[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN118013537A - Data processing method, device, electronic equipment and storage medium - Google Patents

Data processing method, device, electronic equipment and storage medium Download PDF

Info

Publication number
CN118013537A
CN118013537A CN202310869631.6A CN202310869631A CN118013537A CN 118013537 A CN118013537 A CN 118013537A CN 202310869631 A CN202310869631 A CN 202310869631A CN 118013537 A CN118013537 A CN 118013537A
Authority
CN
China
Prior art keywords
data
client
encryption
encrypted
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310869631.6A
Other languages
Chinese (zh)
Inventor
于乐
常嘉岳
马禹昇
霍要峰
赵元凯
廖会敏
牟艳琳
李斐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202310869631.6A priority Critical patent/CN118013537A/en
Publication of CN118013537A publication Critical patent/CN118013537A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2455Query execution
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data processing method, a device, electronic equipment and a storage medium, and relates to the technical field of: the technical field of data security. The method comprises the following steps: receiving a query request sent by a client; determining a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: inquiring first stored data corresponding to the request and first encryption related data used for recovering the first stored data; and feeding back the query request of the client based on the first encrypted data packet. Therefore, the user can clearly know the relevant information of how to encrypt the first storage data through the first encryption related data in the first encryption data packet, and can recover the first storage data based on the first encryption related data, so that the data corresponding to the first storage data can be accurately and safely recovered.

Description

Data processing method, device, electronic equipment and storage medium
Technical Field
The present application relates to the field of data security technologies, and in particular, to a data processing method, a data processing device, an electronic device, and a storage medium.
Background
In the related art, related data such as an encryption algorithm involved in encrypting important data is stored in a configuration file, and only ciphertext obtained by encrypting the important data is stored in a database. In this case, if the configuration file is abnormal, the corresponding important data cannot be recovered only by the ciphertext.
Disclosure of Invention
According to the data processing method, the device, the electronic equipment and the storage medium, the user can clearly know the related information of the ciphertext, and the corresponding data can be obtained through accurate and safe recovery of the ciphertext.
The technical scheme of the application is realized as follows:
the embodiment of the application provides a data processing method, which comprises the following steps:
receiving a query request sent by a client;
Determining a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: the first storage data corresponding to the query request and the first encryption related data used for recovering the first storage data;
and feeding back the query request of the client based on the first encrypted data packet.
In the above aspect, the first encryption related data includes: and carrying out recovery processing on the first stored data, namely first encryption algorithm data, the identification of the first key and first encryption rule data.
In the above scheme, the first encrypted data packet is a data packet in a lightweight data exchange format formed based on the first encryption algorithm data, the first key identifier, the first encryption rule data and the first storage data.
In the above solution, before the feeding back the query request of the client based on the first encrypted data packet, the method further includes:
Determining first configuration information corresponding to the client based on the query request; wherein the first configuration information includes a protection mode for the first stored data.
In the above solution, the feeding back the query request of the client based on the first encrypted data packet includes:
and processing the first encrypted data packet based on the protection mode to obtain target data to be fed back to the client.
In the above scheme, the processing the first encrypted data packet based on the protection mode to obtain the target data includes one of the following:
Obtaining the target data through the first stored data in the first encrypted data packet based on the authorization attribute of the client under the condition that the protection mode characterization is confidentiality protection for the first stored data;
Determining the target data through the first stored data in the first encrypted data packet based on the consistency of a first verification code and a second verification code in the first encrypted data packet under the condition that the protection mode representation is integrity protection for the first stored data; wherein the second verification code is determined by the first encrypted data packet;
And under the condition that the protection mode characterization simultaneously performs the integrity protection and the confidentiality protection on the first stored data, processing the first encrypted data packet based on the consistency of the first verification code and the second verification code and the authorization attribute of the client to obtain the target data.
In the above scheme, the method further comprises:
receiving a data operation request sent by the client; the data operation request is used for representing data storage or data modification operation;
Processing the plaintext data included in the data operation request to obtain a second encrypted data packet for storage; wherein the second encrypted data packet includes: and the second storage data is obtained by processing the plaintext data, and the second encryption related data is used for recovering the second storage data.
In the above solution, after the receiving the data operation request sent by the client, the processing the plaintext data included in the data operation request to obtain a second encrypted data packet, so as to store the second encrypted data packet, where before the storing, the method further includes:
determining second configuration information corresponding to the client based on the data operation request; wherein the second configuration information includes a protection mode for the second stored data and calculation-related data for performing encryption calculation on the plaintext data.
In the above scheme, the calculating the related data includes: the second encryption algorithm data, the identification of the second key and the second bit filling rule data; the processing the plaintext data included in the data operation request to obtain a second encrypted data packet includes:
processing the plaintext data by using the second encryption algorithm data, the second key and the second bit filling rule data to obtain second storage data;
The second encryption algorithm data, the identification of the second key, the second bit-filling rule data, and the second stored data determine the second encrypted data packet based on the protection mode.
The embodiment of the application also provides a data processing device, which comprises:
the receiving unit is used for receiving the query request sent by the client;
A determining unit, configured to determine a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: the first storage data corresponding to the query request and the first encryption related data used for recovering the first storage data;
And the feedback unit is used for feeding back the query request of the client based on the first encrypted data packet.
The embodiment of the application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program capable of running on the processor, and the processor realizes the steps in the method when executing the computer program.
The embodiment of the application also provides a computer readable storage medium, on which a computer program is stored, which when being executed by a processor, implements the steps of the above method.
In the embodiment of the application, a query request sent by a client is received; determining a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: inquiring first stored data corresponding to the request and first encryption related data used for recovering the first stored data; and feeding back the query request of the client based on the first encrypted data packet. In this way, the user can clearly know the relevant information of how to encrypt the first storage data through the first encryption related data in the first encryption data packet, and because the first encryption related data and the first storage data for recovering the first storage data are stored in the first encryption data packet, whether the configuration file is abnormal or not is not considered, the first storage data can be recovered based on the first encryption related data in any case, and further, the data corresponding to the first storage data can be accurately and safely recovered.
Drawings
FIG. 1 is a schematic flow chart of an alternative method for processing data according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of an alternative method for processing data according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of an alternative method for processing data according to an embodiment of the present application;
FIG. 4 is a schematic flow chart of an alternative method for processing data according to an embodiment of the present application;
FIG. 5 is a schematic flow chart of an alternative method for processing data according to an embodiment of the present application;
FIG. 6 is a schematic flow chart of an alternative method for processing data according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a data processing apparatus according to an embodiment of the present application;
fig. 8 is a schematic diagram of a hardware entity of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solution of the present application will be further elaborated with reference to the accompanying drawings and examples, which should not be construed as limiting the application, but all other embodiments which can be obtained by one skilled in the art without making inventive efforts are within the scope of protection of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
If a similar description of "first/second" appears in the application document, the following description is added, in which the terms "first/second/third" merely distinguish similar objects and do not represent a specific ordering of the objects, it being understood that the "first/second/third" may, where allowed, interchange a specific order or precedence order such that the embodiments of the application described herein can be implemented in an order other than that illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
In the related art, in order to ensure confidentiality and integrity of important data during storage, it is common practice to encrypt the important data, or calculate a message authentication code (Message Authentication Code, MAC) and store the encrypted important data in a database, as shown in table 1.
Table 1: confidentiality and integrity protection mode for important data
Illustratively, a mobile phone number of a person (mobile phone number is often used as important data, and confidentiality and integrity protection are required) is to be stored in the database, and is exemplified by mobile phone number 13566668888, as shown in table 2.
Table 2: data confidentiality and integrity storage examples
In combination with table 2, in the prior art, cell phone number: 13566668888, after encryption (encryption keys, encryption algorithms, encryption modes, bit filling rules, etc. involved in the encryption operation are generally written into a configuration file), the value stored in the database is "43C9a51F6BA1DFA8EDF3C620F86970A9". If the profile is removed, the user simply observes the data "43C9A51F6BA1DFA8EDF3C620F86970A9", from which no information is obtained about the cell phone number, i.e., does not know what key the value was encrypted from, does not know what the encryption algorithm is, does not know what the encryption rule is, and does not even know that "43C9A51F6BA1DFA8EDF3C620F86970A9" is a ciphertext. In this case, if the configuration information is corrupted, it may be difficult to recover the handset number 13566668888 by just "43C9a51F6BA1DFA8EDF3C620F86970A9".
An embodiment of the present application provides a data processing method, please refer to fig. 1, which is an optional flowchart of the data processing method provided in the embodiment of the present application, and will be described with reference to the steps shown in fig. 1.
S101, receiving a query request sent by a client.
In the embodiment of the application, a server receives a query request sent by a client. The query request includes identification information corresponding to the first encrypted data packet.
In some other embodiments, the server may receive a structured query language (Structured Query Language, SQL) sent by the client, and may determine the corresponding first encrypted data packet based on the "SELECT" and "FROM" fields in the SQL statement.
In some other embodiments, the server may also receive other types of query requests sent by the client.
S102, determining a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: the first storage data corresponding to the query request and the first encryption related data used for recovering the first storage data.
In the embodiment of the application, the server can determine the corresponding first encrypted data packet in the database based on the query request. Wherein the first encrypted data packet includes: the method comprises the steps of inquiring first storage data corresponding to a request and first encryption related data used for recovering the first storage data.
Wherein the first encryption related data includes: the first encryption related data includes: and carrying out recovery processing on the first stored data, namely first encryption algorithm data, the identification of the first key and first encryption rule data. The first encryption data packet is a data packet in a lightweight data exchange format formed based on the first encryption algorithm data, the identification of the first key, the first encryption rule data and the first storage data. Illustratively, the first encrypted data packet may be JS key-value data pair (JavaScript Object Notation, json) data. Wherein the first encryption rule data may include: first bit-complement rule data for plaintext data of the first stored data and identification data of a protection mode.
Wherein. The server can randomly generate 100 symmetric keys (3 DES, AES, SM or one of the symmetric keys) through a cipher machine in advance, and each symmetric key is assigned with a corresponding identifier, and can be numbered 1-100. The key value cannot be revealed due to the nature of the crypto-machine.
In some other embodiments, the server may determine the corresponding first encrypted data packet in the database based on the identification information in the SQL query statement.
Among these, symmetric algorithms and asymmetric algorithms are common among encryption algorithms. Common symmetric algorithms are triple data encryption algorithm (TRIPLE DATA Encryption Algorithm,3 DES), advanced encryption standard (AES ADVANCED Encryption Standard, AES), block symmetric encryption algorithm. Wherein 3DES and AES are international algorithms, and the block symmetric encryption algorithm is Chinese algorithm; common asymmetric algorithms are asymmetric encryption algorithm (RSA algorithmRSA), elliptic curve encryption algorithm (Error CHECKING AND correction, ECC), elliptic curve public key cryptography algorithm. Wherein RSA and ECC are international algorithm, elliptic curve public key cryptographic algorithm is Chinese algorithm. Both symmetric algorithm and asymmetric algorithm can be used for encrypting and decrypting data, but the symmetric algorithm is more suitable for encrypting and decrypting data and calculating MAC in the application. The symmetric algorithm is block encryption (computing MAC). The block length of the 3DES, AES, block symmetric encryption algorithm is 16 bytes. What is block encryption, such as the existing data "12EF", which is 2 bytes, if the SM4 is encrypted using 3DES, AES, and the block symmetric encryption algorithm, the length of "12EF" needs to be complemented to 16 bytes, and the common bit complement rule is pkcs padding or zeroPadding (the number of bytes that are fewer is fewer than one). "12EF" (2 bytes, 16-2=14, the 16-ary representation corresponding to 14 is 0x 0E) bit-complemented and then becomes "12EF0E0E0E0E0E0E0E0, if the data is" 12345678ABCDEF "(14 bytes, 16-14=2), the bit is appended to" 12345678ABCDEF0202". Wherein the bit filling is performed prior to calculating the encryption.
The scheme provides a storage method for protecting confidentiality and integrity of data based on json data format. After the important data is processed by the method and the system, the value stored in the database is data in json format, and the relevant information of the data can be seen clearly visually through the json data: what the key that encrypts the data is, what the algorithm that encrypts is, what the bit-filling rule that encrypts is, whether ciphertext or plaintext+mac or ciphertext+mac is stored. By storing the data in the json format, even if the configuration file is destroyed, the plaintext of the data can be recovered through the key, the encryption algorithm and the like, and meanwhile, the json format storage mode is convenient for reading.
S103, feeding back the query request of the client based on the first encrypted data packet.
In the embodiment of the application, the server can determine the corresponding target data based on the first encrypted data packet and feed the target data back to the client.
In the embodiment of the application, the server can also determine the protection mode of the corresponding first storage data based on the query request of the client. And determining corresponding target data by using the first encrypted data packet based on the protection mode and feeding back the corresponding target data to the client.
The protection mode may include: confidentiality protection, integrity protection, confidentiality and integrity protection.
In some other embodiments, when the server determines that the protection mode of the first storage data characterizes that the first storage data does not perform confidentiality protection and integrity protection, plaintext data corresponding to the query request may be directly extracted from the database and fed back to the client.
In the embodiment of the application, a query request sent by a client is received; determining a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: inquiring first stored data corresponding to the request and first encryption related data used for recovering the first stored data; and feeding back the query request of the client based on the first encrypted data packet. Therefore, a user can clearly know the relevant information of how to encrypt the first storage data through the first encryption related data in the first encryption data packet, and because the first encryption related data and the first storage data are stored in the first encryption data packet, whether the configuration file is abnormal or not is not considered, the first storage data can be restored based on the first encryption related data in any case, and the data corresponding to the first storage data can be accurately and safely restored.
In some embodiments, referring to fig. 2, fig. 2 is a schematic flow chart of an alternative data processing method provided in the embodiment of the present application, S103 shown in fig. 1 may also be implemented through S104 to S105, and the description will be made with reference to the steps.
S104, determining first configuration information corresponding to the client based on the query request; wherein the first configuration information includes a protection mode for the first stored data.
In the embodiment of the application, after receiving the query request of the client, the server can determine the first configuration information corresponding to the client based on the information of the client because the query request carries the information corresponding to the client. Wherein the first configuration information includes a protection mode for the first stored data.
The first configuration information may characterize that the data corresponding to the client is any one of confidentiality protection, integrity protection, confidentiality and integrity protection.
In some other embodiments, the server intercepts a query request (such as a query corresponding sql statement of data) submitted by the client. Corresponding first configuration information is determined based on the query request. The first configuration information sets whether the data of the client is protected. And a protection mode in which data of the client is protected.
S105, processing the first encrypted data packet based on the protection mode to obtain target data, and feeding back the target data to the client.
In the embodiment of the application, the processing modes in the process of forming the first encrypted data packet are completely different according to different protection modes, so that the server needs to determine the target data by using the first encrypted data packet based on the protection mode of the first stored data to feed back to the client.
In the embodiment of the application, the first encrypted data packet comprises the first stored data and the first encrypted related data, so that whether the configuration information is destroyed or not is not considered, and the corresponding target data can be accurately and safely recovered from the first stored data by utilizing the first encrypted related data under any condition.
In some embodiments, S105 shown may also be implemented by any one of S1051 to S1053, as will be described in connection with the steps.
S1051, obtaining the target data through the first storage data in the first encrypted data packet based on the authorization attribute of the client when the protection mode representation is confidentiality protection for the first storage data.
In the embodiment of the application, the server can determine the authorization attribute of the client under the condition that the protection mode characterization is determined to be confidentiality protection aiming at the first stored data. In case the authorization attribute characterizes that the client is not an authorized user, the first stored data (target data) may be fed back to the client, i.e. ciphertext data may be fed back to the client. Under the condition that the authorization attribute characterizes the client as an authorized user, the first storage data can be decrypted and bit-complemented based on the first encryption related data in the first encryption data packet to obtain target data corresponding to the first storage data, and the target data is fed back to the client.
In some other embodiments, where the protection mode characterization is confidentiality protection for the first stored data, the data structure of the first stored data is: ciphertext data. The server may decrypt the first stored data based on the first encryption algorithm data in the first encrypted data packet and the key corresponding to the first key identifier, to obtain plaintext data. And performing bit-removing operation on the plaintext data by using the first encryption rule data to obtain target data.
Wherein, the decryption definition: mingwen = decrypt (alg, key, miwen). alg represents algorithm (3 DES, AES, SM, one of them). key, key. miwen: the first stores data. Outputting a plaintext data. And then, the target data is obtained after the bit of the plaintext data is removed.
S1052, under the condition that the protection mode representation is integrity protection for the first stored data, determining the target data through the first stored data in the first encrypted data packet based on the consistency of a first verification code and a second verification code in the first encrypted data packet; wherein the second verification code is determined by the first encrypted data packet.
In the embodiment of the application, when the server determines that the protection mode representation is integrity protection for the first stored data, the server can determine the corresponding second verification code for the first stored data according to the first encryption related data in the first encryption data packet. And the server compares the first verification code with the second verification code in the first encrypted data packet, and determines target data to feed back to the client based on the obtained comparison result.
Wherein, in the case that the protection mode characterization is integrity protection for the first stored data, the data structure of the first stored data is: plaintext data + first authentication code. If the comparison result indicates that the first verification code is consistent with the second verification code, the plaintext data in the first stored data can be determined to be target data, and then the plaintext data is fed back to the client. If the comparison result indicates that the first verification code is inconsistent with the second verification code, the data integrity of the first encrypted data packet is destroyed, and the data failing to query can be fed back to the client.
In the embodiment of the application, the second verification code can be calculated by a verification code algorithm in the first encrypted data packet, a key corresponding to the identification of the first key and first encryption rule data (first bit filling rule data) on plaintext data in the first stored data.
Wherein, calculate the definition of the second verification code: mingwen = decrypt (alg, key, miwen). Calculating a MAC definition: mac=alg_mac (alg, key, iv, mingwen). The input parameters 3, alg represent the algorithm (3 DES, AES, SM, one of them). key, key. iv initial vector (arbitrary data of length 16 bytes, such as "00000000000000000000000000000000"). mingwen: and (5) plaintext. Output parameter 1 mac: the MAC value (e.g., handset number 13566668888 (which requires a bit-filling) is calculated by a key and an initial vector to obtain the MAC value D3E5FAC 6).
S1053, under the condition that the protection mode represents that the integrity protection and the confidentiality protection are carried out on the first stored data at the same time, processing the first encrypted data packet to obtain the target data based on the consistency of the first verification code and the second verification code and the authorization attribute of the client.
In the embodiment of the present application, when the protection mode characterizes that the integrity protection and the confidentiality protection are simultaneously performed on the first stored data, the server may first determine the corresponding second verification code for the first stored data based on the first encryption related data in the first encrypted data packet. If the first verification code is consistent with the second verification code, the authorization attribute of the client can be determined. In case the authorization attribute characterizes the client as not an authorized user, the first stored data (target data) may be fed back to the client. Under the condition that the authorization attribute characterizes the client as an authorized user, the first storage data can be decrypted based on the first encryption related data in the first encryption data packet to obtain target data corresponding to the first storage data, and the target data is fed back to the client. In the case where the authorization attribute characterizes that the client is not an authorized user, ciphertext data in the first stored data may be fed back to the client. If the first verification code is inconsistent with the second verification code, the data integrity of the first encrypted data packet is destroyed, and the data failing to query can be fed back to the client.
In the embodiment of the present application, when the protection mode characterizes that the integrity protection and the confidentiality protection are performed on the first stored data at the same time, the data structure of the first stored data is: ciphertext data + a first authentication code. When the first verification code is consistent with the second verification code and the client is an authorized user, the first storage data can be decrypted based on the first encryption related data in the first encryption data packet to obtain plaintext data corresponding to the first storage data, and target data obtained after the plaintext data is complemented is fed back to the client. When the first verification code is consistent with the second verification code and the client is not an authorized user, the ciphertext data in the first storage data can be determined to be target data, and the ciphertext data in the first storage data is fed back to the client.
In the embodiment of the application, no matter whether the first storage data in the first encrypted data packet is in any protection mode of confidentiality protection, integrity protection, confidentiality and integrity protection, the first storage data can be recovered based on the first encryption related data in the first encrypted data packet to obtain the corresponding target data. The method for storing the first encryption related data and the first storage data together does not need to consider whether the configuration information is destroyed, and can accurately and safely recover the first storage data to obtain the corresponding target data.
In some embodiments, referring to fig. 3, fig. 3 is a schematic flow chart of an alternative data processing method according to an embodiment of the present application, and S1051 to S1053 shown in the present application may also be implemented through S201 to S224, and each step will be described in connection with the description.
S201, the client sends a query request.
In the embodiment of the application, the client can respond to the operation request and send the query request to the server.
S202, receiving a query request sent by the client.
In the embodiment of the application, a server receives a query request sent by a client. Wherein the query request may include an SQL query statement.
S203, determining a protection mode based on the determined first configuration information.
In the embodiment of the application. The server may determine the corresponding first configuration information based on the information of the client. The first configuration information includes which protection mode encryption is performed on the data corresponding to the client.
S204, confidentiality protection.
In the embodiment of the present application, S204 to S209 are executed when it is determined that the first configuration information characterizes that the data corresponding to the client is confidentiality protected.
S205, reading corresponding json data.
In the embodiment of the application, the server can read the corresponding json data from the database based on the identification information in the query request.
S206, identifying whether the user is an authorized user.
In the embodiment of the application, the server can also determine whether the client is an authorized user based on the account information of the client.
S207, returning data (returning ciphertext).
In the embodiment of the application, if the client is not an authorized client, the ciphertext data of json data can be fed back to the client.
S208, decrypting the ciphertext according to the key-id stored in the json, the encryption algorithm, the bit filling rule and the like to obtain a plaintext.
In the embodiment of the application, if the client is an authorized user, the first stored data can be decrypted according to a key corresponding to a key-id (key identification) in the json data and an encryption algorithm (one of 3DES, AES, SM 4) to obtain plaintext data. And then, performing bit-filling removal on the plaintext data by using a bit-filling rule to obtain target data and feeding the target data back to the client.
S209, returning data (returning plaintext).
In the embodiment of the application, the server can feed back the plaintext data obtained after bit removal to the client.
In the embodiment of the application, a server calls a cipher machine, uses a key corresponding to the determined key-id, and performs decryption operation on the first stored data (the value in content is miwen) according to a corresponding encryption algorithm to obtain a plaintext value of the data, namely mingwen =decrypt (alg, key, miwen), and performs bit removal (pkcs 5padding bit removal) on mingwen and feeds back to a client.
S210, integrity protection.
In the embodiment of the present application, S211 to S215 are executed when it is determined that the configuration information characterizes that the data corresponding to the client is integrity protected.
S211, reading corresponding json data.
In the embodiment of the application, the server can read the corresponding json data from the database based on the identification information in the query request.
S212, calculating an MAC value for the plaintext data according to the key-id stored in json, an MAC algorithm, a bit filling rule and the like.
In the embodiment of the application, the server can calculate the MAC value (the second verification code) on the plaintext data based on the key corresponding to the key-id (key identification) in the json data, the MAC algorithm, the bit filling rule and the like.
S213, whether the MAC values are consistent.
In the embodiment of the present application, the data format of the first stored data in the json data is: the plaintext + the first verification code and the server may compare whether the first verification code and the second verification code are identical.
S214, returning prompt information.
In the embodiment of the application, if the first verification code and the second verification code are inconsistent, the information prompting the data damage is fed back to the client.
S215, returning data (plain text is stored, and the plain text is returned).
In the embodiment of the application, if the first verification code is consistent with the second verification code, the plaintext in the first stored data can be directly fed back to the client.
S216, confidentiality and integrity protection.
In the embodiment of the present application, S217 to S224 are executed under the condition that it is determined that the configuration information characterizes that the data corresponding to the client is confidentiality and integrity protected.
S217, reading corresponding json data.
In the embodiment of the application, the server can read the corresponding json data from the database based on the identification information in the query request.
S218, calculating an MAC value for the plaintext data according to the key-id stored in json, an MAC algorithm, a bit filling rule and the like.
In the embodiment of the application, the server can calculate the MAC value (the second verification code) on the plaintext data based on the key corresponding to the key-id (key identification) in the json data, the MAC algorithm, the bit filling rule and the like.
S219, whether the MAC values are consistent.
In the embodiment of the present application, the data format of the first stored data in the json data is: the plaintext + the first verification code and the server may compare whether the first verification code and the second verification code are identical.
S220, returning prompt information.
In the embodiment of the application, if the first verification code and the second verification code are inconsistent, the information prompting the data damage is fed back to the client.
S221, authenticating whether the user is an authorized user.
In the embodiment of the application, the server can also determine whether the client is an authorized user based on the account information of the client.
S222, return data (return ciphertext).
In the embodiment of the application, if the client is not an authorized client, the ciphertext data of json data can be fed back to the client.
S223, decrypting the ciphertext according to the key-id stored in the json, the encryption algorithm, the bit filling rule and the like to obtain the plaintext.
In the embodiment of the present application, if the client is an authorized user, the first stored data may be decrypted according to a key corresponding to a key-id (key identifier) in the json data and an encryption algorithm (one of 3DES, AES, SM 4) to obtain a data. And then, performing bit-filling removal on the data by using a bit-filling rule to obtain plaintext data and feeding the plaintext data back to the client.
S224, return data (return plaintext).
In the embodiment of the application, the server can feed back the plaintext data obtained after bit removal to the client.
The fields of json data in the embodiment of the application relate to key-id (identification of a key), algorism, padding, mode (MAC or/and ciphertext), content and other parameters, structured data storage can be realized under three protection modes (confidentiality, integrity, confidentiality and integrity), the key adopts a key-id index storage mode and is not directly stored in a custom data structure, and the encryption/decryption security of the data can be further ensured through the access control of the storage position pointed by the key-id parameter.
In some embodiments, referring to fig. 4, fig. 4 is a schematic flow chart of an alternative data processing method according to an embodiment of the present application, and the steps will be described in connection with the description.
S106, receiving a data operation request sent by the client; wherein the data operation request is used for characterizing a data storage or data modification operation.
In the embodiment of the application, the server can receive the data modification operation request sent by the client. The data modification operation request comprises corresponding plaintext data. The plaintext data may be text information or string characters.
In the embodiment of the application, the server can receive the SQL request sent by the client. The SQL request is used to perform data storage or data modification operations.
The client in the embodiment of the application can be consistent with the client in S101 or inconsistent with the client in S101.
S107, processing the plaintext data contained in the data operation request to obtain a second encrypted data packet for storage; wherein the second encrypted data packet includes: and the second storage data is obtained by processing the plaintext data, and the second encryption related data is used for recovering the second storage data.
In the embodiment of the application, the server can extract the plaintext data in the data operation request, and encrypt the plaintext data based on the data protection mode corresponding to the client to obtain the second stored data. And forming a second encrypted data packet by using the second stored data and the second encryption related data for encrypting the plaintext data.
Wherein the second encryption related data includes: the second encryption algorithm data, the identification of the second key, and the second encryption rule data for performing recovery processing on the second stored data. The second storage data packet may be a json data structure.
In the embodiment of the application, the user can clearly know the relevant information of how to encrypt the second storage data through the second encryption related data in the second encryption data packet, and because the second encryption related data and the second storage data used for carrying out the recovery processing on the second storage data are stored in the second encryption data packet, whether the configuration file is abnormal or not is not considered, the second storage data can be recovered based on the second encryption related data in any case, and the data corresponding to the second storage data can be accurately and safely recovered.
In some embodiments, referring to fig. 5, fig. 5 is a schematic flow chart of an alternative data processing method provided in the embodiment of the present application, S107 shown in fig. 4 may also be implemented through S108 to S110, and the description will be made with reference to the steps.
S108, determining second configuration information corresponding to the client based on the data operation request; wherein the second configuration information includes a protection mode for the second stored data and calculation-related data for performing encryption calculation on the plaintext data.
In the embodiment of the application, after receiving the data operation request of the client, the server can determine the second configuration information corresponding to the client based on the information of the client because the data operation request carries the information corresponding to the client. Wherein the second configuration information includes a protection mode for the second stored data and calculation-related data for performing encryption calculation on the plaintext data.
The second configuration information may characterize that the data corresponding to the client is any one of confidentiality protection, integrity protection, confidentiality and integrity protection.
And S109, processing the plaintext data based on the second encryption algorithm data, the second secret key and the second encryption rule data to obtain the second storage data.
In the embodiment of the application, calculating the related data includes: the second encryption algorithm data, the identification of the second key and the bit filling rule data. The server may determine the second key based on the identification of the second key, and further the server may process plaintext data included in the data manipulation request based on the computing-related data to obtain second stored data.
In the embodiment of the present application, when the protection mode characterization is confidentiality protection for the second stored data, the determined calculation related data includes: the identification of the second key, the second encryption algorithm data, and the second bit-filling rule data. The second bit filling rule data and the identification data (which may be ciphertext) corresponding to the confidentiality protection mode form second encryption rule data. The server may perform bit filling on the plaintext data based on the second bit filling rule data, and then encrypt the bit-filled plaintext data using the second encryption algorithm data and the second key to obtain second stored data. The second stored data is ciphertext data.
In the embodiment of the application, the encryption definition is as follows: miwen = encrypt (alg, key, mingwen). The parameters were input 3. alg represents algorithm (3 DES, AES, SM, one of them). key, key. mingwen: and (5) plaintext. Output parameter 1 is miwen: ciphertext (e.g., handset number 13566668888 (which requires a bit-filling) may be encrypted with a key to obtain ciphertext 43C9A51F6BA1DFA8EDF3C620F86970A 9).
In the embodiment of the present application, when the protection mode representation is integrity protection for the second stored data, the determined calculation related data includes: the identification of the second key, the verification code algorithm data and the second bit filling rule data. The second bit filling rule data and the identification data (which may be MAC) corresponding to the integrity protection mode form second encryption rule data. The server can carry out bit filling on the plaintext data based on the second bit filling rule data, then randomly generates an information value after bit filling of the plaintext data, and utilizes the verification code algorithm data, the second key and the information value to process the plaintext data after bit filling to obtain a corresponding first verification code. And combining the plaintext data after bit filling with the first verification code to obtain second storage data. The data structure of the second stored data is: plaintext data + first authentication code.
In the embodiment of the present application, when the protection mode characterizes that confidentiality protection and integrity protection are performed on the second stored data at the same time, the determined calculation related data includes: the identification of the second key, the second encryption algorithm data, the verification code algorithm data and the second bit filling rule data. The second bit filling rule data, the identification data corresponding to the integrity protection mode and the identification data corresponding to the confidentiality protection mode form second encryption rule data. The server may use the second bit filling rule data to fill in bits of the plaintext data, and then randomly generate the information value after filling in bits of the plaintext data. And processing the plaintext data after bit filling by using the verification code algorithm data, the second key and the information value to obtain a corresponding first verification code. And then encrypting the bit-complemented plaintext data by using the second encryption algorithm data and the second key to obtain corresponding ciphertext data. And combining the ciphertext data with the first verification code to obtain second storage data. The data structure of the second stored data is: ciphertext data + a first authentication code.
S110, determining the second encrypted data packet based on the protection mode, the second encryption algorithm data, the identification of the second key, the second bit filling rule data and the second storage data.
In the embodiment of the application, the server can form the second encrypted data packet of the json data structure based on the second encryption algorithm data, the identification of the second key and the second encryption rule data (the second bit-complement rule data and the identification data of the protection mode).
In the embodiment of the application, when the protection mode representation is confidentiality protection for the second storage data, the json format second encrypted data packet can be obtained based on the second bit filling rule data, the second encryption algorithm data, the identification of the second key, the protection mode encryption and the second storage data processing.
In the embodiment of the application, when the protection mode representation is confidentiality protection for the second storage data, the second encryption data packet in json format can be obtained based on the second bit filling rule data, the verification code algorithm data, the identification of the second key, the information value, the protection mode MAC and the second storage data.
In the embodiment of the application, when the protection mode representation is confidentiality protection for the second storage data, the json format second encryption data packet can be obtained based on the second encryption algorithm data, the second bit filling rule data, the identification of the second key, the information value, the protection mode 'ciphertext+MAC' and the second storage data.
In the embodiment of the present application, taking the important data mobile phone number 13566668888 as an example, when the data is processed, the format stored in the database is shown in table 3.
Table 3: data confidentiality and integrity storage examples of the present application
In the embodiment of the application, after the plaintext data is processed, the format stored in the database is a json format data packet. Through json data, related information of the plaintext data can be seen clearly intuitively: what the key id that encrypts the data is, what the algorithm that encrypts is, what the bit-filling rule that encrypts is, whether ciphertext or MAC is stored or ciphertext + MAC. By storing the data in json format, even if the configuration information is destroyed, the second stored data can be decrypted by a key, an encryption algorithm, or the like, to obtain the necessary plaintext data.
In the embodiment of the application, the plaintext data in the data operation request can be determined to be any one of confidentiality protection, integrity protection, confidentiality and integrity protection through the second configuration information corresponding to the data operation request, and then the plaintext data is processed by using the calculation related data in the second configuration information to obtain the second stored data. And determining a second encrypted data packet by using the second stored data, the determined protection mode and the calculation related data. The method for storing the second encryption related data for recovering the second storage data and the second storage data together does not need to consider whether the configuration information is destroyed, and can accurately and safely recover the first storage data to obtain the corresponding target data.
In some embodiments, referring to fig. 6, fig. 6 is a schematic flow chart of an alternative data processing method provided in the embodiment of the present application, and S106 to S111 shown in fig. 5 may also be implemented through S225 to S239, and the description will be made in connection with the steps.
S225, the client sends a data operation request.
In the embodiment of the application, the client can respond to the operation request and send the data operation request to the server.
S226, receiving a data operation request sent by the client.
In the embodiment of the application, a server receives a data operation request sent by a client. Wherein the data operation request may include an SQL data operation statement. The data operation request carries plaintext data.
S227, determining a protection mode based on the second configuration information.
In the embodiment of the application. The server may determine the corresponding second configuration information based on the information of the client. And the data corresponding to the client represented by the second configuration information is encrypted in which protection mode.
S228, confidentiality protection (further checking the configuration information module, looking up the encrypted key, the encryption algorithm and the bit filling rule).
In the embodiment of the present application, S229 to S231 are executed when it is determined that the second configuration information characterizes that the data corresponding to the client is confidentiality protected. And determining the identification, encryption algorithm and bit filling rule of the corresponding key based on the configuration information.
S229, encrypting the data to obtain the ciphertext.
In the embodiment of the application, a server firstly complements the data of plaintext data, and complements the data by pkcs padding to obtain mingwen, then invokes a cipher machine, uses a key corresponding to a key-id, and encrypts the data according to a corresponding encryption algorithm to obtain a ciphertext value of the data, namely miwen =encryption (alg, key, mingwen).
S230, organizing json data according to the identification of the key, the encryption algorithm, the ciphertext and the like.
In the embodiment of the application, json data of the plaintext data is organized. json data includes key-id (identification of key), algorism, padding, mode, and content (ciphertext value). The json data is then stored in a database.
S231, storing the generated json data into a database.
S232, integrity protection (further checking the configuration information module, looking up the key for calculating the MAC, the MAC algorithm and the bit filling rule).
In the embodiment of the present application, S233 to S235 are executed under the condition that it is determined that the configuration information characterizes that the data corresponding to the client is integrity protected. And determining a corresponding key, MAC algorithm and bit filling rule based on the configuration information.
S233, calculating MAC for the data to obtain an MAC value.
In the embodiment of the application, the server firstly complements the data, and then complements the data by pkcs padding to obtain mingwen, and then randomly generates the iv value. Then, a cryptographic machine is called, and a MAC operation is performed on the data according to a corresponding MAC algorithm by using a key corresponding to the key-id, so as to obtain a MAC value of the data, i.e., mac=alg_mac (alg, key, iv, mingwen).
S234, organizing json data according to the identification of the key, the MAC algorithm, the MAC value and the like.
In the embodiment of the application, json data of the plaintext data is organized. json data includes key-id (identification of key), algorism, padding, mode (MAC), content (plaintext+mac).
S235, storing the generated json data into a database.
S236, confidentiality and integrity protection (further looking up configuration information modules, see encryption/computation MAC keys, encryption/MAC algorithms, bit filling rules, etc.).
In the embodiment of the present application, S27 to S239 are executed when it is determined that the configuration information characterizes that the data corresponding to the client is integrity protected. And determining a corresponding key, MAC algorithm, encryption algorithm and bit filling rule based on the configuration information.
S237, encrypting the data to obtain ciphertext, and calculating MAC (media access control) value for the data to obtain the MAC value.
In the embodiment of the application, the server firstly complements the data, the data is complemented by pkcs padding to obtain mingwen, then a cipher machine is called, a key corresponding to the key-id is used, and the data is encrypted according to a corresponding encryption algorithm to obtain a ciphertext value of the data. The iv value is then randomly generated. Then, a cryptographic machine is called, and a MAC operation is performed on the data according to a corresponding MAC algorithm by using a key corresponding to the key-id, so as to obtain a MAC value of the data, i.e., mac=alg_mac (alg, key, iv, mingwen).
S238, organizing json data according to the identification of the key, the encryption/MAC algorithm, the ciphertext, the MAC value and the like.
In the embodiment of the application, json data of the plaintext data is organized. json data includes key-id (identification of key), algorism, padding, mode (ciphertext+mac), content (ciphertext+mac).
S239, storing the generated json data into a database.
In some embodiments, referring to fig. 7, fig. 7 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application.
The embodiment of the present application further provides a data processing apparatus 600, including: a receiving unit 601, a determining unit 602, and a feedback unit 603.
A receiving unit 601, configured to receive a query request sent by a client;
A determining unit 602, configured to determine a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: the first storage data corresponding to the query request and the first encryption related data used for recovering the first storage data;
and the feedback unit 603 is configured to feed back the query request of the client based on the first encrypted data packet.
In an embodiment of the present application, the first encryption related data includes: and carrying out recovery processing on the first stored data, namely first encryption algorithm data, the identification of the first key and first encryption rule data.
In the embodiment of the present application, the first encrypted data packet is a data packet in a lightweight data exchange format formed based on the first encryption algorithm data, the identifier of the first key, the first encryption rule data and the first storage data.
In the embodiment of the present application, the determining unit 602 in the data processing apparatus 600 is configured to determine, based on the query request, first configuration information corresponding to the client; wherein the first configuration information includes a protection mode for the first stored data.
In the embodiment of the present application, the determining unit 602 in the data processing apparatus 600 is configured to process the first encrypted data packet based on the protection mode to obtain the target data, so as to feed back the target data to the client.
In this embodiment of the present application, the determining unit 602 in the data processing apparatus 600 is configured to obtain, when the protection mode indicates confidentiality protection for the first stored data, the target data from the first stored data in the first encrypted data packet based on the authorization attribute of the client;
Determining the target data through the first stored data in the first encrypted data packet based on the consistency of a first verification code and a second verification code in the first encrypted data packet under the condition that the protection mode representation is integrity protection for the first stored data; wherein the second verification code is determined by the first encrypted data packet;
And under the condition that the protection mode characterization simultaneously performs the integrity protection and the confidentiality protection on the first stored data, processing the first encrypted data packet based on the consistency of the first verification code and the second verification code and the authorization attribute of the client to obtain the target data.
In the embodiment of the present application, the receiving unit 601 in the data processing apparatus 600 is configured to receive a data operation request sent by the client; the data operation request is used for representing data storage or data modification operation; processing the plaintext data included in the data operation request to obtain a second encrypted data packet for storage; wherein the second encrypted data packet includes: and the second storage data is obtained by processing the plaintext data, and the second encryption related data is used for recovering the second storage data.
In the embodiment of the present application, the determining unit 602 in the data processing apparatus 600 is configured to determine, based on the data operation request, second configuration information corresponding to the client; wherein the second configuration information includes a protection mode for the second stored data and calculation-related data for performing encryption calculation on the plaintext data.
In an embodiment of the present application, the calculating the related data includes: the second encryption algorithm data, the identification of the second key and the second bit filling rule data; a determining unit 602 in the data processing apparatus 600 is configured to process the plaintext data using the second encryption algorithm data, the second key and the second bit-filling rule data to obtain the second stored data;
The second encryption algorithm data, the identification of the second key, the second bit-filling rule data, and the second stored data determine the second encrypted data packet based on the protection mode.
It should be noted that, in the embodiment of the present application, if the above-mentioned data processing method is implemented in the form of a software functional module, and sold or used as a separate product, the data processing method may also be stored in a computer readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application may be embodied essentially or in a part contributing to the related art in the form of a software product stored in a storage medium, including several instructions for causing a data processing apparatus (which may be a personal computer or the like) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, or other various media capable of storing program codes. Thus, embodiments of the application are not limited to any specific combination of hardware and software.
Correspondingly, the embodiment of the application provides a computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the steps of the client-side method.
Correspondingly, the embodiment of the application provides an electronic device 700, comprising a memory 702 and a processor 701, wherein the memory 702 stores a computer program executable on the processor 701, and the processor 701 implements the steps of the method when executing the program.
It should be noted here that: the description of the storage medium and apparatus embodiments above is similar to that of the method embodiments described above, with similar benefits as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus of the present application, please refer to the description of the method embodiments of the present application.
Fig. 8 is a schematic diagram of a hardware entity of an electronic device according to an embodiment of the present application, as shown in fig. 8, the hardware entity of the electronic device 700 includes: a processor 701 and a memory 702, wherein;
The processor 701 generally controls the overall operation of the electronic device 700.
The memory 702 is configured to store instructions and applications executable by the processor 701, and may also cache data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or processed by various modules in the processor 701 and the electronic device 700, which may be implemented by a FLASH memory (FLASH) or a random access memory (Random Access Memory, RAM).
It should be noted here that: the description of the storage medium and apparatus embodiments above is similar to that of the method embodiments described above, with similar benefits as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus of the present application, please refer to the description of the method embodiments of the present application.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described embodiment of the apparatus is merely illustrative, and for example, the division of the units is merely a logic function division, and there may be other division manners in actual implementation, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, device or unit, whether electrical, mechanical or otherwise.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; can be located in one place or distributed to a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable Memory device, a Read Only Memory (ROM), a magnetic disk or an optical disk, or the like, which can store program codes.
