[go: up one dir, main page]

CN118821183A - Data security access method and system based on encryption algorithm - Google Patents

Data security access method and system based on encryption algorithm Download PDF

Info

Publication number
CN118821183A
CN118821183A CN202411297155.6A CN202411297155A CN118821183A CN 118821183 A CN118821183 A CN 118821183A CN 202411297155 A CN202411297155 A CN 202411297155A CN 118821183 A CN118821183 A CN 118821183A
Authority
CN
China
Prior art keywords
data
key
certificate
encrypted
service end
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202411297155.6A
Other languages
Chinese (zh)
Other versions
CN118821183B (en
Inventor
林志达
刘子威
林泽然
林登钰
刘佳
田德彪
李文海
王建徽
赵博文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bosi Data Mining Technology Co ltd
Original Assignee
Bosi Data Mining Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bosi Data Mining Technology Co ltd filed Critical Bosi Data Mining Technology Co ltd
Priority to CN202411297155.6A priority Critical patent/CN118821183B/en
Publication of CN118821183A publication Critical patent/CN118821183A/en
Application granted granted Critical
Publication of CN118821183B publication Critical patent/CN118821183B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a data security access method and system based on encryption algorithm, a service end applies for a secret key; the data safe generates a key pair A and a key certificate A; the service end sends storage data comprising service data; the data safe generates a key pair B and a data certificate B; splicing the key certificate A and the data certificate B to obtain an encrypted character string, encrypting service data by using the public key B and the AES algorithm to obtain encrypted data C, and configuring an AES key value by using the encrypted character string as an encryption vector value; adding salt to the key certificate A and the data certificate B by using an MD5 algorithm to obtain a character string MD5DataKey, storing the character string MD5 under a corresponding table of a database, and then returning the data certificate B to a service end; the extraction of the service data is the inverse of the above process. And various encryption modes are used, so that the secret key is encrypted, and the service data is encrypted in two layers, thereby ensuring the safety of the service data.

Description

基于加密算法的数据安全存取方法及系统Data security access method and system based on encryption algorithm

技术领域Technical Field

本发明涉及数据加密领域,尤其涉及一种基于加密算法的数据安全存取方法及系统。The present invention relates to the field of data encryption, and in particular to a data security access method and system based on encryption algorithm.

背景技术Background Art

政府采购类的商城有多种交易方式,不同于市面上成熟的电子商城(如京东、淘宝等),用户可直接进行下单交易商家上架的商品。政府采购对于买卖双方的要求,有更加明确的法律要求和执行规范。Government procurement malls have a variety of transaction methods. Unlike mature e-mall markets (such as JD.com and Taobao), users can directly place orders for goods listed by merchants. Government procurement has clearer legal requirements and implementation specifications for both buyers and sellers.

现政府采购电子商城有直接购买、网上竞价、网上询价等多种交易方式,用户分为采购人和供应商两种角色,对应买卖双方。以网上竞价为例,其有严格的交易流程和时间节点,要求采购人事先对商品需求、采购数量、采购预算等信息进行录入操作,形成一个购买项目,然后对外发布采购公告。供应商则根据采购公告进行匹配报名,参与到项目中。当时间节点到达供应商报价时,供应商登录系统参与对项目的报价,供应商可以在报价时间内进行多轮报价,报价信息供应商彼此之间互为保密,系统中也不会展示竞价信息。当报价时间结束后,系统汇总所有供应商最后一次报价信息,取其中最低价者作为成交供应商,对外发布采购结果公告。后续,合同签订、发货、付款等一系列流程则在采购人和成交供应商之间进行。The current government procurement e-mall has a variety of transaction methods such as direct purchase, online bidding, and online inquiry. Users are divided into two roles: purchasers and suppliers, corresponding to buyers and sellers. Taking online bidding as an example, it has strict transaction processes and time nodes, requiring purchasers to enter information such as commodity demand, purchase quantity, and purchase budget in advance to form a purchase project, and then publish a procurement announcement to the outside world. Suppliers match and register according to the procurement announcement and participate in the project. When the time node arrives for the supplier to quote, the supplier logs in to the system to participate in the quotation of the project. Suppliers can make multiple rounds of quotations within the quotation time. The quotation information suppliers are kept confidential from each other, and the bidding information will not be displayed in the system. When the quotation time is over, the system summarizes the last quotation information of all suppliers, takes the lowest price as the successful supplier, and publishes the procurement result announcement to the outside world. Subsequently, a series of processes such as contract signing, delivery, and payment are carried out between the purchaser and the successful supplier.

随着网络安全要求的不断提高,同时也防止系统内外部人员的互相串通,现有代码对于报价信息以明文形式进行数据库存储,仅在对外部展示时做隐藏处理。此种方式明显存在不足之处,外部攻击者可以通过非法手段获取到报价信息,甚至内部熟悉数据库库表的人员也能轻松获取到报价信息,提供给到供应商,让供应商以低于目前最低报价很小数额的价格成交。With the continuous improvement of network security requirements, and in order to prevent collusion between people inside and outside the system, the existing code stores quotation information in plain text in the database, and only hides it when it is displayed to the outside. This method obviously has shortcomings. External attackers can obtain quotation information through illegal means, and even internal personnel who are familiar with the database table can easily obtain quotation information and provide it to suppliers, allowing them to close the deal at a price that is a small amount lower than the current lowest quotation.

因此,想通过一种加密方案对报价信息进行加密存储,只在成交时对数据进行解密,成交之前数据无法被供应商通过非正常手段获取到,其中包括无法让外部攻击者通过非法手段获取到竞价信息 、无法让研发人员通过代码逻辑反向解密出竞价信息、无法让熟悉库表的实施运维人员查库获取到竞价信息。Therefore, we want to use an encryption scheme to encrypt and store the quotation information, and only decrypt the data when the transaction is completed. Before the transaction is completed, the data cannot be obtained by the supplier through abnormal means, including preventing external attackers from obtaining the bidding information through illegal means, preventing R&D personnel from reversely decrypting the bidding information through code logic, and preventing implementation and maintenance personnel who are familiar with the database table from checking the database to obtain the bidding information.

发明内容Summary of the invention

本发明的目的在于提供一种基于加密算法的数据安全存取方法及系统,采用动态、多种加密算法混合且可配置的方式加密数据,还能与业务数据进行结合,达到数据安全存取的效果。The purpose of the present invention is to provide a data security access method and system based on encryption algorithm, which adopts a dynamic, mixed and configurable way of multiple encryption algorithms to encrypt data, and can also be combined with business data to achieve the effect of data security access.

本发明通过如下技术方案实现:基于加密算法的数据安全存取方法,主体为数据保险柜,它分别与业务端和数据库连接;The present invention is implemented through the following technical solutions: a data security access method based on an encryption algorithm, the main body of which is a data safe, which is connected to a business end and a database respectively;

业务数据的存储过程为:The storage process of business data is:

步骤1,业务端携带业务端信息向数据保险柜申请密钥;Step 1: The business end applies for a key from the data safe with the business end information;

步骤2,数据保险柜对业务端信息进行合法性验证,验证通过后使用加密算法生成密钥对公钥A、私钥A以及密钥关联的密钥凭证A,对密钥凭证A使用MD5加密得到加密密钥凭证A1,而后将加密密钥凭证A1与公钥A、私钥A存储至数据库中,并返回密钥凭证A至业务端,业务端获取密钥凭证A并将之与业务数据关联储存;Step 2: The data safe verifies the legitimacy of the business end information. After the verification is passed, the encryption algorithm is used to generate a key pair of public key A, private key A and key certificate A associated with the key. The key certificate A is encrypted using MD5 to obtain the encrypted key certificate A1. The encrypted key certificate A1, public key A and private key A are then stored in the database, and the key certificate A is returned to the business end. The business end obtains the key certificate A and stores it in association with the business data.

步骤3,业务端携带业务端信息、密钥凭证A向数据保险柜发送存储数据,存储数据包括数据存储过期时间、相关用户名单、单位信息以及需要加密的业务数据;Step 3: The business end sends the storage data to the data safe with the business end information and key certificate A. The storage data includes the data storage expiration time, the relevant user list, the unit information and the business data that needs to be encrypted;

步骤4,数据保险柜对业务端信息进行合法性验证,验证通过后使用加密算法生成密钥对公钥B、私钥B以及密钥关联的数据凭证B,对数据凭证B使用MD5加密得到加密数据凭证B1,而后将加密数据凭证B1与公钥B、私钥B存储至数据库中;Step 4: The data safe verifies the legitimacy of the business end information. After the verification is passed, the encryption algorithm is used to generate a key pair of public key B, private key B and key-associated data certificate B. The data certificate B is encrypted using MD5 to obtain the encrypted data certificate B1, and then the encrypted data certificate B1, public key B and private key B are stored in the database;

步骤5,数据保险柜拼接密钥凭证A和数据凭证B得到拼接凭证,再使用MD5算法对拼接凭证加密得到加密字符串md5Key,然后使用公钥B对业务数据进行首次加密得到加密数据B,再使用AES对称加密算法对加密数据B再次加密得到加密数据C,同时配置AES密钥值并关联加密字符串md5Key作为加密数据C的加密向量值;最后将加密数据C、数据存储过期时间、相关用户名单、单位信息均存储至数据库中;Step 5: The data safe concatenates key certificate A and data certificate B to obtain a concatenated certificate, and then uses the MD5 algorithm to encrypt the concatenated certificate to obtain an encrypted string md5Key. Then, the business data is first encrypted using public key B to obtain encrypted data B, and then the encrypted data B is encrypted again using the AES symmetric encryption algorithm to obtain encrypted data C. At the same time, the AES key value is configured and the encrypted string md5Key is associated as the encryption vector value of the encrypted data C. Finally, the encrypted data C, data storage expiration time, relevant user list, and unit information are stored in the database.

步骤6,使用MD5算法对密钥凭证A和数据凭证B进行加盐运算得到字符串md5DataKey并将之存储到数据库中加密数据C的表格下,而后返回数据凭证B给业务端,业务端保存数据凭证B;Step 6: Use the MD5 algorithm to perform salt operation on the key certificate A and the data certificate B to obtain the string md5DataKey and store it in the table of encrypted data C in the database, and then return the data certificate B to the business end, and the business end saves the data certificate B;

业务数据的提取过程为:The process of extracting business data is as follows:

步骤7,业务端携带业务端信息、在存储过程中保存的密钥凭证A和数据凭证B向数据保险柜申请获取数据;Step 7: The business end applies to the data safe for data acquisition by carrying the business end information, key certificate A and data certificate B saved during the storage process;

步骤8,数据保险柜对业务端信息进行合法性验证,待验证通过后使用MD5算法对密钥凭证A和数据凭证B进行加盐运算得到字符串md5DataKey,利用字符串md5DataKey定位到数据库中存储加密数据C的表格取出加密数据C;Step 8: The data safe verifies the legitimacy of the business end information. After the verification is passed, the MD5 algorithm is used to perform salt operation on the key certificate A and the data certificate B to obtain the string md5DataKey. The string md5DataKey is used to locate the table storing the encrypted data C in the database and retrieve the encrypted data C.

步骤9,数据保险柜拼接密钥凭证A和数据凭证B后通过MD5算法计算得到加密字符串md5Key,使用md5Key作为AES对称加密算法的加密向量值对加密数据C解密为加密数据B;Step 9: The data safe concatenates the key certificate A and the data certificate B, and calculates the encrypted string md5Key using the MD5 algorithm. The encrypted data C is decrypted into the encrypted data B using md5Key as the encryption vector value of the AES symmetric encryption algorithm.

步骤10,数据保险柜使用数据凭证B通过MD5加密得到加密数据凭证B1,通过加密数据凭证B1从数据库中取出与之关联的私钥B,利用私钥B解密加密数据B得到业务数据,最终将业务数据发送给业务端。Step 10, the data safe uses data certificate B to obtain encrypted data certificate B1 through MD5 encryption, retrieves the private key B associated with encrypted data certificate B1 from the database, uses private key B to decrypt encrypted data B to obtain business data, and finally sends the business data to the business end.

一种基于加密算法的数据安全存取系统,主体为数据保险柜,它包括:A data security access system based on encryption algorithm, the main body of which is a data safe, which includes:

验证模块,在业务端访问数据保险柜时对业务端信息进行合法性检验;Verification module, which verifies the legitimacy of business-side information when the business-side accesses the data safe;

数据存取模块,用于将接收到的数据存储到数据库中或从数据库中提取对应的数据;A data access module, used to store the received data into a database or extract corresponding data from the database;

密钥模块,用于为业务端分发密钥,并通过数据存取模块将业务端的密钥保存至数据库中的对应位置;以及A key module, used to distribute keys to the business end, and save the keys of the business end to the corresponding location in the database through the data access module; and

加解密模块,用于加密密钥凭证和业务数据,并通过数据存取模块将加密数据保存至数据库中的对应位置。The encryption and decryption module is used to encrypt key credentials and business data, and save the encrypted data to the corresponding location in the database through the data access module.

较之前技术而言,本发明的有益效果为:Compared with the previous technology, the beneficial effects of the present invention are:

1.本发明使用多种加密方式混合,既对密钥进行了加密,又对业务数据进行了两层加密。1. The present invention uses a mixture of multiple encryption methods to encrypt both the key and the business data.

对于业务端来说,虽然掌握有两把钥匙(两个token),但是却不知道真正的加密密钥,研发人员无法对数据自行解密。For the business side, although they have two keys (two tokens), they do not know the real encryption key, and R&D personnel cannot decrypt the data by themselves.

对于数据保险柜来说,虽然保存有加密数据及相应密钥,但是由于两个token保留在业务方,因此无法知道密钥与数据的关联关系,无法自行解密数据。For the data safe, although the encrypted data and the corresponding keys are stored, since the two tokens are retained by the business party, it is impossible to know the association between the key and the data, and it is impossible to decrypt the data by itself.

另外对于实施运维人员来说,数据(包括两个token)在数据保险柜均按一定规则加密存储,无显式关联关系,无法直接通过联表获得其关联关系,从而提高数据被破解的难度。In addition, for operation and maintenance personnel, data (including two tokens) are encrypted and stored in the data safe according to certain rules. There is no explicit association relationship, and its association relationship cannot be directly obtained through the joint table, which increases the difficulty of data cracking.

2.本发明采用租户形式,各租户之间的加密算法可进行灵活配置,同时,对于每项业务数据,其加密的密钥均为动态生成,一数据一密钥,动态性强。2. The present invention adopts the tenant form, and the encryption algorithms between tenants can be flexibly configured. At the same time, for each business data, the encryption key is dynamically generated, one data one key, and it is highly dynamic.

3.本发明拓展性强,在本技术方案基础上,可对其密钥的动态性、加密的安全性(如增加加密层数)等进一步拓展,进一步保障数据安全等级。3. The present invention has strong expansibility. On the basis of the present technical solution, the dynamic nature of the key and the security of encryption (such as increasing the number of encryption layers) can be further expanded to further ensure the data security level.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1为基于加密算法的数据安全存取方法的流程图;FIG1 is a flow chart of a data security access method based on an encryption algorithm;

图2为基于加密算法的数据安全存取系统的模块框图;FIG2 is a block diagram of a data security access system based on an encryption algorithm;

图3为网上竞价项目阶段一的流程图;FIG3 is a flow chart of the first stage of the online bidding project;

图4为网上竞价项目阶段二的流程图;Figure 4 is a flow chart of the online bidding project phase 2;

图5为网上竞价项目阶段三的流程图。FIG. 5 is a flow chart of the third stage of the online bidding project.

具体实施方式DETAILED DESCRIPTION

下面结合附图说明对本发明做详细说明,但本发明的保护内容不局限于以下所述:The present invention is described in detail below in conjunction with the accompanying drawings, but the protection content of the present invention is not limited to the following:

如图1所示,基于加密算法的数据安全存取方法,主体为数据保险柜,它分别与业务端和数据库连接;As shown in FIG1 , the data security access method based on the encryption algorithm has a data safe as the main body, which is connected to the business end and the database respectively;

业务数据的存储过程为:The storage process of business data is:

步骤1,业务端携带业务端信息向数据保险柜申请密钥;Step 1: The business end applies for a key from the data safe with the business end information;

步骤2,数据保险柜对业务端信息进行合法性验证,验证通过后使用加密算法生成密钥对公钥A、私钥A以及密钥关联的密钥凭证A,对密钥凭证A使用MD5加密得到加密密钥凭证A1,而后将加密密钥凭证A1与公钥A、私钥A存储至数据库中,并返回密钥凭证A至业务端,业务端获取密钥凭证A并将之与业务数据关联储存;Step 2: The data safe verifies the legitimacy of the business end information. After the verification is passed, the encryption algorithm is used to generate a key pair of public key A, private key A and key certificate A associated with the key. The key certificate A is encrypted using MD5 to obtain the encrypted key certificate A1. The encrypted key certificate A1, public key A and private key A are then stored in the database, and the key certificate A is returned to the business end. The business end obtains the key certificate A and stores it in association with the business data.

步骤3,业务端携带业务端信息、密钥凭证A向数据保险柜发送存储数据,存储数据包括数据存储过期时间、相关用户名单、单位信息以及需要加密的业务数据;Step 3: The business end sends the storage data to the data safe with the business end information and key certificate A. The storage data includes the data storage expiration time, the relevant user list, the unit information and the business data that needs to be encrypted;

步骤4,数据保险柜对业务端信息进行合法性验证,验证通过后使用加密算法生成密钥对公钥B、私钥B以及密钥关联的数据凭证B,对数据凭证B使用MD5加密得到加密数据凭证B1,而后将加密数据凭证B1与公钥B、私钥B存储至数据库中;Step 4: The data safe verifies the legitimacy of the business end information. After the verification is passed, the encryption algorithm is used to generate a key pair of public key B, private key B and key-associated data certificate B. The data certificate B is encrypted using MD5 to obtain the encrypted data certificate B1, and then the encrypted data certificate B1, public key B and private key B are stored in the database;

步骤5,数据保险柜拼接密钥凭证A和数据凭证B得到拼接凭证,再使用MD5算法对拼接凭证加密得到加密字符串md5Key,然后使用公钥B对业务数据进行首次加密得到加密数据B,再使用AES对称加密算法对加密数据B再次加密得到加密数据C,同时配置AES密钥值并关联加密字符串md5Key作为加密数据C的加密向量值;最后将加密数据C、数据存储过期时间、相关用户名单、单位信息均存储至数据库中;Step 5: The data safe concatenates key certificate A and data certificate B to obtain a concatenated certificate, and then uses the MD5 algorithm to encrypt the concatenated certificate to obtain an encrypted string md5Key. Then, the business data is first encrypted using public key B to obtain encrypted data B, and then the encrypted data B is encrypted again using the AES symmetric encryption algorithm to obtain encrypted data C. At the same time, the AES key value is configured and the encrypted string md5Key is associated as the encryption vector value of the encrypted data C. Finally, the encrypted data C, data storage expiration time, relevant user list, and unit information are stored in the database.

