[go: up one dir, main page]

CN117061101A - Key updating method, device, equipment and storage medium - Google Patents

Key updating method, device, equipment and storage medium Download PDF

Info

Publication number
CN117061101A
CN117061101A CN202311000748.7A CN202311000748A CN117061101A CN 117061101 A CN117061101 A CN 117061101A CN 202311000748 A CN202311000748 A CN 202311000748A CN 117061101 A CN117061101 A CN 117061101A
Authority
CN
China
Prior art keywords
key
data
plaintext
database
state
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311000748.7A
Other languages
Chinese (zh)
Inventor
邹奋
周雍恺
袁航
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co Ltd filed Critical China Unionpay Co Ltd
Priority to CN202311000748.7A priority Critical patent/CN117061101A/en
Publication of CN117061101A publication Critical patent/CN117061101A/en
Priority to TW113114289A priority patent/TWI866842B/en
Priority to PCT/CN2024/089196 priority patent/WO2025030923A1/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application provides a key updating method, a device, equipment and a storage medium, relating to the technical field of computers, wherein the method comprises the following steps: the service equipment responds to a state switching operation triggered by the application, a state switching request is sent to the management platform, the management platform replaces an original key with an updated key based on the state switching request, switches a common state strategy into a transitional state strategy and sends the transitional state strategy to the encryption equipment in real time, wherein the transitional state strategy can ensure coexistence of the new key and the old key, so that the encryption equipment can encrypt plaintext data of the application by adopting the updated key and send the obtained ciphertext data to the database. Meanwhile, the service equipment can synchronously bypass to execute batch data processing tasks, refresh stock data in the database, update a secret key in the secret state database and process the stock data under the condition that normal service provision of the application is not affected, and service availability of the application and the database is guaranteed.

Description

一种密钥更新方法、装置、设备及存储介质A key updating method, device, equipment and storage medium

技术领域Technical field

本申请实施例涉及计算机技术领域,尤其涉及一种密钥更新方法、装置、设备及存储介质。The embodiments of the present application relate to the field of computer technology, and in particular, to a key update method, device, equipment and storage medium.

背景技术Background technique

数据作为新生产要素的背景下,安全问题至关重要,重视数据安全已成为世界趋势。对敏感数据加密后传输到数据库中,敏感数据在数据库中以密文的形式存在,即使是数据库特权账户或运维人员也无法在数据库层面接触到明文数据,从而有效保障用户敏感数据的安全。In the context of data as a new factor of production, security issues are of vital importance, and paying attention to data security has become a world trend. Sensitive data is encrypted and then transferred to the database. Sensitive data exists in the form of ciphertext in the database. Even database privileged accounts or operation and maintenance personnel cannot access plaintext data at the database level, thus effectively ensuring the security of user sensitive data.

然而,对敏感数据加密后传输到数据库中保存,以保证敏感数据安全性的情况下,也存在对加密的密钥进行更新的需求。相关技术下,在服务停止后对数据库中的存量数据进行刷新,即,使用旧密钥对存量数据进行解密后再用新密钥加密,存量数据刷新完成后重新启动服务。However, when sensitive data is encrypted and then transferred to the database for storage to ensure the security of the sensitive data, there is also a need to update the encryption key. Under the related technology, the existing data in the database is refreshed after the service is stopped. That is, the existing data is decrypted using the old key and then encrypted with the new key. The service is restarted after the existing data is refreshed.

然而,在存量数据刷新期间,应用无法对外提供服务,并且,在存量数据量较大时,停服的时长也会越长,进而影响应用和数据库的服务可用性。However, during the period of refreshing the existing data, the application cannot provide external services. Moreover, when the amount of existing data is large, the service outage will be longer, which will affect the service availability of the application and database.

发明内容Contents of the invention

本申请实施例提供了一种密钥更新方法、装置、设备及存储介质,用于在不影响应用正常提供服务的情况下,实现数据库中密钥的更新和存量数据处理,保障应用和数据库的服务可用性。Embodiments of the present application provide a key updating method, device, equipment and storage medium, which are used to update the key and process the existing data in the database without affecting the normal provision of services by the application, ensuring the security of the application and the database. Service Availability.

一方面,本申请实施例提供了一种密钥更新方法,应用于服务设备,包括:On the one hand, embodiments of the present application provide a key update method, which is applied to service equipment, including:

响应于针对应用触发的状态切换操作,向管理平台发送状态切换请求,所述状态切换请求用于指示所述管理平台将原始密钥替换为更新密钥;将普通状态策略切换为过渡状态策略,并将所述过渡状态策略下发至加密设备,所述过渡状态策略至少包括:所述原始密钥和所述更新密钥;In response to the state switching operation triggered by the application, send a state switching request to the management platform, the state switching request is used to instruct the management platform to replace the original key with the updated key; switch the ordinary state policy to the transition state policy, And deliver the transition state policy to the encryption device, where the transition state policy at least includes: the original key and the updated key;

将明文数据发送至所述加密设备,以使所述加密设备采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库;Send plaintext data to the encryption device, so that the encryption device uses the update key to encrypt the plaintext data, obtain ciphertext data and send the ciphertext data to the database;

旁路基于所述原始密钥和所述更新密钥,对所述数据库中的存量数据执行密钥刷新操作,获得更新数据。The bypass performs a key refresh operation on the existing data in the database based on the original key and the updated key to obtain updated data.

一方面,本申请实施例提供了一种密钥更新方法,应用于管理平台,包括:On the one hand, embodiments of the present application provide a key update method, which is applied to the management platform, including:

接收服务设备发送的状态切换请求,所述状态切换请求是所述服务设备响应于针对应用触发的状态切换操作发送的;Receive a state switching request sent by the service device, the state switching request being sent by the service device in response to a state switching operation triggered for the application;

基于所述状态切换请求,将原始密钥替换为更新密钥;将普通状态策略切换为过渡状态策略,并将所述过渡状态策略下发至加密设备,所述过渡状态策略至少包括:所述原始密钥和所述更新密钥;以使所述加密设备在接收到所述服务设备发送的明文数据时,采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库;所述数据库中的存量数据由服务设备旁路基于所述原始密钥和所述更新密钥进行密钥刷新操作。Based on the state switching request, replace the original key with the updated key; switch the ordinary state policy to a transition state policy, and deliver the transition state policy to the encryption device, where the transition state policy at least includes: The original key and the updated key; so that when the encryption device receives the plaintext data sent by the service device, it uses the updated key to encrypt the plaintext data, obtains the ciphertext data, and encrypts the plaintext data. The ciphertext data is sent to the database; the existing data in the database is bypassed by the service device to perform a key refresh operation based on the original key and the updated key.

一方面,本申请实施例提供了一种密钥更新方法,应用于加密设备,包括:On the one hand, embodiments of the present application provide a key update method, which is applied to encryption devices, including:

接收管理平台下发的过渡状态策略,所述过渡状态策略至少包括:原始密钥和更新密钥,所述过渡状态策略是所述管理平台接收到服务设备发送的状态切换请求后,将所述原始密钥替换为所述更新密钥,并从普通状态策略切换获得的;Receive the transition state policy issued by the management platform. The transition state policy at least includes: an original key and an update key. The transition state policy is that after the management platform receives the state switching request sent by the service device, The original key is replaced with the updated key and obtained from the normal state policy switch;

接收到所述服务设备发送的明文数据;Receive the plaintext data sent by the service device;

采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库,所述数据库中的存量数据由所述服务设备旁路基于所述原始密钥和所述更新密钥进行密钥刷新操作。The plaintext data is encrypted using the updated key, ciphertext data is obtained and the ciphertext data is sent to a database. The stock data in the database is bypassed by the service device based on the original key and The update key performs a key refresh operation.

一方面,本申请实施例提供了一种密钥更新装置,应用于服务设备,包括:On the one hand, embodiments of the present application provide a key update device, which is applied to service equipment, including:

第一发送模块,用于响应于针对应用触发的状态切换操作,向管理平台发送状态切换请求,所述状态切换请求用于指示所述管理平台将原始密钥替换为更新密钥;将普通状态策略切换为过渡状态策略,并将所述过渡状态策略下发至加密设备,所述过渡状态策略至少包括:所述原始密钥和所述更新密钥;The first sending module is configured to send a state switching request to the management platform in response to the state switching operation triggered by the application. The state switching request is used to instruct the management platform to replace the original key with the updated key; The policy is switched to a transition state policy, and the transition state policy is delivered to the encryption device, where the transition state policy at least includes: the original key and the updated key;

所述第一发送模块,还用于将明文数据发送至所述加密设备,以使所述加密设备采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库;The first sending module is also used to send plaintext data to the encryption device, so that the encryption device uses the updated key to encrypt the plaintext data, obtains ciphertext data, and converts the ciphertext data into Data is sent to the database;

刷新模块,用于旁路基于所述原始密钥和所述更新密钥,对所述数据库中的存量数据执行密钥刷新操作,获得更新数据。A refresh module, configured to perform a key refresh operation on the existing data in the database based on the original key and the update key to obtain updated data.

可选地,所述刷新模块具体用于:Optionally, the refresh module is specifically used for:

旁路采用所述原始密钥对所述存量数据进行解密,获得存量明文数据;The bypass uses the original key to decrypt the existing data to obtain the existing plaintext data;

旁路采用所述更新密钥对所述存量明文数据进行加密,获得所述更新数据。The bypass uses the update key to encrypt the existing plaintext data to obtain the update data.

可选地,所述刷新模块还用于:Optionally, the refresh module is also used to:

旁路基于所述原始密钥和所述更新密钥,对所述数据库中的存量数据执行密钥刷新操作之前,接收所述管理平台下发的存量数据批量处理任务。Based on the original key and the updated key, the bypass receives a batch processing task of the existing data issued by the management platform before performing a key refresh operation on the existing data in the database.

可选地,还包括第一接收模块;Optionally, it also includes a first receiving module;

所述第一发送模块,还用于:The first sending module is also used for:

向所述加密设备发送携带原始查询条件的数据读取请求,其中,所述原始查询条件包括明文查询字段,以使所述加密设备采用所述原始密钥对所述明文查询字段进行加密,获得第一加密字段,以及采用所述更新密钥对所述明文查询字段进行加密,获得第二加密字段,并将包含所述第一加密字段的查询条件与包含所述第二加密字段的查询条件拼接,获得目标查询条件;以及基于所述目标查询条件从所述数据库查询获得密文查询结果集,所述密文查询结果集中包括:通过所述第一加密字段查询获得的第一密文数据,以及通过所述第二加密字段查询获得的第二密文数据;Send a data reading request carrying original query conditions to the encryption device, where the original query conditions include a plaintext query field, so that the encryption device uses the original key to encrypt the plaintext query field, and obtain The first encrypted field, and the update key is used to encrypt the plain text query field to obtain the second encrypted field, and the query conditions containing the first encrypted field and the query conditions containing the second encrypted field are combined Splicing to obtain a target query condition; and querying the database to obtain a ciphertext query result set based on the target query condition, where the ciphertext query result set includes: the first ciphertext data obtained through the first encrypted field query , and the second ciphertext data obtained through the second encrypted field query;

所述第一接收模块,具体用于:The first receiving module is specifically used for:

接收所述加密设备返回的明文查询结果集,所述明文查询结果集包括:采用所述原始密钥对所述第一密文数据解密获得的第一明文数据,以及采用所述更新密钥对所述第二密文数据解密获得的第二明文数据。Receive a plaintext query result set returned by the encryption device. The plaintext query result set includes: the first plaintext data obtained by decrypting the first ciphertext data using the original key, and the updated key pair. The second plaintext data is obtained by decrypting the second ciphertext data.

可选地,所述第一发送模块,还用于:Optionally, the first sending module is also used to:

旁路采用所述更新密钥对所述存量明文数据进行加密,获得所述更新数据之后,响应于针对应用触发的状态恢复操作,向管理平台发送状态恢复请求,所述状态切换请求用于指示所述管理平台将过渡状态策略切换为普通状态策略,并将所述普通状态策略下发至加密设备,所述普通状态策略包括:所述更新密钥。The bypass uses the update key to encrypt the existing plaintext data. After obtaining the update data, in response to the state recovery operation triggered for the application, a state recovery request is sent to the management platform. The state switching request is used to indicate The management platform switches the transition state policy to a common state policy, and delivers the common state policy to the encryption device, where the common state policy includes: the update key.

一方面,本申请实施例提供了一种密钥更新装置,应用于管理平台,包括:On the one hand, embodiments of the present application provide a key update device, which is applied to a management platform and includes:

第二接收模块,用于接收服务设备发送的状态切换请求,所述状态切换请求是所述服务设备响应于针对应用触发的状态切换操作发送的;The second receiving module is configured to receive a state switching request sent by the service device, where the state switching request is sent by the service device in response to a state switching operation triggered for an application;

处理模块,用于基于所述状态切换请求,将原始密钥替换为更新密钥;将普通状态策略切换为过渡状态策略;A processing module, configured to replace the original key with the updated key based on the state switching request; switch the ordinary state policy to the transition state policy;

第二发送模块,用于将所述过渡状态策略下发至加密设备,所述过渡状态策略至少包括:所述原始密钥和所述更新密钥;以使所述加密设备在接收到所述服务设备发送的明文数据时,采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库;所述数据库中的存量数据由服务设备旁路基于所述原始密钥和所述更新密钥进行密钥刷新操作。The second sending module is configured to send the transition state policy to the encryption device. The transition state policy at least includes: the original key and the update key; so that the encryption device receives the When the plaintext data is sent by the service device, the update key is used to encrypt the plaintext data, obtain the ciphertext data and send the ciphertext data to the database; the stock data in the database is bypassed by the service device based on The original key and the updated key perform a key refresh operation.

一方面,本申请实施例提供了一种密钥更新装置,应用于加密设备,包括:On the one hand, embodiments of the present application provide a key update device, which is applied to encryption equipment, including:

第三接收模块,用于接收管理平台下发的过渡状态策略,所述过渡状态策略至少包括:原始密钥和更新密钥,所述过渡状态策略是所述管理平台接收到服务设备发送的状态切换请求后,将所述原始密钥替换为所述更新密钥,并从普通状态策略切换获得的;The third receiving module is used to receive the transition state policy issued by the management platform. The transition state policy at least includes: an original key and an updated key. The transition state policy is a state sent by the management platform after receiving it from the service device. After the switch request, replace the original key with the updated key obtained from the normal state policy switch;

所述第三接收模块,用于接收到所述服务设备发送的明文数据;The third receiving module is used to receive the plaintext data sent by the service device;

加密模块,用于采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库,所述数据库中的存量数据由所述服务设备旁路基于所述原始密钥和所述更新密钥进行密钥刷新操作。An encryption module, configured to encrypt the plaintext data using the update key, obtain ciphertext data, and send the ciphertext data to a database. The stock data in the database is bypassed by the service device based on the The original key and the updated key are used to perform the key refresh operation.

可选地,所述第三接收模块,还用于接收到服务设备发送的携带原始查询条件的数据读取请求,其中,所述原始查询条件包括明文查询字段;Optionally, the third receiving module is also configured to receive a data reading request carrying original query conditions sent by the service device, where the original query conditions include a plain text query field;

所述加密模块,还用于采用所述原始密钥对所述明文查询字段进行加密,获得第一加密字段,以及采用所述更新密钥对所述明文查询字段进行加密,获得第二加密字段,并将包含所述第一加密字段的查询条件与包含所述第二加密字段的查询条件拼接,获得目标查询条件;基于所述目标查询条件从所述数据库查询获得密文查询结果集,所述密文查询结果集中包括:通过所述第一加密字段查询获得的第一密文数据,以及通过所述第二加密字段查询获得的第二密文数据;采用所述原始密钥对所述第一密文数据进行解密获得第一明文数据,以及采用所述更新密钥对所述第二密文数据进行解密获得第二明文数据;将包含所述第一明文数据和所述第二明文数据的明文查询结果集发送至所述服务设备。The encryption module is also configured to use the original key to encrypt the plaintext query field to obtain a first encrypted field, and to use the updated key to encrypt the plaintext query field to obtain a second encrypted field. and splice the query condition including the first encrypted field with the query condition including the second encrypted field to obtain the target query condition; query the ciphertext query result set from the database based on the target query condition, so The ciphertext query result set includes: the first ciphertext data obtained through the first encryption field query, and the second ciphertext data obtained through the second encryption field query; using the original key to Decrypt the first ciphertext data to obtain the first plaintext data, and use the update key to decrypt the second ciphertext data to obtain the second plaintext data; which will include the first plaintext data and the second plaintext data. The clear text query result set of the data is sent to the service device.

一方面,本申请实施例提供了一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时实现上述密钥更新方法的步骤。On the one hand, embodiments of the present application provide a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, the above key update method is implemented. A step of.

一方面,本申请实施例提供了一种计算机可读存储介质,其存储有可由计算机设备执行的计算机程序,当所述程序在计算机设备上运行时,使得所述计算机设备执行上述密钥更新方法的步骤。On the one hand, embodiments of the present application provide a computer-readable storage medium that stores a computer program that can be executed by a computer device. When the program is run on the computer device, it causes the computer device to execute the above key update method. A step of.

本申请实施例中,服务设备响应于针对应用触发的状态切换操作,向管理平台发送状态切换请求,管理平台基于状态切换请求,将原始密钥替换为更新密钥,以及将普通状态策略切换为过渡状态策略,并将过渡状态策略实时下发至加密设备,其中,过渡状态策略可以保证新旧密钥共存,使得加密设备可以采用更新密钥对应用的明文数据进行加密,并将获得的密文数据发送至数据库。同时,服务设备可同步旁路执行批量数据处理任务,对数据库中的存量数据进行刷新,在不影响应用正常提供服务的情况下,实现密态数据库中密钥的更新和存量数据处理,保障应用和数据库的服务可用性。In the embodiment of this application, the service device responds to the state switching operation triggered by the application and sends a state switching request to the management platform. Based on the state switching request, the management platform replaces the original key with an updated key and switches the ordinary state policy to Transition state policy, and deliver the transition state policy to the encryption device in real time. The transition state policy can ensure the coexistence of old and new keys, so that the encryption device can use the updated key to encrypt the application's plaintext data and obtain the ciphertext. Data is sent to the database. At the same time, the service device can synchronize and bypass the execution of batch data processing tasks, refresh the existing data in the database, and realize the update of keys in the dense database and the processing of existing data without affecting the normal service provided by the application, ensuring the application and database service availability.

附图说明Description of the drawings

为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简要介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the following will briefly introduce the drawings needed to describe the embodiments. Obviously, the drawings in the following description are only some embodiments of the present invention. Those of ordinary skill in the art can also obtain other drawings based on these drawings without exerting any creative effort.

图1为本申请实施例提供的一种系统架构的结构示意图;Figure 1 is a schematic structural diagram of a system architecture provided by an embodiment of the present application;

图2为本申请实施例提供的一种密钥更新方法的流程示意图;Figure 2 is a schematic flow chart of a key update method provided by an embodiment of the present application;

图3为本申请实施例提供的一种状态恢复方法的流程示意图;Figure 3 is a schematic flow chart of a state recovery method provided by an embodiment of the present application;

图4为本申请实施例提供的一种密钥更新装置的流程示意图;Figure 4 is a schematic flow chart of a key update device provided by an embodiment of the present application;

图5为本申请实施例提供的一种密钥更新装置的流程示意图;Figure 5 is a schematic flow chart of a key update device provided by an embodiment of the present application;

图6为本申请实施例提供的一种密钥更新装置的流程示意图;Figure 6 is a schematic flow chart of a key update device provided by an embodiment of the present application;

图7为本申请实施例提供的一种计算机设备的结构示意图。Figure 7 is a schematic structural diagram of a computer device provided by an embodiment of the present application.

具体实施方式Detailed ways

为了使本发明的目的、技术方案及有益效果更加清楚明白,以下结合附图及实施例,对本发明进行进一步详细说明。应当理解,此处所描述的具体实施例仅仅用以解释本发明,并不用于限定本发明。In order to make the purpose, technical solutions and beneficial effects of the present invention more clear, the present invention will be further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit the present invention.

参考图1,其为本申请实施例适用的一种系统架构图,该系统架构至少包括服务设备101、管理平台102、加密设备103和数据库104,其中,管理平台102和加密设备103可以是两个独立的设备,也可以集成在一个设备中,对此,本申请不做具体限定。Refer to Figure 1, which is a system architecture diagram applicable to the embodiment of the present application. The system architecture at least includes a service device 101, a management platform 102, an encryption device 103 and a database 104. The management platform 102 and the encryption device 103 can be two An independent device can also be integrated into one device, which is not specifically limited in this application.

管理平台102包括密钥管理模块和策略管理模块,密钥管理模块用于密钥管理,策略管理模块用于管理加解密策略。The management platform 102 includes a key management module and a policy management module. The key management module is used for key management, and the policy management module is used for managing encryption and decryption policies.

服务设备101和管理平台102可以是独立的物理服务器,也可以是多个物理服务器构成的服务器集群或者分布式系统,还可以是提供云服务、云数据库、云计算、云函数、云存储、网络服务、云通信、中间件服务、域名服务、安全服务、内容分发网络(Content DeliveryNetwork,CDN)、以及大数据和人工智能平台等基础云计算服务的云服务器。服务设备101与管理平台102可以通过有线或无线通信方式进行直接或间接地连接,本申请在此不做限制。The service device 101 and the management platform 102 can be independent physical servers, or a server cluster or distributed system composed of multiple physical servers, or they can provide cloud services, cloud databases, cloud computing, cloud functions, cloud storage, and networks. Services, cloud communications, middleware services, domain name services, security services, content delivery network (Content Delivery Network, CDN), and cloud servers for basic cloud computing services such as big data and artificial intelligence platforms. The service device 101 and the management platform 102 can be connected directly or indirectly through wired or wireless communication methods, which is not limited in this application.

加密设备103前置于数据库104,服务设备101的明文数据在存入数据库104之前,需要经过加密设备103进行加密,即数据库104中保存的是密文数据,因此,数据库104也可以称之为密态数据库。The encryption device 103 is placed in front of the database 104. Before the plaintext data of the service device 101 is stored in the database 104, it needs to be encrypted by the encryption device 103. That is, the database 104 stores ciphertext data. Therefore, the database 104 can also be called Dense database.

基于图1所示的系统架构图,本申请实施例提供了一种密钥更新方法的流程,如图2所示,该方法的流程由服务设备、管理平台、加密设备和数据库交互执行,包括以下步骤:Based on the system architecture diagram shown in Figure 1, the embodiment of the present application provides a process of a key update method, as shown in Figure 2. The process of the method is interactively executed by the service device, the management platform, the encryption device and the database, including Following steps:

步骤S201,服务设备响应于针对应用触发的状态切换操作,向管理平台发送状态切换请求。Step S201: The service device responds to the state switching operation triggered by the application and sends a state switching request to the management platform.

具体地,服务设备上的应用登录管理平台,应用从普通状态切换至过渡状态时,服务设备向管理平台发送状态切换请求。Specifically, the application on the service device logs in to the management platform. When the application switches from the normal state to the transition state, the service device sends a state switching request to the management platform.

步骤S202,管理平台基于状态切换请求,将原始密钥替换为更新密钥,以及将普通状态策略切换为过渡状态策略。Step S202: Based on the state switching request, the management platform replaces the original key with the updated key, and switches the ordinary state policy to the transition state policy.

