CN108683657A - Safety access method, device, terminal device and the readable storage medium storing program for executing of data - Google Patents
Safety access method, device, terminal device and the readable storage medium storing program for executing of data Download PDFInfo
- Publication number
- CN108683657A CN108683657A CN201810447105.XA CN201810447105A CN108683657A CN 108683657 A CN108683657 A CN 108683657A CN 201810447105 A CN201810447105 A CN 201810447105A CN 108683657 A CN108683657 A CN 108683657A
- Authority
- CN
- China
- Prior art keywords
- data
- matching field
- request
- performing environment
- credible performing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a kind of safety access method of data, device, terminal device and readable storage medium storing program for executing.The present invention is when request of data mechanism needs to access the data of data offer mechanism offer, the matching field that request of data mechanism provides the second data that mechanism obtains by the matching field for the first data that will be locally stored and from the data responded does intersection, obtain a complete matching field data set, then the security catalog in field data set transmissions to credible performing environment will be matched, so that credible performing environment can obtain from the Data Mining alliance chain built in advance according to the matching field in the matching field data set recorded in security catalog and store the corresponding data of each matching field, so as to so that request of data mechanism directly accesses the corresponding data of each matching field stored in credible performing environment, carry out data transmission without copy mode, data are avoided to be leaked and the illegal generation using phenomenon.
Description
Technical field
The present invention relates to network communication technology fields more particularly to a kind of safety access method of data, device, terminal to set
Standby and readable storage medium storing program for executing.
Background technology
With the development of network communication technology, the access of data is carried out based on network to be become increasingly to facilitate.However in side
Just while user carries out data access, also there are many network problems, for example the problems such as server attack, leaking data becomes
It obtains increasingly tighter more.Therefore, each enterprise institution is not attacked, is revealed to ensure the core data of oneself, it will usually which setting is each
Kind fire wall will not even be connected in internet.Based on the considerations of safety, enterprise institutions different at present is carrying out data
When shared, access operation, it will usually desensitize to sensitive data, then be encrypted, copy, pass to the data after desensitization
Defeated, use.
However, in data transmission procedure, due to mostly using transmission mode under line at present, this is easy for leading to same data
The case where file is copied by more people, to cause leaking data, by illegal use.
In addition, in data desensitization, the key of desensitization is needed since data desensitize, and existing data access side
Key will transmit between multi-party mechanism in formula, this is difficult to ensure that key is not leaked.
The above is only used to facilitate the understanding of the technical scheme, and is not represented and is recognized that the above is existing skill
Art.
Invention content
The main purpose of the present invention is to provide a kind of safety access method of data, device, terminal device and readable deposit
Storage media, it is intended to solve in the prior art by the way of transmission data under line, be easy to cause leaking data, be used by illegal
Technical problem.
To achieve the above object, the present invention provides a kind of safety access method of data, the method includes following steps
Suddenly:
Request of data mechanism issues request of data, receives the response message for the identifier that mechanism is provided comprising data, described
Response message provides mechanism by the data and is generated according to the request of data;
The identifier that mechanism is provided according to the data provides the matching column that mechanism sends the first data to the data
Position, and obtain the matching field that the data provide the second data that mechanism provides;
The matching field of the matching field of first data and second data is done into intersection, generates matching field number
According to collection;
By the security catalog in the matching field data set transmissions to credible performing environment, so that the credible execution ring
It border can be according to the matching field in the matching field data set recorded in the security catalog from the data built in advance
It explores and is obtained in alliance's chain and store the corresponding data of each matching field;
Access the corresponding data of each matching field stored in the credible performing environment.
Preferably, the identifier that mechanism is provided according to the data provides mechanism to the data and sends the first number
According to matching field before, the method further includes:
Desensitization operation is carried out to the matching field of first data;
Correspondingly, the matching field for obtaining the data and providing the second data that mechanism provides, specifically includes:
It obtains the data and the matching field for carrying out the second data after desensitization operation that mechanism provides is provided.
Preferably, the matching field to first data carries out desensitization operation, specifically includes:
Mechanism is provided with the data to negotiate to determine desensitization key;
According to the desensitization key, desensitization operation is carried out to the matching field of first data;
Correspondingly, the matching column for carrying out the second data after desensitization operation for obtaining the data and mechanism offer being provided
Position, specifically includes:
Obtain that the data provide that mechanism provides according to the desensitization key, carry out the second data after desensitization operation
Match field.
Preferably, described before the corresponding data of each matching field stored in the access credible performing environment
Method further includes:
Modeling instruction is sent to the credible performing environment, is deposited for determination so that the credible performing environment can be created
The data value modeling of the value of each data of storage;
Correspondingly, described to access the corresponding data of each matching field stored in the credible performing environment, it specifically includes:
Obtain the value of the determining each data of the data value modeling;
According to the value of each data, it is determined whether it is corresponding to access each matching field stored in the credible performing environment
Data.
Preferably, before the request of data mechanism publication request of data, the method further includes:
Request of data mechanism Data Mining alliance chain is carried out it is perfect, Data Mining alliance chain be based on block
Chain, the identifier by providing each request of data mechanism and each data mechanism are registered and are issued built-up.
Preferably, the request of data mechanism carries out Data Mining alliance chain perfect, specifically includes:
Request of data mechanism joins the Data Mining by first data publication to Data Mining alliance chain
Alliance's chain carries out perfect.
Preferably, the security catalog in the credible performing environment is created by the credible performing environment, and described in utilization
The security catalog key that credible performing environment is generated in advance is encrypted.
In addition, to achieve the above object, the present invention also provides a kind of secure access device of data, described device packets
It includes:
Release module, the request of data for issuing request of data structure;
Receiving module, the response message for receiving the identifier for providing mechanism comprising data, the response message is by institute
Data offer mechanism is stated to be generated according to the request of data;
Sending module, the identifier for providing mechanism according to the data provide mechanism to the data and send first
The matching field of data;
Acquisition module provides the matching field for the second data that mechanism provides for obtaining the data;
Generation module, for the matching field of the matching field of first data and second data to be done intersection,
Generate matching field data set;
Transmission module is used for the security catalog in the matching field data set transmissions to credible performing environment, so that
The credible performing environment can according to the matching field in the matching field data set recorded in the security catalog from
It is obtained in the Data Mining alliance chain built in advance and stores the corresponding data of each matching field;
Access modules, for accessing the corresponding data of each matching field stored in the credible performing environment.
In addition, to achieve the above object, the present invention also provides a kind of terminal device, the terminal device includes:Storage
Device, processor and the secure access program for being stored in the data that can be run on the memory and on the processor, institute
State the step of secure access programs of data is arranged for carrying out the safety access method of the data.
In addition, to achieve the above object, the present invention also provides a kind of readable storage medium storing program for executing, the readable storage medium storing program for executing is
Computer readable storage medium is stored with the secure access program of data, the data on the computer readable storage medium
Secure access program the step of realizing the safety access method of the data when being executed by processor.
When request of data mechanism needs to access the data of data offer mechanism offer, request of data mechanism passes through the present invention
The matching of second data of mechanism acquisition is provided by the matching field for the first data being locally stored and from the data responded
Field does intersection, obtains a complete matching field data set, then will match field data set transmissions to credible execution ring
Security catalog in border, so that credible performing environment can be according to the matching in the matching field data set recorded in security catalog
Field obtains from the Data Mining alliance chain built in advance and stores the corresponding data of each matching field, thus by Liang Ge mechanisms
Between data access be transferred in credible performing environment, since request of data mechanism can directly access in credible performing environment
Corresponding data of each matching field of storage, therefore each mechanism is when carrying out data sharing, without transmission mode under line into
Row copy, and then can fall into the not user hand of access rights to avoid data, lead to leaking data and illegal use phenomenon
Generation.
Description of the drawings
Fig. 1 is the structural schematic diagram of the terminal device for the hardware running environment that the embodiment of the present invention is related to;
Fig. 2 is the flow diagram of the safety access method first embodiment of data of the present invention;
Fig. 3 be data of the present invention safety access method in Data Mining alliance chain schematic diagram;
Fig. 4 is the flow diagram of the safety access method second embodiment of data of the present invention;
Fig. 5 be data of the present invention safety access method in carry out desensitize operation schematic diagram;
Fig. 6 is the flow diagram of the safety access method 3rd embodiment of data of the present invention;
Fig. 7 provides mechanism and credible execution ring for request of data mechanism, data in the safety access method of data of the present invention
Interaction schematic diagram between border;
Fig. 8 is the high-level schematic functional block diagram of the secure access device of data of the present invention.
The embodiments will be further described with reference to the accompanying drawings for the realization, the function and the advantages of the object of the present invention.
Specific implementation mode
It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not intended to limit the present invention.
Referring to Fig.1, Fig. 1 is the structural representation of the terminal device for the hardware running environment that the embodiment of the present invention is related to
Figure.
As shown in Figure 1, the terminal device may include:Processor 1001, such as central processing unit (Central
Processing Unit, CPU), communication bus 1002, user interface 1003, network interface 1004, memory 1005.Wherein,
Communication bus 1002 is for realizing the connection communication between these components.User interface 1003 may include display screen
(Display), input unit such as keyboard (Keyboard), mouse (Mouse), optionally, user interface 1003 can also wrap
Include standard wireline interface and wireless interface.Network interface 1004 may include optionally standard wireline interface and wireless interface
(such as Wireless Fidelity (WIreless-FIdelity, WI-FI) interface, blue tooth interface etc.).Memory 1005 can be high-speed RAM
Memory can also be stable memory (non-volatile memory), such as magnetic disk storage.Memory 1005 can
The storage device that can also be independently of aforementioned processor 1001 of choosing.
It will be understood by those skilled in the art that structure shown in Fig. 1 does not constitute the restriction to terminal device, can wrap
It includes than illustrating more or fewer components, either combines certain components or different components arrangement.
Therefore, as shown in Figure 1, as may include in a kind of memory 1005 of computer storage media operating system,
The secure access program of network communication module, Subscriber Interface Module SIM and data.
In terminal device shown in Fig. 1, network interface 1004 mainly with establish terminal device and credible performing environment with
And the communication connection of the terminal device for providing data;User interface 1003 is mainly used for receiving the input instruction of user;Institute
The secure access program that terminal device calls the data stored in memory 1005 by processor 1001 is stated, and executes following behaviour
Make:
Request of data mechanism issues request of data, receives the response message for the identifier that mechanism is provided comprising data, described
Response message provides mechanism by the data and is generated according to the request of data;
The identifier that mechanism is provided according to the data provides the matching column that mechanism sends the first data to the data
Position, and obtain the matching field that the data provide the second data that mechanism provides;
The matching field of the matching field of first data and second data is done into intersection, generates matching field number
According to collection;
By the security catalog in the matching field data set transmissions to credible performing environment, so that the credible execution ring
It border can be according to the matching field in the matching field data set recorded in the security catalog from the data built in advance
It explores and is obtained in alliance's chain and store the corresponding data of each matching field;
Access the corresponding data of each matching field stored in the credible performing environment.
Further, processor 1001 can call the secure access program of the data stored in memory 1005, also hold
The following operation of row:
Desensitization operation is carried out to the matching field of first data;
Correspondingly, the matching field for obtaining the data and providing the second data that mechanism provides, specifically includes:
It obtains the data and the matching field for carrying out the second data after desensitization operation that mechanism provides is provided.
Further, processor 1001 can call the secure access program of the data stored in memory 1005, also hold
The following operation of row:
Mechanism is provided with the data to negotiate to determine desensitization key;
According to the desensitization key, desensitization operation is carried out to the matching field of first data;
Correspondingly, the matching column for carrying out the second data after desensitization operation for obtaining the data and mechanism offer being provided
Position, specifically includes:
Obtain that the data provide that mechanism provides according to the desensitization key, carry out the second data after desensitization operation
Match field.
Further, processor 1001 can call the secure access program of the data stored in memory 1005, also hold
The following operation of row:
Modeling instruction is sent to the credible performing environment, is deposited for determination so that the credible performing environment can be created
The data value modeling of the value of each data of storage;
Correspondingly, described to access the corresponding data of each matching field stored in the credible performing environment, it specifically includes:
Obtain the value of the determining each data of the data value modeling;
According to the value of each data, it is determined whether it is corresponding to access each matching field stored in the credible performing environment
Data.
Further, processor 1001 can call the secure access program of the data stored in memory 1005, also hold
The following operation of row:
Request of data mechanism Data Mining alliance chain is carried out it is perfect, Data Mining alliance chain be based on block
Chain, the identifier by providing each request of data mechanism and each data mechanism are registered and are issued built-up.
Further, processor 1001 can call the secure access program of the data stored in memory 1005, also hold
The following operation of row:
Request of data mechanism joins the Data Mining by first data publication to Data Mining alliance chain
Alliance's chain carries out perfect.
This implementation through the above scheme, when request of data mechanism needs to access the data of data offer mechanism offer, counts
There is provided what mechanism obtained by the matching field for the first data that will be locally stored and from the data responded according to request mechanism
The matching field of second data does intersection, obtains a complete matching field data set, then passes matching field data set
The security catalog in credible performing environment is transported to, so that credible performing environment can be according to the matching field recorded in security catalog
Matching field in data set obtains from the Data Mining alliance chain built in advance and stores the corresponding data of each matching field,
To which the data access between Liang Ge mechanisms to be transferred in credible performing environment, since request of data mechanism can be accessed directly
The corresponding data of each matching field stored in credible performing environment, therefore each mechanism is when carrying out data sharing, without
Transmission mode is copied under line, and then can be fallen into avoid data in the not user hand of access rights, and leaking data is caused
With the illegal generation using phenomenon.
Based on above-mentioned hardware configuration, the safety access method embodiment of data of the present invention is proposed.
It is the flow diagram of the safety access method first embodiment of data of the present invention with reference to Fig. 2, Fig. 2.
In the first embodiment, the safety access method of the data includes the following steps:
S10:Request of data mechanism issues request of data, receives the response message for the identifier that mechanism is provided comprising data,
The response message provides mechanism by the data and is generated according to the request of data.
Specifically, the request of data of request of data mechanism publication is specifically to be published to the Data Mining alliance pre-established
On chain.
Correspondingly, what is received provides the response message of the identifier of mechanism comprising data, is by Data Mining alliance chain
On data provide mechanism generate.
Such as all data providings for being capable of providing data can active search and oneself phase on Data Mining alliance chain
The request of data of pass, such as the data dictionary for including in request of data are identical as the data dictionary for the data that oneself is provided, when searching
When rope is to oneself relevant request of data, data providing will generate the response message added with oneself identifier, with number
According to request, mechanism establishes matching relationship.
In addition, it is necessary to explanation, above-mentioned described Data Mining alliance chain is specifically to be based on block chain, by each number
It is registered and is issued according to the identifier of request mechanism and each data offer mechanism and is built-up.
In addition, in order to ensure that the data stored in Data Mining alliance chain are perfect enough, the institute that alliance's chain is added is organic
Structure is required for periodically by oneself local data publication to Data Mining alliance, to improve the number in Data Mining alliance chain
According to.
It is described since the present embodiment stands request of data mechanism, the request of data mechanism publication data are asked
Need to carry out Data Mining alliance chain before asking it is perfect, such as using first data publication is visited to the data
Mode in rope alliance chain is perfect to be carried out to Data Mining alliance chain.
In addition, when improving Data Mining alliance chain, whether request of data mechanism or data provide mechanism, on
The data of biography have been required for corresponding data dictionary, that is, the data item to data, data structure, data flow, data is needed to store,
Processing logic, external entity etc. are defined and describe, and so as to facilitate subsequent operation, such as model.
It can timely respond to, send out in addition, request of data mechanism provides mechanism when issuing request of data, for the ease of data
Can include in the request of data of cloth need the data dictionary of data that ask and data area (need the data volume asked,
Such as the data in one month).
It should be noted that these are only for example, any restriction is not constituted to technical scheme of the present invention, in reality
In the application of border, those skilled in the art can be arranged as needed.
Further, since in practical applications, request of data mechanism is same or provides mechanism as data, therefore data provide
The realization method of mechanism side to the mode of data access be accordingly arranged i.e. with reference to request of data mechanism in the present embodiment
Can, details are not described herein again, is also not particularly limited.
S20:The identifier that mechanism is provided according to the data provides the matching that mechanism sends the first data to the data
Field, and obtain the matching field that the data provide the second data that mechanism provides.
Specifically, the first data described in the present embodiment are specially the data that request of data mechanism is locally stored, the
Two data are specially that data provide the data that mechanism is locally stored.
In addition, the matching field of the first data and the matching field of the second data specifically refer in each storage table in each row
The index name of storage, for example it is that shipping room title, third are classified as customer name, that first row, which is trade name, secondary series,
Four are classified as delivery employee number etc..
It should be noted that these are only for example, any restriction is not constituted to technical scheme of the present invention, in reality
In the application of border, those skilled in the art can be arranged as needed.
S30:The matching field of the matching field of first data and second data is done into intersection, generates matching column
Position data set.
Specifically, in this example by by first data matching field and second data matching field
Intersection is done to obtain matching field data set, it is hereby achieved that a complete matched data collection, ensures the visit of follow-up data
It is able to access that complete data during asking.
S40:By the security catalog in the matching field data set transmissions to credible performing environment, credible held so that described
Row environment can be according to matching field in the matching field data set recorded in the security catalog from building in advance
It is obtained in Data Mining alliance chain and stores the corresponding data of each matching field.
Specifically, credible performing environment described in the present embodiment (Trusted Execution Environment,
TEE) it can be specifically the third party's trust authority disposed in a network.
In addition, in order to ensure data safe enough of the follow-up storage in the credible performing environment, it is not illegally used,
When specific implementation, credible performing environment can create a security catalog, then by the matching in the matching field data set
Field is stored in the security catalog.
Further, in order to promote security level, credible performing environment can also be raw according to internal key generation procedure
At a security catalog key, then using security catalog key pair, the security catalog is encrypted, so that follow-up need
The request of data mechanism for accessing the data stored in it must have corresponding access rights, or must be Data Mining connection
A member in alliance's chain.
It should be noted that being given above only a kind of concrete implementation mode, in a particular application, the skill of this field
Art personnel can be arranged as required to, and not be limited herein.
S50:Access the corresponding data of each matching field stored in the credible performing environment.
By foregoing description it is not difficult to find that the safety access method of the data provided in the present embodiment, in request of data machine
Structure needs to access data when providing the data that mechanism provides, matching that request of data mechanism passes through the first data that will be locally stored
Field and the matching field that the second data that mechanism obtains are provided from the data responded do intersection, obtain one complete
With field data set, then the security catalog in field data set transmissions to credible performing environment will be matched, so that credible execution
Environment can join according to the matching field in the matching field data set recorded in security catalog from the Data Mining built in advance
The corresponding data of each matching field are obtained and stored in alliance's chain, to which the data access between Liang Ge mechanisms is transferred to credible hold
In row environment, since request of data mechanism can directly access the corresponding number of each matching field stored in credible performing environment
According to, therefore each mechanism is copied when carrying out data sharing without transmission mode under line, and then can be fallen to avoid data
Enter in the not user hand of access rights, leads to leaking data and the illegal generation using phenomenon.
Further, as shown in figure 4, proposing the second reality of the safety access method of data of the present invention based on first embodiment
Example is applied, in the present embodiment, in the identifier for providing mechanism according to the data, mechanism is provided to the data and sends the first number
According to matching field before, need the matching field to first data to carry out desensitization operation.
For convenience of description, step S20 is refined as two sub-steps in the present embodiment, refers to Fig. 4.
In step s 201, desensitization operation is carried out to the matching field of first data.
In step S202, the identifier of mechanism is provided according to the data, providing mechanism to the data sends progress
The matching field of first data after desensitization operation, and obtain the data and second carried out after desensitization operation that mechanism provides is provided
The matching field of data.
Specifically, request of data mechanism carries out desensitization operation in the matching field to first data in the present embodiment
When, it can specifically be accomplished by the following way:
First, mechanism is provided with the data to negotiate to determine desensitization key.
Then, according to the desensitization key, desensitization operation is carried out to the matching field of first data.
It should be understood that since the matching field data set being subsequently generated is the matching field according to first data
Intersection acquisition is done with the matching field of second data, therefore according to the desensitization key, to first data
After matching field carries out desensitization operation, in order to ensure the desensitization of each matching field in the matching field data set being subsequently generated
Rule is consistent, therefore the data got provide the matching field for the second data that mechanism provides, specifically by institute
It states data and provides mechanism according to identical desensitization key, carry out the matching field of the second data obtained after desensitization operation.
In addition, for the ease of understanding desensitization operation described in this example, it is specifically described below in conjunction with Fig. 5.
Specifically, the HyperLedger in Fig. 5 specifically refers to the super account book in block chain technology.
The storage region that the areas DB specifically refer to be used to store local data is (if it is the desensitization behaviour for request of data mechanism
Make, this time storage is the matching field of above-mentioned first data and the first data;If it is the desensitization for providing mechanism for data
Operation, this time storage are the matching field of above-mentioned second data and the second data).
The areas APP provide for request of data mechanism or data can be for the application program of user's operation, correspondingly, DB in mechanism
The data of area's storage are the data that the application program in the areas APP generates.
DMZ refers to isolated area, i.e. the abbreviation of demilitarized zone, also referred to as " demilitarized zone ".It is mainly used
In constructing a safety area between internal network and external network.
As shown in Figure 5, when carrying out desensitization operation, first pass through whether step " 0, proving program signature " meets and want
It asks, if it is satisfied, then execute step " 1, start desensitization operation ", is performed simultaneously step " 2, verification caller whether legal ", i.e.,
Whether the mechanism for needing to carry out data access is a member in Data Mining alliance chain, or whether possesses the power for accessing data
Limit.In the case where above-mentioned steps all meet, execute step " 3, call data extractor extract initial data ", will be drawn into
Initial data transfer to desensitization procedure to desensitize, after desensitization initial data can be returned, that is, execute step " 4, return original number
According to ", while desensitization procedure can generate desensitization file, and the data after desensitization are written in this document folder, that is, execute step " 5, write-in
Data after desensitization ".
It should be noted that these are only for example, in practical applications, those skilled in the art can be in conjunction with figure
5 are specifically arranged, and details are not described herein again, are not also limited.
By foregoing description it is not difficult to find that the safety access method of data provided in this embodiment, according to the data
The identifier that mechanism is provided, before the matching field that mechanism sends the first data is provided to the data, by the first data
Matching field carry out desensitization operation, while obtain data provide mechanism provide for carrying out the second data after desensitization operation
With field, then according to carrying out the matching field of the first data after desensitization operation and the matching field of the second data does intersection,
So as to the deformation to certain sensitive informations by the rule progress data that desensitize, the reliably protecting of privacy-sensitive data is realized,
And then it ensure that the safety of data access.
In addition, request of data structure negotiates to determine desensitization key by providing mechanism with data, due to being not necessarily to artificially participate in
It is arranged, is determined according to the program of inside setting between the key that desensitizes, thereby may be ensured that the key that desensitizes is not leaked, and then ensure
The safety of matching field after being desensitized according to the desensitization key.
Further, as shown in fig. 6, proposing that the third of the safety access method of data of the present invention is real based on first embodiment
Example is applied, in the present embodiment, before the corresponding data of each matching field stored in accessing the credible performing environment, is increased newly
Step S00.
In order to make it easy to understand, being specifically described below referring to Fig. 6:
In step S00:Modeling instruction is sent to the credible performing environment, so that the credible performing environment can be created
Build the data value modeling of the value of each data for determining storage.
Correspondingly, after the value that data value models each data for determining storage, step S50 can be also varied from,
For convenience of description, step S50 is refined as two sub-steps in the present embodiment, refers to Fig. 6.
Specifically, in step S501:Obtain the value of the determining each data of the data value modeling.
In step S502:According to the value of each data, it is determined whether stored in the access credible performing environment each
Match the corresponding data of field.
It should be understood that the value of data described in the present embodiment, specifically needs according to request of data mechanism
Data determine, such as, a certain data are request of data mechanism (being issued according to request of data mechanism of wanting to obtain
Request of data determine), then the value of the data is high, otherwise it is assumed that the value of the data is not high.When the value of data is high, number
According to request, mechanism can determine the corresponding data of each matching field that needs to access and be stored in the credible performing environment, otherwise not
It accesses.
In addition, in order to simplify modeling process, in the concrete realization, data value modeling can be based on Jupyter
Notebook (being an interactive notebook, be referred to as IPython notebook before this) is created, and specifically creates mode, this
The technical staff in field can operate according to the exploitation document of Jupyter Notebook, and details are not described herein again.
In addition, in practical applications, those skilled in the art can also select other modeling languages to create as needed
Data value models, and is not limited herein.
It should be noted that these are only for example, not constituting any restriction to technical scheme of the present invention, having
When body is realized, those skilled in the art can based on the operation principle of block chain, in conjunction with request of data mechanism shown in Fig. 7,
The interaction schematic diagram that data are provided between mechanism and credible performing environment is realized that details are not described herein again, does not also do specific limit
It is fixed.
In addition, it is necessary to illustrate, the DAPP in Fig. 7 specifically refers to Distributed Application.Wherein, Distributed Application and
Intelligent contract in ether mill is similar, i.e. DAPP is a kind of application based on block chain.
By foregoing description it is not difficult to find that the safety access method of data provided in this embodiment, is accessing credible execution
Before the corresponding data of each matching field stored in environment, by sending modeling instruction to credible performing environment, so that credible
Performing environment can create the data value modeling of the value of each data for determining storage, to access credible execution ring
When the corresponding data of each matching field for being stored in border, the value determination of determining each data can be modeled according to data value be
It is no to access the corresponding data of each matching field stored in credible performing environment, while ensureing the access safety of data,
The facility of data sharing both sides is further facilitated.
In addition, the embodiment of the present invention also proposes a kind of secure access device of data.As shown in figure 8, the safety of the data
Access mechanism includes:Release module 8001, receiving module 8002, sending module 8003, acquisition module 8004, generation module
8005, transmission module 8006, access modules 8007.
Wherein, release module 8001, the request of data for issuing request of data structure.Receiving module 8002, for connecing
Packet receiving provides the response message of the identifier of mechanism containing data.Sending module 8003, for providing mechanism according to the data
Identifier provides the matching field that mechanism sends the first data to the data.Acquisition module 8004, for obtaining the data
The matching field for the second data that mechanism provides is provided.Generation module 8005, for by the matching field of first data and
The matching field of second data does intersection, generates matching field data set.Transmission module 8006 is used for the matching column
Position data set is transmitted to the security catalog in credible performing environment, so that the credible performing environment can be according to the safe mesh
Matching field in the matching field data set recorded in record is obtained and is deposited from the Data Mining alliance chain built in advance
Store up the corresponding data of each matching field.Access modules 8007, for accessing each matching column stored in the credible performing environment
The corresponding data in position.
In addition, it is noted that response message described in the present embodiment is specifically to provide mechanism root by the data
It is generated according to the request of data.
By foregoing description it is not difficult to find that the secure access device of the data provided in the present embodiment, in request of data machine
Structure needs to access data when providing the data that mechanism provides, matching that request of data mechanism passes through the first data that will be locally stored
Field and the matching field that the second data that mechanism obtains are provided from the data responded do intersection, obtain one complete
With field data set, then the security catalog in field data set transmissions to credible performing environment will be matched, so that credible execution
Environment can join according to the matching field in the matching field data set recorded in security catalog from the Data Mining built in advance
The corresponding data of each matching field are obtained and stored in alliance's chain, to which the data access between Liang Ge mechanisms is transferred to credible hold
In row environment, since request of data mechanism can directly access the corresponding number of each matching field stored in credible performing environment
According to, therefore each mechanism is copied when carrying out data sharing without transmission mode under line, and then can be fallen to avoid data
Enter in the not user hand of access rights, leads to leaking data and the illegal generation using phenomenon.
It should be noted that workflow described above is only schematical, not to the protection model of the present invention
Enclose composition limit, in practical applications, those skilled in the art can select according to the actual needs part therein or
It all achieves the purpose of the solution of this embodiment, is not herein limited.
In addition, the not technical detail of detailed description in the present embodiment, reference can be made to what any embodiment of the present invention was provided
The safety access method of data, details are not described herein again.
In addition, the embodiment of the present invention also proposes that a kind of readable storage medium storing program for executing, the readable storage medium storing program for executing are computer-readable
Storage medium is stored with the secure access program of data, the secure access of the data on the computer readable storage medium
Following operation is realized when program is executed by processor:
Request of data mechanism issues request of data, receives the response message for the identifier that mechanism is provided comprising data, described
Response message provides mechanism by the data and is generated according to the request of data;
The identifier that mechanism is provided according to the data provides the matching column that mechanism sends the first data to the data
Position, and obtain the matching field that the data provide the second data that mechanism provides;
The matching field of the matching field of first data and second data is done into intersection, generates matching field number
According to collection;
By the security catalog in the matching field data set transmissions to credible performing environment, so that the credible execution ring
It border can be according to the matching field in the matching field data set recorded in the security catalog from the data built in advance
It explores and is obtained in alliance's chain and store the corresponding data of each matching field;
Access the corresponding data of each matching field stored in the credible performing environment.
Further, following operation is also realized when the secure access program of the data is executed by processor:
Desensitization operation is carried out to the matching field of first data;
Correspondingly, the matching field for obtaining the data and providing the second data that mechanism provides, specifically includes:
It obtains the data and the matching field for carrying out the second data after desensitization operation that mechanism provides is provided.
Further, following operation is also realized when the secure access program of the data is executed by processor:
Mechanism is provided with the data to negotiate to determine desensitization key;
According to the desensitization key, desensitization operation is carried out to the matching field of first data;
Correspondingly, the matching column for carrying out the second data after desensitization operation for obtaining the data and mechanism offer being provided
Position, specifically includes:
Obtain that the data provide that mechanism provides according to the desensitization key, carry out the second data after desensitization operation
Match field.
Further, following operation is also realized when the secure access program of the data is executed by processor:
Modeling instruction is sent to the credible performing environment, is deposited for determination so that the credible performing environment can be created
The data value modeling of the value of each data of storage;
Correspondingly, described to access the corresponding data of each matching field stored in the credible performing environment, it specifically includes:
Obtain the value of the determining each data of the data value modeling;
According to the value of each data, it is determined whether it is corresponding to access each matching field stored in the credible performing environment
Data.
Further, following operation is also realized when the secure access program of the data is executed by processor:
Request of data mechanism Data Mining alliance chain is carried out it is perfect, Data Mining alliance chain be based on block
Chain, the identifier by providing each request of data mechanism and each data mechanism are registered and are issued built-up.
Further, following operation is also realized when the secure access program of the data is executed by processor:
Request of data mechanism joins the Data Mining by first data publication to Data Mining alliance chain
Alliance's chain carries out perfect.
It should be noted that herein, the terms "include", "comprise" or its any other variant are intended to non-row
His property includes, so that process, method, article or system including a series of elements include not only those elements, and
And further include other elements that are not explicitly listed, or further include for this process, method, article or system institute it is intrinsic
Element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including this
There is also other identical elements in the process of element, method, article or system.
The embodiments of the present invention are for illustration only, can not represent the quality of embodiment.
Through the above description of the embodiments, those skilled in the art can be understood that above-described embodiment side
Method can add the mode of required general hardware platform to realize by software, naturally it is also possible to by hardware, but in many cases
The former is more preferably embodiment.Based on this understanding, technical scheme of the present invention substantially in other words does the prior art
Going out the part of contribution can be expressed in the form of software products, which is stored in one as described above
In storage medium (such as ROM/RAM, magnetic disc, CD), including some instructions use so that a station terminal equipment (can be mobile phone,
Computer, server, air conditioner or network equipment etc.) execute method described in each embodiment of the present invention.
It these are only the preferred embodiment of the present invention, be not intended to limit the scope of the invention, it is every to utilize this hair
Equivalent structure or equivalent flow shift made by bright specification and accompanying drawing content is applied directly or indirectly in other relevant skills
Art field, is included within the scope of the present invention.
Claims (10)
1. a kind of safety access method of data, which is characterized in that the described method comprises the following steps:
Request of data mechanism issues request of data, receives the response message for the identifier that mechanism is provided comprising data, the response
Information provides mechanism by the data and is generated according to the request of data;
The identifier that mechanism is provided according to the data provides the matching field that mechanism sends the first data to the data, and
Obtain the matching field that the data provide the second data that mechanism provides;
The matching field of the matching field of first data and second data is done into intersection, generates matching field data
Collection;
By the security catalog in the matching field data set transmissions to credible performing environment, so that the credible performing environment energy
It is enough according to the matching field in the matching field data set recorded in the security catalog from the Data Mining built in advance
It is obtained in alliance's chain and stores the corresponding data of each matching field;
Access the corresponding data of each matching field stored in the credible performing environment.
2. the method as described in claim 1, which is characterized in that the identifier that mechanism is provided according to the data, to institute
Before stating the matching field that data provide mechanism the first data of transmission, the method further includes:
Desensitization operation is carried out to the matching field of first data;
Correspondingly, the matching field for obtaining the data and providing the second data that mechanism provides, specifically includes:
It obtains the data and the matching field for carrying out the second data after desensitization operation that mechanism provides is provided.
3. method as claimed in claim 2, which is characterized in that the matching field to first data carries out desensitization behaviour
Make, specifically includes:
Mechanism is provided with the data to negotiate to determine desensitization key;
According to the desensitization key, desensitization operation is carried out to the matching field of first data;
Correspondingly, the matching field for carrying out the second data after desensitization operation for obtaining the data and mechanism offer being provided,
It specifically includes:
Obtain that the data provide that mechanism provides according to the desensitization key, carry out the matching of the second data after desensitization operation
Field.
4. method as described in any one of claims 1 to 3, which is characterized in that described access is deposited in the credible performing environment
Before the corresponding data of each matching field of storage, the method further includes:
Modeling instruction is sent to the credible performing environment, so that the credible performing environment can be created for determining storage
The data value of the value of each data models;
Correspondingly, described to access the corresponding data of each matching field stored in the credible performing environment, it specifically includes:
Obtain the value of the determining each data of the data value modeling;
According to the value of each data, it is determined whether access the corresponding number of each matching field stored in the credible performing environment
According to.
5. method as described in any one of claims 1 to 3, which is characterized in that the request of data mechanism issues request of data
Before, the method further includes:
Request of data mechanism Data Mining alliance chain is carried out it is perfect, Data Mining alliance chain be based on block chain, lead to
Cross each request of data mechanism and each data are provided mechanism identifier registered and issued it is built-up.
6. method as claimed in claim 5, which is characterized in that the request of data mechanism to Data Mining alliance chain into
Row is perfect, specifically includes:
Request of data mechanism is by first data publication to Data Mining alliance chain, to Data Mining alliance chain
It carries out perfect.
7. method as described in any one of claims 1 to 3, which is characterized in that the security catalog in the credible performing environment
It is created by the credible performing environment, and is encrypted using the security catalog key that the credible performing environment is generated in advance.
8. a kind of secure access device of data, which is characterized in that described device includes:
Release module, the request of data for issuing request of data structure;
Receiving module, the response message for receiving the identifier for providing mechanism comprising data, the response message is by the number
It is generated according to the request of data according to mechanism is provided;
Sending module, the identifier for providing mechanism according to the data provide mechanism to the data and send the first data
Matching field;
Acquisition module provides the matching field for the second data that mechanism provides for obtaining the data;
Generation module is generated for the matching field of the matching field of first data and second data to be done intersection
Match field data set;
Transmission module is used for by the security catalog in the matching field data set transmissions to credible performing environment, so that described
Credible performing environment can be according to the matching field in the matching field data set recorded in the security catalog from advance
It is obtained in the Data Mining alliance chain of structure and stores the corresponding data of each matching field;
Access modules, for accessing the corresponding data of each matching field stored in the credible performing environment.
9. a kind of terminal device, which is characterized in that the terminal device includes:Memory, processor and it is stored in described deposit
On reservoir and the secure access program of data that can run on the processor, the secure access program of the data are configured to
The step of realizing the safety access method of data as described in any one of claim 1 to 7.
10. a kind of readable storage medium storing program for executing, which is characterized in that the readable storage medium storing program for executing is computer readable storage medium, described
The secure access program of data is stored on computer readable storage medium, the secure access program of the data is held by processor
The step of safety access method of data as described in any one of claim 1 to 7 is realized when row.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810447105.XA CN108683657B (en) | 2018-05-11 | 2018-05-11 | Data security access method and device, terminal equipment and readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810447105.XA CN108683657B (en) | 2018-05-11 | 2018-05-11 | Data security access method and device, terminal equipment and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108683657A true CN108683657A (en) | 2018-10-19 |
CN108683657B CN108683657B (en) | 2021-03-02 |
Family
ID=63805918
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810447105.XA Active CN108683657B (en) | 2018-05-11 | 2018-05-11 | Data security access method and device, terminal equipment and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108683657B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111737724A (en) * | 2020-08-26 | 2020-10-02 | 腾讯科技(深圳)有限公司 | Data processing method and device, intelligent equipment and storage medium |
CN111898156A (en) * | 2019-01-31 | 2020-11-06 | 创新先进技术有限公司 | Method, node and storage medium for realizing contract calling in block chain |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105590066A (en) * | 2015-12-02 | 2016-05-18 | ***股份有限公司 | Big data safe integration method capable of protecting privacy |
CN107124268A (en) * | 2017-04-01 | 2017-09-01 | 中国人民武装警察部队工程大学 | A kind of privacy set common factor computational methods for resisting malicious attack |
CN107135209A (en) * | 2017-04-21 | 2017-09-05 | 天津理工大学 | A kind of data sharing method based on block chain |
CN107315967A (en) * | 2017-06-23 | 2017-11-03 | 北京小米移动软件有限公司 | Data matching method, device and computer-readable recording medium |
CN107947940A (en) * | 2017-11-29 | 2018-04-20 | 树根互联技术有限公司 | A kind of method and device of data exchange |
-
2018
- 2018-05-11 CN CN201810447105.XA patent/CN108683657B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105590066A (en) * | 2015-12-02 | 2016-05-18 | ***股份有限公司 | Big data safe integration method capable of protecting privacy |
CN107124268A (en) * | 2017-04-01 | 2017-09-01 | 中国人民武装警察部队工程大学 | A kind of privacy set common factor computational methods for resisting malicious attack |
CN107135209A (en) * | 2017-04-21 | 2017-09-05 | 天津理工大学 | A kind of data sharing method based on block chain |
CN107315967A (en) * | 2017-06-23 | 2017-11-03 | 北京小米移动软件有限公司 | Data matching method, device and computer-readable recording medium |
CN107947940A (en) * | 2017-11-29 | 2018-04-20 | 树根互联技术有限公司 | A kind of method and device of data exchange |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111898156A (en) * | 2019-01-31 | 2020-11-06 | 创新先进技术有限公司 | Method, node and storage medium for realizing contract calling in block chain |
CN111898156B (en) * | 2019-01-31 | 2024-04-16 | 创新先进技术有限公司 | Method, node and storage medium for realizing contract call in block chain |
CN111737724A (en) * | 2020-08-26 | 2020-10-02 | 腾讯科技(深圳)有限公司 | Data processing method and device, intelligent equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN108683657B (en) | 2021-03-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104572263B (en) | A kind of page data exchange method, relevant apparatus and system | |
US9591000B2 (en) | Methods, systems, and computer readable media for authorization frameworks for web-based applications | |
Warf | Global geographies of the internet | |
CN103795745B (en) | The monitoring method and system of a kind of intelligent mobile terminal | |
Schelenz et al. | Digitalization in Africa: Interdisciplinary perspectives on technology, development, and justice | |
CN105830389A (en) | Single set of credentials for accessing multiple computing resource services | |
CN103002445A (en) | Safe mobile electronic equipment for providing application services | |
CN107276775A (en) | A kind of enterprise group sets up cube method and device | |
CN103366135A (en) | Tenant driven security system and method in a storage cloud | |
CN104838630A (en) | Policy-based application management | |
CN106471833A (en) | Carry out wireless flow process for each user | |
CN104123059A (en) | Cloud computing management system based on web desktop system | |
CN101924786A (en) | Dynamic content preference and behavior sharing between computing devices | |
Folk et al. | The security implications of the Internet of Things | |
EP4198783A1 (en) | Federated model training method and apparatus, electronic device, computer program product, and computer-readable storage medium | |
WO2015027907A1 (en) | Methods and systems for visiting user groups | |
CN103778379B (en) | Application in management equipment performs and data access | |
CN104580081A (en) | Integrated SSO (single sign on) system | |
CN106878244A (en) | A kind of authenticity proves information providing method and device | |
CN108319849A (en) | Equipment strategy management system based on Android twin containers system and management domain implementation method | |
Waschke | Cloud Standards: Agreements that hold together clouds | |
CN108683657A (en) | Safety access method, device, terminal device and the readable storage medium storing program for executing of data | |
CN113158196A (en) | Login verification method, device, equipment and medium | |
CN106339332B (en) | A kind of information processing method, device and terminal | |
CN106254226A (en) | A kind of information synchronization method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right |
Effective date of registration: 20220922 Address after: Room 1006, Building 16, Yingcai North 3rd Street, Future Science City, Changping District, Beijing 102200 Patentee after: China Mobile Information Technology Co.,Ltd. Address before: 518000 Room 201, building A, No. 1, Qian Wan Road, Qianhai Shenzhen Hong Kong cooperation zone, Shenzhen, Guangdong (Shenzhen Qianhai business secretary Co., Ltd.) Patentee before: SHIJINSHI CREDIT SERVICE Co.,Ltd. |
|
TR01 | Transfer of patent right |