步骤6,使用MD5算法对密钥凭证A和数据凭证B进行加盐运算得到字符串md5DataKey并将之存储到数据库中加密数据C的表格下,而后返回数据凭证B给业务端,业务端保存数据凭证B;Step 6: Use the MD5 algorithm to perform salt operation on the key certificate A and the data certificate B to obtain the string md5DataKey and store it in the table of encrypted data C in the database, and then return the data certificate B to the business end, and the business end saves the data certificate B;

业务数据的提取过程为:The process of extracting business data is as follows:

步骤7,业务端携带业务端信息、在存储过程中保存的密钥凭证A和数据凭证B向数据保险柜申请获取数据;Step 7: The business end applies to the data safe for data acquisition by carrying the business end information, key certificate A and data certificate B saved during the storage process;

步骤8,数据保险柜对业务端信息进行合法性验证,待验证通过后使用MD5算法对密钥凭证A和数据凭证B进行加盐运算得到字符串md5DataKey,利用字符串md5DataKey定位到数据库中存储加密数据C的表格取出加密数据C;Step 8: The data safe verifies the legitimacy of the business end information. After the verification is passed, the MD5 algorithm is used to perform salt operation on the key certificate A and the data certificate B to obtain the string md5DataKey. The string md5DataKey is used to locate the table storing the encrypted data C in the database and retrieve the encrypted data C.

步骤9,数据保险柜拼接密钥凭证A和数据凭证B后通过MD5算法计算得到加密字符串md5Key,使用md5Key作为AES对称加密算法的加密向量值对加密数据C解密为加密数据B;Step 9: The data safe concatenates the key certificate A and the data certificate B, and calculates the encrypted string md5Key using the MD5 algorithm. The encrypted data C is decrypted into the encrypted data B using md5Key as the encryption vector value of the AES symmetric encryption algorithm.

步骤10,数据保险柜使用数据凭证B通过MD5加密得到加密数据凭证B1,通过加密数据凭证B1从数据库中取出与之关联的私钥B,利用私钥B解密加密数据B得到业务数据,最终将业务数据发送给业务端。Step 10, the data safe uses data certificate B to obtain encrypted data certificate B1 through MD5 encryption, retrieves the private key B associated with encrypted data certificate B1 from the database, uses private key B to decrypt encrypted data B to obtain business data, and finally sends the business data to the business end.

需要说明的是,在步骤2中生成的密钥对公钥A、私钥A既未在业务数据的存储过程中使用,也未在业务数据的提取过程中使用,可以在他人盗取数据时起到混淆的效果,进一步防止业务数据的泄漏,从而提高本算法的安全性。It should be noted that the key pair public key A and private key A generated in step 2 are neither used in the storage process of business data nor in the extraction process of business data. They can have a confusing effect when others steal data, further prevent the leakage of business data, and thus improve the security of this algorithm.

在本发明中,所述数据保险柜作为一个独立的模块运行,以接口的方式对外提供入口并采用租户概念进行业务数据接入。以网上竞价项目为例,在项目发起后,当采购人登录用户系统、新建网上竞价项目、录入采购需求并发布采购公告时就进入到业务数据的存储过程。In the present invention, the data safe operates as an independent module, provides an entry to the outside in the form of an interface and uses the tenant concept for business data access. Taking an online bidding project as an example, after the project is initiated, when the purchaser logs in to the user system, creates a new online bidding project, enters the procurement requirements and publishes a procurement notice, the business data storage process is entered.

进一步的,所述加密算法为SM2算法。Furthermore, the encryption algorithm is the SM2 algorithm.

在步骤2中使用SM2算法生成密钥对sm2PubA、sm2PriA以及密钥关联的密钥凭证keyToken;In step 2, use the SM2 algorithm to generate the key pair sm2PubA, sm2PriA and the key certificate keyToken associated with the key;

在步骤4中使用SM2算法生成密钥对sm2PubB、sm2PriB以及密钥关联的数据凭证dataToken。In step 4, the SM2 algorithm is used to generate the key pair sm2PubB, sm2PriB and the data certificate dataToken associated with the key.

进一步的,使用SM2算法生成的公钥、私钥以及密钥凭证分别存储至数据库密钥表中对应位置的pub_key、pri_key以及token字段当中;Furthermore, the public key, private key and key certificate generated by the SM2 algorithm are stored in the pub_key, pri_key and token fields at the corresponding positions in the database key table respectively;

其中,sm2PubA、sm2PubB存储于pub_key中,sm2PriA、sm2PriB存储于pri_key中,密钥凭证keyToken和数据凭证dataToken存储于token中;所述密钥表结构如下:Among them, sm2PubA and sm2PubB are stored in pub_key, sm2PriA and sm2PriB are stored in pri_key, and the key certificate keyToken and the data certificate dataToken are stored in token; the key table structure is as follows:

序号Serial number 字段Fields 类型type 非空Not empty 描述describe 11 idid StringString YY 主键idPrimary key id 22 tokentoken StringString YY 凭证(密钥凭证和数据凭证),通过MD5加密后存储Credentials (key credentials and data credentials), stored after being encrypted with MD5 33 pub_keypub_key StringString YY 公钥Public Key 44 pri_keypri_key StringString YY 私钥Private Key

对于密钥表中token字段数据不进行明文存储,而是通过MD5算法加密后再存储至数据库中的密钥表中,这种方法避免了在密钥表中存储明文的token,并且避免了联表查询,进一步提高了破解密码的难度。数据保险柜返回给业务端的密钥凭证A、数据凭证B均为明文。其中密钥凭证keyToken和数据凭证dataToken均为36位的uuid格式;The token field data in the key table is not stored in plain text, but encrypted by the MD5 algorithm before being stored in the key table in the database. This method avoids storing plain text tokens in the key table and avoids joint table queries, further increasing the difficulty of cracking passwords. The key certificate A and data certificate B returned by the data safe to the business end are both in plain text. The key certificate keyToken and the data certificate dataToken are both in 36-bit uuid format;

进一步的,密钥表中的token为密钥凭证,用于关联响应的密钥数据,即每生成一对公私钥对,将产生唯一的token与其关联。pub_key和pri_key分别存储产生的公私钥对。Furthermore, the token in the key table is a key credential, which is used to associate the key data of the response, that is, each time a public-private key pair is generated, a unique token will be generated and associated with it. Pub_key and pri_key store the generated public-private key pairs respectively.

进一步的,如果加密算法为对称加密算法,则存储其密钥和相应的加盐向量。加盐是指在进行哈希运算之前,将一个随机生成的数据(称为盐,或Salt)与原始数据(例如密码)结合在一起,以增加哈希值的复杂性。这样可以有效防止彩虹表攻击和其他形式的哈希碰撞攻击。Furthermore, if the encryption algorithm is a symmetric encryption algorithm, its key and the corresponding salt vector are stored. Salting means combining a randomly generated data (called salt, or Salt) with the original data (such as a password) before performing a hash operation to increase the complexity of the hash value. This can effectively prevent rainbow table attacks and other forms of hash collision attacks.

