WO2020206953A1 - Procédé et système de traitement de données - Google Patents

Procédé et système de traitement de données Download PDF

Info

Publication number
WO2020206953A1
WO2020206953A1 PCT/CN2019/109098 CN2019109098W WO2020206953A1 WO 2020206953 A1 WO2020206953 A1 WO 2020206953A1 CN 2019109098 W CN2019109098 W CN 2019109098W WO 2020206953 A1 WO2020206953 A1 WO 2020206953A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
data
encryption
service cluster
key
Prior art date
Application number
PCT/CN2019/109098
Other languages
English (en)
Chinese (zh)
Inventor
郁国勇
孙迁
Original Assignee
苏宁云计算有限公司
苏宁易购集团股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 苏宁云计算有限公司, 苏宁易购集团股份有限公司 filed Critical 苏宁云计算有限公司
Priority to CA3176858A priority Critical patent/CA3176858A1/fr
Publication of WO2020206953A1 publication Critical patent/WO2020206953A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network

Definitions

  • the present invention relates to the technical field of data security, in particular to a data processing method and system.
  • Method 1 Use the same key to encrypt sensitive data during data production or transmission before storage, and the data user uses the corresponding key (equal or non-equal) to decrypt;
  • Method 2 High-level authority management and control of sensitive data, ensuring that only necessary personnel can access sensitive data physically and technically;
  • Method 3 Embed encryption and decryption mechanisms on the database access engine, and encryption and decryption of sensitive data is transparent to users.
  • the data producer or user can access the encryption and decryption keys, there is a risk of key leakage, and if the key is leaked, the encrypted data is no longer safe;
  • the encryption and decryption mechanism is implanted on the database access engine, which cannot avoid the possibility of data leakage during the data flow before storage.
  • the present invention aims to solve at least one of the technical problems existing in the prior art or related technologies. To this end, the present invention provides a data processing method and system.
  • a data processing method which is applied to a data processing system, the data processing system includes a service gateway and a service cluster, the service cluster includes multiple service instances, and a database is deployed in the service cluster ,
  • the method includes:
  • the service gateway receives the data encryption request sent by the first user, and routes the data encryption request to the service cluster, and the data encryption request carries the data to be encrypted and the data access authority;
  • the service cluster calls the corresponding service instance among multiple service instances to encrypt the data to be encrypted to generate a ciphertext, and generate an encryption event;
  • the service gateway returns the encryption result to the first user.
  • the routing the data encryption request to the service cluster includes:
  • the data encryption request is routed to a service cluster that has a mapping relationship with the first user.
  • the multiple service clusters include at least two of a symmetric encryption service cluster, a Hash algorithm service cluster, an asymmetric encryption service cluster, and a business customized encryption service cluster.
  • the key is randomly extracted from a key pool, and the method further includes:
  • the key in the key pool is replaced.
  • the key replacement condition is one of the following conditions:
  • the use times of the keys in the key pool reach the use times threshold
  • the existence time of the key in the key pool reaches the time threshold.
  • the method further includes:
  • the service gateway receives a data decryption request sent by a second user, and the data decryption request carries a ciphertext to be encrypted, a service cluster identifier, and an encryption event number;
  • the service gateway routes the data decryption request to the service cluster corresponding to the service cluster identifier
  • the service cluster queries the database for the data access authority corresponding to the encrypted event number, and when the second user has the data access authority, calls the corresponding service instance among the multiple service instances Decrypt the ciphertext to be encrypted according to the encryption algorithm and key corresponding to the encryption event number to obtain the plaintext;
  • the service cluster returns the decryption result including the plaintext to the service gateway, so that the service gateway returns the decryption result to the second user.
  • the corresponding service instance is selected from the multiple service instances in a load balancing manner or a random manner.
  • a data processing system including a service gateway and a service cluster, the service cluster includes multiple service instances, and a database is deployed in the service cluster, wherein:
  • the service gateway is configured to receive a data encryption request sent by a first user, and route the data encryption request to the service cluster, where the data encryption request carries data to be encrypted and data access rights;
  • the service cluster is configured to call corresponding service instances in multiple service instances to encrypt the data to be encrypted to generate ciphertext, and generate encryption events;
  • the service cluster is further configured to correspondingly store the data access authority, the event number of the encryption event, the encryption algorithm and key used to encrypt the data to be encrypted in the database;
  • the service gateway is also used to return the encryption result to the first user.
  • the service gateway is specifically configured to:
  • the data encryption request is routed to a service cluster that has a mapping relationship with the first user.
  • the multiple service clusters include at least two of a symmetric encryption service cluster, a Hash algorithm service cluster, an asymmetric encryption service cluster, and a business customized encryption service cluster.
  • the key is randomly extracted from the key pool, and the service cluster is specifically used for:
  • the key in the key pool is replaced.
  • the key replacement condition is one of the following conditions:
  • the use times of the keys in the key pool reach the use times threshold
  • the existence time of the key in the key pool reaches the time threshold.
  • the service gateway is further configured to receive a data decryption request sent by a second user, and the data decryption request carries a ciphertext to be encrypted, a service cluster identifier, and an encryption event number;
  • the service gateway is further configured to route the data decryption request to the service cluster corresponding to the service cluster identifier;
  • the service cluster is also used to query the data access authority corresponding to the encrypted event number from the database, and when the second user has the data access authority, in the multiple service instances, call The corresponding service instance decrypts the ciphertext to be encrypted according to the encryption algorithm and key corresponding to the encryption event number to obtain the plaintext;
  • the service cluster is also used to return the decryption result including the plaintext to the service gateway;
  • the serving gateway is also used to return the decryption result to the second user.
  • service cluster is specifically used for:
  • the corresponding service instance is selected from the multiple service instances in a load balancing manner or a random manner.
  • Figure 1 is a schematic diagram of an application environment provided by an embodiment of the present invention.
  • Embodiment 1 of the present invention is a flowchart of a data processing method provided by Embodiment 1 of the present invention
  • FIG. 3 is a flowchart of a data processing method provided by Embodiment 2 of the present invention.
  • Fig. 4 is a block diagram of a data processing system provided by the third embodiment of the present invention.
  • FIG. 1 is a schematic diagram of an application environment provided by an embodiment of the present invention.
  • the application environment may include a client 01, a service gateway 02, and a service cluster 03.
  • the client 01 can be run on the user equipment of the data producer or data provider, or it can be run on the user equipment of the data consumer. It is understandable that the number of the client 01 is not limited to one, and the above
  • the user equipment includes, but is not limited to, physical devices such as desktop computers, tablet computers, notebook computers, and smart phones.
  • Service gateway 02 can uniformly provide REST API (Application Programming Interface) to client 01 to receive external requests and forward the received external requests to the back-end service cluster.
  • REST API Application Programming Interface
  • the service gateway also has permission control
  • the service cluster 03 includes multiple service instances such as service instance 1, service instance 27-8 service instance n, and multiple service instances include multiple different types of service instances, and the number of service instances in each type is at least As one, each service instance can provide encryption and decryption services by deploying corresponding encryption and decryption algorithms.
  • the embodiment of the present invention provides a data processing method, which is applied to a data processing system.
  • the data processing system includes a service gateway and a service cluster.
  • the service cluster includes multiple service instances, and a database is deployed in the service cluster, such as As shown in Figure 2, the data processing method may include steps:
  • the service gateway receives a data encryption request sent by a first user, and routes the data encryption request to the service cluster, where the data encryption request carries data to be encrypted and data access rights.
  • the first user may be a data producer or a data provider, and the first user submits a data encryption request to the service gateway through the first client.
  • the data to be encrypted carried in the data encryption request may be data containing sensitive information, for example, user identity information or asset information.
  • the data access authority carried in the data encryption request is used to indicate the authority to decrypt the ciphertext of the data to be encrypted.
  • the data access authority can include the user ID of the authorized access user.
  • the user ID can be a user name, client address (for example, , MAC address), etc. There is no limitation here.
  • the above-mentioned service cluster may be any one of a symmetric encryption service cluster, a Hash algorithm service cluster, an asymmetric encryption service cluster, and a business customized encryption service cluster.
  • the multiple service instances included in the service cluster can include multiple different types of service instances.
  • the number of service instances in each type is at least one.
  • Each service instance can provide encryption and decryption services by deploying a corresponding encryption and decryption algorithm. .
  • the type mentioned here means that the encryption and decryption algorithms deployed are the same.
  • the service cluster can include several DES encryption service instances, several 3DES encryption service instances, several SM4 encryption service instances, and several AES encryption service instances; if the service cluster is Hash When an algorithm service cluster is used, the service cluster may include several MD5 service instances, several SHA service instances, several SM3 service instances; several AES encryption service instances; if the service cluster is an asymmetric encryption service cluster, this The service cluster can include several RSA encryption service instances, several ECC encryption service instances, and several SM2 encryption service instances.
  • the method provided in the embodiment of the present invention may further include:
  • the service caller is authenticated and authenticated, so that different clients can be provided with different permissions through permission control, and monitoring functions can be provided for the access and availability of the service cluster, and can be targeted for different
  • the client opens different service clusters, which can improve the security of accessing the service clusters.
  • step 201 the service gateway routes the data encryption request to the service clusters. This process may include:
  • a service cluster that has a mapping relationship with the user identifier in the data encryption request is determined among multiple service clusters, and the data encryption request is routed to a service cluster that has a mapping relationship with the user identifier.
  • the multiple service clusters include at least two of a symmetric encryption service cluster, a Hash algorithm service cluster, an asymmetric encryption service cluster, and a business customized encryption service cluster.
  • the service gateway can establish the mapping relationship between the user ID of the data producer or data provider and multiple service clusters after the data producer or data provider completes service registration, so that the data producer or data provider Through the first client, the data provider can have a one-to-one relationship or a one-to-many relationship. If it is a one-to-many relationship, the data encryption request can be randomly routed to the one that has a mapping relationship with the user ID. In a service cluster.
  • the encryption service request can be routed to a service cluster that has a mapping relationship with the user identifier and corresponds to the encryption service identifier.
  • the encryption request is routed to the service cluster that has a mapping relationship with the user identifier in the data encryption request according to the preset mapping relationship table, so that different users can be satisfied.
  • the invocation requirements of different encryption services are realized, and the secure access to the encryption service cluster is controlled, thereby improving the security of accessing the service cluster.
  • the service cluster calls the corresponding service instance among multiple service instances to encrypt the data to be encrypted to generate a ciphertext, and generate an encryption event.
  • the process may include:
  • the service instance is called to encrypt the encrypted data according to the encryption algorithm preset on the service instance and the pre-generated key to generate a ciphertext, and at the same time generate an encryption event.
  • the corresponding service instance is selected from multiple service instances according to the load balancing method, including:
  • Real-time monitoring of the load status of multiple service instances and according to the monitoring results, select the one with the lowest current load from multiple service instances in a load balancing manner.
  • the load status of the service instance may include one or more of CPU usage, memory usage, disk read and write, and network connection status.
  • the key used to encrypt the data to be encrypted is randomly extracted from the key pool.
  • encryption and decryption key pools can be set separately for different types of encryption algorithms in advance, and a preset number of keys can be generated in the encryption and decryption key pool in advance.
  • service cluster calls service instances for encryption services , You can randomly extract one/pair key from the corresponding encryption and decryption key pool as the key to encrypt the data to be encrypted this time.
  • the method provided in the embodiment of the present invention further includes:
  • the keys in the key pool are replaced.
  • the key replacement condition is one of the following conditions:
  • the number of uses of the key in the key pool reaches the threshold of use times
  • the existence time of the key in the key pool reaches the time threshold.
  • the key when the number of uses of a key in the key pool reaches the threshold of the number of uses, the key can be deleted from the key pool, and a new key/pair can be generated and placed in the key pool at the same time; or , You can delete the key from the key pool when the existence time of the key in the key pool reaches the time threshold, and generate a new key/pair into the key pool at the same time.
  • the security in the data encryption process can be further improved.
  • a service instance called is an AES encryption service instance
  • the AES encryption service instance is called according to the AES algorithm and a secret randomly extracted from the key pool.
  • the key encrypts the ID number
  • the encryption service also generates an event number, which is used to uniquely identify this encryption event.
  • the event number can be a serial number with a length of 64 bits, and expressed by using a decimal system.
  • the data access authority, the event number of the encryption event, the encryption algorithm and the key used to encrypt the data to be encrypted are correspondingly stored in the database.
  • the database may adopt a key-value database, and the key-value database may organize, index, and store data in the form of key-value pairs.
  • the event number of the encryption event is used as the Key
  • the data access authority, the encryption algorithm used to encrypt the data to be encrypted, and the key are used as the Value, which are correspondingly stored in the key-value database.
  • the key-value database to store the event number of the encrypted event, the data access authority, the encryption algorithm and key used to encrypt the data to be encrypted, it is convenient for subsequent quick retrieval based on the encrypted event number, and the retrieval performance is high. , Which makes the database resource consumption small, and can realize the control of the data access authority of the ciphertext, avoiding the encryption algorithm and key in the database from being called by the decryption service in the service cluster by inappropriate users to decrypt the plaintext, thereby further ensuring The security of the data.
  • the encrypted event number, the identifier of the service cluster, and the encrypted event number are assembled according to a certain data format to obtain the encrypted result.
  • the encryption result may be a byte array obtained by sequentially concatenating the byte array of the event number, the identifier of the service cluster, and the byte array of the ciphertext.
  • the service gateway returns the encryption result to the first user.
  • the service gateway after the service gateway returns the encryption result to the first user, the first user can store the encryption result in the data warehouse or transmit it to other users.
  • the embodiment of the present invention provides a data processing method, because the data encryption request sent by the user is routed and forwarded to the corresponding service cluster through the service gateway for encryption processing, and the encryption result returned by the service cluster is received.
  • the encryption process Since the encryption algorithm and key used to generate the ciphertext are stored in the database by the service cluster, the user cannot access the encryption key, so there is no risk of leaking the key through the data producer and user, thus ensuring higher
  • the data encryption request also carries data access permissions, it can provide guarantee for the implementation of the principle of minimizing data access permissions, ensuring that data is always transmitted and stored in a specific ciphertext format.
  • the systems and personnel involved in the transmission process and storage phase cannot obtain the plaintext, which further ensures the security of the data.
  • the embodiment of the present invention provides a data processing method.
  • the data processing method includes the steps described in FIG. 2 and after step 205, it also includes steps 301 to 304.
  • steps 301 to 304 For the sake of brevity of description , The steps described in Figure 2 are omitted.
  • the data processing method further includes:
  • the service gateway receives a data decryption request sent by a second user.
  • the data decryption request carries a ciphertext to be encrypted, a service cluster identifier, and an encryption event number.
  • the second user may be a data user, and the second user submits a data encryption request to the service gateway through the second client.
  • the service gateway routes the data decryption request to the service cluster corresponding to the service cluster identifier.
  • the service gateway may determine the corresponding service cluster according to the service cluster identifier, and route the data decryption request to the corresponding service cluster.
  • step 302 the method provided in the embodiment of the present invention may further include:
  • the service gateway performs identity authentication and authentication on the second user. If the second user fails the identity authentication or authentication, it returns a decryption request failure message to the second user. If the second user passes the authentication, the data decryption request is routed To the corresponding service cluster.
  • the service caller is authenticated and authenticated through the service gateway.
  • different clients can be provided with different permissions through permission control, and monitoring functions for the access and availability of the service cluster can be provided.
  • Different service clusters can be opened for different clients, thereby ensuring the security of accessing the service clusters and realizing the authority control of calling decryption services.
  • the service cluster queries the database for the data access authority corresponding to the encrypted event number, and when the second user has data access authority, in multiple service instances, call the corresponding service instance according to the encryption algorithm and encryption algorithm corresponding to the encrypted event number.
  • the key decrypts the encrypted ciphertext to obtain the plaintext.
  • the service cluster can query the data access authority corresponding to the encrypted event number from the database, and compare the user identification of the second user with the user identification of the authorized access user in the data access authority. If the comparison is consistent, It is determined that the second user has data access authority. If the comparison is inconsistent, the second user does not have data access authority. When the second user does not have data access authority, the service cluster returns a decryption request failure to the second user through the service gateway. information.
  • the service cluster determines that the second user has data access rights, among the multiple service instances that are preset with the encryption algorithm corresponding to the encryption event number, select a service from the multiple service instances according to the load balancing mode or random mode Instance, so that the service instance decrypts the ciphertext according to the encryption algorithm and key to obtain the plaintext.
  • the load status of multiple service instances that are preset with the encryption algorithm corresponding to the encryption event number can be monitored in real time, and the current load can be selected from the multiple service instances according to the load balancing method according to the monitoring results
  • the smallest service instance performs decryption services.
  • the load status of the service instance may include one or more of CPU usage, memory usage, disk read and write, and network connection status.
  • the service cluster returns the decryption result including the plaintext to the service gateway, so that the service gateway returns the decryption result to the second user.
  • the embodiment of the present invention provides a data processing method. Since the data decryption request sent by the user is routed and forwarded to the corresponding service cluster through the service gateway for decryption processing, in the data decryption process, it is first determined whether the user as the data user is Have data access rights. Data decryption services can only be performed when they have data access rights.
  • the embodiment of the present invention provides a data processing system.
  • the data processing system may include a service gateway 41 and a service cluster 42.
  • the service cluster 42 includes multiple service instances, and a database is deployed in the service cluster 42. among them:
  • the service gateway 41 is configured to receive a data encryption request sent by the first user, and route the data encryption request to the service cluster, where the data encryption request carries the data to be encrypted and the data access authority;
  • the service cluster 42 is used to call the corresponding service instance among multiple service instances to encrypt the data to be encrypted to generate ciphertext, and generate encryption events;
  • the service cluster 42 is also used to store the data access authority, the event number of the encryption event, the encryption algorithm and the key used to encrypt the data to be encrypted into the database correspondingly;
  • the service gateway 41 is also used to return the encryption result to the first user.
  • the service gateway 41 is specifically used for:
  • mapping relationship table determine a service cluster that has a mapping relationship with the first user among the multiple service clusters
  • the data encryption request is routed to a service cluster that has a mapping relationship with the first user.
  • the multiple service clusters 42 include at least two of a symmetric encryption service cluster, a Hash algorithm service cluster, an asymmetric encryption service cluster, and a business customized encryption service cluster.
  • the key is randomly extracted from the key pool, and the service cluster 42 is specifically used to:
  • the keys in the key pool are replaced.
  • the key replacement condition is one of the following conditions:
  • the number of uses of the key in the key pool reaches the threshold of use times
  • the existence time of the key in the key pool reaches the time threshold.
  • the service gateway 41 is also configured to receive a data decryption request sent by the second user, and the data decryption request carries the ciphertext to be encrypted, the service cluster identifier, and the encryption event number;
  • the service gateway 41 is also used to route the data decryption request to the service cluster corresponding to the service cluster identifier;
  • the service cluster 42 is also used to query the data access authority corresponding to the encrypted event number from the database, and when the second user has the data access authority, in multiple service instances, call the corresponding service instance according to the encrypted event number corresponding to the encryption The algorithm and key decrypt the encrypted ciphertext to obtain the plaintext;
  • the service cluster 42 is also used to return the decryption result including the plaintext to the service gateway;
  • the service gateway 41 is also used to return the decryption result to the second user.
  • service cluster 42 is specifically used for:
  • the corresponding service instance is selected from multiple service instances according to the load balancing mode or random mode.
  • the data processing system provided in this embodiment belongs to the same inventive concept as the data processing method provided in the embodiment of the present invention, can execute the data processing method provided in the embodiment of the present invention, and has the corresponding functional modules and beneficial effects for executing the data processing method .
  • the data processing method provided in the embodiment of the present invention which will not be repeated here.
  • the program can be stored in a computer-readable storage medium.
  • the storage medium can be read-only memory, magnetic disk or optical disk, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

La présente invention concerne un procédé et un système de traitement de données, se rapportant au domaine technique de la sécurité de données. Le procédé comprend les étapes suivantes : une passerelle de service reçoit une requête de chiffrement de données envoyée par un premier utilisateur, et achemine la requête de chiffrement de données vers une grappe de services, la requête de chiffrement de données transportant des données à chiffrer et un droit d'accès aux données ; la grappe de services appelle une instance de service correspondante parmi une pluralité d'instances de service pour chiffrer les données à chiffrer de façon à générer un texte chiffré, et génère un événement de chiffrement ; la grappe de services stocke de manière correspondante, dans une base de données, le droit d'accès aux données, un numéro d'événement de l'événement de chiffrement et un algorithme de chiffrement et une clé utilisée pour chiffrer les données à chiffrer ; la grappe de services renvoie, à la passerelle de service, un résultat de chiffrement comprenant le texte chiffré, un identifiant de la grappe de services et le numéro d'événement ; et la passerelle de service renvoie le résultat de chiffrement au premier utilisateur. Les modes de réalisation de la présente invention peuvent réduire le risque de fuite de clé d'un producteur de données et d'un utilisateur de données, de telle sorte que la sécurité des données est plus élevée, et ils assurent également la mise en œuvre du principe de minimisation de droit d'accès aux données.
PCT/CN2019/109098 2019-04-09 2019-09-29 Procédé et système de traitement de données WO2020206953A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CA3176858A CA3176858A1 (fr) 2019-04-09 2019-09-29 Procede et systeme de traitement de donnees

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910281710.9A CN110061983B (zh) 2019-04-09 2019-04-09 一种数据处理方法及系统
CN201910281710.9 2019-04-09

Publications (1)

Publication Number Publication Date
WO2020206953A1 true WO2020206953A1 (fr) 2020-10-15

Family

ID=67317620

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/109098 WO2020206953A1 (fr) 2019-04-09 2019-09-29 Procédé et système de traitement de données

Country Status (3)

Country Link
CN (1) CN110061983B (fr)
CA (1) CA3176858A1 (fr)
WO (1) WO2020206953A1 (fr)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110061983B (zh) * 2019-04-09 2020-11-06 苏宁云计算有限公司 一种数据处理方法及系统
CN111526184B (zh) * 2020-04-07 2022-07-29 中国建设银行股份有限公司 业务审核的方法和装置
CN111818032B (zh) * 2020-06-30 2021-09-07 腾讯科技(深圳)有限公司 基于云平台的数据处理方法、装置及计算机程序
CN112003697B (zh) * 2020-08-25 2023-09-29 成都卫士通信息产业股份有限公司 密码模块加解密方法、装置、电子设备及计算机存储介质
CN112153072B (zh) * 2020-09-30 2023-05-26 重庆电子工程职业学院 计算机网络信息安全控制装置
CN113259407B (zh) * 2021-03-25 2023-02-03 上海卓悠网络科技有限公司 一种基于应用市场架构的数据交互方法及设备
CN113407967B (zh) * 2021-06-25 2023-02-07 上海卓悠网络科技有限公司 一种基于应用市场架构的服务安全方法及设备
CN115544530A (zh) * 2021-06-30 2022-12-30 阿里巴巴新加坡控股有限公司 密钥管理系统及其实现密钥管理的方法和计算节点
CN113656819A (zh) * 2021-08-20 2021-11-16 蚌埠学院 一种电子商务系统中的信息保密处理方法和系统
CN115314269A (zh) * 2022-07-29 2022-11-08 北京国领科技有限公司 一种串行任务分工实现高性能网络加密的方法

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006080754A1 (fr) * 2004-10-12 2006-08-03 Information And Communications University Research And Industrial Cooperation Group Procede de chiffrement de contenu, systeme et procede pour la fourniture de contenu a travers le reseau mettant en oeuvre le procede de chiffrement
CN103581196A (zh) * 2013-11-13 2014-02-12 上海众人网络安全技术有限公司 分布式文件透明加密方法及透明解密方法
CN107454590A (zh) * 2017-07-26 2017-12-08 上海斐讯数据通信技术有限公司 一种数据加密方法、解密方法及无线路由器
CN108280369A (zh) * 2018-03-05 2018-07-13 中国工商银行股份有限公司 云文档离线访问系统、智能终端及方法
CN108985094A (zh) * 2018-06-28 2018-12-11 电子科技大学 云环境下实现密文空间数据的访问控制和范围查询方法
CN110061983A (zh) * 2019-04-09 2019-07-26 苏宁易购集团股份有限公司 一种数据处理方法及系统

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102769675B (zh) * 2012-08-13 2015-04-22 广州杰赛科技股份有限公司 基于云计算平台保持主机资源稳定的方法
CN105320896B (zh) * 2015-10-21 2018-04-06 成都卫士通信息产业股份有限公司 一种云存储加密以及其密文检索方法与系统
CN105678156B (zh) * 2016-01-04 2019-06-28 成都卫士通信息产业股份有限公司 一种基于虚拟化技术的云密码服务平台及其工作流程
CN108809906B (zh) * 2017-05-03 2020-07-07 腾讯科技(深圳)有限公司 数据处理方法、系统及装置
CN108228316B (zh) * 2017-12-26 2022-01-25 成都卫士通信息产业股份有限公司 一种密码设备虚拟化的方法及设备
CN108521424B (zh) * 2018-04-10 2021-01-05 西安石油大学 面向异构终端设备的分布式数据处理方法
CN108449358B (zh) * 2018-04-10 2021-04-09 深圳市深银联易办事金融服务有限公司 基于云的低延时安全计算方法
CN109361517B (zh) * 2018-08-21 2021-09-07 西安得安信息技术有限公司 一种基于云计算的虚拟化云密码机系统及其实现方法

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006080754A1 (fr) * 2004-10-12 2006-08-03 Information And Communications University Research And Industrial Cooperation Group Procede de chiffrement de contenu, systeme et procede pour la fourniture de contenu a travers le reseau mettant en oeuvre le procede de chiffrement
CN103581196A (zh) * 2013-11-13 2014-02-12 上海众人网络安全技术有限公司 分布式文件透明加密方法及透明解密方法
CN107454590A (zh) * 2017-07-26 2017-12-08 上海斐讯数据通信技术有限公司 一种数据加密方法、解密方法及无线路由器
CN108280369A (zh) * 2018-03-05 2018-07-13 中国工商银行股份有限公司 云文档离线访问系统、智能终端及方法
CN108985094A (zh) * 2018-06-28 2018-12-11 电子科技大学 云环境下实现密文空间数据的访问控制和范围查询方法
CN110061983A (zh) * 2019-04-09 2019-07-26 苏宁易购集团股份有限公司 一种数据处理方法及系统

Also Published As

Publication number Publication date
CA3176858A1 (fr) 2020-10-15
CN110061983B (zh) 2020-11-06
CN110061983A (zh) 2019-07-26

Similar Documents

Publication Publication Date Title
WO2020206953A1 (fr) Procédé et système de traitement de données
LU101903B1 (en) System and method for storing and accessing private data of Hyperledger Fabric blockchain
US10402578B2 (en) Management of encrypted data storage
JP6700294B2 (ja) データの安全を確保するためのシステムおよび方法
US7171557B2 (en) System for optimized key management with file groups
US7219230B2 (en) Optimizing costs associated with managing encrypted data
US20190147170A1 (en) Processing data queries in a logically sharded data store
KR101371608B1 (ko) Dbms 및 데이터베이스에서 암호화 방법
US10911538B2 (en) Management of and persistent storage for nodes in a secure cluster
US20140019753A1 (en) Cloud key management
US10887085B2 (en) System and method for controlling usage of cryptographic keys
US20180041520A1 (en) Data access method based on cloud computing platform, and user terminal
US10462112B1 (en) Secure distributed authentication data
KR20180131056A (ko) 클라우드 서비스를 위한 암호화 키 관리 시스템
CN112699399A (zh) 加密数据库系统、实现加密数据库系统的方法以及装置
KR101648364B1 (ko) 대칭키 암호화와 비대칭키 이중 암호화를 복합적으로 적용한 암/복호화 속도개선 방법
CN110688666B (zh) 一种分布式存储中数据加密保存方法
US11321471B2 (en) Encrypted storage of data
WO2019114137A1 (fr) Procédé d'appel de mot de passe, serveur et support de stockage
EP2943878A1 (fr) Gestion du presse-papiers
US20220374540A1 (en) Field level encryption searchable database system
KR100594886B1 (ko) 데이터베이스 보안 시스템 및 방법
KR20210109667A (ko) 보안 전자 데이터 전송을 위한 시스템 및 방법
WO2022199796A1 (fr) Procédé et système informatique pour la gestion de clés
Zhang Research on the application of computer big data technology in cloud storage security

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19924104

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19924104

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 19924104

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 3176858

Country of ref document: CA