in the target encryption set characterizing encryption is Ture or not can be determined, and when the parameter Encrypted is Ture, it is indicated that the target encryption set can be Encrypted. At this time, an encrypted data key DEK (Data Encryption Key) for encryption, which is the secret symmetric algorithm SM4, can be acquired, wherein the key length of the DEK is 16 bytes.

Optionally, the encrypted data key DEK is randomly generated in a master catalogue node of the data encryption system, and the data node of the data encryption system can acquire the data encryption key in two scenarios, and when the node registration is performed, a DEK request needs to be sent to the catalogue node, so that the DEK is acquired; when writing a piece of data, namely creating an intensive set, if the data node does not have DEK, a corresponding acquisition request needs to be sent, and if the data node has DEK, a request for acquiring the DEK does not need to be sent to the cataloging node. Therefore, referring to fig. 3, before step S10, the method further includes:

Step S40, registration request information is sent to catalogue nodes, wherein when the catalogue nodes read initial encryption data keys in a local key file, the initial encryption data keys are stored in a binary data format, and response information corresponding to the registration request information is obtained;

And S50, receiving the response information fed back by the cataloging node, and storing the initial encryption data key into a communication module when the initial encryption data key is obtained through analysis.

Specifically, when the data node registers, after receiving the registration request message, the catalogue node will attempt to read the local key file, and if so, uses BSONObj format to store the read key data in the response message sent back to the data node. And the data node receives the response message, tries to parse the key BSONObj therein, and if the DEK plaintext is parsed and the plaintext passes the verification, stores the plaintext in dmsCB.

After the initial encryption key is obtained, please continue to refer to fig. 3, step S10 includes:

Step S11, a key acquisition request is sent to the cataloging node, and a target encrypted data key fed back by the cataloging node based on the key acquisition request is received; and step S12, when the target encryption key is the same as the initial encryption key, taking the target encryption key as the encrypted data key.

In the encryption processing stage, the encryption security is improved by acquiring the encryption key and checking whether the key acquired in the data node registration stage is accurate or not based on the key.

Step S20, encrypting the data body of the target encryption set according to the encryption data key, and encrypting the encryption data key through a prestored master key of a national encryption asymmetric algorithm;

In this embodiment, the cryptographic asymmetric algorithm is SM2, its corresponding master key is MK (Master Key), and MK is a key used for cryptographically protecting the data encryption key DEK. Modes of encrypting data according to a key include an ECB (Electronic Code Book Mode, electronic codebook) mode, a CBC (Cipher Block Chaining Cipher block chaining) mode, a CFB (circuit Feedback) mode, an OFB (Output Feedback) mode, and a CTR (counter mode) mode. The present embodiment may select CTR mode to encrypt LOB data.

For example, referring to fig. 4, when performing LOB data encryption in CTR mode, the data body needs to be divided into a plurality of plaintext data blocks according to a fixed encryption byte length, the divided plurality of data blocks may be plaintext packets 1-4 shown in fig. 4, then the counter is incremented according to the encryption data key based on counter mode, encryption is performed to generate a key stream, and then the key stream and the corresponding plurality of plaintext data blocks are subjected to exclusive-or operation to obtain a ciphertext data block. The specific process may include generating a random initial counter, i.e., an initial value, and performing an exclusive-or operation on the data of the plaintext block 1 after the encryption processing, to obtain the content of the ciphertext block 1. And then adding 1 to the value of the counter, encrypting the value added with 1, and performing exclusive OR operation with the data of the plaintext group 2 to obtain the content of the ciphertext group 2. And the like, until all plaintext blocks are encrypted, taking the content corresponding to the ciphertext blocks as encrypted password data blocks.

It should be noted that, the initial value of the counter is a random number, and the counter is incremented by 1 after each plaintext block is encrypted. This approach allows each ciphertext block to rely on only the counter and key, rather than the preceding plaintext block or ciphertext block, thereby improving the security of data encryption. After a plurality of plaintext data blocks are divided, the plaintext data blocks can be simultaneously processed in a parallel encryption mode, so that no dependency relationship exists between each plaintext data block, and encryption can be simultaneously performed. And the data blocks are independent of other data blocks in encryption and decryption, so that the data can be decrypted in parallel in data decryption, and the performance of the database is further improved. After encrypting the current target encryption set, other encrypted target encryption sets are selected from the tuple array shown in fig. 2 to perform the same encryption processing operation until all data in the tuple array is encrypted.

After the encryption of the data body by the encrypted data key DEK, the DEK needs to be encrypted by the master key MK of the symmetric algorithm SM4 at this time.

Step S30, determining the corresponding master key of the target encryption set after encryption, and storing the data encryption key corresponding to the target encryption set and the master key in a database in an associated mode.

In this embodiment, after the data encryption key DEK is encrypted by the master key MK, the data encryption system may store the two keys in association in the key storage file, where the data encryption key DEK may be stored in the dmsCB module. When the master key is one, the unique master key may be directly determined and stored in association with the corresponding encrypted data key. Alternatively, when the number of master keys is plural, it is necessary to determine the master key to be used for key encryption and then store the key.

In a specific processing scenario, referring to fig. 5, during the actual encryption or decryption process, the data encryption key DEK of the symmetric encryption algorithm SM4 is required to encrypt the body of the current data to be encrypted, and meanwhile, the master key MK of the asymmetric encryption algorithm SM2 is utilized to encrypt and protect or decrypt the data encryption key DEK, that is, when the data is encrypted, after the data body is encrypted by using the DEK, the data body is required to be further encrypted by using MK, and when the data is decrypted, the encrypted DEK is required to be decrypted by using MK to obtain the original DEK, and then the data is decrypted by using the original DEK. Thus, when a round-robin or key update is required, only MK may be updated and DEK may remain unchanged, while when MK is changed, only DEK may be decrypted with MK before the change, and then the plaintext of DEK may be re-encrypted using the new MK. Therefore, the stored data does not need to be decrypted and re-encrypted, so that the data processing amount when the encrypted data is processed after the data is encrypted is reduced, and the performance of the database is improved.

Optionally, verification processing can be performed on the file in which the encrypted and stored DEK is located through a cryptographic algorithm SM3, so that whether the file is tampered or not is judged, and the security of the encrypted and stored DEK is improved. That is, after the DEK is encrypted by the MK public key, the DEK may be stored in a file form along with the MK tag and the digest in a security directory, i.e., a secure directory, of dbpath (one path) where the catalogue node is located. That is, the DEK may be stored in a file form in a $ dbpath/security/DEK directory of the destination node, and only an instance window user (e.g., sdbadmin) has a read-write authority under the directory, so as to further ensure data security. After storing the DEK in the security directory, the directory includes two files: the $ dbpath/security/DEK/DEK and $ dbpath/security/DEK/design, DEK files store the currently used DEK (ciphertext encrypted with MK public key using the national encryption SM2 algorithm), the file contents of which consist of three parts: 1. a tag for encrypting the master key MK of this DEK; 2. DEK encrypted by MK public key (encrypted by SM 2), and stored by base64 code; 3. digest, SM3 (strcat (mk_tag), the base64 encoded stored DEK content is calculated using the national cryptographic digest algorithm SM3 for verification DEK that the file itself has not been tampered with. Whereas the sign is used to ensure the correctness of the DEK, its file content consists of two parts, 1.DEK validation string. Is encrypted by the predefined string via DEK (using the national cipher SM4 algorithm). 2. Digest, SM3 (strcat (DEK verification string, plan_dek)), the base64 code stored DEK verification string is calculated using the cryptographic digest algorithm SM3 to verify that the dek.sign file itself has not been tampered with.

Optionally, after the encryption of the LOB data is completed, that is, after the master key and the data encryption key are stored in an associated manner, when the encryption record in the encryption process is required to be encrypted, the record body data of the encryption record can be encrypted through the data encryption key DEK, and after the encryption, the master key MK is used for encrypting the DEK of the encrypted record body data, so that the security of the data is further ensured. In the encryption processing of the encrypted record, the record head of the record does not need to be encrypted, but one bit 0x40 of Flag is used for marking whether the record is encrypted. If the encryption record needs to be compressed in the encryption process, the record can be compressed first and then encrypted in the encryption writing process of the record, and similarly, the data needs to be decrypted and then decompressed when being read. It should be noted that, because the original record is different from the compressed and encrypted record in the offset and length definition of the data body, the compressed data and the uncompressed data need to be processed respectively when encrypting and decrypting, when the record is modified and checked, if the dmsCB module has no DEK, the record is wrongly logged out, and the attempt of obtaining the DEK from the cataloging node is not performed any more.

In the technical scheme disclosed in this embodiment, when the data node encrypts LOB data, it can acquire the encrypted data key DEK of the corresponding cryptographic algorithm SM4 from the cataloging node, and verify the key acquired when the data node registers, after the verification, based on the counter mode, encrypt the body of LOB data according to the DEK, then encrypt the encrypted data key DEK by the master key MK of the cryptographic algorithm SM2, and after storing both, further verify the stored DEK by the cryptographic algorithm SM 3. Based on the method, the data body is encrypted through the counter mode and the DEK, and encryption processing is further carried out on the DEK through a cryptographic algorithm, so that repeated decryption and encryption of data are not needed when data key change is carried out, the database performance is improved, meanwhile, the data safety is improved through a double encryption processing mode, and the stability of balance between the database performance and the data safety is further improved.

