CN106610995B - A method, device and system for creating ciphertext index - Google Patents

Publication number: CN106610995B
Authority: CN (China)
Prior art keywords: index, search, ciphertext, string, strings
Legal status: Active (as listed; the legal status is an assumption and is not a legal conclusion)
Application number: CN201510698146.2A
Other languages: Chinese (zh)
Other versions: CN106610995A (en)
Inventor: 欧锻灏
Current Assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd; priority to CN201510698146.2A

Abstract

The embodiment of the invention discloses a method, a device and a system for creating a ciphertext index, which relate to the field of computer information security and are used for improving the speed of ciphertext search. The method comprises the following steps: encrypting the sensitive data by adopting a reversible encryption algorithm to obtain a ciphertext of the sensitive data; performing word segmentation on the sensitive data by adopting a word segmentation algorithm to obtain target keywords; generating a Hash authentication code according to the target keyword and a Hash algorithm; encoding the Hash authentication code by adopting a preset encoding mode to obtain an index character string, wherein the index character string is a printable character string, and the index character string is an index of the ciphertext; and sending the ciphertext and the index character string to a database server so that the database server stores the ciphertext and the index character string in the same data table, wherein the index character string and the ciphertext are stored correspondingly.

Description

Translated from Chinese

A method, device and system for creating a ciphertext index

Technical field

The invention relates to the field of computer information security, and in particular to a method, device and system for creating a ciphertext index.

Background

On big data platforms or public cloud platforms, personal sensitive data (mobile phone number, home address, ID card number, passport number and/or bank account number, etc.) must be stored encrypted to prevent illegal access. Because the ciphertext obtained by encrypting personal sensitive data is stored as unreadable characters, it cannot be searched directly. Ciphertext search techniques based on a keyword index emerged for this reason.

In general, keyword-index-based ciphertext search consists of an index creation stage and a search matching stage. One method of creating the index is as follows: segment the Chinese sensitive data with a Chinese word segmentation algorithm to obtain N keywords; compute a pinyin-based edit distance for each of the N keywords to obtain N edit distances; use each of the N edit distances, together with a key, as input to the HMAC (Hash-based Message Authentication Code) algorithm to compute N hash authentication codes; use the N hash authentication codes as N indexes of the Chinese sensitive data; encrypt the Chinese sensitive data with an encryption algorithm to obtain its ciphertext; and store the N indexes together with the ciphertext in the database server.

An index generated by the above method cannot be used to search for the ciphertext directly in the database server, so ciphertext search is slow.

Summary of the invention

Embodiments of the present invention provide a method, device and system for creating a ciphertext index, in order to improve the speed of ciphertext search.

To achieve the above object, the embodiments of the present invention adopt the following technical solutions:

In a first aspect, a method for creating a ciphertext index is provided, including:

Encrypting sensitive data with a reversible encryption algorithm to obtain the ciphertext of the sensitive data;

Segmenting the sensitive data with a word segmentation algorithm to obtain target keywords;

Generating a hash authentication code according to the target keyword and a hash algorithm;

Encoding the hash authentication code with a preset encoding to obtain an index string, where the index string is a printable string and is an index of the ciphertext;

Sending the ciphertext and the index string to a database server, so that the database server stores the ciphertext and the index string in the same data table, where the index string and the ciphertext are stored in correspondence with each other.

With reference to the first aspect, in a first possible implementation, before the hash authentication code is encoded with the preset encoding to obtain an index string, the method further includes:

Taking the first r bits of the hash authentication code to obtain a sub-hash authentication code, where 1≤r≤R, R and r are both integers, and R is the length of the hash authentication code;

Encoding the hash authentication code with the preset encoding to obtain an index string then includes:

Encoding the sub-hash authentication code with the preset encoding to obtain the index string.

With reference to the first aspect or its first possible implementation, in a second possible implementation, when the number of index strings is N, after the hash authentication code is encoded with the preset encoding to obtain an index string, the method further includes:

Randomly shuffling the N index strings, where N≥1 and N is an integer;

Concatenating the N randomly shuffled index strings, with adjacent index strings in the concatenation separated by a printable character that is not used by the preset encoding.

With reference to the first aspect, or its first or second possible implementation, in a third possible implementation the method further includes:

Obtaining a search keyword;

Generating a search string from the search keyword by the same method used to generate the index string from the target keyword, where the search string is a printable string;

Sending the search string to the database server, so that the database server searches for the ciphertext according to the search string and the stored index strings.

With reference to the third possible implementation of the first aspect, in a fourth possible implementation, before the search keyword is obtained, the method further includes:

Obtaining a search statement;

Obtaining the search keyword then includes: segmenting the search statement with the word segmentation algorithm to obtain the search keywords.

With reference to the third or fourth possible implementation of the first aspect, in a fifth possible implementation the method further includes:

The database server receives M search strings; when M≥2, the database server also obtains a search mode, the search mode being AND or OR;

The database server matches the M search strings against the stored index strings;

If M=1, obtaining the ciphertext corresponding to the index string that is identical to the search string;

If M≥2 and the search mode is AND, obtaining the ciphertext corresponding to M index strings that are identical to the M search strings;

If M≥2 and the search mode is OR, obtaining the ciphertext corresponding to an index string that is identical to any one of the M search strings.

In a second aspect, an apparatus for creating a ciphertext index is provided, including:

An encryption unit, configured to encrypt sensitive data with a reversible encryption algorithm to obtain the ciphertext of the sensitive data;

A word segmentation unit, configured to segment the sensitive data with a word segmentation algorithm to obtain target keywords;

A first generating unit, configured to generate a hash authentication code according to the target keyword and a hash algorithm;

An encoding unit, configured to encode the hash authentication code with a preset encoding to obtain an index string, where the index string is a printable string and is an index of the ciphertext;

A sending unit, configured to send the ciphertext and the index string to a database server, so that the database server stores the ciphertext and the index string in the same data table, where the index string and the ciphertext are stored in correspondence with each other.

With reference to the second aspect, in a first possible implementation, the apparatus further includes:

A truncation unit, configured to take the first r bits of the hash authentication code to obtain a sub-hash authentication code, where 1≤r≤R, R and r are both integers, and R is the length of the hash authentication code;

The encoding unit is specifically configured to encode the sub-hash authentication code with the preset encoding to obtain the index string.

With reference to the second aspect or its first possible implementation, in a second possible implementation, when the number of index strings is N, the apparatus further includes:

A shuffling unit, configured to randomly shuffle the N index strings, where N≥1 and N is an integer;

A concatenation unit, configured to concatenate the N randomly shuffled index strings, with adjacent index strings in the concatenation separated by a printable character that is not used by the preset encoding.

With reference to the second aspect, or its first or second possible implementation, in a third possible implementation the apparatus further includes:

A first obtaining unit, configured to obtain a search keyword;

A second generating unit, configured to generate a search string from the search keyword by the same method used to generate the index string from the target keyword, where the search string is a printable string;

The sending unit is further configured to send the search string to the database server, so that the database server searches for the ciphertext according to the search string and the stored index strings.

With reference to the third possible implementation of the second aspect, in a fourth possible implementation the apparatus further includes:

A second obtaining unit, configured to obtain a search statement;

The first obtaining unit is specifically configured to segment the search statement with the word segmentation algorithm to obtain the search keywords.

In a third aspect, a system for creating a ciphertext index is provided, including: any apparatus provided in the second aspect, and a database server.

With the method, device and system provided by the embodiments of the present invention, after a hash authentication code is generated from a target keyword, the hash authentication code is encoded with a preset encoding to obtain an index string. When there are N index strings, they are the N indexes of the ciphertext of the sensitive data, and the database server stores the ciphertext and the N index strings in correspondence in the same data table. Because the index strings are printable strings, they can be queried directly in the database server through SQL. To search for ciphertext containing a given keyword, a search string is generated from the search keyword by the same method used to generate index strings from target keywords; through SQL, the search string can be matched against the N index strings directly in the database server to decide whether to retrieve the ciphertext. Compared with the prior art, the ciphertext index does not need to be loaded into memory, which saves memory space and improves the speed of ciphertext search.

Description of drawings

To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic diagram of an application scenario of a method for creating a ciphertext index provided by an embodiment of the present invention;

FIG. 2 is a schematic diagram of an application scenario of another method for creating a ciphertext index provided by an embodiment of the present invention;

FIG. 3 is a flowchart of a method for creating a ciphertext index provided by an embodiment of the present invention;

FIG. 4 is a flowchart of another method for creating a ciphertext index provided by an embodiment of the present invention;

FIG. 5 is a flowchart of a ciphertext search method provided by an embodiment of the present invention;

FIG. 6 is a flowchart of yet another method for creating a ciphertext index provided by an embodiment of the present invention;

FIG. 7 is a flowchart of a ciphertext search method provided by an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of an apparatus for creating a ciphertext index provided by an embodiment of the present invention;

FIG. 9 is a schematic structural diagram of another apparatus for creating a ciphertext index provided by an embodiment of the present invention;

FIG. 10 is a schematic structural diagram of yet another apparatus for creating a ciphertext index provided by an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

The term "and/or" in this document only describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone. "Multiple" in this document means two or more.

The method provided by the embodiments of the present invention can be applied at least on a big data platform or a public cloud platform. As shown in FIG. 1 (the numbers in the figure indicate the order of the steps; the same applies to FIG. 2), on a big data platform the user considers the big data server trusted and therefore uploads sensitive data directly to the big data server through the user equipment. The big data server obtains, from the sensitive data, the ciphertext of the sensitive data and the index of that ciphertext (generated from the target keywords), and then uploads the ciphertext and its index to the database server, which stores them in correspondence in the same data table. When the user (or an administrator authorized by the user) needs to retrieve sensitive data, the user equipment provides a search keyword to the big data server; the big data server generates a search string from the search keyword by the same method used to generate the ciphertext index from the target keywords, and sends it to the database server. The database server obtains the ciphertext according to the search string and the ciphertext index and sends the ciphertext to the big data server, which decrypts it to obtain the sensitive data and sends the sensitive data to the user equipment. As shown in FIG. 2, on a public cloud platform the tenant (a user who rents public cloud equipment) considers the public cloud service provider semi-trusted. The tenant device (public cloud equipment rented by the tenant) therefore obtains, from the sensitive data, the ciphertext of the sensitive data and the index of that ciphertext (generated from the target keywords), and uploads them to the public cloud server, which uploads them to the database server. When the user needs to retrieve sensitive data, the tenant device generates a search string from the search keyword by the same method used to generate the ciphertext index from the target keywords and sends the search string to the public cloud server, which forwards it to the database server. The database server determines the ciphertext according to the search string and the ciphertext index and sends it to the tenant device through the public cloud server; on receiving the ciphertext, the tenant device decrypts it to obtain the sensitive data. It should be noted that the database server may be located inside the big data server or the public cloud server.

Embodiment 1

An embodiment of the present invention provides a method for creating a ciphertext index, as shown in FIG. 3, including:

301. Encrypt sensitive data with a reversible encryption algorithm to obtain the ciphertext of the sensitive data.

In the application scenarios shown in FIG. 1 and FIG. 2, when the method is applied on a big data platform, the executing entity may be the big data server; when the method is applied on a public cloud platform, the executing entity may be the tenant device.

Exemplarily, the reversible encryption algorithm may be the AES (Advanced Encryption Standard) algorithm, the DES (Data Encryption Standard) algorithm or another reversible encryption algorithm; the embodiments of the present invention do not limit this. Preferably, encrypting the sensitive data with a standard data encryption algorithm (for example, DES or AES) rather than a non-standard one helps ensure the security of the ciphertext.

Optionally, before step 301, the method may further include: determining the sensitive data. The sensitive data may specifically be the user's mobile phone number, home address, ID card number, passport number and/or bank account number, etc.

When the executing entity is the big data server, on receiving data sent by the user equipment it can determine the sensitive data within that data according to a specific protocol.

302. Segment the sensitive data with a word segmentation algorithm to obtain target keywords.

The sensitive data may be Chinese, English, digits, etc.; the embodiments of the present invention do not limit this, and different word segmentation algorithms may be used for different types of sensitive data. For example, when the sensitive data is English, words in an English sentence are generally separated by punctuation marks or spaces, so the sentence can be segmented on punctuation and spaces to obtain the target keywords. When the sensitive data is a Chinese sentence, the sentence can be segmented according to the meaning of the words in it.

303. Generate a hash authentication code according to the target keyword and a hash algorithm.

Preferably, the hash algorithm is a keyed hash algorithm. Exemplarily, the keyed hash algorithm may be an HMAC algorithm, specifically HMAC-MD5, HMAC-SHA1, HMAC-SHA256, etc.

Each target keyword corresponds to one hash authentication code: computing the hash algorithm with the target keyword and the key as input yields the hash authentication code for that target keyword.

304. Encode the hash authentication code with a preset encoding to obtain an index string, where the index string is a printable string and is an index of the ciphertext.

It should be noted that segmenting one item of sensitive data can yield one or more target keywords; each target keyword produces one hash authentication code, and each hash authentication code produces one index string. So when segmentation of an item of sensitive data yields N target keywords (N≥1, N an integer), N index strings can be generated from them, and these N index strings are the N indexes of the ciphertext of that sensitive data.

It should be noted that the basic ASCII (American Standard Code for Information Interchange) character set has 128 characters in total, of which 96 are printable characters, including the common letters, digits and punctuation marks, and the other 32 are control characters. The preset encoding is an encoding that can turn 8-bit bytes into a printable string; specifically, it may be Base64.

305. Send the ciphertext and the index string to the database server, so that the database server stores the ciphertext and the index string in the same data table, where the index string and the ciphertext are stored in correspondence with each other.

Specifically, once the index strings are stored in the same data table in the database server, they can be queried directly in the database server through SQL (Structured Query Language), because the index strings are printable strings.

It should be noted that step 301 may be performed before or after any one of steps 302 to 304.

It should be noted that there may be multiple items of sensitive data. The ciphertext of each item has its own indexes, and the number of indexes per ciphertext may be the same or different. Exemplarily, Table 1 shows the correspondence between the ciphertexts of 2 different items of sensitive data and their indexes, where X1 and X2 denote the 2 ciphertexts, B11 to B14 are the 4 indexes of X1, and B21 to B23 are the 3 indexes of X2.

Table 1

[Table 1 is an image in the original and is not reproduced here.]

可选的,在步骤304之前,所述方法还包括:截取所述哈希认证码的前r位,得到子哈希认证码,1≤r≤R,R和r均为整数,R为所述哈希认证码的长度;该情况下,步骤304包括:采用预设编码方式对所述子哈希认证码进行编码得到索引字符串。Optionally, beforestep 304, the method further includes: intercepting the first r bits of the hash authentication code to obtain a sub-hash authentication code, where 1≤r≤R, R and r are both integers, and R is all the length of the hash authentication code; in this case,step 304 includes: encoding the sub-hash authentication code in a preset encoding manner to obtain an index string.

一般情况下,哈希认证码的长度很长,该可选的方法,可以减小运算量。In general, the length of the hash authentication code is very long, and this optional method can reduce the amount of computation.

可选的,所述方法还包括:11)获取搜索关键词;Optionally, the method further includes: 11) obtaining search keywords;

12)采用将所述目标关键词生成所述索引字符串的相同方法,将所述搜索关键词生成搜索字符串,所述搜索字符串为可打印字符串;12) using the same method of generating the index string from the target keyword, generating a search string from the search keyword, and the search string is a printable string;

13)向所述数据库服务器发送所述搜索字符串,以便于所述数据库服务器根据所述搜索字符串和存储的所述索引字符串搜索所述密文。13) Send the search string to the database server, so that the database server searches the ciphertext according to the search string and the stored index string.

可选的,在步骤11)之前,所述方法还包括:获取搜索语句;该情况下,步骤11)包括:采用所述分词算法对所述搜索语句进行分词得到搜索关键词。Optionally, before step 11), the method further includes: acquiring a search statement; in this case, step 11) includes: using the word segmentation algorithm to segment the search statement to obtain search keywords.

需要说明的是,对密文进行搜索时,可以直接通过搜索关键词进行搜索,也可以通过一句(段)话进行搜索,该情况下,需要对该句(段)话采用分词算法进行分词得到搜索关键词,搜索关键词可以有一个或多个,一个搜索关键词对应一个搜索字符串。It should be noted that, when searching for ciphertext, you can directly search through the search keywords, or you can search through a sentence (paragraph), in this case, you need to use the word segmentation algorithm for the sentence (paragraph) to obtain the word segmentation. Search keywords, there can be one or more search keywords, and one search keyword corresponds to one search string.

Optionally, the method further includes:

The database server receives M search strings; when M≥2, the database server also obtains a search mode, which is either AND mode or OR mode;

The database server matches the M search strings against the stored index strings;

If M=1, the ciphertext corresponding to the index string that is the same as the search string is obtained;

If M≥2 and the search mode is AND mode, the ciphertext corresponding to M index strings that are the same as the M search strings is obtained;

If M≥2 and the search mode is OR mode, the ciphertext corresponding to an index string that is the same as any one of the M search strings is obtained.

The index strings are generated from the target keywords, and the target keywords are obtained by segmenting the sensitive data with the word segmentation algorithm. Therefore, when there is one search keyword, a search string is generated from it by the same method used to generate index strings from target keywords. Assuming the ciphertext has N indexes, if the search string is the same as one of the N index strings, the search keyword is a word in the sensitive data corresponding to the ciphertext, and the ciphertext is obtained; if the search string differs from every one of the N index strings, the search keyword is not a word in the sensitive data corresponding to the ciphertext, and the ciphertext is not obtained.

When there are multiple search keywords and the search mode is OR mode, the user wants sensitive data that contains any one of the search keywords. In this case, the ciphertext is obtained as long as the search string of any one of the search keywords is the same as one of the N index strings; otherwise the ciphertext is not obtained. When there are multiple search keywords and the search mode is AND mode, the user wants sensitive data that contains all of the search keywords. In this case, the ciphertext is obtained when the search strings of the search keywords are respectively the same as multiple index strings among the N index strings; otherwise the ciphertext is not obtained.

It should be noted that when a search keyword is a word in several items of sensitive data, the server obtains the ciphertexts of all of those items. For example, based on the example described in Table 1, suppose the plaintext of ciphertext X1 is "0501", whose four target keywords are {0, 05, 050, 0501}, and the plaintext of ciphertext X2 is "052", whose three target keywords are {0, 05, 052}. The index string corresponding to each target keyword is shown in Table 2. When the search keyword is "05", the corresponding search string is B1′, and B1′ is matched against the indexes of ciphertext X1 and ciphertext X2. Since B1′ is the same as B12 and B22, ciphertexts X1 and X2 are obtained. When the search keyword is "052", the corresponding search string is B2′, and B2′ is matched against the indexes of ciphertext X1 and ciphertext X2. Since B2′ is the same as B23, ciphertext X2 is obtained.

Table 2

| Index string | Target keyword |
|---|---|
| B11 | 0 |
| B12 | 05 |
| B13 | 050 |
| B14 | 0501 |
| B21 | 0 |
| B22 | 05 |
| B23 | 052 |

Based on the example in Table 2, when the search keywords are "05" and "052", the corresponding search strings are B1′ and B2′. B1′ and B2′ are matched against the indexes of ciphertext X1 and ciphertext X2: B1′ is the same as B12 and B22, and B2′ is the same as B23. When the search mode is AND mode, ciphertext X2 is obtained; when the search mode is OR mode, ciphertexts X1 and X2 are obtained.

Optionally, when the number of index strings is N, after step 304 the method further includes: randomly shuffling the N index strings, where N≥1 and N is an integer; and concatenating the N shuffled index strings, where adjacent index strings in the concatenation are separated by a printable character that is not used by the preset encoding manner.

In this case, step 305 specifically includes: sending the ciphertext and the concatenated N index strings to the database server. When storing the concatenated N index strings, the database server may use a single storage unit in one field of the data table, where the field is used to store the indexes of one or more ciphertexts.

Here, a "field" is a "column" of a data table in the database server, and a column includes one or more storage units. In this embodiment of the present invention, the N index strings corresponding to one ciphertext can be stored in one storage unit after concatenation.

It should be noted that the N index strings are concatenated before storage, and they are generated from the N target keywords, so storing them in their original order may leak the content of the ciphertext. To improve the security of the ciphertext, the N index strings are therefore randomly shuffled before concatenation. Because the N index strings are concatenated, storing them needs only one storage unit in one field, which saves database server resources.

In addition, separating the N index strings with a printable character that is not used by the preset encoding manner prevents matching errors. For example, suppose the two index strings are AAAA and BBBB, the search string is AABB, and the printable character outside the preset encoding is "!". If the two index strings are concatenated directly, the result is AAAABBBB; when the search string AABB is matched against AAAABBBB, AABB equals the middle part of AAAABBBB, so the match result may be wrong. If the two index strings are separated by "!", the result is AAAA!BBBB; when the search string AABB is matched against AAAA!BBBB, only the index strings delimited by "!" are compared, so a wrong match result is prevented.

In addition, a ciphertext search can also be performed with several sentences (paragraphs), and the search mode between the sentences (paragraphs) may be AND mode or OR mode. In this case, if there are W sentences (paragraphs), each of the W sentences (paragraphs) is segmented with the word segmentation algorithm to obtain its search keywords, and search strings are generated from the search keywords of each sentence (paragraph) by the same method used to generate index strings from target keywords, with one search keyword corresponding to one search string. Suppose the number of search strings corresponding to the i-th sentence (1≤i≤W, i is an integer) of the W sentences (paragraphs) is wi (wi≥1, wi is an integer), and the total number of distinct search strings corresponding to the W sentences (paragraphs) is w (w≥1, w is an integer). The ciphertext search then proceeds as follows:

When the search mode between the W sentences (paragraphs) is AND mode and the search mode between the search keywords of each sentence is AND mode, the ciphertext is obtained when the w search strings are respectively the same as w index strings among the N index strings;

When the search mode between the W sentences (paragraphs) is OR mode and the search mode between the search keywords of each sentence is OR mode, the ciphertext is obtained when any one of the w search strings is the same as one of the N index strings;

When the search mode between the W sentences (paragraphs) is AND mode and the search mode between the search keywords of each sentence is OR mode, the ciphertext is obtained when W search strings corresponding to the W sentences (paragraphs) are respectively the same as W index strings among the N index strings, where the W search strings correspond to the W sentences (paragraphs) respectively;

When the search mode between the W sentences (paragraphs) is OR mode and the search mode between the search keywords of each sentence is AND mode, the ciphertext is obtained when the wi search strings corresponding to the i-th sentence (paragraph) are respectively the same as wi index strings among the N index strings, where the i-th sentence (paragraph) may be any one of the W sentences (paragraphs).

Optionally, step 303 includes: generating the hash authentication code according to a first result and the hash algorithm, where the first result is obtained by directly concatenating a target parameter with the target keyword, and the target parameter is the ciphertext or the initial vector used when encrypting the sensitive data. In this case, step 12) includes: generating the search string from a second result by the same method used to generate the index string from the first result, where the second result is obtained by directly concatenating the target parameter with the search keyword.

It should be noted that in application scenarios with very high security requirements, different users may upload sensitive data containing the same words. If the ciphertexts of all users' sensitive data are generated by the same method, and the indexes of those ciphertexts are also generated by the same method, then a search for a keyword may return other users' ciphertexts that contain the keyword, which reduces the security of the ciphertexts.

To address this, the ciphertexts of different users' (or tenants') sensitive data, and the indexes of those ciphertexts, can be made different to improve the security of the ciphertexts. Specifically, when the AES algorithm or the DES algorithm is used, a random initial vector is used when generating the ciphertexts of different users' sensitive data, so the ciphertexts generated for different users are necessarily different. The index of a ciphertext is generated according to the first result and the hash algorithm; because the target parameter contained in the first result differs, the ciphertext indexes generated for different users are necessarily different.

In the prior art mentioned in the Background, the hash authentication codes must be built into balanced 2^8-ary trees during the search and matching phase. The N hash authentication codes therefore have to be loaded into the server's memory, where a balanced 2^8-ary tree index structure is built for each hash authentication code and matched against the balanced 2^8-ary tree generated from the search keyword. This requires additional memory space and greatly reduces the speed of ciphertext search.

In the method provided by this embodiment of the present invention, after the hash authentication code is generated from the target keyword, it is encoded in the preset encoding manner to obtain an index string. When there are N index strings, they are the N indexes of the ciphertext of the sensitive data, and the database server stores the ciphertext and the N index strings correspondingly in the same data table. Because the index strings are printable strings, they can be queried in the database server directly through SQL. To search for ciphertexts containing a given keyword, a search string is generated from the search keyword by the same method used to generate index strings from target keywords, and the search string is matched against the N index strings directly in the database server through SQL to decide whether to obtain the ciphertext. Compared with the prior art, the ciphertext indexes do not need to be loaded into memory, which saves memory space and improves the speed of ciphertext search.

Embodiment 2

It should be noted that in a big data platform, the database server is generally located inside the big data server. This embodiment uses that case as an example to describe the method for creating a ciphertext index provided in Embodiment 1. For related explanations, refer to the embodiment above. As shown in FIG. 4, the method includes:

401. The user equipment sends data to the big data server.

Specifically, when the user to whom the user equipment belongs needs to store data in the big data server, the data can be sent to the big data server through the user equipment.

402. The big data server receives the data sent by the user equipment and determines the sensitive data in the data.

It should be noted that the data sent by the user equipment to the big data server may include multiple items of sensitive data; this embodiment of the present invention is described using one item of sensitive data as an example.

403. The big data server encrypts the sensitive data with a reversible encryption algorithm to obtain the ciphertext X of the sensitive data.

Specifically, the reversible encryption algorithm may be AES, DES, or another reversible encryption algorithm, which is not limited in this embodiment of the present invention.

404. The big data server segments the sensitive data with a word segmentation algorithm to obtain N target keywords K1, K2, …, KN.

Specifically, different word segmentation algorithms may be used for different sensitive data. When the sensitive data is Chinese text, an intelligent segmentation algorithm or a fine-grained segmentation algorithm can be used; when the sensitive data is numeric, a prefix segmentation algorithm or a suffix segmentation algorithm can be used.

The principles of several word segmentation algorithms are described below:

1. Intelligent segmentation: the largest meaningful words in the sentence are split out as target keywords.

For example, the segmentation result of "优秀工程师" ("excellent engineer") is {优秀, 工程师} ({excellent, engineer}).

2. Fine-grained segmentation: all words in the sentence, from the largest meaningful words down to the smallest meaningful words, are split out as target keywords.

For example, the segmentation result of "优秀工程师" is {优秀, 工程师, 工程, 师} ({excellent, engineer, engineering, master}).

Specifically, the Chinese word segmentation tool IKAnalyze can be used to implement the intelligent segmentation algorithm and the fine-grained segmentation algorithm.

3. Prefix segmentation: from a sentence of length L (L≥1, L is an integer), the first 1, 2, …, L consecutive characters are taken in turn, each as a target keyword.

For example, the segmentation result of "050119" is {0, 05, 050, 0501, 05011, 050119}.

405. The big data server generates N hash authentication codes H1, H2, …, HN according to the N target keywords K1, K2, …, KN and a keyed hash algorithm.

For example, the keyed hash algorithm may be an HMAC algorithm, specifically the HMAC-MD5 algorithm, the HMAC-SHA1 algorithm, the HMAC-SHA256 algorithm, and so on.

406. The big data server truncates each of the N hash authentication codes H1, H2, …, HN to its first r bits to obtain N sub-hash authentication codes S1, S2, …, SN.

Here, 1≤r≤R, R and r are both integers, and R is the length of the hash authentication code.

It should be noted that a hash authentication code may have 256 bits; to reduce the amount of computation, only the first r bits of the hash authentication code are used in the calculation.

407. The big data server encodes each of the N sub-hash authentication codes S1, S2, …, SN in the preset encoding manner to obtain N index strings B1, B2, …, BN.

Specifically, the preset encoding manner may be Base64; the string obtained by Base64-encoding a sub-hash authentication code is a printable string.

408. The big data server randomly shuffles the N index strings B1, B2, …, BN to obtain N index strings C1, C2, …, CN in shuffled order.

It should be noted that B1, B2, …, BN are generated from the N target keywords, so storing B1, B2, …, BN in their original order may leak the content of the ciphertext. To improve the security of the ciphertext, the N index strings B1, B2, …, BN are therefore randomly shuffled.

409. The big data server concatenates the N shuffled index strings C1, C2, …, CN.

Adjacent index strings in the concatenation are separated by a printable character that is not used by the preset encoding manner. Specifically, when the preset encoding manner is Base64, the character "!" is not a printable character used in Base64, so the separator may be "!".

410. The big data server stores the concatenated N index strings C1, C2, …, CN and the ciphertext X in the same data table in the database server.

The N index strings are the N indexes of the ciphertext, and the indexes are stored in correspondence with the ciphertext. It should be noted that in the prior art, after the N indexes of the ciphertext of the sensitive data are generated, each index occupies its own storage unit in a field of the data table. In this embodiment of the present invention, the N indexes of the ciphertext are concatenated, so storing them needs only one storage unit in one field of the data table. In addition, separating the index strings with a printable character that is not used by the preset encoding manner prevents matching errors.

When the user needs to obtain sensitive data, the user equipment can send search keywords to the big data server, so that the big data server finds the ciphertext according to the search keywords, decrypts it to obtain the sensitive data, and sends the sensitive data to the user equipment. As shown in FIG. 5, the process includes:

501. The user equipment sends M search keywords to the big data server; when M≥2, the user equipment also sends a search mode to the big data server, where the search mode is AND mode or OR mode, M≥1, and M is an integer.

502. The big data server receives the M search keywords; when M≥2, the big data server also receives the search mode.

503. The big data server generates M search strings B1′, B2′, …, BM′ from the M search keywords by the same method used to generate index strings from target keywords.

504. The big data server matches the M search strings B1′, B2′, …, BM′ against the N index strings contained in C1!C2!…!CN.

Specifically, if M=1, the ciphertext is obtained when the search string is the same as one of the N index strings;

If M≥2 and the search mode is AND mode, the ciphertext is obtained when the M search strings are the same as M index strings among the N index strings;

If M≥2 and the search mode is OR mode, the ciphertext is obtained when any one of the M search strings is the same as one of the N index strings.

When the big data server obtains the ciphertext, steps 505 to 507 are performed; when the big data server does not obtain the ciphertext, it sends a search failure message to the user equipment. FIG. 5 is drawn for the case in which the big data server obtains the ciphertext.

505. The big data server decrypts the obtained ciphertext with the decryption algorithm corresponding to the reversible encryption algorithm to obtain the sensitive data.

506. The big data server sends the sensitive data to the user equipment.

507. The user equipment receives the sensitive data sent by the big data server.

Specifically, for an example of obtaining the ciphertext, refer to the example described in Table 2.

In the method provided by this embodiment of the present invention, after the hash authentication code is generated from the target keyword, it is encoded in the preset encoding manner to obtain an index string. When there are N index strings, they are the N indexes of the ciphertext of the sensitive data, and the database server stores the ciphertext and the N index strings correspondingly in the same data table. Because the index strings are printable strings, they can be queried in the database server directly through SQL. To search for ciphertexts containing a given keyword, a search string is generated from the search keyword by the same method used to generate index strings from target keywords, and the search string is matched against the N index strings directly in the database server through SQL to decide whether to obtain the ciphertext. Compared with the prior art, the ciphertext indexes do not need to be loaded into memory, which saves memory space and improves the speed of ciphertext search.
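The index-creation steps 404 to 410 and the matching in step 504 can be exercised end to end on the Table 2 data. The following is an added example, not code from the patent; it assumes prefix segmentation, HMAC-SHA256, r = 96 bits, Base64, "!" as separator, and a hypothetical SQLite table `vault` queried with `instr()`, and all function names are illustrative.

```python
"""Keyed, printable keyword index for encrypted rows (added example)."""
import base64
import hashlib
import hmac
import secrets
import sqlite3

SEP = "!"      # separator outside the Base64 alphabet, as on the page
R_BYTES = 12   # assumed truncation r = 96 bits; the page leaves r open


def prefix_segments(text):
    """Prefix segmentation: '0501' -> ['0', '05', '050', '0501']."""
    return [text[:i] for i in range(1, len(text) + 1)]


def index_string(key, keyword):
    """HMAC-SHA256 the keyword, keep the first r bits, Base64-encode."""
    mac = hmac.new(key, keyword.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac[:R_BYTES]).decode("ascii")


def build_index_field(key, plaintext):
    """Index strings of every prefix, shuffled, then joined with SEP."""
    tokens = [index_string(key, kw) for kw in prefix_segments(plaintext)]
    # Shuffle so stored order does not reveal prefix order (length 1, 2, ...).
    secrets.SystemRandom().shuffle(tokens)
    return SEP.join(tokens)


def make_table(key, records):
    """Store (ciphertext label, index field) rows in one table.

    Encryption itself is out of scope here: the label stands in for the
    AES/DES ciphertext that would sit in the same row.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vault (ciphertext TEXT, idx TEXT)")
    conn.executemany(
        "INSERT INTO vault VALUES (?, ?)",
        [(label, build_index_field(key, pt)) for label, pt in records],
    )
    return conn


def search(conn, key, keywords, mode="and"):
    """Return ciphertext labels whose index matches the keywords.

    Each search string is wrapped in SEP on both sides and compared with
    the SEP-wrapped field, so only whole index strings can match. instr()
    is used instead of LIKE because SQLite's LIKE ignores ASCII case and
    Base64 is case-sensitive.
    """
    if not keywords:
        raise ValueError("at least one search keyword is required")
    if mode not in ("and", "or"):
        raise ValueError("mode must be 'and' or 'or'")
    clause = f"instr('{SEP}' || idx || '{SEP}', ?) > 0"
    where = f" {mode.upper()} ".join([clause] * len(keywords))
    params = [SEP + index_string(key, kw) + SEP for kw in keywords]
    rows = conn.execute(f"SELECT ciphertext FROM vault WHERE {where}", params)
    return sorted(row[0] for row in rows)


def whole_token_match(index_field, search_string):
    """Delimiter-aware match on a single stored field."""
    return search_string in index_field.split(SEP)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    conn = make_table(key, [("X1", "0501"), ("X2", "052")])  # Table 2 data
    print(search(conn, key, ["05"]))
    print(search(conn, key, ["05", "052"], "and"))
    print(search(conn, key, ["05", "052"], "or"))
```

The index only answers queries made with the same HMAC key, so whoever holds that key decides who can search; identical keywords under one key still produce identical index strings across rows.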

Embodiment 3

It should be noted that in a public cloud platform, the database server is generally located inside the public cloud server. This embodiment uses that case as an example to describe the method for creating a ciphertext index provided in Embodiment 1. For related explanations, refer to the embodiments above. As shown in FIG. 6, the method includes:

601. The tenant device determines the sensitive data.

This embodiment of the present invention is described using one item of sensitive data as an example.

602. The tenant device encrypts the sensitive data with a reversible encryption algorithm to obtain the ciphertext X of the sensitive data.

Specifically, the reversible encryption algorithm may be AES, DES, or another reversible encryption algorithm, which is not limited in this embodiment of the present invention.

603. The tenant device segments the sensitive data with a word segmentation algorithm to obtain N target keywords K1, K2, …, KN.

Specifically, different word segmentation algorithms may be used for different sensitive data. When the sensitive data is Chinese text, an intelligent segmentation algorithm or a fine-grained segmentation algorithm can be used; when the sensitive data is numeric, a prefix segmentation algorithm or a suffix segmentation algorithm can be used. For the principles of the individual word segmentation algorithms, refer to the description in Embodiment 2.

604. The tenant device generates N hash authentication codes H1, H2, …, HN according to the N target keywords K1, K2, …, KN and a keyed hash algorithm.

For example, the keyed hash algorithm may be an HMAC algorithm, specifically the HMAC-MD5 algorithm, the HMAC-SHA1 algorithm, the HMAC-SHA256 algorithm, and so on.

605. The tenant device truncates each of the N hash authentication codes H1, H2, …, HN to its first r bits to obtain N sub-hash authentication codes S1, S2, …, SN.

Here, 1≤r≤R, R and r are both integers, and R is the length of the hash authentication code.

It should be noted that a hash authentication code may have 256 bits; to reduce the amount of computation, only the first r bits of the hash authentication code are used in the calculation.

606. The tenant device encodes each of the N sub-hash authentication codes S1, S2, …, SN in the preset encoding manner to obtain N index strings B1, B2, …, BN.

Specifically, the preset encoding manner may be Base64; the string obtained by Base64-encoding a sub-hash authentication code is a printable string.

607. The tenant device randomly shuffles the N index strings B1, B2, …, BN to obtain N index strings C1, C2, …, CN in shuffled order.

It should be noted that B1, B2, …, BN are generated from the N target keywords, so storing B1, B2, …, BN in their original order may leak the content of the ciphertext. To improve the security of the ciphertext, the N index strings B1, B2, …, BN are therefore randomly shuffled.

608. The tenant device concatenates the N shuffled index strings C1, C2, …, CN.

Adjacent index strings in the concatenation are separated by a printable character that is not used by the preset encoding manner. Specifically, when the preset encoding manner is Base64, the character "!" is not a printable character used in Base64, so the separator may be "!".

609. The tenant device sends the concatenated N index strings C1, C2, …, CN and the ciphertext X to the public cloud server.

610. The public cloud server receives the concatenated N index strings C1, C2, …, CN and the ciphertext X sent by the tenant device, and stores the concatenated N index strings C1, C2, …, CN and the ciphertext X in the same data table in the database server.

The N index strings are the N indexes of the ciphertext, and the indexes are stored in correspondence with the ciphertext. It should be noted that in the prior art, after the N indexes of the ciphertext of the sensitive data are generated, each index occupies its own storage unit in a field of the data table. In this embodiment of the present invention, the N indexes of the ciphertext are concatenated, so storing them needs only one storage unit in one field of the data table. In addition, separating the index strings with a printable character that is not used by the preset encoding manner prevents matching errors.

When a user needs to obtain the ciphertext, as shown in FIG. 7, it can be obtained through the following process:

701. The tenant device determines M search keywords and, using the same method by which the index strings are generated from the target keywords, generates M search strings B1′, B2′, ..., BM′ from the M search keywords. When M≥2, the tenant device also determines a search mode, which is an AND mode or an OR mode. M≥1, and M is an integer.

702. The tenant device sends the M search strings B1′, B2′, ..., BM′ and the search mode to the public cloud server.

703. The public cloud server receives the M search strings B1′, B2′, ..., BM′ and the search mode sent by the tenant device.

704. The public cloud server matches the M search strings B1′, B2′, ..., BM′ against the N index strings contained in C1!C2!...!CN;

If M=1, the ciphertext is obtained when the search string is the same as one of the N index strings;

If M≥2 and the search mode is the AND mode, the ciphertext is obtained when the M search strings are the same as M of the N index strings;

If M≥2 and the search mode is the OR mode, the ciphertext is obtained when any one of the M search strings is the same as one of the N index strings.

When the public cloud server obtains the ciphertext, steps 705 to 707 are performed; when it does not, the public cloud server sends a search-failure message to the tenant device. FIG. 7 is drawn for the case in which the public cloud server obtains the ciphertext.

705. The public cloud server sends the obtained ciphertext to the tenant device.

706. The tenant device receives the ciphertext sent by the public cloud server.

707. The tenant device decrypts the obtained ciphertext with the decryption algorithm corresponding to the reversible encryption algorithm to obtain the sensitive data.

Specifically, for an example of obtaining the ciphertext, refer to the example described in Table 2.

In the method provided by this embodiment of the present invention, after the hash authentication code is generated from the target keyword, it is encoded in a preset encoding mode to obtain an index string. When there are N index strings, they are the N indexes of the ciphertext of the sensitive data, and the database server stores the ciphertext and the N index strings in correspondence in the same data table. Because the index strings are printable strings, they can be queried directly in the database server through SQL. To search for ciphertext containing a given keyword, a search string is generated from the search keyword by the same method used to generate the index string from the target keyword, and the search string can be matched against the N index strings directly in the database server through SQL to determine whether the ciphertext is obtained. Compared with the prior art, the ciphertext indexes do not need to be loaded into memory, which saves memory space and increases the speed of ciphertext search.
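The index construction and the server-side match of step 704, as an added example that is not part of the patent text. HMAC-SHA256 under a tenant-held key, the 9-byte truncation, whitespace word segmentation, the SQLite table layout and the placeholder ciphertexts are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
import sqlite3

SEP = "!"     # printable, and outside the standard Base64 alphabet
R_BYTES = 9   # assumed truncation length r: 72 bits -> 12 Base64 chars, no padding


def index_string(key, keyword, r_bytes=R_BYTES):
    """Keyword -> keyed hash -> first r bytes -> printable Base64 string."""
    mac = hmac.new(key, keyword.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac[:r_bytes]).decode("ascii")


def build_index_field(key, keywords):
    """Scramble the N index strings, then join them with SEP (step 608)."""
    tokens = [index_string(key, k) for k in set(keywords)]
    secrets.SystemRandom().shuffle(tokens)  # stored order must not mirror the text
    return SEP.join(tokens)


def make_store():
    """Assumed table layout: ciphertext and its index field in the same row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, ciphertext BLOB, idx TEXT)")
    return db


def search(db, search_strings, mode="and"):
    """Step 704: match M search strings against each stored C1!C2!...!CN field."""
    if mode not in ("and", "or") or not search_strings:
        raise ValueError("need at least one search string and mode 'and' or 'or'")
    if any(SEP in s for s in search_strings):
        raise ValueError("search string contains the separator")
    # Wrapping both sides in SEP turns substring search into whole-token match.
    # instr() is case-sensitive; SQLite's LIKE is not (for ASCII) by default,
    # which would merge Base64 strings that differ only in letter case.
    clause = f"instr('{SEP}' || idx || '{SEP}', ?) > 0"
    where = (" AND " if mode == "and" else " OR ").join([clause] * len(search_strings))
    needles = [SEP + s + SEP for s in search_strings]
    rows = db.execute(f"SELECT id FROM records WHERE {where} ORDER BY id", needles)
    return [row[0] for row in rows]


def demo():
    key = bytes(range(32))  # constructed demo key (assumed to stay on the tenant device)
    docs = {1: "alice diabetes insulin", 2: "bob asthma insulin", 3: "carol asthma"}
    db = make_store()
    for rid, text in docs.items():
        ciphertext = b"<ciphertext of record %d>" % rid  # placeholder, not real encryption
        field = build_index_field(key, text.split())     # whitespace segmentation (assumed)
        db.execute("INSERT INTO records VALUES (?, ?, ?)", (rid, ciphertext, field))

    def q(*words):
        return [index_string(key, w) for w in words]

    # A string straddling the boundary of record 3's two tokens: found by a naive
    # substring test on an undelimited field, rejected by the delimited match.
    t1, t2 = db.execute("SELECT idx FROM records WHERE id = 3").fetchone()[0].split(SEP)
    cross = t1[6:] + t2[:6]
    return {
        "single": search(db, q("insulin")),
        "and": search(db, q("asthma", "insulin"), "and"),
        "or": search(db, q("asthma", "diabetes"), "or"),
        "miss": search(db, q("cancer")),
        "naive_cross_boundary": cross in (t1 + t2),
        "delimited_cross_boundary": search(db, [cross]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```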

Embodiment 4

An embodiment of the present invention provides an apparatus 80 for creating a ciphertext index, configured to execute the method shown in FIG. 3. As shown in FIG. 8, the apparatus 80 includes:

An encryption unit 801, configured to encrypt sensitive data with a reversible encryption algorithm to obtain the ciphertext of the sensitive data;

A word segmentation unit 802, configured to perform word segmentation on the sensitive data with a word segmentation algorithm to obtain target keywords;

A first generating unit 803, configured to generate a hash authentication code according to the target keyword and a hash algorithm;

An encoding unit 804, configured to encode the hash authentication code in a preset encoding mode to obtain an index string, where the index string is a printable string and is an index of the ciphertext;

A sending unit 805, configured to send the ciphertext and the index string to a database server, so that the database server stores the ciphertext and the index string in the same data table, where the index string and the ciphertext are stored in correspondence.

Optionally, as shown in FIG. 9, the apparatus 80 further includes:

An intercepting unit 806, configured to intercept the first r bits of the hash authentication code to obtain a sub-hash authentication code, where 1≤r≤R, R and r are integers, and R is the length of the hash authentication code;

The encoding unit 804 is specifically configured to encode the sub-hash authentication code in the preset encoding mode to obtain the index string.

Optionally, as shown in FIG. 9, when the number of index strings is N, the apparatus 80 further includes:

A scrambling unit 807, configured to randomly scramble the N index strings, where N≥1 and N is an integer;

A concatenation unit 808, configured to concatenate the randomly scrambled N index strings, where adjacent index strings in the concatenated N index strings are separated by a printable character that is not used in the preset encoding mode.

Optionally, as shown in FIG. 9, the apparatus 80 further includes:

A first obtaining unit 809, configured to obtain a search keyword;

A second generating unit 810, configured to generate a search string from the search keyword by the same method used to generate the index string from the target keyword, where the search string is a printable string;

The sending unit 805 is further configured to send the search string to the database server, so that the database server searches for the ciphertext according to the search string and the stored index string.

Optionally, as shown in FIG. 9, the apparatus 80 further includes:

A second obtaining unit 811, configured to obtain a search statement;

The first obtaining unit 809 is specifically configured to perform word segmentation on the search statement with the word segmentation algorithm to obtain the search keyword.

In the apparatus provided by this embodiment of the present invention, after the hash authentication code is generated from the target keyword, it is encoded in a preset encoding mode to obtain an index string. When there are N index strings, they are the N indexes of the ciphertext of the sensitive data, and the database server stores the ciphertext and the N index strings in correspondence in the same data table. Because the index strings are printable strings, they can be queried directly in the database server through SQL. To search for ciphertext containing a given keyword, a search string is generated from the search keyword by the same method used to generate the index string from the target keyword, and the search string can be matched against the N index strings directly in the database server through SQL to determine whether the ciphertext is obtained. Compared with the prior art, the ciphertext indexes do not need to be loaded into memory, which saves memory space and increases the speed of ciphertext search.

Embodiment 5

In terms of hardware implementation, each unit in the above apparatus may be embedded in, or independent of, the processor of the apparatus in hardware form, or may be stored in the memory of the apparatus in software form, so that the processor can invoke and execute the operations corresponding to each unit. The processor may be a central processing unit (CPU), a microprocessor, a single-chip microcomputer, or the like.

As shown in FIG. 10, an embodiment of the present invention provides another apparatus 100 for creating a ciphertext index, configured to execute the method shown in FIG. 3. The apparatus 100 includes a memory 1001, a processor 1002, a transmitter 1003 and a bus system 1004.

The memory 1001, the processor 1002 and the transmitter 1003 are coupled together through the bus system 1004. The memory 1001 may include random access memory and may also include non-volatile memory, such as at least one disk memory. The bus system 1004 may be an ISA bus, a PCI bus, an EISA bus, or the like, and may be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is drawn in FIG. 10, but this does not mean that there is only one bus or one type of bus.

The memory 1001 stores a set of code, and the code is used to control the processor 1002 to perform the following actions:

Encrypting sensitive data with a reversible encryption algorithm to obtain the ciphertext of the sensitive data;

Performing word segmentation on the sensitive data with a word segmentation algorithm to obtain target keywords;

Generating a hash authentication code according to the target keyword and a hash algorithm;

Encoding the hash authentication code in a preset encoding mode to obtain an index string, where the index string is a printable string and is an index of the ciphertext;

The transmitter 1003 is configured to send the ciphertext and the index string to the database server, so that the database server stores the ciphertext and the index string in the same data table, where the index string and the ciphertext are stored in correspondence.

Optionally, the processor 1002 is further configured to:

Intercept the first r bits of the hash authentication code to obtain a sub-hash authentication code, where 1≤r≤R, R and r are integers, and R is the length of the hash authentication code;

The processor 1002 is specifically configured to encode the sub-hash authentication code in the preset encoding mode to obtain the index string.

Optionally, when the number of index strings is N, the processor 1002 is further configured to:

Randomly scramble the N index strings, where N≥1 and N is an integer;

Concatenate the randomly scrambled N index strings, where adjacent index strings in the concatenated N index strings are separated by a printable character that is not used in the preset encoding mode.

Optionally, the processor 1002 is further configured to:

Obtain a search keyword;

Generate a search string from the search keyword by the same method used to generate the index string from the target keyword, where the search string is a printable string;

The transmitter 1003 is further configured to send the search string to the database server, so that the database server searches for the ciphertext according to the search string and the stored index string.

Optionally, the processor 1002 is further configured to:

Obtain a search statement;

The processor 1002 is specifically configured to perform word segmentation on the search statement with the word segmentation algorithm to obtain the search keyword.

In the apparatus provided by this embodiment of the present invention, after the hash authentication code is generated from the target keyword, it is encoded in a preset encoding mode to obtain an index string. When there are N index strings, they are the N indexes of the ciphertext of the sensitive data, and the database server stores the ciphertext and the N index strings in correspondence in the same data table. Because the index strings are printable strings, they can be queried directly in the database server through SQL. To search for ciphertext containing a given keyword, a search string is generated from the search keyword by the same method used to generate the index string from the target keyword, and the search string can be matched against the N index strings directly in the database server through SQL to determine whether the ciphertext is obtained. Compared with the prior art, the ciphertext indexes do not need to be loaded into memory, which saves memory space and increases the speed of ciphertext search.

An embodiment of the present invention further provides a system for creating a ciphertext index. The system includes the above apparatus 80 and the above database server, or the system includes the above apparatus 100 and the above database server.

Those skilled in the art will clearly understand that, for convenience and brevity of description, only the above division into functional modules is used as an example. In practical applications, the above functions may be allocated to different functional modules as required; that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the apparatuses and modules described above, refer to the corresponding processes in the foregoing method embodiments; details are not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative: the division into modules is only a division by logical function, and other divisions are possible in an actual implementation. For example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection between apparatuses or units through some interfaces.

In addition, the functional modules in the embodiments of this application may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module.

Finally, the above embodiments are only intended to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent replacements of some of their technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.

Claims (12)

1. A method of creating a ciphertext index, comprising:
encrypting the sensitive data by adopting a reversible encryption algorithm to obtain a ciphertext of the sensitive data;
performing word segmentation on the sensitive data by adopting a word segmentation algorithm to obtain target keywords;
generating a Hash authentication code according to the target keyword and a Hash algorithm;
encoding the Hash authentication code by adopting a preset encoding mode to obtain an index character string, wherein the index character string is a printable character string, and the index character string is an index of the ciphertext;
sending the ciphertext and the index character string to a database server so that the database server stores the ciphertext and the index character string in the same data table, wherein the index character string and the ciphertext are stored correspondingly;
when the number of the index character strings is N, after the hash authentication code is encoded by using a preset encoding mode to obtain the index character strings, the method further includes: randomly scrambling the N index character strings, wherein N is more than or equal to 1 and is an integer; and concatenating the N index character strings after random scrambling, wherein adjacent index character strings in the concatenated N index character strings are separated by a printable character that is not used in the preset encoding mode.
2. The method according to claim 1, wherein before the encoding the hash authentication code in a preset encoding manner to obtain the index string, the method further comprises:
intercepting the first r bits of the Hash authentication code to obtain a sub-Hash authentication code, wherein 1≤r≤R, R and r are integers, and R is the length of the Hash authentication code;
the encoding of the hash authentication code by adopting a preset encoding mode to obtain an index character string comprises the following steps:
and coding the sub-hash authentication code by adopting a preset coding mode to obtain an index character string.
3. The method of claim 1,
and occupying a storage unit in one field in the data table to store the N index character strings.
4. The method according to claim 1 or 2, characterized in that the method further comprises:
acquiring a search keyword;
generating a search character string from the search keyword by adopting the same method for generating the index character string from the target keyword, wherein the search character string is a printable character string;
and sending the search character string to the database server so that the database server can search the ciphertext according to the search character string and the stored index character string.
5. The method of claim 4, wherein prior to said obtaining search keywords, the method further comprises:
acquiring a search statement;
the acquiring of the search keyword comprises: and performing word segmentation on the search sentence by adopting the word segmentation algorithm to obtain a search keyword.
6. The method of claim 4, further comprising:
the database server receives M search character strings, and when M is larger than or equal to 2, the database server also acquires a search mode, wherein the search mode is an AND mode or an OR mode;
the database server matches the M search strings with the stored index strings;
if M is 1, obtaining a ciphertext corresponding to the index character string which is the same as the search character string;
if M is more than or equal to 2 and the searching mode is the AND mode, acquiring ciphertext corresponding to M index character strings which are the same as the M searching character strings;
and if M is more than or equal to 2 and the searching mode is the OR mode, acquiring the ciphertext corresponding to the index character string which is the same as any searching character string in the M searching character strings.
7. The method of claim 5, further comprising:
the database server receives M search character strings, and when M is larger than or equal to 2, the database server also acquires a search mode, wherein the search mode is an AND mode or an OR mode;
the database server matches the M search strings with the stored index strings;
if M is 1, obtaining a ciphertext corresponding to the index character string which is the same as the search character string;
if M is more than or equal to 2 and the searching mode is the AND mode, acquiring ciphertext corresponding to M index character strings which are the same as the M searching character strings;
and if M is more than or equal to 2 and the searching mode is the OR mode, acquiring the ciphertext corresponding to the index character string which is the same as any searching character string in the M searching character strings.
8. An apparatus for creating a ciphertext index, comprising:
the encryption unit is used for encrypting the sensitive data by adopting a reversible encryption algorithm to obtain a ciphertext of the sensitive data;
the word segmentation unit is used for segmenting the sensitive data by adopting a word segmentation algorithm to obtain a target keyword;
the first generation unit is used for generating a Hash authentication code according to the target keyword and a Hash algorithm;
the encoding unit is used for encoding the Hash authentication code by adopting a preset encoding mode to obtain an index character string, wherein the index character string is a printable character string, and the index character string is an index of the ciphertext;
a sending unit, configured to send the ciphertext and the index string to a database server, so that the database server stores the ciphertext and the index string in the same data table, where the index string and the ciphertext are stored correspondingly;
when the number of the index character strings is N, the device further comprises:
the scrambling unit is used for randomly scrambling N index character strings, wherein N is not less than 1 and is an integer;
and the concatenation unit is used for concatenating the N index character strings after random scrambling, wherein adjacent index character strings in the concatenated N index character strings are separated by a printable character that is not used in the preset encoding mode.
9. The apparatus of claim 8, further comprising:
the intercepting unit is used for intercepting the first r bits of the Hash authentication code to obtain a sub-Hash authentication code, wherein 1≤r≤R, R and r are integers, and R is the length of the Hash authentication code;
the encoding unit is specifically configured to encode the sub-hash authentication code in a preset encoding manner to obtain an index string.
10. The apparatus according to any one of claims 8-9, further comprising:
a first acquisition unit configured to acquire a search keyword;
a second generating unit, configured to generate a search string from the search keyword by using the same method as that used to generate the index string from the target keyword, where the search string is a printable string;
the sending unit is further configured to send the search string to the database server, so that the database server searches the ciphertext according to the search string and the stored index string.
11. The apparatus of claim 10, further comprising:
a second acquisition unit configured to acquire a search sentence;
the first obtaining unit is specifically configured to perform word segmentation on the search sentence by using the word segmentation algorithm to obtain a search keyword.
12. A system for creating a ciphertext index, comprising: the apparatus and database server of any of claims 8-11.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN201510698146.2A | 2015-10-23 | 2015-10-23 | A method, device and system for creating ciphertext index | Active

Publications (2)

Publication Number | Publication Date
CN106610995A | 2017-05-03
CN106610995B | 2020-07-07

Family ID: 58613085

Country Status (1)

Country | Link
CN (1) | CN106610995B (en)
