WO2023078055A1 - Method and system for securely sharing data between first area and second area - Google Patents


Info

Publication number: WO2023078055A1
Authority: WO (WIPO (PCT))
Prior art keywords: file, data, area, encrypted data, target user
Application number: PCT/CN2022/125185
Other languages: French (fr), Chinese (zh)
Inventors: 朱永春, 冯成林
Original assignee: 支付宝(杭州)信息技术有限公司, 蚂蚁区块链科技(上海)有限公司
Application filed by 支付宝(杭州)信息技术有限公司 and 蚂蚁区块链科技(上海)有限公司
Publication of WO2023078055A1

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/602 Providing cryptographic facilities or services
              • G06F21/604 Tools and structures for managing or administering access control systems
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2107 File encryption
              • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • One or more embodiments of this specification relate to the computer field, and in particular, to a method and system for securely sharing data between a first area and a second area.
  • One or more embodiments of this specification describe a method and system for securely sharing data between a first area and a second area, which can take into account both data sharing and data security.
  • a method for securely sharing data between a first area and a second area, wherein physical isolation is adopted between the first area and the second area and a gatekeeper is set; the second area is provided with a safe use platform; the method is performed in the first area and includes:
  • generating the evidence file according to the security management and control strategy configured for the encrypted data file;
  • the security management and control strategy includes the respective access rights of the plurality of users;
  • the security level of the first area is higher than that of the second area.
  • the encrypted data file is encrypted with an initial key; the key file includes a derived key obtained using the initial key.
  • the target access right is an access right for a target field of the encrypted data file
  • the key file is used to decrypt the data usage result of the target field
  • encrypting the plaintext data to be shared with multiple users of the safe use platform to generate encrypted data files includes:
  • the access rights include at least one of the following:
  • the generating the certificate file according to the security management and control policy configured for the encrypted data file includes:
  • the security management and control policy is encrypted to generate the certificate file.
  • the second area further includes a blockchain network; the certificate deposit file is stored in the blockchain network by the safe use platform.
  • the method also includes:
  • an updated evidence storage file is generated
  • the updated certificate storage file is transmitted to the safe use platform through the gatekeeper, so that it can perform security management and control according to the security management and control strategy in the updated certificate storage file.
  • a method for securely sharing data between a first area and a second area, wherein physical isolation is adopted between the first area and the second area and a gatekeeper is set; the second area is provided with a safe use platform; the method is performed in the second area and includes:
  • the target user among the multiple users of the safe use platform obtains the encrypted data file and the key file through the gatekeeper; wherein the encrypted data file is obtained by encrypting the plaintext data in the first area; the key file corresponds to the target access authority of the target user to the encrypted data file; the encrypted data file needs to be accessed through the safe use platform using the key file;
  • the safe use platform obtains the certificate storage file from the first area through the gatekeeper; the certificate storage file is generated according to the security management and control strategy configured for the encrypted data file, wherein the security management and control strategy includes the respective access rights of the multiple users;
  • the target user sends a data usage request, requesting to use the key file to access the encrypted data file;
  • the secure use platform controls the target user's use of the data in the encrypted data file according to the security management and control policy in the certificate storage file.
  • the method also includes:
  • the safe use platform performs identity authentication on the target user, and controls the target user's use of the data in the encrypted data file when the authentication is passed.
  • the safe use platform is deployed with a decryption toolkit
  • the target user sends a data usage request, including:
  • the target user requests to invoke the decryption toolkit
  • the controlling the use of the data in the encrypted data file by the target user includes:
  • the use of data in the encrypted data file is controlled according to the security management policy and by using the key file.
  • the controlling the use of data in the encrypted data file by the target user includes:
  • according to the target access authority, performing data use on the encrypted data file to obtain a ciphertext result
  • the key file is used to perform result processing on the ciphertext result to obtain a data processing result fed back to the target user.
  • the data usage includes query or ciphertext-state (encrypted-state) computation.
  • the target access authority includes a data usage mode, which indicates the type of operation that the target user is allowed to perform;
  • performing data use on the encrypted data file to obtain a ciphertext result includes:
  • the target access authority includes the data usage frequency allowed by the target user
  • performing data use on the encrypted data file to obtain a ciphertext result includes:
  • the target access authority includes data usage control, which indicates that data usage results are allowed to be displayed in plaintext;
  • using the key file to perform result processing on the ciphertext result to obtain a data processing result fed back to the target user includes:
  • the target access authority includes data usage control, which indicates that the results of data usage are displayed in a desensitized manner
  • using the key file to perform result processing on the ciphertext result to obtain a data processing result fed back to the target user includes:
  • Desensitization is performed on the plaintext result to obtain a desensitization result as the data processing result.
  • the target access right is an access right for a target field of the encrypted data file
  • the use of data is a data use for the target field
  • the second area also includes a blockchain network; the method also includes:
  • the safe use platform stores the certificate file in the blockchain network
  • the safe use platform reads the certificate deposit file from the blockchain network in response to the data use request.
  • the method also includes:
  • the safe use platform obtains an updated certificate file from the first area through the gatekeeper, and stores the updated file in the blockchain network;
  • the reading of the certificate storage file from the blockchain network includes: reading the latest recorded certificate storage file in the blockchain network as the certificate storage file.
  • a system for securely sharing data between a first area and a second area, wherein physical isolation is adopted between the first area and the second area and a gatekeeper is set; the second area is equipped with a safe use platform; the system is set in the first area and includes:
  • an encryption unit configured to encrypt the plaintext data to be shared with multiple users of the safe use platform to generate encrypted data files;
  • a key generation unit configured to generate a corresponding key file according to the target access authority of the target user among the multiple users to the encrypted data file generated by the encryption unit; wherein the encrypted data file needs to be accessed through the secure use platform using said key file;
  • the certificate storage generation unit is configured to generate the certificate storage file according to the security management and control strategy configured for the encrypted data file generated by the encryption unit; wherein the security management and control strategy includes the respective access rights of the plurality of users;
  • a transmission unit configured to transmit the encrypted data file and the key file to the target user through the gatekeeper; transmit the certificate storage file to the safe use platform through the gatekeeper,
  • the safe use platform controls the use of the data in the encrypted data file by the target user according to the security management and control policy in the certificate storage file.
  • a system for securely sharing data between a first area and a second area, wherein physical isolation is adopted between the first area and the second area and a gatekeeper is set; the second area is equipped with a safe use platform; the system is set in the second area and includes:
  • the target user among the multiple users of the safe use platform is used to obtain the encrypted data file and the key file through the gatekeeper; wherein the encrypted data file is obtained by encrypting the plaintext data in the first area; the key file corresponds to the target user's target access authority to the encrypted data file; the encrypted data file needs to be accessed through the safe use platform using the key file;
  • the safe use platform is used to obtain the certificate storage file from the first area through the gatekeeper; the certificate storage file is generated according to the security management and control strategy configured for the encrypted data file, wherein the security management and control policy includes the respective access rights of the multiple users;
  • the target user is also used to issue a data usage request, requesting to use the key file to access the encrypted data file;
  • the secure use platform is further configured to control the target user's use of the data in the encrypted data file in response to the data use request according to the security management and control policy in the certificate storage file.
  • a computer-readable storage medium on which a computer program is stored, and when the computer program is executed in a computer, it causes the computer to execute the method of the first aspect or the second aspect.
  • a computing device including a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, the method of the first aspect or the second aspect is implemented.
  • the second area is equipped with a safe use platform; in the first area, firstly, the plaintext data to be shared with multiple users of the safe use platform is encrypted to generate an encrypted data file; then a corresponding key file is generated according to the target access rights of the target user among the multiple users to the encrypted data file, wherein the encrypted data file needs to be accessed through the safe use platform using the key file; then a certificate file is generated according to the security management and control strategy configured for the encrypted data file, wherein the security management and control strategy includes the respective access rights of the multiple users; finally, the encrypted data file and the key file are transmitted to the target user through the gatekeeper, and the certificate storage file is transmitted to the safe use platform through the gatekeeper, so that the safe use platform controls the use of the data in the encrypted data file by the target user according to the security management and control policy in the certificate storage file.
  • the first area does not directly transmit the plaintext data to the second area, but encrypts the plaintext data to generate an encrypted data file, generates a key file corresponding to the target user's target access rights, and generates a certificate file according to the security management and control strategy; it then transmits the encrypted data file, the key file and the certificate file to the second area through the gatekeeper, so that the safe use platform controls the target user's use of the data in the encrypted data file. This makes the data available but invisible, and improves the data owner's ability to control the shared data, thereby taking into account both data sharing and data security.
  • Figure 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification
  • Fig. 2 shows a schematic interaction diagram of a method for securely sharing data between a first area and a second area according to an embodiment
  • Fig. 3 shows a schematic flowchart of a method for securely sharing data between regions applied to a power grid according to an embodiment
  • Fig. 4 shows a schematic block diagram of a system for securely sharing data between a first area and a second area according to an embodiment
  • Fig. 5 shows a schematic block diagram of a system for securely sharing data between a first area and a second area according to another embodiment.
  • Fig. 1 is a schematic diagram of an implementation scene of an embodiment disclosed in this specification.
  • This implementation scenario involves data security sharing between the first area and the second area, that is to say, both data sharing and data security need to be considered.
  • physical isolation is adopted between the first area and the second area, and a gatekeeper is provided; the second area is provided with a safe use platform.
  • the gatekeeper is an information security device that uses a solid-state switch with multiple control functions to read and write media and that connects two independent host systems. Since the two independent host systems are isolated by the gatekeeper, there is no physical connection, logical connection or communication protocol between the systems and no protocol-based information exchange, only a non-protocol ferry of data files. Therefore, the gatekeeper logically isolates and blocks all network connections that could potentially attack the internal network, making it impossible for external attackers to directly intrude into, attack or damage the internal network, thereby ensuring the security of the internal hosts.
  • the first area does not directly transmit the plaintext data to be shared with multiple users of the safe use platform to the second area, but encrypts the above plaintext data to generate an encrypted data file; generates a corresponding key file according to the target access authority of the target user among the multiple users to the encrypted data file; generates a deposit file according to the security management and control strategy configured for the encrypted data file; and then transmits the encrypted data file and the key file to the target user through the gatekeeper and transmits the certificate storage file to the safe use platform through the gatekeeper, so that the safe use platform can control the use of the data in the encrypted data file by the target user according to the security management and control policy in the certificate file.
  • Fig. 2 shows a schematic interaction diagram of a method for securely sharing data between a first area and a second area according to an embodiment.
  • the method may be based on the implementation scenario shown in Fig. 1: physical isolation is adopted between the first area and the second area, and a gatekeeper is set; the second area is provided with a safe use platform; the method is jointly executed by the first area and the second area. It should be noted that the first area and the second area mentioned in the embodiments of this specification may be artificially divided functional areas, each of which may be physically composed of one or more independent host systems.
  • the method for securely sharing data between the first area and the second area in this embodiment includes the following steps: step 21, the first area encrypts the plaintext data to be shared with multiple users of the safe use platform to generate an encrypted data file; step 22, the first area generates a corresponding key file according to the target access authority of the target user among the multiple users to the encrypted data file, wherein the encrypted data file needs to be accessed through the safe use platform using the key file; step 23, the first area generates a certificate file according to the security management and control strategy configured for the encrypted data file, wherein the security management and control strategy includes the respective access rights of the multiple users; step 24, the first area transmits the encrypted data file and the key file to the target user through the gatekeeper; step 25, the first area transmits the certificate storage file to the safe use platform through the gatekeeper.
  • step 26, the target user sends a data use request, requesting to use the key file to access the encrypted data file;
  • step 27, the safe use platform, in response to the data use request, controls the target user's use of the data in the encrypted data file according to the security management and control policy in the certificate storage file.
  • the first area encrypts the plaintext data to be shared with multiple users of the secure use platform to generate encrypted data files. It can be understood that the above-mentioned encrypted data files can be provided to multiple users of the safe use platform.
  • the security level of the first area is higher than that of the second area.
  • since the first region has a higher security level, while sharing data with the second region it is also necessary to ensure that the second region's use of the data is controllable, in order to ensure data security.
  • the encryption of the plaintext data to be shared with multiple users of the safe use platform to generate encrypted data files includes:
  • the first area generates a corresponding key file according to the target access authority of the target user among the multiple users to the encrypted data file; wherein the encrypted data file needs to be accessed through the safe use platform using the key file. It is understandable that the target user's use of the encrypted data file depends not only on the key file but also on the safe use platform.
  • the encrypted data file is encrypted with an initial key; the key file includes a derived key obtained using the initial key.
  • after the target user obtains the encrypted data file and the key file, the target user cannot use the key file to restore the encrypted data file to plaintext data, thereby ensuring that users in the second area cannot see the shared data of the first area.
  • the target access right is the access right to the target field of the encrypted data file
  • the key file is used to decrypt the data usage result of the target field
  • the encrypted data file includes multiple fields, and the target user may only have access rights to some of the fields.
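The field-level key scheme described in the preceding points, as an added example that is not the patent's own code: every field of the record is encrypted under a key derived from one initial key, and a user's key file carries derived keys only for that user's target fields, so the platform can decrypt those fields and nothing else. The HKDF-based derivation, the field names and the standard-library-only toy stream cipher are assumptions made for this illustration.

```python
"""Field-level derived keys for a shared encrypted data file (constructed example)."""
import hashlib
import hmac
import json
import os

HASH = hashlib.sha256


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256; prk plays the role of the initial key."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def field_key(initial_key: bytes, field: str) -> bytes:
    """Per-field derived key; the initial key itself never leaves the first area."""
    return hkdf_expand(initial_key, b"field:" + field.encode())


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-counter stream cipher (assumption, so the example needs no third-party
    library). An authenticated cipher such as AES-GCM would be used in practice; the
    point here is which key unlocks which field, not the cipher itself."""
    out = bytearray()
    size = HASH().digest_size
    for offset in range(0, len(data), size):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), HASH).digest()
        chunk = data[offset:offset + size]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_record(initial_key: bytes, record: dict) -> dict:
    """First area, step 21: the encrypted data file holds one ciphertext per field."""
    encrypted = {}
    for field, value in record.items():
        nonce = os.urandom(16)
        ciphertext = keystream_xor(field_key(initial_key, field), nonce,
                                   json.dumps(value).encode())
        encrypted[field] = {"nonce": nonce.hex(), "ct": ciphertext.hex()}
    return encrypted


def make_key_file(initial_key: bytes, allowed_fields: list) -> dict:
    """First area, step 22: a user's key file carries derived keys only for the
    target fields covered by that user's access right."""
    return {f: field_key(initial_key, f).hex() for f in allowed_fields}


def decrypt_field(key_file: dict, encrypted: dict, field: str):
    """Secure use platform: decrypt one field with the user's key file.
    Returns None when the key file has no key for that field."""
    if field not in key_file:
        return None
    entry = encrypted[field]
    plaintext = keystream_xor(bytes.fromhex(key_file[field]),
                              bytes.fromhex(entry["nonce"]),
                              bytes.fromhex(entry["ct"]))
    return json.loads(plaintext)


# Constructed sample record: grid-operations data shared with a low-security user.
RECORD = {"plant_id": "P-17", "load_mw": 412.5, "operator_phone": "1391000881"}


def demo() -> dict:
    """User A is entitled to plant_id and load_mw only; the phone field stays sealed."""
    initial_key = os.urandom(32)
    encrypted = encrypt_record(initial_key, RECORD)
    key_file_a = make_key_file(initial_key, ["plant_id", "load_mw"])
    return {
        "load_mw": decrypt_field(key_file_a, encrypted, "load_mw"),
        "operator_phone": decrypt_field(key_file_a, encrypted, "operator_phone"),
        "fields_in_key_file": sorted(key_file_a),
    }


if __name__ == "__main__":
    print(demo())
```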
  • the first area generates a certificate file according to the security management and control policy configured for the encrypted data file; wherein the security management and control policy includes the respective access rights of the multiple users. It can be understood that the security management and control policy specifies how each user uses encrypted data files.
  • the access rights include at least one of the following:
  • the data usage pattern indicates that only addition calculations are allowed
  • the data usage frequency indicates that the number of uses per year does not exceed 10,000 times
  • the data usage control indicates that the results of data usage are desensitized and displayed.
  • the generation of the certificate file according to the security management and control strategy configured for the encrypted data file includes:
  • the security management and control policy is encrypted to generate the certificate file.
  • the secure use platform can decrypt the certificate file; encrypting the security control policy prevents other parties from tampering with it.
  • the first region transmits the encrypted data file and the key file to the target user through the gatekeeper.
  • since the encrypted data file needs to be shared with multiple users in the second area, the encrypted data file and the key file corresponding to each user need to be transmitted to each user through the gatekeeper.
  • That is to say, different users may have different key files.
  • multiple key files may be generated according to the respective access rights of different users, and each key file corresponds to the access rights of the corresponding users.
  • in step 22, key file A is generated according to the access authority of user A to the encrypted data file; key file B is generated according to the access authority of user B to the encrypted data file; and key file C is generated according to the access authority of user C to the encrypted data file.
  • the first area transmits the encrypted data file and key file A to user A through the gatekeeper; the first area transmits the encrypted data file and key file B to user B through the gatekeeper; the first area transmits the encrypted data file and key file C to user C through the gatekeeper.
  • the first area transmits the certificate storage file to the safe use platform through the gatekeeper.
  • the safe use platform is the medium for users to use encrypted data files, and the use of encrypted data files by users is controlled by relying on the safe use platform.
  • the method also includes:
  • the first area generates updated evidence storage files according to the updated security management and control strategy
  • the updated certificate storage file is transmitted to the safe use platform through the gatekeeper, so that it can perform security management and control according to the security management and control strategy in the updated certificate storage file.
  • the target user sends a data usage request, requesting to use the key file to access the encrypted data file.
  • the specific user may be a device or a device cluster.
  • an instruction may be issued manually to trigger the target user to issue a data usage request.
  • the secure use platform controls the target user's use of the data in the encrypted data file in response to the data use request and according to the security management and control policy in the certificate storage file.
  • the above control may include, but is not limited to, restrictions on data usage patterns, data usage frequency, and the like.
  • the second area further includes a blockchain network; the certificate deposit file is stored in the blockchain network by the safe use platform.
  • Blockchain technology is not a single information technology. It relies on existing peer-to-peer network communication technology, consensus algorithm, asymmetric encryption technology, data storage technology, etc., and adds original combinations and innovations to achieve new functions.
  • the essence and core of the blockchain network is a distributed ledger.
  • the transaction data in the network is packaged into blocks, stamped with digital watermarks, and linked to this ledger in chronological order. All nodes in the network hold a copy of the ledger, synchronize with each other through the consensus protocol, and jointly maintain the updating of the ledger.
  • the blockchain uses mathematics or cryptography to realize that once the information stored in the ledger is recorded in the ledger, the record will never be modified, and the data can only be updated by adding blocks.
  • Blockchain addresses the pain points of many industries. It is characterized by a distributed architecture, trustlessness, tamper resistance, forgery resistance and easy traceability, and is widely expected to completely change current business operation modes and create new types of business model.
  • the method also includes:
  • the safe use platform performs identity authentication on the target user, and controls the target user's use of the data in the encrypted data file when the authentication is passed.
  • the identity authentication of the target user may be performed, but not limited to, by means of adding an account number and a password.
  • the secure usage platform is deployed with a decryption toolkit
  • the target user sends a data usage request, including:
  • the target user requests to invoke the decryption toolkit
  • the controlling the use of the data in the encrypted data file by the target user includes:
  • the use of data in the encrypted data file is controlled according to the security management policy and by using the key file.
  • controlling the use of data in the encrypted data file by the target user includes:
  • according to the target access authority, performing data use on the encrypted data file to obtain a ciphertext result
  • the key file is used to perform result processing on the ciphertext result to obtain a data processing result fed back to the target user.
  • the data usage includes query or ciphertext-state (encrypted-state) computation.
  • the target access authority includes a data usage mode, which indicates the type of operation that the target user is allowed to perform;
  • performing data use on the encrypted data file to obtain a ciphertext result includes:
  • the target access authority includes the data usage frequency allowed by the target user
  • performing data use on the encrypted data file to obtain a ciphertext result includes:
  • the target access authority includes data usage control, which indicates that data usage results are allowed to be displayed in plaintext;
  • using the key file to perform result processing on the ciphertext result to obtain a data processing result fed back to the target user includes:
  • the target access authority includes data usage control, which indicates that the results of data usage are displayed in a desensitized manner
  • using the key file to perform result processing on the ciphertext result to obtain a data processing result fed back to the target user includes:
  • Desensitization is performed on the plaintext result to obtain a desensitization result as the data processing result.
  • the ciphertext result is a string of uninterpretable characters, unreadable and unusable; data usage control may need to convert the ciphertext result into a decrypted state without displaying it directly in plaintext, so another layer of desensitization control is added. For example, if the ciphertext result is "rasmuslerdorf", the plaintext result "1391000881" is obtained after decryption, and the desensitized display is "139****881".
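The controls the text attaches to a target access authority (usage mode, usage frequency, usage control with plaintext or desensitized display), together with the rule that the most recently received certificate file is the one in force, as an added example that is not the patent's own code. The policy layout, user names, yearly cap and record values are constructed for this illustration; the masking follows the "1391000881" to "139****881" example above.

```python
"""Policy enforcement on the secure use platform (constructed example)."""
from collections import Counter

# Constructed certificate files, oldest first. Each carries the security management
# and control policy: one access right per user of the platform.
CERTIFICATE_LOG = [
    {"version": 1, "rights": {
        "user_a": {"mode": {"query", "add"}, "max_uses_per_year": 10000, "display": "desensitized"},
        "user_b": {"mode": {"add"}, "max_uses_per_year": 3, "display": "plaintext"},
    }},
]

# Constructed record as it stands after decryption inside the platform.
RECORD = {"operator_phone": "1391000881", "load_mw": 412.5, "reserve_mw": 88.0}


class PolicyViolation(Exception):
    """Raised when a data usage request falls outside the user's access right."""


def desensitize(value: str, keep_head: int = 3, keep_tail: int = 3) -> str:
    """Mask the middle of a plaintext result: '1391000881' -> '139****881'."""
    hidden = len(value) - keep_head - keep_tail
    if hidden <= 0:
        return "*" * len(value)
    return value[:keep_head] + "*" * hidden + value[-keep_tail:]


class SecureUsePlatform:
    def __init__(self, certificate_log: list, year: int):
        self.certificate_log = certificate_log
        self.year = year            # fixed so the frequency counter is reproducible
        self.usage = Counter()      # (user, year) -> uses so far

    def current_policy(self) -> dict:
        """The latest recorded certificate file is the one in force."""
        return self.certificate_log[-1]["rights"]

    def receive_certificate(self, certificate: dict) -> None:
        """An updated certificate file arrives through the gatekeeper and is appended."""
        self.certificate_log.append(certificate)

    def _authorize(self, user: str, operation: str) -> dict:
        """Check mode and frequency; count the use only when it is allowed."""
        rights = self.current_policy().get(user)
        if rights is None:
            raise PolicyViolation(f"{user}: no access right in the policy")
        if operation not in rights["mode"]:
            raise PolicyViolation(f"{user}: usage mode forbids {operation}")
        if self.usage[(user, self.year)] >= rights["max_uses_per_year"]:
            raise PolicyViolation(f"{user}: usage frequency exhausted for {self.year}")
        self.usage[(user, self.year)] += 1
        return rights

    def use(self, user: str, operation: str, fields: list) -> str:
        """Handle one data usage request and return the result the user may see."""
        rights = self._authorize(user, operation)
        if operation == "add":
            result = str(sum(RECORD[f] for f in fields))
        elif operation == "query":
            result = ",".join(str(RECORD[f]) for f in fields)
        else:
            raise PolicyViolation(f"{user}: unknown operation {operation}")
        return desensitize(result) if rights["display"] == "desensitized" else result


def demo() -> dict:
    """Walk one platform through all three controls and a policy update."""
    platform = SecureUsePlatform(list(CERTIFICATE_LOG), year=2022)
    out = {"a_query": platform.use("user_a", "query", ["operator_phone"]),
           "b_add": platform.use("user_b", "add", ["load_mw", "reserve_mw"])}
    try:
        platform.use("user_b", "query", ["operator_phone"])   # mode: add only
    except PolicyViolation as exc:
        out["b_query"] = str(exc)
    platform.use("user_b", "add", ["load_mw"])                # uses 2 and 3 of 3
    platform.use("user_b", "add", ["load_mw"])
    try:
        platform.use("user_b", "add", ["load_mw"])            # use 4 exceeds the cap
    except PolicyViolation as exc:
        out["b_frequency"] = str(exc)
    # An updated certificate file that no longer lists user_b revokes that user's rights.
    platform.receive_certificate({"version": 2, "rights": {
        "user_a": CERTIFICATE_LOG[0]["rights"]["user_a"]}})
    try:
        platform.use("user_b", "add", ["load_mw"])
    except PolicyViolation as exc:
        out["b_after_update"] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```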
  • the target access right is an access right for a target field of the encrypted data file
  • the use of data is a data use for the target field
  • the second area also includes a blockchain network; the method also includes:
  • the safe use platform stores the certificate file in the blockchain network
  • the safe use platform reads the certificate deposit file from the blockchain network in response to the data use request.
  • the method also includes:
  • the safe use platform obtains an updated certificate file from the first area through the gatekeeper, and stores the updated file in the blockchain network;
  • the reading of the certificate storage file from the blockchain network includes: reading the latest recorded certificate storage file in the blockchain network as the certificate storage file.
  • the second area is equipped with a safe use platform; in the first area, the plaintext data to be shared with multiple users of the safe use platform is first encrypted to generate an encrypted data file; then a corresponding key file is generated according to the target access authority of the target user among the multiple users to the encrypted data file, wherein the encrypted data file needs to be accessed through the safe use platform using the key file; then a certificate file is generated according to the security management and control strategy configured for the encrypted data file, wherein the security management and control strategy includes the respective access rights of the multiple users; finally, the encrypted data file and the key file are transmitted to the target user through the gatekeeper, and the certificate storage file is transmitted to the safe use platform through the gatekeeper, so that the safe use platform controls the use of the data in the encrypted data file by the target user according to the security management and control policy in the certificate storage file.
  • the first area does not directly transmit the plaintext data to the second area, but encrypts the plaintext data to generate an encrypted data file, generates a key file corresponding to the target user's target access rights, and generates a certificate file according to the security management and control strategy; it then transmits the encrypted data file, the key file and the certificate file to the second area through the gatekeeper, so that the safe use platform controls the target user's use of the data in the encrypted data file. This makes the data available but invisible, and improves the data owner's ability to control the shared data, thereby taking into account both data sharing and data security.
  • Fig. 3 shows a schematic flowchart of a method for securely sharing data between regions applied to a power grid according to an embodiment.
  • physical isolation is adopted between the high security area and the low security area, and a gatekeeper is provided, wherein the high security area is equivalent to the aforementioned first area, and the low security area is equivalent to the aforementioned second area.
  • the high-security area is equipped with a scheduling operation platform and a high-security area data source security adaptation platform.
  • the scheduling operation platform can generate a variety of data, such as operation management data, operation data, event information data, external compliance data and market operation data; the above data can be used as plaintext data to be shared with users in the low-security area.
  • the real-time data source access file generation system in the high-security area generates plaintext data files according to the predefined file generation format and file generation rules; the file generation system accesses the high-security area data source security adaptation platform, which encrypts the plaintext data files to generate encrypted data files (encrypted file generation) and generates key files according to each user's access rights to the encrypted data files, where different rights of different users correspond to different key files (data access key generation); according to the data management requirements of the high-security area, security management and control policies are configured for the encrypted data files shared in this round, including data user permissions such as data usage mode, data usage frequency and data usage control; once the policy is configured, a certificate file, i.e. a trusted certificate of the authority records, is generated.
  • the low-security area is equipped with a data security chain, a low-security area encrypted data security use platform (referred to as a safe use platform) and multiple users.
  • the above-mentioned data security chain belongs to the blockchain network.
  • the above-mentioned multiple users include a power grid management platform, a customer service platform and an operation management platform. The safe use platform stores the content of the trusted certificate of authority records on the chain to ensure the security and auditability of the data.
  • the users of each business system go through the safe use platform, which judges authority based on the latest certificate stored on the chain, uses the keys to access the encrypted data files according to that authority, performs encrypted-state computation and decrypts the results.
  • the data owner in the high-security area can transmit updated authority records through the gatekeeper at any time for trusted storage on the chain, thereby retaining control over the data.
  • the safe use platform can also generate trusted certificates of access records according to the user's use of encrypted data files, and store them on the chain to further ensure data security and auditability.
  • secure sharing of data across the gatekeeper is thus realized: trusted encrypted files are generated in the high-security area, where the data access rights are set and managed; the encrypted data files and keys are transmitted securely through the gatekeeper to the low-security area, which accesses and computes on the encrypted data according to the data authorization, so that the data is usable but not visible, meeting the requirements of both data sharing and data security.
  • a system for securely sharing data between the first area and the second area wherein physical isolation is adopted between the first area and the second area, and a gatekeeper is set
  • the second area is provided with a safe use platform; the system is installed in the first area, and is used to execute the actions performed in the first area in the method provided by the embodiment of this specification.
  • Fig. 4 shows a schematic block diagram of a system for securely sharing data between a first area and a second area according to an embodiment. As shown in Figure 4, the system 400 includes:
  • An encryption unit 41 configured to encrypt the plaintext data to be shared with multiple users of the safe use platform to generate encrypted data files
  • the key generation unit 42 is configured to generate a corresponding key file according to the target access authority of the target user among the multiple users to the encrypted data file generated by the encryption unit 41; wherein the encrypted data file needs to be accessed through the safe use platform using the key file;
  • a certificate generating unit 43 configured to generate a certificate file according to the security management and control strategy configured for the encrypted data file generated by the encryption unit 41; wherein the security management and control strategy includes the respective access rights of the plurality of users;
  • the transmission unit 44 is configured to transmit the encrypted data file and the key file to the target user through the gatekeeper; transmit the certificate storage file to the safe use platform through the gatekeeper so that the safe use platform controls the use of the data in the encrypted data file by the target user according to the security management and control policy in the certificate storage file.
  • the security level of the first area is higher than that of the second area.
  • the encrypted data file is encrypted with an initial key; the key file includes a derived key obtained using the initial key.
  • the target access authority is the access authority for the target field of the encrypted data file
  • the key file is used to decrypt the data usage result of the target field
  • the encryption unit 41 includes:
  • the generation subunit is configured to generate a plaintext data file from the plaintext data to be shared with multiple users of the safe use platform, according to the predefined file generation format and file generation rules;
  • An encryption subunit is configured to encrypt the plaintext data file generated by the generating subunit to generate the encrypted data file.
  • the access rights include at least one of the following: a data usage mode indicating the allowed operation types, a data usage frequency, and a data usage control indicating whether data usage results are displayed in plaintext or in desensitized form.
  • the certificate generating unit 43 is specifically configured to encrypt the security management and control policy to generate the certificate file.
  • the second area further includes a blockchain network; the certificate deposit file is stored in the blockchain network by the safe use platform.
  • the certificate generating unit 43 is further configured to generate an updated certificate file according to the updated security management and control policy
  • the transmission unit 44 is further configured to transmit the updated certificate file generated by the certificate generating unit 43 to the safe use platform through the gatekeeper, so that the platform performs security control according to the security management and control policy in the updated certificate file.
  • a system for securely sharing data between the first area and the second area wherein physical isolation is adopted between the first area and the second area, and a gatekeeper is set
  • the second area is provided with a safe use platform; the system is installed in the second area, and is used to execute the actions performed by the second area in the method provided by the embodiment of this specification.
  • Fig. 5 shows a schematic block diagram of a system for securely sharing data between a first area and a second area according to another embodiment. As shown in Figure 5, the system 500 includes:
  • the target user 51 in the plurality of users of the safe use platform is used to obtain encrypted data files and key files through the gatekeeper; wherein, the encrypted data files are obtained by encrypting the plaintext data in the first area;
  • the key file corresponds to the target access authority of the target user 51 to the encrypted data file; the encrypted data file needs to be accessed through the safe use platform 52 using the key file;
  • the safe use platform 52 is used to obtain the certificate deposit file from the first area through the gatekeeper; the certificate deposit file is generated according to the security management and control strategy configured for the encrypted data file, wherein the security The management and control policy includes the respective access rights of the plurality of users;
  • the target user 51 is also used to issue a data usage request, requesting to use the key file to access the encrypted data file;
  • the secure use platform 52 is further configured to control the use of the data in the encrypted data file by the target user 51 in response to the data use request according to the security management and control policy in the certificate storage file.
  • the secure use platform 52 is further configured to authenticate the target user 51 and, if the authentication passes, to control the target user 51's use of the data in the encrypted data file.
  • the safe use platform 52 is deployed with a decryption toolkit
  • the target user 51 sends a data usage request, including:
  • the target user 51 requests to call the decryption toolkit
  • the control of the use of the data in the encrypted data file by the target user 51 includes:
  • running the decryption toolkit, which controls the use of the data in the encrypted data file according to the security management and control policy and by using the key file.
  • controlling the use of the data in the encrypted data file by the target user 51 includes:
  • obtaining the target access authority corresponding to the target user 51 in the security management and control policy; performing data use on the encrypted data file according to the target access authority to obtain a ciphertext result;
  • processing the ciphertext result using the key file according to the target access authority, to obtain the data processing result fed back to the target user 51.
  • the data usage includes query or encrypted-state computation.
  • the target access authority includes a data usage mode, which indicates the type of operation that the target user is allowed to perform;
  • performing data use on the encrypted data file to obtain a ciphertext result includes: performing encrypted-state computation of that operation type on the encrypted data file to obtain the ciphertext result.
  • the target access authority includes the data usage frequency allowed by the target user 51;
  • performing data use on the encrypted data file to obtain a ciphertext result includes: performing data use on the encrypted data file only when the current usage frequency is not higher than the allowed data usage frequency.
  • the target access authority includes data usage control, which indicates that data usage results may be displayed in plaintext;
  • processing the ciphertext result using the key file according to the target access authority, to obtain the data processing result fed back to the target user 51, includes: decrypting the ciphertext result using the key file to obtain a plaintext result as the data processing result.
  • the target access authority includes data usage control, which indicates that data usage results are displayed in desensitized form;
  • processing the ciphertext result using the key file according to the target access authority, to obtain the data processing result fed back to the target user 51, includes:
  • decrypting the ciphertext result using the key file to obtain a plaintext result, and desensitizing the plaintext result to obtain a desensitized result as the data processing result.
  • the target access right is an access right for a target field of the encrypted data file
  • the use of data is a data use for the target field
  • the second area also includes a block chain network; the safe use platform 52 is also used to store the certificate deposit file in the block chain network;
  • the safe use platform 52 reads the certificate deposit file from the block chain network in response to the data use request.
  • the safe use platform 52 is further configured to obtain an updated certificate file from the first area through the gatekeeper, and store the updated certificate file in the block chain network;
  • the reading of the certificate storage file from the blockchain network includes: reading the latest recorded certificate storage file in the blockchain network as the certificate storage file.
  • a computer-readable storage medium on which a computer program is stored, and when the computer program is executed in a computer, the computer is instructed to execute the method described in conjunction with FIG. 2 or FIG. 3 .
  • a computing device including a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, the method described in conjunction with FIG. 2 or FIG. 3 is implemented.
  • the functions described in the present invention may be implemented by hardware, software, firmware or any combination thereof.
  • the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.

Abstract

Embodiments of the present description provides a method and system for securely sharing data between a first area and a second area, the second area being provided with a secure use platform. The first area: encrypts plaintext data of multiple users to be shared with the secure use platform so as to generate an encrypted data file; generates a key file according to a target permission of a target user in the multiple users to access the encrypted data file, where the encrypted data file needs to be accessed by using a key file via the secure use platform; generates a storage file according to a security management and control policy configured for the encrypted data file, where the security management and control policy comprises respective access permissions of the multiple users; transmits the encrypted data file and the key file to the target user via a gatekeeper; and transmits the storage file to the secure use platform via the gatekeeper, such that the secure use platform controls the use of data in the encrypted data file by the target user according to the security management and control policy in the storage file. The present invention considers both data sharing and data security.

Description

Method and system for securely sharing data between a first area and a second area
This application claims priority to Chinese patent application No. 202111315979.8, entitled "Method and system for securely sharing data between a first area and a second area", filed with the China National Intellectual Property Administration on November 8, 2021, the entire contents of which are incorporated herein by reference.
Technical field
One or more embodiments of this specification relate to the computer field, and in particular to a method and system for securely sharing data between a first area and a second area.
Background
While the state is vigorously promoting open data sharing, data sharing has always faced one core difficulty: data security.
In current data sharing scenarios, once data is transferred from the data owner to the data user, actual control of that data passes to the data user, who can retain it, use it in unauthorized scenarios or even resell it; the data owner has no control over how the data is used.
An improved scheme is therefore desired that can strengthen the data owner's control over shared data, so as to accommodate both data sharing and data security.
Summary of the invention
One or more embodiments of this specification describe a method and system for securely sharing data between a first area and a second area, which can accommodate both data sharing and data security.
In a first aspect, a method for securely sharing data between a first area and a second area is provided, wherein physical isolation is adopted between the first area and the second area and a gatekeeper is provided; the second area is provided with a safe use platform; the method is performed in the first area and includes:
encrypting the plaintext data to be shared with multiple users of the safe use platform to generate an encrypted data file;
generating a corresponding key file according to the target access authority of a target user among the multiple users to the encrypted data file; wherein the encrypted data file must be accessed through the safe use platform using the key file;
generating a certificate file according to the security management and control policy configured for the encrypted data file; wherein the security management and control policy includes the respective access rights of the multiple users;
transmitting the encrypted data file and the key file to the target user through the gatekeeper;
transmitting the certificate file to the safe use platform through the gatekeeper, so that the safe use platform controls the target user's use of the data in the encrypted data file according to the security management and control policy in the certificate file.
In a possible implementation, the security level of the first area is higher than that of the second area.
In a possible implementation, the encrypted data file is encrypted with an initial key; the key file contains a derived key obtained from the initial key.
In a possible implementation, the target access authority is the access authority for a target field of the encrypted data file, and the key file is used to decrypt the data usage result for the target field.
In a possible implementation, encrypting the plaintext data to be shared with multiple users of the safe use platform to generate an encrypted data file includes:
generating a plaintext data file from the plaintext data to be shared with the multiple users of the safe use platform, according to the predefined file generation format and file generation rules;
encrypting the plaintext data file to generate the encrypted data file.
In a possible implementation, the access rights include at least one of the following:
a data usage mode indicating the allowed operation types, a data usage frequency, and a data usage control indicating whether data usage results are displayed in plaintext or in desensitized form.
In a possible implementation, generating the certificate file according to the security management and control policy configured for the encrypted data file includes:
encrypting the security management and control policy to generate the certificate file.
In a possible implementation, the second area further includes a blockchain network; the certificate file is stored in the blockchain network by the safe use platform.
In a possible implementation, the method further includes:
generating an updated certificate file according to an updated security management and control policy;
transmitting the updated certificate file to the safe use platform through the gatekeeper, so that the platform performs security control according to the security management and control policy in the updated certificate file.
In a second aspect, a method for securely sharing data between a first area and a second area is provided, wherein physical isolation is adopted between the first area and the second area and a gatekeeper is provided; the second area is provided with a safe use platform; the method is performed in the second area and includes:
a target user among the multiple users of the safe use platform obtains an encrypted data file and a key file through the gatekeeper; wherein the encrypted data file is obtained by encrypting plaintext data in the first area; the key file corresponds to the target user's target access authority to the encrypted data file; the encrypted data file must be accessed through the safe use platform using the key file;
the safe use platform obtains a certificate file from the first area through the gatekeeper; the certificate file is generated according to the security management and control policy configured for the encrypted data file, wherein the policy includes the respective access rights of the multiple users;
the target user issues a data usage request, requesting to access the encrypted data file using the key file;
in response to the data usage request, the safe use platform controls the target user's use of the data in the encrypted data file according to the security management and control policy in the certificate file.
In a possible implementation, the method further includes:
the safe use platform authenticates the target user and, if the authentication passes, controls the target user's use of the data in the encrypted data file.
In a possible implementation, the safe use platform is deployed with a decryption toolkit;
the target user issuing a data usage request includes:
the target user requesting to invoke the decryption toolkit;
controlling the target user's use of the data in the encrypted data file includes:
running the decryption toolkit, which controls the use of the data in the encrypted data file according to the security management and control policy and by using the key file.
In a possible implementation, controlling the target user's use of the data in the encrypted data file includes:
obtaining the target access authority corresponding to the target user in the security management and control policy;
performing data use on the encrypted data file according to the target access authority to obtain a ciphertext result;
processing the ciphertext result using the key file according to the target access authority, to obtain the data processing result fed back to the target user.
Further, the data usage includes query or encrypted-state computation.
Further, the target access authority includes a data usage mode indicating the operation types the target user is allowed to perform;
performing data use on the encrypted data file according to the target access authority to obtain a ciphertext result includes:
performing encrypted-state computation of that operation type on the encrypted data file to obtain the ciphertext result.
Further, the target access authority includes the data usage frequency allowed for the target user;
performing data use on the encrypted data file according to the target access authority to obtain a ciphertext result includes:
performing data use on the encrypted data file only when the current usage frequency is not higher than the allowed data usage frequency.
Further, the target access authority includes data usage control, which indicates that data usage results may be displayed in plaintext;
processing the ciphertext result using the key file according to the target access authority, to obtain the data processing result fed back to the target user, includes:
decrypting the ciphertext result using the key file to obtain a plaintext result as the data processing result.
Further, the target access authority includes data usage control, which indicates that data usage results are displayed in desensitized form;
processing the ciphertext result using the key file according to the target access authority, to obtain the data processing result fed back to the target user, includes:
decrypting the ciphertext result using the key file to obtain a plaintext result;
desensitizing the plaintext result to obtain a desensitized result as the data processing result.
In a possible implementation, the target access authority is the access authority for a target field of the encrypted data file, and the data use is data use of that target field.
In a possible implementation, the second area further includes a blockchain network; the method further includes:
the safe use platform stores the certificate file in the blockchain network;
in response to the data usage request, the safe use platform reads the certificate file from the blockchain network.
Further, the method further includes:
the safe use platform obtains an updated certificate file from the first area through the gatekeeper and stores the updated certificate file in the blockchain network;
reading the certificate file from the blockchain network includes: reading the most recently recorded certificate file in the blockchain network as the certificate file.
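The two halves of the procedure above (first area: encrypt, derive per-field keys, emit an encrypted policy; second area: authenticate, read the latest policy record, check usage mode and frequency, decrypt and desensitize) are shown end to end in the following Python model. This is an added example, not code from the patent or from the applicants' platform. Everything in it is an assumption for illustration: the field names and record format, the policy schema (`fields`, `modes`, `max_uses`, `display`), a shared-secret authentication check, a `cert_key` pre-provisioned to the platform so it can open the encrypted certificate file, an in-memory list standing in for the blockchain, and a stdlib HMAC-based stream cipher standing in for a real AEAD such as AES-GCM. Only the "query" usage mode is modelled; encrypted-state computation is not implemented. The sample records and policy are constructed.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 12, 16
FIELDS = ["meter_id", "phone", "load_kw"]  # assumed predefined file generation format


def derive_key(initial_key: bytes, label: bytes) -> bytes:
    """Derive a per-purpose key from the initial key (HKDF-style expand via HMAC-SHA256)."""
    return hmac.new(initial_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: bytes) -> bytes:
    """Toy HMAC-CTR stream cipher with encrypt-then-MAC; stands in for a real AEAD such as AES-GCM."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(derive_key(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(derive_key(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def desensitize(value: str) -> str:
    """Mask all but the first and last three characters: "1391000881" -> "139****881"."""
    return "*" * len(value) if len(value) <= 6 else value[:3] + "*" * (len(value) - 6) + value[-3:]


def first_area_share(records, policy, target_user, initial_key, cert_key):
    """First area: build the encrypted data file, the target user's key file and the certificate file."""
    field_keys = {f: derive_key(initial_key, b"field:" + f.encode()) for f in FIELDS}
    encrypted_file = [{f: seal(field_keys[f], str(r[f]).encode()).hex() for f in FIELDS} for r in records]
    # the key file carries derived keys only for the fields this user's access right covers
    key_file = {f: field_keys[f].hex() for f in policy["users"][target_user]["fields"]}
    # the certificate file is the policy encrypted under a key assumed pre-provisioned to the platform
    cert_file = seal(cert_key, json.dumps(policy).encode())
    return encrypted_file, key_file, cert_file


class SafeUsePlatform:
    """Second area: enforces the latest on-chain policy before any decryption happens."""

    def __init__(self, cert_key: bytes, credentials: dict):
        self.cert_key, self.credentials = cert_key, credentials  # user -> shared secret (assumed)
        self.chain, self.usage = [], {}  # append-only list stands in for the blockchain; per-user use counters

    def store_certificate(self, cert_file: bytes):
        self.chain.append(cert_file)

    def use_data(self, user, secret, key_file, encrypted_file, field, mode):
        if not hmac.compare_digest(self.credentials.get(user, ""), secret):
            raise PermissionError("authentication failed")
        rights = json.loads(unseal(self.cert_key, self.chain[-1]))["users"].get(user)  # latest record wins
        if rights is None or field not in rights["fields"]:
            raise PermissionError("no access right for field " + field)
        if mode not in rights["modes"]:
            raise PermissionError("usage mode not allowed: " + mode)
        if self.usage.get(user, 0) >= rights["max_uses"]:
            raise PermissionError("allowed usage frequency exhausted")
        self.usage[user] = self.usage.get(user, 0) + 1
        ciphertext_result = [bytes.fromhex(row[field]) for row in encrypted_file]  # query: still unreadable
        plaintext_result = [unseal(bytes.fromhex(key_file[field]), c).decode() for c in ciphertext_result]
        return [desensitize(v) for v in plaintext_result] if rights["display"] == "desensitized" else plaintext_result


def demo():
    """Constructed walk-through: share, use under a desensitized policy, then revoke via an updated certificate."""
    initial_key, cert_key = secrets.token_bytes(32), secrets.token_bytes(32)
    records = [{"meter_id": "M-001", "phone": "1391000881", "load_kw": 12},
               {"meter_id": "M-002", "phone": "1380000123", "load_kw": 7}]
    policy = {"users": {"grid_mgmt": {"fields": ["phone", "load_kw"], "modes": ["query"],
                                      "max_uses": 2, "display": "desensitized"}}}
    enc, keys, cert = first_area_share(records, policy, "grid_mgmt", initial_key, cert_key)
    platform = SafeUsePlatform(cert_key, {"grid_mgmt": "s3cret"})
    platform.store_certificate(cert)
    masked = platform.use_data("grid_mgmt", "s3cret", keys, enc, "phone", "query")
    policy["users"]["grid_mgmt"]["fields"] = ["load_kw"]  # owner revokes the phone field
    platform.store_certificate(first_area_share(records, policy, "grid_mgmt", initial_key, cert_key)[2])
    try:
        platform.use_data("grid_mgmt", "s3cret", keys, enc, "phone", "query")
        revoked = False
    except PermissionError:
        revoked = True
    return masked, revoked
```

`demo()` returns the desensitized phone column and `True` for the revoked second request. The revocation case is the one worth noticing: the user's key file still contains the derived key for `phone`, yet the platform refuses because the most recent certificate on the chain no longer grants that field. That is exactly the control the scheme describes, and also its trust boundary: the owner's control holds only as long as the key file is usable solely through the safe use platform and its decryption toolkit, since a user who can apply the derived key outside the platform is not bound by the policy.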
第三方面,提供了一种在第一区域和第二区域间数据安全共享的系统,其中,所述第一区域和第二区域之间采用了物理隔离,并设置有网闸;所述第二区域设置有安全使用 平台;所述系统设置在第一区域,包括:In the third aspect, a system for securely sharing data between the first area and the second area is provided, wherein physical isolation is adopted between the first area and the second area, and a gatekeeper is set; the first area The second area is equipped with a safe use platform; the system is set in the first area, including:
加密单元,用于对待共享给所述安全使用平台的多个用户的明文数据进行加密,生成加密数据文件;An encryption unit is used to encrypt the plaintext data to be shared with multiple users of the safe use platform to generate encrypted data files;
密钥生成单元,用于根据所述多个用户中的目标用户对所述加密单元生成的加密数据文件的目标访问权限,生成对应的密钥文件;其中,所述加密数据文件需通过所述安全使用平台,使用所述密钥文件进行访问;A key generation unit, configured to generate a corresponding key file according to the target access authority of the target user among the multiple users to the encrypted data file generated by the encryption unit; wherein, the encrypted data file needs to be passed through the secure use of the platform, using said key file for access;
存证生成单元,用于根据对所述加密单元生成的加密数据文件配置的安全管控策略,生成存证文件;其中,所述安全管控策略包括所述多个用户各自的访问权限;The certificate storage generation unit is configured to generate the certificate storage file according to the security management and control strategy configured for the encrypted data file generated by the encryption unit; wherein the security management and control strategy includes the respective access rights of the plurality of users;
传输单元,用于将所述加密数据文件和所述密钥文件,通过所述网闸传输给所述目标用户;将所述存证文件,通过所述网闸传输给所述安全使用平台,以使所述安全使用平台根据所述存证文件中的所述安全管控策略,控制所述目标用户对所述加密数据文件中数据的使用。a transmission unit, configured to transmit the encrypted data file and the key file to the target user through the gatekeeper; transmit the certificate storage file to the safe use platform through the gatekeeper, The safe use platform controls the use of the data in the encrypted data file by the target user according to the security management and control policy in the certificate storage file.
第四方面,提供了一种在第一区域和第二区域间数据安全共享的系统,其中,所述第一区域和第二区域之间采用了物理隔离,并设置有网闸;所述第二区域设置有安全使用平台;所述系统设置在第二区域,包括:In the fourth aspect, a system for securely sharing data between the first area and the second area is provided, wherein physical isolation is adopted between the first area and the second area, and a gatekeeper is set; the first area The second area is equipped with a safe use platform; the system is set in the second area, including:
所述安全使用平台的多个用户中的目标用户,用于通过网闸,获取加密数据文件和密钥文件;其中,所述加密数据文件为第一区域的明文数据经过加密得到的;所述密钥文件对应于所述目标用户对所述加密数据文件的目标访问权限;所述加密数据文件需通过所述安全使用平台,使用所述密钥文件进行访问;The target user in the multiple users of the safe use platform is used to obtain the encrypted data file and the key file through the gatekeeper; wherein, the encrypted data file is obtained by encrypting the plaintext data in the first area; the The key file corresponds to the target user's target access authority to the encrypted data file; the encrypted data file needs to be accessed through the safe use platform using the key file;
所述安全使用平台,用于通过所述网闸从所述第一区域获取存证文件;所述存证文件根据对所述加密数据文件配置的安全管控策略而生成,其中,所述安全管控策略包括所述多个用户各自的访问权限;The safe use platform is used to obtain the certificate storage file from the first area through the gatekeeper; the certificate storage file is generated according to the security management and control strategy configured for the encrypted data file, wherein the security management and control a policy comprising respective access rights of the plurality of users;
所述目标用户,还用于发出数据使用请求,请求利用所述密钥文件访问所述加密数据文件;The target user is also used to issue a data usage request, requesting to use the key file to access the encrypted data file;
所述安全使用平台,还用于响应于所述数据使用请求,根据所述存证文件中的所述安全管控策略,控制所述目标用户对所述加密数据文件中数据的使用。The secure use platform is further configured to control the target user's use of the data in the encrypted data file in response to the data use request according to the security management and control policy in the certificate storage file.
In a fifth aspect, a computer-readable storage medium is provided, on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the method of the first aspect or the second aspect.
In a sixth aspect, a computing device is provided, including a memory and a processor, the memory storing executable code; when the processor executes the executable code, the method of the first aspect or the second aspect is implemented.
With the method and system provided by the embodiments of this specification, the first area and the second area are physically isolated and a network gatekeeper is arranged between them, and the second area is provided with a secure use platform. In the first area, the plaintext data to be shared with the multiple users of the secure use platform is first encrypted to generate an encrypted data file; then a corresponding key file is generated according to the target access right of a target user among the multiple users to the encrypted data file, where the encrypted data file must be accessed through the secure use platform using the key file; next, an evidence file is generated according to the security control policy configured for the encrypted data file, where the security control policy includes the respective access rights of the multiple users; finally, the encrypted data file and the key file are transmitted to the target user through the network gatekeeper, and the evidence file is transmitted to the secure use platform through the network gatekeeper, so that the secure use platform controls the target user's use of the data in the encrypted data file according to the security control policy in the evidence file.
It can be seen from the above that in the embodiments of this specification the first area does not transmit plaintext data directly to the second area. Instead, it encrypts the plaintext data to generate an encrypted data file, generates a key file corresponding to the target user's target access right, and generates an evidence file according to the security control policy; the encrypted data file, the key file and the evidence file are then transmitted to the second area through the network gatekeeper so that the secure use platform controls the target user's use of the data in the encrypted data file. The data is thus usable but not visible, which strengthens the data owner's control over the shared data and reconciles data sharing with data security.
Description of the Drawings
In order to describe the technical solutions of the embodiments of the present invention more clearly, the drawings required for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification;
Figure 2 is an interaction diagram of a method for securely sharing data between a first area and a second area according to an embodiment;
Figure 3 is a schematic flowchart of a method for securely sharing data between areas, applied to a power grid, according to an embodiment;
Figure 4 is a schematic block diagram of a system for securely sharing data between a first area and a second area according to an embodiment;
Figure 5 is a schematic block diagram of a system for securely sharing data between a first area and a second area according to another embodiment.
Detailed Description
The solutions provided in this specification are described below with reference to the drawings.
Figure 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification. The scenario concerns secure data sharing between a first area and a second area; that is, both data sharing and data security must be taken into account. Referring to Figure 1, the first area and the second area are physically isolated and a network gatekeeper is arranged between them; the second area is provided with a secure use platform. A network gatekeeper is an information security device that connects two independent host systems through a read/write medium driven by a solid-state switch with multiple control functions. Because the two independent host systems are isolated by the gatekeeper, there is no physical connection, logical connection or information transmission protocol between them and no protocol-based information exchange; only a protocol-free ferrying of data files takes place. The gatekeeper therefore logically isolates and blocks every network connection that could potentially be used to attack the internal network, so that an external attacker cannot directly intrude into, attack or damage the internal network, which protects the internal hosts.
In the embodiments of this specification, the first area does not transmit directly to the second area the plaintext data to be shared with the multiple users of the secure use platform. Instead, it encrypts the plaintext data to generate an encrypted data file; generates a corresponding key file according to the target access right of a target user among the multiple users to the encrypted data file; generates an evidence file according to the security control policy configured for the encrypted data file; and then transmits the encrypted data file and the key file to the target user through the network gatekeeper and the evidence file to the secure use platform through the network gatekeeper, so that the secure use platform controls the target user's use of the data in the encrypted data file according to the security control policy in the evidence file. In this way data is shared between the data owner and the data user while the data owner controls how the data user uses it, which strengthens the data owner's control over the shared data and reconciles data sharing with data security.
It should be noted that although Figure 1 shows only the target user, the data of the first area can be shared with multiple users of the secure use platform. Because each user may have different access rights to the encrypted data file, a key file corresponding to the respective access right must be generated for each user; that is, the key file obtained by each user may differ.
Figure 2 is an interaction diagram of a method for securely sharing data between a first area and a second area according to an embodiment. The method may be based on the scenario shown in Figure 1: the first area and the second area are physically isolated and a network gatekeeper is arranged between them, and the second area is provided with a secure use platform. The method is performed jointly by the first area and the second area. It should be noted that the first area and the second area mentioned in the embodiments of this specification may be functional areas divided by design, each physically made up of one or more independent host systems.
As shown in Figure 2, the method for securely sharing data between the first area and the second area in this embodiment includes the following steps. Step 21: the first area encrypts the plaintext data to be shared with the multiple users of the secure use platform to generate an encrypted data file. Step 22: the first area generates a corresponding key file according to the target access right of a target user among the multiple users to the encrypted data file, where the encrypted data file must be accessed through the secure use platform using the key file. Step 23: the first area generates an evidence file according to the security control policy configured for the encrypted data file, where the security control policy includes the respective access rights of the multiple users. Step 24: the first area transmits the encrypted data file and the key file to the target user through the network gatekeeper. Step 25: the first area transmits the evidence file to the secure use platform through the network gatekeeper. Step 26: the target user issues a data usage request, requesting to access the encrypted data file using the key file. Step 27: in response to the data usage request, the secure use platform controls the target user's use of the data in the encrypted data file according to the security control policy in the evidence file. The specific way each of these steps is performed is described below.
First, in step 21, the first area encrypts the plaintext data to be shared with the multiple users of the secure use platform to generate an encrypted data file. It will be understood that this encrypted data file can be provided to multiple users of the secure use platform.
In one example, the security level of the first area is higher than that of the second area.
In this example, because the first area has the higher security level, while the data is shared for use by the second area, the second area's use of that data must remain controllable so that data security is preserved.
In one example, encrypting the plaintext data to be shared with the multiple users of the secure use platform to generate an encrypted data file includes:
generating a plaintext data file from the plaintext data to be shared with the multiple users of the secure use platform according to a predefined file generation format and file generation rules;
encrypting the plaintext data file to generate the encrypted data file.
Then, in step 22, the first area generates a corresponding key file according to the target access right of the target user among the multiple users to the encrypted data file, where the encrypted data file must be accessed through the secure use platform using the key file. It will be understood that the target user's use of the encrypted data file depends not only on the key file but also on the secure use platform.
In one example, the encrypted data file is encrypted with an initial key, and the key file contains a derived key obtained from the initial key.
In this example, after obtaining the encrypted data file and the key file, the target user cannot use the key file to recover the plaintext data from the encrypted data file, which ensures that, for users in the second area, the data shared by the first area is usable but not visible.
In one example, the target access right is an access right to a target field of the encrypted data file, and the key file is used to decrypt the data usage result for the target field.
In this example, the encrypted data file includes multiple fields, and the target user may have access rights to only some of them.
Next, in step 23, the first area generates an evidence file according to the security control policy configured for the encrypted data file, where the security control policy includes the respective access rights of the multiple users. It will be understood that the security control policy specifies exactly how each user may use the encrypted data file.
In one example, an access right includes at least one of the following:
a data usage mode indicating the types of operation allowed, a data usage frequency, and a data usage control indicating whether the data usage result is displayed in plaintext or in masked (desensitized) form.
For example, the data usage mode may indicate that only addition is allowed, the data usage frequency may indicate that the number of uses per year must not exceed 10,000, and the data usage control may indicate that data usage results are displayed in masked form.
In one example, generating an evidence file according to the security control policy configured for the encrypted data file includes:
encrypting the security control policy to generate the evidence file.
In this example, the secure use platform is able to decrypt the evidence file; encrypting the security control policy prevents other parties from tampering with it.
Then, in step 24, the first area transmits the encrypted data file and the key file to the target user through the network gatekeeper. It will be understood that when the encrypted data file is to be shared with multiple users in the second area, the encrypted data file and the key file corresponding to each user must be transmitted to each user separately through the network gatekeeper; that is, different users may have different key files.
In the embodiments of this specification, multiple key files may be generated for the same encrypted data file according to the respective access rights of different users, each key file corresponding to the access right of its user.
For example, in step 22, key file A is generated according to user A's access right to the encrypted data file, key file B according to user B's access right, and key file C according to user C's access right. In step 24, the first area transmits the encrypted data file and key file A to user A through the network gatekeeper, the encrypted data file and key file B to user B, and the encrypted data file and key file C to user C.
Then, in step 25, the first area transmits the evidence file to the secure use platform through the network gatekeeper. It will be understood that the secure use platform is the medium through which users use the encrypted data file, and control over the users' use of the encrypted data file relies on it.
In one example, the method further includes:
the first area generating an updated evidence file according to an updated security control policy;
transmitting the updated evidence file to the secure use platform through the network gatekeeper so that it performs security control according to the security control policy in the updated evidence file.
Then, in step 26, the target user issues a data usage request, requesting to access the encrypted data file using the key file. It will be understood that a user may specifically be a device or a cluster of devices.
In the embodiments of this specification, an instruction may be issued manually to trigger the target user to issue the data usage request.
Finally, in step 27, in response to the data usage request, the secure use platform controls the target user's use of the data in the encrypted data file according to the security control policy in the evidence file. It will be understood that this control may include, but is not limited to, restrictions on the data usage mode, the data usage frequency and the like.
In one example, the second area further includes a blockchain network, and the evidence file is stored in the blockchain network by the secure use platform.
Blockchain technology is not a single information technology; it builds on existing peer-to-peer network communication, consensus algorithms, asymmetric cryptography, data storage and other technologies, combined in an original way to achieve new functions. The essence and core of a blockchain network is a distributed ledger: transaction data in the network is packaged into blocks, stamped with a digital watermark and linked into the ledger in chronological order; all nodes in the network hold a copy of the ledger, synchronize with one another through a consensus protocol and jointly maintain its updates. In addition, the blockchain uses mathematics and cryptography to ensure that once information has been recorded in the ledger it can never be modified, and data can only be updated by appending blocks. Blockchain addresses pain points in many industries; with its distributed architecture and its trustless, tamper-proof, unforgeable and easily traceable properties, it is expected to fundamentally change current ways of doing business and create new business models.
In one example, the method further includes:
the secure use platform authenticating the identity of the target user and, if the authentication passes, controlling the target user's use of the data in the encrypted data file.
In this example, the target user may be authenticated by, but not limited to, an account and password.
In one example, a decryption toolkit is deployed on the secure use platform;
the target user issuing a data usage request includes:
the target user requesting to invoke the decryption toolkit;
controlling the target user's use of the data in the encrypted data file includes:
running the decryption toolkit to control the use of the data in the encrypted data file according to the security control policy and using the key file.
In one example, controlling the target user's use of the data in the encrypted data file includes:
obtaining, from the security control policy, the target access right corresponding to the target user;
performing data usage on the encrypted data file according to the target access right to obtain a ciphertext result;
performing result processing on the ciphertext result using the key file according to the target access right to obtain a data processing result that is fed back to the target user.
Further, the data usage includes a query or a computation over encrypted data.
Further, the target access right includes a data usage mode indicating the types of operation the target user is allowed to perform;
所述根据所述目标访问权限,对所述加密数据文件进行数据使用,获得密文结果,包括:According to the target access authority, performing data use on the encrypted data file to obtain a ciphertext result includes:
performing a computation of that operation type over the encrypted data file, in the encrypted domain, to obtain the ciphertext result.
Further, the target access right includes a data usage frequency allowed for the target user;
所述根据所述目标访问权限,对所述加密数据文件进行数据使用,获得密文结果,包括:According to the target access authority, performing data use on the encrypted data file to obtain a ciphertext result includes:
performing data usage on the encrypted data file only when the current usage frequency is not higher than the allowed data usage frequency.
Further, the target access right includes a data usage control indicating that data usage results may be displayed in plaintext;
所述根据所述目标访问权限,利用所述密钥文件对所述密文结果进行结果处理,得到反馈给所述目标用户的数据处理结果,包括:According to the target access authority, using the key file to perform result processing on the ciphertext result to obtain a data processing result fed back to the target user, including:
decrypting the ciphertext result using the key file to obtain a plaintext result as the data processing result.
Further, the target access right includes a data usage control indicating that data usage results are displayed in masked form;
所述根据所述目标访问权限,利用所述密钥文件对所述密文结果进行结果处理,得到反馈给所述目标用户的数据处理结果,包括:According to the target access authority, using the key file to perform result processing on the ciphertext result to obtain a data processing result fed back to the target user, including:
decrypting the ciphertext result using the key file to obtain a plaintext result;
masking the plaintext result to obtain a masked result as the data processing result.
It will be understood that the ciphertext result is a string of uninterpretable characters that is neither readable nor usable; the data usage control may require converting the ciphertext result into its decrypted form without displaying it directly in plaintext, so a further layer of masking control is added. For example, if the ciphertext result is "rasmuslerdorf", decryption yields the plaintext result "1391000881", which is displayed in masked form as "139****881".
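The control flow of steps 26 and 27 as described above (look up the user's access right, check field, operation and usage frequency, decrypt the ciphertext result with the key file, then mask the result), written as an added example that is not code from the patent. It assumes a JSON policy protected by an HMAC tag in place of the encrypted evidence file, a toy XOR keystream cipher for the data file (illustration only), per-field keys derived from the initial key, and an "add" operation that sums values after decryption inside the platform rather than in the encrypted domain; all keys, user names and records are constructed.

```python
# Added example: secure use platform policy enforcement (steps 26-27).
# Assumptions, not from the patent: evidence file = JSON + HMAC tag (standing in
# for the encryption the page describes); data fields encrypted with a toy XOR
# keystream (not a real cipher); key file = per-field keys derived from the
# initial key; "add" sums values after decryption inside the platform.
import hashlib
import hmac
import json

INITIAL_KEY = b"constructed-initial-key-of-the-first-area"
PLATFORM_KEY = b"constructed-key-shared-with-the-secure-use-platform"

# Constructed plaintext records of the first area (two fields each).
RECORDS = [
    {"phone": "1391000881", "load_kwh": "120"},
    {"phone": "1385550042", "load_kwh": "80"},
]

# Constructed security control policy: one access right per user.
POLICY = {"users": {
    "user_a": {"fields": ["phone"], "ops": ["query"], "frequency": 2, "display": "masked"},
    "user_b": {"fields": ["load_kwh"], "ops": ["add"], "frequency": 10000, "display": "plaintext"},
}}


def derive_key(initial_key: bytes, field: str) -> bytes:
    """Per-field derived key, so a key file never contains the initial key."""
    return hmac.new(initial_key, field.encode(), hashlib.sha256).digest()


def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream; symmetric, so it both encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_data_file() -> list:
    """Step 21: encrypt every field of every record under that field's key."""
    out = []
    for i, rec in enumerate(RECORDS):
        nonce = i.to_bytes(8, "big")
        fields = {f: toy_xor(derive_key(INITIAL_KEY, f), nonce, v.encode()).hex()
                  for f, v in rec.items()}
        out.append({"nonce": nonce.hex(), "fields": fields})
    return out


def build_key_file(fields: list) -> dict:
    """Step 22: the key file holds only the keys of the user's permitted fields."""
    return {f: derive_key(INITIAL_KEY, f).hex() for f in fields}


def make_evidence_file(policy: dict) -> dict:
    """Step 23: protect the policy so the platform can detect tampering."""
    body = json.dumps(policy, sort_keys=True)
    tag = hmac.new(PLATFORM_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"policy": body, "tag": tag}


def mask(value: str) -> str:
    """Keep the first and last three characters, as in "139****881"."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 6) + value[-3:]


class SecureUsePlatform:
    def __init__(self, evidence_file: dict, data_file: list):
        body = evidence_file["policy"]
        expected = hmac.new(PLATFORM_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence_file["tag"]):
            raise PermissionError("evidence file has been tampered with")
        self.policy = json.loads(body)
        self.data_file = data_file
        self.usage = {}  # user -> number of data uses so far

    def use_data(self, user: str, key_file: dict, op: str, field: str) -> list:
        """Step 27: enforce the user's access right, then process the result."""
        right = self.policy["users"].get(user)
        if right is None:
            raise PermissionError("user has no access right in the policy")
        if field not in right["fields"] or op not in right["ops"]:
            raise PermissionError("field or operation not permitted")
        if self.usage.get(user, 0) >= right["frequency"]:
            raise PermissionError("allowed data usage frequency exhausted")
        self.usage[user] = self.usage.get(user, 0) + 1
        # Data usage: the ciphertext result is the encrypted target field.
        ct_result = [(bytes.fromhex(r["nonce"]), bytes.fromhex(r["fields"][field]))
                     for r in self.data_file]
        # Result processing: decrypt with the key file the user submitted.
        key = bytes.fromhex(key_file[field])
        plain = [toy_xor(key, n, c).decode() for n, c in ct_result]
        if op == "add":
            plain = [str(sum(int(v) for v in plain))]
        return [mask(v) for v in plain] if right["display"] == "masked" else plain
```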
In one example, the target access right is an access right to a target field of the encrypted data file, and the data usage is data usage of that target field.
In one example, the second area further includes a blockchain network, and the method further includes:
the secure use platform storing the evidence file in the blockchain network;
the secure use platform reading the evidence file from the blockchain network in response to the data usage request.
Further, the method further includes:
the secure use platform obtaining an updated evidence file from the first area through the network gatekeeper and storing the updated evidence file in the blockchain network;
reading the evidence file from the blockchain network includes reading the most recently recorded evidence file in the blockchain network as the evidence file.
With the method provided by the embodiments of this specification, the first area and the second area are physically isolated and a network gatekeeper is arranged between them, and the second area is provided with a secure use platform. In the first area, the plaintext data to be shared with the multiple users of the secure use platform is first encrypted to generate an encrypted data file; then a corresponding key file is generated according to the target access right of a target user among the multiple users to the encrypted data file, where the encrypted data file must be accessed through the secure use platform using the key file; next, an evidence file is generated according to the security control policy configured for the encrypted data file, where the security control policy includes the respective access rights of the multiple users; finally, the encrypted data file and the key file are transmitted to the target user through the network gatekeeper, and the evidence file is transmitted to the secure use platform through the network gatekeeper, so that the secure use platform controls the target user's use of the data in the encrypted data file according to the security control policy in the evidence file.
It can be seen from the above that in the embodiments of this specification the first area does not transmit plaintext data directly to the second area. Instead, it encrypts the plaintext data to generate an encrypted data file, generates a key file corresponding to the target user's target access right, and generates an evidence file according to the security control policy; the encrypted data file, the key file and the evidence file are then transmitted to the second area through the network gatekeeper so that the secure use platform controls the target user's use of the data in the encrypted data file. The data is thus usable but not visible, which strengthens the data owner's control over the shared data and reconciles data sharing with data security.
Figure 3 is a schematic flowchart of a method for securely sharing data between areas, applied to a power grid, according to an embodiment. Referring to Figure 3, a high-security zone and a low-security zone are physically isolated and a network gatekeeper is arranged between them; the high-security zone corresponds to the first area described above and the low-security zone to the second area. The high-security zone is provided with a dispatch operation platform and a high-security-zone data source security adaptation platform. As a real-time data source, the dispatch operation platform can produce many kinds of data, for example operation management data, operation data, event information data, external data introduced under compliance requirements, and market operation data; this data can serve as the plaintext data to be shared with users in the low-security zone.
The real-time data source in the high-security zone accesses a file generation system, which generates plaintext data files in the high-security zone according to the predefined file generation format and file generation rules. The file generation system then accesses the high-security-zone data source security adaptation platform, which encrypts the plaintext data file to generate an encrypted data file (encrypted file generation) and generates key files according to the users' access rights to the encrypted data file, different rights of different users corresponding to different key files (data access key generation). At the same time, in accordance with the high-security zone's data management requirements, a security control policy is configured for the encrypted data file shared in this round, including data user permissions such as the data usage mode, data usage frequency, data usage control and other policy rules; once the security policy is configured, an evidence file is generated, namely the permission-record trusted evidence. The encrypted file, the data access keys and the permission-record trusted evidence are transmitted one way through the network gatekeeper to the low-security zone and distributed to the corresponding systems. The low-security zone is provided with a data security chain (数安链), a low-security-zone encrypted data secure use platform (the secure use platform for short) and its multiple users; the data security chain is a blockchain network, and the users include a power grid management platform, a customer service platform and an operations management platform. The secure use platform records the contents of the permission-record trusted evidence on the chain to ensure the security and auditability of the data.
Through the secure use platform, the users of each business system determine their permissions from the latest evidence on the chain, use their keys to access the encrypted data file according to those permissions, and perform computation over the encrypted data and decryption of the results.
高安全区的数据所有方可以随时通过网闸传输更新后的权限记录可信存证,保证对数据的掌控力。安全使用平台还可以根据用户对加密数据文件的使用情况,生成访问记录可信存证,将其上链存证,进一步确保数据的安全和可审计性。The data owner in the high-security zone can transmit the updated permission records through the network gatekeeper at any time for credible deposit to ensure control over the data. The safe use platform can also generate trusted certificates of access records according to the user's use of encrypted data files, and store them on the chain to further ensure data security and auditability.
本说明书实施例,通过设置于低安全区的数安链,实现数据跨网闸安全共享,实现数据在高安全区的可信加密文件生成与数据访问权限设置与管理,加密数据文件及密钥通过网闸向低安全区的安全传输,低安全区基于数据授权进行加密数据的访问与计算,实现数据可用不可见,兼顾了数据共享与数据安全两方面的要求。In the embodiment of this specification, through the data security chain set in the low security area, the safe sharing of data across the gatekeeper is realized, and the generation of trusted encrypted files and the setting and management of data access rights of data in the high security area are realized. Encrypted data files and keys Through the secure transmission of the gatekeeper to the low-security area, the low-security area accesses and calculates encrypted data based on data authorization, so that the data is available and invisible, taking into account the requirements of both data sharing and data security.
According to an embodiment of another aspect, a system for secure data sharing between a first area and a second area is also provided, wherein the first area and the second area are physically isolated from each other and a gatekeeper is provided; the second area is provided with a secure use platform; the system is deployed in the first area and is used to perform the actions performed by the first area in the methods provided by the embodiments of this specification. Fig. 4 shows a schematic block diagram of a system for secure data sharing between a first area and a second area according to one embodiment. As shown in Fig. 4, the system 400 comprises:
an encryption unit 41, configured to encrypt plaintext data to be shared with multiple users of the secure use platform and generate an encrypted data file;
a key generation unit 42, configured to generate a corresponding key file according to the target access right of a target user among the multiple users to the encrypted data file generated by the encryption unit 41; wherein the encrypted data file must be accessed through the secure use platform using the key file;
an attestation generation unit 43, configured to generate an attestation file according to a security management and control policy configured for the encrypted data file generated by the encryption unit 41; wherein the security management and control policy includes the respective access rights of the multiple users;
a transmission unit 44, configured to transmit the encrypted data file and the key file to the target user through the gatekeeper, and to transmit the attestation file to the secure use platform through the gatekeeper, so that the secure use platform controls the target user's use of the data in the encrypted data file according to the security management and control policy in the attestation file.
Optionally, as an embodiment, the security level of the first area is higher than that of the second area.
Optionally, as an embodiment, the encrypted data file is encrypted with an initial key; the key file contains a derived key obtained from the initial key.
Optionally, as an embodiment, the target access right is an access right to a target field of the encrypted data file, and the key file is used to decrypt the data usage result for the target field.
Optionally, as an embodiment, the encryption unit 41 comprises:
a generation subunit, configured to generate, from the plaintext data to be shared with the multiple users of the secure use platform, a plaintext data file according to a predefined file generation format and file generation rules;
an encryption subunit, configured to encrypt the plaintext data file generated by the generation subunit to produce the encrypted data file.
Optionally, as an embodiment, the access rights include at least one of the following:
a data usage mode indicating the types of operation permitted, a data usage frequency, and a data usage control indicating whether the data usage result is displayed in plaintext or in desensitized (masked) form.
Optionally, as an embodiment, the attestation generation unit 43 is specifically configured to encrypt the security management and control policy to generate the attestation file.
Optionally, as an embodiment, the second area further includes a blockchain network; the attestation file is stored in the blockchain network by the secure use platform.
Optionally, as an embodiment, the attestation generation unit 43 is further configured to generate an updated attestation file according to an updated security management and control policy;
the transmission unit 44 is further configured to transmit the updated attestation file generated by the attestation generation unit 43 to the secure use platform through the gatekeeper, so that it performs security management and control according to the security management and control policy in the updated attestation file.
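The first-area side described above (encryption unit, key generation unit, attestation generation unit) can be illustrated with the key hierarchy implied by the optional embodiments: one initial key for the file, per-field derived keys, and a key file per target user that carries only the derived keys for the fields that user's access right covers. The following Python is an added example and is not the applicant's code or part of the patent. It assumes HKDF-SHA256 (RFC 5869) as the derivation function, a JSON layout of my own devising for the security management and control policy, and an HMAC over the canonical policy as the attestation file's integrity seal (the page says the policy is encrypted to form the attestation file; the encryption layer is left out here). All identifiers and sample values are constructed.

```python
import hashlib
import hmac
import json

H = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK from the initial key, then expand."""
    prk = hmac.new(salt, ikm, H).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), H).digest()
        okm += block
        counter += 1
    return okm[:length]


def field_key(initial_key: bytes, file_id: str, field: str) -> bytes:
    """Derived key for one field of one encrypted data file. Knowing it reveals
    nothing about the initial key or about other fields' keys (assumed design)."""
    return hkdf(initial_key, salt=file_id.encode(), info=b"field:" + field.encode())


def make_key_file(initial_key: bytes, policy: dict, user: str) -> dict:
    """Key file for a target user: only the derived keys of the fields that the
    user's access right covers. The initial key itself never leaves the first area."""
    fields = policy["users"][user]["fields"]
    return {
        "file_id": policy["file_id"],
        "user": user,
        "field_keys": {f: field_key(initial_key, policy["file_id"], f).hex() for f in fields},
    }


def canonical(obj) -> bytes:
    """Deterministic JSON so that the same policy always seals to the same tag."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_attestation(policy_mac_key: bytes, policy: dict, version: int) -> dict:
    """Attestation file: versioned policy plus an HMAC over its canonical form."""
    body = {"version": version, "policy": policy}
    return {"body": body, "tag": hmac.new(policy_mac_key, canonical(body), H).hexdigest()}


def verify_attestation(policy_mac_key: bytes, attestation: dict) -> bool:
    """The secure use platform checks this before trusting a policy (assumed step)."""
    expected = hmac.new(policy_mac_key, canonical(attestation["body"]), H).hexdigest()
    return hmac.compare_digest(expected, attestation["tag"])


# Constructed sample policy (not from the page): the access rights named in the
# optional embodiments, i.e. target fields, data usage mode, frequency and control.
POLICY = {
    "file_id": "ops-data-2022-10-13",  # constructed file identifier
    "users": {
        "grid-mgmt": {"fields": ["load", "voltage"], "mode": ["query", "sum"],
                      "frequency": 100, "control": "plaintext"},
        "cust-svc": {"fields": ["load"], "mode": ["query"],
                     "frequency": 10, "control": "desensitized"},
    },
}


def first_area_outputs(initial_key: bytes, policy_mac_key: bytes):
    """What the first area pushes through the gatekeeper: one key file per user
    (sent to that user) and the attestation file (sent to the secure use platform)."""
    key_files = {u: make_key_file(initial_key, POLICY, u) for u in POLICY["users"]}
    return key_files, make_attestation(policy_mac_key, POLICY, version=1)


if __name__ == "__main__":
    kfs, att = first_area_outputs(b"\x01" * 32, b"\x02" * 32)
    print(json.dumps(kfs["cust-svc"], indent=2))
    print("attestation valid:", verify_attestation(b"\x02" * 32, att))
```

Two properties matter for the scheme: a user whose key file lists only `load` holds no material from which the `voltage` key could be computed, because HKDF is one-way in the initial key; and an attestation's tag binds the policy to its version, so an old tag cannot be reused to vouch for a changed or re-versioned policy.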
According to an embodiment of another aspect, a system for secure data sharing between a first area and a second area is also provided, wherein the first area and the second area are physically isolated from each other and a gatekeeper is provided; the second area is provided with a secure use platform; the system is deployed in the second area and is used to perform the actions performed by the second area in the methods provided by the embodiments of this specification. Fig. 5 shows a schematic block diagram of a system for secure data sharing between a first area and a second area according to another embodiment. As shown in Fig. 5, the system 500 comprises:
a target user 51 among the multiple users of the secure use platform, configured to obtain an encrypted data file and a key file through the gatekeeper; wherein the encrypted data file is obtained by encrypting plaintext data of the first area; the key file corresponds to the target access right of the target user 51 to the encrypted data file; and the encrypted data file must be accessed through the secure use platform 52 using the key file;
the secure use platform 52, configured to obtain an attestation file from the first area through the gatekeeper; the attestation file is generated according to a security management and control policy configured for the encrypted data file, wherein the security management and control policy includes the respective access rights of the multiple users;
the target user 51 is further configured to issue a data usage request, requesting to access the encrypted data file using the key file;
the secure use platform 52 is further configured, in response to the data usage request, to control the target user 51's use of the data in the encrypted data file according to the security management and control policy in the attestation file.
Optionally, as an embodiment, the secure use platform 52 is further configured to authenticate the identity of the target user 51 and, if authentication succeeds, to control the target user 51's use of the data in the encrypted data file.
Optionally, as an embodiment, the secure use platform 52 is deployed with a decryption toolkit;
the target user 51 issuing a data usage request comprises:
the target user 51 requesting invocation of the decryption toolkit;
and controlling the target user 51's use of the data in the encrypted data file comprises:
running the decryption toolkit to control the use of the data in the encrypted data file according to the security management and control policy and using the key file.
Optionally, as an embodiment, controlling the target user 51's use of the data in the encrypted data file comprises:
obtaining the target access right corresponding to the target user 51 from the security management and control policy;
performing data usage on the encrypted data file according to the target access right to obtain a ciphertext result;
performing result processing on the ciphertext result using the key file according to the target access right, to obtain a data processing result that is fed back to the target user 51.
Further, the data usage includes querying or ciphertext computation.
Further, the target access right includes a data usage mode indicating the types of operation the target user is permitted to perform;
performing data usage on the encrypted data file according to the target access right to obtain a ciphertext result comprises:
performing ciphertext computation of that operation type on the encrypted data file to obtain the ciphertext result.
Further, the target access right includes a data usage frequency permitted for the target user 51;
performing data usage on the encrypted data file according to the target access right to obtain a ciphertext result comprises:
performing data usage on the encrypted data file only when the current usage frequency is not higher than the permitted data usage frequency.
Further, the target access right includes a data usage control indicating that the data usage result may be displayed in plaintext;
performing result processing on the ciphertext result using the key file according to the target access right, to obtain the data processing result fed back to the target user 51, comprises:
decrypting the ciphertext result using the key file to obtain a plaintext result as the data processing result.
Further, the target access right includes a data usage control indicating that the data usage result is to be displayed in desensitized form;
performing result processing on the ciphertext result using the key file according to the target access right, to obtain the data processing result fed back to the target user 51, comprises:
decrypting the ciphertext result using the key file to obtain a plaintext result;
desensitizing the plaintext result to obtain a desensitized result as the data processing result.
Optionally, as an embodiment, the target access right is an access right to a target field of the encrypted data file, and the data usage is data usage on the target field.
Optionally, as an embodiment, the second area further includes a blockchain network; the secure use platform 52 is further configured to store the attestation file in the blockchain network;
the secure use platform 52 reads the attestation file from the blockchain network in response to the data usage request.
Further, the secure use platform 52 is further configured to obtain an updated attestation file from the first area through the gatekeeper and to store the updated attestation file in the blockchain network;
reading the attestation file from the blockchain network comprises reading the most recently recorded attestation file in the blockchain network as the attestation file.
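The second-area steps above (identity authentication, reading the latest attestation from the chain, checking the data usage mode and frequency, data usage on the ciphertext, and result processing in plaintext or desensitized form) are illustrated below. This is an added example, not the applicant's code: the blockchain network is stood in for by a plain list whose last record is the latest attestation, identity authentication by a constructed shared secret, and the cipher protecting the encrypted data file by a toy HMAC-SHA256 counter-mode keystream with an HMAC tag (a real deployment would use an authenticated cipher such as AES-GCM). Ciphertext computation is limited to a count, which needs no decryption, and a query, whose ciphertext result is decrypted with the user's derived key. Field names, readings, user names and policy values are all constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

H = hashlib.sha256


def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separate one field key into an encryption key and a MAC key."""
    return hmac.new(key, label, H).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), H).digest()
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (assumed construction): nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, H).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong derived key fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, H).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext result failed its integrity check")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def desensitize(value: str) -> str:
    """Data usage control 'desensitized': keep only the first and last character."""
    return value if len(value) <= 2 else value[0] + "*" * (len(value) - 2) + value[-1]


class SecureUsePlatform:
    """Second-area platform that enforces the attestation's policy on every request."""

    def __init__(self, chain, encrypted_file, auth_secrets):
        self.chain = chain                    # list standing in for the blockchain network
        self.encrypted_file = encrypted_file  # field -> list of sealed values
        self.auth_secrets = auth_secrets      # user -> constructed shared secret
        self.usage = defaultdict(int)         # (user, field) -> uses so far

    def handle(self, user, auth, key_file, field, op):
        if not hmac.compare_digest(auth, self.auth_secrets.get(user, b"")):
            raise PermissionError("authentication failed")        # identity authentication
        rights = self.chain[-1]["policy"]["users"].get(user)     # latest attestation wins
        if rights is None or field not in rights["fields"]:
            raise PermissionError(f"{user} has no right to field {field!r}")
        if op not in rights["mode"]:                             # data usage mode
            raise PermissionError(f"operation {op!r} not permitted")
        if self.usage[(user, field)] >= rights["frequency"]:     # data usage frequency
            raise PermissionError("data usage frequency exceeded")
        self.usage[(user, field)] += 1
        sealed = self.encrypted_file[field]                      # data usage on ciphertext
        if op == "count":
            return len(sealed)                                   # no decryption needed
        key = bytes.fromhex(key_file["field_keys"][field])
        plain = [open_sealed(key, c).decode() for c in sealed]   # result processing
        if rights["control"] == "plaintext":
            return plain
        return [desensitize(v) for v in plain]                   # data usage control


def build_scenario():
    """Constructed sample: three readings, two fields, two users, one attestation."""
    field_keys = {"load": secrets.token_bytes(32), "meter_id": secrets.token_bytes(32)}
    rows = [("42.5", "M-1001"), ("37.0", "M-1002"), ("51.2", "M-1003")]
    encrypted_file = {"load": [seal(field_keys["load"], r[0].encode()) for r in rows],
                      "meter_id": [seal(field_keys["meter_id"], r[1].encode()) for r in rows]}
    policy = {"users": {
        "grid-mgmt": {"fields": ["load", "meter_id"], "mode": ["query", "count"],
                      "frequency": 100, "control": "plaintext"},
        "cust-svc": {"fields": ["meter_id"], "mode": ["query"],
                     "frequency": 2, "control": "desensitized"}}}
    chain = [{"version": 1, "policy": policy}]
    auth_secrets = {"grid-mgmt": b"secret-grid", "cust-svc": b"secret-cs"}
    key_files = {u: {"user": u, "field_keys": {f: field_keys[f].hex()
                                                for f in policy["users"][u]["fields"]}}
                 for u in auth_secrets}
    return SecureUsePlatform(chain, encrypted_file, auth_secrets), key_files
```

Appending a new record to `chain` with a narrower policy takes effect on the very next request, which is the "latest recorded attestation wins" behaviour of the updated-attestation embodiment; a key file for the wrong field fails the tag check inside `open_sealed` rather than yielding garbage.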
According to an embodiment of another aspect, a computer-readable storage medium is also provided, on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the method described with reference to Fig. 2 or Fig. 3.
According to an embodiment of yet another aspect, a computing device is also provided, comprising a memory and a processor, the memory storing executable code; when the processor executes the executable code, the method described with reference to Fig. 2 or Fig. 3 is implemented.
Those skilled in the art will appreciate that, in one or more of the above examples, the functions described in the present invention may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.
The specific embodiments described above further explain the objects, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are merely specific embodiments of the present invention and are not intended to limit the scope of protection of the present invention; any modification, equivalent replacement, improvement and the like made on the basis of the technical solutions of the present invention shall fall within the scope of protection of the present invention.

Claims (25)

  1. A method for securely sharing data between a first area and a second area, wherein the first area and the second area are physically isolated from each other and a gatekeeper is provided; the second area is provided with a secure use platform; the method is performed in the first area and comprises:
    encrypting plaintext data to be shared with multiple users of the secure use platform to generate an encrypted data file;
    generating a corresponding key file according to the target access right of a target user among the multiple users to the encrypted data file; wherein the encrypted data file must be accessed through the secure use platform using the key file;
    generating an attestation file according to a security management and control policy configured for the encrypted data file; wherein the security management and control policy includes the respective access rights of the multiple users;
    transmitting the encrypted data file and the key file to the target user through the gatekeeper;
    transmitting the attestation file to the secure use platform through the gatekeeper, so that the secure use platform controls the target user's use of the data in the encrypted data file according to the security management and control policy in the attestation file.
  2. The method according to claim 1, wherein the security level of the first area is higher than that of the second area.
  3. The method according to claim 1, wherein the encrypted data file is encrypted with an initial key; and the key file contains a derived key obtained from the initial key.
  4. The method according to claim 1, wherein the target access right is an access right to a target field of the encrypted data file, and the key file is used to decrypt the data usage result for the target field.
  5. The method according to claim 1, wherein encrypting the plaintext data to be shared with multiple users of the secure use platform to generate an encrypted data file comprises:
    generating, from the plaintext data to be shared with the multiple users of the secure use platform, a plaintext data file according to a predefined file generation format and file generation rules;
    encrypting the plaintext data file to generate the encrypted data file.
  6. The method according to claim 1, wherein the access rights include at least one of the following:
    a data usage mode indicating the types of operation permitted, a data usage frequency, and a data usage control indicating whether the data usage result is displayed in plaintext or in desensitized form.
  7. The method according to claim 1, wherein generating an attestation file according to the security management and control policy configured for the encrypted data file comprises:
    encrypting the security management and control policy to generate the attestation file.
  8. The method according to claim 1, wherein the second area further includes a blockchain network; and the attestation file is stored in the blockchain network by the secure use platform.
  9. The method according to claim 1, wherein the method further comprises:
    generating an updated attestation file according to an updated security management and control policy;
    transmitting the updated attestation file to the secure use platform through the gatekeeper, so that it performs security management and control according to the security management and control policy in the updated attestation file.
  10. A method for securely sharing data between a first area and a second area, wherein the first area and the second area are physically isolated from each other and a gatekeeper is provided; the second area is provided with a secure use platform; the method is performed in the second area and comprises:
    a target user among the multiple users of the secure use platform obtaining an encrypted data file and a key file through the gatekeeper; wherein the encrypted data file is obtained by encrypting plaintext data of the first area; the key file corresponds to the target access right of the target user to the encrypted data file; and the encrypted data file must be accessed through the secure use platform using the key file;
    the secure use platform obtaining an attestation file from the first area through the gatekeeper; the attestation file being generated according to a security management and control policy configured for the encrypted data file, wherein the security management and control policy includes the respective access rights of the multiple users;
    the target user issuing a data usage request, requesting to access the encrypted data file using the key file;
    the secure use platform, in response to the data usage request, controlling the target user's use of the data in the encrypted data file according to the security management and control policy in the attestation file.
  11. The method according to claim 10, wherein the method further comprises:
    the secure use platform authenticating the identity of the target user and, if authentication succeeds, controlling the target user's use of the data in the encrypted data file.
  12. The method according to claim 10, wherein the secure use platform is deployed with a decryption toolkit;
    the target user issuing a data usage request comprises:
    the target user requesting invocation of the decryption toolkit;
    controlling the target user's use of the data in the encrypted data file comprises:
    running the decryption toolkit to control the use of the data in the encrypted data file according to the security management and control policy and using the key file.
  13. The method according to claim 10, wherein controlling the target user's use of the data in the encrypted data file comprises:
    obtaining the target access right corresponding to the target user from the security management and control policy;
    performing data usage on the encrypted data file according to the target access right to obtain a ciphertext result;
    performing result processing on the ciphertext result using the key file according to the target access right, to obtain a data processing result fed back to the target user.
  14. The method according to claim 13, wherein the data usage includes querying or ciphertext computation.
  15. The method according to claim 13, wherein the target access right includes a data usage mode indicating the types of operation the target user is permitted to perform;
    performing data usage on the encrypted data file according to the target access right to obtain a ciphertext result comprises:
    performing ciphertext computation of that operation type on the encrypted data file to obtain the ciphertext result.
  16. The method according to claim 13, wherein the target access right includes a data usage frequency permitted for the target user;
    performing data usage on the encrypted data file according to the target access right to obtain a ciphertext result comprises:
    performing data usage on the encrypted data file only when the current usage frequency is not higher than the permitted data usage frequency.
  17. The method according to claim 13, wherein the target access right includes a data usage control indicating that the data usage result may be displayed in plaintext;
    performing result processing on the ciphertext result using the key file according to the target access right, to obtain the data processing result fed back to the target user, comprises:
    decrypting the ciphertext result using the key file to obtain a plaintext result as the data processing result.
  18. The method according to claim 13, wherein the target access right includes a data usage control indicating that the data usage result is to be displayed in desensitized form;
    performing result processing on the ciphertext result using the key file according to the target access right, to obtain the data processing result fed back to the target user, comprises:
    decrypting the ciphertext result using the key file to obtain a plaintext result;
    desensitizing the plaintext result to obtain a desensitized result as the data processing result.
  19. The method according to claim 10, wherein the target access right is an access right to a target field of the encrypted data file, and the data usage is data usage on the target field.
  20. The method according to claim 10, wherein the second area further includes a blockchain network; and the method further comprises:
    the secure use platform storing the attestation file in the blockchain network;
    the secure use platform, in response to the data usage request, reading the attestation file from the blockchain network.
  21. The method according to claim 20, wherein the method further comprises:
    the secure use platform obtaining an updated attestation file from the first area through the gatekeeper and storing the updated attestation file in the blockchain network;
    reading the attestation file from the blockchain network comprises reading the most recently recorded attestation file in the blockchain network as the attestation file.
  22. A system for securely sharing data between a first area and a second area, wherein the first area and the second area are physically isolated from each other and a gatekeeper is provided; the second area is provided with a secure use platform; the system is deployed in the first area and comprises:
    an encryption unit, configured to encrypt plaintext data to be shared with multiple users of the secure use platform and generate an encrypted data file;
    a key generation unit, configured to generate a corresponding key file according to the target access right of a target user among the multiple users to the encrypted data file generated by the encryption unit; wherein the encrypted data file must be accessed through the secure use platform using the key file;
    an attestation generation unit, configured to generate an attestation file according to a security management and control policy configured for the encrypted data file generated by the encryption unit; wherein the security management and control policy includes the respective access rights of the multiple users;
    a transmission unit, configured to transmit the encrypted data file and the key file to the target user through the gatekeeper, and to transmit the attestation file to the secure use platform through the gatekeeper, so that the secure use platform controls the target user's use of the data in the encrypted data file according to the security management and control policy in the attestation file.
  23. A system for securely sharing data between a first area and a second area, wherein the first area and the second area are physically isolated from each other and a gatekeeper is provided; the second area is provided with a secure use platform; the system is deployed in the second area and comprises:
    a target user among the multiple users of the secure use platform, configured to obtain an encrypted data file and a key file through the gatekeeper; wherein the encrypted data file is obtained by encrypting plaintext data of the first area; the key file corresponds to the target access right of the target user to the encrypted data file; and the encrypted data file must be accessed through the secure use platform using the key file;
    the secure use platform, configured to obtain an attestation file from the first area through the gatekeeper; the attestation file being generated according to a security management and control policy configured for the encrypted data file, wherein the security management and control policy includes the respective access rights of the multiple users;
    the target user being further configured to issue a data usage request, requesting to access the encrypted data file using the key file;
    the secure use platform being further configured, in response to the data usage request, to control the target user's use of the data in the encrypted data file according to the security management and control policy in the attestation file.
  24. A computer-readable storage medium on which a computer program is stored, wherein, when the computer program is executed in a computer, it causes the computer to perform the method according to any one of claims 1 to 21.
  25. A computing device, comprising a memory and a processor, wherein executable code is stored in the memory, and when the processor executes the executable code, the method according to any one of claims 1 to 21 is implemented.
PCT/CN2022/125185 2021-11-08 2022-10-13 Method and system for securely sharing data between first area and second area WO2023078055A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111315979.8A CN114091058A (en) 2021-11-08 2021-11-08 Method and system for secure sharing of data between a first area and a second area
CN202111315979.8 2021-11-08

Publications (1)

Publication Number Publication Date
WO2023078055A1 true WO2023078055A1 (en) 2023-05-11

Family

ID=80299276

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/125185 WO2023078055A1 (en) 2021-11-08 2022-10-13 Method and system for securely sharing data between first area and second area

Country Status (2)

Country Link
CN (1) CN114091058A (en)
WO (1) WO2023078055A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114091058A (en) * 2021-11-08 2022-02-25 支付宝(杭州)信息技术有限公司 Method and system for secure sharing of data between a first area and a second area

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447956A (en) * 2009-01-13 2009-06-03 杭州华三通信技术有限公司 Cross-GAP communication method and communication system using same
CN110417756A (en) * 2019-07-11 2019-11-05 北京百度网讯科技有限公司 Across a network data transmission method and device
WO2021073151A1 (en) * 2019-10-16 2021-04-22 平安国际智慧城市科技股份有限公司 Multi-network communication-based data transmission method and related device
CN113518078A (en) * 2021-06-01 2021-10-19 中国铁道科学研究院集团有限公司 Cross-network data sharing method, information demander, information provider and system
CN114091058A (en) * 2021-11-08 2022-02-25 支付宝(杭州)信息技术有限公司 Method and system for secure sharing of data between a first area and a second area

Also Published As

Publication number Publication date
CN114091058A (en) 2022-02-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22889080

Country of ref document: EP

Kind code of ref document: A1