进一步的,在步骤10中,使用数据凭证B从数据库中取出与之关联的私钥B还包括以下过程:Furthermore, in step 10, using the data voucher B to retrieve the private key B associated therewith from the database also includes the following process:

数据保险柜使用MD5算法计算数据凭证B得到凭证字符串,利用凭证字符串从数据库中找出与之关联的私钥B。The data safe uses the MD5 algorithm to calculate the data certificate B to obtain the certificate string, and uses the certificate string to find the private key B associated with it from the database.

所述业务端信息包括租户id、租户密码以及业务标识编码。对应到数据库中租户信息表存储的app_Key_Id、app_Key_Secret以及biz_code字段;此外,表格中的algorithm_code指加解密数据的加解密算法,在本发明中指加解密业务数据的AES算法,key_algorithm_code指加密密钥的SM2算法。所述租户信息表结构如下:The business end information includes the tenant id, tenant password and business identification code. It corresponds to the app_Key_Id, app_Key_Secret and biz_code fields stored in the tenant information table in the database; in addition, the algorithm_code in the table refers to the encryption and decryption algorithm for encrypting and decrypting data, which refers to the AES algorithm for encrypting and decrypting business data in the present invention, and the key_algorithm_code refers to the SM2 algorithm for the encryption key. The tenant information table structure is as follows:

进一步的,这里的租户对粒度没有严格控制,可以是一个系统作为一个租户,也可以是一个业务模块作为一个租户,甚至是可以一条业务数据作为一个租户,粒度大小由业务数据方自行约定。Furthermore, there is no strict control over the granularity of tenants here. A system can be a tenant, a business module can be a tenant, or even a piece of business data can be a tenant. The granularity is agreed upon by the business data party.

进一步的,所述存储数据在数据库中保存于数据表中,biz_content用于存储加密后的业务数据,storage_time存储业务数据的数据存储过期时间(该字段是在某些业务场景中当时间节点到达该时间后,无需对合法性进行验证,而是直接解密数据),user_id为相关用户名单、org_id为单位信息,biz_detail为按照一定规则生成的数据唯一值(在这里指两个密钥凭证keyToken和dataToken通过MD5算法拼接得到的加密字符串md5Key)。Furthermore, the stored data is saved in a data table in the database, biz_content is used to store encrypted business data, storage_time stores the data storage expiration time of the business data (this field is in some business scenarios, when the time node reaches this time, there is no need to verify the legitimacy, but directly decrypt the data), user_id is the list of related users, org_id is the unit information, biz_detail is the unique data value generated according to certain rules (here it refers to the encrypted string md5Key obtained by splicing the two key credentials keyToken and dataToken through the MD5 algorithm).

进一步的,所述数据存储过期时间的作用为:在后续流程中请求从数据保险柜获取数据时,在请求参数中会携带请求用户的相关信息如用户ID、用户所属单位等(这部分数据由用户登录系统后生成),数据保险柜收到取请求时,会优先校验数据存储过期时间是否已经晚于当前请求的时间,是的话认为数据已过期,取数据时不会再校验其用户信息,否则会从请求参数中取出用户信息和存储在保险柜的用户信息进行比对验证,只有比对一致才能够获取数据;Furthermore, the role of the data storage expiration time is as follows: when requesting to obtain data from the data safe in the subsequent process, the request parameters will carry relevant information of the requesting user, such as the user ID, the user's unit, etc. (this part of data is generated after the user logs into the system). When the data safe receives the retrieval request, it will first verify whether the data storage expiration time is later than the current request time. If so, the data is considered expired, and its user information will not be verified when the data is retrieved. Otherwise, the user information will be taken from the request parameters and compared with the user information stored in the safe for verification. Only when the comparison is consistent can the data be retrieved;

所述数据表的表结构如下:The table structure of the data table is as follows:

进一步的,在步骤6中结合SM2算法,在数据入库存储后对数据表的biz_detail列进行填充。填充规则为:使用MD5算法对密钥凭证keyToken和数据凭证dataToken进行加盐运算,获得字符串md5dataKey,将md5dataKey填充到biz_detail列。此种方式,可让密钥表、数据表之间无显式关联关系,实施运维等具有数据库操作权限的相关人员无法使用联表方式进行数据关联查询。而且由于MD5算法的不可逆特性,无法通过逆向取得对应的密钥凭证keyToken和数据凭证dataToken,最后再将数据凭证dataToken返回给业务端即可。Furthermore, in step 6, combined with the SM2 algorithm, the biz_detail column of the data table is filled after the data is stored in the database. The filling rule is: use the MD5 algorithm to perform salt operations on the key certificate keyToken and the data certificate dataToken, obtain the string md5dataKey, and fill the md5dataKey into the biz_detail column. In this way, there is no explicit association between the key table and the data table, and relevant personnel with database operation permissions such as implementation and maintenance cannot use the joint table method to perform data association queries. In addition, due to the irreversible nature of the MD5 algorithm, it is impossible to obtain the corresponding key certificate keyToken and data certificate dataToken through reverse, and finally the data certificate dataToken can be returned to the business end.

进一步的,在步骤5中配置AES密钥值的操作为设定一串固定的字符串作为AES密钥值或另外建立新的表格动态配置AES密钥值。Furthermore, the operation of configuring the AES key value in step 5 is to set a fixed string as the AES key value or to establish a new table to dynamically configure the AES key value.

需要说明的是,在本发明中,基于基础信息配置和加密数据存储的要求,数据库内需要重点维护的表结构为上述的密钥表、租户信息表以及数据表。数据库中还设有业务标识表、加密算法表等表结构。It should be noted that in the present invention, based on the requirements of basic information configuration and encrypted data storage, the table structures that need to be maintained in the database are the key table, tenant information table and data table mentioned above. The database also has table structures such as business identification table and encryption algorithm table.

业务标识表:按照不同的业务会有不同的标识,如网上竞价业务,还可以细分为非定点网上竞价项目(如笔记本电脑、复印纸此类商品)、定点竞价项目(如物业管理服务、车辆加油、装修工程等此类非商品属性的项目),为统一规划和管理,要求在此表配置相应的标识并在业务端请求时携带该标识,数据保险柜会验证标识是否在本表中,只有在本表中才允许其请求,其表结构如下:Business identification table: Different businesses will have different identifications. For example, online bidding business can be further divided into non-fixed-point online bidding projects (such as laptop computers, copy paper and other commodities) and fixed-point bidding projects (such as property management services, vehicle refueling, decoration projects and other non-commodity projects). For unified planning and management, it is required to configure the corresponding identification in this table and carry the identification when the business end requests. The data safe will verify whether the identification is in this table. Only in this table will the request be allowed. The table structure is as follows:

加密算法表:用于配置数据保险柜对数据加密的算法,如SM2算法、RSA算法、AES算法等,其表结构如下:Encryption algorithm table: used to configure the data safe's encryption algorithm, such as SM2 algorithm, RSA algorithm, AES algorithm, etc. The table structure is as follows:

如图2所示,一种基于加密算法的数据安全存取系统,主体为数据保险柜,它包括:As shown in FIG2 , a data security access system based on an encryption algorithm, the main body of which is a data safe, includes:

验证模块,在业务端访问数据保险柜时对业务端信息进行合法性检验;Verification module, which verifies the legitimacy of business-side information when the business-side accesses the data safe;

数据存取模块,用于将接收到的数据存储到数据库中或从数据库中提取对应的数据;A data access module, used to store the received data into a database or extract corresponding data from the database;

密钥模块,用于为业务端分发密钥,并通过数据存取模块将业务端的密钥保存至数据库中的对应位置;以及A key module, used to distribute keys to the business end, and save the keys of the business end to the corresponding location in the database through the data access module; and

加解密模块,用于加密密钥凭证和业务数据,并通过数据存取模块将加密数据保存至数据库中的对应位置。The encryption and decryption module is used to encrypt key credentials and business data, and save the encrypted data to the corresponding location in the database through the data access module.

进一步的,所述业务端、数据保险柜以及数据库之间设有密钥申请接口、数据存储接口以及数据获取接口。本发明按照密钥申请接口、数据存储接口以及数据获取接口以及数据库内表结构实现数据的加密存取。Furthermore, a key application interface, a data storage interface and a data acquisition interface are provided between the business end, the data safe and the database. The present invention realizes encrypted access of data according to the key application interface, the data storage interface and the data acquisition interface and the internal table structure of the database.

其中,密钥申请接口用于业务端申请加解密密钥,数据存储接口用于业务端存储数据,数据获取接口用于业务端获取存储的数据。Among them, the key application interface is used by the business end to apply for encryption and decryption keys, the data storage interface is used by the business end to store data, and the data acquisition interface is used by the business end to obtain stored data.

需要说明的是,所述业务端通过密钥申请接口访问系统的访问顺序为业务端、验证模块、密钥模块、数据存取模块、数据库;It should be noted that the access order of the service end to access the system through the key application interface is service end, verification module, key module, data access module, database;

所述业务端通过数据存储接口访问系统的访问顺序为业务端、验证模块、加解密模块、密钥模块、加解密模块、数据存取模块、数据库;The order in which the business end accesses the system through the data storage interface is business end, verification module, encryption and decryption module, key module, encryption and decryption module, data access module, and database;

所述业务端通过数据获取接口访问系统的访问顺序为业务端、验证模块、数据库、数据存取模块、加解密模块、业务端。The access order of the business end to the system through the data acquisition interface is business end, verification module, database, data access module, encryption and decryption module, and business end.

综上所述,本发明可以提供一个业务场景案例说明:In summary, the present invention can provide a business scenario case description:

在定点服务网上竞价项目发起时,由采购人填报采购需求并发起竞价项目,项目发起成功后会对外发布采购公告。各家供应商(即各租户)根据采购公告规定的时间节点,对项目进行商品匹配报名并在竞价时间内进行多次报价。When a designated service online bidding project is initiated, the purchaser fills in the procurement requirements and initiates the bidding project. After the project is successfully initiated, a procurement announcement will be released to the public. Each supplier (i.e., each tenant) will register for product matching for the project according to the time node specified in the procurement announcement and make multiple quotations during the bidding period.

在报价结束后,以各家供应商最后一次报价为准,价格低者为中标供应商,发布采购结果公告,项目成交。After the quotation is completed, the last quotation of each supplier will be taken as the basis, the supplier with the lowest price will be the winning supplier, the procurement result announcement will be released, and the project will be completed.

网上竞价项目整体流程可划分为三个阶段:The overall process of online bidding projects can be divided into three stages:

阶段一:采购人发起项目阶段,如图3所示。Phase 1: The purchaser initiates the project, as shown in Figure 3.

采购人登录系统,新建网上竞价项目,录入所需购买商品或者服务的品牌、规格型号及相应的采购预算(预期成交价格的最高价)等信息,录入完毕后发布采购公告,等待供应商匹配报价。The purchaser logs into the system, creates a new online bidding project, enters the brand, specification and model of the goods or services to be purchased, and the corresponding purchase budget (the highest expected transaction price) and other information. After completing the entry, the purchase notice is issued and the supplier is awaiting matching quotations.

本阶段供应商作为租户登录系统向数据保险柜申请密钥。数据保险柜验证其租户id、租户密码以及参与项目的业务标识编码,确认无误后生成密钥及密钥凭证(keyToken)。数据保险柜将keyToken颁发给本竞价项目作为整个竞价项目流程的唯一凭证。同时竞价项目业务端将keyToken关联保存到数据库中的对应表结构内。In this stage, the supplier logs in to the system as a tenant and applies for a key from the data safe. The data safe verifies its tenant ID, tenant password, and the business identification code of the participating project, and generates a key and key certificate (keyToken) after confirmation. The data safe issues the keyToken to this bidding project as the only certificate for the entire bidding project process. At the same time, the bidding project business end associates the keyToken and saves it in the corresponding table structure in the database.

阶段二:供应商报名及报价阶段,如图4所示。Phase 2: Supplier registration and quotation phase, as shown in Figure 4.

(此阶段对应到本发明的业务数据的存储过程)。(This stage corresponds to the storage process of the business data of the present invention).

多家供应商作为租户根据竞价项目采购公告要求,参与报名并在报价阶段进行报价。供应商报价时,供应商登录系统到项目下填报价格,系统携带供应商用户信息、报价信息、数据存储过期时间(这里的时间取的是竞价项目报价结束时间)及项目唯一的密钥凭证(keyToken)等信息向数据保险柜发起存储数据申请。数据保险柜针对供应商报价信息,生成密钥及数据凭证(dataToken)。As tenants, multiple suppliers participate in the registration and make quotations in the quotation stage according to the requirements of the bidding project procurement announcement. When suppliers make quotations, they log in to the system and fill in the price under the project. The system carries the supplier user information, quotation information, data storage expiration time (the time here is the end time of the bidding project quotation) and the project's unique key certificate (keyToken) and other information to initiate a data storage application to the data safe. The data safe generates a key and data certificate (dataToken) based on the supplier's quotation information.

