CN106855928A - A method and apparatus for improving data security - Google Patents
A method and apparatus for improving data security
- Publication number
- CN106855928A (CN201510904243.2A)
- Authority
- CN
- China
- Prior art keywords
- key information
- user
- access
- target data
- original cipher
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The purpose of the application is to provide a method and apparatus for improving data security. Compared with the prior art, after obtaining an accessing user's access request for target data in a system, the application does not let the accessing user access the target data at will, even if that user holds a higher user permission level in the system than the owner user. The accessing user is allowed to access the target data only when the access key information that the accessing user provides for the target data has been obtained and matches the original key information that the owner user set for the target data. This improves data security and the user experience.
Description
Technical field
The application relates to the computer field, and in particular to a technique for improving data security.
Background
With the rapid development of cloud services, their data security is drawing increasing attention. In existing cloud databases, a high-privilege user (such as a superuser or a user with root privileges) can view the data of a low-privilege user (such as an ordinary user), so some users worry about the security of the data they store in the cloud database, which harms the user experience.
Summary of the invention
One purpose of the application is to provide a method and apparatus for improving data security, to solve the problem that an accessing user whose permission level is higher than the owner user's can access target data at will.
According to one aspect of the application, a method for improving data security is provided, wherein the method includes:
obtaining an accessing user's access request for target data in a system, wherein the accessing user's user permission level in the system is higher than that of the owner user of the target data;
obtaining the access key information that the accessing user provides for the target data;
when the access key information matches the original key information that the owner user set for the target data, allowing the accessing user to access the target data.
According to another aspect of the application, an equipment for improving data security is provided, wherein the equipment includes:
an access request acquisition device, for obtaining an accessing user's access request for target data in a system, wherein the accessing user's user permission level in the system is higher than that of the owner user of the target data;
an access key acquisition device, for obtaining the access key information that the accessing user provides for the target data;
an access permission device, for allowing the accessing user to access the target data when the access key information matches the original key information that the owner user set for the target data.
Compared with the prior art, after obtaining an accessing user's access request for target data in a system, the application does not let the accessing user access the target data at will, even if that user holds a higher user permission level in the system than the owner user. The accessing user is allowed to access the target data only when the access key information that the accessing user provides for the target data has been obtained and matches the original key information that the owner user set for the target data; this improves data security and the user experience. Further, after a modification operation on the original key information is obtained, whether to allow the modification operation is decided by checking whether the user of the modification operation has submitted modification key information that matches the original key information. This prevents an accessing user whose permission level is higher than the owner user's from accessing the target data by arbitrarily changing the original key information, and further safeguards the target data.
Brief description of the drawings
Other features, objects and advantages of the application will become more apparent on reading the detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 shows a flow chart of a method for improving data security according to one aspect of the application;
Fig. 2 shows a flow chart of a method for improving data security according to a preferred embodiment of the application;
Fig. 3 shows a schematic diagram of an equipment for improving data security according to another aspect of the application;
Fig. 4 shows a schematic diagram of an equipment for improving data security according to a preferred embodiment of the application;
Fig. 5 shows a schematic diagram of a system for improving data security according to one embodiment of the application.
The same or similar reference numerals in the drawings denote the same or similar parts.
Detailed description of the embodiments
The application is described in further detail below with reference to the drawings.
In a typical configuration of the application, the terminal, the equipment of the service network and the trusted party each include one or more processors (CPU), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
Fig. 5 shows a schematic diagram of a system for improving data security according to one embodiment of the application.
Specifically, when a user creates a user account in the system, the user can specify a login password and a login key; when creating one or more databases under the user account, the user can specify a key for each database; and when creating tables in those databases, the user can also specify a key for each table. The login key, the database keys and the table keys set by the user are stored in a key table. When the system obtains an access request for a table or database created under the user account, it can ask the accessing user to enter the corresponding keys; if it finds that the keys entered by the accessing user are correct (consistent with the corresponding keys stored in the key table), it responds to the access request and returns the corresponding data.
Fig. 1 shows a flow chart of a method for improving data security according to one aspect of the application.
The method includes step S11, step S12 and step S13. Specifically, in step S11, the equipment 1 obtains an accessing user's access request for target data in a system, wherein the accessing user's user permission level in the system is higher than that of the owner user of the target data; in step S12, the equipment 1 obtains the access key information that the accessing user provides for the target data; in step S13, when the access key information matches the original key information that the owner user set for the target data, the equipment 1 allows the accessing user to access the target data.
Here, the equipment 1 includes, but is not limited to, user equipment, network equipment, or equipment formed by integrating user equipment and network equipment over a network. The user equipment includes, but is not limited to, any mobile electronic product that can interact with a user through a touch pad, such as a smartphone or a tablet computer, and the mobile electronic product may run any operating system, such as Android or iOS. The network equipment includes an electronic device that can automatically perform numerical computation and information processing according to preset or stored instructions; its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASIC), programmable gate arrays (FPGA), digital signal processors (DSP), embedded devices and the like. The network equipment includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers; here, the cloud consists of a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a virtual supercomputer made up of a group of loosely coupled computers. The network includes, but is not limited to, the Internet, wide area networks, metropolitan area networks, local area networks, VPNs, wireless ad hoc networks and the like. Preferably, the equipment 1 may also be a script program running on the user equipment, on the network equipment, or on equipment formed by integrating user equipment and network equipment, network equipment, a touch terminal, or network equipment and a touch terminal over a network. Of course, those skilled in the art will understand that the above equipment 1 is only an example; other existing or future equipment 1, if applicable to the application, should also fall within the scope of protection of the application and is incorporated herein by reference.
The steps of the equipment 1 operate continuously. Specifically, in step S11, the equipment 1 continuously obtains accessing users' access requests for target data in the system; in step S12, the equipment 1 continuously obtains the access key information that the accessing user provides for the target data; in step S13, the equipment 1 continuously allows the accessing user to access the target data when the access key information matches the original key information that the owner user set for the target data; and so on until the equipment 1 stops working.
In step S11, the equipment 1 obtains an accessing user's access request for target data in a system, wherein the accessing user's user permission level in the system is higher than that of the owner user of the target data.
In a specific embodiment, the system includes a cloud database, the accessing user includes a superuser or root-privileged user of the cloud database, and the owner user includes an ordinary user of the cloud database. The target data is contained in a data table. (A data table is a very important object in a database; a database may contain several data tables.) In the system, the owner user can create one or more databases under its user account and store the target data in them. Here, user permission refers to the scope of what a user may do: after logging in with a user account, according to the permission level set for that type of account, some functions in the system can be used and others cannot; a user with a higher permission level can use more functions than a user with a lower permission level.
In step S12, the equipment 1 obtains the access key information that the accessing user provides for the target data.
For example, after the accessing user's access request for target data in the system is obtained, a request to provide the access key information can be sent to the accessing user. The access key information provided by the accessing user is then obtained; it includes, but is not limited to, any of digits, letters and symbols, and any combination of them.
In a specific embodiment, any user (including the accessing user and the owner user) who wants to access the target data must provide the access key information.
In step S13, when the access key information matches the original key information that the owner user set for the target data, the equipment 1 allows the accessing user to access the target data.
In a specific embodiment, the access key information provided by the accessing user is compared with the original key information; if the access key information is consistent with the original key information, that is, the two match, the accessing user is allowed to access the target data.
Preferably, the original key information includes at least any one of the following: the login key information set when the owner user created a user in the system; the key information set when the owner user created the database corresponding to the target data in the system; the key information set when the owner user created the table corresponding to the target data in the system.
For example, the owner user needs to create a new user account when using the system for the first time, and at that point sets the login password and the login key information for the user account. In subsequent operation, the owner user can create one or more databases under the user account it created, and when creating a database can choose to set key information for it. The owner user can also create several tables in the one or more databases, and when creating a table can choose to set key information for it, where the tables include data tables (a data table is a very important object in a database; a database may contain several data tables).
In a preferred embodiment, if the original key information that the owner user set for the target data includes login key information, the key information of the database corresponding to the target data and the key information of the table corresponding to the target data, then the access key information provided by the accessing user should also include login key information, the key information of the database corresponding to the target data and the key information of the table corresponding to the target data, and when the access key information matches the original key information completely, the accessing user is allowed to access the target data.
Preferably, when the access key information does not match the original key information, the equipment 1 refuses the access request.
In a specific embodiment, the access key information provided by the accessing user is compared with the original key information; if the access key information is inconsistent with the original key information, that is, the two do not match, the accessing user is refused access to the target data.
Compared with the prior art, an accessing user whose permission level is higher than the owner user's cannot directly access the target data, but must provide access key information that matches the original key information that the owner user set for the target data before being allowed to access the target data, which improves data security.
Fig. 2 shows a flow chart of a method for improving data security according to a preferred embodiment of the application.
The method includes step S14', step S11', step S12' and step S13'. Here, steps S11', S12' and S13' are identical or essentially identical in content to steps S11, S12 and S13 in Fig. 1 and, for brevity, are not described again.
Specifically, in step S14', the equipment 1 obtains and stores the original key information that the owner user set for the target data.
In a specific embodiment, after the original key information that the owner user set for the target data is obtained, the original key information is stored in a key table. Here, the key table is global data in the system, that is, the data stored in the key table is available to all applications in the system.
Preferably, in step S14', the equipment 1 obtains the original key information that the owner user set for the target data, then encrypts and stores the original key information.
In a specific embodiment, before the original key information is stored in the key table, it is first encrypted. For example, one of the algorithms MD5 (Message-Digest Algorithm 5, a hash function widely used in the computer security field to provide message integrity protection), SHA (Secure Hash Algorithm, a family of cryptographic hash functions designed by the U.S. National Security Agency and published by the National Institute of Standards and Technology), RIPEMD (RACE Integrity Primitives Evaluation Message Digest) and the like can be selected to encrypt the original key information, and the ciphertext of the original key information produced by the algorithm is then stored in the key table.
Of course, those skilled in the art will understand that the above algorithms are only examples; other existing or future algorithms for encrypting the original key information, if applicable to the application, should also fall within the scope of protection of the application and are incorporated herein by reference.
Here, because the encryption result of MD5 and similar algorithms is irreversible, the accessing user cannot derive the plaintext of the original key information from its ciphertext after encryption by MD5 or a similar algorithm. Even if the accessing user holds a higher permission level in the system than the owner user, and even if the accessing user can see the ciphertext of the original key information, the accessing user cannot obtain the plaintext of the original key information from it and therefore cannot access the target data. This prevents an accessing user whose permission level is higher than the owner user's from accessing the target data at will, improves the security of the target data, and improves the user experience.
Preferably, the method also includes: the equipment 1 obtains a modification operation on the original key information; the equipment 1 checks whether the user of the modification operation has submitted modification key information that matches the original key information; when the modification key information matches the original key information, the equipment 1 performs the modification operation on the original key information; otherwise, it refuses the modification operation.
Here, when a modification operation on the original key information is obtained from any user (including the accessing user and the owner user), that user is required to submit modification key information; if the modification key information is not submitted, the modification operation is refused. If the modification key information includes the original key information, then the modification key information matches the original key information, and the modification operation on the original key information is allowed. If the modification key information does not include the original key information, for example because the user of the modification operation submitted wrong original key information when asked to enter the original key information, then the modification key information does not match the original key information, and the modification operation is refused. This prevents an accessing user whose permission level is higher than the owner user's from accessing the target data by arbitrarily changing the original key information, and further safeguards the target data.
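The storage step S14', the match check of step S13 and the key-modification rule described above, as an added Python example that is not part of the patent. It swaps the bare MD5/SHA/RIPEMD digest named in the text for salted PBKDF2-HMAC-SHA256 with a constant-time comparison, because anyone who can read the key table can guess short keys against an unsalted fast digest. The class and function names, scope labels, user name, key values and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed PBKDF2 work factor; tune for the deployment


class KeyTable:
    """Global key table: one row per (owner, scope), holding salt + digest only."""

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _digest(key, salt):
        return hashlib.pbkdf2_hmac("sha256", key.encode("utf-8"), salt, ROUNDS)

    def set_original_key(self, owner, scope, key):
        """Step S14': store the owner's key for a scope, never in plaintext."""
        if (owner, scope) in self._rows:
            raise ValueError("key already set; use modify_key")
        salt = os.urandom(16)
        self._rows[(owner, scope)] = (salt, self._digest(key, salt))

    def matches(self, owner, scope, supplied):
        """True only if the supplied key derives to the stored digest."""
        row = self._rows.get((owner, scope))
        if row is None or not supplied:
            return False  # unknown scope or no key submitted: no match
        salt, stored = row
        return hmac.compare_digest(stored, self._digest(supplied, salt))

    def modify_key(self, owner, scope, supplied_original, new_key):
        """Change a key only when the caller proves knowledge of the old one."""
        if not self.matches(owner, scope, supplied_original):
            return False
        salt = os.urandom(16)
        self._rows[(owner, scope)] = (salt, self._digest(new_key, salt))
        return True

    def raw_row(self, owner, scope):
        """What a privileged user reading the key table directly would see."""
        return self._rows[(owner, scope)]


def allow_access(table, requester_level, owner, scopes, supplied_keys):
    """Steps S11-S13: every required scope key must match.

    requester_level is accepted but deliberately never consulted, so a
    superuser gets no shortcut. An empty scope list is refused, otherwise
    all() over nothing would grant access.
    """
    del requester_level
    if not scopes:
        return False
    return all(table.matches(owner, s, supplied_keys.get(s)) for s in scopes)


def demo():
    """Constructed scenario: owner 'alice' (ordinary user) and a root user."""
    ROOT, ORDINARY = 100, 1
    scopes = ["login", "db:shop", "table:shop.orders"]
    owner_keys = {"login": "L0gin-key", "db:shop": "db-key-42",
                  "table:shop.orders": "tbl-key-7"}
    table = KeyTable()
    for scope in scopes:
        table.set_original_key("alice", scope, owner_keys[scope])

    out = {}
    out["root_no_keys"] = allow_access(table, ROOT, "alice", scopes, {})
    partial = dict(owner_keys, **{"table:shop.orders": "wrong"})
    out["root_partial_keys"] = allow_access(table, ROOT, "alice", scopes, partial)
    out["owner_all_keys"] = allow_access(table, ORDINARY, "alice", scopes, owner_keys)
    out["empty_scope_list"] = allow_access(table, ROOT, "alice", [], owner_keys)
    # Root tries to overwrite the table key without knowing the original.
    out["root_rekey"] = table.modify_key("alice", "table:shop.orders",
                                         "guess", "root-chosen")
    out["old_key_still_valid"] = table.matches("alice", "table:shop.orders",
                                               "tbl-key-7")
    out["owner_rekey"] = table.modify_key("alice", "table:shop.orders",
                                          "tbl-key-7", "tbl-key-8")
    out["old_key_after_rekey"] = table.matches("alice", "table:shop.orders",
                                               "tbl-key-7")
    out["new_key_after_rekey"] = table.matches("alice", "table:shop.orders",
                                               "tbl-key-8")
    salt, digest = table.raw_row("alice", "db:shop")
    out["stored_is_plaintext"] = digest == b"db-key-42"
    out["digest_len"] = len(digest)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```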
Fig. 3 shows an equipment 1 for improving data security according to one aspect of the application, wherein the equipment 1 includes an access request acquisition device 11, an access key acquisition device 12 and an access permission device 13.
Specifically, the access request acquisition device 11 obtains an accessing user's access request for target data in a system, wherein the accessing user's user permission level in the system is higher than that of the owner user of the target data; the access key acquisition device 12 obtains the access key information that the accessing user provides for the target data; the access permission device 13 allows the accessing user to access the target data when the access key information matches the original key information that the owner user set for the target data.
Here, the equipment 1 includes, but is not limited to, user equipment, network equipment, or equipment formed by integrating user equipment and network equipment over a network. The user equipment includes, but is not limited to, any mobile electronic product that can interact with a user through a touch pad, such as a smartphone or a tablet computer, and the mobile electronic product may run any operating system, such as Android or iOS. The network equipment includes an electronic device that can automatically perform numerical computation and information processing according to preset or stored instructions; its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASIC), programmable gate arrays (FPGA), digital signal processors (DSP), embedded devices and the like. The network equipment includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers; here, the cloud consists of a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a virtual supercomputer made up of a group of loosely coupled computers. The network includes, but is not limited to, the Internet, wide area networks, metropolitan area networks, local area networks, VPNs, wireless ad hoc networks and the like. Preferably, the equipment 1 may also be a script program running on the user equipment, on the network equipment, or on equipment formed by integrating user equipment and network equipment, network equipment, a touch terminal, or network equipment and a touch terminal over a network. Of course, those skilled in the art will understand that the above equipment 1 is only an example; other existing or future equipment 1, if applicable to the application, should also fall within the scope of protection of the application and is incorporated herein by reference.
The above devices operate continuously with one another. Here, those skilled in the art will understand that "continuously" means that each of the above devices works in real time, or according to a set or real-time-adjusted operating mode, respectively. For example, the access request acquisition device 11 continuously obtains accessing users' access requests for target data in the system; the access key acquisition device 12 continuously obtains the access key information that the accessing user provides for the target data; the access permission device 13 continuously allows the accessing user to access the target data when the access key information matches the original key information that the owner user set for the target data; and so on until the equipment 1 stops working.
The access request acquisition device 11 obtains an accessing user's access request for target data in a system, wherein the accessing user's user permission level in the system is higher than that of the owner user of the target data.
In a specific embodiment, the system includes a cloud database, the accessing user includes a superuser or root-privileged user of the cloud database, and the owner user includes an ordinary user of the cloud database. The target data is contained in a data table. (A data table is a very important object in a database; a database may contain several data tables.) In the system, the owner user can create one or more databases under its user account and store the target data in them. Here, user permission refers to the scope of what a user may do: after logging in with a user account, according to the permission level set for that type of account, some functions in the system can be used and others cannot; a user with a higher permission level can use more functions than a user with a lower permission level.
The access key acquisition device 12 obtains the access key information that the accessing user provides for the target data.
For example, after the accessing user's access request for target data in the system is obtained, a request to provide the access key information can be sent to the accessing user. The access key information provided by the accessing user is then obtained; it includes, but is not limited to, any of digits, letters and symbols, and any combination of them.
In a specific embodiment, any user (including the accessing user and the owner user) who wants to access the target data must provide the access key information.
The access permission device 13 allows the accessing user to access the target data when the access key information matches the original key information that the owner user set for the target data.
In a specific embodiment, the access key information provided by the accessing user is compared with the original key information; if the access key information is consistent with the original key information, that is, the two match, the accessing user is allowed to access the target data.
Preferably, the original key information includes at least any one of the following: the login key information set when the owner user created a user in the system; the key information set when the owner user created the database corresponding to the target data in the system; the key information set when the owner user created the table corresponding to the target data in the system.
For example, the owner user needs to create a new user account when using the system for the first time, and at that point sets the login password and the login key information for the user account. In subsequent operation, the owner user can create one or more databases under the user account it created, and when creating a database can choose to set key information for it. The owner user can also create several tables in the one or more databases, and when creating a table can choose to set key information for it, where the tables include data tables (a data table is a very important object in a database; a database may contain several data tables).
In a preferred embodiment, if the original key information that the owner user set for the target data includes login key information, the key information of the database corresponding to the target data and the key information of the table corresponding to the target data, then the access key information provided by the accessing user should also include login key information, the key information of the database corresponding to the target data and the key information of the table corresponding to the target data, and when the access key information matches the original key information completely, the accessing user is allowed to access the target data.
Preferably, equipment 1 also includes access reject device (not shown).The access reject device is worked as
The access key information is mismatched with the original cipher key information, refuses the access request.
In the particular embodiment, the access key information for the access user being provided is close with the original
Key information is compared, if the access key information is inconsistent with the original cipher key information, that is, is mismatched,
The refusal access user accesses the target data.
Compared with prior art, Permission Levels can not be straight higher than the access user of the owner user
The target data is asked in receiving, but needs to provide with the owner user for the target data is set
Original cipher key information match the access key information, be just allowed access to the target data, from
And improve data safety.
Fig. 4 shows equipment 1 for improving data security according to a preferred embodiment of the application, wherein equipment 1 includes an original cipher key acquisition device 14', an access request acquisition device 11', an access key acquisition device 12' and an access allowing device 13'.
Here, the access request acquisition device 11', the access key acquisition device 12' and the access allowing device 13' are identical or substantially identical in content to the access request acquisition device 11, the access key acquisition device 12 and the access allowing device 13 in Fig. 3, and for brevity are not described again.
Specifically, the original cipher key acquisition device 14' obtains and stores the original cipher key information set by the owner user for the target data.
In a specific embodiment, after the original cipher key information set by the owner user for the target data is obtained, the original cipher key information is stored in a key table. Here, the key table is global data in the system, that is, the data stored in the key table is available to all applications in the system.
Preferably, the original cipher key acquisition device 14' obtains the original cipher key information set by the owner user for the target data, then encrypts and stores the original cipher key information.
In a specific embodiment, the original cipher key information is first encrypted before being stored in the key table. For example, one of the algorithms such as MD5 (Message-Digest Algorithm 5, a hash function widely used in the field of computer security to provide integrity protection for messages), SHA (Secure Hash Algorithm, a series of cryptographic hash functions designed by the U.S. National Security Agency and published by the National Institute of Standards and Technology) and RIPEMD (RACE Integrity Primitives Evaluation Message Digest) can be selected to encrypt the original cipher key information, and the ciphertext of the original cipher key information produced by the algorithm is then stored in the key table.
Of course, those skilled in the art will understand that the above algorithms are only examples; other existing or future algorithms for encrypting the original cipher key information, if applicable to the application, should also be included within the scope of protection of the application and are incorporated herein by reference.
Here, because the encryption result of algorithms such as MD5 is irreversible, the access user cannot derive the plaintext of the original cipher key information from its ciphertext after encryption by an algorithm such as MD5. Even if the access user has a higher permission level in the system than the owner user, and even if the access user can see the ciphertext of the original cipher key information, the access user cannot obtain the plaintext of the original cipher key information from it and therefore cannot access the target data. This prevents an access user whose permission level is higher than that of the owner user from arbitrarily accessing the target data, which improves the security of the target data and the user experience.
Preferably, equipment 1 also includes a modification operation acquisition device (not shown), a checking device (not shown) and a modification operation matching device (not shown). The modification operation acquisition device obtains a modification operation on the original cipher key information; the checking device checks whether the user of the modification operation has submitted modification key information that matches the original cipher key information; the modification operation matching device performs the modification operation on the original cipher key information when the modification key information matches the original cipher key information, and otherwise refuses the modification operation.
Here, when a modification operation on the original cipher key information is obtained from any user (including the access user and the owner user), that user is required to submit modification key information; if the modification key information is not submitted, the modification operation is refused. If the modification key information includes the original cipher key information, the modification key information matches the original cipher key information and the modification operation is allowed to be performed on the original cipher key information. If the modification key information does not include the original cipher key information, for example because the user of the modification operation submitted wrong original cipher key information when asked to enter it, the modification key information does not match the original cipher key information and the modification operation is refused. This prevents an access user whose permission level is higher than that of the owner user from accessing the target data by arbitrarily modifying the original cipher key information, which further safeguards the target data.
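The access check, the hashed key table and the modification check described above, as an added Python example that is not part of the patent text. The class, method and level names are hypothetical, and the example swaps the MD5/SHA/RIPEMD digest named in the text for salted PBKDF2-HMAC-SHA256 with a constant-time comparison, because an unsalted fast digest of a guessable key can be recovered by guessing.

```python
import hashlib
import hmac
import os

# Hypothetical names for the three kinds of key information the text lists.
LEVELS = ("login", "database", "table")


def _digest(secret: str, salt: bytes) -> bytes:
    # Swapped-in technique: salted PBKDF2-HMAC-SHA256 instead of a bare digest.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class KeyTable:
    """Global key table: stores only salted digests of the original key information."""

    def __init__(self):
        self._rows = {}  # target name -> {level: (salt, digest)}

    def set_original(self, target, keys):
        """Owner sets key information for any subset of LEVELS (at least one)."""
        if not keys or set(keys) - set(LEVELS):
            raise ValueError("keys must use one or more of: %s" % (LEVELS,))
        row = {}
        for level, secret in keys.items():
            salt = os.urandom(16)
            row[level] = (salt, _digest(secret, salt))
        self._rows[target] = row

    def matches(self, target, supplied):
        """True only if every level the owner set is supplied and matches."""
        row = self._rows.get(target)
        if row is None:
            return False
        supplied = supplied or {}
        ok = True
        for level, (salt, digest) in row.items():
            candidate = _digest(str(supplied.get(level, "")), salt)
            # Check every level without early exit; compare in constant time.
            ok &= hmac.compare_digest(candidate, digest)
        return ok

    def access(self, target, supplied, permission_level):
        # permission_level is deliberately ignored: a higher-privileged
        # access user still has to present matching key information.
        return self.matches(target, supplied)

    def modify(self, target, modification_keys, new_keys):
        """Replace the original key information only if the current keys are presented."""
        if not self.matches(target, modification_keys):
            return False
        self.set_original(target, new_keys)
        return True
```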
It should be noted that the application can be implemented in software and/or a combination of software and hardware; for example, it can be implemented using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the application can be executed by a processor to realize the steps or functions described above. Similarly, the software program of the application (including related data structures) can be stored in a computer-readable recording medium, for example, RAM memory, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the application can be implemented in hardware, for example, as a circuit that cooperates with a processor to perform each step or function.
In addition, part of the application can be applied as a computer program product, for example computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the application through the operation of the computer. The program instructions that invoke the method of the application may be stored in a fixed or removable recording medium, and/or transmitted via a data stream in broadcast or other signal-bearing media, and/or stored in the working memory of a computer device that runs according to the program instructions. Here, one embodiment according to the application includes an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the apparatus is triggered to run the methods and/or technical solutions based on the foregoing multiple embodiments of the application.
It is obvious to a person skilled in the art that the application is not limited to the details of the above exemplary embodiments, and that the application can be realized in other specific forms without departing from its spirit or essential characteristics. Therefore, from whichever point of view, the embodiments should be regarded as exemplary and non-restrictive. The scope of the application is defined by the appended claims rather than by the above description, and all changes falling within the meaning and range of equivalency of the claims are therefore intended to be included in the application. No reference sign in a claim should be regarded as limiting the claim concerned. Furthermore, it is to be understood that the word "including" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a device claim can also be realized by one unit or device through software or hardware. Words such as "first" and "second" are used to denote names and do not denote any particular order.
Claims (12)
1. A method for improving data security, wherein the method includes:
obtaining an access request of an access user for target data in a system, wherein the user permission level of the access user in the system is higher than that of the owner user of the target data;
obtaining access key information about the target data provided by the access user;
when the access key information matches the original cipher key information set by the owner user for the target data, allowing the access user to access the target data.
2. The method according to claim 1, wherein the method also includes:
when the access key information does not match the original cipher key information, rejecting the access request.
3. The method according to claim 1 or 2, wherein the method also includes:
obtaining and storing the original cipher key information set by the owner user for the target data.
4. The method according to claim 3, wherein the obtaining and storing of the original cipher key information set by the owner user for the target data includes:
obtaining the original cipher key information set by the owner user for the target data;
encrypting and storing the original cipher key information.
5. The method according to claim 1, wherein the method also includes:
obtaining a modification operation on the original cipher key information;
checking whether the user of the modification operation has submitted modification key information that matches the original cipher key information;
when the modification key information matches the original cipher key information, performing the modification operation on the original cipher key information; otherwise, refusing the modification operation.
6. The method according to claim 1, wherein the original cipher key information includes at least any one of the following:
login key information set by the owner user when creating a user in the system;
key information set by the owner user when creating, in the system, the database corresponding to the target data;
key information set by the owner user when creating, in the system, the table corresponding to the target data.
7. Equipment for improving data security, wherein the equipment includes:
an access request acquisition device, for obtaining an access request of an access user for target data in a system, wherein the user permission level of the access user in the system is higher than that of the owner user of the target data;
an access key acquisition device, for obtaining access key information about the target data provided by the access user;
an access allowing device, for allowing the access user to access the target data when the access key information matches the original cipher key information set by the owner user for the target data.
8. The equipment according to claim 7, wherein the equipment also includes:
an access rejecting device, for rejecting the access request when the access key information does not match the original cipher key information.
9. The equipment according to claim 7 or 8, wherein the equipment also includes:
an original cipher key acquisition device, for obtaining and storing the original cipher key information set by the owner user for the target data.
10. The equipment according to claim 9, wherein the original cipher key acquisition device is used for:
obtaining the original cipher key information set by the owner user for the target data;
encrypting and storing the original cipher key information.
11. The equipment according to claim 7, wherein the equipment also includes:
a modification operation acquisition device, for obtaining a modification operation on the original cipher key information;
a checking device, for checking whether the user of the modification operation has submitted modification key information that matches the original cipher key information;
a modification operation matching device, for performing the modification operation on the original cipher key information when the modification key information matches the original cipher key information, and otherwise refusing the modification operation.
12. The equipment according to claim 7, wherein the original cipher key information includes at least any one of the following:
login key information set by the owner user when creating a user in the system;
key information set by the owner user when creating, in the system, the database corresponding to the target data;
key information set by the owner user when creating, in the system, the table corresponding to the target data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510904243.2A CN106855928A (en) | 2015-12-09 | 2015-12-09 | A kind of method and apparatus for improving data safety |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106855928A (en) | 2017-06-16 |
Family ID=59132467
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510904243.2A Pending CN106855928A (en) | 2015-12-09 | 2015-12-09 | A kind of method and apparatus for improving data safety |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106855928A (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20170616 |
| | RJ01 | Rejection of invention patent application after publication | |