具体地,管理平台包括密钥管理模块和策略管理模块。管理平台接收到状态切换请求时,密钥管理模块将原始密钥替换为更新密钥,然后触发策略管理模块从普通状态策略切换为过渡状态策略,其中,普通状态策略包括更新密钥,过渡状态策略包括:原始密钥和更新密钥,例如key:keyID1|keyID2。普通状态策略和过渡状态策略各自除了包含密钥之外,还包括其他策略信息,比如应用所需加密的数据库、表、字段等信息。Specifically, the management platform includes a key management module and a policy management module. When the management platform receives the state switching request, the key management module replaces the original key with the updated key, and then triggers the policy management module to switch from the ordinary state policy to the transition state policy, where the ordinary state policy includes the update key, the transition state The policy includes: original key and updated key, such as key: keyID1|keyID2. In addition to the key, the normal state policy and the transition state policy each include other policy information, such as databases, tables, fields and other information required for encryption by the application.

步骤S203,管理平台将过渡状态策略下发至加密设备。Step S203: The management platform delivers the transition state policy to the encryption device.

具体地,加密设备接收到过渡状态策略后,也从普通状态策略切换为过渡状态策略。Specifically, after receiving the transition state policy, the encryption device also switches from the normal state policy to the transition state policy.

步骤S204,加密设备接收到服务设备发送的明文数据。Step S204: The encryption device receives the plaintext data sent by the service device.

步骤S205,加密设备采用更新密钥对明文数据进行加密,获得密文数据。Step S205: The encryption device uses the updated key to encrypt the plaintext data to obtain ciphertext data.

具体地,明文数据即应用需要新写进数据库的数据;加密设备采用新密钥对明文数据进行加密,获得密文数据。Specifically, the plaintext data is the data that the application needs to newly write into the database; the encryption device uses the new key to encrypt the plaintext data to obtain the ciphertext data.

步骤S206,加密设备将密文数据发送至数据库。Step S206: The encryption device sends the ciphertext data to the database.

步骤S207,服务设备旁路基于原始密钥和更新密钥,对数据库中的存量数据执行密钥刷新操作,获得更新数据。Step S207: The service device bypass performs a key refresh operation on the existing data in the database based on the original key and the updated key to obtain updated data.

本申请实施例中,服务设备响应于针对应用触发的状态切换操作,向管理平台发送状态切换请求,管理平台基于状态切换请求,将原始密钥替换为更新密钥,以及将普通状态策略切换为过渡状态策略,并将过渡状态策略实时下发至加密设备,其中,过渡状态策略可以保证新旧密钥共存,使得加密设备可以采用更新密钥对应用的明文数据进行加密,并将获得的密文数据发送至数据库。同时,服务设备可同步旁路执行批量数据处理任务,对数据库中的存量数据进行刷新,在不影响应用正常提供服务的情况下,实现密态数据库中密钥的更新和存量数据处理,保障应用和数据库的服务可用性。In the embodiment of this application, the service device responds to the state switching operation triggered by the application and sends a state switching request to the management platform. Based on the state switching request, the management platform replaces the original key with an updated key and switches the ordinary state policy to Transition state policy, and deliver the transition state policy to the encryption device in real time. The transition state policy can ensure the coexistence of old and new keys, so that the encryption device can use the updated key to encrypt the application's plaintext data and obtain the ciphertext. Data is sent to the database. At the same time, the service device can synchronize and bypass the execution of batch data processing tasks, refresh the existing data in the database, and realize the update of keys in the dense database and the processing of existing data without affecting the normal service provided by the application, ensuring the application and database service availability.

在一些实施例中,服务设备向加密设备发送携带原始查询条件的数据读取请求,其中,原始查询条件包括明文查询字段。加密设备采用原始密钥对明文查询字段进行加密,获得第一加密字段,以及采用更新密钥对明文查询字段进行加密,获得第二加密字段,并将包含第一加密字段的查询条件与包含第二加密字段的查询条件拼接,获得目标查询条件。In some embodiments, the service device sends a data read request carrying original query conditions to the encryption device, where the original query conditions include a plaintext query field. The encryption device uses the original key to encrypt the plaintext query field to obtain the first encrypted field, and uses the updated key to encrypt the plaintext query field to obtain the second encrypted field, and compares the query condition containing the first encrypted field with the query condition containing the first encrypted field. The query conditions of the two encrypted fields are spliced together to obtain the target query conditions.

基于目标查询条件从数据库查询获得密文查询结果集,密文查询结果集中包括:通过第一加密字段查询获得的第一密文数据,以及通过第二加密字段查询获得的第二密文数据;采用原始密钥对第一密文数据进行解密获得第一明文数据,以及采用更新密钥对第二密文数据进行解密获得第二明文数据;将包含第一明文数据和第二明文数据的明文查询结果集发送至服务设备。The ciphertext query result set is obtained from the database query based on the target query conditions. The ciphertext query result set includes: the first ciphertext data obtained through the first encrypted field query, and the second ciphertext data obtained through the second encrypted field query; Use the original key to decrypt the first ciphertext data to obtain the first plaintext data, and use the updated key to decrypt the second ciphertext data to obtain the second plaintext data; convert the plaintext containing the first plaintext data and the second plaintext data The query result set is sent to the service device.

具体地,在过渡状态下,数据库中不仅包含采用更新密钥加密的新数据,还包括采用原始密钥加密的存量数据。为了保证数据查询结果的完整性,采用解析器对原始查询条件(即原始查询语句)进行改写,即采用原始密钥对明文查询字段进行加密,获得第一加密字段,以及采用更新密钥对明文查询字段进行加密,获得第二加密字段,并将包含第一加密字段的查询条件与包含第二加密字段的查询条件拼接,获得目标查询条件(即目标查询语句),使用目标查询条件进行数据查询时,可查询到密钥变更前后的全部密文数据,对全部密文数据解密获得全部明文数据,再将全部明文数据发送至服务设备。Specifically, in the transition state, the database contains not only new data encrypted with the updated key, but also existing data encrypted with the original key. In order to ensure the integrity of the data query results, a parser is used to rewrite the original query conditions (i.e., the original query statement), that is, the original key is used to encrypt the plaintext query field, the first encrypted field is obtained, and the update key is used to encrypt the plaintext The query field is encrypted to obtain the second encrypted field, and the query condition containing the first encrypted field is spliced with the query condition containing the second encrypted field to obtain the target query condition (i.e., the target query statement), and the target query condition is used for data query At this time, all ciphertext data before and after the key change can be queried, all ciphertext data can be decrypted to obtain all plaintext data, and then all plaintext data can be sent to the service device.

举例来说,设定原始密钥为密钥1,更新密钥为密钥2,原始查询语句为:“select*from table_A where name=张三”,即原始查询语句中包括:明文字段“张三”。加密设备中的SQL解析器采用密钥1对明文字段“张三”进行加密获得密文1;然后采用密钥2对明文字段“张三”进行加密获得密文2。SQL解析器使用union语句将包含密文1的查询语句和包含密文2的查询语句进行拼接,获得目标查询语句:“select*from table_A where name=密文1union(select*from table_A where name=密文2)”。For example, set the original key to key 1, the update key to key 2, and the original query statement is: "select*from table_A where name=Zhang San", that is, the original query statement includes: the plain text field "Zhang San" three". The SQL parser in the encryption device uses key 1 to encrypt the plaintext field "Zhang San" to obtain ciphertext 1; then uses key 2 to encrypt the plaintext field "Zhang San" to obtain ciphertext 2. The SQL parser uses the union statement to splice the query statement containing ciphertext 1 and the query statement containing ciphertext 2 to obtain the target query statement: "select*from table_A where name=ciphertext1union(select*from table_A where name=ciphertext Text 2)".

在一些实施例中,管理平台将普通状态策略切换为过渡状态策略之后,创建存量数据批量处理任务,然后将存量数据批量处理任务下发至服务设备。服务设备旁路采用原始密钥对存量数据进行解密,获得存量明文数据;旁路采用更新密钥对存量明文数据进行加密,获得更新数据。In some embodiments, after the management platform switches the normal state policy to the transition state policy, it creates a batch processing task of existing data, and then delivers the batch processing task of existing data to the service device. The service device bypass uses the original key to decrypt the existing data and obtains the existing plain text data; the bypass uses the updated key to encrypt the existing plain text data and obtains the updated data.

在实际应用中,服务设备批量读取数据库中存量数据,使用原始密钥对存量数据进行解密,然后采用更新密钥对存量明文数据进行加密,并将获得的更新数据重新写入的数据库中。在密钥刷新的过程中,通过控制参数(如并发数、批量处理的数据量)将数据库的压力控制在适当的范围,从而不会影响应用正常提供服务。存量数据刷新完成后,存量数据批量处理任务终止,数据库中均为使用更新密钥加密的密文数据。In practical applications, the service device reads the existing data in the database in batches, uses the original key to decrypt the existing data, then uses the update key to encrypt the existing plaintext data, and rewrites the obtained updated data into the database. During the key refresh process, the pressure on the database is controlled within an appropriate range by controlling parameters (such as the number of concurrencies and the amount of data processed in batches), so that it will not affect the application's normal service provision. After the existing data is refreshed, the existing data batch processing task is terminated, and the database contains ciphertext data encrypted with the update key.

在一些实施例中,存量数据刷新完成后,应用恢复到普通状态,加解密策略也相应更新,参见图3,包括以下步骤:In some embodiments, after the inventory data is refreshed, the application returns to the normal state, and the encryption and decryption policies are updated accordingly. See Figure 3, which includes the following steps:

步骤S301,服务设备响应于针对应用触发的状态恢复操作,向管理平台发送状态恢复请求。Step S301: The service device responds to the state recovery operation triggered by the application and sends a state recovery request to the management platform.

步骤S302,管理平台基于状态恢复请求,将过渡状态策略切换为普通状态策略。Step S302: The management platform switches the transition state policy to the normal state policy based on the state recovery request.

步骤S303,管理平台将普通状态策略下发至加密设备。Step S303: The management platform delivers the normal state policy to the encryption device.

普通状态策略包括:更新密钥。Common state policies include: Update keys.

步骤S304,加密设备接收到服务设备发送的明文数据。Step S304: The encryption device receives the plaintext data sent by the service device.

步骤S305,加密设备采用更新密钥对明文数据进行加密,获得密文数据。Step S305: The encryption device uses the updated key to encrypt the plaintext data to obtain ciphertext data.

步骤S306,加密设备将密文数据发送至数据库。Step S306: The encryption device sends the ciphertext data to the database.

具体地,存量数据处理完成后,应用恢复普通运行状态,管理平台的加解密策略切换回普通状态策略(普通状态策略中的密钥只包含更新密钥),管理平台实时将加解密策略下发到加密设备。Specifically, after the existing data processing is completed, the application returns to the normal running state, the encryption and decryption policy of the management platform switches back to the normal state policy (the key in the normal state policy only contains the update key), and the management platform issues the encryption and decryption policy in real time. to the encryption device.

本申请实施例中,服务设备同步旁路执行批量数据处理任务,对数据库中的存量数据进行刷新,并在刷新结束后,恢复到普通状态,实现在不影响应用正常提供服务的情况下,对密态数据库中密钥的更新和存量数据处理,保障应用和数据库的服务可用性。In the embodiment of this application, the service device performs batch data processing tasks in synchronous bypass, refreshes the existing data in the database, and returns to the normal state after the refresh is completed, so as to realize the normal service provision of the application without affecting the application. Update keys and process existing data in dense databases to ensure the service availability of applications and databases.

基于相同的技术构思,本申请实施例提供了一种密钥更新装置的结构示意图,应用于服务设备,如图4所示,该装置400包括:Based on the same technical concept, the embodiment of the present application provides a schematic structural diagram of a key update device, which is applied to service equipment. As shown in Figure 4, the device 400 includes:

第一发送模块401,用于响应于针对应用触发的状态切换操作,向管理平台发送状态切换请求,所述状态切换请求用于指示所述管理平台将原始密钥替换为更新密钥;将普通状态策略切换为过渡状态策略,并将所述过渡状态策略下发至加密设备,所述过渡状态策略至少包括:所述原始密钥和所述更新密钥;The first sending module 401 is configured to send a state switching request to the management platform in response to the state switching operation triggered by the application. The state switching request is used to instruct the management platform to replace the original key with the updated key; replace the ordinary key with the updated key. The state policy is switched to a transition state policy, and the transition state policy is delivered to the encryption device, where the transition state policy at least includes: the original key and the updated key;

所述第一发送模块401,还用于将明文数据发送至所述加密设备,以使所述加密设备采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库;The first sending module 401 is also used to send plaintext data to the encryption device, so that the encryption device uses the update key to encrypt the plaintext data, obtains ciphertext data, and encrypts the ciphertext data. Send text data to the database;

刷新模块402,用于旁路基于所述原始密钥和所述更新密钥,对所述数据库中的存量数据执行密钥刷新操作,获得更新数据。The refresh module 402 is configured to bypass and perform a key refresh operation on the existing data in the database based on the original key and the update key to obtain updated data.

可选地,所述刷新模块402具体用于:Optionally, the refresh module 402 is specifically used to:

旁路采用所述原始密钥对所述存量数据进行解密,获得存量明文数据;The bypass uses the original key to decrypt the existing data to obtain the existing plaintext data;

旁路采用所述更新密钥对所述存量明文数据进行加密,获得所述更新数据。The bypass uses the update key to encrypt the existing plaintext data to obtain the update data.

可选地,所述刷新模块402还用于:Optionally, the refresh module 402 is also used to:

旁路基于所述原始密钥和所述更新密钥,对所述数据库中的存量数据执行密钥刷新操作之前,接收所述管理平台下发的存量数据批量处理任务。Based on the original key and the updated key, the bypass receives a batch processing task of the existing data issued by the management platform before performing a key refresh operation on the existing data in the database.

可选地,还包括第一接收模块403;Optionally, it also includes a first receiving module 403;

所述第一发送模块401,还用于:The first sending module 401 is also used to:

向所述加密设备发送携带原始查询条件的数据读取请求,其中,所述原始查询条件包括明文查询字段,以使所述加密设备采用所述原始密钥对所述明文查询字段进行加密,获得第一加密字段,以及采用所述更新密钥对所述明文查询字段进行加密,获得第二加密字段,并将包含所述第一加密字段的查询条件与包含所述第二加密字段的查询条件拼接,获得目标查询条件;以及基于所述目标查询条件从所述数据库查询获得密文查询结果集,所述密文查询结果集中包括:通过所述第一加密字段查询获得的第一密文数据,以及通过所述第二加密字段查询获得的第二密文数据;Send a data reading request carrying original query conditions to the encryption device, where the original query conditions include a plaintext query field, so that the encryption device uses the original key to encrypt the plaintext query field, and obtain The first encrypted field, and the update key is used to encrypt the plain text query field to obtain the second encrypted field, and the query conditions containing the first encrypted field and the query conditions containing the second encrypted field are combined Splicing to obtain a target query condition; and querying the database to obtain a ciphertext query result set based on the target query condition, where the ciphertext query result set includes: the first ciphertext data obtained through the first encrypted field query , and the second ciphertext data obtained through the second encrypted field query;

所述第一接收模块403,具体用于:The first receiving module 403 is specifically used for:

接收所述加密设备返回的明文查询结果集,所述明文查询结果集包括:采用所述原始密钥对所述第一密文数据解密获得的第一明文数据,以及采用所述更新密钥对所述第二密文数据解密获得的第二明文数据。Receive a plaintext query result set returned by the encryption device. The plaintext query result set includes: the first plaintext data obtained by decrypting the first ciphertext data using the original key, and the updated key pair. The second plaintext data is obtained by decrypting the second ciphertext data.

可选地,所述第一发送模块401,还用于:Optionally, the first sending module 401 is also used to:

旁路采用所述更新密钥对所述存量明文数据进行加密,获得所述更新数据之后,响应于针对应用触发的状态恢复操作,向管理平台发送状态恢复请求,所述状态切换请求用于指示所述管理平台将过渡状态策略切换为普通状态策略,并将所述普通状态策略下发至加密设备,所述普通状态策略包括:所述更新密钥。The bypass uses the update key to encrypt the existing plaintext data. After obtaining the update data, in response to the state recovery operation triggered for the application, a state recovery request is sent to the management platform. The state switching request is used to indicate The management platform switches the transition state policy to a common state policy, and delivers the common state policy to the encryption device, where the common state policy includes: the update key.

基于相同的技术构思,本申请实施例提供了一种密钥更新装置的结构示意图,应用于管理平台,如图5所示,该装置500包括:Based on the same technical concept, the embodiment of the present application provides a schematic structural diagram of a key update device, which is applied to the management platform. As shown in Figure 5, the device 500 includes:

第二接收模块501,用于接收服务设备发送的状态切换请求,所述状态切换请求是所述服务设备响应于针对应用触发的状态切换操作发送的;The second receiving module 501 is configured to receive a state switching request sent by the service device, where the state switching request is sent by the service device in response to a state switching operation triggered for an application;

处理模块502,用于基于所述状态切换请求,将原始密钥替换为更新密钥;将普通状态策略切换为过渡状态策略;The processing module 502 is configured to replace the original key with the updated key based on the state switching request; switch the ordinary state policy to the transition state policy;

第二发送模块503,用于将所述过渡状态策略下发至加密设备,所述过渡状态策略至少包括:所述原始密钥和所述更新密钥;以使所述加密设备在接收到所述服务设备发送的明文数据时,采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库;所述数据库中的存量数据由服务设备旁路基于所述原始密钥和所述更新密钥进行密钥刷新操作。The second sending module 503 is configured to send the transition state policy to the encryption device. The transition state policy at least includes: the original key and the update key; so that the encryption device receives the When the plaintext data is sent by the service device, the plaintext data is encrypted using the update key, the ciphertext data is obtained, and the ciphertext data is sent to the database; the existing data in the database is bypassed by the service device A key refresh operation is performed based on the original key and the updated key.

基于相同的技术构思,本申请实施例提供了一种密钥更新装置的结构示意图,应用于加密设备,如图6所示,该装置600包括:Based on the same technical concept, the embodiment of the present application provides a schematic structural diagram of a key update device, which is applied to encryption equipment. As shown in Figure 6, the device 600 includes:

第三接收模块601,用于接收管理平台下发的过渡状态策略,所述过渡状态策略至少包括:原始密钥和更新密钥,所述过渡状态策略是所述管理平台接收到服务设备发送的状态切换请求后,将所述原始密钥替换为所述更新密钥,并从普通状态策略切换获得的;The third receiving module 601 is used to receive the transition state policy issued by the management platform. The transition state policy at least includes: the original key and the updated key. The transition state policy is the management platform receiving the transition state policy sent by the service device. After the state switch request, replace the original key with the updated key obtained from the ordinary state policy switch;

所述第三接收模块601,用于接收到所述服务设备发送的明文数据;The third receiving module 601 is used to receive the plaintext data sent by the service device;

加密模块602,用于采用所述更新密钥对所述明文数据进行加密,获得密文数据并将所述密文数据发送至数据库,所述数据库中的存量数据由所述服务设备旁路基于所述原始密钥和所述更新密钥进行密钥刷新操作。The encryption module 602 is configured to encrypt the plaintext data using the update key, obtain ciphertext data, and send the ciphertext data to a database. The stock data in the database is bypassed by the service device based on The original key and the updated key perform a key refresh operation.

可选地,所述第三接收模块601,还用于接收到服务设备发送的携带原始查询条件的数据读取请求,其中,所述原始查询条件包括明文查询字段;Optionally, the third receiving module 601 is also configured to receive a data reading request carrying original query conditions sent by the service device, where the original query conditions include a plain text query field;

所述加密模块602,还用于采用所述原始密钥对所述明文查询字段进行加密,获得第一加密字段,以及采用所述更新密钥对所述明文查询字段进行加密,获得第二加密字段,并将包含所述第一加密字段的查询条件与包含所述第二加密字段的查询条件拼接,获得目标查询条件;基于所述目标查询条件从所述数据库查询获得密文查询结果集,所述密文查询结果集中包括:通过所述第一加密字段查询获得的第一密文数据,以及通过所述第二加密字段查询获得的第二密文数据;采用所述原始密钥对所述第一密文数据进行解密获得第一明文数据,以及采用所述更新密钥对所述第二密文数据进行解密获得第二明文数据;将包含所述第一明文数据和所述第二明文数据的明文查询结果集发送至所述服务设备。The encryption module 602 is also configured to use the original key to encrypt the plaintext query field to obtain a first encrypted field, and to use the updated key to encrypt the plaintext query field to obtain a second encrypted field. field, and splice the query condition including the first encrypted field with the query condition including the second encrypted field to obtain the target query condition; query the ciphertext query result set from the database based on the target query condition, The ciphertext query result set includes: the first ciphertext data obtained through the first encryption field query, and the second ciphertext data obtained through the second encryption field query; using the original key pair Decrypt the first ciphertext data to obtain the first plaintext data, and use the update key to decrypt the second ciphertext data to obtain the second plaintext data; including the first plaintext data and the second plaintext data. The plaintext query result set of plaintext data is sent to the service device.

本申请实施例中,服务设备响应于针对应用触发的状态切换操作,向管理平台发送状态切换请求,管理平台基于状态切换请求,将原始密钥替换为更新密钥,以及将普通状态策略切换为过渡状态策略,并将过渡状态策略实时下发至加密设备,其中,过渡状态策略可以保证新旧密钥共存,使得加密设备可以采用更新密钥对应用的明文数据进行加密,并将获得的密文数据发送至数据库。同时,服务设备可同步旁路执行批量数据处理任务,对数据库中的存量数据进行刷新,在不影响应用正常提供服务的情况下,实现密态数据库中密钥的更新和存量数据处理,保障应用和数据库的服务可用性。In the embodiment of this application, the service device responds to the state switching operation triggered by the application and sends a state switching request to the management platform. Based on the state switching request, the management platform replaces the original key with an updated key and switches the ordinary state policy to Transition state policy, and deliver the transition state policy to the encryption device in real time. The transition state policy can ensure the coexistence of old and new keys, so that the encryption device can use the updated key to encrypt the application's plaintext data and obtain the ciphertext. Data is sent to the database. At the same time, the service device can synchronize and bypass the execution of batch data processing tasks, refresh the existing data in the database, and realize the update of keys in the dense database and the processing of existing data without affecting the normal service provided by the application, ensuring the application and database service availability.

基于相同的技术构思,本申请实施例提供了一种计算机设备,该计算机设备可以是图7所示的服务设备、管理平台、加密设备中的至少一个,如图7所示,包括至少一个处理器701,以及与至少一个处理器连接的存储器702,本申请实施例中不限定处理器701与存储器702之间的具体连接介质,图7中处理器701和存储器702之间通过总线连接为例。总线可以分为地址总线、数据总线、控制总线等。Based on the same technical concept, embodiments of the present application provide a computer device. The computer device may be at least one of the service device, management platform, and encryption device shown in Figure 7. As shown in Figure 7, it includes at least one process The processor 701 and the memory 702 connected to at least one processor. The specific connection medium between the processor 701 and the memory 702 is not limited in the embodiment of this application. In Figure 7, the processor 701 and the memory 702 are connected through a bus as an example. . The bus can be divided into address bus, data bus, control bus, etc.

在本申请实施例中,存储器702存储有可被至少一个处理器701执行的指令,至少一个处理器701通过执行存储器702存储的指令,可以执行上述密钥更新方法的步骤。In this embodiment of the present application, the memory 702 stores instructions that can be executed by at least one processor 701. At least one processor 701 can execute the steps of the above key update method by executing the instructions stored in the memory 702.

