WO2022252632A1 - Data encryption processing method and apparatus, computer device, and storage medium - Google Patents

Info

Publication number: WO2022252632A1
Authority: WO, WIPO (PCT)
Prior art keywords: data, encrypted, secret key, key, character string
Application number: PCT/CN2022/071868
Other languages: French (fr), Chinese (zh)
Inventor: 李强
Original Assignee: 平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0872 Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121 Timestamp

Definitions

  • After receiving the data to be encrypted and the first secret key uploaded by the client, the server generates a random character string corresponding to the data to be encrypted, and encrypts the random character string with the first secret key to generate the second secret key.
  • An object storage gateway (RADOS Gateway, RGW) is configured in the server; the RGW reads the data to be encrypted and outputs a random character string corresponding to the data to be encrypted.
  • The first secret key provided directly by the client is not used to encrypt and decrypt the data to be encrypted; instead, the second secret key is generated from the first secret key and a random character string. Therefore, by generating the second secret key, even if the first secret key is stolen, the ciphertext data cannot be decrypted, which improves the security factor of server-side information encryption.
  • The server does not actually use the secret key provided by the KMS to encrypt the data; it uses this secret key to encrypt a random string generated by the server, and the result of encrypting the random string is the secret key actually used to encrypt the data, so that even if the KMS key is leaked, it does not pose a threat to the user's data security.
  • When performing data decryption, after receiving the data decryption instruction uploaded by the client, the server reads the mixed data in local storage, identifies the data cut identifier in the mixed data, and splits the mixed data based on the data cut identifier to obtain several sub-characters. It combines the sub-characters to obtain the random character string, and finally receives the first secret key uploaded by the client and encrypts the random character string with the first secret key to obtain the second secret key.
  • The server receives the encrypted data to be encrypted and first secret key, invokes the private key in local storage, and decrypts them with the private key to obtain the data to be encrypted and the first secret key.
  • A blockchain is essentially a decentralized database: a series of data blocks associated with each other using cryptographic methods. Each data block contains a batch of network transaction information, used to verify the validity of its information (anti-counterfeiting) and to generate the next block.
  • The blockchain can include the underlying blockchain platform, the platform product service layer, and the application service layer.
  • The present application provides an embodiment of a data encryption processing device. The device embodiment corresponds to the method embodiment shown in FIG. 2, and the device can be applied to various electronic devices.
  • A random secret key generation module 302, configured to generate a random character string corresponding to the data to be encrypted, and encrypt the random character string with the first secret key to generate a second secret key;
  • A sub-character inserting unit, configured to set a data cut identifier and, based on the data cut identifier, sequentially insert the sub-characters at the corresponding positions of the data cuts to obtain mixed data.
  • A sub-character combination unit, configured to combine the sub-characters to obtain the random character string.
  • A key pair encryption unit, configured to send the public key to the client, and instruct the client to use the public key to encrypt the data to be encrypted and the first secret key.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present application discloses a data encryption processing method and apparatus, a computer device, and a storage medium, which relate to data encryption technology in the technical field of information security. The present application comprises: acquiring data to be encrypted and a first key uploaded by a client, and generating a random character string corresponding to the data to be encrypted; encrypting the random character string by means of the first key, and generating a second key; encrypting, on the basis of the second key, the data to be encrypted, and obtaining ciphertext data; receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string by means of the first key, and obtaining the second key; and decrypting the ciphertext data on the basis of the second key, and obtaining plaintext data. In addition, the present application also relates to blockchain technology, and data to be encrypted may be stored in a blockchain. In the present application, a second key is generated by means of a first key and a random character string, data to be encrypted is encrypted by means of the second key, and the security coefficient of information encryption at a server side is improved.

Description

A data encryption processing method, device, computer equipment and storage medium
This application claims priority to the Chinese patent application No. 202110609708.7, filed with the China Patent Office on June 1, 2021 and entitled "A data encryption processing method, device, computer equipment and storage medium", the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the technical field of information security, and in particular to a data encryption processing method, device, computer equipment and storage medium.
Background
To protect user data, object storage products currently popular in the industry generally provide an encryption function. According to where encryption takes place, they fall into two broad categories: client-side encryption and server-side encryption.
Client-side encryption is relatively simple: the user encrypts the data and then transmits it to the object storage system. The object storage itself is not responsible for any encryption-related process; all encryption and key management are handled by the client. This approach is simple, but its security is average.
In server-side encryption, the encryption operation is performed on the object storage server. Depending on whether the key is kept by the user, server-side encryption is divided into SSE-C and SSE-KMS. In SSE-C mode the encryption key is kept by the user: each time data is stored or retrieved, the user must send the key along with the request, the server encrypts or decrypts the data with the key supplied by the user, and then responds to the user. In SSE-KMS mode the user creates a key in the KMS in advance and provides the key's key_id when PUTting an object; after receiving the request, the server requests the specific key from the KMS according to the key_id and completes the data encryption.
In the course of server-side data encryption, the inventor realized that, whether SSE-C or SSE-KMS is used, the key is created in the KMS, and the security of the key depends entirely on the KMS service. If the KMS service leaks information, the user data stored in the object storage is exposed to a security risk. Existing server-side encryption schemes therefore still have security weaknesses.
Summary of the invention
The purpose of the embodiments of the present application is to propose a data encryption processing method, device, computer equipment and storage medium, to solve the technical problem that existing data encryption schemes have a low security factor and easily lead to information leakage.
To solve the above technical problem, an embodiment of the present application provides a data encryption processing method, which adopts the following technical solution:
A data encryption processing method, comprising:
receiving a data encryption instruction, and obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted;
generating a random character string corresponding to the data to be encrypted, and encrypting the random character string with the first secret key to generate a second secret key;
encrypting the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key;
decrypting the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
Further, after the step of encrypting the data to be encrypted based on the second secret key to obtain the ciphertext data corresponding to the data to be encrypted, the method further includes:
adding the random character string to the ciphertext data to obtain mixed data;
storing the mixed data in local storage, and deleting the second secret key.
Further, the step of adding the random character string to the ciphertext data to obtain mixed data specifically includes:
segmenting the ciphertext data to determine the positions and number of data cuts;
splitting the random character string based on the number of data cuts to obtain several sub-characters;
setting a data cut identifier and, based on the data cut identifier, sequentially inserting the sub-characters at the corresponding positions of the data cuts to obtain mixed data.
Further, the step of receiving the data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key specifically includes:
receiving the data decryption instruction, reading the mixed data, and identifying the data cut identifier in the mixed data;
splitting the mixed data based on the data cut identifier to obtain the sub-characters;
combining the sub-characters to obtain the random character string;
receiving the first secret key uploaded by the client, and encrypting the random character string with the first secret key to obtain the second secret key.
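
The encryption, mixed-data storage and decryption steps above, as an added Python example that is not code from the application. HMAC-SHA256 stands in for "encrypting the random character string with the first secret key", an HMAC-based encrypt-then-MAC construction stands in for the data cipher so the block runs on the standard library alone, and the `{`/`}` cut identifier, base64 encoding, evenly spaced cuts and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import re
import secrets
import string

# Assumptions of this example (not taken from the application): base64
# ciphertext, "{" and "}" as the data cut identifier, evenly spaced cuts.
ALPHABET = string.ascii_letters + string.digits   # random-string characters
PIECE = re.compile(r"\{([A-Za-z0-9]*)\}")         # one marked sub-string


def derive_second_key(first_key: bytes, random_string: str) -> bytes:
    """Stand-in for 'encrypt the random string with the first key'."""
    return hmac.new(first_key, random_string.encode(), hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        pad = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in data cipher (encrypt-then-MAC); use a vetted AEAD in practice."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed: wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


def embed(ciphertext: bytes, random_string: str, cuts: int) -> str:
    """Split the random string into `cuts` pieces and insert them at the cuts."""
    if cuts < 1 or not set(random_string) <= set(ALPHABET):
        raise ValueError("random string must not contain cut-identifier bytes")
    # base64 never emits "{" or "}", so the identifier cannot collide with
    # ciphertext bytes; raw binary ciphertext would give no such guarantee.
    body = base64.b64encode(ciphertext).decode()
    step, extra = divmod(len(random_string), cuts)
    out, prev, start = [], 0, 0
    for i in range(cuts):
        pos = len(body) * (i + 1) // (cuts + 1)
        size = step + (1 if i < extra else 0)
        out += [body[prev:pos], "{", random_string[start:start + size], "}"]
        prev, start = pos, start + size
    out.append(body[prev:])
    return "".join(out)


def extract(mixed: str) -> tuple[bytes, str]:
    """Recover (ciphertext, random string) from mixed data."""
    pieces = PIECE.findall(mixed)
    if not pieces:
        raise ValueError("no data cut identifier found")
    body = PIECE.sub("", mixed)          # stray "{" or "}" fails validation
    return base64.b64decode(body, validate=True), "".join(pieces)


def encrypt_object(first_key: bytes, data: bytes, cuts: int = 4) -> str:
    random_string = "".join(secrets.choice(ALPHABET) for _ in range(32))
    second_key = derive_second_key(first_key, random_string)
    return embed(seal(second_key, data), random_string, cuts)  # key not stored


def decrypt_object(first_key: bytes, mixed: str) -> bytes:
    blob, random_string = extract(mixed)
    return unseal(derive_second_key(first_key, random_string), blob)
```

Because the random character string is recoverable from the mixed data, the second secret key can be recomputed by anyone who holds both the stored object and the first secret key, so both inputs still need protecting.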
Further, the step of receiving the data encryption instruction and obtaining the data to be encrypted uploaded by the client specifically includes:
receiving the data encryption instruction, and generating a key pair based on the data encryption instruction, the key pair including a public key and a private key;
sending the public key to the client, and instructing the client to use the public key to encrypt the data to be encrypted and the first secret key;
and instructing the client to upload the encrypted data to be encrypted and first secret key.
Further, after the step of receiving the data encryption instruction and obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted, the method further includes:
receiving the encrypted data to be encrypted and first secret key;
invoking the private key, and decrypting the encrypted data to be encrypted and first secret key with the private key to obtain the data to be encrypted and the first secret key.
Further, after receiving the data encryption instruction and generating a key pair based on the data encryption instruction, the method further includes:
instructing the client to obtain initialization time information and the time information of sending the data encryption instruction;
instructing the client to calculate the client's current time based on the initialization time information and the time information of sending the data encryption instruction;
instructing the client to generate a timestamp according to the current time, and instructing the client to generate the first secret key based on the timestamp.
To solve the above technical problem, an embodiment of the present application further provides a data encryption processing device, which adopts the following technical solution:
A data encryption processing device, comprising:
a first instruction receiving module, configured to receive a data encryption instruction, and obtain the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted;
a random secret key generation module, configured to generate a random character string corresponding to the data to be encrypted, and encrypt the random character string with the first secret key to generate a second secret key;
a ciphertext data generation module, configured to encrypt the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
a second instruction receiving module, configured to receive a data decryption instruction, read the ciphertext data and the random character string, and encrypt the random character string with the first secret key to obtain the second secret key;
a ciphertext data decryption module, configured to decrypt the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
To solve the above technical problem, an embodiment of the present application further provides a computer device, which adopts the following technical solution:
A computer device, comprising a memory and a processor, wherein computer-readable instructions are stored in the memory, and when the processor executes the computer-readable instructions, the following steps of the data encryption processing method are implemented:
receiving a data encryption instruction, and obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted;
generating a random character string corresponding to the data to be encrypted, and encrypting the random character string with the first secret key to generate a second secret key;
encrypting the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key;
decrypting the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
To solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, which adopts the following technical solution:
A computer-readable storage medium on which computer-readable instructions are stored, wherein when the computer-readable instructions are executed by a processor, the following steps of the data encryption processing method are implemented:
receiving a data encryption instruction, and obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted;
generating a random character string corresponding to the data to be encrypted, and encrypting the random character string with the first secret key to generate a second secret key;
encrypting the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key;
decrypting the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
Compared with the prior art, the embodiments of the present application mainly have the following beneficial effects:
The present application discloses a data encryption processing method, device, computer equipment and storage medium. When encrypting data, the server generates a random character string and encrypts it with the first secret key uploaded by the client to obtain the second secret key; the data to be encrypted is then encrypted with the second secret key to obtain ciphertext data, and finally the ciphertext data and the random character string are stored on the server. When decrypting data, the ciphertext data and the random character string are read first, the random character string is then encrypted with the first secret key uploaded by the client to obtain the second secret key, and finally the ciphertext data is decrypted with the second secret key to obtain plaintext data. In the present application, the key used to encrypt and decrypt the data is not the first secret key provided directly by the client, but a second secret key generated from the first secret key and a random character string. Because the second secret key is generated in this way, even if the first secret key is stolen, the ciphertext data still cannot be decrypted, which improves the security factor of server-side information encryption.
附图说明Description of drawings
为了更清楚地说明本申请中的方案,下面将对本申请实施例描述中所需要使用的附图作一个简单介绍,显而易见地,下面描述中的附图是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the solution in this application more clearly, a brief introduction will be given below to the accompanying drawings that need to be used in the description of the embodiments of the application. Obviously, the accompanying drawings in the following description are some embodiments of the application. Ordinary technicians can also obtain other drawings based on these drawings on the premise of not paying creative work.
图1示出了本申请可以应用于其中的示例性系统架构图;FIG. 1 shows an exemplary system architecture diagram to which the present application can be applied;
图2示出了根据本申请的数据加密处理方法的一个实施例的流程图;Fig. 2 shows the flowchart of an embodiment of the data encryption processing method according to the present application;
图3示出了根据本申请的数据加密处理装置的一个实施例的结构示意图;FIG. 3 shows a schematic structural diagram of an embodiment of a data encryption processing device according to the present application;
图4示出了根据本申请的计算机设备的一个实施例的结构示意图。Fig. 4 shows a schematic structural diagram of an embodiment of a computer device according to the present application.
Detailed description
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field of this application. The terms used in the specification are only for describing specific embodiments and are not intended to limit the application. The terms "comprising" and "having", and any variations of them, in the specification, the claims and the above description of the drawings are intended to cover non-exclusive inclusion. The terms "first", "second" and the like in the specification, the claims or the above drawings are used to distinguish different objects, not to describe a specific order.
Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. Occurrences of this phrase in various places in the specification do not necessarily all refer to the same embodiment, nor to separate or alternative embodiments that are mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein can be combined with other embodiments.
To enable those skilled in the art to better understand the solutions of this application, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings.
As shown in FIG. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104 and a server 105. The network 104 is the medium that provides communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired links, wireless communication links, or fiber optic cables.
Users can use the terminal devices 101, 102, 103 to interact with the server 105 over the network 104 to receive or send messages and the like. Various communication client applications can be installed on the terminal devices 101, 102, 103, such as web browser applications, shopping applications, search applications, instant messaging tools, email clients, and social platform software.
The terminal devices 101, 102, 103 can be various electronic devices that have a display screen and support web browsing, including but not limited to smartphones, tablet computers, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptop computers and desktop computers.
The server 105 may be a server that provides various services, such as a background server that supports the pages displayed on the terminal devices 101, 102, 103.
It should be noted that the data encryption processing method provided in the embodiments of this application is generally executed by a server, and correspondingly the data encryption processing apparatus is generally located in the server.
It should be understood that the numbers of terminal devices, networks and servers in FIG. 1 are only illustrative. There can be any number of terminal devices, networks and servers, as the implementation requires.
Continuing with FIG. 2, a flowchart of an embodiment of the data encryption processing method according to the present application is shown. The data encryption processing method comprises the following steps:
S201. Receive a data encryption instruction, and obtain the data to be encrypted uploaded by a client and a first secret key used to encrypt the data to be encrypted.
Data encryption in this application refers to server-side data encryption. Server-side data encryption mainly provides effective protection for data at rest, and is suited to application scenarios with high security or compliance requirements for file storage, for example the storage of deep learning sample files or of online collaborative document data.
Specifically, after receiving the data encryption instruction uploaded by the client, the server obtains the data to be encrypted uploaded by the client and the first secret key used to encrypt it. In a specific embodiment of this application, the first secret key is an AES (symmetric encryption algorithm) symmetric encryption key, and it may be generated by a KMS (Key Management Service) key service system.
S202. Generate a random character string corresponding to the data to be encrypted, and encrypt the random character string with the first secret key to generate a second secret key.
Specifically, after receiving the data to be encrypted and the first secret key uploaded by the client, the server generates a random character string corresponding to the data to be encrypted, and encrypts the random character string with the first secret key to generate the second secret key. In a specific embodiment of this application, an object storage gateway RGW (Rados Gate Way) is configured in the server; the RGW reads the data to be encrypted and outputs a random character string corresponding to it.
S203. Encrypt the data to be encrypted based on the second secret key to obtain the ciphertext data corresponding to the data to be encrypted.
Specifically, the server encrypts the data to be encrypted uploaded by the client using the generated second secret key and a preset AES256 encryption algorithm, obtaining the corresponding ciphertext data. After encryption is complete, it inserts the random character string into the ciphertext data to obtain mixed data, stores the mixed data in local storage, and deletes the second secret key.
It should be noted that, in a specific embodiment of this application, the data to be encrypted can be converted into a JSON string before it is encrypted, for example with Google's Gson package. The MD5 algorithm is then used to generate a digest of the JSON string, and the second secret key is used to encrypt the digest and generate a signature, completing the encryption of the data to be encrypted. The MD5 message-digest algorithm (MD5 Message-Digest Algorithm) is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used to ensure that information is transmitted completely and consistently.
The symmetric encryption algorithm (AES) is an early and technically mature encryption algorithm. In the AES algorithm, the sender processes the plaintext (original data) together with the encryption key through the encryption algorithm, turning it into complex ciphertext that is then sent out. After receiving the ciphertext, a recipient who wants to read the original text must decrypt the ciphertext with the key used for encryption and the inverse of the same algorithm to restore it to readable plaintext. The AES algorithm uses only one key, and both sender and receiver use it to encrypt and decrypt the data, which requires the decrypting party to know the encryption key in advance.
S204. Receive a data decryption instruction, read the ciphertext data and the random character string, and encrypt the random character string with the first secret key to obtain the second secret key.
Specifically, after receiving the data decryption instruction uploaded by the client, the server reads the mixed data from local storage, separates the ciphertext data and the random character string in the mixed data, and finally encrypts the random character string with the first secret key to obtain the second secret key. It should be noted that the client uploads the first secret key again after uploading the data decryption instruction, and that the two encryptions of the random character string with the first secret key yield the same symmetric second secret key.
In this embodiment, the electronic device on which the data encryption processing method runs (for example the server shown in FIG. 1) may receive the data encryption instruction or the data decryption instruction over a wired or a wireless connection. The wireless connection may include, but is not limited to, 3G/4G, WiFi, Bluetooth, WiMAX, Zigbee and UWB (ultra wideband) connections, as well as other wireless connection methods now known or developed in the future.
S205. Decrypt the ciphertext data based on the second secret key to obtain the plaintext data corresponding to the data to be encrypted.
Specifically, when decrypting data, the server, after obtaining the second secret key, decrypts the ciphertext data with it to obtain the plaintext data corresponding to the data to be encrypted, and sends that plaintext data to the client.
In the above embodiment, the data to be encrypted is not encrypted and decrypted with the first secret key provided directly by the client, but with a second secret key generated from the first secret key and the random character string. Therefore, by generating the second secret key, even if the first secret key is stolen, the ciphertext data still cannot be decrypted, which improves the security of server-side information encryption. With this encryption scheme, the server does not actually encrypt with the key provided by the KMS; instead, it uses that key to encrypt a random character string generated by the server, and the result is the key actually used to encrypt the data. In this way, even if the KMS key is leaked, the security of the user's data is not threatened.
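The S201 to S205 flow above, as an added Go example that is not code from the application. The way the random string is encrypted (two raw AES-256 blocks), AES-256-GCM for the data, the 32-byte random string length and the names `Record`, `deriveSecondKey`, `Encrypt` and `Decrypt` are assumptions. It shows that the second key is never stored and is recomputed from the first key and the stored random string on every decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the server stores: the random string and the ciphertext.
// The second key is never part of it.
type Record struct {
	Random     []byte // 32-byte random string generated per object (S202)
	Ciphertext []byte // GCM nonce || ciphertext || tag (S203)
}

// deriveSecondKey encrypts the random string with the first key. Assumption:
// raw AES-256 over two 16-byte blocks, so the result is again 32 bytes and
// the same inputs always give the same second key.
func deriveSecondKey(firstKey, random []byte) ([]byte, error) {
	if len(firstKey) != 32 || len(random) != 32 {
		return nil, fmt.Errorf("need 32-byte first key and random string, got %d and %d",
			len(firstKey), len(random))
	}
	block, err := aes.NewCipher(firstKey)
	if err != nil {
		return nil, err
	}
	second := make([]byte, 32)
	block.Encrypt(second[:16], random[:16])
	block.Encrypt(second[16:], random[16:])
	return second, nil
}

// aead builds AES-256-GCM (assumed mode) keyed with the derived second key.
func aead(firstKey, random []byte) (cipher.AEAD, error) {
	second, err := deriveSecondKey(firstKey, random)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(second)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt covers S202-S203: fresh random string, second key, ciphertext.
func Encrypt(firstKey, plaintext []byte) (Record, error) {
	buf := make([]byte, 32+12) // random string, then a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Record{}, err
	}
	random, nonce := buf[:32:32], buf[32:]
	gcm, err := aead(firstKey, random)
	if err != nil {
		return Record{}, err
	}
	return Record{Random: random, Ciphertext: gcm.Seal(nonce, nonce, plaintext, nil)}, nil
}

// Decrypt covers S204-S205: re-derive the second key from the stored random
// string and the re-uploaded first key, then open the ciphertext.
func Decrypt(firstKey []byte, rec Record) ([]byte, error) {
	gcm, err := aead(firstKey, rec.Random)
	if err != nil {
		return nil, err
	}
	if len(rec.Ciphertext) < 12 {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(rec.Ciphertext))
	}
	return gcm.Open(nil, rec.Ciphertext[:12], rec.Ciphertext[12:], nil)
}

func main() {
	firstKey := make([]byte, 32) // constructed all-zero demo key, not a real key
	rec, _ := Encrypt(firstKey, []byte("constructed sample object"))
	plain, err := Decrypt(firstKey, rec)
	fmt.Printf("random=%x\nplaintext=%q err=%v\n", rec.Random, plain, err)
}
```
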
Further, after the step of encrypting the data to be encrypted based on the second secret key to obtain the corresponding ciphertext data, the method further includes:
adding the random character string to the ciphertext data to obtain mixed data;
storing the mixed data in local storage, and deleting the second secret key.
Specifically, after encrypting the data to be encrypted with the second secret key and obtaining the corresponding ciphertext data, the server adds the random character string to the generated ciphertext data to form mixed data, stores the mixed data in local storage, and deletes the second secret key used for encryption.
In the above embodiment, the server forms mixed data by adding the random character string to the generated ciphertext data and deletes the second secret key. Storing the random character string mixed with the ciphertext data makes the random character string hard to steal; when the random character string cannot be obtained, the ciphertext data still cannot be decrypted even if the first secret key is stolen, which improves the security of server-side information encryption.
Further, the step of adding the random character string to the ciphertext data to obtain mixed data specifically includes:
splitting the ciphertext data and determining the positions and number of data cuts;
splitting the random character string based on the number of data cuts to obtain several substrings;
setting data cut identifiers, and inserting the substrings in order at the corresponding data cut positions based on the data cut identifiers to obtain mixed data.
Specifically, when encrypting data, the server splits the ciphertext data and determines the positions and number of the data cuts, then splits the random character string based on the number of data cuts to obtain several substrings. It sets a specific identifier for each data cut and, based on the data cut identifiers, inserts the substrings in order at the corresponding data cut positions to obtain mixed data.
In a specific embodiment of this application, the ciphertext data P is split into N parts, giving N-1 data cuts (N1, N2, N3 … N-1), and a specific identifier is configured at each data cut. The random character string Q is split into N-1 parts, giving N-1 substrings (n1, n2, n3 … n-1). The N-1 substrings are inserted in order into the N-1 data cuts (N1, N2, N3 … N-1) based on the data cut identifiers to obtain the mixed data: substring n1 is inserted at data cut N1, substring n2 at data cut N2, and so on, until all substrings have been inserted.
In the above embodiment, the ciphertext data and the random character string are both split, and the substrings produced from the random character string are inserted in order at the cut positions of the ciphertext data to obtain mixed data. Storing the random character string mixed with the ciphertext data makes the random character string hard to steal; when the random character string cannot be obtained, the ciphertext data still cannot be decrypted even if the first secret key is stolen, which improves the security of server-side information encryption.
Further, the step of receiving the data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key specifically includes:
receiving the data decryption instruction, reading the mixed data, and identifying the data cut identifiers in the mixed data;
splitting the mixed data based on the data cut identifiers to obtain the substrings;
combining the substrings to obtain the random character string;
receiving the first secret key uploaded by the client, and encrypting the random character string with the first secret key to obtain the second secret key.
Specifically, when decrypting data, the server, after receiving the data decryption instruction uploaded by the client, reads the mixed data from local storage, identifies the data cut identifiers in the mixed data, splits the mixed data based on those identifiers to obtain the substrings, and combines the substrings to obtain the random character string. Finally, it receives the first secret key uploaded by the client and encrypts the random character string with it to obtain the second secret key.
In the above example, data cut identifiers are set and the substrings are inserted at the corresponding data cut positions based on them. When restoring the encrypted data and the random character string, the server only needs to recognize the data cut identifiers to separate the random character string from the mixed data, which makes restoring both straightforward. Storing the random character string mixed with the ciphertext data makes the random character string hard to steal; when the random character string cannot be obtained, the ciphertext data still cannot be decrypted even if the first secret key is stolen, which improves the security of server-side information encryption.
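The mixing and recovery steps described above, as an added Go example that is not code from the application. The marker character `|`, the hex text form of both inputs, the near-equal split positions and the names `Mix`, `Unmix` and `splitN` are assumptions; the marker is chosen outside the hex alphabet because a marker that can also occur inside the ciphertext would make recovery ambiguous.

```go
package main

import (
	"fmt"
	"strings"
)

// cutMarker is an assumed data cut identifier. It must never occur in the
// ciphertext or the random string, so both are expected as hex text.
const cutMarker = "|"

// splitN cuts s into n contiguous pieces of near-equal length.
func splitN(s string, n int) []string {
	out := make([]string, n)
	for i := range out {
		out[i] = s[i*len(s)/n : (i+1)*len(s)/n]
	}
	return out
}

// Mix splits ciphertext p into n parts (n-1 cuts), splits random string q
// into n-1 substrings, and inserts substring i at cut i, framed by cutMarker.
func Mix(p, q string, n int) (string, error) {
	if n < 2 {
		return "", fmt.Errorf("need at least 2 parts (1 cut), got %d", n)
	}
	if strings.Contains(p+q, cutMarker) {
		return "", fmt.Errorf("input contains the cut marker %q", cutMarker)
	}
	parts, subs := splitN(p, n), splitN(q, n-1)
	var b strings.Builder
	for i, part := range parts {
		b.WriteString(part)
		if i < n-1 {
			b.WriteString(cutMarker + subs[i] + cutMarker)
		}
	}
	return b.String(), nil
}

// Unmix reverses Mix: fields at even positions are ciphertext parts, fields
// at odd positions are substrings of the random string.
func Unmix(mixed string) (p, q string, err error) {
	fields := strings.Split(mixed, cutMarker)
	if len(fields) < 3 || len(fields)%2 == 0 {
		return "", "", fmt.Errorf("malformed mixed data: %d fields", len(fields))
	}
	for i, f := range fields {
		if i%2 == 0 {
			p += f
		} else {
			q += f
		}
	}
	return p, q, nil
}

func main() {
	// Constructed sample values, not real ciphertext.
	mixed, _ := Mix("aabbccdd", "1122", 3)
	p, q, err := Unmix(mixed)
	fmt.Println(mixed, p, q, err)
}
```
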
Further, the step of receiving the data encryption instruction and obtaining the data to be encrypted uploaded by the client specifically includes:
receiving the data encryption instruction, and generating a key pair based on it, the key pair including a public key and a private key;
sending the public key to the client, and instructing the client to encrypt the data to be encrypted and the first secret key with the public key;
and instructing the client to upload the encrypted data to be encrypted and the encrypted first secret key.
The key pair is an RSA key pair generated by a preset RSA algorithm. The asymmetric encryption algorithm (asymmetric cryptographic algorithm, RSA) requires two keys: a public key and a private key. The public key and the private key form a pair and can be generated automatically based on the content of the encrypted file. If data is encrypted with the public key, only the corresponding private key can decrypt it; because encryption and decryption use two different keys, the algorithm is called an asymmetric encryption algorithm. The RSA key scheme has two keys, one of which is public, so there is no need to transmit the other party's key as with an AES key. This proposal adopts a combined AES and RSA encryption scheme, which can significantly improve the security of HTTP information transmission.
Specifically, after receiving the data encryption instruction, the server generates a key pair based on it; the key pair includes a public key and a private key. The server stores the private key in local storage, sends the public key to the client, instructs the client to encrypt the data to be encrypted and the first secret key with the public key, and instructs the client to upload the encrypted data to be encrypted and the encrypted first secret key.
In the above example, a key pair is generated with an asymmetric encryption algorithm. When encrypting data, the key pair is used to encrypt the data to be encrypted and the first secret key that must be uploaded to the server, preventing them from being stolen during upload; setting up the key pair improves the security of information transmission.
Further, after the step of receiving the data encryption instruction and obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt it, the method further includes:
receiving the encrypted data to be encrypted and the encrypted first secret key;
calling the private key, and decrypting the encrypted data to be encrypted and the encrypted first secret key with the private key to obtain the data to be encrypted and the first secret key.
Specifically, the server receives the encrypted data to be encrypted and the encrypted first secret key, calls the private key held in local storage, and decrypts both with the private key to obtain the data to be encrypted and the first secret key.
In the above example, a key pair is generated with an asymmetric encryption algorithm. When decrypting data, the uploaded first secret key is encrypted with the key pair, preventing the first secret key from being stolen during upload; setting up the key pair improves the security of information transmission.
Further, after receiving the data encryption instruction and generating the key pair based on it, the method further includes:
instructing the client to obtain initialization time information and the time information of sending the data encryption instruction;
instructing the client to calculate the client's current time based on the initialization time information and the time information of sending the data encryption instruction;
instructing the client to generate a timestamp from the current time, and instructing the client to generate the first secret key based on the timestamp.
Specifically, the client's current time can be calculated based on the clock synchronization principle, and the first secret key is then generated from the client's current time. After the server receives the data encryption instruction and generates the key pair based on it, the server first instructs the client to obtain its own initialization time information and the time information of sending the data encryption instruction, instructs the client to calculate its current time from these two values, instructs the client to generate a timestamp from the current time, and instructs the client to send the timestamp to the KMS to generate the first secret key.
In a specific embodiment of this application, the calculation based on the clock synchronization principle is as follows. When the client is initialized, it queries the time interface once, records the server time at that moment as A, and at the same time records the client's own time as B. When the client later needs the current server time, it first obtains its current local time, recorded as C. The current server time can then be obtained with a simple difference calculation, D = A + (C - B): from the difference between the two local times, the client derives the current server time.
The above embodiments disclose a data encryption processing method. When encrypting data, the server generates a random character string and encrypts it with the first secret key uploaded by the client to obtain a second secret key; the second secret key is then used to encrypt the data to be encrypted, yielding ciphertext data, and finally the ciphertext data and the random character string are stored on the server. When decrypting data, the ciphertext data and the random character string are read first, the random character string is then encrypted with the first secret key uploaded by the client to obtain the second secret key, and finally the ciphertext data is decrypted with the second secret key to obtain plaintext data. In this application, the data to be encrypted is not encrypted and decrypted with the first secret key provided directly by the client, but with a second secret key generated from the first secret key and the random character string. Therefore, by generating the second secret key, even if the first secret key is stolen, the ciphertext data still cannot be decrypted, which improves the security of server-side information encryption.
It should be emphasized that, to further ensure the privacy and security of the data to be encrypted, the data to be encrypted may also be stored in a node of a blockchain.
The blockchain referred to in this application is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database: a chain of data blocks linked by cryptographic methods, where each block contains the information of a batch of network transactions, used to verify the validity of that information (anti-counterfeiting) and to generate the next block. A blockchain can include an underlying blockchain platform, a platform product service layer and an application service layer.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by computer-readable instructions directing the relevant hardware. The computer-readable instructions can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disc or a read-only memory (ROM), or a random access memory (RAM).
It should be understood that although the steps in the flowcharts of the drawings are shown in the order indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated herein, there is no strict ordering constraint on these steps, and they can be executed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily completed at the same moment but may be executed at different times, and which need not be executed sequentially but may be executed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.
进一步参考图3,作为对上述图2所示方法的实现,本申请提供了一种数据加密处理装置的一个实施例,该装置实施例与图2所示的方法实施例相对应,该装置具体可以应用于各种电子设备中。Further referring to FIG. 3 , as an implementation of the method shown in FIG. 2 above, the present application provides an embodiment of a data encryption processing device. The device embodiment corresponds to the method embodiment shown in FIG. 2 , and the device specifically It can be applied to various electronic devices.
As shown in FIG. 3, the data encryption processing apparatus of this embodiment includes:
a first instruction receiving module 301, configured to receive a data encryption instruction and obtain the data to be encrypted uploaded by the client and a first secret key used to encrypt the data to be encrypted;
a random secret key generation module 302, configured to generate a random character string corresponding to the data to be encrypted, and to encrypt the random character string with the first secret key to generate a second secret key;
a ciphertext data generation module 303, configured to encrypt the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
a second instruction receiving module 304, configured to receive a data decryption instruction, read the ciphertext data and the random character string, and encrypt the random character string with the first secret key to obtain the second secret key;
a ciphertext data decryption module 305, configured to decrypt the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
Further, the data encryption processing apparatus also includes:
a ciphertext data mixing module, configured to add the random character string to the ciphertext data to obtain mixed data;
a mixed data storage module, configured to store the mixed data in local storage and delete the second secret key.
Further, the ciphertext data mixing module specifically includes:
a ciphertext data segmentation unit, configured to segment the ciphertext data and determine the positions and number of data cuts;
a random character string segmentation unit, configured to segment the random character string based on the number of data cuts to obtain several sub-characters;
a sub-character insertion unit, configured to set a data cut marker and, based on the data cut marker, insert the several sub-characters in sequence at the corresponding positions of the data cuts to obtain the mixed data.
Further, the second instruction receiving module 304 specifically includes:
a mixed data reading unit, configured to receive the data decryption instruction, read the mixed data, and identify the data cut markers in the mixed data;
a mixed data segmentation unit, configured to split the mixed data based on the data cut markers to obtain the several sub-characters;
a sub-character combination unit, configured to combine the several sub-characters to obtain the random character string;
a random character string encryption unit, configured to receive the first secret key uploaded by the client and encrypt the random character string with the first secret key to obtain the second secret key.
Further, the first instruction receiving module 301 specifically includes:
a key pair generation unit, configured to receive the data encryption instruction and generate a key pair based on the data encryption instruction, the key pair including a public key and a private key;
a key pair encryption unit, configured to send the public key to the client and instruct the client to encrypt the data to be encrypted and the first secret key with the public key;
an encrypted data upload unit, configured to instruct the client to upload the encrypted data to be encrypted and the encrypted first secret key.
Further, the first instruction receiving module 301 also includes:
an encrypted data receiving unit, configured to receive the encrypted data to be encrypted and the encrypted first secret key;
a key pair decryption unit, configured to invoke the private key and use it to decrypt the encrypted data to be encrypted and the encrypted first secret key, obtaining the data to be encrypted and the first secret key.
Further, the first instruction receiving module 301 also includes:
a time information acquisition unit, configured to instruct the client to obtain initialization time information and the time information of sending the data encryption instruction;
a current time calculation unit, configured to instruct the client to calculate the client's current time based on the initialization time information and the time information of sending the data encryption instruction;
a first secret key generation unit, configured to instruct the client to generate a timestamp from the current time, and to instruct the client to generate the first secret key based on the timestamp.
The above embodiment discloses a data encryption processing apparatus. When encrypting data, the present application generates a random character string on the server side and encrypts it with the first secret key uploaded by the client to obtain a second secret key; it then encrypts the data to be encrypted with the second secret key to obtain ciphertext data, and finally stores the ciphertext data and the random character string on the server side. When decrypting data, it first reads the ciphertext data and the random character string, then encrypts the random character string it has read with the first secret key uploaded by the client to obtain the second secret key, and finally decrypts the ciphertext data with the second secret key to obtain the plaintext data. In the present application, the key used to encrypt and decrypt the data is not the first secret key provided directly by the client but a second secret key generated from the first secret key and the random character string. Because the second secret key is generated in this way, even if the first secret key is stolen the ciphertext data still cannot be decrypted, which improves the security of information encryption on the server side.
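The encryption, mixing and decryption flow summarized above, as added example code that is not taken from the patent. The patent names no algorithms, so everything concrete here is an assumption: HMAC-SHA256 stands in for "encrypting the random character string with the first secret key", a standard-library HMAC keystream with an authentication tag stands in for the data cipher, the ciphertext is hex-encoded so that the assumed cut marker `|` can never collide with ciphertext content, and four cuts are used.

```python
import hashlib
import hmac
import secrets

MARK = "|"       # assumed data cut marker; cannot occur in hex text
RAND_LEN = 32    # assumed length of the random character string


def derive_second_key(first_key: bytes, random_string: str) -> bytes:
    """Assumed stand-in for 'encrypt the random string with the first key':
    a deterministic keyed transform, so decryption can repeat it."""
    return hmac.new(first_key, random_string.encode(), hashlib.sha256).digest()


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Stdlib-only stand-in for an authenticated cipher (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _open(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered record")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def mix(cipher_hex: str, random_string: str, n_cuts: int = 4) -> str:
    """Cut the ciphertext at n random positions and insert one marked
    piece of the random string at each cut."""
    n_cuts = max(1, min(n_cuts, len(random_string), len(cipher_hex) - 1))
    rng = secrets.SystemRandom()
    cuts = sorted(rng.sample(range(1, len(cipher_hex)), n_cuts))
    q, r = divmod(len(random_string), n_cuts)
    pieces, pos = [], 0
    for i in range(n_cuts):
        size = q + (1 if i < r else 0)
        pieces.append(random_string[pos:pos + size])
        pos += size
    out, prev = [], 0
    for cut, piece in zip(cuts, pieces):
        out += [cipher_hex[prev:cut], MARK, piece, MARK]
        prev = cut
    out.append(cipher_hex[prev:])
    return "".join(out)


def unmix(mixed: str):
    """Return (cipher_hex, random_string) recovered from a mixed record."""
    parts = mixed.split(MARK)
    if len(parts) < 3 or len(parts) % 2 == 0:
        raise ValueError("malformed record: unbalanced cut markers")
    # Even-indexed parts are ciphertext, odd-indexed parts are pieces.
    return "".join(parts[0::2]), "".join(parts[1::2])


def encrypt_record(first_key: bytes, plaintext: bytes) -> str:
    random_string = secrets.token_hex(RAND_LEN // 2)
    second_key = derive_second_key(first_key, random_string)
    cipher_hex = _seal(second_key, plaintext).hex()
    return mix(cipher_hex, random_string)  # the second key is never stored


def decrypt_record(first_key: bytes, mixed: str) -> bytes:
    cipher_hex, random_string = unmix(mixed)
    second_key = derive_second_key(first_key, random_string)
    return _open(second_key, bytes.fromhex(cipher_hex))
```

Because the random character string is stored inside the mixed record, it behaves like a per-record salt: the stored record together with the first secret key is sufficient to decrypt, so the first secret key still has to be protected in transit and at rest.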
To solve the above technical problem, an embodiment of the present application further provides a computer device. Refer to FIG. 4, which is a block diagram of the basic structure of the computer device of this embodiment.
The computer device 4 includes a memory 41, a processor 42 and a network interface 43 that are communicatively connected to one another through a system bus. Note that the figure shows only a computer device 4 with components 41-43, but it should be understood that not all of the illustrated components are required, and more or fewer components may be implemented instead. Those skilled in the art will understand that the computer device here is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and that its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASIC), field-programmable gate arrays (FPGA), digital signal processors (DSP), embedded devices and the like.
The computer device may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The computer device can interact with the user through a keyboard, a mouse, a remote control, a touchpad, a voice control device or the like.
The memory 41 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc and the like. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as its hard disk or internal memory. In other embodiments, the memory 41 may be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the computer device 4. The memory 41 may also include both an internal storage unit of the computer device 4 and an external storage device. In this embodiment, the memory 41 is generally used to store the operating system and the various application software installed on the computer device 4, for example the computer-readable instructions of the data encryption processing method. The memory 41 can also be used to temporarily store various data that has been output or is about to be output.
In some embodiments the processor 42 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 42 is generally used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is used to run the computer-readable instructions stored in the memory 41 or to process data, for example to run the computer-readable instructions of the data encryption processing method.
The network interface 43 may include a wireless network interface or a wired network interface, and is generally used to establish a communication connection between the computer device 4 and other electronic devices.
The present application discloses a computer device. When encrypting data, the present application generates a random character string on the server side and encrypts it with the first secret key uploaded by the client to obtain a second secret key; it then encrypts the data to be encrypted with the second secret key to obtain ciphertext data, and finally stores the ciphertext data and the random character string on the server side. When decrypting data, it first reads the ciphertext data and the random character string, then encrypts the random character string it has read with the first secret key uploaded by the client to obtain the second secret key, and finally decrypts the ciphertext data with the second secret key to obtain the plaintext data. In the present application, the key used to encrypt and decrypt the data is not the first secret key provided directly by the client but a second secret key generated from the first secret key and the random character string. Because the second secret key is generated in this way, even if the first secret key is stolen the ciphertext data still cannot be decrypted, which improves the security of information encryption on the server side.
The present application also provides another implementation, namely a computer-readable storage medium, which may be non-volatile or volatile. The computer-readable storage medium stores computer-readable instructions that can be executed by at least one processor, so that the at least one processor performs the steps of the data encryption processing method described above.
The present application discloses a storage medium. When encrypting data, the present application generates a random character string on the server side and encrypts it with the first secret key uploaded by the client to obtain a second secret key; it then encrypts the data to be encrypted with the second secret key to obtain ciphertext data, and finally stores the ciphertext data and the random character string on the server side. When decrypting data, it first reads the ciphertext data and the random character string, then encrypts the random character string it has read with the first secret key uploaded by the client to obtain the second secret key, and finally decrypts the ciphertext data with the second secret key to obtain the plaintext data. In the present application, the key used to encrypt and decrypt the data is not the first secret key provided directly by the client but a second secret key generated from the first secret key and the random character string. Because the second secret key is generated in this way, even if the first secret key is stolen the ciphertext data still cannot be decrypted, which improves the security of information encryption on the server side.
From the description of the above implementations, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to perform the methods described in the embodiments of the present application.
Obviously, the embodiments described above are only some of the embodiments of the present application, not all of them. The drawings show preferred embodiments of the present application but do not limit its patent scope. The present application may be implemented in many different forms; rather, these embodiments are provided so that the disclosure of the present application will be understood more thoroughly and comprehensively. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions recorded in the foregoing specific implementations, or make equivalent replacements of some of their technical features. Any equivalent structure made using the contents of the description and drawings of the present application, applied directly or indirectly in other related technical fields, likewise falls within the scope of patent protection of the present application.

Claims (20)

  1. A data encryption processing method, comprising:
    receiving a data encryption instruction, and obtaining data to be encrypted uploaded by a client and a first secret key used to encrypt the data to be encrypted;
    generating a random character string corresponding to the data to be encrypted, and encrypting the random character string with the first secret key to generate a second secret key;
    encrypting the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
    receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key;
    decrypting the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
  2. The data encryption processing method according to claim 1, wherein, after the step of encrypting the data to be encrypted based on the second secret key to obtain the ciphertext data corresponding to the data to be encrypted, the method further comprises:
    adding the random character string to the ciphertext data to obtain mixed data;
    storing the mixed data in local storage, and deleting the second secret key.
  3. The data encryption processing method according to claim 2, wherein the step of adding the random character string to the ciphertext data to obtain mixed data specifically comprises:
    segmenting the ciphertext data, and determining the positions and number of data cuts;
    segmenting the random character string based on the number of data cuts to obtain several sub-characters;
    setting a data cut marker, and based on the data cut marker inserting the several sub-characters in sequence at the corresponding positions of the data cuts to obtain the mixed data.
  4. The data encryption processing method according to claim 3, wherein the step of receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key specifically comprises:
    receiving the data decryption instruction, reading the mixed data, and identifying the data cut markers in the mixed data;
    splitting the mixed data based on the data cut markers to obtain the several sub-characters;
    combining the several sub-characters to obtain the random character string;
    receiving the first secret key uploaded by the client, and encrypting the random character string with the first secret key to obtain the second secret key.
  5. The data encryption processing method according to any one of claims 1 to 4, wherein the step of receiving a data encryption instruction and obtaining the data to be encrypted uploaded by the client specifically comprises:
    receiving the data encryption instruction, and generating a key pair based on the data encryption instruction, the key pair including a public key and a private key;
    sending the public key to the client, and instructing the client to encrypt the data to be encrypted and the first secret key with the public key;
    and instructing the client to upload the encrypted data to be encrypted and the encrypted first secret key.
  6. The data encryption processing method according to claim 5, wherein, after the step of receiving a data encryption instruction and obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted, the method further comprises:
    receiving the encrypted data to be encrypted and the encrypted first secret key;
    invoking the private key, and decrypting the encrypted data to be encrypted and the encrypted first secret key with the private key to obtain the data to be encrypted and the first secret key.
  7. The data encryption processing method according to claim 5, wherein, after receiving the data encryption instruction and generating the key pair based on the data encryption instruction, the method further comprises:
    instructing the client to obtain initialization time information and the time information of sending the data encryption instruction;
    instructing the client to calculate the client's current time based on the initialization time information and the time information of sending the data encryption instruction;
    instructing the client to generate a timestamp from the current time, and instructing the client to generate the first secret key based on the timestamp.
  8. A data encryption processing apparatus, comprising:
    a first instruction receiving module, configured to receive a data encryption instruction and obtain data to be encrypted uploaded by a client and a first secret key used to encrypt the data to be encrypted;
    a random secret key generation module, configured to generate a random character string corresponding to the data to be encrypted, and to encrypt the random character string with the first secret key to generate a second secret key;
    a ciphertext data generation module, configured to encrypt the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
    a second instruction receiving module, configured to receive a data decryption instruction, read the ciphertext data and the random character string, and encrypt the random character string with the first secret key to obtain the second secret key;
    a ciphertext data decryption module, configured to decrypt the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
  9. A computer device, characterized in that it comprises a memory and a processor, the memory storing computer-readable instructions, and the processor, when executing the computer-readable instructions, implementing the following steps of a data encryption processing method:
    receiving a data encryption instruction, and obtaining data to be encrypted uploaded by a client and a first secret key used to encrypt the data to be encrypted;
    generating a random character string corresponding to the data to be encrypted, and encrypting the random character string with the first secret key to generate a second secret key;
    encrypting the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
    receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key;
    decrypting the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
  10. The computer device according to claim 9, wherein, after the step of encrypting the data to be encrypted based on the second secret key to obtain the ciphertext data corresponding to the data to be encrypted, the steps further comprise:
    adding the random character string to the ciphertext data to obtain mixed data;
    storing the mixed data in local storage, and deleting the second secret key.
  11. The computer device according to claim 10, wherein the step of adding the random character string to the ciphertext data to obtain mixed data specifically comprises:
    segmenting the ciphertext data, and determining the positions and number of data cuts;
    segmenting the random character string based on the number of data cuts to obtain several sub-characters;
    setting a data cut marker, and based on the data cut marker inserting the several sub-characters in sequence at the corresponding positions of the data cuts to obtain the mixed data.
  12. The computer device according to claim 11, wherein the step of receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key specifically comprises:
    receiving the data decryption instruction, reading the mixed data, and identifying the data cut markers in the mixed data;
    splitting the mixed data based on the data cut markers to obtain the several sub-characters;
    combining the several sub-characters to obtain the random character string;
    receiving the first secret key uploaded by the client, and encrypting the random character string with the first secret key to obtain the second secret key.
  13. The computer device according to any one of claims 9 to 12, wherein the step of receiving a data encryption instruction and obtaining the data to be encrypted uploaded by the client specifically comprises:
    receiving the data encryption instruction, and generating a key pair based on the data encryption instruction, the key pair including a public key and a private key;
    sending the public key to the client, and instructing the client to encrypt the data to be encrypted and the first secret key with the public key;
    and instructing the client to upload the encrypted data to be encrypted and the encrypted first secret key.
  14. The computer device according to claim 13, wherein, after the step of receiving a data encryption instruction and obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted, the steps further comprise:
    receiving the encrypted data to be encrypted and the encrypted first secret key;
    invoking the private key, and decrypting the encrypted data to be encrypted and the encrypted first secret key with the private key to obtain the data to be encrypted and the first secret key.
  15. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质上存储有计算机可读指令,所述计算机可读指令被处理器执行时实现如下所述的数据加密处理方法的步骤:A computer-readable storage medium, characterized in that computer-readable instructions are stored on the computer-readable storage medium, and when the computer-readable instructions are executed by a processor, the following steps of the data encryption processing method are implemented:
    接收数据加密指令,获取客户端上传的待加密数据和用于加密所述待加密数据的第一秘钥;Receiving a data encryption instruction, obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted;
    生成与所述待加密数据对应的随机字符串,并通过所述第一秘钥对所述随机字符串进行加密,生成第二秘钥;generating a random character string corresponding to the data to be encrypted, and encrypting the random character string with the first secret key to generate a second secret key;
    基于所述第二秘钥对所述待加密数据进行加密,得到所述待加密数据对应的密文数据;Encrypting the data to be encrypted based on the second secret key to obtain ciphertext data corresponding to the data to be encrypted;
    接收数据解密指令,读取所述密文数据和所述随机字符串,并通过所述第一秘钥对所述随机字符串进行加密,得到所述第二秘钥;receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key;
    基于所述第二秘钥对所述密文数据进行解密,得到所述待加密数据对应的明文数据。Decrypting the ciphertext data based on the second secret key to obtain plaintext data corresponding to the data to be encrypted.
  16. The computer-readable storage medium according to claim 15, wherein, after the step of encrypting the data to be encrypted based on the second secret key to obtain the ciphertext data corresponding to the data to be encrypted, the method further comprises:
    adding the random character string to the ciphertext data to obtain mixed data;
    storing the mixed data in a local memory, and deleting the second secret key.
  17. The computer-readable storage medium according to claim 16, wherein the step of adding the random character string to the ciphertext data to obtain mixed data specifically comprises:
    segmenting the ciphertext data, and determining the positions and number of data cuts;
    segmenting the random character string based on the number of data cuts to obtain several sub-characters;
    setting a data cut identifier, and, based on the data cut identifier, inserting the several sub-characters in sequence at the corresponding positions of the data cuts to obtain the mixed data.
  18. The computer-readable storage medium according to claim 17, wherein the step of receiving a data decryption instruction, reading the ciphertext data and the random character string, and encrypting the random character string with the first secret key to obtain the second secret key specifically comprises:
    receiving the data decryption instruction, reading the mixed data, and identifying the data cut identifier in the mixed data;
    splitting the mixed data based on the data cut identifier to obtain the several sub-characters;
    combining the several sub-characters to obtain the random character string;
    receiving the first secret key uploaded by the client, and encrypting the random character string with the first secret key to obtain the second secret key.
  19. The computer-readable storage medium according to any one of claims 15 to 18, wherein the step of receiving a data encryption instruction and obtaining the data to be encrypted uploaded by the client specifically comprises:
    receiving the data encryption instruction, and generating a key pair based on the data encryption instruction, the key pair comprising a public key and a private key;
    sending the public key to the client, and instructing the client to use the public key to encrypt the data to be encrypted and the first secret key;
    and instructing the client to upload the encrypted data to be encrypted and the encrypted first secret key.
  20. The computer-readable storage medium according to claim 19, wherein, after the step of receiving a data encryption instruction and obtaining the data to be encrypted uploaded by the client and the first secret key used to encrypt the data to be encrypted, the method further comprises:
    receiving the data to be encrypted and the first secret key in encrypted form;
    invoking the private key and using it to decrypt the encrypted data to be encrypted and the encrypted first secret key, to obtain the data to be encrypted and the first secret key.
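
The flow of claims 15 to 18, as an added Python example that is not part of the patent text. Assumptions: HMAC-SHA256 stands in for "encrypting the random character string with the first secret key", a toy HMAC-counter stream cipher stands in for the data cipher, and the bracket cut identifiers, hex encoding, even cut spacing and all function names are hypothetical.

```python
import hashlib, hmac, re, secrets, string

# Assumed data cut identifiers: they never occur in hex ciphertext or in ALPHABET.
MARK_OPEN, MARK_CLOSE = "[", "]"
ALPHABET = string.ascii_letters + string.digits
PIECE = re.compile(re.escape(MARK_OPEN) + "(.*?)" + re.escape(MARK_CLOSE))

def derive_second_key(first_key, rand):
    # Stand-in (assumption) for encrypting the random string with the first key.
    return hmac.new(first_key, rand.encode(), hashlib.sha256).digest()

def keystream_xor(key, data):
    # Toy stdlib-only stream cipher (assumption); it provides no integrity check.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def mix(cipher_hex, rand, cuts):
    # Claim 17: split the random string into `cuts` pieces and insert each,
    # wrapped in cut identifiers, at evenly spaced positions in the ciphertext.
    if cuts < 1:
        raise ValueError("at least one data cut is required")
    size = -(-len(rand) // cuts)  # ceiling division
    out, prev = [], 0
    for i in range(1, cuts + 1):
        pos = i * len(cipher_hex) // (cuts + 1)
        piece = rand[(i - 1) * size:i * size]
        out += [cipher_hex[prev:pos], MARK_OPEN, piece, MARK_CLOSE]
        prev = pos
    return "".join(out) + cipher_hex[prev:]

def unmix(mixed):
    # Claim 18: find the cut identifiers, rejoin the pieces, recover ciphertext.
    return PIECE.sub("", mixed), "".join(PIECE.findall(mixed))

def encrypt(first_key, plaintext, cuts=4):
    rand = "".join(secrets.choice(ALPHABET) for _ in range(16))
    second_key = derive_second_key(first_key, rand)
    mixed = mix(keystream_xor(second_key, plaintext).hex(), rand, cuts)
    del second_key  # claim 16: only the mixed data is kept, never the second key
    return mixed

def decrypt(first_key, mixed):
    cipher_hex, rand = unmix(mixed)
    second_key = derive_second_key(first_key, rand)  # re-derived on demand
    return keystream_xor(second_key, bytes.fromhex(cipher_hex))
```

Because the random character string can be read back out of the mixed data by anyone who knows the cut identifier format, confidentiality in this example rests on the first secret key alone.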
PCT/CN2022/071868 2021-06-01 2022-01-13 Data encryption processing method and apparatus, computer device, and storage medium WO2022252632A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110609708.7A CN113364760A (en) 2021-06-01 2021-06-01 Data encryption processing method and device, computer equipment and storage medium
CN202110609708.7 2021-06-01

Publications (1)

Publication Number Publication Date
WO2022252632A1 true WO2022252632A1 (en) 2022-12-08

Family

ID=77531005

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/071868 WO2022252632A1 (en) 2021-06-01 2022-01-13 Data encryption processing method and apparatus, computer device, and storage medium

Country Status (2)

Country Link
CN (1) CN113364760A (en)
WO (1) WO2022252632A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116010984A (en) * 2022-12-30 2023-04-25 深圳市广通软件有限公司 Multiple encryption storage method, device and equipment for relational database data
CN116015650A (en) * 2022-12-30 2023-04-25 广州今之港教育咨询有限公司 File encryption and decryption method and device and storage medium
CN116074112A (en) * 2023-03-06 2023-05-05 国家海洋技术中心 Data transmission device and method
CN116318686A (en) * 2023-05-17 2023-06-23 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113364760A (en) * 2021-06-01 2021-09-07 平安科技(深圳)有限公司 Data encryption processing method and device, computer equipment and storage medium
CN113517979B (en) * 2021-09-10 2021-12-31 北京智科车联科技有限公司 Encrypted communication method and device, vehicle-mounted terminal and communication platform
CN113783887B (en) * 2021-09-22 2023-07-18 广东九联科技股份有限公司 Remote control method, system and storage medium based on network communication
CN114221792B (en) * 2021-11-23 2023-06-16 杭州天宽科技有限公司 Internet data transmission encryption system
CN114244508B (en) * 2021-12-15 2023-07-28 平安科技(深圳)有限公司 Data encryption method, device, equipment and storage medium
CN114422188A (en) * 2021-12-21 2022-04-29 深圳市联洲国际技术有限公司 Serial port function control method and device of gateway equipment, storage medium and equipment
CN114285575B (en) * 2021-12-28 2024-04-05 中国电信股份有限公司 Image encryption and decryption method and device, storage medium and electronic device
CN114422209B (en) * 2021-12-30 2024-04-19 中国长城科技集团股份有限公司 Data processing method, device and storage medium
CN114531230B (en) * 2021-12-31 2024-01-23 华能信息技术有限公司 Data leakage prevention system and method based on industrial Internet
CN114726597B (en) * 2022-03-25 2024-04-26 华润数字科技(深圳)有限公司 Data transmission method, device, system and storage medium
CN116070232B (en) * 2022-11-18 2023-08-08 上海创蓝云智信息科技股份有限公司 Data security export method, device and storage medium
CN116208420B (en) * 2023-03-08 2024-03-12 武汉维高凡科技有限公司 Monitoring information safety transmission method, system, equipment and storage medium
CN116092623B (en) * 2023-04-12 2023-07-28 四川执象网络有限公司 Health data management method based on basic medical quality control
CN116451257B (en) * 2023-04-18 2024-01-02 北京白龙马云行科技有限公司 Encryption method and system for database data and electronic equipment
CN117744156A (en) * 2024-01-04 2024-03-22 深圳前海百丰咨询有限公司 Enterprise data resource management method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102325320A (en) * 2011-09-14 2012-01-18 北京握奇数据系统有限公司 A kind of wireless security communication means and system
CN103684761A (en) * 2013-12-25 2014-03-26 广西宝恒电子科技有限公司 Coding and decoding method
CN106599698A (en) * 2015-10-19 2017-04-26 腾讯科技(深圳)有限公司 Method and device for picture encryption, and method and device for picture decryption
CN110324138A (en) * 2018-03-29 2019-10-11 阿里巴巴集团控股有限公司 Data encryption, decryption method and device
US20200266974A1 (en) * 2019-02-15 2020-08-20 Crypto Lab Inc. Apparatus for performing threshold design on secret key and method thereof
CN113364760A (en) * 2021-06-01 2021-09-07 平安科技(深圳)有限公司 Data encryption processing method and device, computer equipment and storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105591737A (en) * 2016-01-27 2016-05-18 浪潮(北京)电子信息产业有限公司 Data encryption, decryption and transmission methods and systems
CN107666479A (en) * 2017-08-02 2018-02-06 上海壹账通金融科技有限公司 Information encrypting and decrypting method, apparatus, computer equipment and storage medium
CN107920088A (en) * 2017-12-21 2018-04-17 深圳市四面信息科技有限公司 A kind of encipher-decipher method
CN108924108B (en) * 2018-06-21 2021-02-02 武汉斗鱼网络科技有限公司 Communication method for client and electronic equipment
CN109150499B (en) * 2018-08-29 2021-06-08 深圳市迷你玩科技有限公司 Method and device for dynamically encrypting data, computer equipment and storage medium
CN109617677A (en) * 2018-11-20 2019-04-12 深圳壹账通智能科技有限公司 Code key based on symmetric cryptography loses method for retrieving and relevant device
CN110213041A (en) * 2019-04-26 2019-09-06 五八有限公司 Data ciphering method, decryption method, device, electronic equipment and storage medium

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116010984A (en) * 2022-12-30 2023-04-25 深圳市广通软件有限公司 Multiple encryption storage method, device and equipment for relational database data
CN116015650A (en) * 2022-12-30 2023-04-25 广州今之港教育咨询有限公司 File encryption and decryption method and device and storage medium
CN116015650B (en) * 2022-12-30 2024-06-04 广州今之港教育咨询有限公司 File encryption and decryption method and device and storage medium
CN116074112A (en) * 2023-03-06 2023-05-05 国家海洋技术中心 Data transmission device and method
CN116074112B (en) * 2023-03-06 2023-06-23 国家海洋技术中心 Data transmission device and method
CN116318686A (en) * 2023-05-17 2023-06-23 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium
CN116318686B (en) * 2023-05-17 2023-09-05 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN113364760A (en) 2021-09-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22814685

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22814685

Country of ref document: EP

Kind code of ref document: A1