CN118331787A - Data backup method and system, electronic equipment and storage medium - Google Patents


Publication number
CN118331787A
Authority
CN
China
Prior art keywords
data
backup
key
security
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410215857.9A
Other languages
Chinese (zh)
Inventor
秦小溪
谢文龙
潘廷勇
亓娜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Visionvera Information Technology Co Ltd
Original Assignee
Visionvera Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Visionvera Information Technology Co Ltd
Priority to CN202410215857.9A
Publication of CN118331787A

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a data backup method and system, applied to a data side system. A data backup request of the backup side device is acquired, the data backup request comprising the data security level of target data of the data side system. A data security policy is then configured according to the data security level, the data security policy comprising at least one data backup security measure. Meanwhile, a data key request of the backup side device is acquired, and a security key is generated according to the data key request. The target data is then backed up to the backup side device according to the data backup security measure and the security key. The embodiment of the invention improves the security and reliability of data backup, meets the user's requirement for remote backup of key data, and further ensures the security and stability of the system.

Description

Data backup method and system, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a data backup method, a data backup system, an electronic device, and a computer readable storage medium.
Background
In the network environment of some users, the network is weak and prone to packet loss, which may be caused by network equipment failure, network congestion or signal interference. These problems seriously affect the stability of the network and the reliability of data transmission. The network environment of these users is a confidential environment, which means that there may be a large number of confidential system management tasks and service data transmissions in the network, which are critical to the security and operation of the overall system.
In order to ensure the security and stability of the system, remote backup of key data is required during project implementation and rollout. These key data often include system configuration information, log data, user rights and the like, which are the core content of the system management service. Once these data are lost or corrupted, the proper operation of the system will be severely affected.
Therefore, a corresponding data disaster recovery capability is necessary. By establishing an off-site backup center and regularly backing up key data to it, the security and stability of the system can be effectively ensured. When a natural disaster, a man-made attack or the like occurs, the data can then be recovered in time and the normal operation of the system is ensured.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention have been made to provide a data backup method, a data backup system, and an electronic apparatus and a computer-readable storage medium that overcome or at least partially solve the foregoing problems.
In order to solve the above problems, an embodiment of the present invention discloses a data backup method, which is applied to a data side system, and the method includes: acquiring a data backup request of a backup side device, wherein the data backup request comprises the data security level of target data of the data side system; configuring a data security policy according to the data security level, wherein the data security policy comprises at least one data backup security measure; acquiring a data key request of the backup side device; generating a security key according to the data key request; and backing up the target data to the backup side device according to the data backup security measure and the security key.
Optionally, the generating a security key according to the data key request includes: applying to a key generation center for the security key according to the data key request.
Optionally, before the target data is backed up to the backup side device according to the data backup security measure and the security key, the method further includes: performing identity authentication on the backup side device and on the operation user of the backup side device respectively, according to the data backup security measure; and after the identity authentication is passed, executing the operation of backing up the target data to the backup side device according to the data backup security measure and the security key.
Optionally, the backing up the target data to the backup side device according to the data backup security measure and the security key includes: encrypting the security key with an encryption public key, negotiated with the backup side device, of a digital signature algorithm based on an elliptic curve cryptosystem; and transmitting the encrypted security key to the backup side device through the constructed isolation tunnel.
Optionally, the backing up the target data to the backup side device according to the data backup security measure and the security key includes: encrypting the target data with a symmetric encryption key in the security key; adding a message authentication code key in the security key to the encrypted target data to obtain ciphertext data; and transmitting the ciphertext data to the backup side device through the isolation tunnel.
Optionally, the backup side device is configured to decrypt the encrypted security key by using a negotiated digital signature algorithm encryption private key based on elliptic curve cryptosystem to obtain the security key, decrypt the encrypted target data by using the symmetric encryption key in the security key, and verify whether a message authentication code key in the ciphertext data is the same as a message authentication code key in the security key; and if the message authentication code key in the ciphertext data is the same as the message authentication code key in the security key, encrypting the target data by using an encryption key locally generated by the backup side device, and storing the target data in a designated position of the backup side device.
Optionally, the data backup security measure includes: data storage measures, data transmission measures, data encapsulation measures, secret key issuing measures, tunnel construction measures and identity authentication measures.
The embodiment of the invention also discloses a data backup system, which comprises: a backup request acquisition module, used for acquiring a data backup request of a backup side device, wherein the data backup request comprises the data security level of target data of the data side system; a security policy configuration module, used for configuring a data security policy according to the data security level, wherein the data security policy comprises at least one data backup security measure; a key request acquisition module, used for acquiring the data key request of the backup side device; a security key generation module, used for generating a security key according to the data key request; and a target data backup module, used for backing up the target data to the backup side device according to the data backup security measure and the security key.
Optionally, the security key generation module is configured to apply to a key generation center for the security key according to the data key request.
Optionally, the system further comprises: an identity authentication module, used for performing identity authentication on the backup side device and on the operation user of the backup side device respectively, according to the data backup security measure, before the target data backup module backs up the target data to the backup side device according to the data backup security measure and the security key.
Optionally, the target data backup module includes: a security key encryption module, used for encrypting the security key with an encryption public key, negotiated with the backup side device, of a digital signature algorithm based on an elliptic curve cryptosystem; and a security key transmission module, used for transmitting the encrypted security key to the backup side device through the constructed isolation tunnel.
Optionally, the target data backup module includes: a target data encryption module, used for encrypting the target data with a symmetric encryption key in the security key; a message authentication code key adding module, used for adding the message authentication code key in the security key to the encrypted target data to obtain ciphertext data; and a ciphertext data transmission module, used for transmitting the ciphertext data to the backup side device through the isolation tunnel.
Optionally, the backup side device is configured to decrypt the encrypted security key by using a negotiated digital signature algorithm encryption private key based on elliptic curve cryptosystem to obtain the security key, decrypt the encrypted target data by using the symmetric encryption key in the security key, and verify whether a message authentication code key in the ciphertext data is the same as a message authentication code key in the security key; and if the message authentication code key in the ciphertext data is the same as the message authentication code key in the security key, encrypting the target data by using an encryption key locally generated by the backup side device, and storing the target data in a designated position of the backup side device.
Optionally, the data backup security measure includes: data storage measures, data transmission measures, data encapsulation measures, secret key issuing measures, tunnel construction measures and identity authentication measures.
The embodiment of the invention also discloses an electronic device, which comprises: one or more processors; and one or more machine readable media having instructions stored thereon that, when executed by the one or more processors, cause the electronic device to perform a method of backing up data as described above.
The embodiment of the invention also discloses a computer readable storage medium, which stores a computer program for causing a processor to execute the data backup method.
The embodiment of the invention has the following advantages:
The data backup scheme provided by the embodiment of the invention is applied to a data side system. A data backup request of the backup side device is acquired, the data backup request comprising the data security level of target data of the data side system. A data security policy is then configured according to the data security level, the data security policy comprising at least one data backup security measure. Meanwhile, a data key request of the backup side device is acquired, and a security key is generated according to the data key request. The target data is then backed up to the backup side device according to the data backup security measure and the security key.
According to the embodiment of the invention, by acquiring the data security level, the corresponding data security policy can be configured according to the importance and sensitivity of the data. This ensures that appropriate security measures are adopted for data of different levels and improves the security of data backup. By acquiring the data key request of the backup side device, a security key for data backup is generated, which ensures that the encryption and decryption of the backup data are secure and reliable. The target data is effectively backed up to the backup side device, so that the data is backed up off-site. When data is lost or damaged, it can therefore be recovered in time, and the normal operation of the system is ensured.
In general, compared with the background technology, the embodiment of the invention improves the safety and reliability of data backup, meets the requirement of users on remote backup of key data, and further ensures the safety and stability of the system.
Drawings
FIG. 1 is a flow chart of the steps of a method for backing up data according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a remote data backup scheme based on the Internet of view according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a remote data backup scheme based on the Internet of view according to an embodiment of the present invention;
FIG. 4 is a flow chart of a remote data backup scheme based on the Internet of view according to an embodiment of the present invention;
FIG. 5 is a block diagram of a data backup system according to an embodiment of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
The data backup scheme provided by the embodiment of the invention is applied to a data side system, and the specific flow is as follows: firstly, a data backup request of backup side equipment is obtained, wherein the data backup request comprises the data security level of target data of a data side system. Then, a data security policy is configured according to the data security level, the policy including at least one data backup security measure. Then, a data key request of the backup side device is acquired, and a security key is generated. And finally, backing up the target data to the backup side equipment according to the data backup safety measure and the safety key. According to the scheme, the data security level is classified, and corresponding security policies and key management are configured according to the classification, so that the security and reliability of data backup are effectively improved, the requirement of customers on data remote backup is met, and the safe and stable operation of the system is ensured.
Referring to fig. 1, a flowchart of steps of a method for backing up data according to an embodiment of the present invention is shown. The data backup method can be applied to a data side system. The data backup method specifically comprises the following steps:
Step 101, obtaining a data backup request of a backup side device.
In the embodiment of the invention, in the process of data backup, a data backup request of backup side equipment needs to be acquired. The data backup request includes a data security level of target data of the data side system. The data security levels are typically classified according to the importance and sensitivity of the data in order to subsequently configure corresponding security policies and measures according to different levels.
For example: assume that a company's data side system contains personal information of personnel, financial data and the like, which can be classified into different security levels. Personal information may be of a high security level, while financial data may be of a medium security level. When a data backup request of the backup side device is received, the data side system learns the security level of the data and can thus prepare for the subsequent data backup.
Step 102, configuring the data security policy according to the data security level.
In the embodiment of the present invention, according to the data security level acquired in step 101, a data security policy needs to be configured. The data security policy at least comprises a data backup security measure to ensure the security and reliability of the data backup.
For example: for data of a high security level, measures such as encryption and access control can be taken to ensure that the data cannot be illegally accessed or tampered with during backup. For data of a medium security level, relatively simple security measures such as data compression and integrity verification may be taken.
Step 103, obtaining a data key request of the backup side device.
In the embodiment of the invention, in the process of data backup, a data key request of backup side equipment needs to be acquired. These keys will be used in subsequent data backup encryption and decryption operations to ensure the security of the backup data.
For example: the backup side device may request a data key from the data side system for encrypting the backup data. These keys can be generated in a secure manner and used in the data backup process to secure the backup data.
Step 104, generating a security key according to the data key request.
In an embodiment of the present invention, a security key needs to be generated according to the data key request acquired in step 103. These keys will be used to encrypt and decrypt the backup data, ensuring the security of the data during transmission and storage.
For example: the security key may be generated using a secure key generation algorithm based on the data key request of the backup side device. The generated security key should have sufficient complexity and randomness to ensure the security of the data backup.
Step 105, backing up the target data to the backup side device according to the data backup security measures and the security key.
In the embodiment of the invention, the target data is backed up to the backup side device according to the data backup security measures and the security key. In the backup process, the configured backup security policy and security key should be used to ensure the security and reliability of the target data backup.
For example: using the configured backup security policy and the generated security key, the target data is backed up according to its security level. Target data of a high security level may be transmitted and stored using encryption, while target data of a low security level may be transmitted and stored in the ordinary manner. This ensures both the security and the efficiency of the target data backup.
In an exemplary embodiment of the present invention, one implementation of generating a security key according to a data key request is to apply to a key generation center for the security key according to the data key request. In the actual application process, a data key request for the security key is generated as needed; the data key request comprises information such as the key length and the encryption algorithm. The data key request is sent to the key generation center to request generation of a security key. The key generation center is typically a specialized security system responsible for generating and managing security keys. After the key generation center receives the request, it generates a security key using a secure key generation algorithm according to the information in the request. The generated security key should have sufficient complexity and randomness to ensure the security of the key. After the security key is generated, the key generation center sends it to the requesting party in a secure manner, ensuring that the security key is not leaked or tampered with during transmission.
For example: suppose a company needs to generate a security key for its database in order to encrypt a database backup. The company sends a data key request to a key generation center requesting the generation of a key of 128 bits length for the Advanced Encryption Standard (AES) encryption algorithm. After receiving the request, the key generation center generates a 128-bit security key by using an AES algorithm, and issues the security key to the company through a secure channel. The company encrypts the database backup using the security key to ensure the security of the backup data.
By applying to the key generation center for the security key, the embodiment of the invention can ensure that the generation of the security key is secure and reliable. The key generation center usually adopts secure algorithms and secure storage, so the security of the key can be effectively improved. The security key generated by the key generation center has enough randomness and complexity to effectively prevent the key from being guessed or cracked. Because the key generation center manages the security keys uniformly, the keys can be conveniently managed and monitored, and their reasonable use and update is ensured. The key generation center can generate the security key in real time according to actual requirements, ensuring the timeliness and validity of the security key.
In an exemplary embodiment of the present invention, one implementation of the step before the target data is backed up to the backup side device according to the data backup security measures and the security key is to perform identity authentication on the backup side device and on the operation user of the backup side device respectively, according to the data backup security measures. After the authentication is passed, the operation of backing up the target data to the backup side device according to the data backup security measure and the security key is performed. In the practical application process, the specific requirements for identity authentication of the backup side device and of its operation user, including the authentication mode, the authentication standard and the like, are confirmed according to the data backup security measures. Identity authentication is performed on the backup side device to ensure that it is legitimate and has the authority to perform data backup. Authentication may be performed using a user name and password, a digital certificate, etc. Identity authentication is performed on the operation user of the backup side device to ensure that the operation user has the authority to perform data backup. Authentication may be performed using multi-factor authentication, single-factor authentication, or the like. After the authentication passes, a security key for data backup is prepared. The security key can be generated in advance or dynamically, as determined by specific requirements. After authentication has passed and the security key has been prepared, the data backup operation is performed: the target data is backed up to the backup side device according to the data backup security measure and the security key.
For example: assume that a company uses a cloud storage service as the backup side device and takes an authentication measure in order to ensure the security of the target data to be backed up. Firstly, the backup side device (the cloud storage service) requires an operation user to input a user name and a password for identity authentication, and confirms that the user identity is legitimate. The company then generates a security key for data backup and sends the security key to the cloud storage service for authentication. After the authentication is passed, the company backs up the target data to the cloud storage service using an encryption algorithm, so that the security of the data backup is ensured.
By carrying out identity authentication on the equipment and the operation user at the backup side, the embodiment of the invention can ensure that only legal equipment and users can carry out data backup operation, thereby improving the safety of data backup. In the identity authentication process, the data backup operation can be controlled according to the user authority, so that the legality and reliability of the data backup are ensured. The log generated in the identity authentication process can be used for subsequent tracing of the data backup operation, so that the data backup process can be monitored and managed conveniently. By using the security key, the integrity of the backup data can be ensured, and the data is prevented from being tampered or damaged in the backup process.
In an exemplary embodiment of the present invention, one implementation of backing up target data to a backup side device according to a data backup security measure and a security key is to encrypt the security key with an encryption public key, negotiated with the backup side device, of the digital signature algorithm based on an elliptic curve cryptosystem (Digital Signature Algorithm Based on Elliptic Curve Cryptography, abbreviated as SM9), and to transmit the encrypted security key to the backup side device through a constructed isolation tunnel. In the practical application process, a public key of the SM9 encryption algorithm needs to be negotiated with the backup side device for encrypting the security key. SM9 is an encryption algorithm based on elliptic curve cryptography, and has higher security and efficiency. The security key is encrypted with the SM9 encryption public key obtained through negotiation. The encrypted security key can only be decrypted with the corresponding private key, which ensures the security of key transmission. The encrypted security key is transmitted to the backup side device through the constructed isolation tunnel. The isolation tunnel usually adopts encrypted transmission, so that the key cannot be stolen or tampered with in transit. After receiving the encrypted security key, the backup side device uses the corresponding SM9 encryption private key to decrypt it and obtain the original security key. After the security key has been decrypted, the target data is backed up to the backup side device according to the data backup security measure and the decrypted security key.
For example: assume that a company uses the SM9 encryption algorithm to back up data. First, the company negotiates with the backup side device to obtain the public key of the SM9 encryption algorithm. Then, the company encrypts the generated security key using the SM9 public key to obtain an encrypted security key. Next, the company transmits the encrypted security key to the backup side device through the constructed isolation tunnel. After receiving the encrypted security key, the backup side device uses the corresponding SM9 private key to decrypt it and obtain the original security key. Finally, the target data is backed up to the backup side device according to the data backup security measure and the decrypted security key.
According to the embodiment of the invention, the SM9 encryption algorithm is used for encrypting the security key, and the security of the key transmission process is ensured through the isolated tunnel transmission, so that the key is prevented from being stolen or tampered. The SM9 algorithm has higher encryption efficiency, can quickly encrypt and decrypt the security key, and improves the key transmission efficiency. By using the encrypted security key to carry out data backup operation, the security and reliability of the backup data are ensured, and the data is prevented from being tampered or damaged in the backup process. The SM9 algorithm is a public cryptographic algorithm, has good universality and expandability, and is suitable for various data backup scenes.
In an exemplary embodiment of the present invention, one implementation of backing up target data to a backup side device according to a data backup security measure and a security key is to encrypt the target data with a symmetric encryption key in the security key, and to add a message authentication code (Message Authentication Code, abbreviated as MAC) key in the security key to the encrypted target data to obtain ciphertext data. The ciphertext data is transmitted to the backup side device through the isolation tunnel. In the practical application process, the symmetric encryption key in the security key is used to encrypt the target data. The symmetric encryption algorithm ensures the security of the data during transmission and storage. The MAC key in the security key is added to the encrypted target data to generate ciphertext data with integrity verification. The MAC key is used to generate a message authentication code to ensure that the data is not tampered with during transmission. The generated ciphertext data is transmitted to the backup side device through the constructed isolation tunnel. The isolation tunnel usually adopts encrypted transmission, so that the ciphertext data cannot be stolen or tampered with in transit. After receiving the ciphertext data, the backup side device decrypts the data using the symmetric decryption key in the corresponding security key. It then performs integrity verification on the decrypted data using the MAC key in the security key, to ensure that the data has not been tampered with during transmission.
For example: assume that a company uses the AES symmetric encryption algorithm and the hash-based message authentication code algorithm HMAC-SHA256 (Hash-based Message Authentication Code, HMAC) as the symmetric encryption and MAC algorithms to back up data. First, the company encrypts the target data using the AES symmetric encryption key in the security key. Then, the HMAC-SHA256 key in the security key is added to the encrypted target data to generate a MAC, and the MAC and ciphertext data are transmitted to the backup side device. After receiving the data, the backup side device decrypts the data using the corresponding AES decryption key, and performs MAC verification on the decrypted data using the HMAC-SHA256 key to ensure the integrity and security of the data.
According to the embodiment of the invention, the security of the data transmission process is ensured and the data is prevented from being stolen or tampered by symmetrically encrypting the target data and adding the MAC. By adding the MAC, the integrity of the data can be verified in the data transmission process, and the data is ensured not to be tampered in the transmission process. By using the symmetric encryption key and the MAC key in the security key, the complexity of key management is simplified, and the efficiency of data backup operation is improved. Common symmetric encryption and MAC algorithm are used, so that the method has good universality and applicability, and is suitable for various data backup scenes.
In an exemplary embodiment of the present invention, the backup side device is configured to decrypt the encrypted security key with the negotiated SM9 encryption private key to obtain a security key, decrypt the encrypted target data with the symmetric encryption key in the security key, and verify whether the MAC key in the ciphertext data is the same as the MAC key in the security key; if the MAC key in the ciphertext data is the same as the MAC key in the security key, encrypting the target data by using an encryption key locally generated by the backup side device, and storing the target data in a designated position of the backup side device.
In the actual application process, the backup side device decrypts the encrypted security key by using the negotiated SM9 encryption private key to obtain the original security key. This process ensures the security of the security key during transmission and storage. Then, the backup side device decrypts the encrypted target data using the symmetric encryption key in the security key. This restores the original target data. The decrypted target data includes the MAC key of the security key. The backup side device needs to compare the MAC key in the decrypted target data with the MAC key in the security key to ensure the integrity of the data. If the verification passes, the data was not tampered with during transmission. At this point, the backup side device may encrypt the target data using the locally generated encryption key and store it in the designated location.
For example, assume that a company uses the SM9 encryption algorithm and the AES symmetric encryption algorithm to back up data. First, the backup side device decrypts the encrypted security key by using the SM9 encryption private key obtained through negotiation to obtain the original security key. Then, the backup side device decrypts the encrypted target data using the AES symmetric encryption key in the security key. The decrypted data contains the MAC key in the security key, and the backup side device needs to compare the MAC key in the decrypted data with the MAC key in the security key to ensure the integrity of the data. If the verification passes, which indicates that the data was not tampered with during transmission, the backup side device can encrypt the target data by using the locally generated encryption key and store the target data in a designated position.
According to the embodiment of the invention, the SM9 encryption algorithm and the symmetric encryption algorithm are used for encrypting and decrypting the data, so that the safety of the data transmission process is ensured, and the data is prevented from being stolen or tampered. By checking whether the MAC key in the decrypted data is the same as the MAC key in the security key, whether the data is tampered in the transmission process can be verified, and the integrity of the data is ensured. By encrypting the data by using the locally generated encryption key, the complexity of key management is simplified, and the efficiency of data backup operation is improved. The common SM9 encryption algorithm and the symmetric encryption algorithm are used, so that the method has good universality and applicability, and is suitable for various data backup scenes.
In one exemplary embodiment of the present invention, the data backup security measures include: data storage measures, data transmission measures, data encapsulation measures, secret key issuing measures, tunnel construction measures and identity authentication measures. Data storage measures: the backup data is stored on a safe and reliable storage medium, for example using encrypted storage or distributed storage, so as to prevent data leakage and damage. Data transmission measures: the data transmission process adopts a secure encrypted transmission protocol, such as the transport layer security protocol (Transport Layer Security, abbreviated as TLS) or the secure sockets layer (Secure Sockets Layer, abbreviated as SSL), so as to ensure that the data is not stolen or tampered with during transmission. Data encapsulation measures: the backup data is packaged, including encryption, compression and other processing, so as to ensure the security and integrity of the backup data. Key issuing measures: the keys required for encryption are issued and managed securely, ensuring the security of the keys during transmission and storage. Tunnel construction measures: a secure tunnel is constructed for data transmission, ensuring the security and privacy of the data during transmission. Identity authentication measures: identity authentication is performed on the users and devices carrying out the backup operation, ensuring that only legitimate users and devices can perform data backup operations.
For example, a company uses the data backup security measures to back up data. First, the company stores the backup data on an encrypted hard disk, ensuring the security of data storage. Then, security protocols such as TLS/SSL are used during data transmission, ensuring the security of the data in transit. The company then encrypts and compresses the backup data to ensure its security and integrity. Meanwhile, the company issues and manages the keys required for encryption in a secure manner, ensuring the security of the keys. The company also builds a secure tunnel for data transmission, ensuring the security of the data in transit. Finally, the company performs identity authentication on the users and devices performing the data backup operation, so that only legitimate users and devices can perform it.
According to the embodiment of the invention, by comprehensively adopting various security measures, the security of the backup data is effectively improved, and data leakage and damage are prevented. Secure transmission protocols and tunnel construction measures are adopted, so that the security of the data during transmission is ensured and the data is prevented from being stolen or tampered with. The data encapsulation and encryption measures ensure the integrity of the backup data and prevent the data from being tampered with or damaged during backup. The key issuing measures ensure the security of the keys during transmission and storage and prevent data security problems caused by key leakage. The identity authentication measures ensure the legitimacy of the users and devices performing data backup operations and prevent data security problems caused by unauthorized operations.
Based on the above description of an embodiment of a data backup method, a remote data backup scheme based on video networking is described below. Referring to fig. 2, a schematic diagram of a remote data backup scheme based on video networking according to an embodiment of the present invention is shown. The remote data backup scheme can be applied to multi-level video networking. As shown in fig. 2, the video networking may be divided into a first-layer autonomous domain, a second-layer autonomous domain, and a third-layer autonomous domain. The first-layer autonomous domain may interface with a Key Generation Center (KGC). The second-layer and third-layer autonomous domains are each provided with their own backup devices. Each backup device is assigned a unique object identifier (Object Identifier, OID for short) according to the cascade structure of the video networking, such as OID: 1.1, 1.2, 1.3, 1.1.1, 1.1.2, 1.3.1, 1.3.2. Among the plurality of backup devices, data backup can be performed between different backup devices. Data backup can be performed between the backup devices with OIDs 1.1.2 and 1.3.1.
In the offsite data backup scheme, the integrated management system of the autonomous domain of any layer can integrate a cryptographic device or cryptographic module and interface with a Key Generation Center (KGC). The router or switch devices of the video network integrate a state monitoring module, and, based on the SM9 identification algorithm, backup devices and operators at every level are assigned unique identifier OIDs according to the video networking cascade structure. Referring to fig. 3, a schematic diagram of a remote data backup scheme based on video networking according to an embodiment of the present invention is shown. The remote data backup scheme provides the following security policy modules: identity authentication based on the SM9 identification algorithm (for backup operators and backup devices; identity authentication of personnel or devices in the backup domain is initiated according to the security policy), isolation tunnel construction (whether to construct an isolation tunnel is selected according to the security policy), key issuing (whether to issue keys is selected according to the security policy), data encapsulation (whether to encapsulate the data, and in which format, is selected according to the security policy), data transmission (the transmission mode is selected according to the security policy), data decryption/encrypted storage (whether to decrypt/encrypt is selected according to the security policy), state monitoring, and so on. The data export side, namely the data side system, judges the data security level of the target data and, according to that level, selects from these functional modules the data security policy for the target data to be backed up. If one of a set of interdependent items is selected, the other dependent items are automatically checked.
After the combination of data security policies is selected, the target data is securely transmitted and backed up according to the selected options.
Referring to fig. 4, a flowchart of a remote data backup scheme based on video networking according to an embodiment of the present invention is shown.
The offsite data backup scheme may involve autonomous domain A and autonomous domain B. Autonomous domain A comprises router A1, the integrated management system of autonomous domain A (referred to below as integrated management system A) and a key generation center. Autonomous domain B contains backup device B1. The offsite data backup scheme is illustrated below with the selection of all data backup security measures as an example.
The integrated management system integrates the cryptographic device or cryptographic module and interfaces with the key generation center; the video networking router device integrates the state monitoring module; and backup devices and operators at every level are assigned unique identifier OIDs according to the video networking cascade structure.
The backup destination side, namely the backup device, initiates a data backup request to integrated management system A.
The data export side, namely integrated management system A, configures a security policy (taking selection of all measures as an example) according to the data security level of the target data in the data backup request.
The backup destination side applies to integrated management system A for SM9 keys, and the data export side invokes the KGC to apply for the SM9 keys.
The backup destination side requests identity authentication from integrated management system A.
Router A1 starts a state monitoring service to monitor all of the following steps. If an abnormality is found, the data forwarding operation is interrupted; if the backup process needs to continue, the identity authentication process is restarted.
The data export side performs operator identity authentication and backup device identity authentication on the backup destination side based on the identification algorithm.
After both authentications pass, the data export side and the backup destination side start SM9 key negotiation and construct an isolation tunnel, and the negotiated session key encrypts all data communicated between the two sides.
The data export side calls the cryptographic device to generate a symmetric encryption key and a MAC key, encrypts the symmetric encryption key and the MAC key by using the SM9 encryption public key of the backup destination side, and sends the ciphertext of the symmetric encryption key and the MAC key to the backup destination side through the isolation tunnel.
The backup destination side decrypts the ciphertext to obtain the keys (the symmetric encryption key and the MAC key).
The data export side performs encryption packaging of the backup data: it encrypts the backup data, namely the target data, by using the symmetric encryption key, and adds an HMAC to obtain ciphertext backup data.
The ciphertext backup data is transmitted to the backup destination side through the isolation tunnel.
The backup destination side decrypts the ciphertext backup data and verifies the MAC value; once the data is confirmed to be correct, it encrypts and stores the backup data by using a locally generated symmetric key, and sends confirmation information to feed the backup result back to integrated management system A.
The backup flow ends.
Throughout the backup process, router A1 can forward data between backup device B1 and integrated management system A.
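The encryption packaging and verification steps of this flow (symmetric encryption plus an HMAC on the data export side, MAC check on the backup destination side), as an added Go example that is not part of the patent text. It assumes AES-256-CTR, a wire layout of IV, ciphertext and HMAC-SHA256 tag, and a tag check performed before decryption; SM9 key delivery and the isolation tunnel are out of scope, and the names `SecurityKey`, `Pack` and `Unpack` are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed wire layout (this example's choice, not specified by the patent):
// 16-byte IV || AES-256-CTR ciphertext || 32-byte HMAC-SHA256 tag.
const ivLen, tagLen = aes.BlockSize, sha256.Size

var (
	ErrShort  = errors.New("backup package too short")
	ErrBadMAC = errors.New("backup package failed MAC verification")
)

// SecurityKey is the key pair the data export side generates and delivers.
type SecurityKey struct {
	Enc []byte // symmetric encryption key (AES-256)
	MAC []byte // HMAC-SHA256 key
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// NewSecurityKey draws two independent random 32-byte keys.
func NewSecurityKey() (k SecurityKey, err error) {
	if k.Enc, err = randomBytes(32); err != nil {
		return k, err
	}
	k.MAC, err = randomBytes(32)
	return k, err
}

// tag computes HMAC-SHA256 over the IV and ciphertext.
func tag(macKey, body []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(nil)
}

// Pack (data export side): encrypt, then append an HMAC over IV and ciphertext.
func Pack(k SecurityKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	iv, err := randomBytes(ivLen) // fresh IV for every package
	if err != nil {
		return nil, err
	}
	body := append(iv, make([]byte, len(plaintext))...)
	cipher.NewCTR(block, iv).XORKeyStream(body[ivLen:], plaintext)
	return append(body, tag(k.MAC, body)...), nil
}

// Unpack (backup destination side): check the tag in constant time, then decrypt.
func Unpack(k SecurityKey, pkg []byte) ([]byte, error) {
	if len(pkg) < ivLen+tagLen {
		return nil, fmt.Errorf("%w: got %d bytes", ErrShort, len(pkg))
	}
	body, got := pkg[:len(pkg)-tagLen], pkg[len(pkg)-tagLen:]
	if !hmac.Equal(got, tag(k.MAC, body)) {
		return nil, ErrBadMAC // reject before any decryption happens
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-ivLen)
	cipher.NewCTR(block, body[:ivLen]).XORKeyStream(pt, body[ivLen:])
	return pt, nil
}

func main() {
	k, err := NewSecurityKey()
	if err != nil {
		panic(err)
	}
	pkg, _ := Pack(k, []byte("constructed sample backup record"))
	pt, err := Unpack(k, pkg)
	fmt.Printf("intact:   %q err=%v\n", pt, err)
	pkg[ivLen] ^= 0x01 // one ciphertext bit flipped in transit
	_, err = Unpack(k, pkg)
	fmt.Println("tampered:", err)
}
```

Using separate keys for encryption and for the MAC, as the flow does, keeps a weakness in one primitive from exposing the other.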
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the invention.
Referring to FIG. 5, a block diagram of a data backup system is shown, according to an embodiment of the present invention. The data backup system specifically comprises the following modules.
A backup request obtaining module 51, configured to obtain a data backup request of a backup side device, where the data backup request includes a data security level of target data of the data side system;
A security policy configuration module 52, configured to configure a data security policy according to the data security level, where the data security policy includes at least one data backup security measure;
A key request obtaining module 53, configured to obtain a data key request of the backup side device;
A security key generation module 54, configured to generate a security key according to the data key request;
A target data backup module 55, configured to back up the target data to the backup side device according to the data backup security measure and the security key.
In an exemplary embodiment of the present invention, the security key generation module 54 is configured to apply to a key generation center for the security key according to the data key request.
In an exemplary embodiment of the invention, the system further comprises:
An identity authentication module, configured to perform identity authentication on the backup side device and on the operating user of the backup side device, respectively, according to the data backup security measure, before the target data backup module 55 backs up the target data to the backup side device according to the data backup security measure and the security key.
In an exemplary embodiment of the present invention, the target data backup module 55 includes:
A security key encryption module, configured to encrypt the security key by using an SM9 encryption public key negotiated with the backup side device;
A security key transmission module, configured to transmit the encrypted security key to the backup side device through the constructed isolation tunnel.
In an exemplary embodiment of the present invention, the target data backup module 55 includes:
A target data encryption module, configured to encrypt the target data by using the symmetric encryption key in the security key;
A message authentication code key adding module, configured to add the MAC key in the security key to the encrypted target data to obtain ciphertext data;
A ciphertext data transmission module, configured to transmit the ciphertext data to the backup side device through the isolation tunnel.
In an exemplary embodiment of the present invention, the backup side device is configured to decrypt the encrypted security key with a negotiated SM9 encryption private key to obtain the security key, decrypt the encrypted target data with the symmetric encryption key in the security key, and verify whether the MAC key in the ciphertext data is the same as the MAC key in the security key; and if the MAC key in the ciphertext data is the same as the MAC key in the security key, encrypting the target data by using an encryption key locally generated by the backup side device, and storing the target data in a designated position of the backup side device.
In an exemplary embodiment of the present invention, the data backup security measure includes: data storage measures, data transmission measures, data encapsulation measures, secret key issuing measures, tunnel construction measures and identity authentication measures.
For system embodiments, the description is relatively simple as it is substantially similar to method embodiments, and reference is made to the description of method embodiments for relevant points.
In this specification, the embodiments are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or terminal device that comprises the element.
The foregoing has described in detail a data backup method and a data backup system provided by the present invention. Specific examples have been used herein to illustrate the principles and embodiments of the present invention, and the above description of the examples is only intended to help in understanding the method and core idea of the present invention. Meanwhile, those skilled in the art may make changes to the specific embodiments and the application scope in accordance with the ideas of the present invention. In view of the above, the content of this description should not be construed as limiting the present invention.

Claims (10)

1. A method for backing up data, the method being applied to a data-side system, the method comprising:
acquiring a data backup request of backup side equipment, wherein the data backup request comprises the data security level of target data of the data side system;
configuring a data security policy according to the data security level, wherein the data security policy comprises at least one data backup security measure;
acquiring a data key request of the backup side equipment;
generating a security key according to the data key request;
and backing up the target data to the backup side equipment according to the data backup security measure and the security key.
2. The method of claim 1, wherein the generating a security key from the data key request comprises:
applying to a key generation center for the security key according to the data key request.
3. The method of claim 2, wherein prior to the backing up the target data to the backup-side device in accordance with the data backup security measure and the security key, the method further comprises:
according to the data backup security measures, respectively carrying out identity authentication on the backup side equipment and the operation user of the backup side equipment;
and after the identity authentication is passed, executing the operation of backing up the target data to the backup side equipment according to the data backup security measure and the security key.
4. A method according to claim 3, wherein the backing up the target data to the backup-side device according to the data backup security measure and the security key comprises:
encrypting the security key by utilizing a digital signature algorithm encryption public key based on an elliptic curve cryptosystem negotiated with the backup side equipment;
and transmitting the encrypted security key to the backup side equipment through the constructed isolation tunnel.
5. The method of claim 4, wherein backing up the target data to the backup-side device according to the data backup security measure and the security key comprises:
encrypting the target data by utilizing the symmetric encryption key in the security key;
adding a message authentication code key in the security key to the encrypted target data to obtain ciphertext data;
and transmitting the ciphertext data to the backup side equipment through the isolation tunnel.
6. The method according to claim 4, wherein the backup side device is configured to decrypt the encrypted security key by using a negotiated digital signature algorithm encryption private key based on elliptic curve cryptosystem to obtain the security key, decrypt the encrypted target data by using the symmetric encryption key in the security key, and verify whether a message authentication code key in the ciphertext data is identical to a message authentication code key in the security key; and if the message authentication code key in the ciphertext data is the same as the message authentication code key in the security key, encrypting the target data by using an encryption key locally generated by the backup side device, and storing the target data in a designated position of the backup side device.
7. The method of claim 1, wherein the data backup security measure comprises: data storage measures, data transmission measures, data encapsulation measures, secret key issuing measures, tunnel construction measures and identity authentication measures.
8. A system for backing up data, the system comprising:
a backup request acquisition module, used for acquiring a data backup request of backup side equipment, wherein the data backup request comprises the data security level of target data of the data side system;
a security policy configuration module, used for configuring a data security policy according to the data security level, wherein the data security policy comprises at least one data backup security measure;
a key request acquisition module, used for acquiring the data key request of the backup side equipment;
a security key generation module, used for generating a security key according to the data key request;
and a target data backup module, used for backing up the target data to the backup side equipment according to the data backup security measure and the security key.
9. An electronic device, comprising:
one or more processors; and
one or more machine readable media having instructions stored thereon, which when executed by the one or more processors, cause the electronic device to perform the method of backing up data of any of claims 1 to 7.
10. A computer readable storage medium storing a computer program for causing a processor to perform a method of backing up data according to any one of claims 1 to 7.
CN202410215857.9A 2024-02-27 2024-02-27 Data backup method and system, electronic equipment and storage medium Pending CN118331787A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410215857.9A CN118331787A (en) 2024-02-27 2024-02-27 Data backup method and system, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN118331787A true CN118331787A (en) 2024-07-12

Family

ID=91780909

Country Status (1)

Country Link
CN (1) CN118331787A (en)

Legal Events

Date Code Title Description
PB01 Publication