其中,处理器701是计算机设备的控制中心,可以利用各种接口和线路连接计算机设备的各个部分,通过运行或执行存储在存储器702内的指令以及调用存储在存储器702内的数据,从而实现密钥更新。可选的,处理器701可包括一个或多个处理单元,处理器701可集成应用处理器和调制解调处理器,其中,应用处理器主要处理操作系统、用户界面和应用程序等,调制解调处理器主要处理无线通信。可以理解的是,上述调制解调处理器也可以不集成到处理器701中。在一些实施例中,处理器701和存储器702可以在同一芯片上实现,在一些实施例中,它们也可以在独立的芯片上分别实现。Among them, the processor 701 is the control center of the computer equipment. It can use various interfaces and lines to connect various parts of the computer equipment, and implement encryption by running or executing instructions stored in the memory 702 and calling data stored in the memory 702. Key update. Optionally, the processor 701 may include one or more processing units. The processor 701 may integrate an application processor and a modem processor. The application processor mainly processes the operating system, user interface, application programs, etc., and the modem processor The debug processor mainly handles wireless communications. It can be understood that the above-mentioned modem processor may not be integrated into the processor 701. In some embodiments, the processor 701 and the memory 702 can be implemented on the same chip, and in some embodiments, they can also be implemented on separate chips.

处理器701可以是通用处理器,例如中央处理器(CPU)、数字信号处理器、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件,可以实现或者执行本申请实施例中公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。The processor 701 may be a general processor, such as a central processing unit (CPU), a digital signal processor, an application specific integrated circuit (ASIC), a field programmable gate array or other programmable logic devices, discrete gates or transistors. Logic devices and discrete hardware components can implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor, etc. The steps of the methods disclosed in conjunction with the embodiments of the present application can be directly implemented by a hardware processor for execution, or can be executed by a combination of hardware and software modules in the processor.

存储器702作为一种非易失性计算机可读存储介质,可用于存储非易失性软件程序、非易失性计算机可执行程序以及模块。存储器702可以包括至少一种类型的存储介质,例如可以包括闪存、硬盘、多媒体卡、卡型存储器、随机访问存储器(Random AccessMemory,RAM)、静态随机访问存储器(Static Random Access Memory,SRAM)、可编程只读存储器(Programmable Read Only Memory,PROM)、只读存储器(Read Only Memory,ROM)、带电可擦除可编程只读存储器(Electrically Erasable Programmable Read-Only Memory,EEPROM)、磁性存储器、磁盘、光盘等等。存储器702是能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机设备存取的任何其他介质,但不限于此。本申请实施例中的存储器702还可以是电路或者其它任意能够实现存储功能的装置,用于存储程序指令和/或数据。As a non-volatile computer-readable storage medium, the memory 702 can be used to store non-volatile software programs, non-volatile computer executable programs and modules. The memory 702 may include at least one type of storage medium, for example, may include flash memory, hard disk, multimedia card, card-type memory, random access memory (Random Access Memory, RAM), static random access memory (Static Random Access Memory, SRAM), Programmable Read Only Memory (PROM), Read Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), magnetic memory, disk, CDs etc. Memory 702 is, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer device. The memory 702 in the embodiment of the present application can also be a circuit or any other device capable of realizing a storage function, used to store program instructions and/or data.

基于同一发明构思,本申请实施例提供了一种计算机可读存储介质,其存储有可由计算机设备执行的计算机程序,当程序在计算机设备上运行时,使得计算机设备执行上述密钥更新方法的步骤。Based on the same inventive concept, embodiments of the present application provide a computer-readable storage medium that stores a computer program that can be executed by a computer device. When the program is run on the computer device, the computer device is caused to perform the steps of the above key update method. .

本领域内的技术人员应明白,本发明的实施例可提供为方法、或计算机程序产品。因此,本发明可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art will understand that embodiments of the present invention may be provided as methods, or computer program products. Thus, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机设备或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each process and/or block in the flowchart illustrations and/or block diagrams, and combinations of processes and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer device or other programmable data processing device produce Means for implementing the functions specified in a process or processes of a flowchart and/or a block or blocks of a block diagram.

这些计算机程序指令也可存储在能引导计算机设备或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory that causes a computer device or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction means, The instruction means implements the functions specified in a process or processes of the flowchart and/or a block or blocks of the block diagram.

这些计算机程序指令也可装载到计算机设备或其他可编程数据处理设备上,使得在计算机设备或其他可编程设备上执行一系列操作步骤以产生计算机设备实现的处理,从而在计算机设备或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions may also be loaded onto a computer device or other programmable data processing device, such that a series of operating steps are performed on the computer device or other programmable device to produce processing implemented by the computer device, thereby causing the computer device or other programmable data processing device to perform a process on the computer device or other programmable data processing device. The instructions executed on the device provide steps for implementing the functions specified in the process or processes of the flow diagrams and/or the block or blocks of the block diagrams.

尽管已描述了本发明的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例作出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本发明范围的所有变更和修改。Although the preferred embodiments of the present invention have been described, those skilled in the art will be able to make additional changes and modifications to these embodiments once the basic inventive concepts are apparent. Therefore, it is intended that the appended claims be construed to include the preferred embodiments and all changes and modifications that fall within the scope of the invention.

显然,本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样,倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内,则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the invention. In this way, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims (13)

1. A key updating method applied to a service device, comprising:
responding to a state switching operation triggered by aiming at an application, and sending a state switching request to a management platform, wherein the state switching request is used for indicating the management platform to replace an original key with an updated key; switching the common state strategy into a transitional state strategy, and issuing the transitional state strategy to the encryption equipment, wherein the transitional state strategy at least comprises: the original key and the updated key;
the plaintext data is sent to the encryption equipment, so that the encryption equipment encrypts the plaintext data by adopting the updated secret key to obtain ciphertext data and sends the ciphertext data to a database;
and bypassing the key refreshing operation on the stock data in the database based on the original key and the updated key to obtain updated data.
2. The method of claim 1, wherein the bypassing, based on the original key and the updated key, performs a key refresh operation on the stock data in the database, comprising:
the bypass adopts the original secret key to decrypt the stock data to obtain stock plaintext data;
and the bypass adopts the updating key to encrypt the stock plaintext data to obtain the updating data.
3. The method of claim 1, wherein the bypass further comprises, prior to performing a key refresh operation on the stock data in the database based on the original key and the updated key:
and receiving the batch processing task of the stock data issued by the management platform.
4. The method as recited in claim 1, further comprising:
sending a data reading request carrying an original query condition to the encryption equipment, wherein the original query condition comprises a plaintext query field, so that the encryption equipment encrypts the plaintext query field by adopting the original key to obtain a first encryption field, encrypts the plaintext query field by adopting the updated key to obtain a second encryption field, and splices the query condition containing the first encryption field with the query condition containing the second encryption field to obtain a target query condition; and obtaining a ciphertext query result set from the database query based on the target query condition, the ciphertext query result set comprising: first ciphertext data obtained by the first encryption field query, and second ciphertext data obtained by the second encryption field query;
Receiving a plaintext query result set returned by the encryption device, wherein the plaintext query result set comprises: and decrypting the first plaintext data obtained by adopting the original key and the second plaintext data obtained by adopting the updating key.
5. The method of claim 1, wherein the bypass encrypts the stock plaintext data using the update key, and further comprising, after obtaining the update data:
responding to a state recovery operation triggered by an application, sending a state recovery request to a management platform, wherein the state switching request is used for indicating the management platform to switch a transitional state strategy into a common state strategy and issuing the common state strategy to encryption equipment, and the common state strategy comprises the following steps: the update key.
6. A key updating method applied to a management platform, comprising:
receiving a state switching request sent by service equipment, wherein the state switching request is sent by the service equipment in response to a state switching operation triggered by an application;
replacing the original key with an updated key based on the state switching request; switching the common state strategy into a transitional state strategy, and issuing the transitional state strategy to the encryption equipment, wherein the transitional state strategy at least comprises: the original key and the updated key; when receiving the plaintext data sent by the service equipment, the encryption equipment encrypts the plaintext data by adopting the updated key to obtain ciphertext data and sends the ciphertext data to a database; and bypassing, by a service device, the stock data in the database to perform a key refreshing operation based on the original key and the updated key.
7. A key updating method applied to an encryption device, comprising:
receiving a transition state strategy issued by a management platform, wherein the transition state strategy at least comprises: the transient state strategy is obtained by replacing the original key with the updated key and switching from the common state strategy after the management platform receives a state switching request sent by service equipment;
receiving plaintext data sent by the service equipment;
encrypting the plaintext data by adopting the updated key to obtain ciphertext data and sending the ciphertext data to a database, wherein the stock data in the database is bypassed by the service equipment to carry out key refreshing operation based on the original key and the updated key.
8. The method as recited in claim 7, further comprising:
receiving a data reading request carrying an original query condition sent by service equipment, wherein the original query condition comprises a plaintext query field;
encrypting the plaintext query field by adopting the original key to obtain a first encrypted field, encrypting the plaintext query field by adopting the updated key to obtain a second encrypted field, and splicing the query condition containing the first encrypted field with the query condition containing the second encrypted field to obtain a target query condition;
Obtaining a ciphertext query result set from the database query based on the target query condition, the ciphertext query result set comprising: first ciphertext data obtained by the first encryption field query, and second ciphertext data obtained by the second encryption field query;
decrypting the first ciphertext data by using the original key to obtain first plaintext data, and decrypting the second ciphertext data by using the updated key to obtain second plaintext data;
and sending a plaintext query result set containing the first plaintext data and the second plaintext data to the service device.
9. A key updating apparatus applied to a service device, comprising:
the system comprises a first sending module, a second sending module and a management platform, wherein the first sending module is used for responding to a state switching operation triggered by an application and sending a state switching request to the management platform, and the state switching request is used for indicating the management platform to replace an original key with an updated key; switching the common state strategy into a transitional state strategy, and issuing the transitional state strategy to the encryption equipment, wherein the transitional state strategy at least comprises: the original key and the updated key;
The first sending module is further configured to send plaintext data to the encryption device, so that the encryption device encrypts the plaintext data by using the updated key to obtain ciphertext data and send the ciphertext data to a database;
and the refreshing module is used for bypassing the execution of key refreshing operation on the stock data in the database based on the original key and the updated key to obtain updated data.
10. A key updating apparatus applied to a management platform, comprising:
the second receiving module is used for receiving a state switching request sent by the service equipment, wherein the state switching request is sent by the service equipment in response to a state switching operation triggered by the application;
the processing module is used for replacing the original key with the updated key based on the state switching request; switching the common state strategy into a transition state strategy;
the second sending module is configured to send the transitional state policy to an encryption device, where the transitional state policy at least includes: the original key and the updated key; when receiving the plaintext data sent by the service equipment, the encryption equipment encrypts the plaintext data by adopting the updated key to obtain ciphertext data and sends the ciphertext data to a database; and bypassing, by a service device, the stock data in the database to perform a key refreshing operation based on the original key and the updated key.
11. A key updating apparatus applied to an encryption device, comprising:
the third receiving module is configured to receive a transitional state policy issued by the management platform, where the transitional state policy at least includes: the transient state strategy is obtained by replacing the original key with the updated key and switching from the common state strategy after the management platform receives a state switching request sent by service equipment;
the third receiving module is used for receiving the plaintext data sent by the service equipment;
and the encryption module is used for encrypting the plaintext data by adopting the updated key to obtain ciphertext data and sending the ciphertext data to a database, and the server device bypasses the stock data in the database to perform key refreshing operation based on the original key and the updated key.
12. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any of claims 1-8 when the program is executed.
13. A computer readable storage medium, characterized in that it stores a computer program executable by a computer device, which program, when run on the computer device, causes the computer device to perform the steps of the method according to any one of claims 1-8.
CN202311000748.7A 2023-08-09 2023-08-09 Key updating method, device, equipment and storage medium Pending CN117061101A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202311000748.7A CN117061101A (en) 2023-08-09 2023-08-09 Key updating method, device, equipment and storage medium
TW113114289A TWI866842B (en) 2023-08-09 2024-04-17 A key updating method, device, equipment and storage medium
PCT/CN2024/089196 WO2025030923A1 (en) 2023-08-09 2024-04-22 Key updating method and apparatus, and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311000748.7A CN117061101A (en) 2023-08-09 2023-08-09 Key updating method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117061101A true CN117061101A (en) 2023-11-14

Family

ID=88668553

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311000748.7A Pending CN117061101A (en) 2023-08-09 2023-08-09 Key updating method, device, equipment and storage medium

Country Status (3)

Country Link
CN (1) CN117061101A (en)
TW (1) TWI866842B (en)
WO (1) WO2025030923A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119377987A (en) * 2024-10-22 2025-01-28 武汉达梦数据库股份有限公司 Key updating method, device, equipment and storage medium for fully secret database
WO2025030923A1 (en) * 2023-08-09 2025-02-13 中国银联股份有限公司 Key updating method and apparatus, and device and storage medium
CN119449287A (en) * 2024-10-17 2025-02-14 陕西华电榆横煤电有限责任公司榆横发电厂 A cipher key smooth transition system based on time window

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007104310A (en) * 2005-10-04 2007-04-19 Hitachi Ltd Network device, network system, and key update method
US9705674B2 (en) * 2013-02-12 2017-07-11 Amazon Technologies, Inc. Federated key management
TWI558152B (en) * 2014-07-18 2016-11-11 Hao-Xi Zhuang Key replacement method and computer program products
CN112711773A (en) * 2021-01-12 2021-04-27 北京金万维科技有限公司 Method for encrypting plaintext password based on PHP development platform non-stop service
CN113627936B (en) * 2021-08-16 2024-12-17 中国工商银行股份有限公司 Encryption method and device in transition process of new and old passwords
CN114915469A (en) * 2022-05-11 2022-08-16 中国银行股份有限公司 Method and device for smoothly switching application system secret keys
CN117061101A (en) * 2023-08-09 2023-11-14 中国银联股份有限公司 Key updating method, device, equipment and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2025030923A1 (en) * 2023-08-09 2025-02-13 中国银联股份有限公司 Key updating method and apparatus, and device and storage medium
CN119449287A (en) * 2024-10-17 2025-02-14 陕西华电榆横煤电有限责任公司榆横发电厂 A cipher key smooth transition system based on time window
CN119377987A (en) * 2024-10-22 2025-01-28 武汉达梦数据库股份有限公司 Key updating method, device, equipment and storage medium for fully secret database

Also Published As

Publication number Publication date
WO2025030923A1 (en) 2025-02-13
TWI866842B (en) 2024-12-11
TW202508248A (en) 2025-02-16

Similar Documents

Publication Publication Date Title
US10686605B2 (en) Technologies for implementing mutually distrusting domains
US11537421B1 (en) Virtual machine monitor providing secure cryptographic operations
CN117061101A (en) Key updating method, device, equipment and storage medium
US11520905B2 (en) Smart data protection
CN110008735B (en) Method, node and storage medium for implementing contract call in blockchain
US11204881B2 (en) Computer system software/firmware and a processor unit with a security module
CN109547488B (en) Credible data computing and exchanging system based on alliance block chain
US20150078550A1 (en) Security processing unit with configurable access control
CN105718794A (en) Safety protection method and system for virtual machine based on VTPM
CN115859339B (en) Encryption and decryption method, device, medium and equipment for cloud storage data
CN111767556A (en) Method for realizing privacy protection in block chain, node and storage medium
US11797715B2 (en) Erasing a cryptographic hem in a memory of a device in response to a change of an operating mode of the device
CN115221183A (en) Data processing method and device
CN115758332A (en) Transaction grouping method and block link point
US20220291999A1 (en) Encryption key management
TW202449637A (en) An encryption method, device, equipment and storage medium
US20200266982A1 (en) Virtual memory extension layer for hardware security modules
CN111414610A (en) A method and device for determining a database verification password
US11645399B1 (en) Searching encrypted data
CN116383855A (en) Database cryptographic operation and maintenance method, device, equipment, storage medium and program product
CN115577048A (en) Data synchronization process encryption method, device, computer equipment and storage medium
CN115860953A (en) An information acquisition method, device, equipment and storage medium
CN115525608A (en) Data processing method and device, electronic equipment and computer readable medium
WO2025212323A1 (en) Date and time tokenization with format preservation
HK40039820A (en) Method for realizing contract calling in blockchain, node and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40102032

Country of ref document: HK