CN120449176A - Data protected search method and system - Google Patents
- Publication number
- CN120449176A (application number CN202510492909.1)
- Authority
- CN
- China
- Prior art keywords
- data
- encryption
- processing
- search
- private key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The application relates to a data protected search method and system. In the method, the user side performs encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data and sends the first anonymized search data to a data provider; the data provider performs encryption anonymization processing on the first anonymized search data based on a data private key to obtain second anonymized search data, performs matching processing between the second anonymized search data and the encrypted keyword data in a target database to obtain target encryption function data corresponding to the second anonymized search data, and sends the target encryption function data to the user side; and the user side decrypts the target encryption function data based on a symmetric private key to obtain the queried function data corresponding to the initial search data. With this method, protected search is achieved in the scenario where the data stored on the cloud side belongs to the data provider rather than to the user.
Description
Technical Field
The present application relates to the field of data searching technologies, and in particular, to a method and a system for searching data under protection.
Background
With the collaborative development of cloud computing, edge computing and terminal devices, the cloud-edge collaborative architecture is gradually becoming an important computing mode. Under this architecture it is a common requirement for a user at the terminal side to query and search data on the cloud, where the query content of the user is stored in the terminal device and the queried data set is stored on the edge side or the cloud side. In some application scenarios the query condition of the user is the user's own private data, such as a customer name or telephone number, and the search therefore has high privacy requirements. A data protected search method is therefore generally adopted so that specific data can be retrieved from a cloud-side database while the user's search data remains in an encrypted state.
The data protected searching method in the related technology is characterized in that a user encrypts data and then uploads the encrypted data to a cloud side database for storage, when the user needs to inquire, the user firstly encrypts the search data, the cloud side matches the encrypted search data with the encrypted database, an encrypted search result is fed back, and the user decrypts the search result to obtain the needed data.
However, in some application scenarios of the cloud-side system architecture, the data stored on the cloud side is not uploaded by the user, but belongs to the data provider, so a protected search method for data applicable to the scenario is needed.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a data protected search method and system that apply to the scenario in which the data stored on the cloud side belongs to a data provider.
In a first aspect, the present application provides a data protected search method. The method is used for a data protected search system comprising a user side, a big data processing platform and a data provider, wherein the big data processing platform and the data provider are both positioned on a cloud side, and the method comprises the following steps:
The user terminal carries out encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data, and sends the first anonymized search data to a data provider;
The data provider carries out encryption anonymization processing on the first anonymous search data based on a data private key to obtain second anonymous search data, carries out matching processing on the second anonymous search data and encryption keyword data in a target database to obtain target encryption function data corresponding to the second anonymous search data, and sends the target encryption function data to a user terminal, wherein the encryption keyword data in a search column in the target database is obtained by carrying out two-round encryption anonymization processing on the initial keyword data by a big data processing platform based on the data private key and the user private key, and the encryption function data in a non-search column in the target database is obtained by carrying out symmetric encryption processing on the initial function data by the big data processing platform based on a symmetric key of the user terminal;
and the user terminal decrypts the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data.
In one embodiment, the method further comprises:
The data provider sends the initial keyword data of the initial database to a first processing module of the data processing platform, wherein the first processing module is a data processing resource distributed to the data provider in the data processing platform;
the first processing module performs encryption anonymization processing on the initial keyword data based on the data private key to obtain intermediate keyword data, and sends the intermediate keyword data to the second processing module of the data processing platform, wherein the second processing module is a data processing resource allocated to the user side in the data processing platform, and the processing logic of the first processing module and the second processing module is isolated from each other;
The second processing module performs encryption anonymization processing on the intermediate keyword data based on the user private key to obtain encrypted keyword data, and sends the encrypted keyword data to the data provider;
the data provider stores the encrypted keyword data in the target database.
In one embodiment, the method further comprises:
the data provider sends the initial function data in the initial database to the second processing module;
The second processing module performs symmetric encryption processing on the initial function data based on the symmetric key to obtain encryption function data, and sends the encryption function data to the data provider;
The data provider stores the encryption function data in the target database.
In one embodiment, the second processing module performs encryption anonymization processing on the intermediate keyword data based on the user private key to obtain encrypted keyword data, including:
the second processing module invokes the cryptographic engine, wherein the user private key is stored in the cryptographic engine;
The cipher machine uses the private key of the user to encrypt and anonymize the intermediate keyword data, and the encrypted keyword data is obtained.
In one embodiment, the method further comprises:
The cipher machine sends its public key to the user side;
the user side encrypts the user private key with the cipher machine's public key to obtain an intermediate private key, and sends the intermediate private key to the cipher machine;
and the cipher machine decrypts the intermediate private key with its own private key to obtain the user private key.
In one embodiment, the second processing module performs symmetric encryption processing on the initial function data based on the symmetric key to obtain encrypted function data, including:
the second processing module invokes the cryptographic engine, wherein the symmetric private key is stored in the cryptographic engine;
and the cipher machine uses the symmetric private key to perform symmetric encryption processing on the initial function data to obtain the encryption function data.
In one embodiment, the data provider performs matching processing based on the second anonymous search data and the encrypted keyword data in the target database to obtain target encrypted function data corresponding to the second anonymous search data, and the method includes:
The data provider establishes a query index based on the encrypted keyword data in the target database;
the data provider determines target cryptographic function data based on the second anonymous search data and the query index.
In a second aspect, the application also provides a data protected search system, which comprises a user side, a big data processing platform and a data provider, wherein the big data processing platform and the data provider are positioned on the cloud side;
the user terminal is used for carrying out encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data, and sending the first anonymized search data to the data provider;
The data provider is used for carrying out encryption anonymization processing on the first anonymized search data based on the data private key to obtain second anonymized search data, carrying out matching processing on the second anonymized search data and encryption keyword data in the target database to obtain target encryption function data corresponding to the second anonymized search data, and sending the target encryption function data to the user side;
the big data processing platform is used for carrying out two-round encryption anonymization processing on the initial keyword data based on the data private key and the user private key to obtain encrypted keyword data, and carrying out symmetrical encryption processing on the initial function data based on the symmetric key of the user side to obtain encrypted function data;
And the user end is used for decrypting the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data.
In a third aspect, the present application further provides a data protected searching method, where the method is used for a data provider, the data provider is located on a cloud side, and the data provider is communicatively connected with a user side, and the method includes:
Acquiring first anonymous search data sent by a user terminal, wherein the first anonymous search data is obtained by the user terminal through encryption and anonymization processing on initial search data based on a user private key;
the first anonymous search data is encrypted and anonymized based on a data private key of the data provider, so that second anonymous search data is obtained;
Matching processing is carried out on the basis of the second anonymous search data and the encrypted keyword data in the target database to obtain target encrypted function data corresponding to the second anonymous search data, the encrypted keyword data in the search column in the target database is obtained by carrying out two-round encryption anonymization processing on the initial keyword data by a big data processing platform on the cloud side based on a data private key and a user private key, and the encrypted function data in the non-search column in the target database is obtained by carrying out symmetric encryption processing by the big data processing platform based on a symmetric key of the user side;
And sending the target encryption function data to the user side so that the user side can decrypt the target encryption function data based on the symmetric key to obtain the queried function data corresponding to the initial search data.
In a fourth aspect, the present application further provides a data protected searching method, where the method is used for a user side, and the user side is communicatively connected to a data provider located on a cloud side, and the method includes:
performing encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data;
The method comprises the steps of sending first anonymous search data to a data provider, conducting encryption anonymization processing on the first anonymous search data by the data provider based on a data private key to obtain second anonymous search data, conducting matching processing on the second anonymous search data and encryption keyword data in a target database to obtain target encryption function data corresponding to the second anonymous search data, and sending the target encryption function data to a user terminal, wherein the encryption keyword data in a search column in the target database is obtained by conducting two rounds of encryption anonymization processing on initial keyword data by a large data processing platform based on a data private key and a user private key, and the encryption function data in a non-search column in the target database is obtained by conducting symmetric encryption processing on the initial function data by the large data processing platform based on a symmetric key of the user terminal;
and decrypting the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data.
The data protected searching method and system provided by the application are applied to a data protected searching system comprising a user side, a big data processing platform and a data provider, wherein the big data processing platform and the data provider are both positioned on the cloud side. The user side performs encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data; the data provider performs encryption anonymization processing on the first anonymized search data based on a data private key to obtain second anonymized search data, performs matching processing between the second anonymized search data and the encryption keyword data in a target database to obtain target encryption function data corresponding to the second anonymized search data, and sends the target encryption function data to the user side, wherein the encryption keyword data in the search column of the target database is obtained by the big data processing platform performing two-round encryption anonymization processing on the initial keyword data based on the data private key and the user private key, and the encryption function data in the non-search column of the target database is obtained by the big data processing platform performing symmetric encryption processing on the initial function data based on the symmetric key of the user side; the user side then decrypts the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data. In this way the query data of the user side undergoes two rounds of encryption based on the user private key and the data private key, the searched data of the data provider likewise undergoes two rounds of encryption based on the same two keys, and matching takes place between the two values in this doubly encrypted state, so the data provider cannot learn the content queried by the user side. At the same time, the non-search column data is encrypted in advance with the symmetric key of the user side, so the data provider cannot infer the specific content of the query from the function data returned by the search. Protected search is thus achieved in the scenario where the data stored on the cloud side belongs to the data provider.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the related art, the drawings that are required to be used in the embodiments or the related technical descriptions will be briefly described, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
FIG. 1 is a block diagram of a data protected search system in one embodiment;
FIG. 2 is a flow diagram of a method of data protected searching in one embodiment;
FIG. 3 is a block diagram of a data protected search system in another embodiment
FIG. 4 is a flowchart illustrating steps for obtaining encrypted keyword data in one embodiment;
FIG. 5 is a flowchart illustrating steps for obtaining encryption function data in one embodiment;
FIG. 6 is a flow chart of a method of data protected searching in another embodiment;
FIG. 7 is an internal block diagram of a computer device in one embodiment;
FIG. 8 is a block diagram showing an internal structure of a computer device in another embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The data protected searching method provided by the embodiments of the application can be applied to the data protected searching system shown in FIG. 1. The user side 102 in the data protected search system is communicatively connected to the cloud side 104. The cloud side 104 comprises a big data processing platform 1044 and allocates storage resources and service processing resources according to the usage requirements of the data provider 1042: an initial database stores the original data deposited by the data provider 1042, and a target database stores the data obtained by encrypting the initial data and is the database that the user side 102 searches for the required data. The big data processing platform 1044 is relatively independent of the hardware resources of the data provider 1042 and communicates with them through an interface, and the data provider 1042 can apply to the big data processing platform 1044 for the use of data processing resources.
For example, the cloud side 104 may be implemented as a server cluster formed by a plurality of servers, where a portion of the resources in the server cluster are provided to the data provider 1042 and used as a business office environment for the data provider 1042, and a portion of the resources in the server cluster are used as a big data processing platform 1044 for the user side 102 and the data provider 1042 to process data.
The user terminal 102 may be a terminal device, and the terminal device may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices, wherein the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart car devices and the like, and the portable wearable devices may be smart watches, smart bracelets, head-mounted devices and the like.
The system shown in FIG. 1 may be applied in a financial business scenario, in which the user side 102 is a terminal device used by a specific user of the financial business, the data provider 1042 is a data storage resource leased by a financial enterprise on the cloud side 104, and the big data processing platform 1044 is a data processing resource on the cloud side that may be allocated to the data provider 1042 and the user side 102 for use based on a request from the financial enterprise.
Also by way of example, the system shown in FIG. 1 may also be used in a medical business scenario or other business scenario requiring a protected search.
In an exemplary embodiment, as shown in fig. 2, a data protected search method is provided, and an example of application of the method to the data protected search system in fig. 1 is described, where the data protected search system includes a user side, a big data processing platform, and a data provider, where the data provider and the big data processing platform are located on a cloud side. The method includes the following steps 202 through 206. Wherein:
Step 202, the user side performs encryption anonymization processing on the initial search data based on the user private key to obtain first anonymized search data, and sends the first anonymized search data to the data provider.
The user private key refers to a private key generated by the user side under a public-private key system. The corresponding public key generated by the user side is not disclosed, so that neither the cloud side nor the data provider can decrypt the first anonymized search data.
The initial search data refers to the query data in a plaintext form at the user end, and is generally sensitive private data of the user, such as data of a name, a telephone number or an identification card number.
For example, the process by which the user side performs encryption anonymization processing on the initial search data based on the user private key to obtain the first anonymized search data may use the RSA asymmetric encryption algorithm, as shown in Equation 1:
$B = a^{d_1} \bmod n$ (Equation 1)
where $a$ is the initial search data encoded as an integer smaller than $n$, $B$ is the first anonymized search data, $d_1$ is the user private key, and $n$ is the modulus of the RSA asymmetric encryption algorithm.
Step 204, the data provider performs encryption anonymization processing on the first anonymized search data based on the data private key to obtain second anonymized search data, performs matching processing between the second anonymized search data and the encryption keyword data in the target database to obtain target encryption function data corresponding to the second anonymized search data, and sends the target encryption function data to the user side.
The data private key refers to a private key generated by the data provider based on a public-private key system, wherein the public key generated by the data provider is not disclosed, so that the cloud side cannot decrypt the second anonymous search data.
For example, the process by which the data provider performs encryption anonymization processing on the first anonymized search data based on the data private key to obtain the second anonymized search data may likewise use the RSA asymmetric encryption algorithm, as shown in Equation 2:
$C = B^{d_2} \bmod n$ (Equation 2)
where $C$ is the second anonymized search data and $d_2$ is the data private key.
The encryption keyword data in the search column in the target database is obtained by carrying out two-round encryption anonymization processing on the initial keyword data by the big data processing platform based on the data private key and the user private key, and the encryption function data in the non-search column in the target database is obtained by carrying out symmetrical encryption processing on the initial function data by the big data processing platform based on the symmetric key of the user side.
The initial keyword data refers to the data contained in the search column of the original data provided by the data provider. The big data processing platform encrypts the initial keyword data twice, with the data private key and with the user private key, so that when the data provider matches the second anonymized search data, which has likewise been encrypted and anonymized twice, against the encrypted keyword data, both values depend on the user private key that the data provider does not hold. The data provider therefore cannot learn the content the user is currently querying, which protects the search privacy of the user side.
The initial function data refers to data except a search column in the original data provided by the data provider, namely actual data content which the user side wants to acquire from the data provider. In this embodiment, this data is referred to as functional data, and is distinguished in terms of names from keyword data serving as search matching.
The big data processing platform performs symmetric encryption processing on the initial function data based on the symmetric key of the user side, which ensures that the data provider cannot infer the specific content of the query data sent by the user side from the matched target encryption function data, thereby protecting the search privacy of the user side. In this embodiment the symmetric encryption mode is used to encrypt the initial function data of the non-search column: on one hand the user side can decrypt the received target encryption function data with the symmetric key, and on the other hand symmetric encryption has a smaller computational cost, which reduces the resource consumption of encrypting the non-search column.
The symmetric key is generated by the user side based on a symmetric encryption algorithm.
In one possible implementation manner, the process that the big data processing platform performs two rounds of encryption anonymization processing on the initial keyword data to obtain the encrypted keyword data and performs symmetric encryption processing on the initial function data to obtain the encrypted function data is completed before the user side triggers the query. The data provider can call the big data processing platform in real time to carry out two-round encryption anonymization processing on the initial data or the initial keyword data in the initial data when the initial data or a group of initial data is newly stored in the initial database, symmetrically encrypt the initial functional data and store the encrypted data in the target database, and directly search from the target database when the user side triggers the data search, thereby improving the response speed of the real-time search.
In one possible implementation, the data provider performs matching processing based on the second anonymous search data and the encrypted keyword data in the target database to obtain target encrypted function data corresponding to the second anonymous search data, and the method comprises the steps that the data provider establishes a query index based on the encrypted keyword data in the target database, and the data provider determines the target encrypted function data based on the second anonymous search data and the query index. Thus, the searching efficiency is improved by establishing the query index.
Step 206, the user side decrypts the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data.
The data protected search method provided by this embodiment is applied to a data protected search system comprising a user side, a big data processing platform and a data provider, wherein the big data processing platform and the data provider are both positioned on the cloud side. The user side performs encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data; the data provider performs encryption anonymization processing on the first anonymized search data based on a data private key to obtain second anonymized search data, performs matching processing between the second anonymized search data and the encryption keyword data in a target database to obtain target encryption function data corresponding to the second anonymized search data, and sends the target encryption function data to the user side, wherein the encryption keyword data in the search column of the target database is obtained by the big data processing platform performing two-round encryption anonymization processing on the initial keyword data based on the data private key and the user private key, and the encryption function data in the non-search column of the target database is obtained by the big data processing platform performing symmetric encryption processing on the initial function data based on the symmetric key of the user side; the user side then decrypts the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data. Thus the query data of the user side undergoes two rounds of encryption based on the user private key and the data private key, the searched data of the data provider likewise undergoes two rounds of encryption based on the same two keys, and matching takes place between the two values in this doubly encrypted state, so the data provider cannot learn the content queried by the user side. At the same time, the non-search column data is encrypted in advance with the symmetric key of the user side, so the data provider cannot infer the specific content of the query from the function data returned by the search. Protected search is thus achieved in the scenario where the data stored on the cloud side belongs to the data provider.
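The following Python program is an added, runnable illustration of steps 202 to 206 and of the target database construction they rely on; it is not code from the patent. It makes three assumptions that the page does not state: the commutative exponentiation of Equations 1 and 2 is carried out modulo the Mersenne prime 2^127 - 1 rather than an RSA modulus n, so that the group order is public and both exponents can be checked to be invertible (a real deployment would use a group of at least 2048 bits); each keyword is hashed into the group before exponentiation instead of being exponentiated directly; and an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for a real authenticated cipher so that the example needs only the standard library. The sample database and queries are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets

# Group modulus for the commutative exponentiation. ASSUMPTION: the patent writes an
# RSA modulus n; this example uses the Mersenne prime 2**127 - 1 so that the group
# order P - 1 is public and exponents can be chosen invertible modulo P - 1.
# It is far too small for real use; it keeps the example readable.
P = (1 << 127) - 1


def gen_exponent() -> int:
    """Secret exponent d with gcd(d, P-1) == 1, so x -> x^d mod P is a bijection
    and the two rounds commute: (x^d1)^d2 == (x^d2)^d1 (mod P)."""
    while True:
        d = secrets.randbelow(P - 1)
        if d > 1 and math.gcd(d, P - 1) == 1:
            return d


def to_group(keyword: str) -> int:
    """Hash the plaintext keyword into [1, P-1]. ASSUMPTION: the patent exponentiates
    the value directly; hashing first is the usual practice."""
    h = int.from_bytes(hashlib.sha256(keyword.encode()).digest(), "big")
    return h % (P - 1) + 1


def anonymize(x: int, d: int) -> int:
    """One round of encryption anonymization (Equation 1 / Equation 2): x^d mod P."""
    return pow(x, d, P)


# Symmetric encryption for the non-search columns. ASSUMPTION: HMAC-SHA256 keystream
# plus encrypt-then-MAC tag as a stdlib stand-in for an AEAD such as AES-GCM.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(mac_key, nonce + ct, "sha256")


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mac_key, nonce + ct, "sha256")):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_target_database(initial_db, d_user: int, d_data: int, sym_key: bytes):
    """Big data processing platform, run before any query: the first processing
    module applies the data private key, the second applies the user private key,
    and the non-search column is encrypted with the user side's symmetric key."""
    target = []
    for row in initial_db:
        intermediate = anonymize(to_group(row["keyword"]), d_data)  # first processing module
        enc_keyword = anonymize(intermediate, d_user)               # second processing module
        enc_function = sym_encrypt(sym_key, row["function"].encode())
        target.append((enc_keyword, enc_function))
    return target


def build_index(target_db):
    """Data provider: query index over the encrypted search column."""
    index = {}
    for enc_keyword, enc_function in target_db:
        index.setdefault(enc_keyword, []).append(enc_function)
    return index


def user_query(keyword: str, d_user: int) -> int:
    """Step 202: first anonymized search data B = a^d1 mod P."""
    return anonymize(to_group(keyword), d_user)


def provider_search(first: int, d_data: int, index) -> list:
    """Step 204: second anonymized search data C = B^d2 mod P, then index lookup.
    The provider only ever sees B and C, never the plaintext keyword."""
    second = anonymize(first, d_data)
    return index.get(second, [])


def user_decrypt(results, sym_key: bytes) -> list:
    """Step 206: the user side decrypts the target encryption function data."""
    return [sym_decrypt(sym_key, blob).decode() for blob in results]


# Constructed sample initial database: phone number (search column) and the
# function data the user wants back (non-search column).
INITIAL_DB = [
    {"keyword": "13800000001", "function": "account=A001;balance=1200"},
    {"keyword": "13800000002", "function": "account=A002;balance=350"},
    {"keyword": "13800000001", "function": "account=A003;balance=90"},
]


def run_protocol(initial_db, queries):
    """End-to-end run with fresh keys; returns {query: [decrypted function data]}."""
    d_user, d_data, sym_key = gen_exponent(), gen_exponent(), secrets.token_bytes(32)
    index = build_index(build_target_database(initial_db, d_user, d_data, sym_key))
    return {q: user_decrypt(provider_search(user_query(q, d_user), d_data, index), sym_key)
            for q in queries}


if __name__ == "__main__":
    print(run_protocol(INITIAL_DB, ["13800000001", "13800000009"]))
```

Two properties of this construction are worth keeping in mind when evaluating it. Matching is exact equality only: the index lookup succeeds precisely when the doubly encrypted query equals a doubly encrypted keyword, so prefix or range queries are out of scope. And the encryption of the search column is deterministic by design, since the same keyword must always yield the same encrypted keyword for the lookup to work; the data provider therefore cannot read the values but can still see which rows share a search value and how often a given anonymized value is queried.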
In an exemplary embodiment, referring to FIG. 3, the big data processing platform in the data protected search system includes a first processing module and a second processing module, where the first processing module and the second processing module are allocated to the data provider and to the user side respectively for calling, and the processing logic of the two modules is isolated from each other. The first processing module and the second processing module may exchange data via an interface.
In this embodiment, referring to fig. 4, the provided data protected searching method further includes steps 402 to 408, wherein:
in step 402, the data provider transmits initial keyword data of an initial database to a first processing module of the data processing platform.
And step 404, the first processing module performs encryption anonymization processing on the initial keyword data based on the data private key to obtain intermediate keyword data, and sends the intermediate keyword data to the second processing module of the data processing platform.
In one possible implementation manner, the cloud side is provided with a cryptographic engine for use in the process of performing encryption anonymization processing on the intermediate keyword data by the second processing module based on the user private key.
Where a cryptographic engine is a dedicated hardware encryption device, the encryption operations are performed by using physical chips, modules, or dedicated processors, without relying entirely on software implementation.
In the embodiment, the user private key is stored in the cipher machine, and the second processing module performs encryption anonymization processing on the intermediate keyword data based on the user private key to obtain the encrypted keyword data.
In the embodiment, the cryptographic engine is used for storing the user private key, so that the security of the user private key is ensured, and particularly, the risk of stealing the user private key is reduced under the condition that a cloud side service provider possibly attacks or the inside of the service provider has security threat.
In one implementation of this embodiment, the provided data protected search method further comprises: the cipher machine sends its public key to the user side; the user side encrypts the user private key with the cipher machine's public key to obtain an intermediate private key and sends the intermediate private key to the cipher machine; and the cipher machine decrypts the intermediate private key with its own private key to obtain the user private key. The cipher machine's public key and private key form an asymmetric key pair.
Therefore, the user terminal encrypts the private key of the user through the public key of the cipher machine and then sends the encrypted private key to the cipher machine, the cipher machine decrypts the intermediate key by using the private key to obtain the private key of the user and stores the private key of the user, and the security of the private key of the user in the process of transmitting the private key of the user between the user terminal and the cipher machine can be ensured.
In step 406, the second processing module performs encryption anonymization processing on the intermediate keyword data based on the user private key to obtain encrypted keyword data, and sends the encrypted keyword data to the data provider.
In step 408, the data provider stores the encrypted keyword data in the target database.
In the data protected search method of the above embodiment, the first processing module and the second processing module, whose processing logic is isolated from each other within the big data processing platform, respectively complete the data private key encryption and the user private key encryption of the initial keyword data. On one hand, the resources of the big data processing platform improve the efficiency of the encryption anonymization processing; on another, the two encryption anonymization processes are isolated from each other, which protects the user private key and the data private key; and further, because the first processing module first encrypts and anonymizes the initial keyword data with the data private key, and only then does the second processing module apply the user private key, the unencrypted search column is never exposed to the user side.
In an exemplary embodiment, referring to fig. 5, the provided data protected search method further includes steps 502 to 506, wherein:
In step 502, the data provider sends the initial function data in the initial database to the second processing module.
In step 504, the second processing module performs symmetric encryption processing on the initial function data based on the symmetric key to obtain encrypted function data, and sends the encrypted function data to the data provider.
In the implementation in which a cipher machine is set on the cloud side, the symmetric key is stored in the cipher machine, and the process in which the second processing module performs symmetric encryption processing on the initial function data based on the symmetric key to obtain the encrypted function data comprises: the second processing module calls the cipher machine, and the cipher machine performs encryption anonymization processing on the initial function data using the symmetric private key to obtain the encrypted function data.
In this embodiment, the user side encrypts the user private key based on the cipher public key to obtain the intermediate private key and encrypts the symmetric key based on the cipher public key to obtain an intermediate key; the user side transmits the intermediate key to the cipher machine together with the intermediate private key, and the cipher machine decrypts the intermediate key using the cipher private key to obtain the symmetric key and stores it.
In step 506, the data provider stores the encrypted function data in the target database.
In one possible implementation, the data provider sends the initial function data in the initial database to the second processing module through the first processing module, and the second processing module sends the encryption function data to the data provider through the first processing module.
The data provider sends the data table T1 that currently needs to be encrypted in the initial database to the first processing module. The first processing module performs encryption anonymization processing on the initial keyword data in the search column of the table to obtain a data table T2, whose non-search columns are identical to those of T1, and sends T2 to the second processing module. The second processing module performs encryption anonymization processing on the search column of T2 based on the user private key and symmetric encryption processing on the non-search columns of T2 to obtain a data table T3, and sends T3 to the first processing module. The first processing module sends T3 to the data provider, and the data provider stores T3 in the target database.
In an exemplary embodiment, as shown in fig. 6, a data protected search method is provided, which is used in the data protected search system in fig. 1 for illustration, where the data protected search system includes a user side, a big data processing platform, and a data provider, where the data provider and the big data processing platform are located on a cloud side, the big data processing platform includes a first processing module and a second processing module, where the first processing module and the second processing module are respectively allocated to the data provider and the user side for calling, and processing logic between the first processing module and the second processing module is isolated from each other. The method includes the following steps S1 to S18. Wherein:
In step S1, the cipher machine sends its cipher public key to the user side.
In step S2, the user side encrypts the user private key and the symmetric key based on the cipher public key to obtain an intermediate private key and an intermediate key.
In step S3, the user side sends the intermediate private key and the intermediate key to the cipher machine.
In step S4, the cipher machine decrypts the intermediate private key and the intermediate key based on the cipher private key to obtain the user private key and the symmetric key, and stores both.
In step S5, the data provider sends the initial keyword data and the initial function data of the initial database to the first processing module of the data processing platform.
In step S6, the first processing module performs encryption anonymization processing on the initial keyword data based on the data private key to obtain intermediate keyword data.
In step S7, the first processing module sends the intermediate keyword data and the initial function data to the second processing module of the data processing platform.
In step S8, the second processing module sends the intermediate keyword data and the initial function data to the cipher machine.
In step S9, the cipher machine performs encryption anonymization processing on the intermediate keyword data based on the user private key to obtain encrypted keyword data, and performs symmetric encryption processing on the initial function data based on the symmetric key to obtain encrypted function data.
In step S10, the cipher machine sends the encrypted keyword data and the encrypted function data to the second processing module.
In step S11, the second processing module sends the encrypted keyword data and the encrypted function data to the first processing module.
In step S12, the first processing module stores the encrypted keyword data and the encrypted function data in the target database of the data provider.
In step S13, the user side performs encryption anonymization processing on the initial search data based on the user private key to obtain first anonymized search data.
In step S14, the user side sends the first anonymized search data to the data provider.
In step S15, the data provider performs encryption anonymization processing on the first anonymized search data based on the data private key to obtain second anonymized search data.
In step S16, the data provider performs matching processing between the second anonymized search data and the encrypted keyword data in the target database to obtain the target encryption function data corresponding to the second anonymized search data.
In step S17, the data provider sends the target encryption function data to the user side.
In step S18, the user side decrypts the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data.
According to this data protected search method, efficient encryption processing and key protection for the queried data are achieved by combining the cloud-side big data processing platform with the hardware cipher machine: the encryption tasks on the initial keyword data and the initial function data are carried out using the high-performance computing resources of the cloud side, while the user private key and the symmetric key of the user side are protected by the hardware cipher machine, preventing data leakage caused by malicious theft of those keys.
Steps S1 to S4 may be regarded as an environment preparation stage, steps S5 to S12 as an offline data preparation stage (offline meaning that this stage is completed before the user side triggers a data search request), and steps S13 to S18 as a real-time query stage. The data protected search method of this embodiment therefore requires only two rounds of anonymization processing on the initial query data when a protected search is performed, giving near real-time response efficiency.
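The following is an added, constructed walk-through of the offline preparation stage (steps S5 to S12, equivalently the T1/T2/T3 table flow) and the real-time query stage (S13 to S18); it is example code, not code from the patent. Assumptions: the patent does not name its "encryption anonymization" primitive, so a commutative exponentiation-based blinding is used (the match in S16 only works if the data-key and user-key rounds commute); the symmetric cipher is a toy HMAC-based construction standing in for whatever the deployment uses; and the key-wrapping exchange of S1 to S4 is represented only by its outcome, a cipher machine object that alone holds the user private key and symmetric key.

```python
"""Constructed end-to-end run of the offline preparation stage (S5 to S12,
the T1/T2/T3 table flow) and the real-time query stage (S13 to S18)."""
import hashlib
import hmac
import math
import os
import secrets

# Assumption: the patent does not name its "encryption anonymization"
# primitive; commutative blinding H(x)^k mod P is used so that the
# data-key and user-key rounds may be applied in either order (S16).
# P is a toy-sized prime to keep the example readable; a deployment
# would use a standard large prime-order group.
P = (1 << 127) - 1   # Mersenne prime M127
Q = P - 1            # order of the multiplicative group mod P

def gen_private_key() -> int:
    """Random exponent coprime to Q, so blinding with it is a bijection."""
    while True:
        k = secrets.randbelow(Q - 2) + 2
        if math.gcd(k, Q) == 1:
            return k

def hash_to_group(keyword: str) -> int:
    """Map a keyword to a group element in [2, P-1]."""
    h = int.from_bytes(hashlib.sha256(keyword.encode()).digest(), "big")
    return 2 + h % (P - 2)

def anonymize(value: int, private_key: int) -> int:
    """One round of encryption anonymization: value^key mod P."""
    return pow(value, private_key, P)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range(0, length, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated stream cipher (HMAC-SHA256 keystream plus tag) standing
    in for the unspecified symmetric cipher; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """S18 on the user side; rejects tampered data or a wrong symmetric key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("function data tampered or wrong symmetric key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class CipherMachine:
    """Cloud-side cipher machine: the only component holding the user's keys (S4)."""
    def __init__(self, user_private_key: int, symmetric_key: bytes):
        self._user_key = user_private_key
        self._sym_key = symmetric_key

    def anonymize_keyword(self, intermediate: int) -> int:    # S9, search column
        return anonymize(intermediate, self._user_key)

    def encrypt_function_data(self, data: bytes) -> bytes:   # S9, non-search columns
        return sym_encrypt(self._sym_key, data)

def prepare_target_database(initial_db: dict, data_private_key: int,
                            hsm: CipherMachine) -> dict:
    """S5 to S12: T1 -> T2 (data-key round, first module) -> T3 (user-key round
    and symmetric encryption through the cipher machine, second module).
    The returned dict, keyed by encrypted keyword, doubles as the query index."""
    t2 = {anonymize(hash_to_group(kw), data_private_key): fn
          for kw, fn in initial_db.items()}
    return {hsm.anonymize_keyword(ikw): hsm.encrypt_function_data(fn)
            for ikw, fn in t2.items()}

def user_build_query(keyword: str, user_private_key: int) -> int:
    """S13: first anonymized search data; the plaintext keyword stays on the user side."""
    return anonymize(hash_to_group(keyword), user_private_key)

def provider_search(first_anon: int, data_private_key: int, target_db: dict):
    """S15 and S16: second round with the data private key, then index lookup."""
    second_anon = anonymize(first_anon, data_private_key)
    return target_db.get(second_anon)   # None when no keyword matches

def run_protocol(initial_db: dict, keyword: str):
    """Whole flow with fresh keys; returns decrypted function data or None."""
    data_key, user_key = gen_private_key(), gen_private_key()
    sym_key = secrets.token_bytes(32)
    hsm = CipherMachine(user_key, sym_key)              # outcome of S1 to S4
    target_db = prepare_target_database(initial_db, data_key, hsm)
    blob = provider_search(user_build_query(keyword, user_key), data_key, target_db)
    return None if blob is None else sym_decrypt(sym_key, blob)

if __name__ == "__main__":
    db = {"alice": b"balance=100", "bob": b"balance=250"}   # constructed T1
    print(run_protocol(db, "alice"), run_protocol(db, "carol"))
```

Note that the data provider only ever sees blinded keywords and ciphertexts: the lookup in `provider_search` succeeds because the two blinding rounds commute, while a keyword absent from T1 yields no match.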
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be performed alternately with at least some of the other steps or stages.
It will be appreciated that the term "based on" as used herein to describe one or more factors that influence a determination is not to be taken as excluding other factors that may influence the determination. For example, the phrase "determining a based on B" means that the determination of a may be based, at least in part, on or entirely on factor B, that is, B is one factor affecting the determination of a, but does not exclude that the determination of a is also based on C.
Based on the same inventive concept, the embodiment of the application also provides a data protected search system, as shown in fig. 1, which comprises a user side, a big data processing platform and a data provider, wherein the big data processing platform and the data provider are positioned on the cloud side.
And the user end is used for carrying out encryption anonymization processing on the initial search data based on the user private key to obtain first anonymized search data, and sending the first anonymized search data to the data provider.
And the data provider is used for carrying out encryption anonymization processing on the first anonymized search data based on the data private key to obtain second anonymized search data, carrying out matching processing on the second anonymized search data and the encryption keyword data in the target database to obtain target encryption function data corresponding to the second anonymized search data, and sending the target encryption function data to the user side.
The big data processing platform is used for carrying out two-round encryption anonymization processing on the initial keyword data based on the data private key and the user private key to obtain encrypted keyword data, and carrying out symmetrical encryption processing on the initial function data based on the symmetric key of the user side to obtain encrypted function data;
And the user end is used for decrypting the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data.
In an exemplary embodiment, referring to fig. 3, the big data processing platform includes a first processing module and a second processing module, where the first processing module and the second processing module are respectively allocated to the data provider and the user side for calling, and the processing logic of the first processing module and the second processing module is isolated from each other.
The first processing module is used for performing encryption anonymization processing on the initial keyword data based on the data private key to obtain intermediate keyword data, and sending the intermediate keyword data to the second processing module of the data processing platform. The second processing module is used for performing encryption anonymization processing on the intermediate keyword data based on the user private key to obtain encrypted keyword data, and sending the encrypted keyword data to the data provider, and the data provider is used for storing the encrypted keyword data in the target database.
In an exemplary embodiment, referring to fig. 3, the cloud side further includes a cryptographic engine in which the user private key is stored. The second processing module is used for calling the cipher machine, and the cipher machine is used for performing encryption anonymization processing on the intermediate keyword data using the user private key to obtain the encrypted keyword data.
In one exemplary embodiment, the cryptographic engine is configured to send the public cryptographic key of the cryptographic engine to the user side; the user side is configured to encrypt the user private key based on the public cryptographic key to obtain an intermediate private key and to send the intermediate private key to the cryptographic engine; and the cryptographic engine is configured to decrypt the intermediate private key using the private cryptographic key to obtain the user private key.
In one exemplary embodiment, the symmetric private key is stored in a cryptographic engine, and the second processing module invokes the cryptographic engine, which is configured to use the symmetric private key to perform encryption anonymization processing on the initial function data to obtain encrypted function data.
In one exemplary embodiment, the data provider is configured to establish a query index based on the encrypted keyword data in the target database, and the data provider is configured to determine the target encryption function data based on the second anonymous search data and the query index.
In one exemplary embodiment, a data protected search method is provided for the data provider in the data protected system shown in FIG. 1. The method comprises: obtaining first anonymized search data sent by the user side, the first anonymized search data being obtained by the user side through encryption anonymization processing of initial search data based on a user private key; performing encryption anonymization processing on the first anonymized search data based on the data private key of the data provider to obtain second anonymized search data; performing matching processing between the second anonymized search data and the encryption keyword data in the target database to obtain target encryption function data corresponding to the second anonymized search data, wherein the encryption keyword data in the search column of the target database is obtained by the big data processing platform performing two rounds of encryption anonymization processing on the initial keyword data based on the data private key and the user private key, and the encryption function data in the non-search column of the target database is obtained by the big data processing platform performing symmetric encryption processing based on the symmetric key of the user side; and sending the target encryption function data to the user side, so that the user side can decrypt the target encryption function data based on the symmetric key to obtain the queried function data corresponding to the initial search data.
In an exemplary embodiment, a data protected search method is provided for the user side in the data protected system shown in fig. 1, the user side being in communication connection with a data provider located on the cloud side. The method comprises: performing encryption anonymization processing on initial search data based on a user private key to obtain first anonymized search data; and sending the first anonymized search data to the data provider, so that the data provider performs encryption anonymization processing on the first anonymized search data based on the data private key to obtain second anonymized search data, performs matching processing between the second anonymized search data and the encryption keyword data in the target database to obtain target encryption function data corresponding to the second anonymized search data, and sends the target encryption function data to the user side. Here, the encryption keyword data in the search column of the target database is obtained by performing two rounds of encryption anonymization processing on the initial keyword data based on the data private key and the user private key, the encryption function data in the non-search column of the target database is obtained by performing symmetric encryption processing on the initial function data based on the symmetric key of the user side, and the target encryption function data is obtained by performing encryption processing, based on the symmetric key, on the initial function data to which it corresponds.
In one exemplary embodiment, a computer device is provided, which may be a server, for implementing a data provider in the data protected search system shown in FIG. 1, the internal structure of which may be as shown in FIG. 7. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The number of databases of the computer device may be plural, at least one database for storing the encryption key data and the encryption function data, and at least one database for storing the initial key data and the initial function data. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data protected search method for a data provider.
In an exemplary embodiment, a computer device, which may be a terminal, is provided for implementing a user terminal in the data protected search system shown in fig. 1, and an internal structure diagram thereof may be shown in fig. 8. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a data protected search method for a user side. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. 
The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by persons skilled in the art that the structures shown in fig. 7 and 8 are block diagrams of only portions of structures associated with the present inventive arrangements and are not limiting of the computer device to which the present inventive arrangements are applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are both information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data are required to meet the related regulations.
Those skilled in the art will appreciate that implementing all or part of the methods described above may be accomplished by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may perform the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magneto-resistive random access memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric memory (Ferroelectric Random Access Memory, FRAM), phase change memory (Phase Change Memory, PCM), graphene memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take various forms such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.
Claims (10)
1. The data protected searching method is used for a data protected searching system comprising a user side, a big data processing platform and a data provider, wherein the big data processing platform and the data provider are both located on a cloud side, and the method comprises the following steps:
the user terminal carries out encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data, and sends the first anonymized search data to a data provider;
The data provider carries out encryption anonymization processing on the first anonymized search data based on a data private key to obtain second anonymized search data, carries out matching processing on the second anonymized search data and encryption keyword data in a target database to obtain target encryption function data corresponding to the second anonymized search data, and sends the target encryption function data to a user terminal, wherein the encryption keyword data in a search column in the target database is obtained by carrying out two-round encryption anonymization processing on initial keyword data by the big data processing platform based on the data private key and the user private key, and the encryption function data in a non-search column in the target database is obtained by carrying out symmetric encryption processing on the initial function data by the big data processing platform based on a symmetric key of the user terminal;
And the user terminal decrypts the target encryption function data based on the symmetric private key to obtain the queried function data corresponding to the initial search data.
2. The method according to claim 1, wherein the method further comprises:
the data provider sends initial keyword data of an initial database to a first processing module of the data processing platform, wherein the first processing module is a data processing resource distributed to the data provider in the data processing platform;
the first processing module performs encryption anonymization processing on the initial keyword data based on the data private key to obtain intermediate keyword data, and sends the intermediate keyword data to a second processing module of the data processing platform, wherein the second processing module is a data processing resource allocated to the user side in the data processing platform, and the processing logic of the first processing module and the second processing module is mutually isolated;
the second processing module performs encryption anonymization processing on the intermediate keyword data based on the user private key to obtain the encrypted keyword data, and sends the encrypted keyword data to the data provider;
The data provider stores the encrypted keyword data in the target database.
3. The method according to claim 2, wherein the method further comprises:
The data provider sends initial function data in the initial database to the second processing module;
the second processing module performs symmetric encryption processing on the initial function data based on the symmetric key to obtain the encryption function data, and sends the encryption function data to the data provider;
The data provider stores the encryption function data in the target database.
4. The method of claim 2, wherein the second processing module performs encryption anonymization processing on the intermediate keyword data based on the user private key to obtain the encrypted keyword data, including:
the second processing module invokes a cryptographic engine, wherein the user private key is stored in the cryptographic engine;
and the cipher machine uses the user private key to carry out encryption anonymization processing on the intermediate keyword data to obtain the encryption keyword data.
5. The method according to claim 4, wherein the method further comprises:
The cipher machine sends the cipher public key of the cipher machine to the user side;
The user side encrypts the user private key based on the cipher public key to obtain an intermediate private key, and sends the intermediate private key to the cipher machine;
And the cipher machine uses the cipher private key to decrypt the intermediate private key to obtain the user private key.
6. A method according to claim 3, wherein the second processing module performs symmetric encryption processing on the initial function data based on the symmetric key to obtain the encrypted function data, and includes:
the second processing module invokes a cryptographic engine, wherein the symmetric private key is stored in the cryptographic engine;
and the cipher machine uses the symmetric private key to carry out encryption anonymization processing on the initial function data to obtain the encryption function data.
7. The method according to claim 1, wherein the data provider performs matching processing based on the second anonymous search data and the encrypted keyword data in the target database to obtain target encryption function data corresponding to the second anonymous search data, and the method includes:
the data provider establishes a query index based on the encrypted keyword data in the target database;
the data provider determines the target cryptographic function data based on the second anonymous search data and the query index.
8. A data protected search system, characterized by comprising a user side, a big data processing platform and a data provider, wherein the big data processing platform and the data provider are located on the cloud side;
the user side is used for carrying out encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data, and sending the first anonymized search data to the data provider;
the data provider is used for carrying out encryption anonymization processing on the first anonymized search data based on a data private key to obtain second anonymized search data, carrying out matching processing on the second anonymized search data and the encrypted keyword data in a target database to obtain target encryption function data corresponding to the second anonymized search data, and sending the target encryption function data to the user side;
the big data processing platform is used for carrying out two-round encryption anonymization processing on the initial keyword data based on the data private key and the user private key to obtain the encrypted keyword data, and carrying out symmetric encryption processing on the initial function data based on the symmetric key of the user side to obtain the encrypted function data;
and the user side is used for decrypting the target encryption function data based on the symmetric key to obtain the queried function data corresponding to the initial search data.
9. A data protected search method, wherein the method is used by a data provider, the data provider is located on the cloud side, and the data provider is in communication connection with a user side, the method comprising:
acquiring first anonymized search data sent by the user side, wherein the first anonymized search data is obtained by the user side through encryption anonymization processing of initial search data based on a user private key;
performing encryption anonymization processing on the first anonymized search data based on a data private key of the data provider to obtain second anonymized search data;
carrying out matching processing on the second anonymized search data and the encrypted keyword data in a target database to obtain target encryption function data corresponding to the second anonymized search data, wherein the encrypted keyword data in a search column of the target database is obtained by a big data processing platform on the cloud side carrying out two-round encryption anonymization processing on initial keyword data based on the data private key and the user private key, and the encrypted function data in a non-search column of the target database is obtained by the big data processing platform carrying out symmetric encryption processing based on a symmetric key of the user side;
and sending the target encryption function data to the user side, so that the user side can decrypt the target encryption function data based on the symmetric key to obtain the queried function data corresponding to the initial search data.
10. A data protected search method, wherein the method is used by a user side, the user side is in communication connection with a data provider located on the cloud side, the method comprising:
performing encryption anonymization processing on the initial search data based on a user private key to obtain first anonymized search data;
sending the first anonymized search data to the data provider, so that the data provider carries out encryption anonymization processing on the first anonymized search data based on a data private key to obtain second anonymized search data, carries out matching processing on the second anonymized search data and the encrypted keyword data in a target database to obtain target encryption function data corresponding to the second anonymized search data, and sends the target encryption function data to the user side, wherein the encrypted keyword data in a search column of the target database is obtained by a big data processing platform on the cloud side carrying out two-round encryption anonymization processing on initial keyword data based on the data private key and the user private key, and the encrypted function data in a non-search column of the target database is obtained by the big data processing platform carrying out symmetric encryption processing on the initial function data based on a symmetric key of the user side;
and decrypting the target encryption function data based on the symmetric key to obtain the queried function data corresponding to the initial search data.
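The flow of claims 7 to 10 end to end, as an added example that is not part of the patent: the platform builds the two-column target database and the provider's query index, the user applies the first anonymization round, the provider applies the second and matches, and the user decrypts the returned row. It assumes commutative exponentiation modulo a toy prime as the "encryption anonymization" primitive and a SHA-256/HMAC construction as the cipher machine's symmetric encryption; the patent specifies neither, and both are placeholders for real primitives.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy Mersenne-prime modulus (assumption; far too small for real use)

def hash_to_group(keyword: str) -> int:
    """Map a keyword into Z_P^* so that one anonymization round is an exponentiation."""
    return int.from_bytes(hashlib.sha256(keyword.encode()).digest(), "big") % (P - 2) + 2

def anonymize(value: int, key: int) -> int:
    """One round of 'encryption anonymization'. Rounds commute, (h^a)^b == (h^b)^a,
    so the user private key and the data private key may be applied in either order."""
    return pow(value, key, P)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the cipher machine's symmetric encryption: SHA-256 keystream plus HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_target_database(records, user_key: int, data_key: int, sym_key: bytes) -> dict:
    """Platform side (claim 8): search column = keyword anonymized with the data key, then
    the user key; non-search column = encrypted function data. The dict is the claim 7 index."""
    return {anonymize(anonymize(hash_to_group(kw), data_key), user_key): sym_encrypt(sym_key, fn)
            for kw, fn in records}

def user_first_round(query: str, user_key: int) -> int:
    """User side (claim 10): first anonymized search data, sent to the data provider."""
    return anonymize(hash_to_group(query), user_key)

def provider_match(index: dict, first_round: int, data_key: int):
    """Data provider (claim 9): second round, then index lookup; None when no row matches."""
    return index.get(anonymize(first_round, data_key))

def user_decrypt(blob, sym_key: bytes):
    """User side (claim 10): recover the queried function data, or None when nothing matched."""
    return None if blob is None else sym_decrypt(sym_key, blob)
```

Note that the provider only ever sees values raised to the user's key, so a keyword it does not hold in the target database cannot be recovered from a query by lookup alone.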
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510492909.1A (CN120449176A, en) | 2025-04-18 | 2025-04-18 | Data protected search method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202510492909.1A (CN120449176A, en) | 2025-04-18 | 2025-04-18 | Data protected search method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN120449176A (en) | 2025-08-08 |
Family ID: 96608482
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202510492909.1A, Pending (CN120449176A, en) | Data protected search method and system | 2025-04-18 | 2025-04-18 |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN120449176A (en) |
Events
- 2025-04-18: CN application CN202510492909.1A (CN120449176A, en), active, status Pending
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |