Summary of the invention
The main purpose of the present invention is to provide a kind of data processing method, equipment, system and storage mediums, it is intended to solveThe poor technical problem of privacy leakage increased risk, Information Security.
To achieve the above object, a kind of data processing method provided by the invention, comprising:
The storage that the first user is received for target data is requested, and the information of user identifier is carried in the storage request;
Determine code key build version ready for use;
According to the user identifier and the code key build version, encryption code key is generated;
It is encrypted using target data described in the encryption secret key pair, obtains target encryption data;
By target encryption data storage to cloud platform.
Optionally, described according to the user identifier and the code key build version, generate encryption code key, comprising:
Obtain the associated user's sequence of the user identifier;
Based on the user identifier, user's sequence and the code key build version, encryption code key is generated.
Optionally, the user identifier and user's sequence are included at least in the encryption code key.
Optionally, determination code key build version ready for use, comprising:
According to the selection of first user, code key build version ready for use is determined;
Alternatively, code key build version newest in database is determined as code key build version ready for use.
Optionally, after the storage to cloud platform by the target encryption data, further includes:
The access request that second user is directed to the target encryption data is received, carries the user in the access requestThe information of mark and the code key build version;
According to the user identifier and the code key build version, decryption code key is generated;
It is decrypted using target encryption data described in the decryption secret key pair, obtains the target data;
The target data is returned into the second user.
To achieve the above object, the present invention further provides a kind of data processing equipment, including memory and processor, institutesThe data processor for being stored with and being run on memory on the processor is stated, the data processor is by the processingDevice realizes following method when executing:
The storage that the first user is received for target data is requested, and the information of user identifier is carried in the storage request;
Determine code key build version ready for use;
According to the user identifier and the code key build version, encryption code key is generated;
It is encrypted using target data described in the encryption secret key pair, obtains target encryption data;
By target encryption data storage to cloud platform.
Optionally, it is also realized when the data processor is executed by the processor:
Obtain the associated user's sequence of the user identifier;
Based on the user identifier, user's sequence and the code key build version, encryption code key is generated.
Optionally, it is also realized when the data processor is executed by the processor:
According to the selection of first user, code key build version ready for use is determined;
Alternatively, code key build version newest in database is determined as code key build version ready for use.
Optionally, it is also realized when the data processor is executed by the processor:
After the storage to cloud platform by the target encryption data, receives second user and encrypted for the targetThe access request of data carries the information of the user identifier and the code key build version in the access request;
According to the user identifier and the code key build version, decryption code key is generated;
It is decrypted using target encryption data described in the decryption secret key pair, obtains the target data;
The target data is returned into the second user.
To achieve the above object, the present invention further provides a kind of data processing systems, comprising:
Request reception unit is stored, is requested for receiving the first user for the storage of target data, the storage requestThe middle information for carrying user identifier;
Code key build version determination unit, for determining code key build version ready for use;
Code key generation unit is encrypted, for generating encryption code key according to the user identifier and the code key build version;
Target encryption data obtaining unit, for being encrypted using target data described in the encryption secret key pair,Obtain target encryption data;
Target encryption data storage unit, for storing the target encryption data to cloud platform.
To achieve the above object, the present invention further provides a kind of computer readable storage mediums, described computer-readableData processor is stored on storage medium, the data processor can be executed by one or more processor, with realityExisting data processing method described in any of the above embodiments.
To achieve the above object, the present invention further provides a kind of computer program products, including computer instruction, when itWhen running on computers, computer is allowed to execute data processing method described in any of the above embodiments.
The present invention can determine that code key ready for use is raw when receiving storage request of first user for target dataEncryption code key can be generated, use encryption according to the user identifier and the code key build version carried in storage request at versionSecret key pair target data is encrypted, and can obtain target encryption data, by target encryption data storage to cloud platform.AddClose code key is generated according to user identifier and the code key build version ready for use determined, so that the encryption of different user is secretKey is different, and in cloud platform, the data of different user carry out encryption storage using different encryption code keys, plays buffer action,Privacy leakage risk can be reduced, the safety of data is improved.
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, rightThe present invention is further elaborated.It should be appreciated that described herein, specific examples are only used to explain the present invention, notFor limiting the present invention.Based on the embodiments of the present invention, those of ordinary skill in the art are not before making creative workEvery other embodiment obtained is put, shall fall within the protection scope of the present invention.
The description and claims of this application and term " first " in above-mentioned attached drawing, " second " etc. are for distinguishingSimilar object, rather than be used to describe a particular order or precedence order.It should be understood that the data used in this way are in appropriate feelingsIt can be interchanged under condition, so that the embodiments described herein can be real with the sequence other than the content for illustrating or describing hereinIt applies.In addition, term " includes " and " having " and their any deformation, it is intended that cover it is non-exclusive include, for example, packetThe process, method, system, product or equipment for having contained a series of steps or units those of be not necessarily limited to be clearly listed step orUnit, but may include other steps being not clearly listed or intrinsic for these process, methods, product or equipment orUnit.
It should be noted that the description for being related to " first ", " second " etc. in the present invention is used for description purposes only, and cannotIt is interpreted as its relative importance of indication or suggestion or implicitly indicates the quantity of indicated technical characteristic.Define as a result, " theOne ", the feature of " second " can explicitly or implicitly include at least one of the features.In addition, the skill between each embodimentArt scheme can be combined with each other, but must be based on can be realized by those of ordinary skill in the art, when technical solutionWill be understood that the combination of this technical solution is not present in conjunction with there is conflicting or cannot achieve when, also not the present invention claimsProtection scope within.
The present invention provides a kind of data processing method.
Referring to Fig.1, Fig. 1 is a kind of implementation flow chart of data processing method provided by the embodiment of the present invention, this methodThe following steps are included:
S110: the storage for receiving the first user for target data is requested.
The information of user identifier is carried in storage request.
In practical applications, the storage that cloud platform carries out data can be used in user, and cloud platform can store multiple usersData.First user can issue the corresponding storage for target data and request, storage is asked when there is data storage requirementThe information of user identifier uid can be carried in asking.
When receiving storage request of first user for target data, storage request can be parsed, be obtainedThe user identifier wherein carried.The user identifier can be the user identifier of the first user, is also possible to the first user and is usedA user identifier.
S120: code key build version ready for use is determined.
In embodiments of the present invention, the data stored in cloud platform are all the data by encryption, that is to say, that rightData need that first data are encrypted before being stored.
When receiving the storage request for target data, a code key build version can be selected to make in the databaseFor code key build version ready for use.
Multiple code key build versions are can store in database, it is raw that different code key build versions correspond to different code keysAt logic.Different code key build version routine adjustment data encryption logics can be passed through.
S130: according to user identifier and code key build version, encryption code key is generated.
The user identifier in storage request is obtained, and after determining code key build version ready for use, can be marked according to userKnow and code key build version, generation encrypt code key.It is patrolled specifically, the generation of code key corresponding to code key build version can be usedVolume, corresponding operation is carried out to user identifier, generates encryption code key.It may include the part of user identifier in the encryption code key of generationOr full content, user identifier encryption code key in can disperse to arrange, or concentrate arrangement, specifically with code key build versionCorresponding code key generates logic and is consistent.
Different user mark represents different user, according to different user mark and identified code key build version, generatesEncryption code key also can be different, in this way, different user can be made to possess different encryption code keys.
S140: it is encrypted using encryption secret key pair target data, obtains target encryption data.
After generating encryption code key, encryption secret key pair target data can be used and be encrypted.Specific ciphering processFor the prior art, the embodiment of the present invention repeats no more this.After target data is encrypted, target encryption can be obtainedData.
S150: by target encryption data storage to cloud platform.
It is encrypted using encryption secret key pair target data, after obtaining target encryption data, target can be encryptedData are stored to cloud platform.In this way, the data stored in cloud platform are encryption data, the safety of data ensure that.