Referring to fig. 6, in the second embodiment, after step S30, based on the first embodiment, the method further includes:

step S60, when an update instruction corresponding to the target encryption set is received, determining metadata to be updated, initial offset of the metadata to be updated and data block length of the metadata to be updated, which are associated with the update instruction;

Step S70, determining a target offset based on the initial offset and the data block length, and obtaining a buffer length based on the difference between the initial offset and the target offset;

And step S80, determining a ciphertext length according to the difference value between the pointer length of the metadata to be updated and the buffer length, and overwriting the updated data based on the ciphertext length.

In this embodiment, after the encryption processing is performed on the target encryption set, when the update is required to be performed after the encryption has been performed, the update processing may be performed by the overlay update. The data to be updated is in one data block or the data to be updated is in a plurality of data blocks in one data segment, and the corresponding updating modes are the same in both cases, namely, the data is written from the data needing to be offset. In encryption, the data block is divided into 16 bytes, and thus the data block length corresponding to the metadata to be updated is 16 bytes. The initial offset refers to the degree of offset before the data before the update and the data after the update.

For example, referring to fig. 7, in the updating process, the length of each data block (block 0-block 4) is 16 bytes, the value of offset2 of the data block length (16 bytes) of which the offset is aligned downward by several times can be calculated, and then the length of the extra buffer (buffer) is extraLen (extraLen =offset-offset 2) according to the difference between the offset and the offset2, and then when the newly written data is encrypted, the value of the pointer of the extra length is subtracted by the pointer of the data to be updated as the input (i.e. data-extraLen) of the encryption algorithm, and the obtained ciphertext length is dataLen + extraLen. At this time, since the first extraLen units of data of the ciphertext does not need to be updated, that is, is meaningless, the length of dataLen needs to be written from the offset extraLen into the metadata to be updated, so that the original ciphertext is covered. Based on the method, the existing data does not need to be read and decrypted during updating, and the service performance of the data after storage is improved.

Optionally, after storing the target encryption set in association with the master key in the database, when information of a certain piece of encrypted data needs to be checked, the target encryption set can be read through an offset of the data needing to be read. Namely, when a reading instruction corresponding to the target encryption set is received, determining metadata to be read associated with the reading instruction and a second offset of the metadata to be read; and reading the information of the metadata to be read based on the second offset.

For example, referring to fig. 8, data to be queried in the data block (blcok-block 4) may be selected, so as to obtain an offset value offset corresponding to the data block, and then after the corresponding data ciphertext buffer is obtained according to the offset value, the data is decrypted, so as to obtain content of plaintext information plaintext buffer that can be read and browsed.

Optionally, after storing the target encryption set and the master key in association with the database, when backup processing needs to be performed on the data, that is, when a backup instruction of the target encryption set is received, determining a backup category corresponding to the backup instruction, and executing corresponding processing based on the backup category. For example, when the backup type is full backup, the ciphertext record corresponding to the target encryption set is backed up to a preset backup library, and when the backup type is incremental backup, the plaintext information corresponding to the incremental backup is stored in the preset backup library in an incremental mode. Note that, the full-size backup is a copy of the data file, and the ciphertext record is backed up into the file. Incremental backups are storage of plain text logs, providing the DEK at recovery ensures correct playback of the log. Considering the scenario where a direct-connect data node performs backup () (a function that creates a data backup), if there is a DEK on that node, the public key path of the master key must be specified before the backup can be successful. For cataloging nodes, the initialized public key can be used for backup without providing the public key. For data nodes, a public key must be provided, which may be the same as the public key of the cataloging node, or may be generated using sdbmkgen tools (tools for managing the sdb file). When the cataloging node backs up, the content of the key file is written into the bak file; upon recovery, the cataloging node obtains the key content from the bak, creating the key. And storing the encrypted DEK, the DEK verification public key and the MK public key in the backup file during backup.

In the technical scheme disclosed in the embodiment, after the data is encrypted and stored, the data encryption system can respond to the update operation, the reading operation, the backup operation and the like corresponding to the encrypted data, in the update process, the original content can be not required to be read and decrypted, the performance of the database is improved, the corresponding fragments can be quickly read in the process of reading, the reading efficiency is improved, the corresponding backup request can be responded in the process of backing up, and the data leakage is avoided. Based on the method, the performance of the data in the encrypted data calling process database is improved, and meanwhile, the safety of the data is also improved.