Or the above-described integrated units of the application may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solution of the embodiments of the present application may be embodied essentially or in a part contributing to the related art in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a removable memory device, a ROM, a magnetic disk, or an optical disk.
The foregoing is merely an embodiment of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (12)

1. A method of data processing, comprising:
receiving a query request sent by a client;
Determining a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: the first storage data corresponding to the query request and the first encryption related data used for recovering the first storage data;
and feeding back the query request of the client based on the first encrypted data packet.
2. The data processing method according to claim 1, wherein the first encryption related data includes: and carrying out recovery processing on the first stored data, namely first encryption algorithm data, the identification of the first key and first encryption rule data.
3. The data processing method according to claim 2, wherein the first encrypted data packet is a data packet in a lightweight data exchange format formed based on the first encryption algorithm data, an identification of a first key, the first encryption rule data, and the first storage data.
4. A data processing method according to any one of claims 1 to 3, wherein before said feeding back a query request of the client based on the first encrypted data packet, the method further comprises:
Determining first configuration information corresponding to the client based on the query request; wherein the first configuration information includes a protection mode for the first stored data.
5. The method according to claim 4, wherein feeding back the query request of the client based on the first encrypted data packet, comprises:
and processing the first encrypted data packet based on the protection mode to obtain target data to be fed back to the client.
6. The method according to claim 5, wherein said processing said first encrypted data packet based on said protection mode to obtain target data comprises one of:
Obtaining the target data through the first stored data in the first encrypted data packet based on the authorization attribute of the client under the condition that the protection mode characterization is confidentiality protection for the first stored data;
Determining the target data through the first stored data in the first encrypted data packet based on the consistency of a first verification code and a second verification code in the first encrypted data packet under the condition that the protection mode representation is integrity protection for the first stored data; wherein the second verification code is determined by the first encrypted data packet;
And under the condition that the protection mode characterization simultaneously performs the integrity protection and the confidentiality protection on the first stored data, processing the first encrypted data packet based on the consistency of the first verification code and the second verification code and the authorization attribute of the client to obtain the target data.
7. A data processing method according to any one of claims 1 to 3, wherein the method further comprises:
receiving a data operation request sent by the client; the data operation request is used for representing data storage or data modification operation;
Processing the plaintext data included in the data operation request to obtain a second encrypted data packet for storage; wherein the second encrypted data packet includes: and the second storage data is obtained by processing the plaintext data, and the second encryption related data is used for recovering the second storage data.
8. The method for processing data according to claim 7, wherein after said receiving the data operation request sent by the client, said processing plaintext data included in the data operation request to obtain a second encrypted data packet for storage, and before said storing, the method further comprises:
determining second configuration information corresponding to the client based on the data operation request; wherein the second configuration information includes a protection mode for the second stored data and calculation-related data for performing encryption calculation on the plaintext data.
9. The data processing method of claim 8, wherein the calculating the relevant data comprises: the second encryption algorithm data, the identification of the second key and the second bit filling rule data; the processing the plaintext data included in the data operation request to obtain a second encrypted data packet includes:
processing the plaintext data by using the second encryption algorithm data, the second key and the second bit filling rule data to obtain second storage data;
The second encryption algorithm data, the identification of the second key, the second bit-filling rule data, and the second stored data determine the second encrypted data packet based on the protection mode.
10. A data processing apparatus, comprising:
the receiving unit is used for receiving the query request sent by the client;
A determining unit, configured to determine a corresponding first encrypted data packet based on the query request; wherein the first encrypted data packet includes: the first storage data corresponding to the query request and the first encryption related data used for recovering the first storage data;
And the feedback unit is used for feeding back the query request of the client based on the first encrypted data packet.
11. An electronic device comprising a memory and a processor, the memory storing a computer program executable on the processor, the processor implementing the steps of the method of any one of claims 1 to 9 when the computer program is executed.
12. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 9.
CN202310869631.6A 2023-07-14 2023-07-14 Data processing method, device, electronic equipment and storage medium Pending CN118013537A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310869631.6A CN118013537A (en) 2023-07-14 2023-07-14 Data processing method, device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310869631.6A CN118013537A (en) 2023-07-14 2023-07-14 Data processing method, device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN118013537A true CN118013537A (en) 2024-05-10

Family

ID=90945882

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310869631.6A Pending CN118013537A (en) 2023-07-14 2023-07-14 Data processing method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN118013537A (en)

Similar Documents

Publication Publication Date Title
EP3356988B1 (en) Method and system for verifiable searchable symmetric encryption
CN107038383B (en) Data processing method and device
US8509449B2 (en) Key protector for a storage volume using multiple keys
CN113691502B (en) Communication method, device, gateway server, client and storage medium
US9491174B2 (en) System and method for authenticating a user
CN110969431B (en) Secure hosting method, device and system for private key of blockchain digital coin
CN113346998B (en) Key updating and file sharing method, device, equipment and computer storage medium
CN113347143B (en) Identity verification method, device, equipment and storage medium
CN111294203B (en) Information transmission method
US20230325516A1 (en) Method for file encryption, terminal, electronic device and computer-readable storage medium
US20180239910A1 (en) Encrypted text verification system, method and recording medium
CN114417073B (en) Neighbor node query method and device of encryption graph and electronic equipment
CN109005184A (en) File encrypting method and device, storage medium, terminal
CN110932868A (en) Data signature method, system and device
US10484182B2 (en) Encrypted text verification system, method, and recording medium
CN113259722B (en) Secure video Internet of things key management method, device and system
CN112818404B (en) Data access permission updating method, device, equipment and readable storage medium
CN112528309A (en) Data storage encryption and decryption method and device
CN115694921B (en) Data storage method, device and medium
CN117744116A (en) Installation package protection method, decryption method, device, electronic equipment and storage medium
CN114553557B (en) Key calling method, device, computer equipment and storage medium
CN113779634B (en) Data storage method and system
CN118013537A (en) Data processing method, device, electronic equipment and storage medium
CN112913184B (en) Computing key rotation periods for block cipher based encryption scheme systems and methods
CN114745115A (en) Information transmission method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination