WO2019136959A1 - Data processing method and device, computer device and storage medium - Google Patents


Publication number
WO2019136959A1
WO2019136959A1 PCT/CN2018/096760 CN2018096760W WO2019136959A1 WO 2019136959 A1 WO2019136959 A1 WO 2019136959A1 CN 2018096760 W CN2018096760 W CN 2018096760W WO 2019136959 A1 WO2019136959 A1 WO 2019136959A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
distributed system
data
key
written
Application number
PCT/CN2018/096760
Other languages
French (fr)
Chinese (zh)
Inventor
张宇
宦鹏飞
谢丹力
王梦寒
Original Assignee
深圳壹账通智能科技有限公司
Application filed by 深圳壹账通智能科技有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/303 Terminal profiles

Definitions

  • The present application relates to a data processing method, apparatus, computer device, and storage medium.
  • A distributed database is used by multiple organizations, each of which writes data to the database.
  • Nodes that join a distributed system provide a read/write interface.
  • In existing distributed systems, data reads and writes are initiated and controlled by the organization that interfaces with the distributed system.
  • The interfacing organization initiates a request to store data in the distributed system, and the write interface provided by the distributed system writes the data to the distributed system and synchronizes it to the other nodes in the distributed system.
  • The accessing organization uses the read interface provided by the distributed system to read the data from the distributed system and use it.
  • The inventors realized that all data to be stored in a distributed system must pass through a read/write interface provided by the distributed system, which causes problems such as concentration of permissions and performance bottlenecks. In addition, once this read/write interface fails, there is a risk that data cannot be written to the distributed system. When the amount of data to be written is large, there are also problems such as data write delay and loss.
  • A data processing method, apparatus, computer device, and storage medium are provided.
  • a data processing method comprising:
  • A data processing device comprising:
  • a key obtaining module configured to obtain a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface;
  • an encryption module configured to encrypt data to be written by using the first temporary session key; and
  • a writing module configured to send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • A computer device comprising a memory and one or more processors, the memory having stored therein computer readable instructions which, when executed by the one or more processors, cause the one or more processors to perform the following steps: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • One or more non-transitory computer readable storage media storing computer readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • FIG. 1 is an application scenario diagram of a data processing method in accordance with one or more embodiments.
  • FIG. 2 is a flow diagram of a data processing method in accordance with one or more embodiments.
  • FIG. 3 is a flow diagram of pre-configured steps in accordance with one or more embodiments.
  • FIG. 4 is a timing diagram of a data processing method in accordance with one or more embodiments.
  • FIG. 5 is a block diagram of a data processing apparatus in accordance with one or more embodiments.
  • FIG. 6 is a block diagram of a computer device in accordance with one or more embodiments.
  • The data processing method provided by the present application can be applied to an application environment as shown in FIG. 1.
  • The terminal connects to the distributed system through the network.
  • By configuring the terminal in advance, the distributed system assigns the read and write permissions of the read/write nodes originally deployed in the distributed system to the terminal, so that the data to be written can be uploaded to any node of the distributed system through the terminal. For example, the terminal is configured by using a configuration file, which may be an integrated SDK (Software Development Kit), and a security module is formed on the terminal by configuring an interface of the terminal, and the security module is distributed.
  • The terminal uses the security module to obtain the first temporary session key by exchanging with the distributed system according to the key exchange protocol, encrypts the data to be written with the first temporary session key, and sends the encrypted data to be written to the distributed system through the pre-configured interface to write the data. Data reading is similar: the terminal may send a data read request to the distributed system through the security module, receive through the pre-configured interface the data to be read that the distributed system returns encrypted with the second temporary session key, and decrypt the encrypted data to be read with the first temporary session key to obtain the second plaintext.
  • Terminal 102 can be, but is not limited to, a variety of personal computers, notebook computers, smart phones, tablets, and portable wearable devices.
  • A data processing method is provided. Taking its application to the terminal in FIG. 1 as an example, the method includes the following steps:
  • S202: Obtain a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface.
  • The distributed system may be a blockchain or another distributed system, and is not specifically limited herein.
  • The pre-configured interface is obtained by the terminal by registering with the distributed system.
  • The terminal sends a registration request to the distributed system, and the distributed system determines whether the terminal is a secure terminal. If so, the terminal may be authorized, for example by sending a corresponding configuration file to configure the target interface of the terminal. That is, the read and write permissions of the read/write nodes originally deployed in the distributed system are placed on the terminal through pre-configuration, so that the data to be uploaded can be uploaded to any node of the distributed system after being processed by the terminal, and the distributed system no longer needs to deploy a large number of read/write nodes, which can greatly reduce the cost.
  • The deployment process may take the form of forming a security module in the terminal. For example, after the configured SDK is downloaded to the terminal, loaded and run, the SDK uniformly manages the interfaces for interacting with the distributed system.
  • The first temporary session key may be a different temporary data key for different types of data. For example, the temporary session key for each interaction between a terminal and the distributed system may be different, so that even if an attacker obtains one temporary session key, the key of the next data interaction cannot be predicted and the data plaintext cannot be obtained.
  • The shared curve parameters may be stored in the terminal and the authorized terminal. For example, the first shared curve parameter is stored in the first terminal, the second shared curve parameter is stored in the second terminal, and all the shared curve parameters are stored in the distributed system. Each shared curve parameter includes an elliptic curve E, an order N, and a base point G.
  • Obtaining the first temporary session key by exchanging with the distributed system according to the key exchange protocol through the pre-configured interface may include: sending a key exchange request to the distributed system through the pre-configured interface; receiving a first key returned by the distributed system according to the key exchange request; and generating the first temporary session key according to the first key. The second temporary session key is generated as follows: the terminal generates a second random number, generates a second key according to the second random number, and transmits the second key to the distributed system; the distributed system generates the second temporary session key according to the second key and the first random number generated by the distributed system.
  • The value A can be transmitted in public, that is, an attacker can obtain A. Because the elliptic curve discrete logarithm problem is hard, the attacker cannot calculate a from A and G. Therefore, the exchanging parties can negotiate a key without sharing any secret, thereby ensuring the security of the data to be written.
  • S204: Encrypt the data to be written with the first temporary session key.
  • The terminal may encrypt the data to be written by using the first temporary session key, thereby ensuring the security of the data to be written. Further, so that the distributed system knows which terminal sent the data to be written, the terminal identifier is sent to the distributed system together with the encrypted data to be written. The terminal identifier uniquely determines the terminal and may be, for example, the MAC address of the terminal.
  • S206: Send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using the second temporary session key to obtain the first plaintext, the second temporary session key corresponding to the first temporary session key.
  • The encrypted data to be written is sent to the distributed system through the pre-configured interface. After receiving the encrypted data to be written, the distributed system can obtain the second temporary session key it calculated and decrypt the encrypted data to be written with the second temporary session key to obtain the data plaintext.
  • The distributed system first obtains the calculated second temporary session key according to the terminal identifier of the terminal. For example, when the distributed system calculates the second temporary session key, it first stores the second temporary session key in association with the corresponding terminal identifier, so that it can later look up the calculated second temporary session key by terminal identifier and then decrypt the encrypted data to be uploaded with the second temporary session key to obtain the first plaintext.
  • The data may be encrypted and stored according to the data encryption method on the distributed system to ensure the security of the data on the distributed system.
  • The above data processing method pre-configures the interface in the authorization center, so it does not need to be deployed at the ingress node of the distributed system, which greatly saves deployment cost. By configuring the interface to the authorized terminal, the data sources of the distributed system become richer and access becomes simpler and more convenient, which greatly relieves the pressure on the access nodes of the distributed system and avoids the problem of all data being written through one access node.
  • Step S204 further comprises: signing the encrypted data to be written with the pre-deployed terminal private key.
  • Sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written by using the second temporary session key to obtain the first plaintext, that is, step S206, may include: sending, through the pre-configured interface, the encrypted and signed data to be written to the distributed system, so that the distributed system, after successfully verifying the signature of the received data to be written with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext. The terminal public key corresponds to the terminal private key.
  • The public key of the terminal may be pre-deployed; that is, the data sent by the terminal to the distributed system is signed with the private key of the terminal, so that the distributed system can verify it with the corresponding terminal public key, which further ensures the security of data transmission.
  • The pre-deployed terminal public and private keys may be generated by the terminal. That is, when the terminal registers, the public key generated by the terminal is submitted to the distributed system, the distributed system signs the terminal public key through the certificate authority of the distributed system and stores it on the distributed system, and the authorization certificate is returned to the terminal to indicate that the terminal is successfully registered.
  • Alternatively, the public and private keys of the terminal may be generated in the distributed system. That is, the distributed system generates the public and private keys of the terminal based on the terminal information and then returns the terminal private key to the terminal. To ensure the security of the terminal private key, this process may be performed offline.
  • The encrypted data to be written may be further signed with the pre-deployed terminal private key, and the encrypted and signed data to be written and the identifier of the terminal are sent to the distributed system.
  • The distributed system may first obtain the public key of the terminal according to the identifier of the terminal and verify the signature of the encrypted and signed data to be written with that public key. Only after the verification succeeds is the encrypted data to be written decrypted with the second temporary session key to obtain the first plaintext. Otherwise, data to be written that fails verification is deleted directly, to ensure that the data uploaded to the distributed system is all secure data.
  • In the step of obtaining the public key of the terminal, since the terminal public key was signed with the certificate of the distributed system, the signed terminal public key can be verified with the private key corresponding to the distributed system certificate.
  • Different session keys can be used for encryption and for digital signatures, so that each key serves one purpose.
  • Double-layer signing can also be performed. For example, after the terminal signs with the terminal private key, the terminal signs again using the distributed system public key. After the distributed system receives the data, it first verifies with the private key corresponding to the distributed system public key; after that verification succeeds, it verifies with the terminal public key, and finally decrypts with the second temporary session key, to further ensure data security.
  • The distributed system performs signature verification on the data sent by the terminal, which confirms the authorization of the terminal and ensures that the data was actually sent by the terminal and has not been tampered with, thereby ensuring the validity and authenticity of the data on the distributed system.
  • The security problem of uploading data in a system in which multiple terminals access a distributed system is thus effectively solved. After obtaining the data, an authorized reader of the data can obtain the certificate of the authorized terminal through the distributed system and verify the authenticity of the data, which solves the trust problem of the authorized organization.
  • The data processing method may further include a data reading step. The data reading step may include: receiving, through the pre-configured interface, the data to be read that the distributed system returns encrypted with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  • The foregoing embodiment mainly relates to uploading the data to be uploaded from the terminal to the distributed system. This embodiment mainly relates to the terminal reading the data to be read from the distributed system. The terminal may first send a data read request to the distributed system, where the data read request carries a terminal identifier, and the distributed system then performs key exchange with the terminal according to the key exchange protocol to obtain a second temporary session key and a first temporary session key. For the specific manner of obtaining the first temporary session key and the second temporary session key, refer to the foregoing; no further details are provided herein.
  • The distributed system encrypts the data to be read with the acquired second temporary session key and sends the encrypted data to be read to the corresponding terminal, so that the terminal can decrypt the data to be read with the corresponding temporary session key to obtain a second plaintext, which can then be processed.
  • The interface is configured in the authorization center in advance, and the ingress node deployed in the distributed system is not used, which greatly saves deployment cost. The interface is configured to the authorized terminal, so that the data sources of the distributed system become richer and access becomes simpler and more convenient, which greatly relieves the pressure on the access nodes of the distributed system and avoids the problem of all data being written through one access node.
  • Each terminal uses a unique identifier for the same data, which avoids duplication of incoming data.
  • Access through multiple channels is realized, thereby realizing the function of data sharing.
  • Each entrance is independent of the others, and the downtime of one entrance does not affect the work of other entrances.
  • The step of receiving, through the pre-configured interface, the data to be read that the distributed system returns encrypted with the second temporary session key may include: receiving, through the pre-configured interface, data to be read returned by the distributed system that has been signed with the terminal public key and encrypted with the second temporary session key. Therefore, before the step of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, the method further includes: verifying, with the terminal private key, the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  • The public key and the private key of the terminal may be configured in a pre-configuration phase, and the public key of the terminal is stored on the distributed system, so that when the terminal reads data from the distributed system, the distributed system may first encrypt the data to be read with the first temporary session key and then sign the data to be read with the terminal public key, to further ensure the security of the data to be read.
  • After the terminal receives the data to be read, the terminal obtains the private key of the terminal and verifies the encrypted and signed data to be read. After the verification succeeds, the data to be read is decrypted with the corresponding temporary session key to obtain a second plaintext, on which other processing can then be performed.
  • Different session keys can be used for encryption and for digital signatures, so that each key serves one purpose.
  • Double-layer signing can also be performed. For example, after signing with the terminal public key, the distributed system can sign again with the distributed system private key. After the terminal receives the data, it first verifies with the distributed system public key; after that verification succeeds, it verifies with the terminal private key, and finally decrypts with the first temporary session key, thereby further ensuring data security.
  • The accessed terminal can save the deployment cost by using the ingress node of the distributed system, and differentiated interface configurations can be provided for different terminals, so that the access modes are richer.
  • The data sources of the distributed system become richer, access becomes simpler and more convenient, and the pressure on the access server of the distributed system is greatly alleviated.
  • The problem of all data being written through one access port is avoided.
  • Organizations and enterprises use unique identifiers for the same data to avoid duplication of incoming data.
  • Access through multiple channels is realized, thereby realizing the function of data sharing.
  • Each entrance is independent of the others, and the downtime of one entrance does not affect the work of other entrances.
  • The data processing method may further include a pre-configuration step for moving the read and write permissions originally deployed in the read/write nodes of the distributed system down to the terminal, so that data can be uploaded directly to the distributed system after being processed by the terminal, and the terminal can obtain data directly from the distributed system. The accessed terminal can save the deployment cost without deploying the ingress node of the distributed system.
  • FIG. 3 is a flowchart of a pre-configuration step in an embodiment, where the pre-configuration step may include:
  • S302: Send a registration request to the distributed system, where the registration request carries a registration type and a terminal identifier.
  • If the terminal wants to exchange data directly with the distributed system, it needs to acquire the authorization of the distributed system, so the terminal sends a registration request to the distributed system. The registration request carries the terminal identifier to uniquely identify the terminal. The registration type is carried because some terminals are data storage type terminals and some terminals are accounting type terminals.
  • The configuration files differ for different terminals, and different interface configurations can be provided for different authorized terminals, which makes the access modes richer.
  • The distributed system may first determine the terminal according to the terminal identifier and then determine whether the terminal is a secure terminal. For example, the distributed system may pre-store the identifiers of secure terminals; when it receives a registration request from a terminal, it compares the terminal identifier with the pre-stored identifiers of secure terminals. Only if the comparison succeeds is the corresponding configuration file obtained according to the terminal identifier and the registration type.
  • S304: Receive a configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • The step of obtaining the corresponding configuration file according to the terminal identifier and the registration type may include obtaining the corresponding configuration file according to the registration type in the registration request, and then filling in the related information of the terminal, such as the terminal identifier, in the configuration file.
  • The registration type may include a data storage type and an accounting type.
  • The initialized interfaces in the configuration file include interfaces for data encryption, decryption, data ID obfuscation, and distributed system database query.
  • The accounting type needs to provide interfaces related to accounting reconciliation, such as homomorphic encryption and ring signature.
  • The configuration file can be sent to the corresponding terminal. To ensure the security of the configuration file and prevent it from being obtained by attackers during online transmission, the configuration file can be sent to the corresponding terminal by offline transmission.
  • The terminal configures itself according to the content of the configuration file.
  • The configuration file not only grants access rights to the authorized terminal but also includes other functions, such as encryption and decryption and private key/certificate management. It is equivalent to a written SDK module, which is loaded and run locally after being downloaded by the terminal; the authorized terminal calls the SDK, and the SDK accesses the read/write nodes of the distributed system.
  • These functions are relatively complicated, so they can be provided as a security module. Configuration can also be understood as configuring the security module, so that subsequent data upload and data reading are all handled uniformly by the security module.
  • The read/write permission originally deployed in the read/write nodes of the distributed system is placed on the terminal, so that data can be uploaded directly to the distributed system after being processed by the terminal, and the terminal can obtain data directly from the distributed system.
  • The accessing terminal does not need to deploy an ingress node of the distributed system, which greatly saves deployment cost.
  • The pre-configuration step may further include a step of generating the terminal's public-private key pair, which can be implemented in two ways. In the first, the public-private key pair is generated by the terminal, and the terminal submits the public key to the distributed system when registering. The distributed system has the certificate authority sign the terminal public key and stores the signed terminal public key in association with the terminal identifier, so that when the distributed system receives data signed with the terminal private key, it can verify the signature with the terminal public key.
  • In the second, the terminal submits the terminal information to the distributed system, and the distributed system generates the terminal's public and private keys according to the terminal information and returns the generated terminal private key to the terminal. Optionally, the terminal private key is returned to the terminal offline to ensure its security.
  • The first method may include: the terminal acquiring terminal information and generating, according to the terminal information, a terminal public key and a corresponding terminal private key; and sending the terminal public key to the distributed system.
  • The terminal information may include a terminal identifier and user information such as an account number and password. Based on the terminal information, the terminal public key may be generated with an open-source tool, or the terminal information may be sent to an authoritative certificate authority, which generates the terminal public key according to the terminal information and sends it to the terminal. The terminal uploads the generated terminal public key to the distributed system, so that the distributed system can verify data signed with the terminal private key by means of the terminal public key.
  • The step of receiving a configuration file generated by the distributed system according to the terminal identifier and the registration type includes: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • After the distributed system receives the terminal public key uploaded by the terminal, the terminal public key is signed by the certificate authority on the distributed system and stored in the distributed system, which prevents the terminal public key from being obtained by unauthorized parties. After storage is complete, the authorization certificate, that is, the configuration file generated according to the terminal identifier and the registration type, is issued to the terminal.
  • The second method may be that the terminal acquires the terminal information and sends it to the distributed system, and the distributed system generates the corresponding terminal public key according to the terminal information, where the terminal information may include the terminal identifier and user information.
  • The distributed system generates the terminal's keys according to the terminal information through its certificate authority, sends the terminal private key to the terminal for storage, and stores the terminal public key in association with the terminal identifier in the distributed system, so that the distributed system can verify data signed with the terminal private key by means of the terminal public key.
  • The terminal receives the terminal private key and the terminal public key corresponding to the terminal information, returned by the distributed system; the terminal private key and the terminal public key are generated by the distributed system according to the terminal information through the certificate authority.
  • The pre-configuration step may thus also generate the terminal's public-private key pair, so that when the terminal and the distributed system exchange data, not only is the temporary session key used for encryption, but the terminal public key is also used for signing, which further improves data security.
  • FIG. 4 is a sequence diagram of a data processing method in an embodiment.
  • In this embodiment, a terminal uploads data to a distributed system, and the terminal's public-private key pair is generated by the terminal.
  • The distributed system is a blockchain.
  • First, the terminal acquires the terminal information and generates the terminal public-private key pair according to it. Second, the terminal sends a registration request to the blockchain; the registration request carries the registration type, the terminal identifier, and the generated terminal public key. Third, after receiving the registration request, the blockchain signs the terminal public key through the blockchain's certificate authority, stores it on the blockchain, and generates a corresponding configuration file according to the registration type and the terminal identifier. Fourth, the blockchain delivers the configuration file to the terminal; this step can be performed offline. Fifth, the terminal configures itself according to the configuration file, for example by forming a corresponding security module.
  • Sixth, the terminal can obtain the authorization certificate from the blockchain, that is, the data can be encrypted to ensure data security. Seventh, the terminal, through the security module, exchanges with the blockchain according to the key exchange protocol to obtain a temporary session key. Eighth, the data to be uploaded is encrypted with the temporary session key and signed with the terminal private key. Ninth, the encrypted and signed data is sent to the blockchain through the security module.
  • The blockchain can then obtain the terminal public key according to the terminal identifier and verify the encrypted and signed data with the terminal public key. After successful verification, the encrypted data is decrypted with the temporary session key obtained by the key exchange to obtain the plaintext. After the plaintext is obtained, the data can, as needed, be encrypted with the public and private keys on the blockchain and stored on the blockchain to ensure the security of data on the blockchain.
  • The above data processing method pre-configures the interface in the authorization center, so nothing needs to be deployed at the ingress node of the blockchain, which greatly reduces deployment cost. By configuring the interface on authorized terminals, the data sources of the blockchain can be enriched and access becomes simpler and more convenient. This also greatly relieves the pressure on the blockchain's ingress node and avoids the problems of writing data through a single access node.
  • Although the steps in FIGS. 2-4 are displayed in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Except as explicitly stated herein, the execution of these steps is not strictly ordered, and the steps may be performed in other orders. Moreover, at least some of the steps in FIGS. 2-4 may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be executed at different times. These sub-steps or stages are not necessarily performed sequentially, but may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
  • A data processing apparatus is provided, including a key acquisition module 100, an encryption module 200, and a write module 300, wherein:
  • The key acquisition module 100 is configured to obtain a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface.
  • The encryption module 200 is configured to encrypt the data to be written with the first temporary session key.
  • The write module 300 is configured to send the encrypted data to be written to the distributed system through a pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key.
  • The second temporary session key corresponds to the first temporary session key.
  • The apparatus may further include:
  • A signing module, configured to sign the encrypted data to be written with the pre-deployed terminal private key after the data to be written has been encrypted with the first temporary session key.
  • The write module 300 is further configured to send the encrypted and signed data to be written to the distributed system through a pre-configured interface, so that after the distributed system successfully verifies the received data to be written with the terminal public key, it decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext; the terminal public key corresponds to the terminal private key.
  • The apparatus may further include:
  • A reading module, configured to receive, through a pre-configured interface, the data to be read that was encrypted with the second temporary session key and returned by the distributed system.
  • A decryption module, configured to decrypt the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  • The reading module is further configured to receive, through the pre-configured interface, the data to be read that was signed and encrypted with the terminal public key and the second temporary session key and returned by the distributed system.
  • The apparatus may further include a verification module, configured to: after the encrypted data to be read is decrypted with the first temporary session key to obtain the second plaintext, verify with the terminal private key the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  • The apparatus may further include:
  • A sending module, configured to send a registration request to the distributed system, where the registration request carries a registration type and a terminal identifier.
  • A receiving module, configured to receive a configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • A configuration module, configured to perform configuration according to the configuration file.
  • The apparatus may further include:
  • A first public-private key generating module, configured to acquire terminal information and generate, according to the terminal information, a terminal public key and a corresponding terminal private key.
  • The sending module is further configured to send the terminal public key to the distributed system.
  • The receiving module is further configured to receive the configuration file generated by the distributed system according to the terminal identifier and the registration type after the distributed system has successfully signed the terminal public key through the certificate authority.
  • The sending module is further configured to acquire terminal information and send the terminal information to the distributed system.
  • The receiving module is further configured to receive the terminal private key and the terminal public key corresponding to the terminal information, returned by the distributed system; the terminal private key and the terminal public key are generated by the distributed system according to the terminal information through the certificate authority.
  • The modules in the data processing apparatus described above may be implemented in whole or in part by software, hardware, or a combination thereof. Each of the above modules may be embedded in or independent of the processor of the computer device in hardware form, or may be stored in the memory of the computer device in software form, so that the processor can call it to perform the operations corresponding to the module.
  • A computer device is provided, which may be a terminal; its internal structure may be as shown in FIG. 6.
  • The computer device includes a processor, memory, network interface, display screen, and input device connected by a system bus.
  • The processor of the computer device provides computing and control capabilities.
  • The memory of the computer device includes a non-volatile storage medium and an internal memory.
  • The non-volatile storage medium stores an operating system and computer readable instructions.
  • The internal memory provides an environment for running the operating system and the computer readable instructions in the non-volatile storage medium.
  • The network interface of the computer device is used to communicate with an external terminal via a network connection.
  • The computer readable instructions are executed by the processor to implement a data processing method.
  • The display screen of the computer device may be a liquid crystal display or an electronic ink display screen.
  • The input device of the computer device may be a touch layer covering the display screen, a button, trackball or touchpad provided on the casing of the computer device, or an external keyboard, trackpad or mouse.
  • FIG. 6 is only a block diagram of part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied.
  • A specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
  • A computer device comprising a memory and one or more processors, the memory storing computer readable instructions that, when executed by the processor, cause the one or more processors to perform the steps of: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting the data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • The steps may further include: signing the encrypted data to be written with the pre-deployed terminal private key. The step, implemented when the processor executes the computer readable instructions, of sending the encrypted data to be written to the distributed system through a pre-configured interface so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext may include: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that after the distributed system successfully verifies the received data to be written with the terminal public key, it decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
  • When executing the computer readable instructions, the processor further implements the steps of: receiving, through the pre-configured interface, the data to be read that was encrypted with the second temporary session key and returned by the distributed system; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  • The step, implemented when the processor executes the computer readable instructions, of receiving through the pre-configured interface the data to be read that was encrypted with the second temporary session key and returned by the distributed system may include: receiving, through the pre-configured interface, the data to be read that was signed and encrypted with the terminal public key and the second temporary session key and returned by the distributed system. Before the step, implemented when the processor executes the computer readable instructions, of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, the steps further include: verifying, with the terminal private key, the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  • When executing the computer readable instructions, the processor further implements the steps of: sending a registration request to the distributed system, the registration request carrying the registration type and the terminal identifier; receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type; and performing configuration according to the configuration file.
  • The processor further implements the steps of: acquiring terminal information and generating, according to the terminal information, a terminal public key and a corresponding terminal private key; and sending the terminal public key to the distributed system.
  • The step, implemented when the processor executes the computer readable instructions, of receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type may include: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • When executing the computer readable instructions, the processor further implements the steps of: acquiring terminal information and sending the terminal information to the distributed system; and receiving the terminal private key and the terminal public key corresponding to the terminal information, returned by the distributed system, the terminal private key and the terminal public key being generated by the distributed system according to the terminal information through the certificate authority.
  • One or more non-transitory computer readable storage media storing computer readable instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting the data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  • The steps may further include: signing the encrypted data to be written with the pre-deployed terminal private key. The step, implemented when the computer readable instructions are executed by the processor, of sending the encrypted data to be written to the distributed system through a pre-configured interface so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext may include: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that after the distributed system successfully verifies the received data to be written with the terminal public key, it decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
  • When executed by the processor, the computer readable instructions further implement the steps of: receiving, through the pre-configured interface, the data to be read that was encrypted with the second temporary session key and returned by the distributed system; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  • The step, implemented when the computer readable instructions are executed by the processor, of receiving through the pre-configured interface the data to be read that was encrypted with the second temporary session key and returned by the distributed system may include: receiving, through the pre-configured interface, the data to be read that was signed and encrypted with the terminal public key and the second temporary session key and returned by the distributed system. Before the step, implemented when the computer readable instructions are executed by the processor, of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, the steps may further include: verifying, with the terminal private key, the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  • When executed by the processor, the computer readable instructions further implement the steps of: sending a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier; receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type; and performing configuration according to the configuration file.
  • When executed by the processor, the computer readable instructions further implement the steps of: acquiring terminal information and generating, according to the terminal information, a terminal public key and a corresponding terminal private key; and sending the terminal public key to the distributed system.
  • The step, implemented when the computer readable instructions are executed by the processor, of receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type may include: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
  • When executed by the processor, the computer readable instructions further implement the steps of: acquiring terminal information and sending the terminal information to the distributed system; and receiving the terminal private key and the terminal public key corresponding to the terminal information, returned by the distributed system, the terminal private key and the terminal public key being generated by the distributed system according to the terminal information through the certificate authority.
  • Non-volatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory can include random access memory (RAM) or external cache memory.
  • RAM is available in a variety of forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
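
The FIG. 4 upload sequence described above (register the terminal public key under the terminal identifier, exchange a temporary session key, encrypt, sign, then verify and decrypt on the distributed-system side), as an added Go example that is not code from the patent. The patent names no algorithms: X25519, AES-256-GCM, Ed25519, the label-hash key derivation (a deployment would use a KDF such as HKDF), the `Envelope` layout and the identifier `terminal-001` are all assumptions made for this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is the encrypted and signed record a terminal uploads (assumed layout).
type Envelope struct {
	TerminalID                   string
	Nonce, Ciphertext, Signature []byte
}

// Ledger stands in for the distributed system: terminal identifier -> public key.
type Ledger map[string]ed25519.PublicKey

// session turns an X25519 shared secret into an AES-256-GCM session cipher.
func session(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("temporary-session-key"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signed is what the terminal signs: length-prefixed identifier (< 256 bytes), nonce, ciphertext.
func signed(e Envelope) []byte {
	msg := append([]byte{byte(len(e.TerminalID))}, e.TerminalID...)
	return append(append(msg, e.Nonce...), e.Ciphertext...)
}

// Seal is the terminal side: encrypt with the first session key, then sign.
func Seal(id string, sk ed25519.PrivateKey, first cipher.AEAD, data []byte) (Envelope, error) {
	e := Envelope{TerminalID: id, Nonce: make([]byte, first.NonceSize())}
	if _, err := rand.Read(e.Nonce); err != nil {
		return Envelope{}, err
	}
	e.Ciphertext = first.Seal(nil, e.Nonce, data, []byte(id))
	e.Signature = ed25519.Sign(sk, signed(e))
	return e, nil
}

// Open is the system side: look up the key by identifier, verify, only then decrypt.
func (l Ledger) Open(e Envelope, second cipher.AEAD) ([]byte, error) {
	pub, ok := l[e.TerminalID]
	if !ok || len(e.Nonce) != second.NonceSize() || !ed25519.Verify(pub, signed(e), e.Signature) {
		return nil, fmt.Errorf("envelope rejected: unknown terminal or bad signature")
	}
	return second.Open(nil, e.Nonce, e.Ciphertext, []byte(e.TerminalID))
}

// RunExchange registers a terminal, exchanges keys and uploads one record; mutate may alter it in transit.
func RunExchange(data []byte, mutate func(*Envelope)) ([]byte, error) {
	const id = "terminal-001" // constructed identifier
	pub, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ledger := Ledger{id: pub} // registration: public key stored under the identifier
	t, err := ecdh.X25519().GenerateKey(rand.Reader) // terminal's ephemeral key
	if err != nil {
		return nil, err
	}
	s, err := ecdh.X25519().GenerateKey(rand.Reader) // system's ephemeral key
	if err != nil {
		return nil, err
	}
	first, err := session(t, s.PublicKey()) // first temporary session key
	if err != nil {
		return nil, err
	}
	second, err := session(s, t.PublicKey()) // second temporary session key
	if err != nil {
		return nil, err
	}
	env, err := Seal(id, sk, first, data)
	if err != nil {
		return nil, err
	}
	if mutate != nil {
		mutate(&env)
	}
	return ledger.Open(env, second)
}

func main() {
	out, err := RunExchange([]byte("record to write"), nil)
	fmt.Printf("%q %v\n", out, err)
}
```

Because the signature is checked before decryption and the terminal identifier is bound into both the signed bytes and the AEAD associated data, a record altered in transit or relabelled with another identifier is rejected without the session key ever being applied to it.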


Abstract

A data processing method, comprising: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, thereby enabling the distributed system to decrypt the encrypted data to be written with a second temporary session key so as to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.

Description

Data processing method, device, computer device and storage medium
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 201810030994X, filed with the Chinese Patent Office on January 12, 2018 and entitled "Data processing method, device, computer device and storage medium", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to a data processing method, apparatus, computer device, and storage medium.
Background
A distributed database is used by multiple institutions that jointly write data into it. Typically, the nodes that join a distributed system provide read and write interfaces.
In existing distributed systems, data reads and writes are initiated and controlled by the institution that interfaces with the distributed system. In a write operation, the interfacing institution initiates a request to store data in the distributed system; the data is written to the distributed system through the write interface that the distributed system provides and is synchronized to the other nodes in the distributed system. In a read operation, the accessing institution reads data from the distributed system through the read interface that the distributed system provides and uses it.
The inventors therefore realized that all data to be stored in a distributed system must pass through the read/write interface provided by the distributed system, which causes problems such as concentration of permissions and performance bottlenecks. In addition, once this one read/write interface fails, there is a risk that data cannot be written to the distributed system. When the amount of data to be written is large, problems such as write delays and data loss also arise.
Summary
According to various embodiments disclosed in the present application, a data processing method, apparatus, computer device, and storage medium are provided.
A data processing method, comprising:
obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface;
encrypting data to be written with the first temporary session key; and
sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
A data processing apparatus, comprising:
a key acquisition module, configured to obtain a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface;
an encryption module, configured to encrypt data to be written with the first temporary session key; and
a write module, configured to send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
A computer device, comprising a memory and one or more processors, the memory storing computer readable instructions that, when executed by the processor, cause the one or more processors to perform the steps of: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
One or more non-volatile computer readable storage media storing computer readable instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
Details of one or more embodiments of the present application are set forth in the accompanying drawings and the description below. Other features and advantages of the present application will become apparent from the description, the drawings, and the claims.
附图说明DRAWINGS
为了更清楚地说明本申请实施例中的技术方案,下面将对实施例中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其它的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings to be used in the embodiments will be briefly described below. Obviously, the drawings in the following description are only some embodiments of the present application, Those skilled in the art can also obtain other drawings based on these drawings without any creative work.
图1为根据一个或多个实施例中数据处理方法的应用场景图。1 is an application scenario diagram of a data processing method in accordance with one or more embodiments.
图2为根据一个或多个实施例中数据处理方法的流程示意图。2 is a flow diagram of a data processing method in accordance with one or more embodiments.
图3为根据一个或多个实施例中的预先配置步骤的流程图。FIG. 3 is a flow diagram of pre-configured steps in accordance with one or more embodiments.
图4为根据一个或多个实施例中的数据处理方法的时序图。4 is a timing diagram of a data processing method in accordance with one or more embodiments.
FIG. 5 is a block diagram of a data processing apparatus according to one or more embodiments.
FIG. 6 is a block diagram of a computer device according to one or more embodiments.
Detailed Description
To make the technical solutions and advantages of the present application clearer, the application is described in further detail below with reference to the drawings and embodiments. The specific embodiments described here are only intended to explain the application, not to limit it.
The data processing method provided by the present application can be applied in the application environment shown in FIG. 1. The terminal is connected to the distributed system through a network. By configuring the terminal in advance, the distributed system delegates to the terminal the read and write permissions originally deployed at the read/write nodes of the distributed system, so that data to be written can be uploaded through the terminal to any node of the distributed system. For example, the terminal may be configured through a configuration file, which may be an integrated SDK (Software Development Kit). Configuring the terminal's interfaces and the like forms a security module on the terminal, and this security module holds the access rights to the distributed system together with management of the encryption and decryption keys, of the terminal private key and of the authorization certificate, among others. Through the security module, the terminal obtains a first temporary session key by exchange with the distributed system according to a key exchange protocol, encrypts the data to be written with the first temporary session key, and sends the encrypted data to be written to the distributed system through the pre-configured interface to write the data. Data is read in a corresponding way: the security module sends a data read request to the distributed system, then receives through the pre-configured interface the data to be read that the distributed system returns encrypted with the second temporary session key, and decrypts the encrypted data to be read with the first temporary session key to obtain a second plaintext. The terminal 102 may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer or portable wearable device.
In one embodiment, as shown in FIG. 2, a data processing method is provided. The method is described as applied to the terminal in FIG. 1 and includes the following steps:
S202: Obtain a first temporary session key by exchange with the distributed system according to a key exchange protocol through a pre-configured interface.
The distributed system may be a blockchain or another distributed system; no specific limitation is imposed here.
Specifically, the pre-configured interface is obtained by the terminal registering with the distributed system. For example, the terminal sends a registration request to the distributed system, and the distributed system determines whether the terminal is a secure terminal. If it is, the distributed system can authorize the terminal, for example by sending the corresponding configuration file to configure the terminal's target interface. In other words, pre-configuration delegates to the terminal the read and write permissions originally deployed at the read/write nodes of the distributed system, so that data to be uploaded can be processed by the terminal and then uploaded to any node of the distributed system. The distributed system no longer needs to deploy a large number of read/write nodes, which greatly reduces cost. The deployment may take the form of a security module on the terminal: for example, once the configured SDK has been downloaded to the terminal, loaded and run, the SDK uniformly manages the interfaces that interact with the distributed system.
Different temporary session keys may be used for different types of data as needed. For example, the temporary session key may differ for every data interaction between the terminal and the distributed system, so that even if a malicious party obtains one temporary session key, it cannot predict the key of the next data interaction and therefore cannot obtain the plaintext data.
Specifically, the terminal and the authorized terminals may store shared curve parameters. For example, a first terminal stores a first shared curve parameter and a second terminal stores a second shared curve parameter, while the distributed system stores all of the shared curve parameters. Each shared curve parameter includes an elliptic curve E, an order N and a base point G. Obtaining the first temporary session key by exchange with the distributed system according to the key exchange protocol through the pre-configured interface may specifically include: sending a key exchange request to the distributed system through the pre-configured interface; receiving a first key code returned by the distributed system in response to the key exchange request; and generating the first temporary session key from the first key code. For the second temporary session key, the terminal generates a second random number, generates a second key code from the second random number and sends the second key code to the distributed system, and the distributed system generates the second temporary session key from the second key code and the first random number generated by the distributed system.
The generation of the first temporary session key and the second temporary session key is described in detail below. The terminal sends a key exchange request to the distributed system; the request carries the terminal identifier, which uniquely identifies the terminal, and the terminal generates the second random number b. On receiving the key exchange request, the distributed system obtains the base point G corresponding to the terminal and generates the first random number a. The distributed system generates the first key code A = a*G from the base point G and the first random number, and sends the first key code to the terminal. The terminal generates the second key code B = b*G from its stored base point G and the second random number, and sends the second key code to the distributed system. The distributed system computes the second temporary session key Q = a*B from the second key code and the first random number, and the terminal computes the first temporary session key Q' = b*A from the first key code and the second random number. By the commutative and associative laws, Q = Q': Q = a*B = a*b*G = b*a*G = b*A = Q'. The transmission of A can be public, that is, an attacker can obtain A. Because the elliptic curve discrete logarithm problem is hard, the attacker cannot compute a from A and G. The two parties can therefore negotiate a key without sharing any secret in advance, which protects the data to be written.
S204: Encrypt the data to be written with the first temporary session key.
Specifically, after the terminal and the distributed system have computed the temporary session keys, the terminal can encrypt the data to be written with the first temporary session key, which protects the data to be written. Further, so that the distributed system knows which terminal sent the data to be written, the terminal identifier can be sent to the distributed system together with the encrypted data to be written. The terminal identifier uniquely identifies the terminal and may be, for example, the terminal's MAC address.
S206: Send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the second temporary session key corresponding to the first temporary session key.
Specifically, once the data has been encrypted, the encrypted data to be written is sent to the distributed system through the pre-configured interface. On receiving it, the distributed system retrieves the second temporary session key it has just computed and decrypts the encrypted data to be written with that key to obtain the plaintext. Preferably, when multiple terminals send data to be written to the distributed system at the same time, the distributed system first looks up the computed second temporary session key by the terminal identifier. For example, when the distributed system computes the second temporary session key, it first stores the key in association with the corresponding terminal identifier, so that it can later retrieve the key by terminal identifier and decrypt the encrypted data to be uploaded with it to obtain the first plaintext.
After the distributed system obtains the first plaintext, it may also encrypt the data for storage according to the data encryption scheme used on the distributed system, to protect the data on the distributed system.
In the above data processing method, the interface is configured in advance at the authorization center, and no ingress node of the distributed system needs to be deployed, which greatly reduces deployment cost. Configuring interfaces on authorized terminals enriches the data sources of the distributed system, makes access simpler and more convenient, greatly relieves the load on the access nodes of the distributed system, and avoids the problems that come with having a single access node write the data.
In one embodiment, after the step of encrypting the data to be written with the first temporary session key, that is, after step S204, the method further includes signing the encrypted data to be written with a pre-deployed terminal private key. Accordingly, the step of sending the encrypted data to be written to the distributed system through the pre-configured interface so that the distributed system decrypts it with the second temporary session key to obtain the first plaintext, that is, step S206, may include: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the signature on the received data to be written with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
Specifically, to further secure data transmission between the terminal and the distributed system, a terminal public/private key pair may be deployed in advance. All data sent by the terminal to the distributed system is signed with the terminal private key, so that the distributed system can verify the signature with the corresponding terminal public key, further securing data transmission.
The pre-deployed terminal public/private key pair may be generated by the terminal. In that case, at registration the terminal submits the public key it generated to the distributed system; the distributed system has its certificate authority sign the terminal public key, stores it on the distributed system, and returns an authorization certificate to the terminal to indicate that registration succeeded. In another embodiment, the terminal's public/private key pair may be generated by the distributed system: the distributed system generates the key pair from the terminal information and returns the terminal private key to the terminal. To protect the terminal private key, this may be done offline.
Specifically, after the terminal has encrypted the data to be written with the first temporary session key, it may also sign the encrypted data to be written with the pre-deployed terminal private key, and then send the encrypted and signed data to be written together with the terminal identifier to the distributed system. On receiving the data, the distributed system first obtains the terminal public key by the terminal identifier and verifies the signature on the encrypted and signed data to be written with the terminal public key. Only after verification succeeds does it decrypt the encrypted data to be written with the second temporary session key to obtain the first plaintext; otherwise it directly deletes the data to be written that failed verification, so that all data uploaded to the distributed system is secure data. The step of obtaining the terminal public key may be as follows: the signing was performed with the certificate of the distributed system, so the signed terminal public key may first be verified with the private key corresponding to the distributed system certificate to obtain the terminal public key. Preferably, different session keys are used for encryption and for digital signatures, so that each key serves one purpose. To ensure the reliability of the data, double signing may be used. For example, after signing with the terminal private key, the terminal signs again with the distributed system public key; on receiving the data, the distributed system first verifies with the private key corresponding to the distributed system public key, then, after that verification succeeds, verifies with the terminal public key, and finally decrypts with the second temporary session key, further securing the data.
In the above embodiment, the distributed system verifies the signature on the data sent by the terminal and confirms the terminal's authorization, ensuring that the data was indeed sent by that terminal and has not been tampered with. This guarantees the validity and authenticity of the data on the distributed system. The scheme effectively solves the security problem of uploaded data in a system where multiple terminals access a distributed system. After obtaining data, an authorized reader of the data can obtain the certificate of a given authorized terminal from the distributed system and verify the authenticity of the data, which solves the problem of trust in the authorizing institution.
In one embodiment, the data processing method may further include a data reading step, which may include: receiving through the pre-configured interface the data to be read that the distributed system returns encrypted with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
Specifically, the embodiments above mainly concern uploading the terminal's data to the distributed system, whereas this embodiment mainly concerns the terminal reading data from the distributed system. The terminal may first send a data read request carrying the terminal identifier to the distributed system. The distributed system then performs a key exchange with the terminal according to the key exchange protocol to obtain the second temporary session key and the first temporary session key; the specific way these keys are obtained is described above and is not repeated here. The distributed system encrypts the data to be read with the second temporary session key it obtained and sends the encrypted data to be read to the corresponding terminal. The terminal can then decrypt the data to be read with the first temporary session key, which corresponds to the second temporary session key, to obtain the second plaintext, and can go on to process the second plaintext.
In the above embodiment, the interface is configured in advance at the authorization center, and no ingress node of the distributed system needs to be deployed, which greatly reduces deployment cost. Configuring interfaces on authorized terminals enriches the data sources of the distributed system, makes access simpler and more convenient, greatly relieves the load on the access nodes of the distributed system, and avoids the problems that come with having a single access node write the data. In addition, each terminal uses a unique identifier for the same data, which avoids duplication of on-chain data. Access through multiple channels is achieved, enabling data sharing. Moreover, the entry points are independent of one another, so the failure of one entry point does not affect the operation of the others.
In one embodiment, the step of receiving through the pre-configured interface the data to be read that the distributed system returns encrypted with the second temporary session key may include: receiving through the pre-configured interface the data to be read that the distributed system returns signed with the terminal public key and encrypted with the second temporary session key. Accordingly, before the step of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, the method may further include: verifying, with the terminal private key, the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
Specifically, the terminal's public key and private key may be configured in the pre-configuration phase, with the terminal's public key stored on the distributed system. When the terminal reads data from the distributed system, the distributed system can first encrypt the data to be read with the second temporary session key and then sign it with the terminal public key to further protect the data to be read. On receiving the data to be read, the terminal first retrieves the terminal private key and verifies the encrypted and signed data to be read. Only after verification succeeds does it decrypt the data to be read with the first temporary session key to obtain the second plaintext, which it can then process further. Different session keys may be used for encryption and for digital signatures, so that each key serves one purpose. To ensure the reliability of the data, double signing may be used. For example, after signing with the terminal public key, the distributed system may sign again with the distributed system private key; on receiving the data, the terminal first verifies with the distributed system public key, then, after that verification succeeds, verifies with the terminal private key, and finally decrypts with the first temporary session key, further securing the data.
In this embodiment, the accessing terminal does not need to deploy an ingress node of the distributed system, which greatly reduces deployment cost. Differentiated interface configurations can also be provided according to the characteristics of different terminals, making the means of access more varied. Such a system enriches the data sources of the distributed system, makes access simpler and more convenient, and greatly relieves the load on the access servers of the distributed system. It avoids the problems that come with having a single entry point write the data. In addition, institutions and enterprises use a unique identifier for the same data, which avoids duplication of on-chain data. Access through multiple channels is achieved, enabling data sharing. Moreover, the entry points are independent of one another, so the failure of one entry point does not affect the operation of the others.
In one embodiment, the data processing method may further include a pre-configuration step. Its purpose is to delegate to the terminal the read and write permissions originally deployed at the read/write nodes of the distributed system, so that data can be processed by the terminal and uploaded directly to the distributed system, and the terminal can obtain data directly from the distributed system. The accessing terminal does not need to deploy an ingress node of the distributed system, which greatly reduces deployment cost.
Referring to FIG. 3, which is a flowchart of the pre-configuration step in one embodiment, the pre-configuration step may include:
S302: Send a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier.
Specifically, when a terminal wants to exchange data directly with the distributed system, it needs to obtain authorization from the distributed system. The terminal therefore sends a registration request to the distributed system. The registration request carries the terminal identifier, which uniquely identifies the terminal. The registration type is needed because some terminals are data storage type terminals and some are accounting type terminals, and the configuration file differs between them. Differentiated interface configurations can thus be provided according to the characteristics of different authorized terminals, making the means of access more varied.
On receiving the terminal's registration request, the distributed system can first identify the terminal by the terminal identifier and then determine whether the terminal is a secure terminal. For example, the distributed system may store the identifiers of secure terminals in advance; when it receives a terminal's registration request, it first compares the identifier against the stored identifiers of secure terminals, and only if the comparison succeeds does it go on to obtain the corresponding configuration file according to the terminal identifier and the registration type.
S304: Receive the configuration file generated by the distributed system according to the terminal identifier and the registration type.
Specifically, the step of obtaining the corresponding configuration file according to the terminal identifier and the registration type may include obtaining the corresponding configuration file according to the registration type in the registration request and then filling the terminal's information, such as the terminal identifier, into that configuration file. The registration type may include a data storage type, an accounting type and so on. For the data storage type, the interfaces initialized in the configuration file include data encryption, decryption, data ID obfuscation and distributed system database query interfaces. The accounting type needs interfaces related to ledger bookkeeping and reconciliation, such as homomorphic encryption and ring signatures. After the distributed system generates the corresponding configuration file, it can send the file to the corresponding terminal. To protect the configuration file and prevent it from being obtained by malicious parties during online transmission, the configuration file can be delivered to the corresponding terminal offline.
S306: Perform configuration according to the configuration file.
Specifically, after obtaining the configuration file, the terminal configures itself according to the contents of the file. The configuration file is more than the access permission of the authorized terminal; it also includes other functions such as encryption and decryption and private key/certificate management. It amounts to a ready-written SDK module that the terminal downloads, loads and runs locally. The authorized terminal in effect calls the SDK, and the SDK uniformly handles access to the read/write nodes of the distributed system. Because these functions are fairly complex, they can be provided as a security module, and configuration can be understood as configuring the security module, so that all subsequent data uploads and data reads are handled uniformly by the security module.
In the above embodiment, the read and write permissions originally deployed at the read/write nodes of the distributed system are delegated to the terminal, so that data can be processed by the terminal and uploaded directly to the distributed system, and the terminal can obtain data directly from the distributed system. The accessing terminal does not need to deploy an ingress node of the distributed system, which greatly reduces deployment cost.
In one embodiment, the pre-configuration step may further include a step of generating the terminal public/private key pair, which can be implemented in two ways. In the first, the terminal generates the public/private key pair and, at registration, submits the public key to the certificate authority of the distributed system; the certificate authority signs the terminal public key, and the signed terminal public key is stored on the distributed system in association with the terminal identifier, so that the distributed system can verify data signed with the terminal private key using the terminal public key. In the second, the terminal submits terminal information to the distributed system, and the distributed system generates the terminal's public/private key pair from the terminal information and returns the generated terminal private key to the terminal. Optionally, the terminal private key is returned to the terminal offline to protect it.
The two ways are described in detail below. The first way may include: the terminal acquires terminal information and generates, according to the terminal information, a terminal public key and a terminal private key corresponding to the terminal public key; and the terminal sends the terminal public key to the distributed system. The terminal information may include a terminal identifier and user information, such as an account and a password. According to the terminal information, the terminal's public-private key pair may be generated with an open source tool, or the terminal information may be sent to an authoritative certificate authority, which generates the terminal's public-private key pair according to the terminal information and issues it to the terminal. The terminal uploads the generated terminal public key to the distributed system, so that when the distributed system receives data signed with the terminal private key it can verify the signature with the terminal public key. Specifically, the step of receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type includes: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type. After the distributed system receives the terminal public key uploaded by the terminal, the certificate authority on the distributed system signs the terminal public key so that it can be stored on the distributed system, which prevents the terminal public key from being obtained by unauthorized parties. After storage is complete, an authorization certificate, that is, the configuration file generated according to the terminal identifier and the registration type, is issued to the terminal.
In the second way, the terminal acquires terminal information and sends it to the distributed system, and the distributed system generates the corresponding terminal public-private key pair according to the terminal information. The terminal information may include a terminal identifier and user information, such as an account and a password. The distributed system generates the terminal's public-private key pair according to the terminal information through the certificate authority of the distributed system and sends the terminal private key to the terminal for storage, while the terminal public key is stored on the distributed system in association with the terminal identifier, so that when the distributed system receives data signed with the terminal private key it can verify the signature with the terminal public key. The terminal receives the terminal private key and the terminal public key corresponding to the terminal information returned by the distributed system; the terminal private key and the terminal public key are generated by the distributed system through the certificate authority according to the terminal information.
In the above embodiment, the pre-configuration step may also generate the terminal's public-private key pair, so that when the terminal and the distributed system transmit data, the data is not only encrypted with the temporary session key but also signed with the terminal's key pair, which further improves data security.
Referring to FIG. 4, FIG. 4 is a sequence diagram of the data processing method in an embodiment. This embodiment is described with the terminal uploading data to the distributed system and with the terminal's public-private key pair generated by the terminal. In this embodiment, the distributed system is a blockchain.
First, the terminal acquires terminal information and generates the terminal's public-private key pair according to the terminal information. Second, the terminal sends a registration request to the blockchain; the registration request carries the registration type, the terminal identifier, and the generated terminal public key. Third, after receiving the registration request, the blockchain signs the terminal public key through the blockchain's certificate authority, stores it on the blockchain, and generates a corresponding configuration file according to the registration type and the terminal identifier. Fourth, the blockchain delivers the configuration file to the terminal; this step may be performed offline. Fifth, the terminal configures itself according to the configuration file, for example by forming the corresponding security module. Sixth, after configuration is complete, the terminal can obtain the authorization certificate from the blockchain, that is, it can encrypt data to ensure data security. Seventh, the terminal, through the security module, exchanges with the blockchain according to the key exchange protocol to obtain a temporary session key. Eighth, the terminal encrypts the data to be uploaded with the temporary session key and signs the data with the terminal private key. Ninth, the terminal sends the encrypted and signed data to the blockchain through the security module. Tenth, after receiving the encrypted and signed data, the blockchain obtains the terminal public key according to the terminal identifier and verifies the signature on the encrypted and signed data with the terminal public key; after the signature is verified successfully, it decrypts the encrypted data with the temporary session key obtained through the key exchange protocol to obtain the plaintext. After obtaining the plaintext, the blockchain may also, as needed, encrypt the data with the public-private key pair on the blockchain and store it on the blockchain, to ensure the security of the data on the blockchain.
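Steps seven to ten of the sequence above, as an added Go example that is not code from the patent. The patent names no algorithms, so X25519, the SHA-256 key derivation, AES-256-GCM and Ed25519 are assumptions, as are the `Envelope` layout, every function name and the `terminal-001` identifier.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the upload sent by the terminal's security module (hypothetical wire format).
type Envelope struct {
	TerminalID        string
	Nonce, Ciphertext []byte // AES-256-GCM, with TerminalID bound as associated data
	Signature         []byte // Ed25519 over TerminalID, Nonce and Ciphertext
}

// sessionAEAD derives one side's temporary session key from its ephemeral private key and
// the peer's ephemeral public key. A single SHA-256 keeps this short; HKDF is the usual KDF.
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, transcript []byte) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(secret, transcript...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedBytes is the byte string covered by the terminal's signature.
func signedBytes(e *Envelope) []byte {
	return append(append(append([]byte(e.TerminalID), 0), e.Nonce...), e.Ciphertext...)
}

// Seal is the terminal side: encrypt with the first temporary session key,
// then sign the encrypted data with the terminal private key.
func Seal(id string, aead cipher.AEAD, signer ed25519.PrivateKey, plaintext []byte) (*Envelope, error) {
	env := &Envelope{TerminalID: id, Nonce: make([]byte, aead.NonceSize())}
	if _, err := rand.Read(env.Nonce); err != nil {
		return nil, err
	}
	env.Ciphertext = aead.Seal(nil, env.Nonce, plaintext, []byte(id))
	env.Signature = ed25519.Sign(signer, signedBytes(env))
	return env, nil
}

// Open is the distributed-system side. reg stands in for the terminal public keys stored at
// registration, keyed by terminal identifier. Verification comes first, decryption second.
func Open(reg map[string]ed25519.PublicKey, aead cipher.AEAD, env *Envelope) ([]byte, error) {
	pub, ok := reg[env.TerminalID]
	if !ok {
		return nil, errors.New("unknown terminal identifier")
	}
	if !ed25519.Verify(pub, signedBytes(env), env.Signature) {
		return nil, errors.New("signature check failed")
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.TerminalID))
}

// Demo runs one upload end to end with constructed values. It returns the plaintext
// recovered by the node and whether a copy with one flipped bit was rejected.
func Demo(plaintext []byte) ([]byte, bool, error) {
	termPub, termPriv, e1 := ed25519.GenerateKey(rand.Reader) // long-term terminal key pair
	tEph, e2 := ecdh.X25519().GenerateKey(rand.Reader)        // terminal's ephemeral key
	nEph, e3 := ecdh.X25519().GenerateKey(rand.Reader)        // node's ephemeral key
	if err := errors.Join(e1, e2, e3); err != nil {
		return nil, false, err
	}
	transcript := append(tEph.PublicKey().Bytes(), nEph.PublicKey().Bytes()...)
	first, e1 := sessionAEAD(tEph, nEph.PublicKey(), transcript)  // first temporary session key
	second, e2 := sessionAEAD(nEph, tEph.PublicKey(), transcript) // second temporary session key
	if err := errors.Join(e1, e2); err != nil {
		return nil, false, err
	}
	reg := map[string]ed25519.PublicKey{"terminal-001": termPub}
	env, err := Seal("terminal-001", first, termPriv, plaintext)
	if err != nil {
		return nil, false, err
	}
	got, err := Open(reg, second, env)
	env.Ciphertext[0] ^= 1 // constructed tampering: flip one bit after signing
	_, tamperErr := Open(reg, second, env)
	return got, tamperErr != nil, err
}

func main() {
	got, rejected, err := Demo([]byte("constructed sample record"))
	fmt.Printf("recovered=%q tamper_rejected=%v err=%v\n", got, rejected, err)
}
```

Because the terminal identifier is covered by the signature and also passed as AEAD associated data, an envelope relabelled with another registered identifier fails verification under that terminal's public key.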
In the above data processing method, the interface is configured in advance at the authorization center, and no ingress node needs to be deployed on the blockchain, which greatly reduces deployment cost. Configuring the interface for authorized terminals enriches the sources of data in the blockchain and makes access simpler and more convenient. It also greatly relieves the pressure on the blockchain's access node and avoids the problems associated with having a single access node write the data.
It should be understood that although the steps in the flowcharts of FIGS. 2-4 are displayed in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict ordering restriction on the execution of these steps, and they may be performed in other orders. Moreover, at least some of the steps in FIGS. 2-4 may include multiple sub-steps or stages. These sub-steps or stages are not necessarily completed at the same moment but may be executed at different moments, and they are not necessarily performed sequentially but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 5, a data processing apparatus is provided, including a key acquisition module 100, an encryption module 200, and a writing module 300, wherein:
The key acquisition module 100 is configured to obtain a first temporary session key by exchanging with the distributed system according to a key exchange protocol through a pre-configured interface.
The encryption module 200 is configured to encrypt the data to be written with the first temporary session key.
The writing module 300 is configured to send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
In one embodiment, the apparatus may further include:
A signing module, configured to sign the encrypted data to be written with a pre-deployed terminal private key after the data to be written has been encrypted with the first temporary session key.
The writing module 300 is further configured to send the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the signature on the received data to be written with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
In one embodiment, the apparatus may further include:
A reading module, configured to receive, through the pre-configured interface, data to be read that is returned by the distributed system and encrypted with the second temporary session key.
A decryption module, configured to decrypt the encrypted data to be read with the first temporary session key to obtain a second plaintext.
In one embodiment, the reading module is further configured to receive, through the pre-configured interface, data to be read that is returned by the distributed system and has been signed with the terminal public key and encrypted with the second temporary session key.
The apparatus may further include a signature verification module, configured to, before the encrypted data to be read is decrypted with the first temporary session key to obtain the second plaintext, verify with the terminal private key the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
In one embodiment, the apparatus may further include:
A sending module, configured to send a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier.
A receiving module, configured to receive a configuration file generated by the distributed system according to the terminal identifier and the registration type.
A configuration module, configured to perform configuration according to the configuration file.
In one embodiment, the apparatus may further include:
A first public-private key generation module, configured to acquire terminal information and generate, according to the terminal information, a terminal public key and a terminal private key corresponding to the terminal public key.
The sending module is further configured to send the terminal public key to the distributed system.
The receiving module is further configured to receive the configuration file generated by the distributed system according to the terminal identifier and the registration type after the distributed system has successfully signed the terminal public key through the certificate authority.
In one embodiment, the sending module may further be configured to acquire terminal information and send the terminal information to the distributed system.
The receiving module is further configured to receive the terminal private key and the terminal public key corresponding to the terminal information returned by the distributed system, the terminal private key and the terminal public key being generated by the distributed system through the certificate authority according to the terminal information.
For the specific limitations of the data processing apparatus, reference may be made to the limitations of the data processing method above, which are not repeated here. Each module in the above data processing apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in or independent of a processor in a computer device in hardware form, or may be stored in a memory in the computer device in software form, so that the processor can invoke them to perform the operations corresponding to the modules.
In one embodiment, a computer device is provided. The computer device may be a terminal, and its internal structure may be as shown in FIG. 6. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and computer readable instructions. The internal memory provides an environment for running the operating system and the computer readable instructions in the non-volatile storage medium. The network interface of the computer device is used to communicate with an external terminal over a network connection. The computer readable instructions, when executed by the processor, implement a data processing method. The display screen of the computer device may be a liquid crystal display or an electronic ink display. The input device of the computer device may be a touch layer covering the display screen, a button, trackball, or touchpad provided on the housing of the computer device, or an external keyboard, touchpad, or mouse.
Those skilled in the art will understand that the structure shown in FIG. 6 is only a block diagram of part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied. A specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
A computer device includes a memory and one or more processors, the memory storing computer readable instructions that, when executed by the processors, cause the one or more processors to perform the following steps: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
In one embodiment, after the step of encrypting the data to be written with the first temporary session key, implemented when the processor executes the computer readable instructions, the steps may further include: signing the encrypted data to be written with a pre-deployed terminal private key. The step of sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, implemented when the processor executes the computer readable instructions, may include: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the signature on the received data to be written with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
In one embodiment, the processor, when executing the computer readable instructions, further implements the following steps: receiving, through the pre-configured interface, data to be read that is returned by the distributed system and encrypted with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
In one embodiment, the step of receiving, through the pre-configured interface, the data to be read that is returned by the distributed system and encrypted with the second temporary session key, implemented when the processor executes the computer readable instructions, may include: receiving, through the pre-configured interface, data to be read that is returned by the distributed system and has been signed with the terminal public key and encrypted with the second temporary session key. Before the step of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, implemented when the processor executes the computer readable instructions, the steps may further include: verifying with the terminal private key the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
In one embodiment, the processor, when executing the computer readable instructions, further implements the following steps: sending a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier; receiving a configuration file generated by the distributed system according to the terminal identifier and the registration type; and performing configuration according to the configuration file.
In one embodiment, the processor, when executing the computer readable instructions, further implements the following steps: acquiring terminal information, and generating, according to the terminal information, a terminal public key and a terminal private key corresponding to the terminal public key; and sending the terminal public key to the distributed system. The step of receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type, implemented when the processor executes the computer readable instructions, may include: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
In one embodiment, the processor, when executing the computer readable instructions, further implements the following steps: acquiring terminal information and sending the terminal information to the distributed system; and receiving the terminal private key and the terminal public key corresponding to the terminal information returned by the distributed system, the terminal private key and the terminal public key being generated by the distributed system through the certificate authority according to the terminal information.
One or more non-volatile computer readable storage media store computer readable instructions that, when executed by one or more processors, cause the one or more processors to perform the following steps: obtaining a first temporary session key by exchanging with a distributed system according to a key exchange protocol through a pre-configured interface; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
In one embodiment, after the step of encrypting the data to be written with the first temporary session key, implemented when the computer readable instructions are executed by the processor, the steps may further include: signing the encrypted data to be written with a pre-deployed terminal private key. The step of sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, implemented when the computer readable instructions are executed by the processor, may include: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the signature on the received data to be written with the terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
In one embodiment, the computer readable instructions, when executed by the processor, further implement the following steps: receiving, through the pre-configured interface, data to be read that is returned by the distributed system and encrypted with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
In one embodiment, the step of receiving, through the pre-configured interface, the data to be read that is returned by the distributed system and encrypted with the second temporary session key, implemented when the computer readable instructions are executed by the processor, may include: receiving, through the pre-configured interface, data to be read that is returned by the distributed system and has been signed with the terminal public key and encrypted with the second temporary session key. Before the step of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, implemented when the computer readable instructions are executed by the processor, the steps may further include: verifying with the terminal private key the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
In one embodiment, the computer readable instructions, when executed by the processor, further implement the following steps: sending a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier; receiving a configuration file generated by the distributed system according to the terminal identifier and the registration type; and performing configuration according to the configuration file.
In one embodiment, the computer readable instructions, when executed by the processor, further implement the following steps: acquiring terminal information, and generating, according to the terminal information, a terminal public key and a terminal private key corresponding to the terminal public key; and sending the terminal public key to the distributed system. The step of receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type, implemented when the computer readable instructions are executed by the processor, may include: after the distributed system has successfully signed the terminal public key through the certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
In one embodiment, the computer readable instructions, when executed by the processor, further implement the following steps: acquiring terminal information and sending the terminal information to the distributed system; and receiving the terminal private key and the terminal public key corresponding to the terminal information returned by the distributed system, the terminal private key and the terminal public key being generated by the distributed system through the certificate authority according to the terminal information.
Those of ordinary skill in the art will understand that all or part of the processes of the methods in the above embodiments may be completed by computer readable instructions instructing the relevant hardware. The computer readable instructions may be stored in a non-volatile computer readable storage medium and, when executed, may include the processes of the embodiments of the methods described above. Any reference to a memory, storage, database, or other medium used in the embodiments provided in the present application may include non-volatile and/or volatile memory. Non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application, and their description is relatively specific and detailed, but they are not to be construed as limiting the scope of the invention patent. It should be noted that those of ordinary skill in the art may make a number of variations and improvements without departing from the concept of the present application, and these all fall within the protection scope of the present application. Therefore, the protection scope of this patent application shall be subject to the appended claims.

Claims (20)

  1. A data processing method, comprising:
    obtaining a first temporary session key by exchanging with a distributed system, through a pre-configured interface, according to a key exchange protocol;
    encrypting data to be written with the first temporary session key; and
    sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  2. The method according to claim 1, wherein, after the encrypting of the data to be written with the first temporary session key, the method further comprises:
    signing the encrypted data to be written with a pre-deployed terminal private key; and
    the sending of the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, comprises:
    sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the signature of the received data to be written with a terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
  3. The method according to claim 1, further comprising:
    receiving, through the pre-configured interface, data to be read that is returned by the distributed system and encrypted with the second temporary session key; and
    decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  4. The method according to claim 3, wherein the receiving, through the pre-configured interface, of the data to be read that is returned by the distributed system and encrypted with the second temporary session key comprises:
    receiving, through the pre-configured interface, data to be read that is returned by the distributed system and has been signed and encrypted with the terminal public key and the second temporary session key;
    before the decrypting of the encrypted data to be read with the first temporary session key to obtain the second plaintext, the method further comprises:
    verifying, with the terminal private key, the signature of the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  5. The method according to any one of claims 1 to 4, further comprising:
    sending a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier;
    receiving a configuration file generated by the distributed system according to the terminal identifier and the registration type; and
    performing configuration according to the configuration file.
  6. The method according to claim 5, further comprising:
    acquiring terminal information, and generating, according to the terminal information, a terminal public key and a terminal private key corresponding to the terminal public key;
    sending the terminal public key to the distributed system; and
    the step of receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type comprises:
    after the distributed system has successfully signed the terminal public key through a certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
  7. The method according to claim 5, further comprising:
    acquiring terminal information and sending the terminal information to the distributed system; and
    receiving a terminal private key and a terminal public key that are returned by the distributed system and correspond to the terminal information, the terminal private key and the terminal public key being generated by the distributed system through a certificate authority according to the terminal information.
  8. A data processing apparatus, comprising:
    a key acquisition module, configured to obtain a first temporary session key by exchanging with a distributed system, through a pre-configured interface, according to a key exchange protocol;
    an encryption module, configured to encrypt data to be written with the first temporary session key; and
    a writing module, configured to send the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  9. The apparatus according to claim 8, further comprising:
    a signing module, configured to sign the encrypted data to be written with a pre-deployed terminal private key after the data to be written has been encrypted with the first temporary session key; and
    the writing module is further configured to send the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the signature of the received data to be written with a terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
  10. A computer device, comprising a memory and one or more processors, the memory storing computer-readable instructions which, when executed by the one or more processors, cause the one or more processors to perform the following steps: obtaining a first temporary session key by exchanging with a distributed system, through a pre-configured interface, according to a key exchange protocol; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  11. The computer device according to claim 10, wherein, after the encrypting of the data to be written with the first temporary session key as implemented when the processor executes the computer-readable instructions, the steps further comprise: signing the encrypted data to be written with a pre-deployed terminal private key; and
    the sending of the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, as implemented when the processor executes the computer-readable instructions, comprises: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the signature of the received data to be written with a terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
  12. The computer device according to claim 10, wherein the processor, when executing the computer-readable instructions, further performs the following steps: receiving, through the pre-configured interface, data to be read that is returned by the distributed system and encrypted with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  13. The computer device according to claim 12, wherein the receiving, through the pre-configured interface, of the data to be read that is returned by the distributed system and encrypted with the second temporary session key, as implemented when the processor executes the computer-readable instructions, comprises: receiving, through the pre-configured interface, data to be read that is returned by the distributed system and has been signed and encrypted with the terminal public key and the second temporary session key;
    before the step of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, as implemented when the processor executes the computer-readable instructions, the steps further comprise: verifying, with the terminal private key, the signature of the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
  14. The computer device according to any one of claims 10 to 13, wherein the processor, when executing the computer-readable instructions, further performs the following steps: sending a registration request to the distributed system, the registration request carrying a registration type and a terminal identifier; receiving a configuration file generated by the distributed system according to the terminal identifier and the registration type; and performing configuration according to the configuration file.
  15. The computer device according to claim 14, wherein the processor, when executing the computer-readable instructions, further performs the following steps: acquiring terminal information, and generating, according to the terminal information, a terminal public key and a terminal private key corresponding to the terminal public key; sending the terminal public key to the distributed system; and
    the receiving of the configuration file generated by the distributed system according to the terminal identifier and the registration type, as implemented when the processor executes the computer-readable instructions, comprises: after the distributed system has successfully signed the terminal public key through a certificate authority, receiving the configuration file generated by the distributed system according to the terminal identifier and the registration type.
  16. The computer device according to claim 15, wherein the processor, when executing the computer-readable instructions, further performs the following steps: acquiring terminal information and sending the terminal information to the distributed system; and receiving a terminal private key and a terminal public key that are returned by the distributed system and correspond to the terminal information, the terminal private key and the terminal public key being generated by the distributed system through a certificate authority according to the terminal information.
  17. One or more non-volatile computer-readable storage media storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps: obtaining a first temporary session key by exchanging with a distributed system, through a pre-configured interface, according to a key exchange protocol; encrypting data to be written with the first temporary session key; and sending the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with a second temporary session key to obtain a first plaintext, the second temporary session key corresponding to the first temporary session key.
  18. The storage medium according to claim 17, wherein, after the encrypting of the data to be written with the first temporary session key as implemented when the computer-readable instructions are executed by the processor, the steps further comprise: signing the encrypted data to be written with a pre-deployed terminal private key; and
    the sending of the encrypted data to be written to the distributed system through the pre-configured interface, so that the distributed system decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, as implemented when the computer-readable instructions are executed by the processor, comprises: sending the encrypted and signed data to be written to the distributed system through the pre-configured interface, so that the distributed system, after successfully verifying the signature of the received data to be written with a terminal public key, decrypts the encrypted data to be written with the second temporary session key to obtain the first plaintext, the terminal public key corresponding to the terminal private key.
  19. The storage medium according to claim 17, wherein the computer-readable instructions, when executed by the processor, further perform the following steps: receiving, through the pre-configured interface, data to be read that is returned by the distributed system and encrypted with the second temporary session key; and decrypting the encrypted data to be read with the first temporary session key to obtain a second plaintext.
  20. The storage medium according to claim 19, wherein the receiving, through the pre-configured interface, of the data to be read that is returned by the distributed system and encrypted with the second temporary session key, as implemented when the computer-readable instructions are executed by the processor, comprises: receiving, through the pre-configured interface, data to be read that is returned by the distributed system and has been signed and encrypted with the terminal public key and the second temporary session key;
    before the step of decrypting the encrypted data to be read with the first temporary session key to obtain the second plaintext, as implemented when the processor executes the computer-readable instructions, the steps further comprise: verifying, with the terminal private key, the signature of the data to be read that was signed with the terminal public key, to obtain the encrypted data to be read.
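
The write path of claims 1 and 2 (key exchange, encrypt, sign, then verify before decrypt), as an added example that is not part of the patent text or the applicant's code. The claims name no algorithms, so X25519, HKDF-SHA-256, AES-256-GCM and Ed25519 are assumptions here, and every function name and the sample record are constructed for illustration.

```javascript
// Added illustration of claims 1 and 2. Algorithm choices are assumptions.
const nodeCrypto = require('crypto');

// Long-term signing key pair: the "pre-deployed terminal private key" and
// its matching terminal public key held by the distributed system.
function newTerminalIdentity() {
  return nodeCrypto.generateKeyPairSync('ed25519');
}

// Fresh key-exchange key pair, generated once per session by each side.
function newEphemeral() {
  return nodeCrypto.generateKeyPairSync('x25519');
}

// Each side combines its own ephemeral private key with the peer's ephemeral
// public key; both arrive at the same 32-byte temporary session key.
function deriveSessionKey(ownPrivate, peerPublic) {
  const shared = nodeCrypto.diffieHellman({ privateKey: ownPrivate, publicKey: peerPublic });
  const info = Buffer.from('constructed-demo-session');
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 32));
}

// Terminal side: encrypt the data to be written, then sign the encrypted form.
function sealWrite(sessionKey, terminalPrivateKey, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  const signed = Buffer.concat([nonce, ciphertext, tag]);
  const signature = nodeCrypto.sign(null, signed, terminalPrivateKey);
  return { nonce, ciphertext, tag, signature };
}

// Distributed-system side: verify the signature first and decrypt only if it
// holds, which is the order claim 2 prescribes.
function openWrite(sessionKey, terminalPublicKey, msg) {
  const signed = Buffer.concat([msg.nonce, msg.ciphertext, msg.tag]);
  if (!nodeCrypto.verify(null, signed, terminalPublicKey, msg.signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, msg.nonce);
    decipher.setAuthTag(msg.tag);
    const plaintext = Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
    return { ok: true, plaintext };
  } catch (err) {
    // Valid signature but wrong session key or corrupted tag.
    return { ok: false, reason: 'bad-ciphertext' };
  }
}

function demo() {
  const identity = newTerminalIdentity();
  const terminalEph = newEphemeral();
  const systemEph = newEphemeral();
  // "First" key on the terminal, "second" key on the distributed system.
  const firstKey = deriveSessionKey(terminalEph.privateKey, systemEph.publicKey);
  const secondKey = deriveSessionKey(systemEph.privateKey, terminalEph.publicKey);

  const record = Buffer.from('constructed record: balance=42');
  const msg = sealWrite(firstKey, identity.privateKey, record);
  const accepted = openWrite(secondKey, identity.publicKey, msg);

  // Failure mode 1: one flipped ciphertext bit is caught by the signature check.
  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 0x01;
  const rejected = openWrite(secondKey, identity.publicKey, tampered);

  // Failure mode 2: a key from a different session passes the signature check
  // but fails authenticated decryption.
  const staleKey = deriveSessionKey(newEphemeral().privateKey, terminalEph.publicKey);
  const wrongKey = openWrite(staleKey, identity.publicKey, msg);

  return { keysMatch: firstKey.equals(secondKey), accepted, rejected, wrongKey };
}
```

The sketch leaves the exchanged ephemeral public keys unauthenticated; a deployment would bind them to the terminal identity, for example by signing them with the same terminal key.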
PCT/CN2018/096760 2018-01-12 2018-07-24 Data processing method and device, computer device and storage medium WO2019136959A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810030994.X 2018-01-12
CN201810030994.XA CN108322451B (en) 2018-01-12 2018-01-12 Data processing method, data processing device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2019136959A1 (en) 2019-07-18

Family

ID=62894319

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/096760 WO2019136959A1 (en) 2018-01-12 2018-07-24 Data processing method and device, computer device and storage medium

Country Status (2)

Country Link
CN (1) CN108322451B (en)
WO (1) WO2019136959A1 (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040076B (en) * 2018-08-09 2020-07-24 腾讯科技(深圳)有限公司 Data processing method, system, device, equipment and medium
CN109241756B (en) * 2018-08-20 2020-01-31 深圳市腾讯网络信息技术有限公司 Data processing method, system, server and medium based on block chain
CN110969527B (en) * 2018-09-29 2023-02-24 北京天能博信息科技有限公司 Data processing method of block chain and related equipment
CN109361663B (en) * 2018-10-10 2021-05-28 中航信托股份有限公司 Method, system and device for accessing encrypted data
CN109670325B (en) * 2018-12-21 2023-03-28 北京思源理想控股集团有限公司 Device and method for encrypting and decrypting configuration file
CN109698834A (en) * 2019-01-11 2019-04-30 深圳市元征科技股份有限公司 A kind of encrypted transmission method and system
CN110321732A (en) * 2019-05-23 2019-10-11 深圳壹账通智能科技有限公司 Data grant method, apparatus, storage medium and the electronic equipment of block catenary system
CN110166460B (en) * 2019-05-24 2021-12-14 北京思源理想控股集团有限公司 Service account registration method and device, storage medium and electronic device
CN111294349B (en) * 2020-01-22 2021-09-03 重庆大学 Method and device for sharing data of Internet of things equipment
CN111314072B (en) * 2020-02-21 2021-06-22 北京邮电大学 Extensible identity authentication method and system based on SM2 algorithm
CN111541690B (en) * 2020-04-21 2022-05-20 北京智芯微电子科技有限公司 Safety protection method for communication between intelligent terminal and server
CN112003697B (en) * 2020-08-25 2023-09-29 成都卫士通信息产业股份有限公司 Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium
CN113138809A (en) * 2021-04-30 2021-07-20 广东天波信息技术股份有限公司 Method and system for safely switching working modes of terminal
CN113343309B (en) * 2021-08-02 2022-01-04 北京东方通软件有限公司 Natural person database privacy security protection method and device and terminal equipment
CN114900285A (en) * 2022-04-01 2022-08-12 重庆金康赛力斯新能源汽车设计院有限公司 Secret key filling method, system, computer equipment and storage medium
CN115147956B (en) * 2022-06-29 2024-06-14 中国第一汽车股份有限公司 Data processing method, device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106100981A (en) * 2016-08-22 2016-11-09 布比(北京)网络技术有限公司 Social network data exchange method and device
WO2017022917A1 (en) * 2015-08-03 2017-02-09 (주)코인플러그 Certificate issuing system based on block chain
CN106534092A (en) * 2016-11-02 2017-03-22 西安电子科技大学 Message-based and key-dependent privacy data encryption method

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100373991C (en) * 2005-06-30 2008-03-05 中国科学院计算技术研究所 Enciphered consulating method for speech-sound communication in grouped network
US8533746B2 (en) * 2006-11-01 2013-09-10 Microsoft Corporation Health integration platform API
KR101197207B1 (en) * 2011-05-17 2012-11-02 인크로스 주식회사 Method for Verification of Contensts Using Verification Platform
CN103167498B (en) * 2011-12-19 2015-11-11 卓望数码技术(深圳)有限公司 A kind of ability control method and system
CN102970299B (en) * 2012-11-27 2015-06-03 西安电子科技大学 File safe protection system and method thereof
CN105516117A (en) * 2015-12-02 2016-04-20 南方电网科学研究院有限责任公司 Cloud computing-based electric power data secure storage method
CN107135219B (en) * 2017-05-05 2020-04-28 四川长虹电器股份有限公司 Internet of things information secure transmission method

Also Published As

Publication number Publication date
CN108322451B (en) 2020-09-22
CN108322451A (en) 2018-07-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18900320

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/11/2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18900320

Country of ref document: EP

Kind code of ref document: A1