Referring to fig. 9, fig. 9 is a schematic diagram of a terminal structure of a hardware running environment according to an embodiment of the present invention.

As shown in fig. 9, the terminal may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a network interface 1003, a memory 1004. Wherein the communication bus 1002 is used to enable connected communication between these components. The network interface 1003 may optionally include a standard wired interface, a wireless interface (e.g., a wireless FIdelity (WI-FI) interface). The Memory 1004 may be a high-speed RAM Memory (Random Access Memory, RAM) or a stable Non-Volatile Memory (NVM), such as a disk Memory. The memory 1004 may also optionally be a storage device separate from the processor 1001 described above.

It will be appreciated by those skilled in the art that the terminal structure shown in fig. 9 is not limiting of the terminal and may include more or fewer components than shown, or may combine certain components, or a different arrangement of components.

As shown in fig. 9, an operating system, a data storage module, a network communication module, and a data encryption program may be included in the memory 1004, which is one type of computer storage medium.

In the terminal shown in fig. 9, the network interface 1003 is mainly used for connecting to a background server, and performing data communication with the background server; the processor 1001 may call a data encryption program stored in the memory 1004 and perform the following operations:

Further, the processor 1001 may call a data encryption program stored in the memory 1004, and further perform the following operations:

Furthermore, it will be appreciated by those of ordinary skill in the art that implementing all or part of the processes in the methods of the above embodiments may be accomplished by computer programs to instruct related hardware. The computer program comprises program instructions, and the computer program may be stored in a storage medium, which is a computer readable storage medium. The program instructions are executed by at least one processor in the control terminal to carry out the flow steps of the embodiments of the method described above.

Accordingly, the present invention also provides a computer-readable storage medium storing a data encryption program which, when executed by a processor, implements the respective steps of the data encryption method described in the above embodiments.

It should be noted that, because the storage medium provided in the embodiments of the present application is a storage medium used for implementing the method in the embodiments of the present application, based on the method described in the embodiments of the present application, a person skilled in the art can understand the specific structure and the modification of the storage medium, and therefore, the description thereof is omitted herein. All storage media adopted by the method of the embodiment of the application belong to the scope of protection of the application.

It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flowchart and/or block of the flowchart illustrations and/or block diagrams, and combinations of flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

It should be noted that in the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.

While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.

It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims

1. The json field data encryption method based on the national encryption algorithm is characterized by comprising the following steps of:

2. The json field data encryption method based on the cryptographic algorithm as set forth in claim 1, wherein when the data encryption instruction and the data to be encrypted are received, selecting an unencrypted target encryption set from the data to be encrypted, and determining an encrypted data key of the cryptographic algorithm corresponding to the target encryption set, further includes:

3. The json field data encryption method based on the cryptographic algorithm of claim 2, wherein the step of determining the cryptographic data key of the cryptographic algorithm corresponding to the target cryptographic set comprises:

4. The method for encrypting json field data based on the cryptographic algorithm as recited in claim 1, wherein the step of encrypting the data body of the target encrypted set based on the encrypted data key comprises:

5. The method for encrypting json field data based on cryptographic algorithm as recited in claim 1, wherein the step of selecting an unencrypted target encryption set in the data to be encrypted when the data encryption instruction and the data to be encrypted are received comprises:

6. The method for encrypting json field data based on the cryptographic algorithm of claim 1, wherein after the steps of determining the corresponding master key of the encrypted target encryption set and storing the data encryption key corresponding to the target encryption set in association with the master key in a database, further comprises:

7. The method for encrypting json field data based on the cryptographic algorithm of claim 1, wherein after the steps of determining the corresponding master key of the encrypted target encryption set and storing the data encryption key corresponding to the target encryption set in association with the master key in a database, further comprises:

8. The method for encrypting json field data based on the cryptographic algorithm of claim 1, wherein after the steps of determining the corresponding master key of the encrypted target encryption set and storing the data encryption key corresponding to the target encryption set in association with the master key in a database, further comprises:

9. A data encryption device, characterized in that the data encryption device comprises: a memory, a processor and a data encryption program stored on the memory and executable on the processor, the data encryption program when executed by the processor implementing the steps of the json field data encryption method based on a cryptographic algorithm as claimed in any one of claims 1 to 8.

10. A computer-readable storage medium, wherein a data encryption program is stored on the computer-readable storage medium, and the data encryption program, when executed by a processor, implements the steps of the json field data encryption method based on the cryptographic algorithm of any one of claims 1 to 8.