同时,数据保险柜根据生成的密钥、keyToken和dataToken以及本发明中步骤5、步骤6所述的方法加密每个供应商的竞价数据并将各个信息存储到数据库中的对应表结构内。共同存储的还有供应商用户信息和数据存储过期时间。然后,数据保险柜把数据凭证(dataToken)颁发给竞价项目业务端。竞价项目业务端将dataToken和供应商信息、项目信息、报价信息(此时项目明细表的报价信息填充值为0,真实数据在数据保险柜加密存储)关联存储到数据库中的对应表结构内。而且每家供应商对应一条报价明细信息,单独持有一个自己的数据凭证dataToken。At the same time, the data safe encrypts the bidding data of each supplier according to the generated key, keyToken and dataToken and the methods described in steps 5 and 6 of the present invention, and stores each information in the corresponding table structure in the database. Also stored together are the supplier user information and the data storage expiration time. Then, the data safe issues the data certificate (dataToken) to the bidding project business end. The bidding project business end associates the dataToken with the supplier information, project information, and quotation information (at this time, the quotation information fill value of the project details table is 0, and the real data is encrypted and stored in the data safe) and stores them in the corresponding table structure in the database. Moreover, each supplier corresponds to a quotation detail information and holds its own data certificate dataToken separately.

在项目报价期间,各家供应商可以查看自己的已报价的竞价信息并修改报价。由于报价阶段存储在数据保险柜的报价信息对应的过期时间未过期,所以供应商到数据保险柜申请查看自身已报价的竞价信息时,需验证申请供应商的身份是否与存储在数据表的用户信息一致,只有一致时方可查看竞价信息。During the project quotation period, each supplier can view their own quoted bidding information and modify the quotation. Since the expiration time of the quotation information stored in the data safe during the quotation stage has not expired, when a supplier applies to the data safe to view their own quoted bidding information, it is necessary to verify whether the identity of the applicant supplier is consistent with the user information stored in the data table. Only when they are consistent can the bidding information be viewed.

阶段三:成交阶段,如图5所示。Phase 3: Transaction phase, as shown in Figure 5.

(此阶段对应到本发明的业务数据的提取过程)。(This stage corresponds to the business data extraction process of the present invention).

项目成交阶段(即报价结束后),竞价项目业务端会统一携带项目唯一密钥凭证keyToken和所有报价供应商的数据凭证dataToken到数据保险柜申请本项目的所有报价信息。由于此时为系统操作,无法携带各家供应商的用户信息(用户信息为用户自身登录系统后生成)。但由于此时本项目的报价数据存储过期时间已晚于当前时间,因此数据保险柜不会验证其用户信息。而后系统自动携带keyToken和dataToken访问数据保险柜,结合本发明中步骤6至步骤10的方法解密出竞价信息并返回给业务端。业务端收到竞价信息后会将竞价信息的数据放到项目报价明细表的价格字段,替换阶段二的填充的0值。During the project transaction phase (i.e. after the quotation is completed), the bidding project business end will uniformly carry the project's unique key certificate keyToken and the data certificate dataToken of all quotation suppliers to the data safe to apply for all quotation information of this project. Since this is a system operation, it is impossible to carry the user information of each supplier (the user information is generated after the user logs into the system). However, since the expiration time of the quotation data storage of this project is later than the current time at this time, the data safe will not verify its user information. The system then automatically carries the keyToken and dataToken to access the data safe, and combines the methods of steps 6 to 10 in the present invention to decrypt the bidding information and return it to the business end. After receiving the bidding information, the business end will put the data of the bidding information into the price field of the project quotation details table, replacing the 0 value filled in stage two.

最后,系统取出所有报价信息进行汇总计算,确认中标供应商并发布项目成交结果公告。Finally, the system takes out all the quotation information for summary calculation, confirms the winning supplier and publishes the project transaction result announcement.

尽管本发明采用具体实施例及其替代方式对本发明进行示意和说明,但应当理解,只要不背离本发明的精神范围内的各种变化和修改均可实施。因此,应当理解除了受随附的权利要求及其等同条件的限制外,本发明不受任何意义上的限制。Although the present invention is illustrated and described by specific embodiments and their alternatives, it should be understood that various changes and modifications within the spirit and scope of the present invention can be implemented. Therefore, it should be understood that the present invention is not limited in any sense except by the limitations of the attached claims and their equivalents.

Claims (6)

1. The data security access method based on the encryption algorithm is characterized in that the main body is a data safe which is respectively connected with a service end and a database;
the storage process of the service data is as follows:
Step 1, a service end carries service end information and applies a secret key to a data safe;
step 2, the data safe performs validity verification on the information of the service end, after the verification is passed, an encryption algorithm is used for generating a key pair public key A, a key pair private key A and a key certificate A related to the key, the key certificate A is encrypted by using MD5 to obtain an encryption key certificate A1, the public key A and the key private key A are stored in a database, the key certificate A is returned to the service end, and the service end acquires the key certificate A and stores the key certificate A and service data in a related manner;
step 3, the service end carries service end information and the key certificate A sends storage data to the data safe, wherein the storage data comprises data storage expiration time, related user lists, unit information and service data needing encryption;
Step 4, the data safe performs validity verification on the service end information, after verification, an encryption algorithm is used for generating a key pair public key B, a key pair private key B and a data certificate B related to the key, the data certificate B is encrypted by using MD5 to obtain an encrypted data certificate B1, and then the encrypted data certificate B1, the public key B and the key private B are stored in a database;
Step 5, the data safe splice Key certificate A and the data certificate B are obtained to obtain a splice certificate, then the MD5 algorithm is used for encrypting the splice certificate to obtain an encrypted character string MD5Key, then the public Key B is used for encrypting service data for the first time to obtain encrypted data B, the AES symmetric encryption algorithm is used for encrypting the encrypted data B again to obtain encrypted data C, and meanwhile, an AES Key value is configured and the encrypted character string MD5Key is correlated to be used as an encryption vector value of the encrypted data C; finally, storing the encrypted data C, the data storage expiration time, the related user list and the unit information into a database;
Step 6, performing salt adding operation on the key certificate A and the data certificate B by using an MD5 algorithm to obtain a character string MD5DataKey, storing the character string MD5DataKey under a table of encrypted data C in a database, and then returning the data certificate B to a service end, wherein the service end stores the data certificate B;
The extraction process of the service data comprises the following steps:
Step 7, the service end carries service end information, and the key certificate A and the data certificate B stored in the storage process apply for obtaining data from the data safe;
Step 8, the data safe performs validity verification on the service end information, after the verification is passed, the MD5 algorithm is used for carrying out salifying operation on the key certificate A and the data certificate B to obtain a character string MD5DataKey, and the character string MD5DataKey is used for positioning a table storing encrypted data C in a database to take out the encrypted data C;
Step 9, the data safe splices the Key certificate A and the data certificate B, then calculates an encryption character string MD5Key through an MD5 algorithm, and decrypts the encrypted data C into encrypted data B by using the MD5Key as an encryption vector value of an AES symmetric encryption algorithm;
Step 10, the data safe uses the data certificate B to encrypt through the MD5 to obtain an encrypted data certificate B1, the encrypted data certificate B1 is used for taking out a private key B associated with the encrypted data certificate B from the database, the encrypted data B is decrypted by the private key B to obtain service data, and finally the service data is sent to the service end.
2. The data security access method based on the encryption algorithm according to claim 1, wherein: the encryption algorithm is an SM2 algorithm.
3. The data security access method based on the encryption algorithm according to claim 1, wherein: the service end information comprises tenant id, tenant password and service identification code.
4. The data security access method based on the encryption algorithm according to claim 1, wherein: the operation of configuring the AES key value in step 5 is to set a string of fixed character strings as the AES key value or otherwise create a new table to dynamically configure the AES key value.
5. A data security access system based on an encryption algorithm for performing the method of any one of claims 1-4, characterized by: the main part is data safe deposit box, and it includes:
the verification module is used for verifying the validity of the service end information when the service end accesses the data safe;
the data access module is used for storing the received data into a database or extracting corresponding data from the database;
the key module is used for distributing keys for the service end and storing the keys of the service end to corresponding positions in the database through the data access module; and
And the encryption and decryption module is used for encrypting the key certificate and the service data and storing the encrypted data to the corresponding position in the database through the data access module.
6. The data security access system based on encryption algorithm of claim 5, wherein: and a key application interface, a data storage interface and a data acquisition interface are arranged among the service end, the data safe and the database.
CN202411297155.6A 2024-09-18 2024-09-18 Data security access method and system based on encryption algorithm Active CN118821183B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411297155.6A CN118821183B (en) 2024-09-18 2024-09-18 Data security access method and system based on encryption algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411297155.6A CN118821183B (en) 2024-09-18 2024-09-18 Data security access method and system based on encryption algorithm

Publications (2)

Publication Number Publication Date
CN118821183A true CN118821183A (en) 2024-10-22
CN118821183B CN118821183B (en) 2024-12-17

Family

ID=93078818

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411297155.6A Active CN118821183B (en) 2024-09-18 2024-09-18 Data security access method and system based on encryption algorithm

Country Status (1)

Country Link
CN (1) CN118821183B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109345331A (en) * 2018-08-21 2019-02-15 中国科学技术大学苏州研究院 A Task Assignment Method for Crowd Sensing System with Privacy Protection
US20210133344A1 (en) * 2018-10-09 2021-05-06 Q-Net Security, Inc. Enhanced Securing and Secured Processing of Data at Rest
CA3173536A1 (en) * 2020-02-29 2021-09-02 Secure Wallet Technology Pty Ltd Cryptosystem, systems, methods and applications for zero-knowledge anonymously-individualized marketing and loyalty management based on end-to-end encrypted transfer of statements like receipts or script
CN113657978A (en) * 2021-09-01 2021-11-16 东南大学 Distributed energy auction method and system based on block chain and privacy protection
CN114124534A (en) * 2021-11-24 2022-03-01 航天信息股份有限公司 Data interaction system and method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109345331A (en) * 2018-08-21 2019-02-15 中国科学技术大学苏州研究院 A Task Assignment Method for Crowd Sensing System with Privacy Protection
US20210133344A1 (en) * 2018-10-09 2021-05-06 Q-Net Security, Inc. Enhanced Securing and Secured Processing of Data at Rest
CA3173536A1 (en) * 2020-02-29 2021-09-02 Secure Wallet Technology Pty Ltd Cryptosystem, systems, methods and applications for zero-knowledge anonymously-individualized marketing and loyalty management based on end-to-end encrypted transfer of statements like receipts or script
CN113657978A (en) * 2021-09-01 2021-11-16 东南大学 Distributed energy auction method and system based on block chain and privacy protection
CN114124534A (en) * 2021-11-24 2022-03-01 航天信息股份有限公司 Data interaction system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程思嘉;张昌宏;潘帅卿;: "基于CP-ABE算法的云存储数据访问控制方案设计", 信息网络安全, no. 02, 10 February 2016 (2016-02-10) *

Also Published As

Publication number Publication date
CN118821183B (en) 2024-12-17

Similar Documents

Publication Publication Date Title
US11004067B2 (en) Methods and devices for protecting sensitive data of transaction activity based on smart contract in blockchain
US20230046268A1 (en) Methods and systems for tracking and recovering assets stolen on distributed ledger-based networks
JP5165598B2 (en) Account link with private key
CN104463567B (en) A kind of secure electronic transaction method and system
US8964976B2 (en) Secure storage and retrieval of confidential information
CN103370688B (en) A system and method for generating multi-factor personalized server strong keys from simple user passwords
JP2022003536A (en) Method implemented by block chain for digital content control and distribution
CN109889504A (en) Decentralized data access right transaction method and system
WO2020051710A1 (en) System and process for managing digitized security tokens
CN102609841A (en) Remote mobile payment system based on digital certificate and payment method
JP2019125883A (en) Electronic commerce system, service providing server, third party organization server, electronic commerce method, and program
US12432061B2 (en) Content protection system
CN114565382B (en) A transaction account anonymous payment method and system
CN115713329A (en) Data transaction method based on block chain
CN108550035A (en) A kind of cross-border network bank business method and cross-border internet banking system
KR102475434B1 (en) Security method and system for crypto currency
CN110807634A (en) Second-hand ticket trading method and platform based on Hasp hash chain and smart contract
CN115310978A (en) A digital asset transaction method and device
WO2026031899A1 (en) Data processing method and apparatus, and device and storage medium
CN114997867A (en) Data element multi-mode delivery system and method based on block chain and privacy calculation
JP7403306B2 (en) Servers, data processing methods, computer systems and computers
TW201835825A (en) Transaction verification method and system
CN116071071B (en) Block chain-based data element transaction method, system, storage medium and equipment
CN118821183B (en) Data security access method and system based on encryption algorithm
CN113570371B (en) Trusted power transaction clearing method and system based on cryptographic technology

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant