CN115834173A - Safe access desensitization method and system - Google Patents

Abstract

The invention discloses a safe access desensitization method and a system, wherein the method comprises the following steps: s1, a step for acquiring data; s2, encrypting the data and outputting an encrypted data file and a password; and S3, sending the encrypted data file and the password through different channels. The safety access desensitization method and the safety access desensitization system disclosed by the invention have the advantages that the required data are obtained through the OA process interface, so that the situation that a person knows the account number of the database secretly is not unique, in addition, the obtained data are encrypted, and then the encrypted data file and the password are sent to an acquirer through different channels, and the encrypted file and the password are sent separately, so that the data leakage can be prevented, and the safety of the data is greatly improved.

Description

Translated fromChinese

一种安全取数脱敏方法及系统Desensitization method and system for safe data retrieval

技术领域technical field

本发明涉及计算机领域，尤其涉及一种安全取数脱敏方法及系统。The invention relates to the field of computers, in particular to a method and system for safely fetching and desensitizing data.

背景技术Background technique

随着社会的发展，人们的生活离不开金融行业，其中贷款基本与每个人息息相关，如贷款买车买房或开创公司等等，因此贷款机构掌握着大量的用户信息。With the development of society, people's life is inseparable from the financial industry, and loans are basically closely related to everyone, such as loans to buy a car, buy a house or start a company, etc. Therefore, lending institutions have a lot of user information.

但是现有的很多企业开发人员在日常工作中，通过堡垒机直接连上数据库导出相关数据，虽然堡垒机能够保护数据不受来自外部和内部用户的入侵和破坏，但是开发人员在导出数据的过程中，难免会导致用户信息泄露，因此现有的这种直接从数据库中导出数据的方式存在很大的安全风险。However, many existing enterprise developers directly connect to the database through the bastion host to export relevant data in their daily work. Although the bastion host can protect the data from intrusion and damage from external and internal users, the developers are in the process of exporting data. In the process, it will inevitably lead to user information leakage, so the existing method of directly exporting data from the database has a great security risk.

本发明的目的是提供一种安全取数脱敏方法及系统。The purpose of the present invention is to provide a method and system for secure data desensitization.

本发明所提供的安全取数脱敏方法，包括如下步骤：The safe desensitization method provided by the present invention comprises the following steps:

S1用于获取数据的步骤；S1 is a step for obtaining data;

S2用于对数据进行加密，并输出加密数据文件及密码的步骤；S2 is used for encrypting data, and the step of outputting encrypted data file and password;

S3用于将加密数据文件和密码通过不同渠道进行发送的步骤。S3 is used to send encrypted data files and passwords through different channels.

优选的，所述S1用于获取数据的步骤，包括：Preferably, the step of S1 for acquiring data includes:

S11用于调用审批接口的步骤；S11 is a step for calling the approval interface;

S12用于通过审批接口获取数据包的步骤；S12 is a step for obtaining the data packet through the approval interface;

S13用于通过调用查询接口对数据包进行检索并输出检索出的数据的步骤。S13 is a step of retrieving the data packet by calling the query interface and outputting the retrieved data.

优选的，所述S2用于对数据进行加密，并输出加密数据文件及密码的步骤，包括：Preferably, said S2 is used to encrypt data, and the steps of outputting encrypted data files and passwords include:

S21用于调用检索出的数据的步骤；S21 is a step for calling the retrieved data;

S22用于对数据进行字段匹配，若数据中含有匹配字段，则将当前字段数据以特殊符号替换，如无，直接执行S23的步骤；S22 is used to perform field matching on the data, if the data contains a matching field, then the current field data is replaced with a special symbol, if not, directly execute the step of S23;

S23用于调用MD5算法接口对数据进行加密，并生成加密文件及密码的步骤。S23 is a step for calling the MD5 algorithm interface to encrypt data and generate encrypted files and passwords.

优选的，所述S3用于将加密数据文件和密码通过不同渠道进行发送的步骤，包括：Preferably, said S3 is used to send encrypted data files and passwords through different channels, including:

S31用于调用加密文件的步骤；S31 is used to call the step of encrypted file;

S32用于将加密文件发送至取数人邮箱服务器的步骤。S32 is a step for sending the encrypted file to the mailbox server of the data fetcher.

优选的，所述S3用于将加密数据文件和密码通过不同渠道进行发送的步骤，还包括：Preferably, said S3 is used to send encrypted data files and passwords through different channels, further comprising:

S33用于调用密码的步骤；S33 is used to call the step of password;

S34用于将密码发送至取数人钉钉服务器的步骤。S34 is a step for sending the password to the DingTalk server.

优选的，所述S3用于将加密数据文件和密码通过不同渠道进行发送的步骤，还包括：用于生成日志的步骤。Preferably, said S3 is used to send the encrypted data files and passwords through different channels, and further includes: a step for generating logs.

本发明所提供的安全取数脱敏系统，包括如下模块：The safe number desensitization system provided by the present invention includes the following modules:

S1用于获取数据的模块；S1 is a module for acquiring data;

S2用于对数据进行加密，并输出加密数据文件及密码的模块；S2 is used to encrypt data and output encrypted data files and password modules;

S3用于将加密数据文件和密码通过不同渠道进行发送的模块。S3 is a module used to send encrypted data files and passwords through different channels.

优选的，所述S1用于获取数据的模块，包括：Preferably, said S1 module for acquiring data includes:

S11用于调用审批接口的子模块；S11 is used to call the sub-module of the approval interface;

S12用于通过审批接口获取数据包的子模块；S12 is used to obtain the submodule of the data packet through the approval interface;

S13用于通过调用查询接口对数据包进行检索并输出检索出的数据的子模块。S13 is a submodule for retrieving data packets by calling the query interface and outputting the retrieved data.

优选的，所述S2用于对数据进行加密，并输出加密数据文件及密码的模块，包括：Preferably, said S2 is used to encrypt data, and output encrypted data files and password modules, including:

S21用于调用检索出的数据的子模块；S21 is used to call the submodule of the retrieved data;

S22用于对数据进行字段匹配，若数据中含有匹配字段，则将当前字段数据以特殊符号替换，如无，直接执行S23的子模块；S22 is used to perform field matching on the data. If the data contains matching fields, the current field data will be replaced with special symbols. If not, the submodule of S23 will be executed directly;

S23用于调用MD5算法接口对数据进行加密，并生成加密文件及密码的子模块。S23 is a submodule used to call the MD5 algorithm interface to encrypt data and generate encrypted files and passwords.

优选的，所述S3用于将加密数据文件和密码通过不同渠道进行发送的模块，包括：Preferably, said S3 is used to send encrypted data files and passwords through different channels, including:

S31用于调用加密文件的子模块；S31 is used to call the submodule of the encrypted file;

S32用于将加密文件发送至取数人邮箱服务器的子模块。S32 is used to send the encrypted file to the submodule of the mailbox server of the data fetcher.

优选的，所述S3用于将加密数据文件和密码通过不同渠道进行发送的模块，还包括：Preferably, said S3 module for sending encrypted data files and passwords through different channels also includes:

S33用于调用密码的子模块；S33 is used to call the submodule of the password;

S34用于将密码发送至取数人钉钉服务器的子模块。S34 is used to send the password to the submodule of the DingTalk server.

优选的，所述S3用于将加密数据文件和密码通过不同渠道进行发送的模块，还包括：用于生成日志的子模块。Preferably, said S3 is a module for sending encrypted data files and passwords through different channels, and further includes: a submodule for generating logs.

本发明所提供的安全取数脱敏方法及系统，通过OA流程审批接口获取所需数据，从而防止了数据库账号秘密掌握人员的不唯一，此外通过对获取到的数据进行加密处理，然后将加密数据文件和密码通过不同渠道发送至取数人，因加密文件和密码是分开发送的，可防止数据外泄，因此大大提高了数据的安全性。The safe access data desensitization method and system provided by the present invention obtains the required data through the OA process approval interface, thereby preventing the database account secret from being not unique. In addition, by encrypting the obtained data, the encrypted The data files and passwords are sent to the data collectors through different channels. Because the encrypted files and passwords are sent separately, data leakage can be prevented, thus greatly improving data security.

附图说明Description of drawings

图1为本发明实施例一所述的安全取数脱敏方法流程示意图；Fig. 1 is a schematic flow chart of the method for desensitizing safe data fetching described in Embodiment 1 of the present invention;

图2为本发明实施例一所述的S1用于获取数据的步骤示意图；FIG. 2 is a schematic diagram of the steps of S1 for acquiring data according to Embodiment 1 of the present invention;

图3为本发明实施例一所述的S2用于对数据进行加密，并输出加密数据文件及密码的步骤示意图；FIG. 3 is a schematic diagram of the steps of S2 for encrypting data and outputting encrypted data files and passwords according to Embodiment 1 of the present invention;

图4和图5为本发明实施例一所述的S3用于将加密数据文件和密码通过不同渠道进行发送的步骤示意图。FIG. 4 and FIG. 5 are schematic diagrams of the steps of S3 for sending encrypted data files and passwords through different channels according to Embodiment 1 of the present invention.

具体实施方式Detailed ways

为使本发明实施例的目的、技术方案和优点更加清楚，下面将结合本发明实施例中的附图，对本发明实施例中的技术方案进行清楚、完整地描述，显然，所描述的实施例是本发明一部分实施例，而不是全部的实施例。基于本发明中的实施例，本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例，都属于本发明保护的范围。In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments It is a part of embodiments of the present invention, but not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.

实施例一Embodiment one

如图1-5所示，本实施例所提供的安全取数脱敏方法，包括如下步骤：As shown in Figures 1-5, the secure access desensitization method provided in this embodiment includes the following steps:

S1用于获取数据的步骤；S1 is a step for obtaining data;

S2用于对数据进行加密，并输出加密数据文件及密码的步骤；S2 is used for encrypting data, and the step of outputting encrypted data file and password;

S3用于将加密数据文件和密码通过不同渠道进行发送的步骤。S3 is used to send encrypted data files and passwords through different channels.

本领域技术人员可以理解，通过对获取到的数据进行加密处理，然后将加密数据文件和密码通过不同渠道发送至取数人，因加密文件和密码是分开发送的，可防止数据外泄，因此大大提高了数据的安全性。Those skilled in the art can understand that by encrypting the obtained data, and then sending the encrypted data file and password to the data collector through different channels, since the encrypted file and password are sent separately, data leakage can be prevented, so Greatly improved data security.

进一步，所述S1用于获取数据的步骤，包括：Further, the step of S1 for obtaining data includes:

S11用于调用审批接口的步骤；S11 is a step for calling the approval interface;

S12用于通过审批接口获取数据包的步骤；S12 is a step for obtaining the data packet through the approval interface;

S13用于通过调用查询接口对数据包进行检索并输出检索出的数据的步骤。S13 is a step of retrieving the data packet by calling the query interface and outputting the retrieved data.

本领域技术人员可以理解，首先取数人可以将所需数据提交给OA流程，通过流程统一审批后，将所有取数人的数据打包成数据包，然后将数据包输入系统内，系统可根据数据包中的不同数据类型、ip或schema来查询取数人的所需数据并输出，从而获取到取数人的所需数据，这样就保证了掌握数据库账号密码人员的唯一性，同时不会因为开发人员随意的进入数据库，导致增加数据泄露的风险。Those skilled in the art can understand that firstly, the data collectors can submit the required data to the OA process, and after the unified approval of the process, the data of all data collectors will be packaged into data packets, and then the data packets will be input into the system, and the system can Different data types, ip or schema in the data packet are used to query and output the required data of the data fetcher, so as to obtain the required data of the data fetcher, which ensures the uniqueness of the person who has the database account password and does not Because developers enter the database at will, the risk of data leakage increases.

进一步，所述S2用于对数据进行加密，并输出加密数据文件及密码的步骤，包括：Further, said S2 is used for encrypting data, and the steps of outputting encrypted data files and passwords include:

S21用于调用检索出的数据的步骤；S21 is a step for calling the retrieved data;

S22用于对数据进行字段匹配，若数据中含有匹配字段，则将当前字段数据以特殊符号替换，如无，直接执行S23的步骤；S22 is used to perform field matching on the data, if the data contains a matching field, then the current field data is replaced with a special symbol, if not, directly execute the step of S23;

S23用于调用MD5算法接口对数据进行加密，并生成加密文件及密码的步骤。S23 is a step for calling the MD5 algorithm interface to encrypt data and generate encrypted files and passwords.

本领域技术人员可以理解，所述匹配字段包括手机号、银行卡号、身份证号等，例如手机号1打头且为11为数字则确定为手机号，则将手机号用特殊字符替代，所述特殊字符为*号，这样就可以保证取数人获取到的数据中不会出现用户的敏感数据，通过MD5算法将数据输出为32进制的从而进一步提高了用户的信息安全。Those skilled in the art can understand that the matching field includes mobile phone number, bank card number, ID card number, etc., for example, the mobile phone number starts with 1 and is determined as a mobile phone number if 11 is a number, then the mobile phone number is replaced with special characters, and the The special character is *, so that it can ensure that the user's sensitive data will not appear in the data obtained by the data collector, and the data will be output in 32 through the MD5 algorithm, thereby further improving the user's information security.

本领域技术人员可以理解，MD5，Message Digest Algorithm 5，是一种被广泛使用的信息摘要算法，可以将给定的任意长度数据通过一定的算法计算得出一个128位固定长度的散列值。Those skilled in the art can understand that MD5, Message Digest Algorithm 5, is a widely used message digest algorithm, which can calculate a 128-bit fixed-length hash value from given data of any length through a certain algorithm.

进一步，所述S3用于将加密数据文件和密码通过不同渠道进行发送的步骤，包括：Further, said S3 is used to send encrypted data files and passwords through different channels, including:

S31用于调用加密文件的步骤；S31 is used to call the step of encrypted file;

S32用于将加密文件发送至取数人邮箱服务器的步骤。S32 is a step for sending the encrypted file to the mailbox server of the data fetcher.

进一步，所述S3用于将加密数据文件和密码通过不同渠道进行发送的步骤，还包括：Further, the step of sending the encrypted data file and password through different channels in the S3 also includes:

S33用于调用密码的步骤；S33 is used to call the step of password;

S34用于将密码发送至取数人钉钉服务器的步骤。S34 is a step for sending the password to the DingTalk server.

本领域技术人员可以理解，将加密文件和密码通过不同渠道分开发送，进一步提高了数据的安全性。Those skilled in the art can understand that the encrypted file and password are sent separately through different channels, which further improves data security.

进一步，所述S3用于将加密数据文件和密码通过不同渠道进行发送的步骤，还包括：用于生成日志的步骤。Further, the step of S3 for sending encrypted data files and passwords through different channels also includes: a step for generating logs.

本领域技术人员可以理解，可以将取数人、取数时间等信息存入日志中，方便工作人员审计使用。Those skilled in the art can understand that information such as the person who took the number and the time when the number was taken can be stored in the log, which is convenient for the staff to audit and use.

实施例二Embodiment two

本实施例所提供的安全取数脱敏系统，包括如下模块：The security desensitization system provided by this embodiment includes the following modules:

S1用于获取数据的模块；S1 is a module for acquiring data;

S2用于对数据进行加密，并输出加密数据文件及密码的模块；S2 is used to encrypt data and output encrypted data files and password modules;

S3用于将加密数据文件和密码通过不同渠道进行发送的模块。S3 is a module used to send encrypted data files and passwords through different channels.

本领域技术人员可以理解，通过对获取到的数据进行加密处理，然后将加密数据文件和密码通过不同渠道发送至取数人，因加密文件和密码是分开发送的，可防止数据外泄，因此大大提高了数据的安全性。Those skilled in the art can understand that by encrypting the obtained data, and then sending the encrypted data file and password to the data collector through different channels, since the encrypted file and password are sent separately, data leakage can be prevented, so Greatly improved data security.

进一步，所述S1用于获取数据的模块，包括：Further, said S1 is used to acquire data modules, including:

S11用于调用审批接口的子模块；S11 is used to call the sub-module of the approval interface;

S12用于通过审批接口获取数据包的子模块；S12 is used to obtain the submodule of the data packet through the approval interface;

S13用于通过调用查询接口对数据包进行检索并输出检索出的数据的子模块。S13 is a submodule for retrieving data packets by calling the query interface and outputting the retrieved data.

本领域技术人员可以理解，首先取数人可以将所需数据提交给OA流程，通过流程统一审批后，将所有取数人的数据打包成数据包，然后将数据包输入系统内，系统可根据数据包中的不同数据类型、ip或schema来查询取数人的所需数据并输出，从而获取到取数人的所需数据，这样就保证了掌握数据库账号密码人员的唯一性，同时不会因为开发人员随意的进入数据库，导致增加数据泄露的风险。Those skilled in the art can understand that firstly, the data collectors can submit the required data to the OA process, and after the unified approval of the process, the data of all data collectors will be packaged into data packets, and then the data packets will be input into the system, and the system can Different data types, ip or schema in the data packet are used to query and output the required data of the data fetcher, so as to obtain the required data of the data fetcher, which ensures the uniqueness of the person who has the database account password and does not Because developers enter the database at will, the risk of data leakage increases.

进一步，所述S2用于对数据进行加密，并输出加密数据文件及密码的模块，包括：Further, the S2 is used to encrypt data and output encrypted data files and password modules, including:

S21用于调用检索出的数据的子模块；S21 is used to call the submodule of the retrieved data;

S22用于对数据进行字段匹配，若数据中含有匹配字段，则将当前字段数据以特殊符号替换，如无，直接执行S23的子模块；S22 is used to perform field matching on the data. If the data contains matching fields, the current field data will be replaced with special symbols. If not, the submodule of S23 will be executed directly;

S23用于调用MD5算法接口对数据进行加密，并生成加密文件及密码的子模块。S23 is a submodule used to call the MD5 algorithm interface to encrypt data and generate encrypted files and passwords.

本领域技术人员可以理解，所述匹配字段包括手机号、银行卡号、身份证号等，例如手机号1打头且为11为数字则确定为手机号，则将手机号用特殊字符替代，所述特殊字符为*号，这样就可以保证取数人获取到的数据中不会出现用户的敏感数据，通过MD5算法将数据输出为32进制的从而进一步提高了用户的信息安全。Those skilled in the art can understand that the matching field includes mobile phone number, bank card number, ID card number, etc., for example, the mobile phone number starts with 1 and is determined as a mobile phone number if 11 is a number, then the mobile phone number is replaced with special characters, and the The special character is *, so that it can ensure that the user's sensitive data will not appear in the data obtained by the data collector, and the data will be output in 32 through the MD5 algorithm, thereby further improving the user's information security.

本领域技术人员可以理解，MD5，Message Digest Algorithm 5，是一种被广泛使用的信息摘要算法，可以将给定的任意长度数据通过一定的算法计算得出一个128位固定长度的散列值。Those skilled in the art can understand that MD5, Message Digest Algorithm 5, is a widely used message digest algorithm, which can calculate a 128-bit fixed-length hash value from given data of any length through a certain algorithm.

进一步，所述S3用于将加密数据文件和密码通过不同渠道进行发送的模块，包括：Further, the S3 is used to send encrypted data files and passwords through different channels, including:

S31用于调用加密文件的子模块；S31 is used to call the submodule of the encrypted file;

S32用于将加密文件发送至取数人邮箱服务器的子模块。S32 is used to send the encrypted file to the submodule of the mailbox server of the data fetcher.

进一步，所述S3用于将加密数据文件和密码通过不同渠道进行发送的模块，还包括：Further, the S3 module for sending encrypted data files and passwords through different channels also includes:

S33用于调用密码的子模块；S33 is used to call the submodule of the password;

S34用于将密码发送至取数人钉钉服务器的子模块。S34 is used to send the password to the submodule of the DingTalk server.

本领域技术人员可以理解，将加密文件和密码通过不同渠道分开发送，进一步提高了数据的安全性。Those skilled in the art can understand that the encrypted file and password are sent separately through different channels, which further improves data security.

进一步，所述S3用于将加密数据文件和密码通过不同渠道进行发送的模块，还包括：用于生成日志的子模块。Further, the S3 module for sending encrypted data files and passwords through different channels also includes: a submodule for generating logs.

本领域技术人员可以理解，可以将取数人、取数时间等信息存入日志中，方便工作人员审计使用。Those skilled in the art can understand that information such as the person who took the number and the time when the number was taken can be stored in the log, which is convenient for the staff to audit and use.

最后应说明的是：以上实施例仅用以说明本发明的技术方案，而非对其限制；尽管参照前述实施例对本发明进行了详细的说明，本领域的普通技术人员应当理解：其依然可以对前述各实施例所记载的技术方案进行修改，或者对其中部分技术特征进行等同替换；而这些修改或者替换，并不使相应技术方案的本质脱离本发明各实施例技术方案的精神和范围。Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present invention, rather than to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that: it can still be Modifications are made to the technical solutions described in the foregoing embodiments, or equivalent replacements are made to some of the technical features; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the spirit and scope of the technical solutions of the various embodiments of the present invention.

Claims (12)

1. A safe access desensitization method is characterized by comprising the following steps:

s1, a step for acquiring data;

s2, encrypting the data and outputting an encrypted data file and a password;

and S3, sending the encrypted data file and the password through different channels.

2. The method of desensitization of secure access to claim 1, wherein said step of S1 for acquiring data comprises:

s11, calling an approval interface;

s12, acquiring a data packet through an approval interface;

and S13, retrieving the data packet by calling the query interface and outputting the retrieved data.

3. The method for desensitizing secure access of claim 2, wherein said step S2 of encrypting data and outputting an encrypted data file and password comprises:

s21, calling the retrieved data;

s22 is used for carrying out field matching on the data, if the data contains a matching field, the data of the current field is replaced by a special symbol, and if the data does not contain the matching field, the step of S23 is directly executed;

and S23, calling the MD5 algorithm interface to encrypt the data and generating an encrypted file and a password.

4. The desensitization method of secure access to claim 3, wherein said step S3 of sending the encrypted data file and the password through different channels comprises:

s31, calling the encrypted file;

s32 is used for sending the encrypted file to the sender mailbox server.

5. The secure access desensitization method of claim 4, wherein said step S3 of sending the encrypted data file and the password through different channels, further comprises:

s33, a step for calling the password;

and S34, sending the password to the fetcher nailing server.

6. The secure access desensitization method of claim 5, wherein the step S3 of sending the encrypted data file and the password through different channels further comprises: a step for generating a log.

7. A secure access desensitization system, comprising the following modules:

s1, a module for acquiring data;

s2, a module used for encrypting data and outputting an encrypted data file and a password;

and S3, a module for sending the encrypted data file and the password through different channels.

8. The secure access desensitization system of claim 7, wherein said S1 modules for acquiring data, comprising:

s11, a sub-module of the approval interface is called;

s12, a submodule for acquiring the data packet through the approval interface;

and S13 is a submodule for retrieving the data packet by calling the query interface and outputting the retrieved data.

9. The secure access desensitization system of claim 8, wherein said S2 module for encrypting data and outputting encrypted data files and passwords comprises:

s21, a submodule for calling the retrieved data;

s22 is used for carrying out field matching on the data, if the data contains a matching field, the data of the current field is replaced by a special symbol, and if the data does not contain the matching field, the submodule of the S23 is directly executed;

and S23 is a submodule for calling the MD5 algorithm interface to encrypt the data and generating an encrypted file and a password.

10. The secure access desensitization system of claim 9, wherein the S3 module for transmitting the encrypted data file and the password through different channels comprises:

s31, calling a sub-module of the encrypted file;

and S32 is used for sending the encrypted file to a submodule of the sender mailbox server.

11. The secure access desensitization system of claim 10, wherein said S3 module for transmitting encrypted data files and passwords through different channels, further comprises:

s33, a submodule for calling the password;

and S34, sending the password to a submodule of the fetcher nailing server.

12. The secure access desensitization system of claim 11, wherein said S3 module for transmitting encrypted data files and passwords through different channels, further comprises: a submodule for generating a log.

Images