Using method provided by the embodiment of the present invention, requested receiving storage of first user for target dataWhen, it can determine code key build version ready for use, according to the user identifier and the code key build version that carry in storage request,Encryption code key can be generated, be encrypted using encryption secret key pair target data, target encryption data can be obtained, by meshEncryption data storage is marked to cloud platform.Encryption code key is raw according to user identifier and the code key build version ready for use determinedAt so that the encryption code key of different user is different, in cloud platform, the data of different user using different encryption code keys intoRow encryption storage, plays buffer action, can reduce privacy leakage risk, improve the safety of data.
In a kind of specific embodiment of the invention, step S130 be may comprise steps of:
Step 1: the associated user's sequence of user identifier is obtained;
Step 2: being based on user identifier, user's sequence and code key build version, generates encryption code key.
It is illustrated for ease of description, above-mentioned two step is combined.
In embodiments of the present invention, it can be generated for user user's sequence in user's registration, i.e. custom_key,User's sequence can be associated with user identifier.
It is requested receiving storage of first user for target data, obtains the user identifier carried in storage requestAfterwards, the associated user's sequence of available user identifier.Then, it is based on user identifier, user's sequence and code key build version, it is rawAt encryption code key.User's sequence can be used as a part of metadata of code key generation.
Specifically, user identifier and user's sequence can be included at least in encryption code key.
Encryption code key is generated based on user identifier, user's sequence and code key build version, can reinforce encrypting answering for code keyMiscellaneous degree improves the difficulty that encryption code key is cracked, to further increase Information Security.
In a kind of specific embodiment of the invention, step S120 be may comprise steps of:
According to the selection of the first user, code key build version ready for use is determined;
Alternatively, code key build version newest in database is determined as code key build version ready for use.
In embodiments of the present invention, the first user can choose current when sending the storage request for target dataWhich code key build version used.According to the selection of the first user, code key build version ready for use can be determined.First usesA used code key build version before the code key build version of family selection can be can also be newest one currentCode key build version.
Alternatively, defaulting when receiving storage request of first user for target data by code key newest in databaseBuild version is determined as code key build version ready for use.
In order to reinforce the safety of data, encryption policy can be adjusted according to actual needs.In embodiments of the present invention, may be usedCode key build version is updated, by the code key of update by realizing that relevant code key generates the adjustment that logic carries out encryption policyThe information of build version is inserted into database, subsequent when needing to carry out data encryption, can be automatically selected newest code key and be generatedVersion generates encryption code key, carries out new encryption logic.
In one embodiment of the invention, after step S150 stores target encryption data to cloud platform, the partyMethod can with the following steps are included:
First step: the access request that second user is directed to target encryption data is received, carries user in access requestThe information of mark and code key build version;
Second step: according to user identifier and code key build version, decryption code key is generated;
Third step: it is decrypted using decryption secret key pair target encryption data, obtains target data;
4th step: target data is returned into second user.
It is illustrated for ease of description, aforementioned four step is combined.
After the storage to cloud platform of target encryption data, user can access phase by cloud platform when there is requirements for accessAnswer data.
When receiving access request of the second user for target encryption data, access request can be parsed,Obtain the information of the user identifier and code key build version that carry in access request.That is, second user is in mesh to be accessedWhen marking encryption data, used user identifier and code key build version when the storage of target encryption data need to be provided.
According to user identifier and code key build version, decryption code key can be generated.Generate decryption code key method with it is above-mentionedThe method for generating encryption code key is corresponding, repeats no more herein.
After generating decryption code key, decryption secret key pair target encryption data can be used and be decrypted, obtain number of targetsAccording to target data is then returned to second user.Specific decrypting process is the prior art, the embodiment of the present invention to this no longerIt repeats.
In embodiments of the present invention, as long as user is capable of providing the encryption number when accessing the encryption data in cloud platformCorresponding user identifier and used code key build version when according to storage produce corresponding decryption code key, so as toTo use decryption code key to be decrypted.That is, passing through the management of code key build version, even if current crypto strategy has moreNewly, also perfect it can be compatible with old encryption data, realizes the decryption processing of old encryption data.With stronger flexibility and expansionMalleability.Moreover, even if can also smoothly decrypt the encryption data in cloud platform in Distributed Services scene.
In addition, the embodiment of the present invention is all to generate corresponding code key in real time for storing and accessing for data, and without secretThe storage of key, that is, each code key are calculated according to the condition provided, can reduce database in this way by behind de- libraryThe risk of privacy of user leakage.
In practical applications, the embodiment of the present invention can be applied particularly to cryptographic services system, which canTo be communicated to connect with cloud platform.The cryptographic services system can be requested receiving storage of first user for target dataWhen, it determines code key build version ready for use, according to user identifier and code key build version, generates encryption code key, use encryptionSecret key pair target data is encrypted, and obtains target encryption data, by target encryption data storage to cloud platform.
More specifically, which may include client and code key server-side, and client takes with code key respectivelyBusiness end and cloud platform communication connection.Client takes when receiving storage request of first user for target data to code keyEnd of being engaged in sends code key and generates request, which, which generates, can carry the information of user identifier in request, code key server-side determine toThe code key build version used generates encryption code key, the encryption code key of generation is returned according to user identifier and code key build versionBack to client, after client receives encryption code key, it is encrypted using encryption secret key pair target data, obtains targetEncryption data, by target encryption data storage to cloud platform.Micro services design is realized by code key server-side, can be decoupled in this wayMain business logic, so that the update of encryption policy will not influence main business logic.
In practical applications, cryptographic services system can be arranged in Intranet, can isolate safety wind in intranet environmentDanger.Intranet environment is as shown in Fig. 2, firewall can prevent extranet access, and access white list can carry out IP filtering, and service layer can be used forUser's registration obtains latest edition number and obtains code key, and operation layer can carry out specific user's registration, code key generation and version controlSystem, data Layer can be written and read database, data buffer storage, issued transaction etc., and MS SQL database can be used in database, specificallyRunning environment may include cloud host, separate server, third party's fictitious host computer etc., in access white list layer, service layer, industryBusiness layer, data Layer can carry out log recording and monitoring alarm etc..
Corresponding to above method embodiment, the embodiment of the invention also provides a kind of data processing equipment, the equipment packetsMemory and processor are included, the data processor that can be run on a processor, data processor quilt are stored on memoryProcessor realizes following method when executing:
The storage that the first user is received for target data is requested, and the information of user identifier is carried in storage request;
Determine code key build version ready for use;
According to user identifier and code key build version, encryption code key is generated;
It is encrypted using encryption secret key pair target data, obtains target encryption data;
By target encryption data storage to cloud platform.
Using equipment provided by the embodiment of the present invention, requested receiving storage of first user for target dataWhen, it can determine code key build version ready for use, according to the user identifier and the code key build version that carry in storage request,Encryption code key can be generated, be encrypted using encryption secret key pair target data, target encryption data can be obtained, by meshEncryption data storage is marked to cloud platform.Encryption code key is raw according to user identifier and the code key build version ready for use determinedAt so that the encryption code key of different user is different, in cloud platform, the data of different user using different encryption code keys intoRow encryption storage, plays buffer action, can reduce privacy leakage risk, improve the safety of data.
In a kind of specific embodiment of the invention, also realized when data processor is executed by processor:
Obtain the associated user's sequence of user identifier;
Based on user identifier, user's sequence and code key build version, encryption code key is generated.
In a kind of specific embodiment of the invention, also realized when data processor is executed by processor:
According to the selection of the first user, code key build version ready for use is determined;
Alternatively, code key build version newest in database is determined as code key build version ready for use.
In a kind of specific embodiment of the invention, also realized when data processor is executed by processor:
After by the storage to cloud platform of target encryption data, the access for receiving second user for target encryption data is askedIt asks, the information of user identifier and code key build version is carried in access request;
According to user identifier and code key build version, decryption code key is generated;
It is decrypted using decryption secret key pair target encryption data, obtains target data;
Target data is returned into second user.
In the present embodiment, data processing equipment can be PC (Personal Computer, PC), can also be withIt is smart phone, tablet computer, palm PC, portable computer, intelligent router, mine machine, network storage equipment, terminal deviceDeng.
Shown in Figure 3, which may include memory 11, processor 12 and bus 13.
Wherein, memory 11 includes at least a type of readable storage medium storing program for executing, and readable storage medium storing program for executing includes flash memory, hardDisk, multimedia card, card-type memory (for example, SD or DX memory etc.), magnetic storage, disk, CD etc..Memory 11 existsIt can be the internal storage unit of data processing equipment, such as the hard disk of the data processing equipment in some embodiments.Memory11 are also possible to the External memory equipment of data processing equipment in further embodiments, such as be equipped on data processing equipmentPlug-in type hard disk, intelligent memory card (Smart Media Card, SMC), secure digital (Secure Digital, SD) card dodgeDeposit card (Flash Card) etc..Further, memory 11 can also both including data processing equipment internal storage unit orIncluding External memory equipment.Memory 11 can be not only used for storing the application software for being installed on data processing equipment and all kinds of numbersAccording to, such as code of data processor etc., it can be also used for temporarily storing the data that has exported or will export.
Processor 12 can be in some embodiments a central processing unit (Central Processing Unit,CPU), controller, microcontroller, microprocessor or other data processing chips, the program for being stored in run memory 11Code or processing data, such as execute data processor etc..
The bus 13 can be Peripheral Component Interconnect standard (peripheral component interconnect, abbreviationPCI) bus or expanding the industrial standard structure (extended industry standard architecture, abbreviation EISA)Bus etc..The bus can be divided into address bus, data/address bus, control bus etc..For convenient for indicating, in Fig. 3 only with one slightlyLine indicates, it is not intended that an only bus or a type of bus.
Further, data processing equipment can also include network interface, and network interface optionally may include wired connectsMouth and/or wireless interface (such as WI-FI interface, blue tooth interface), commonly used in being set in the data processing equipment and other electronicsCommunication connection is established between standby.
Optionally, which can also include user interface, and user interface may include display(Display), input unit such as keyboard (Keyboard), optional user interface can also include standard wireline interface,Wireless interface.Optionally, in some embodiments, it is aobvious to can be light-emitting diode display, liquid crystal display, touch control type LCD for displayShow that device and OLED (Organic Light-Emitting Diode, Organic Light Emitting Diode) touch device etc..Wherein, displayAppropriate it can also be known as display screen or display unit, for showing the information handled in the data processing apparatus and for showingShow visual user interface.
Fig. 3 illustrates only the data processing equipment with component 11-13, it will be appreciated by persons skilled in the art that Fig. 3The restriction of the structure shown not structure paired data processing equipment, may include than illustrate less perhaps more components orCombine certain components or different component layouts.
Referring to Fig. 4, Fig. 4 is a kind of data processing system provided by the embodiment of the present invention, which includes:
Request reception unit 410 is stored, is requested for receiving the first user for the storage of target data, in storage requestCarry the information of user identifier;
Code key build version determination unit 420, for determining code key build version ready for use;
Code key generation unit 430 is encrypted, for generating encryption code key according to user identifier and code key build version;
Target encryption data obtaining unit 440 obtains mesh for being encrypted using encryption secret key pair target dataMark encryption data;
Target encryption data storage unit 450, for storing target encryption data to cloud platform.
Using system provided by the embodiment of the present invention, requested receiving storage of first user for target dataWhen, it can determine code key build version ready for use, according to the user identifier and the code key build version that carry in storage request,Encryption code key can be generated, be encrypted using encryption secret key pair target data, target encryption data can be obtained, by meshEncryption data storage is marked to cloud platform.Encryption code key is raw according to user identifier and the code key build version ready for use determinedAt so that the encryption code key of different user is different, in cloud platform, the data of different user using different encryption code keys intoRow encryption storage, plays buffer action, can reduce privacy leakage risk, improve the safety of data.
Corresponding to embodiments described above, the embodiment of the invention also provides a kind of computer readable storage mediums, calculateData processor is stored on machine readable storage medium storing program for executing, data processor can be executed by one or more processor, withRealize the data processing method of any of the above-described.
Corresponding to embodiments described above, the embodiment of the invention also provides a kind of computer program products, including calculateMachine instruction, when run on a computer, allows computer to execute the data processing method of any of the above-described.
In the above-described embodiments, can come wholly or partly by software, hardware, firmware or any combination thereof realIt is existing.When implemented in software, it can entirely or partly realize in the form of a computer program product.
Computer program product includes one or more computer instructions.Load and execute on computers computer programWhen instruction, the process or function according to the embodiment of the present invention are entirely or partly generated.Computer can be general purpose computer, speciallyWith computer, computer network or other programmable devices.Computer instruction can store in computer readable storage mediumIn, or transmit from a computer readable storage medium to another computer readable storage medium, for example, computer instruction canTo pass through wired (such as coaxial cable, optical fiber, Digital Subscriber Line from a web-site, computer, server or data center(DSL)) or wireless (such as infrared, wireless, microwave etc.) mode is into another web-site, computer, server or dataThe heart is transmitted.Computer readable storage medium can be any usable medium or include one that computer can storeOr the data storage devices such as integrated server, data center of multiple usable mediums.Usable medium can be magnetic medium (exampleSuch as, floppy disk, hard disk, tape), optical medium (for example, DVD) or semiconductor medium (such as solid state hard disk Solid StateDisk (SSD)) etc..
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description,The specific work process of equipment and unit, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.
In several embodiments provided herein, it should be understood that disclosed system, device and method can be withIt realizes by another way.For example, system embodiment described above is only schematical, for example, the division of unit,Only a kind of logical function partition, there may be another division manner in actual implementation, such as multiple units or components can be withIn conjunction with or be desirably integrated into another system, or some features can be ignored or not executed.Another point, it is shown or discussedMutual coupling, direct-coupling or communication connection can be through some interfaces, the INDIRECT COUPLING of device or unit orCommunication connection can be electrical property, mechanical or other forms.
Unit may or may not be physically separated as illustrated by the separation member, shown as a unitComponent may or may not be physical unit, it can and it is in one place, or may be distributed over multiple networksOn unit.It can some or all of the units may be selected to achieve the purpose of the solution of this embodiment according to the actual needs.
It, can also be in addition, each functional unit in each embodiment of the application can integrate in one processing unitIt is that each unit physically exists alone, can also be integrated in one unit with two or more units.Above-mentioned integrated listMember both can take the form of hardware realization, can also realize in the form of software functional units.
It, can if integrated unit is realized in the form of SFU software functional unit and when sold or used as an independent productTo be stored in a computer readable storage medium.Based on this understanding, the technical solution of the application substantially orSay that all or part of the part that contributes to existing technology or the technical solution can embody in the form of software productsOut, which is stored in a storage medium, including some instructions are used so that a computer equipmentThe all or part of (can be personal computer, server or the network equipment etc.) execution each embodiment method of the applicationStep.And storage medium above-mentioned include: USB flash disk, it is mobile hard disk, read-only memory (ROM, Read-Only Memory), randomAccess various Jie that can store program code such as memory (RAM, Random Access Memory), magnetic or diskMatter.
It should be noted that the serial number of the above embodiments of the invention is only for description, do not represent the advantages or disadvantages of the embodiments.AndThe terms "include", "comprise" herein or any other variant thereof is intended to cover non-exclusive inclusion, so that packetProcess, device, article or the method for including a series of elements not only include those elements, but also including being not explicitly listedOther element, or further include for this process, device, article or the intrinsic element of method.Do not limiting moreIn the case where, the element that is limited by sentence "including a ...", it is not excluded that including process, device, the article of the elementOr there is also other identical elements in method.
The above is only a preferred embodiment of the present invention, is not intended to limit the scope of the invention, all to utilize this hairEquivalent structure or equivalent flow shift made by bright specification and accompanying drawing content is applied directly or indirectly in other relevant skillsArt field, is included within the scope of the present invention.