
CN115022066B - Key data protection method based on firewall - Google Patents

Key data protection method based on firewall

Info

Publication number
CN115022066B
Authority
CN
China
Prior art keywords
data
firewall
stored
signature
target
Prior art date
Legal status
Active
Application number
CN202210687289.3A
Other languages
Chinese (zh)
Other versions
CN115022066A (en)
Inventor
李威
李健俊
姜学峰
汪炎平
董惠良
王正敏
杜旋
Current Assignee
China Tobacco Zhejiang Industrial Co Ltd
Original Assignee
China Tobacco Zhejiang Industrial Co Ltd
Priority date
Filing date
Publication date
Application filed by China Tobacco Zhejiang Industrial Co Ltd
Priority to CN202210687289.3A
Publication of CN115022066A
Application granted
Publication of CN115022066B
Legal status: Active
Anticipated expiration

Classifications

    • H04L 63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L 63/02, separating internal from external traffic, e.g. firewalls; H04L 63/00, network architectures or protocols for network security; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
    • G06F 21/602: Providing cryptographic facilities or services (under G06F 21/60, protecting data; G06F 21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F, electric digital data processing; G06, computing or calculating, counting; G, physics)
    • G06F 21/64: Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F 21/60; G06F 21/00; G06F; G06; G)
    • H04L 63/0428: Providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L 63/04; H04L 63/00; H04L; H04; H)
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H04L 63/00; H04L; H04; H)
    • H04L 9/3247: Cryptographic mechanisms or arrangements for secret or secure communications, including means for verifying the identity or authority of a user or for message authentication, involving digital signatures (under H04L 9/32, message authentication, data integrity, non-repudiation, key authentication or verification of credentials; H04L 9/00, cryptographic mechanisms; H04L; H04; H)
    • G06F 2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F 2221/21, indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements; G06F 2221/00, indexing scheme relating to security arrangements; G06F; G06; G)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a firewall-based key data protection method. Its main design concept is as follows: when a data stream is detected crossing a virtual firewall, the data to be stored in the stream is determined from the signature information of each item of data in the stream; the target root firewall specified in the data to be stored is then determined, and a private key parameter in the data to be stored is used to decide whether that data has permission to enter the target root firewall; if it does, the data to be stored is encrypted by the domain-level application gateway of the target root firewall to obtain corresponding encrypted data. The invention thus first decides whether the data to be stored may enter the target root firewall and, once that permission is confirmed, encrypts the data through the domain-level application gateway of the target root firewall, so that every item of data to be stored has its own corresponding encrypted data, thereby improving the security of key production data.

Description

Key data protection method based on firewall

Technical Field

The invention relates to the field of firewall data processing, and in particular to a firewall-based key data protection method.

Background

As cigarette and tobacco processing and manufacturing move toward intelligent, digital transformation, many process steps in the industry's manufacturing rely on the network to transmit and store key production information, and to keep that key production data secure and reliable, most of them store it behind a firewall.

At present, data storage through a firewall works mainly as follows: once the data to be stored has been allowed through the firewall, it is either written directly to the database or written to the database after simple processing rules have been applied to it.

The data to be stored is therefore not encrypted at any point during storage. If the firewall is compromised, all the data in the database may be stolen or infected with viruses, leading to data leakage or corruption, which would cause immeasurable loss and disruption to normal production, quality and safety in the cigarette and tobacco industry.

Summary of the Invention

In view of the above, the present invention aims to provide a firewall-based key data protection method to address the network storage security of key data in this industry.

The technical solution adopted by the present invention is as follows:

The present invention provides a firewall-based key data protection method, wherein the firewall includes a virtual firewall and a root firewall, and the key data protection method includes:

when a data stream is detected crossing the virtual firewall, determining the data to be stored in the data stream based on the signature information of each item of data in the data stream;

determining the target root firewall specified in the data to be stored, and determining, based on a private key parameter in the data to be stored, whether the data to be stored has permission to enter the target root firewall;

if the data to be stored has permission to enter the target root firewall, encrypting the data to be stored based on the domain-level application gateway of the target root firewall to obtain corresponding encrypted data.

In at least one possible implementation, encrypting the data to be stored based on the domain-level application gateway of the target root firewall to obtain the corresponding encrypted data includes:

determining a first remainder theorem parameter of the domain-level application gateway based on a first Diophantine equation of the domain-level application gateway;

determining the domain-level signature data of the domain-level application gateway for the data to be stored;

encrypting the data to be stored based on the first remainder theorem parameter and the domain-level signature data to obtain the encrypted data.

In at least one possible implementation, encrypting the data to be stored based on the first remainder theorem parameter and the domain-level signature data to obtain the encrypted data includes:

multiplying the first remainder theorem parameter by the data to be stored to obtain corresponding first data to be processed;

packaging the first data to be processed with the domain-level signature data to obtain the encrypted data.

In at least one possible implementation, after the corresponding encrypted data is obtained, the key data protection method further includes:

re-encrypting the encrypted data based on the regional application gateway of the target root firewall to obtain corresponding target storage data.

In at least one possible implementation, re-encrypting the encrypted data based on the regional application gateway of the target root firewall to obtain the corresponding target storage data includes:

if the regional application gateway determines that the domain-level signature data passes verification, determining a second remainder theorem parameter of the regional application gateway based on a second Diophantine equation of the regional application gateway;

determining the regional signature data of the regional application gateway for the encrypted data;

if the target root firewall determines that the regional signature data passes verification, re-encrypting the encrypted data based on the second remainder theorem parameter to obtain the target storage data.

In at least one possible implementation, re-encrypting the encrypted data based on the second remainder theorem parameter to obtain the target storage data includes:

determining a third remainder theorem parameter of the target root firewall based on a third Diophantine equation of the target root firewall;

multiplying the second remainder theorem parameter by the third remainder theorem parameter to obtain a corresponding target remainder theorem parameter;

multiplying the target remainder theorem parameter by the encrypted data to obtain corresponding second data to be processed, and determining the firewall signature data of the target root firewall for the second data to be processed;

packaging the firewall signature data with the second data to be processed to obtain the target storage data.

In at least one possible implementation, after the firewall signature data and the second data to be processed are packaged to obtain the target storage data, the key data protection method further includes:

verifying the firewall signature data in the target storage data;

if the firewall signature data passes verification, determining the data level corresponding to the target storage data and storing the target storage data in the database of the corresponding level according to that data level;

if the firewall signature data fails verification, re-signing the firewall signature data in the target storage data with the target root firewall and verifying the re-signed target storage data.

In at least one possible implementation, determining the data to be stored in the data stream based on the signature information of each item of data in the data stream includes:

obtaining a signature list from a database, wherein the signature list contains multiple user signature data entries;

determining whether target signature information exists among the signature information, wherein target signature information is signature information that has corresponding user signature data in the signature list;

if target signature information exists, designating the data corresponding to the target signature information as the data to be stored in the data stream.

The main design concept of the present invention is as follows: when a data stream is detected crossing a virtual firewall, the data to be stored in the stream is determined from the signature information of each item of data in the stream; the target root firewall specified in the data to be stored is then determined, and a private key parameter in the data to be stored is used to decide whether that data has permission to enter the target root firewall; if it does, the data to be stored is encrypted by the domain-level application gateway of the target root firewall to obtain corresponding encrypted data. The invention thus first decides whether the data to be stored may enter the target root firewall and, once that permission is confirmed, encrypts the data through the domain-level application gateway of the target root firewall, so that every item of data to be stored has its own corresponding encrypted data, thereby improving the security of production-critical data.

Brief Description of the Drawings

In order to make the purpose, technical solution and advantages of the present invention clearer, the present invention is further described below with reference to the accompanying drawings, in which:

FIG. 1 is a flow chart of a first embodiment of the firewall-based key data protection method provided by the present invention;

FIG. 2 is a flow chart of another embodiment of the firewall-based key data protection method provided by the present invention;

FIG. 3 is a detailed flow chart of step S30 of the firewall-based key data protection method provided by the present invention;

FIG. 4 is a flow chart of another embodiment of the firewall-based key data protection method provided by the present invention;

FIG. 5 is a flow chart of another embodiment of the firewall-based key data protection method provided by the present invention;

FIG. 6 is a flow chart of another embodiment of the firewall-based key data protection method provided by the present invention.

Detailed Description

Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting it.

The present invention proposes an embodiment of a firewall-based key data protection method. Specifically, as shown in FIG. 1, FIG. 1 is a flow chart of a first embodiment of the firewall-based key data protection method of the present invention.

This embodiment of the present invention provides an embodiment of a firewall-based key data protection method. It should be noted that although a logical order is shown in the flow chart, in some cases the steps shown or described may be performed in an order different from that given here.

The method of this embodiment is described with a firewall-based key data protection system as the executing entity. The firewall-based key data protection method includes:

Step S10: when a data stream is detected crossing the virtual firewall, determine the data to be stored in the data stream based on the signature information of each item of data in the data stream.

It should be noted that the firewall in the firewall-based key data protection system includes one virtual firewall (Virtual Firewall) and multiple root firewalls (Root Firewall). The virtual firewall is the first barrier of the system and has no permission settings, that is, all data can cross the virtual firewall. When the system detects data crossing the virtual firewall, it determines that data is about to enter a root firewall; the virtual firewall therefore serves to signal incoming data within the system. A root firewall consists mainly of multiple domain-level application gateways (Residential Aggregating Gateway, RAGW) and multiple regional application gateways (District Gateway, DGW), which are mainly used to encrypt data entering the root firewall.

The firewall-based key data protection system receives data streams from user terminals at all times. A data stream contains the data the user wants to store as well as other interfering data. To separate out the data the user wants to store effectively, the method is as follows: when the system detects a data stream crossing the virtual firewall, it determines the signature information of each item of data in the stream, verifies each item's signature information, and designates the data whose signature information meets the requirements as data that may enter the root firewall, that is, the data to be stored. The specific method of determining the data to be stored in the data stream is given in steps S101 to S103.

Step S101: obtain a signature list from a database, wherein the signature list contains multiple user signature data entries;

Step S102: determine whether target signature information exists among the signature information, wherein target signature information is signature information that has corresponding user signature data in the signature list;

Step S103: if target signature information exists, designate the data corresponding to the target signature information as the data to be stored in the data stream.

Specifically, when the system detects data crossing the virtual firewall, it obtains the corresponding signature list from the database. The signature list is a list compiled from the user signature data of all users authorized to access the root firewall, so it contains multiple user signature data entries. The system then searches the signature information, using the user signature data in the signature list, for target signature information corresponding to a user signature data entry, that is, signature information identical to one of the user signature data entries in the list. If target signature information is found in the signature information, the data corresponding to it is designated as the data to be stored in the data stream. If no target signature information is found, the system determines that the data stream contains no data to be stored and that all data in the stream is interference data. In this embodiment, therefore, the data to be stored is determined from the signature information of each item of data in the stream, so that the data to be stored is found accurately and no data is missed.

Step S20: determine the target root firewall specified in the data to be stored, and determine, based on the private key parameter in the data to be stored, whether the data to be stored has permission to enter the target root firewall.

After the system determines the data to be stored in the data stream, it further determines the target root firewall specified in the data to be stored. The system then obtains the key parameter carried in the data to be stored; one form of the key parameter is a key sequence, so the key sequence carried in the data to be stored is verified against the public key sequence of the target root firewall. If the key sequence carried in the data to be stored passes verification, the data to be stored is determined to have permission to enter the target root firewall. If it fails verification, the data to be stored is determined not to have permission to enter the target root firewall and is marked as interference data.

Step S30: if the data to be stored has permission to enter the target root firewall, encrypt the data to be stored based on the domain-level application gateway of the target root firewall to obtain corresponding encrypted data.

If the system determines that the data to be stored has permission to enter the specified target root firewall, it allows the data to cross that target root firewall. After the data to be stored has crossed the target root firewall, the system transmits it to the domain-level application gateway corresponding to the target root firewall and determines the characteristic parameter of that gateway; one form of the characteristic parameter is a remainder theorem parameter. The system then encrypts the data to be stored according to the characteristic parameter of the domain-level application gateway to obtain the corresponding encrypted data.

In this embodiment, when a data stream is detected crossing the virtual firewall, the data to be stored in the stream is determined from the signature information of each item of data in the stream; the target root firewall specified in the data to be stored is determined, and the private key parameter in the data to be stored is used to decide whether the data has permission to enter the target root firewall; if it does, the data to be stored is encrypted by the domain-level application gateway of the target root firewall to obtain the corresponding encrypted data. Thus, once this embodiment has determined that the data to be stored may enter the target root firewall, it encrypts the data through the domain-level application gateway of the target root firewall, so that every item of data to be stored has its own corresponding encrypted data, thereby improving data security.

进一步地,参照图2,图2是本发明基于防火墙的关键数据保护方法另一实施例的流程示意图,所述步骤S30之后,还包括:Further, referring to FIG. 2 , FIG. 2 is a flow chart of another embodiment of the critical data protection method based on a firewall of the present invention, after step S30, further comprising:

步骤S40,基于所述目标根防火墙的地区应用网关对所述加密数据进行再加密,得到对应的目标存储数据。Step S40: re-encrypting the encrypted data based on the regional application gateway of the target root firewall to obtain corresponding target storage data.

基于防火墙的关键数据保护系统根据域级应用网关对待存储数据加密完成后,也即得到待存储数据的加密数据后,将该加密数据传输至该目标根防火墙对应的地区应用网关。接着,基于防火墙的关键数据保护系统确定该地区应用网关对应的特性参数,特性参数其中的一种的表现形式为剩余定理参数,并根据该地区应用网关对应的特性参数对该加密数据进行再加密,得到对应的目标存储数据。After the key data protection system based on the firewall completes the encryption of the data to be stored according to the domain-level application gateway, that is, after obtaining the encrypted data of the data to be stored, the encrypted data is transmitted to the regional application gateway corresponding to the target root firewall. Then, the key data protection system based on the firewall determines the characteristic parameters corresponding to the regional application gateway, one of which is expressed as a remainder theorem parameter, and re-encrypts the encrypted data according to the characteristic parameters corresponding to the regional application gateway to obtain the corresponding target storage data.

本实施例基于目标根防火墙的地区应用网关对加密数据进行再加密,得到对应的目标存储数据。由此可知,本实施例在通过域级应用网关对待存储数据加密完成后,在通过目标根防火墙的地区应用网关对加密数据进行再加密,从而通过域级应用网关和地区应用网关对待存储数据进行了多重加密,增加了待存储数据的数据复杂度,从而增加待存储数据的隐私性,提高了数据的安全性和关键数据的保护。This embodiment re-encrypts the encrypted data based on the regional application gateway of the target root firewall to obtain the corresponding target storage data. It can be seen that after the encryption of the data to be stored is completed through the domain-level application gateway, the encrypted data is re-encrypted through the regional application gateway of the target root firewall, so that the data to be stored is multiply encrypted through the domain-level application gateway and the regional application gateway, which increases the data complexity of the data to be stored, thereby increasing the privacy of the data to be stored, improving the security of the data and the protection of key data.

Further, referring to FIG. 3, which is a detailed flow chart of step S30 of the firewall-based key data protection method of the present invention, step S30 comprises:

Step S301: determine a first remainder theorem parameter of the domain-level application gateway based on a first Diophantine equation of the domain-level application gateway;

Step S302: determine the domain-level signature data of the domain-level application gateway for the data to be stored;

Step S303: encrypt the data to be stored based on the first remainder theorem parameter and the domain-level signature data to obtain the encrypted data.

It should be noted that the specific process by which the Diophantine equation determines the remainder theorem parameters is as follows. Take two sets of solutions of the Diophantine equation, χ=(x1,x2,...,xn1) and γ=(y1,y2,...,yn2), and select two sets of pairwise coprime integers, Aa=(a1,a2,...,as) and Bb=(b1,b2,...,bL), such that both coprime sets are contained in the solutions χ and γ of the Diophantine equation, and the smallest element of each coprime set is greater than nmax·U, where nmax is the maximum number of domain-level application gateways and U is the upper bound of each dimension of the data. In addition, the complement of Aa with respect to χ is CχAa=(x11,x12,...,x1n3) with n3=n1-s, and the complement of Bb with respect to γ is CγBb=(y11,y12,...,y1n4) with n4=n2-L. Compute A=a1·a2·...·as and B=b1·b2·...·bL to obtain the remainder theorem parameter sets Aa=(Ak | Ak=A/ak, 1≦k≦s) and Bb=(Bj | Bj=B/bj, 1≦j≦L).


Specifically, if the firewall-based key data protection system determines that the data to be stored has permission to enter the designated target root firewall, it transmits the data to be stored to the domain-level application gateway corresponding to that target root firewall and takes two sets of solutions of that gateway's Diophantine equation, χ1=(x1,x2,...,xn1) and γ1=(y1,y2,...,yn2). From these two sets of solutions the system determines the remainder theorem parameter sets of the domain-level application gateway as Aa1=(Ak1 | Ak1=A/ak1, 1≦k1≦s) and Bb1=(Bj1 | Bj1=B/bj1, 1≦j1≦L). The system then determines the domain-level signature data of the domain-level application gateway for the data to be stored, R=H(c||ID_RAGW), where H is a hash function, c is the data to be stored, and ID_RAGW is the identifier of the domain-level application gateway. Finally, the system encrypts the data to be stored according to the remainder theorem parameters of the domain-level application gateway and the domain-level signature data to obtain the encrypted data; the specific process is given in steps S3031 to S3032.

In this embodiment, the first remainder theorem parameter of the domain-level application gateway is determined based on its first Diophantine equation; the domain-level signature data of the domain-level application gateway for the data to be stored is determined; and the data to be stored is encrypted based on the first remainder theorem parameter and the domain-level signature data to obtain the encrypted data. Thus the Diophantine equation of the domain-level application gateway and its remainder theorem parameters increase the data complexity of the data to be stored and thereby its privacy, improving data security and the protection of key data.

Step S3031: multiply the first remainder theorem parameter by the data to be stored to obtain the corresponding first data to be processed;

Step S3032: package the first data to be processed and the domain-level signature data to obtain the encrypted data.

Specifically, the firewall-based key data protection system first multiplies each of the remainder theorem parameter sets Aa1 and Bb1 of the domain-level application gateway by the data to be stored c, obtaining c*Aa1 and c*Bb1, and then adds c*Aa1 and c*Bb1 to obtain the corresponding data to be processed S1=c*Aa1+c*Bb1. It then packages the data to be processed S1:{c*Aa1+c*Bb1} together with the domain-level signature data R to obtain the encrypted data ct={c*Aa1+c*Bb1, R}.

In this embodiment, the first remainder theorem parameter is multiplied by the data to be stored to obtain the corresponding first data to be processed, and the first data to be processed is packaged with the domain-level signature data to obtain the encrypted data. Thus the remainder theorem parameters of the domain-level application gateway are multiplied by the data to be stored and the products added, the domain-level signature data is attached to the result and the whole is packaged to give the encrypted data, which increases the data complexity of the data to be stored and thereby its privacy, improving data security and the protection of key data.

Further, referring to FIG. 4, which is a flow chart of another embodiment of the firewall-based key data protection method of the present invention, step S40 comprises:

Step S401: if the regional application gateway determines that the domain-level signature data passes verification, determine a second remainder theorem parameter of the regional application gateway based on a second Diophantine equation of the regional application gateway;

Step S402: determine the regional signature data of the regional application gateway for the encrypted data;

Step S403: if the target root firewall determines that the regional signature data passes verification, re-encrypt the encrypted data based on the second remainder theorem parameter to obtain the target storage data.

Specifically, after the firewall-based key data protection system has obtained the encrypted data ct of the data to be stored through the domain-level application gateway of the target root firewall designated by that data, it transmits ct to the regional application gateway corresponding to that target root firewall. On receiving ct, the regional application gateway verifies whether the domain-level signature data R carried in ct is correct, that is, whether the domain-level application gateway that encrypted ct is the domain-level application gateway associated with this regional application gateway. If R fails verification, meaning that the domain-level application gateway that encrypted ct is not the one associated with this regional application gateway, a corresponding prompt is sent to the key data protection system, prompting it to re-determine the domain-level application gateway, re-encrypt with the re-determined gateway and re-transmit the re-encrypted data. If R passes verification, meaning that the encrypting domain-level application gateway is the one associated with this regional application gateway, a prompt is sent telling the key data protection system to continue with the subsequent operations.

The key data protection system then takes two sets of solutions of the regional application gateway's Diophantine equation, χ2=(x1,x2,...,xn1) and γ2=(y1,y2,...,yn2), and from them determines the remainder theorem parameter sets of the regional application gateway as Aa2=(Ak2 | Ak2=A/ak2, 1≦k2≦s) and Bb2=(Bj2 | Bj2=B/bj2, 1≦j2≦L). At the same time, the system determines the regional signature data of the regional application gateway for the encrypted data ct, D=H(ct||ID_DGW), where ID_DGW is the identifier of the regional application gateway. The system also verifies the regional signature data through the target root firewall, that is, determines whether the regional application gateway is the associated regional application gateway. If the regional signature data fails verification, meaning that the regional application gateway is not the associated one, the regional application gateway is re-determined and re-encryption and signing are performed with the re-determined gateway. If the regional signature data passes verification, meaning that the regional application gateway is the associated one, the encrypted data is re-encrypted according to the remainder theorem parameters of the regional application gateway to obtain the target storage data.

In this embodiment, if the regional application gateway determines that the domain-level signature data passes verification, the second remainder theorem parameter of the regional application gateway is determined based on its second Diophantine equation; the regional signature data of the regional application gateway for the encrypted data is determined; and if the target root firewall determines that the regional signature data passes verification, the encrypted data is re-encrypted based on the second remainder theorem parameter to obtain the target storage data. Thus, after the encrypted data has been obtained through the domain-level application gateway, the Diophantine equation of the regional application gateway and its remainder theorem parameters further increase the data complexity of the data to be stored and thereby its privacy, improving data security and the protection of key data.

Further, referring to FIG. 5, which is a flow chart of another embodiment of the firewall-based key data protection method of the present invention, step S403 comprises:

Step S4031: determine a third remainder theorem parameter of the target root firewall based on a third Diophantine equation of the target root firewall;

Step S4032: multiply the second remainder theorem parameter by the third remainder theorem parameter to obtain the corresponding target remainder theorem parameter;

Step S4033: multiply the target remainder theorem parameter by the encrypted data to obtain the corresponding second data to be processed, and determine the firewall signature data of the target root firewall for the second data to be processed;

Step S4034: package the firewall signature data and the second data to be processed to obtain the target storage data.

Specifically, after the firewall-based key data protection system has determined through the target root firewall that the regional signature data passes verification, it takes two sets of solutions of the target root firewall's Diophantine equation, χ3=(x1,x2,...,xn1) and γ3=(y1,y2,...,yn2), and from them determines the remainder theorem parameter sets of the target root firewall as Aa3=(Ak3 | Ak3=A/ak3, 1≦k3≦s) and Bb3=(Bj3 | Bj3=B/bj3, 1≦j3≦L). The system then multiplies the remainder theorem parameters of the target root firewall by those of the regional application gateway to obtain the target remainder theorem parameter W=Aa2*Aa3+Bb2*Bb3. Next, it multiplies the target remainder theorem parameter by the encrypted data ct={c*Aa1+c*Bb1, R} to obtain the corresponding data to be processed S2=c*Aa1*Aa2*Aa3+c*Bb1*Bb2*Bb3, and at the same time determines the firewall signature data of the target root firewall, RF=H(c||ID_Root Firewall), where ID_Root Firewall is the identifier of the target root firewall. Finally, the system packages the firewall signature data RF and the data to be processed S2:{c*Aa1*Aa2*Aa3+c*Bb1*Bb2*Bb3} to obtain the target storage data {c*Aa1*Aa2*Aa3+c*Bb1*Bb2*Bb3, RF}.

In this embodiment, the third remainder theorem parameter of the target root firewall is determined based on its third Diophantine equation; the second remainder theorem parameter is multiplied by the third to obtain the corresponding target remainder theorem parameter; the target remainder theorem parameter is multiplied by the encrypted data to obtain the corresponding second data to be processed, and the firewall signature data of the target root firewall for the second data to be processed is determined; and the firewall signature data and the second data to be processed are packaged to obtain the target storage data. On top of the remainder theorem parameters of the regional application gateway, this embodiment adds those of the target root firewall, so that the final target storage data has higher data complexity, increasing the privacy of the data to be stored and improving data security and the protection of key data.
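The three-stage transform of steps S301 to S3032 (domain-level gateway) and S401 to S4034 (regional gateway, then target root firewall) can be followed end to end in the worked example below. It is an added example, not the patent's own code or any implementation by the applicant: the coprime moduli, the gateway identifiers (ID_RAGW, ID_DGW, ID_Root Firewall) and the sample value c are constructed here; the page names no hash function, so SHA-256 stands in for H and "||" is modelled as byte concatenation; and because the page does not say how the Aa and Bb parameter sets are paired when forming c*Aa1+c*Bb1, the example combines them component-wise (s = L assumed) and keeps each component as an (A-term, B-term) pair so that later stages can scale each term by its own parameter, which yields exactly the separated form of S2 the text states. The `crt_reconstruct` helper goes one step beyond the page: it shows why the values A/ak are called remainder theorem parameters, which the patent's own steps never use.

```python
"""Worked model of the three-stage transform in steps S30 and S40.

Added example, not the patent's own code. The moduli, gateway identifiers and
the sample value c are constructed; the page names no hash function, so
SHA-256 stands in for H, and '||' is modelled as byte concatenation.
"""
import hashlib
from math import gcd, prod

# Constructed parameters: n_max = 2 gateways and U = 10, so every modulus
# must exceed n_max*U = 20. Distinct primes are trivially pairwise coprime.
N_MAX, U = 2, 10
A1, B1 = [23, 29, 31], [37, 41, 43]      # domain-level application gateway
A2, B2 = [47, 53, 59], [61, 67, 71]      # regional application gateway
A3, B3 = [73, 79, 83], [89, 97, 101]     # target root firewall
ID_RAGW, ID_DGW, ID_ROOT = "ragw-01", "dgw-01", "root-fw-01"   # constructed IDs


def pairwise_coprime(moduli):
    return all(gcd(x, y) == 1 for i, x in enumerate(moduli) for y in moduli[i + 1:])


def remainder_theorem_params(moduli, n_max=N_MAX, upper=U):
    """A = a1*...*as and A_k = A/a_k, under the page's two preconditions."""
    if not pairwise_coprime(moduli):
        raise ValueError("moduli must be pairwise coprime")
    if min(moduli) <= n_max * upper:
        raise ValueError("smallest modulus must exceed n_max * U")
    total = prod(moduli)
    return [total // m for m in moduli]


def crt_reconstruct(residues, moduli):
    """Why A_k = A/a_k are called remainder theorem parameters: together with
    the inverse of A_k mod a_k they rebuild x from its residues (standard
    CRT). Illustration only; the patent's steps never perform this."""
    total = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        ak = total // m
        x += r * ak * pow(ak, -1, m)
    return x % total


def sign(payload: bytes, node_id: str) -> str:
    """H(payload || ID), with SHA-256 assumed for H."""
    return hashlib.sha256(len(payload).to_bytes(4, "big") + payload + node_id.encode()).hexdigest()


def domain_encrypt(c, a1=A1, b1=B1, id_ragw=ID_RAGW):
    """S301-S3032: S1 = c*Aa1 + c*Bb1 packaged with R = H(c||ID_RAGW).
    A- and B-terms are kept as pairs (assumption, see lead-in)."""
    Aa1, Bb1 = remainder_theorem_params(a1), remainder_theorem_params(b1)
    if len(Aa1) != len(Bb1):
        raise ValueError("this example assumes s == L")
    s1 = [(c * ak, c * bj) for ak, bj in zip(Aa1, Bb1)]
    return {"S1": s1, "R": sign(str(c).encode(), id_ragw)}


def region_then_root(ct, c, expected_ragw=ID_RAGW, id_dgw=ID_DGW,
                     expected_dgw=ID_DGW, id_root=ID_ROOT):
    """S401-S4034: verify R, derive region and root parameters,
    W = Aa2*Aa3 + Bb2*Bb3, S2 = c*Aa1*Aa2*Aa3 + c*Bb1*Bb2*Bb3, package with RF."""
    # S401: the regional gateway accepts R only from its associated domain gateway.
    if ct["R"] != sign(str(c).encode(), expected_ragw):
        raise PermissionError("domain-level signature R failed verification")
    Aa2, Bb2 = remainder_theorem_params(A2), remainder_theorem_params(B2)
    # S402: regional signature D = H(ct||ID_DGW) over the whole package ct.
    ct_bytes = repr((ct["S1"], ct["R"])).encode()
    D = sign(ct_bytes, id_dgw)
    # S403: the root firewall accepts D only from its associated regional gateway.
    if D != sign(ct_bytes, expected_dgw):
        raise PermissionError("regional signature D failed verification")
    Aa3, Bb3 = remainder_theorem_params(A3), remainder_theorem_params(B3)
    # S4032: target parameter W, kept as (A-term, B-term) pairs.
    W = [(x2 * x3, y2 * y3) for x2, x3, y2, y3 in zip(Aa2, Aa3, Bb2, Bb3)]
    # S4033: S2 in the separated form the page states.
    S2 = [(sa * wa, sb * wb) for (sa, sb), (wa, wb) in zip(ct["S1"], W)]
    # S4033/S4034: RF = H(c||ID_Root Firewall), packaged with S2.
    return {"S2": S2, "RF": sign(str(c).encode(), id_root)}


def recover(stored, k=0):
    """Inverse for a holder of all three parameter sets: the A-term of
    component k equals c*A1_k*A2_k*A3_k, so exact division returns c."""
    scale = prod(remainder_theorem_params(m)[k] for m in (A1, A2, A3))
    term, _ = stored["S2"][k]
    if term % scale:
        raise ValueError("A-term is not a multiple of the parameter product")
    return term // scale


def rejects_foreign_signature(c=7):
    """S401 check: a ct signed by a non-associated domain gateway is refused."""
    ct = domain_encrypt(c, id_ragw="ragw-99")   # constructed foreign gateway ID
    try:
        region_then_root(ct, c)
    except PermissionError:
        return True
    return False


def run_example(c=7):
    return region_then_root(domain_encrypt(c), c)


if __name__ == "__main__":
    stored = run_example()
    print(stored["S2"][0], stored["RF"][:16], recover(stored))
```

`recover` makes the nature of the transform explicit: each stage multiplies the data by parameters derived from the moduli, so anyone holding the three parameter sets undoes it by exact division, and the R and D checks decide only whether the expected gateway produced each package.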

Further, referring to FIG. 6, which is a flow chart of another embodiment of the firewall-based key data protection method of the present invention, the method further comprises, after step S4034:

Step S50: verify the firewall signature data in the target storage data;

Step S60: if the firewall signature data passes verification, determine the data level corresponding to the target storage data and store the target storage data in the database of the corresponding level according to that data level;

Step S70: if the firewall signature data fails verification, re-sign the firewall signature data in the target storage data according to the target root firewall and verify the re-signed target storage data.

Specifically, before storing the target storage data in a database, the firewall-based key data protection system must verify whether the firewall signature data of the target root firewall in the target storage data is correct, that is, whether the signature format of the firewall signature data is correct. If the firewall signature data fails verification, the original firewall signature data in the target storage data is deleted, the firewall signature data is re-signed according to the target root firewall, and the re-signed target storage data is verified again, until the firewall signature data in the target storage data passes verification. If the firewall signature data passes verification, the system further determines the data level of the target storage data and from it the level of the database. Finally, the system stores the target storage data in the database corresponding to that data level. In this embodiment, for example, if the data level of the target storage data is level 3, the target storage data is stored in the level-3 database.

Further, when a user accesses target storage data in a database, the user level corresponding to that user is first determined. If the user level is higher than the level of the target storage data to be obtained, the target storage data is read from the corresponding database and returned; if the user level is lower than the level of the target storage data to be obtained, access is denied. In this embodiment, for example, user A has user level 3, which means that user A can only access target storage data of levels 1, 2 and 3.

In this embodiment, the firewall signature data in the target storage data is verified; if it passes, the data level corresponding to the target storage data is determined and the target storage data is stored in the database of the corresponding level; if it fails, the firewall signature data in the target storage data is re-signed according to the target root firewall and the re-signed target storage data is verified. Thus, before the target storage data is stored in a database, its firewall signature data is verified once more; these multiple verifications make the target storage data more secure and better protect key data. At the same time, storing by data level and managing by data permission improves the efficiency of data management.
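The storage-side procedure of steps S50 to S70, followed by the level-based read check described with user A, is modelled in the added example below. It is not the patent's code or an implementation by the applicant: the records, identifiers, levels and user are constructed, SHA-256 stands in for the unnamed hash H, and the re-sign loop is given an upper bound (`max_resign`) that the page's "until verification passes" wording does not state. The read check follows the page's worked example (a level-3 user reads levels 1, 2 and 3), so equal levels are allowed.

```python
"""Worked model of steps S50-S70 and the level-based read check.

Added example, not the patent's code. Records, identifiers, levels and the
user are constructed; SHA-256 stands in for the unnamed hash H. As the page
defines it, RF = H(c||ID_Root Firewall), so the check recomputes RF from c
and the expected root-firewall identifier.
"""
import hashlib

ID_ROOT = "root-fw-01"   # constructed identifier of the target root firewall


def sign(payload: bytes, node_id: str) -> str:
    """H(payload || ID), SHA-256 assumed."""
    return hashlib.sha256(len(payload).to_bytes(4, "big") + payload + node_id.encode()).hexdigest()


def verify_rf(record, c, id_root=ID_ROOT):
    """S50: RF must equal H(c||ID_Root Firewall) for the expected root firewall."""
    return record["RF"] == sign(str(c).encode(), id_root)


def resign(record, c, id_root=ID_ROOT):
    """S70: discard the old RF and sign again with the target root firewall."""
    return {"S2": record["S2"], "RF": sign(str(c).encode(), id_root)}


def store(record, c, level, databases, id_root=ID_ROOT, max_resign=3):
    """S50-S60: verify RF (re-signing while it fails), then file the record in
    the database of its data level. Returns (level, number of re-signs)."""
    attempts = 0
    while not verify_rf(record, c, id_root):
        if attempts == max_resign:        # bounded; the page's loop is open-ended
            raise RuntimeError("firewall signature could not be repaired")
        record = resign(record, c, id_root)
        attempts += 1
    databases.setdefault(level, []).append(record)
    return level, attempts


def can_read(user_level, data_level):
    """Read rule as the page's example states it: level-3 user reads levels 1-3."""
    return user_level >= data_level


def read(user_level, data_level, databases):
    if not can_read(user_level, data_level):
        raise PermissionError(f"user level {user_level} below data level {data_level}")
    return list(databases.get(data_level, []))


def rf_detects_s2_change(record, c, id_root=ID_ROOT):
    """RF is computed from c and the ID only, so a change to S2 alone is not
    visible to verify_rf; returns True only if the change is detected."""
    altered = {"S2": [(a + 1, b) for a, b in record["S2"]], "RF": record["RF"]}
    return not verify_rf(altered, c, id_root)


def run_example():
    """Constructed records: one correctly signed, one with a corrupted RF."""
    c, dbs = 7, {}
    good = {"S2": [(12345, 67890)], "RF": sign(b"7", ID_ROOT)}   # S2 values constructed
    bad = {"S2": [(12345, 67890)], "RF": "corrupt"}
    results = [store(good, c, 3, dbs), store(bad, c, 2, dbs)]
    return dbs, results


if __name__ == "__main__":
    dbs, results = run_example()
    print(results, len(read(3, 3, dbs)), rf_detects_s2_change(dbs[3][0], 7))
```

`rf_detects_s2_change` records what the S50 check covers as the page defines RF: the identity of the signing root firewall and the signature format, not the contents of S2. A deployment that needs the stored payload bound to the signature would hash S2 into RF as well, the way D already covers the whole of ct.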

In summary, the main design concept of the present invention is that when a data flow crossing a virtual firewall is detected, the data to be stored in the data flow is determined based on the signature information of each item of data in the flow; the target root firewall designated in the data to be stored is then determined, and whether the data to be stored has permission to enter that target root firewall is determined based on the private key parameter in the data to be stored; and if it does, the data to be stored is encrypted based on the domain-level application gateway of the target root firewall to obtain the corresponding encrypted data. The present invention first judges whether the data to be stored is permitted to enter the target root firewall and, once it has determined that it is, encrypts the data to be stored through the domain-level application gateway of the target root firewall, so that every item of data to be stored has its own corresponding encrypted data, thereby improving the security of production-critical data.

In the embodiments of the present invention, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" and similar expressions refer to any combination of the listed items, including any combination of single or plural items; for example, at least one of a, b and c may represent a, b, c, a and b, a and c, b and c, or a and b and c, where a, b and c may each be single or multiple.

The structure, features and effects of the present invention have been described in detail above with reference to the embodiments shown in the drawings, but these are only preferred embodiments of the present invention. It should be noted that the technical features involved in the above embodiments and their preferred forms can reasonably be combined by those skilled in the art into a variety of equivalent schemes without departing from or changing the design ideas and technical effects of the present invention. Therefore, the scope of the present invention is not limited to what is shown in the drawings; any change made in accordance with the concept of the present invention, or any modification into an equivalent embodiment with equivalent changes, which still does not exceed the spirit covered by the description and drawings, falls within the protection scope of the present invention.

Claims (7)

1.一种基于防火墙的关键数据保护方法,其特征在于,所述防火墙包括虚拟防火墙和根防火墙,所述关键数据保护方法包括:1. A critical data protection method based on a firewall, characterized in that the firewall includes a virtual firewall and a root firewall, and the critical data protection method includes: 侦测到存在数据流跨越所述虚拟防火墙时,基于所述数据流中各个数据的签名信息,确定所述数据流中的待存储数据;When it is detected that there is a data flow crossing the virtual firewall, based on the signature information of each data in the data flow, determining the data to be stored in the data flow; 确定所述待存储数据中指定的目标根防火墙,基于所述待存储数据中的私钥参数确定所述待存储数据是否有进入所述目标根防火墙的权限;Determine a target root firewall specified in the data to be stored, and determine whether the data to be stored has permission to enter the target root firewall based on a private key parameter in the data to be stored; 若所述待存储数据有进入所述目标根防火墙的权限,则基于所述目标根防火墙的域级应用网关对所述待存储数据进行加密,得到对应的加密数据,包括:基于所述域级应用网关的第一丢番图方程,确定所述域级应用网关的第一剩余定理参数;确定所述域级应用网关对所述待存储数据的域级签名数据;基于所述第一剩余定理参数和所述域级签名数据对所述待存储数据进行加密,得到所述加密数据。If the data to be stored has the permission to enter the target root firewall, the data to be stored is encrypted based on the domain-level application gateway of the target root firewall to obtain corresponding encrypted data, including: determining the first remainder theorem parameter of the domain-level application gateway based on the first Diophantine equation of the domain-level application gateway; determining the domain-level signature data of the domain-level application gateway for the data to be stored; encrypting the data to be stored based on the first remainder theorem parameter and the domain-level signature data to obtain the encrypted data. 2.根据权利要求1所述的基于防火墙的关键数据保护方法,其特征在于,所述基于所述第一剩余定理参数和所述域级签名数据对所述待存储数据进行加密,得到所述加密数据包括:2. 
The method for protecting critical data based on a firewall according to claim 1, wherein the step of encrypting the data to be stored based on the first remainder theorem parameter and the domain-level signature data to obtain the encrypted data comprises: 将所述第一剩余定理参数与所述待存储数据进行相乘,得到对应的第一待处理数据;Multiplying the first remainder theorem parameter by the data to be stored to obtain corresponding first data to be processed; 将所述第一待处理数据和所述域级签名数据进行打包,得到所述加密数据。The first data to be processed and the domain-level signature data are packaged to obtain the encrypted data. 3.根据权利要求1所述的基于防火墙的关键数据保护方法,其特征在于,在得到对应的加密数据之后,所述关键数据保护方法还包括:3. The method for protecting critical data based on a firewall according to claim 1, characterized in that after obtaining the corresponding encrypted data, the method for protecting critical data further comprises: 基于所述目标根防火墙的地区应用网关对所述加密数据进行再加密,得到对应的目标存储数据。The regional application gateway based on the target root firewall re-encrypts the encrypted data to obtain corresponding target storage data. 4.根据权利要求3所述的基于防火墙的关键数据保护方法,其特征在于,所述基于所述目标根防火墙的地区应用网关对所述加密数据进行再加密,得到对应的目标存储数据包括:4. 
The method for protecting critical data based on a firewall according to claim 3, wherein the step in which the regional application gateway, based on the target root firewall, re-encrypts the encrypted data to obtain the corresponding target storage data comprises:

if it is determined, based on the regional application gateway, that the domain-level signature data passes verification, determining a second remainder theorem parameter of the regional application gateway based on a second Diophantine equation of the regional application gateway;

determining regional signature data of the regional application gateway for the encrypted data;

if it is determined, based on the target root firewall, that the regional signature data passes verification, re-encrypting the encrypted data based on the second remainder theorem parameter to obtain the target storage data.

5. The firewall-based critical data protection method according to claim 4, characterized in that the step of re-encrypting the encrypted data based on the second remainder theorem parameter to obtain the target storage data comprises:

determining a third remainder theorem parameter of the target root firewall based on a third Diophantine equation of the target root firewall;

multiplying the second remainder theorem parameter by the third remainder theorem parameter to obtain a corresponding target remainder theorem parameter;

multiplying the target remainder theorem parameter by the encrypted data to obtain corresponding second data to be processed, and determining firewall signature data of the target root firewall for the second data to be processed;

packaging the firewall signature data and the second data to be processed to obtain the target storage data.

6. The firewall-based critical data protection method according to claim 5, characterized in that, after the firewall signature data and the second data to be processed are packaged to obtain the target storage data, the critical data protection method further comprises:

verifying the firewall signature data in the target storage data;

if the firewall signature data passes verification, determining the data level corresponding to the target storage data, and storing the target storage data in a database of the corresponding level according to the data level;

if the firewall signature data fails verification, re-signing the firewall signature data in the target storage data according to the target root firewall, and verifying the re-signed target storage data.

7. The firewall-based critical data protection method according to any one of claims 1 to 6, characterized in that the step of determining the data to be stored in the data stream based on the signature information of each datum in the data stream comprises:

obtaining a signature list from a database, wherein the signature list contains a plurality of user signature data;

determining whether target signature information exists among the signature information, wherein the target signature information has corresponding user signature data in the signature list;

if the target signature information exists, determining the data corresponding to the target signature information as the data to be stored in the data stream.
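The following is an added, constructed model of the procedure in claims 5 to 7; it is not code from the patent or its assignee. The claims do not define the "Diophantine equation" or "remainder theorem parameter", so this example assumes them to mean a multiplier k that is a unit modulo a shared modulus n, with its inverse obtained by solving k*u + n*v = 1 with the extended Euclidean algorithm; re-encryption is then modular multiplication by the product of the second and third parameters, which stays invertible. Signing is modelled with HMAC-SHA256 under the root firewall's key, the data level is an assumed tag bound into the signature, and the in-memory level databases, the key and the stream items are constructed sample values.

```python
# Added illustration of claims 5-7 of the patent; constructed, not the patent's own code.
# Assumption: a "remainder theorem parameter" is a unit k modulo n whose inverse is
# the Bezout coefficient u of the linear Diophantine equation k*u + n*v = 1.
import hashlib
import hmac


def solve_diophantine(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = solve_diophantine(b, a % b)
    return g, y1, x1 - (a // b) * y1


def remainder_parameter(k, n):
    """Return (k mod n, k^-1 mod n); rejects k that is not a unit modulo n."""
    g, u, _ = solve_diophantine(k % n, n)
    if g != 1:
        raise ValueError("parameter must be coprime to the modulus")
    return k % n, u % n


def reencrypt(cipher_int, second_param, third_param, n):
    """Claim 5: target parameter = second * third; second data = target * cipher (mod n)."""
    target_param = (second_param * third_param) % n
    return (target_param * cipher_int) % n


def undo_reencrypt(second_data, second_inv, third_inv, n):
    """Recover the encrypted data using the inverses supplied by the Diophantine equations."""
    return (second_data * second_inv * third_inv) % n


def sign(key, payload, level):
    """Firewall signature over the packed data and its level tag (HMAC-SHA256, assumed)."""
    return hmac.new(key, payload + bytes([level]), hashlib.sha256).hexdigest()


def package(key, second_data, level):
    """Claim 5: bundle the second data to be processed with the firewall signature."""
    payload = second_data.to_bytes(16, "big")
    return {"payload": payload, "level": level, "firewall_sig": sign(key, payload, level)}


def verify(key, pkg):
    return hmac.compare_digest(sign(key, pkg["payload"], pkg["level"]), pkg["firewall_sig"])


# Constructed stand-in for the per-level databases of claim 6.
DATABASES = {1: [], 2: [], 3: []}


def store_or_resign(key, pkg):
    """Claim 6: verify; store by level on success, re-sign with the root key and re-verify on failure."""
    if verify(key, pkg):
        action = "verified"
    else:
        pkg = dict(pkg, firewall_sig=sign(key, pkg["payload"], pkg["level"]))
        if not verify(key, pkg):
            raise RuntimeError("re-signed data still fails verification")
        action = "resigned"
    DATABASES[pkg["level"]].append(pkg)
    return action, pkg["level"]


def select_to_store(stream, signature_list):
    """Claim 7: keep stream items whose signature info matches a user signature in the list."""
    listed = set(signature_list.values())
    return [data for sig_info, data in stream if sig_info in listed]


if __name__ == "__main__":
    n = 2 ** 61 - 1                                  # constructed prime modulus
    p2, inv2 = remainder_parameter(12345, n)         # regional gateway parameter
    p3, inv3 = remainder_parameter(67890, n)         # root firewall parameter
    second_data = reencrypt(4242, p2, p3, n)
    assert undo_reencrypt(second_data, inv2, inv3, n) == 4242
    key = b"root-firewall-key"                       # constructed
    pkg = package(key, second_data, 2)
    print(store_or_resign(key, pkg))
    print(store_or_resign(key, dict(pkg, firewall_sig="00" * 32)))
    print(select_to_store([("sigA", b"keep"), ("sigZ", b"drop")], {"alice": "sigA"}))
```

The re-sign branch of claim 6 only makes sense when the payload itself is still trusted: re-signing simply replaces a bad signature, so a practitioner would log the failure and check the payload against an independent source before repairing the signature.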
CN202210687289.3A 2022-06-16 2022-06-16 Key data protection method based on firewall Active CN115022066B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210687289.3A CN115022066B (en) 2022-06-16 2022-06-16 Key data protection method based on firewall

Publications (2)

Publication Number Publication Date
CN115022066A CN115022066A (en) 2022-09-06
CN115022066B true CN115022066B (en) 2024-05-10

Family

ID=83075240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210687289.3A Active CN115022066B (en) 2022-06-16 2022-06-16 Key data protection method based on firewall

Country Status (1)

Country Link
CN (1) CN115022066B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115941364A (en) * 2023-03-13 2023-04-07 广东电网有限责任公司 Asset data management method and system based on smart power grid
CN116436703B (en) * 2023-06-13 2023-09-19 广东电网有限责任公司 Financial privacy data management method and system based on smart grid
CN116866091B (en) * 2023-09-05 2023-11-07 中国电子信息产业集团有限公司第六研究所 Firewall protection system, method, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110311785A (en) * 2019-06-10 2019-10-08 平安科技(深圳)有限公司 A kind of Intranet access method and relevant apparatus
CN111897892A (en) * 2020-09-30 2020-11-06 鹏城实验室 Data aggregation method, system and storage medium based on smart grid
CN112364360A (en) * 2020-11-11 2021-02-12 南京信息职业技术学院 Financial data safety management system
CN112631346A (en) * 2020-09-29 2021-04-09 广西大学 Intelligent base station power consumption control system based on block chain

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7051365B1 (en) * 1999-06-30 2006-05-23 At&T Corp. Method and apparatus for a distributed firewall

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110311785A (en) * 2019-06-10 2019-10-08 平安科技(深圳)有限公司 A kind of Intranet access method and relevant apparatus
CN112631346A (en) * 2020-09-29 2021-04-09 广西大学 Intelligent base station power consumption control system based on block chain
CN111897892A (en) * 2020-09-30 2020-11-06 鹏城实验室 Data aggregation method, system and storage medium based on smart grid
CN112364360A (en) * 2020-11-11 2021-02-12 南京信息职业技术学院 Financial data safety management system

Also Published As

Publication number Publication date
CN115022066A (en) 2022-09-06

Similar Documents

Publication Publication Date Title
CN115022066B (en) Key data protection method based on firewall
US10404455B2 (en) Multiple-phase rewritable blockchain
US10348707B2 (en) Rewritable blockchain
CN108810895B (en) Wireless Mesh network identity authentication method based on block chain
CN109428892B (en) Multi-stage rewritable block chain
CN112383391B (en) Data security protection method based on data attribute authorization, storage medium and terminal
CN108092982A (en) A kind of date storage method and system based on alliance's chain
CN118585582A (en) A secure data sharing method and system based on blockchain in smart grid
CN118590303A (en) VPN communication link encryption method, device and medium based on key negotiation
Feng et al. One-stop efficient PKI authentication service model based on blockchain
CN115941364A (en) Asset data management method and system based on smart power grid
Yang et al. New paradigm of inference control with trusted computing
Li et al. Message control for blockchain rewriting
Guo et al. Supply chain optimization: cross-chain data privacy protection scheme based on semi-homomorphic encryption.
Wu et al. A cross-chain privacy protection and key sharing scheme based on relay chain
CN117395034B (en) Block chain user privacy protection method based on trusted computing
Li et al. Trusted Attestation Protocol for Power Internet of Things
CN115396110A (en) A method for verifying the correctness of AI behavior on the blockchain
Wu et al. EMT: Extended Merkle Tree Structure for Inserted Data Redaction in Permissioned Blockchain
Xiang et al. Efficient Batch Authentication Key Agreement Protocol Based on Signatures in Internet of Vehicles
CN118041589A (en) Data encryption method, device and storage medium
Reddy et al. Proof-of-Work for Merkle based Access Tree in Patient Centric Data
CN118802143A (en) Data transmission method, device and electronic equipment
CN118802317A (en) A method for hosting identity information based on trusted digital identity
CN116737735A (en) Data modification method based on alliance chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant