CN108683657A - Secure data access method, device, terminal device and readable storage medium - Google Patents

Publication number: CN108683657A
Authority: CN (China)
Prior art keywords: data, matching field, request, performing environment, credible performing
Legal status: Granted, active
Application number: CN201810447105.XA
Other languages: Chinese (zh)
Other versions: CN108683657B (en)
Inventors: 刘钦根, 陈吉, 韩建安, 桂家海, 许可
Current Assignee: China Mobile Information Technology Co Ltd
Original Assignee: Touchstone Credit Service Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a secure data access method, device, terminal device and readable storage medium. When a data requesting institution needs to access data provided by a data providing institution, the data requesting institution intersects the matching fields of the locally stored first data with the matching fields of the second data obtained from the responding data providing institution to obtain a complete matching field data set. It then transmits the matching field data set to a secure directory in a trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built data exploration alliance chain and store it. The data requesting institution can thus directly access the data corresponding to each matching field stored in the trusted execution environment, without the data being transferred by copying, which prevents the data from being leaked or used illegally.

Description

Secure data access method, device, terminal device and readable storage medium
Technical field
The present invention relates to the field of network communication technology, and in particular to a secure data access method, device, terminal device and readable storage medium.
Background
With the development of network communication technology, accessing data over the network has become increasingly convenient. However, while data access has become easier for users, many network problems have also arisen; for example, server attacks and data leaks are becoming increasingly serious. Therefore, to ensure that its core data is not attacked or leaked, each enterprise institution usually sets up various firewalls, or does not even connect to the internet at all. For security reasons, when different enterprise institutions currently share and access data, they usually desensitize the sensitive data and then encrypt, copy, transmit and use the desensitized data.
However, because data is currently mostly transferred offline, the same data file is easily copied by many people, which leads to the data being leaked and used illegally.
In addition, data desensitization requires a desensitization key, and in existing data access approaches this key has to be passed between multiple institutions, which makes it difficult to ensure that the key is not leaked.
The above content is only intended to aid understanding of the technical solution of the present invention and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide a secure data access method, device, terminal device and readable storage medium, intended to solve the technical problem in the prior art that transferring data offline easily leads to the data being leaked and used illegally.
To achieve the above object, the present invention provides a secure data access method, the method comprising the following steps:
A data requesting institution publishes a data request and receives a response message containing the identifier of a data providing institution, the response message being generated by the data providing institution according to the data request;
According to the identifier of the data providing institution, sending the matching fields of first data to the data providing institution, and obtaining the matching fields of second data provided by the data providing institution;
Intersecting the matching fields of the first data with the matching fields of the second data to generate a matching field data set;
Transmitting the matching field data set to a secure directory in a trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built data exploration alliance chain and store it;
Accessing the data corresponding to each matching field stored in the trusted execution environment.
Preferably, before the matching fields of the first data are sent to the data providing institution according to the identifier of the data providing institution, the method further includes:
Performing a desensitization operation on the matching fields of the first data;
Correspondingly, obtaining the matching fields of the second data provided by the data providing institution specifically includes:
Obtaining the matching fields of the second data, after the desensitization operation, provided by the data providing institution.
Preferably, performing the desensitization operation on the matching fields of the first data specifically includes:
Negotiating with the data providing institution to determine a desensitization key;
Performing the desensitization operation on the matching fields of the first data according to the desensitization key;
Correspondingly, obtaining the matching fields of the second data, after the desensitization operation, provided by the data providing institution specifically includes:
Obtaining the matching fields of the second data provided by the data providing institution after it has performed the desensitization operation according to the desensitization key.
Preferably, before accessing the data corresponding to each matching field stored in the trusted execution environment, the method further includes:
Sending a modeling instruction to the trusted execution environment, so that the trusted execution environment can create a data value model for determining the value of each item of stored data;
Correspondingly, accessing the data corresponding to each matching field stored in the trusted execution environment specifically includes:
Obtaining the value of each item of data determined by the data value model;
Determining, according to the value of each item of data, whether to access the data corresponding to each matching field stored in the trusted execution environment.
Preferably, before the data requesting institution publishes the data request, the method further includes:
The data requesting institution improves the data exploration alliance chain, where the data exploration alliance chain is built on a blockchain by registering and publishing the identifiers of each data requesting institution and each data providing institution.
Preferably, the data requesting institution improving the data exploration alliance chain specifically includes:
The data requesting institution publishes the first data to the data exploration alliance chain, thereby improving the data exploration alliance chain.
Preferably, the secure directory in the trusted execution environment is created by the trusted execution environment and is encrypted with a secure directory key generated in advance by the trusted execution environment.
In addition, to achieve the above object, the present invention also provides a secure data access device, the device comprising:
A publishing module, for publishing the data request of the data requesting institution;
A receiving module, for receiving a response message containing the identifier of a data providing institution, the response message being generated by the data providing institution according to the data request;
A sending module, for sending the matching fields of the first data to the data providing institution according to the identifier of the data providing institution;
An acquisition module, for obtaining the matching fields of the second data provided by the data providing institution;
A generation module, for intersecting the matching fields of the first data with the matching fields of the second data to generate a matching field data set;
A transmission module, for transmitting the matching field data set to the secure directory in the trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built data exploration alliance chain and store it;
An access module, for accessing the data corresponding to each matching field stored in the trusted execution environment.
In addition, to achieve the above object, the present invention also provides a terminal device, the terminal device comprising: a memory, a processor, and a secure data access program stored on the memory and runnable on the processor, the secure data access program being configured to implement the steps of the secure data access method.
In addition, to achieve the above object, the present invention also provides a readable storage medium, which is a computer-readable storage medium storing a secure data access program that, when executed by a processor, implements the steps of the secure data access method.
With the present invention, when a data requesting institution needs to access data provided by a data providing institution, the data requesting institution intersects the matching fields of the locally stored first data with the matching fields of the second data obtained from the responding data providing institution to obtain a complete matching field data set, and then transmits the matching field data set to the secure directory in the trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built data exploration alliance chain and store it. Data access between the two institutions is thereby moved into the trusted execution environment. Because the data requesting institution can directly access the data corresponding to each matching field stored in the trusted execution environment, institutions sharing data do not need to copy it by offline transfer, which prevents the data from falling into the hands of users without access rights and thus from being leaked or used illegally.
Description of the drawings
Fig. 1 is a structural schematic diagram of the terminal device of the hardware running environment involved in the embodiments of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the secure data access method of the present invention;
Fig. 3 is a schematic diagram of the data exploration alliance chain in the secure data access method of the present invention;
Fig. 4 is a flow diagram of the second embodiment of the secure data access method of the present invention;
Fig. 5 is a schematic diagram of the desensitization operation in the secure data access method of the present invention;
Fig. 6 is a flow diagram of the third embodiment of the secure data access method of the present invention;
Fig. 7 is a schematic diagram of the interaction between the data requesting institution, the data providing institution and the trusted execution environment in the secure data access method of the present invention;
Fig. 8 is a functional block diagram of the secure data access device of the present invention.
The realization of the objects, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description
It should be understood that the specific embodiments described herein are only intended to explain the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a structural schematic diagram of the terminal device of the hardware running environment involved in the embodiments of the present invention.
As shown in Fig. 1, the terminal device may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to connect these components and carry communication between them. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard) or mouse (Mouse); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wireless Fidelity (WIreless-FIdelity, WI-FI) interface, a Bluetooth interface, etc.). The memory 1005 may be a high-speed RAM memory or a stable memory (non-volatile memory), such as a magnetic disk memory. The memory 1005 may optionally also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the structure shown in Fig. 1 does not limit the terminal device, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently.
As shown in Fig. 1, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and a secure data access program.
In the terminal device shown in Fig. 1, the network interface 1004 is mainly used to establish communication connections between the terminal device and the trusted execution environment and the terminal device that provides data; the user interface 1003 is mainly used to receive input instructions from the user; the terminal device calls, through the processor 1001, the secure data access program stored in the memory 1005 and performs the following operations:
A data requesting institution publishes a data request and receives a response message containing the identifier of a data providing institution, the response message being generated by the data providing institution according to the data request;
According to the identifier of the data providing institution, sending the matching fields of first data to the data providing institution, and obtaining the matching fields of second data provided by the data providing institution;
Intersecting the matching fields of the first data with the matching fields of the second data to generate a matching field data set;
Transmitting the matching field data set to a secure directory in a trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built data exploration alliance chain and store it;
Accessing the data corresponding to each matching field stored in the trusted execution environment.
Further, the processor 1001 can call the secure data access program stored in the memory 1005 and also perform the following operations:
Performing a desensitization operation on the matching fields of the first data;
Correspondingly, obtaining the matching fields of the second data provided by the data providing institution specifically includes:
Obtaining the matching fields of the second data, after the desensitization operation, provided by the data providing institution.
Further, the processor 1001 can call the secure data access program stored in the memory 1005 and also perform the following operations:
Negotiating with the data providing institution to determine a desensitization key;
Performing the desensitization operation on the matching fields of the first data according to the desensitization key;
Correspondingly, obtaining the matching fields of the second data, after the desensitization operation, provided by the data providing institution specifically includes:
Obtaining the matching fields of the second data provided by the data providing institution after it has performed the desensitization operation according to the desensitization key.
Further, the processor 1001 can call the secure data access program stored in the memory 1005 and also perform the following operations:
Sending a modeling instruction to the trusted execution environment, so that the trusted execution environment can create a data value model for determining the value of each item of stored data;
Correspondingly, accessing the data corresponding to each matching field stored in the trusted execution environment specifically includes:
Obtaining the value of each item of data determined by the data value model;
Determining, according to the value of each item of data, whether to access the data corresponding to each matching field stored in the trusted execution environment.
Further, the processor 1001 can call the secure data access program stored in the memory 1005 and also perform the following operations:
The data requesting institution improves the data exploration alliance chain, where the data exploration alliance chain is built on a blockchain by registering and publishing the identifiers of each data requesting institution and each data providing institution.
Further, the processor 1001 can call the secure data access program stored in the memory 1005 and also perform the following operations:
The data requesting institution publishes the first data to the data exploration alliance chain, thereby improving the data exploration alliance chain.
With the above scheme, in this embodiment, when a data requesting institution needs to access data provided by a data providing institution, the data requesting institution intersects the matching fields of the locally stored first data with the matching fields of the second data obtained from the responding data providing institution to obtain a complete matching field data set, and then transmits the matching field data set to the secure directory in the trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built data exploration alliance chain and store it. Data access between the two institutions is thereby moved into the trusted execution environment. Because the data requesting institution can directly access the data corresponding to each matching field stored in the trusted execution environment, institutions sharing data do not need to copy it by offline transfer, which prevents the data from falling into the hands of users without access rights and thus from being leaked or used illegally.
Based on the above hardware structure, embodiments of the secure data access method of the present invention are proposed.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the secure data access method of the present invention.
In the first embodiment, the secure data access method includes the following steps:
S10: A data requesting institution publishes a data request and receives a response message containing the identifier of a data providing institution, the response message being generated by the data providing institution according to the data request.
Specifically, the data request published by the data requesting institution is published to the pre-established data exploration alliance chain.
Correspondingly, the received response message containing the identifier of the data providing institution is generated by a data providing institution on the data exploration alliance chain.
For example, every data provider able to provide data can actively search the data exploration alliance chain for data requests relevant to itself, for instance requests whose data dictionary is the same as the data dictionary of the data it provides. When it finds a relevant data request, the data provider generates a response message carrying its own identifier, so as to establish a matching relationship with the data requesting institution.
In addition, it should be noted that the data exploration alliance chain described above is built on a blockchain by registering and publishing the identifiers of each data requesting institution and each data providing institution.
In addition, to ensure that the data stored in the data exploration alliance chain is sufficiently complete, every institution that joins the alliance chain needs to periodically publish its local data to the data exploration alliance, so as to improve the data in the data exploration alliance chain.
Since this embodiment is described from the standpoint of the data requesting institution, the data requesting institution needs to improve the data exploration alliance chain before it publishes the data request, for example by publishing the first data to the data exploration alliance chain.
In addition, when improving the data exploration alliance chain, whether the uploader is a data requesting institution or a data providing institution, the uploaded data must have a corresponding data dictionary; that is, the data items, data structures, data flows, data stores, processing logic, external entities and so on of the data need to be defined and described, so as to facilitate subsequent operations such as modeling.
In addition, so that data providing institutions can respond promptly when the data requesting institution publishes a data request, the published data request may include the data dictionary of the requested data and the data range (the amount of data requested, such as the data within one month).
It should be noted that the above are only examples and do not limit the technical solution of the present invention in any way; in practical applications, those skilled in the art can configure this as needed.
Furthermore, in practical applications a data requesting institution is equally a data providing institution, so the implementation on the data providing institution side can be set up correspondingly by referring to how the data requesting institution accesses data in this embodiment; it is not described again here and is not specifically limited.
S20: According to the identifier of the data providing institution, sending the matching fields of first data to the data providing institution, and obtaining the matching fields of second data provided by the data providing institution.
Specifically, the first data described in this embodiment is the data stored locally by the data requesting institution, and the second data is the data stored locally by the data providing institution.
In addition, the matching fields of the first data and the matching fields of the second data specifically refer to the index names stored in each column of each storage table; for example, the first column is trade name, the second column is shipping room name, the third column is customer name, the fourth column is delivery employee number, and so on.
It should be noted that the above are only examples and do not limit the technical solution of the present invention in any way; in practical applications, those skilled in the art can configure this as needed.
S30: Intersecting the matching fields of the first data with the matching fields of the second data to generate a matching field data set.
Specifically, in this embodiment the matching field data set is obtained by intersecting the matching fields of the first data with the matching fields of the second data, so that a complete matched data set can be obtained, ensuring that complete data can be accessed during subsequent data access.
S40: Transmitting the matching field data set to a secure directory in a trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built data exploration alliance chain and store it.
Specifically, the trusted execution environment (Trusted Execution Environment, TEE) described in this embodiment may specifically be a third-party trusted institution deployed in the network.
In addition, to ensure that the data subsequently stored in the trusted execution environment is sufficiently secure and is not used illegally, in a specific implementation the trusted execution environment may create a secure directory and then store the matching fields of the matching field data set in that secure directory.
Further, to raise the security level, the trusted execution environment may also generate a secure directory key using an internal key generation procedure and then encrypt the secure directory with that key, so that any data requesting institution that subsequently needs to access the data stored in it must have the corresponding access rights, or must be a member of the data exploration alliance chain.
It should be noted that the above is only one specific implementation; in a specific application, those skilled in the art can configure this as needed, and no limitation is imposed here.
S50: Accessing the data corresponding to each matching field stored in the trusted execution environment.
From the above description it is easy to see that, with the secure data access method provided in this embodiment, when a data requesting institution needs to access data provided by a data providing institution, the data requesting institution intersects the matching fields of the locally stored first data with the matching fields of the second data obtained from the responding data providing institution to obtain a complete matching field data set, and then transmits the matching field data set to the secure directory in the trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built data exploration alliance chain and store it. Data access between the two institutions is thereby moved into the trusted execution environment. Because the data requesting institution can directly access the data corresponding to each matching field stored in the trusted execution environment, institutions sharing data do not need to copy it by offline transfer, which prevents the data from falling into the hands of users without access rights and thus from being leaked or used illegally.
Further, as shown in Fig. 4, a second embodiment of the secure access method for data of the present invention is proposed on the basis of the first embodiment. In this embodiment, before the matching fields of the first data are sent to the data providing institution according to the identifier of the data providing institution, a desensitization operation needs to be performed on the matching fields of the first data.
For convenience of description, step S20 is divided into two sub-steps in this embodiment; see Fig. 4.
In step S201, a desensitization operation is performed on the matching fields of the first data.
In step S202, according to the identifier of the data providing institution, the desensitized matching fields of the first data are sent to the data providing institution, and the desensitized matching fields of the second data provided by the data providing institution are obtained.
Specifically, in this embodiment the data requesting institution can perform the desensitization operation on the matching fields of the first data as follows:
First, negotiate with the data providing institution to determine a desensitization key.
Then, according to the desensitization key, perform the desensitization operation on the matching fields of the first data.
It should be understood that the subsequently generated matching field data set is obtained by intersecting the matching fields of the first data with the matching fields of the second data. Once the matching fields of the first data have been desensitized according to the desensitization key, the desensitization rule must therefore be the same for every matching field in the subsequently generated matching field data set. For this reason, the matching fields of the second data obtained from the data providing institution are specifically the matching fields of the second data produced by the data providing institution performing the desensitization operation with the same desensitization key.
In addition, to make the desensitization operation described in this example easier to understand, it is described in detail below with reference to Fig. 5.
Specifically, HyperLedger in Fig. 5 refers to the Hyperledger distributed ledger in blockchain technology.
The DB area is the storage area used to store local data (for the desensitization operation of the data requesting institution, it stores the matching fields of the above first data and the first data; for the desensitization operation of the data providing institution, it stores the matching fields of the above second data and the second data).
The APP area holds the applications of the data requesting institution or data providing institution that users can operate; correspondingly, the data stored in the DB area is the data generated by the applications in the APP area.
DMZ refers to an isolation zone and is the abbreviation of "demilitarized zone". It is mainly used to build a security zone between the internal network and the external network.
As shown in Fig. 5, when the desensitization operation is performed, step "0, verify program signature" first checks whether the requirement is met. If it is, step "1, start desensitization operation" is executed together with step "2, verify whether the caller is legitimate", that is, whether the institution that needs to access the data is a member of the Data Mining alliance chain or holds permission to access the data. If all of the above steps pass, step "3, call the data extractor to extract the raw data" is executed and the extracted raw data is handed to the desensitization program. After desensitization the raw data is returned, that is, step "4, return raw data" is executed; at the same time the desensitization program generates a desensitization folder and writes the desensitized data into that folder, that is, step "5, write desensitized data" is executed.
It should be noted that the above is only an example; in practical applications, those skilled in the art can make the specific arrangements with reference to Fig. 5, which are neither described further nor limited here.
From the above description it is easy to see that, in the secure access method for data provided in this embodiment, before the matching fields of the first data are sent to the data providing institution according to its identifier, a desensitization operation is performed on the matching fields of the first data, and the desensitized matching fields of the second data provided by the data providing institution are obtained. The intersection is then taken over the desensitized matching fields of the first data and of the second data. Certain sensitive information is thereby transformed according to the desensitization rule, privacy-sensitive data is reliably protected, and the security of data access is ensured.
In addition, the data requesting institution determines the desensitization key by negotiating with the data providing institution. Because no manual configuration is involved and the desensitization key is determined by internally configured programs, the desensitization key can be kept from leaking, which in turn ensures the security of the matching fields desensitized with that key.
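The exchange in steps S201 and S202 can be sketched as follows. This is an added illustration, not part of the patent text: the patent does not name a desensitization algorithm or a key negotiation scheme, so HMAC-SHA256, the field normalization, the hard-coded shared key and every function name below are assumptions, and the sample fields are constructed.

```python
import hashlib
import hmac
import unicodedata

# Constructed stand-in for the desensitization key the two institutions
# negotiate. How the negotiation works is not specified, so it is assumed done.
NEGOTIATED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Constructed sample matching fields (phone-number style values).
REQUESTER_FIELDS = ["138-0013-8000", "13900139000", "13700137000", ""]
PROVIDER_FIELDS = ["13800138000", "137 0013 7000", "13600136000"]


def normalize(field: str) -> bytes:
    """Canonicalize a matching field so both sides hash identical bytes."""
    text = unicodedata.normalize("NFKC", field).strip().lower()
    # Drop separators that commonly differ between systems (spaces, dashes).
    text = "".join(ch for ch in text if ch.isalnum())
    return text.encode("utf-8")


def desensitize(field: str, key: bytes) -> str:
    """Keyed one-way token for a matching field (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, normalize(field), hashlib.sha256).hexdigest()


def desensitize_all(fields, key):
    """Return token -> original field; only the tokens leave the institution."""
    table = {}
    for field in fields:
        if not normalize(field):
            continue  # empty fields would all collapse onto one token
        table[desensitize(field, key)] = field
    return table


def matching_field_dataset(local_table, remote_tokens):
    """Intersect local tokens with the tokens received from the other side."""
    return sorted(set(local_table) & set(remote_tokens))


def run_exchange(requester_fields, provider_fields, requester_key, provider_key):
    """Each side desensitizes locally; the requester intersects the tokens."""
    requester_table = desensitize_all(requester_fields, requester_key)
    provider_tokens = set(desensitize_all(provider_fields, provider_key))
    dataset = matching_field_dataset(requester_table, provider_tokens)
    # The requester can map matched tokens back to its own records only.
    matched_local = sorted(requester_table[token] for token in dataset)
    return dataset, matched_local


if __name__ == "__main__":
    dataset, matched = run_exchange(
        REQUESTER_FIELDS, PROVIDER_FIELDS, NEGOTIATED_KEY, NEGOTIATED_KEY
    )
    print("matching field data set:", dataset)
    print("requester records that matched:", matched)
    # Different keys on the two sides: the desensitization rules no longer
    # agree, so the intersection is empty even though the raw fields overlap.
    print(run_exchange(REQUESTER_FIELDS, PROVIDER_FIELDS, NEGOTIATED_KEY, b"x" * 32))
```

Because both institutions hold the same key, a keyed hash keeps the tokens opaque only to parties outside the exchange; the counterparty can still test guesses against low-entropy fields such as phone numbers.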
Further, as shown in Fig. 6, a third embodiment of the secure access method for data of the present invention is proposed on the basis of the first embodiment. In this embodiment, a step S00 is added before the data corresponding to each matching field stored in the trusted execution environment is accessed.
For ease of understanding, this is described in detail below with reference to Fig. 6:
In step S00: Send a modeling instruction to the trusted execution environment, so that the trusted execution environment can create a data value model for determining the value of each stored data item.
Correspondingly, once the data value model determines the value of each stored data item, step S50 also changes. For convenience of description, step S50 is divided into two sub-steps in this embodiment; see Fig. 6.
Specifically, in step S501: Obtain the value of each data item determined by the data value model.
In step S502: According to the value of each data item, determine whether to access the data corresponding to each matching field stored in the trusted execution environment.
It should be understood that the value of data in this embodiment is determined according to the data that the data requesting institution needs. For example, if a data item is one that the data requesting institution wants to obtain (as determined from the data request issued by the data requesting institution), the value of that data item is high; otherwise its value is considered not high. When the value of the data is high, the data requesting institution can determine that it needs to access the data corresponding to each matching field stored in the trusted execution environment; otherwise it does not access it.
In addition, to simplify the modeling process, in a concrete implementation the data value model can be created with Jupyter Notebook (an interactive notebook, previously called IPython notebook). As for the specific way of creating it, those skilled in the art can follow the Jupyter Notebook development documentation, and it is not described further here.
In addition, in practical applications, those skilled in the art can also choose other modeling languages to create the data value model as needed, and no limitation is imposed here.
It should be noted that the above is only an example and does not limit the technical solution of the present invention in any way. In a concrete implementation, those skilled in the art can implement it based on the working principle of blockchain together with the interaction diagram, shown in Fig. 7, between the data requesting institution, the data providing institution and the trusted execution environment; this is neither described further nor specifically limited here.
In addition, it should be explained that DAPP in Fig. 7 refers to a distributed application. A distributed application is similar to a smart contract in Ethereum; that is, a DAPP is an application based on blockchain.
From the above description it is easy to see that, in the secure access method for data provided in this embodiment, a modeling instruction is sent to the trusted execution environment before the data corresponding to each matching field stored in it is accessed, so that the trusted execution environment can create a data value model for determining the value of each stored data item. When the data corresponding to each matching field stored in the trusted execution environment is to be accessed, the value of each data item determined by the data value model can then be used to decide whether to access it, which further adds convenience for both parties to the data sharing while ensuring the access security of the data.
In addition, an embodiment of the present invention also proposes a secure access device for data. As shown in Fig. 8, the secure access device for data includes: a release module 8001, a receiving module 8002, a sending module 8003, an acquisition module 8004, a generation module 8005, a transmission module 8006 and an access module 8007.
The release module 8001 is used to issue the data request of the data requesting institution. The receiving module 8002 is used to receive the response message containing the identifier of the data providing institution. The sending module 8003 is used to send the matching fields of the first data to the data providing institution according to the identifier of the data providing institution. The acquisition module 8004 is used to obtain the matching fields of the second data provided by the data providing institution. The generation module 8005 is used to intersect the matching fields of the first data with the matching fields of the second data to generate the matching field data set. The transmission module 8006 is used to transmit the matching field data set to the secure directory in the trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built Data Mining alliance chain and store it. The access module 8007 is used to access the data corresponding to each matching field stored in the trusted execution environment.
In addition, it is worth noting that the response message described in this embodiment is generated by the data providing institution according to the data request.
From the above description it is easy to see that, with the secure access device for data provided in this embodiment, when the data requesting institution needs to access data provided by a data providing institution, the data requesting institution intersects the matching fields of the locally stored first data with the matching fields of the second data obtained from the data providing institution that responded, obtaining a complete matching field data set. It then transmits the matching field data set to the secure directory in the trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built Data Mining alliance chain and store it. Data access between the two institutions is thereby moved into the trusted execution environment. Because the data requesting institution can directly access the data corresponding to each matching field stored in the trusted execution environment, the institutions do not need to copy data by offline transfer when sharing it, which prevents data from falling into the hands of users without access rights and so avoids data leakage and illegal use.
It should be noted that the workflow described above is only illustrative and does not limit the scope of protection of the present invention. In practical applications, those skilled in the art can select some or all of it according to actual needs to achieve the purpose of the solution of this embodiment, and no limitation is imposed here.
In addition, for technical details not described in detail in this embodiment, refer to the secure access method for data provided by any embodiment of the present invention; they are not repeated here.
In addition, an embodiment of the present invention also proposes a readable storage medium. The readable storage medium is a computer-readable storage medium on which a secure access program for data is stored, and the secure access program for data implements the following operations when executed by a processor:
The data requesting institution issues a data request and receives a response message containing the identifier of a data providing institution, the response message being generated by the data providing institution according to the data request;
According to the identifier of the data providing institution, sending the matching fields of the first data to the data providing institution, and obtaining the matching fields of the second data provided by the data providing institution;
Intersecting the matching fields of the first data with the matching fields of the second data to generate a matching field data set;
Transmitting the matching field data set to the secure directory in the trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from the pre-built Data Mining alliance chain and store it;
Accessing the data corresponding to each matching field stored in the trusted execution environment.
Further, the secure access program for data also implements the following operations when executed by a processor:
Performing a desensitization operation on the matching fields of the first data;
Correspondingly, obtaining the matching fields of the second data provided by the data providing institution specifically includes:
Obtaining the desensitized matching fields of the second data provided by the data providing institution.
Further, the secure access program for data also implements the following operations when executed by a processor:
Negotiating with the data providing institution to determine a desensitization key;
According to the desensitization key, performing the desensitization operation on the matching fields of the first data;
Correspondingly, obtaining the desensitized matching fields of the second data provided by the data providing institution specifically includes:
Obtaining the matching fields of the second data that the data providing institution has desensitized according to the desensitization key.
Further, the secure access program for data also implements the following operations when executed by a processor:
Sending a modeling instruction to the trusted execution environment, so that the trusted execution environment can create a data value model for determining the value of each stored data item;
Correspondingly, accessing the data corresponding to each matching field stored in the trusted execution environment specifically includes:
Obtaining the value of each data item determined by the data value model;
According to the value of each data item, determining whether to access the data corresponding to each matching field stored in the trusted execution environment.
Further, the secure access program for data also implements the following operations when executed by a processor:
The data requesting institution improves the Data Mining alliance chain, the Data Mining alliance chain being built on a blockchain by registering and publishing the identifiers of each data requesting institution and each data providing institution.
Further, the secure access program for data also implements the following operations when executed by a processor:
The data requesting institution publishes the first data to the Data Mining alliance chain to improve the Data Mining alliance chain.
It should be noted that, in this document, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to that process, method, article or system. Without further restriction, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the embodiments of the present invention are for description only and do not represent the merits of the embodiments.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and includes a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of protection of the present invention.

Claims (10)

1. A secure access method for data, characterized in that the method comprises the following steps:
a data requesting institution issues a data request and receives a response message containing the identifier of a data providing institution, the response message being generated by the data providing institution according to the data request;
according to the identifier of the data providing institution, sending the matching fields of first data to the data providing institution, and obtaining the matching fields of second data provided by the data providing institution;
intersecting the matching fields of the first data with the matching fields of the second data to generate a matching field data set;
transmitting the matching field data set to a secure directory in a trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from a pre-built Data Mining alliance chain and store it;
accessing the data corresponding to each matching field stored in the trusted execution environment.
2. The method according to claim 1, characterized in that, before the matching fields of the first data are sent to the data providing institution according to the identifier of the data providing institution, the method further comprises:
performing a desensitization operation on the matching fields of the first data;
correspondingly, obtaining the matching fields of the second data provided by the data providing institution specifically comprises:
obtaining the desensitized matching fields of the second data provided by the data providing institution.
3. The method according to claim 2, characterized in that performing the desensitization operation on the matching fields of the first data specifically comprises:
negotiating with the data providing institution to determine a desensitization key;
according to the desensitization key, performing the desensitization operation on the matching fields of the first data;
correspondingly, obtaining the desensitized matching fields of the second data provided by the data providing institution specifically comprises:
obtaining the matching fields of the second data that the data providing institution has desensitized according to the desensitization key.
4. The method according to any one of claims 1 to 3, characterized in that, before accessing the data corresponding to each matching field stored in the trusted execution environment, the method further comprises:
sending a modeling instruction to the trusted execution environment, so that the trusted execution environment can create a data value model for determining the value of each stored data item;
correspondingly, accessing the data corresponding to each matching field stored in the trusted execution environment specifically comprises:
obtaining the value of each data item determined by the data value model;
according to the value of each data item, determining whether to access the data corresponding to each matching field stored in the trusted execution environment.
5. The method according to any one of claims 1 to 3, characterized in that, before the data requesting institution issues the data request, the method further comprises:
the data requesting institution improves the Data Mining alliance chain, the Data Mining alliance chain being built on a blockchain by registering and publishing the identifiers of each data requesting institution and each data providing institution.
6. The method according to claim 5, characterized in that the data requesting institution improving the Data Mining alliance chain specifically comprises:
the data requesting institution publishes the first data to the Data Mining alliance chain to improve the Data Mining alliance chain.
7. The method according to any one of claims 1 to 3, characterized in that the secure directory in the trusted execution environment is created by the trusted execution environment and is encrypted using a secure directory key generated in advance by the trusted execution environment.
8. A secure access device for data, characterized in that the device comprises:
a release module, used to issue the data request of a data requesting institution;
a receiving module, used to receive a response message containing the identifier of a data providing institution, the response message being generated by the data providing institution according to the data request;
a sending module, used to send the matching fields of first data to the data providing institution according to the identifier of the data providing institution;
an acquisition module, used to obtain the matching fields of second data provided by the data providing institution;
a generation module, used to intersect the matching fields of the first data with the matching fields of the second data to generate a matching field data set;
a transmission module, used to transmit the matching field data set to a secure directory in a trusted execution environment, so that the trusted execution environment can, according to the matching fields in the matching field data set recorded in the secure directory, obtain the data corresponding to each matching field from a pre-built Data Mining alliance chain and store it;
an access module, used to access the data corresponding to each matching field stored in the trusted execution environment.
9. A terminal device, characterized in that the terminal device comprises: a memory, a processor, and a secure access program for data that is stored in the memory and can run on the processor, the secure access program for data being configured to implement the steps of the secure access method for data according to any one of claims 1 to 7.
10. A readable storage medium, characterized in that the readable storage medium is a computer-readable storage medium on which a secure access program for data is stored, and the secure access program for data, when executed by a processor, implements the steps of the secure access method for data according to any one of claims 1 to 7.
CN201810447105.XA 2018-05-11 2018-05-11 Data security access method and device, terminal equipment and readable storage medium Active CN108683657B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810447105.XA CN108683657B (en) 2018-05-11 2018-05-11 Data security access method and device, terminal equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810447105.XA CN108683657B (en) 2018-05-11 2018-05-11 Data security access method and device, terminal equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN108683657A true CN108683657A (en) 2018-10-19
CN108683657B CN108683657B (en) 2021-03-02

Family

ID=63805918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810447105.XA Active CN108683657B (en) 2018-05-11 2018-05-11 Data security access method and device, terminal equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN108683657B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105590066A (en) * 2015-12-02 2016-05-18 ***股份有限公司 Big data safe integration method capable of protecting privacy
CN107124268A (en) * 2017-04-01 2017-09-01 中国人民武装警察部队工程大学 A kind of privacy set common factor computational methods for resisting malicious attack
CN107135209A (en) * 2017-04-21 2017-09-05 天津理工大学 A kind of data sharing method based on block chain
CN107315967A (en) * 2017-06-23 2017-11-03 北京小米移动软件有限公司 Data matching method, device and computer-readable recording medium
CN107947940A (en) * 2017-11-29 2018-04-20 树根互联技术有限公司 A kind of method and device of data exchange

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111898156A (en) * 2019-01-31 2020-11-06 创新先进技术有限公司 Method, node and storage medium for realizing contract calling in block chain
CN111898156B (en) * 2019-01-31 2024-04-16 创新先进技术有限公司 Method, node and storage medium for realizing contract call in block chain
CN111737724A (en) * 2020-08-26 2020-10-02 腾讯科技(深圳)有限公司 Data processing method and device, intelligent equipment and storage medium

Also Published As

Publication number Publication date
CN108683657B (en) 2021-03-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220922

Address after: Room 1006, Building 16, Yingcai North 3rd Street, Future Science City, Changping District, Beijing 102200

Patentee after: China Mobile Information Technology Co.,Ltd.

Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.)

Patentee before: SHIJINSHI CREDIT SERVICE Co.,Ltd.
