CN112528311A - Data management method and device and terminal - Google Patents

Publication number
CN112528311A
Authority
CN
China
Prior art keywords
sensitive data
storage space
backed
server
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011545716.1A
Other languages
Chinese (zh)
Other versions
CN112528311B (en)
Inventor
任实
王滨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Haikang Auto Software Co ltd
Original Assignee
Hangzhou Haikang Auto Software Co ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The application provides a data management method, a data management device and a data management terminal, and belongs to the technical field of data processing. The method comprises the following steps: receiving sensitive data sent by a server; acquiring a public key of the server, and encrypting the sensitive data based on the public key of the server to obtain backed-up sensitive data; the sensitive data and the backed-up sensitive data are stored in local equipment, and the sensitive data are used for processing a service request by the local equipment, so that the sensitive data which should be backed up by a server are migrated to a terminal, and data backup is realized by the local equipment, thereby overcoming the problem of high storage pressure of the server caused by the fact that the server needs to back up the sensitive data of a plurality of local equipment, and reducing the storage pressure of the server.

Description

Data management method and device and terminal
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a data management method, an apparatus, and a terminal.
Background
In the terminal, there are some sensitive data such as driver information and vehicle information of the vehicle, and the terminal can process the service request through the sensitive data. When the service request is processed, if sensitive data stored in the terminal is tampered by malicious personnel, an error occurs in a service processing result, and therefore the sensitive data in the terminal needs to be recovered.
In the related art, in order to improve the security of data, sensitive data is generally stored in a terminal, and the sensitive data is backed up in a server. And when the sensitive data stored in the terminal is tampered, the backed-up sensitive data can be acquired from the server.
In the related art, since the server is to serve a plurality of terminals, the server needs to store sensitive data of the plurality of terminals, which results in a large storage pressure of the server.
Disclosure of Invention
The embodiment of the application provides a data management method, a data management device and a terminal, which can reduce the storage pressure of a server. The technical scheme is as follows:
in one aspect, a data management method is provided, and the method includes:
receiving sensitive data sent by a server;
acquiring a public key of the server, and encrypting the sensitive data based on the public key of the server to obtain backed-up sensitive data;
and storing the sensitive data and the backed up sensitive data into local equipment, wherein the sensitive data is used for processing a service request by the local equipment.
In one possible implementation, the method further includes:
acquiring a private key of the local device, and signing the sensitive data based on the private key of the local device to obtain signature information, wherein the signature information is used for verifying whether the sensitive data is tampered;
associating the signature information with the sensitive data, and storing the signature information in the local device.
In one possible implementation, the local device includes a first storage space and a second storage space; the storing the sensitive data and the backed up sensitive data into a local device includes:
storing the sensitive data in the first storage space, and backing up the backed up sensitive data in the second storage space;
the sensitive data in the first storage space is used for the local device to process the service request, and the backed-up sensitive data in the second storage space is used for restoring the sensitive data in the first storage space when the sensitive data in the first storage space fails signature verification on the local device.
In another aspect, a data management method is provided, the method including:
in response to a signature verification failure of the sensitive data in a first storage space of a local device, acquiring backed-up sensitive data from a second storage space of the local device, wherein the backed-up sensitive data is obtained by encrypting the sensitive data by using a public key of a server;
sending the backed up sensitive data to the server, wherein the server is used for decrypting the backed up sensitive data based on a private key of the server to obtain decrypted sensitive data;
and receiving the decrypted sensitive data sent by the server, and storing the decrypted sensitive data in the first storage space, wherein the sensitive data in the first storage space is used for the local device to process the service request.
In one possible implementation, the method further includes:
receiving a service request, wherein the service request is used for calling sensitive data from the first storage space, and performing signature verification on the sensitive data in the first storage space; or,
in response to the local device starting, performing signature verification on the sensitive data in the first storage space; or,
in response to the local device initialization, performing signature verification on the sensitive data in the first storage space; or,
in response to reaching a signature verification period, performing signature verification on the sensitive data in the first storage space.
In one possible implementation manner, the verifying the sensitive data in the first storage space includes:
acquiring signature information associated with the sensitive data;
and verifying the sensitive data in the first storage space based on the signature information.
In one possible implementation, the sending the backed up sensitive data to the server includes:
in response to that the data length of the backed-up sensitive data is larger than a preset threshold value, fragmenting the backed-up sensitive data to obtain a plurality of data packets, and sending the plurality of data packets to the server;
and responding to the fact that the data length of the backed-up sensitive data is not larger than the preset threshold value, and sending the backed-up sensitive data to the server.
In another aspect, there is provided a data management apparatus, the apparatus including:
the first receiving module is used for receiving the sensitive data sent by the server;
the first acquisition module is used for acquiring a public key of the server and encrypting the sensitive data based on the public key of the server to obtain backed-up sensitive data;
the first storage module is configured to store the sensitive data and the backed-up sensitive data in a local device, where the sensitive data is used for the local device to process a service request.
In one possible implementation, the apparatus further includes:
the second obtaining module is used for obtaining a private key of the local device, signing the sensitive data based on the private key of the local device to obtain signature information, and the signature information is used for verifying whether the sensitive data is tampered;
and the second storage module is used for associating the signature information with the sensitive data and storing the signature information into the local equipment.
In one possible implementation, the local device includes a first storage space and a second storage space; the first storage module is used for storing the sensitive data into the first storage space and backing up the backed-up sensitive data into the second storage space; the sensitive data in the first storage space is used for the local device to process the service request, and the backed-up sensitive data in the second storage space is used for restoring the sensitive data in the first storage space when the sensitive data in the first storage space fails signature verification on the local device.
In another aspect, there is provided a data management apparatus, the apparatus including:
the third obtaining module is used for obtaining backup sensitive data from a second storage space of the local device in response to a sensitive data signature verification failure in a first storage space of the local device, wherein the backup sensitive data is obtained by encrypting the sensitive data by using a public key of a server;
the sending module is used for sending the backed up sensitive data to the server, and the server is used for decrypting the backed up sensitive data based on a private key of the server to obtain decrypted sensitive data;
and a third storage module, configured to receive the decrypted sensitive data sent by the server, and store the decrypted sensitive data in the first storage space, where the sensitive data in the first storage space is used by the local device to process a service request.
In one possible implementation, the apparatus further includes:
the signature verification module is used for receiving a service request, wherein the service request is used for calling sensitive data from the first storage space, and for performing signature verification on the sensitive data in the first storage space; or,
the signature verification module is further used for performing signature verification on the sensitive data in the first storage space in response to the local device starting; or,
the signature verification module is further used for performing signature verification on the sensitive data in the first storage space in response to the local device initialization; or,
the signature verification module is further used for performing signature verification on the sensitive data in the first storage space in response to reaching a signature verification period.
In a possible implementation manner, the signature verification module is configured to obtain signature information associated with the sensitive data; and verifying the sensitive data in the first storage space based on the signature information.
In a possible implementation manner, the sending module is configured to segment the backed-up sensitive data to obtain a plurality of data packets in response to that the data length of the backed-up sensitive data is greater than a preset threshold, and send the plurality of data packets to the server; and responding to the fact that the data length of the backed-up sensitive data is not larger than the preset threshold value, and sending the backed-up sensitive data to the server.
In another aspect, a terminal is provided, where the terminal includes a processor and a memory, and the memory stores at least one program code, and the at least one program code is loaded and executed by the processor to implement the operations performed by the data management method.
In another aspect, a computer-readable storage medium is provided, in which at least one program code is stored, and the at least one program code is loaded and executed by a processor to implement the operations performed by the data management method described above.
In another aspect, a computer program product or a computer program is provided, the computer program product or the computer program comprising computer program code, the computer program code being stored in a computer readable storage medium. The processor of the terminal reads the computer program code from the computer-readable storage medium, and executes the computer program code, so that the terminal performs the operations performed by the data management method described above.
In the embodiment of the application, the sensitive data backed up by the local device is encrypted by using the public key of the server, so that the encryption key of the backed up sensitive data is not easy to crack, the safety of the locally backed up sensitive data can be ensured, the sensitive data which should be backed up by the server can be migrated to the terminal, the data backup is realized by the local device, the problem of higher storage pressure of the server caused by the need of the server to backup the sensitive data of a plurality of local devices is solved, and the storage pressure of the server is reduced.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic illustration of an implementation environment provided by an embodiment of the present application;
Fig. 2 is a flowchart of a data management method provided in an embodiment of the present application;
Fig. 3 is a flowchart of a data management method provided in an embodiment of the present application;
Fig. 4 is a flowchart of a data management method provided in an embodiment of the present application;
Fig. 5 is a diagram illustrating a data management method according to an embodiment of the present application;
Fig. 6 is a diagram illustrating a data management method according to an embodiment of the present application;
Fig. 7 is a flowchart of a data management method according to an embodiment of the present application;
Fig. 8 is a diagram illustrating a data management method according to an embodiment of the present application;
Fig. 9 is a schematic diagram of a data management method provided in an embodiment of the present application;
Fig. 10 is a block diagram of a data management apparatus according to an embodiment of the present application;
Fig. 11 is a block diagram of a data management apparatus according to an embodiment of the present application;
Fig. 12 is a block diagram of a terminal according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The terms "first," "second," "third," and "fourth," etc. in the description and claims of this application and in the accompanying drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "comprising" and "having," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Fig. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present application. Referring to fig. 1, the implementation environment includes a local device 10 and a server 20. The local device 10 and the server 20 are connected via a wireless network.
The local device 10 is a local device used by an owner of any vehicle. The local device 10 comprises a first storage space 101, a second storage space 102 and a data management component 103. The first storage space 101 is the main storage space and stores the sensitive data in unencrypted form. The second storage space 102 is the backup storage space and stores the backed-up sensitive data. The data management component 103 is configured to perform data interaction with the server 20 and perform read and write operations on the first storage space 101 and the second storage space 102.
The backed-up sensitive data is encrypted based on the public key of the server 20, and after the sensitive data in the first storage space 101 is tampered subsequently, the local device 10 may request the server 20 to decrypt the backed-up sensitive data in the second storage space 102; thus, functionally, the server 20 may be a decryption server or an encryption/decryption server. The server 20 may be a server, a server cluster composed of a plurality of servers, or a cloud computing service center, which is not particularly limited in this embodiment of the present application.
In the embodiment of the present application, the case where the local device 10 is a terminal is taken as an example.
In the embodiment of the present application, advantages of the independent memory of the local device 10 are fully utilized, the sensitive data to be backed up is encrypted and stored in the second storage space 102 different from a storage space of the unencrypted sensitive data, and the sensitive data does not need to be stored in the server 20 while the security of the sensitive data storage is ensured, so that the storage pressure of the server 20 on the sensitive data of the plurality of local devices 10 is reduced.
Fig. 2 is a flowchart of a data management method according to an embodiment of the present application. In the embodiment of the present application, the case where the local device is a terminal is taken as an example for description. Referring to fig. 2, the embodiment includes:
step 201: the terminal receives sensitive data sent by the server;
step 202: the terminal acquires the public key of the server, and encrypts the sensitive data based on the public key of the server to obtain the backed-up sensitive data;
step 203: the terminal stores the sensitive data and the backed-up sensitive data locally, wherein the sensitive data is used for the terminal to process the service request.
In one possible implementation, the method further includes:
acquiring a private key of the terminal, and signing the sensitive data based on the private key of the terminal to obtain signature information, wherein the signature information is used for verifying whether the sensitive data is tampered;
associating the signature information with the sensitive data and storing the signature information in the terminal.
In one possible implementation, the terminal includes a first storage space and a second storage space; the storing the sensitive data and the backed up sensitive data into the terminal includes:
storing the sensitive data into the first storage space, and backing up the backed up sensitive data into the second storage space;
the sensitive data in the first storage space is used for the terminal to process the service request, and the backed-up sensitive data in the second storage space is used for restoring the sensitive data in the first storage space when the sensitive data in the first storage space fails signature verification on the terminal.
In the embodiment of the application, the sensitive data backed up locally by the terminal is encrypted by using the public key of the server, so that the encryption key of the backed up sensitive data is not easy to crack, the safety of the locally backed up sensitive data can be ensured, the sensitive data which should be backed up by the server can be migrated to the terminal, the data backup is realized by the terminal, the problem of high storage pressure of the server caused by the fact that the server needs to back up the sensitive data of a plurality of terminals is solved, and the storage pressure of the server is reduced.
Fig. 3 is a flowchart of a data management method according to an embodiment of the present application. In the embodiment of the present application, the case where the local device is a terminal is taken as an example for description. Referring to fig. 3, the embodiment includes:
step 301: in response to the sensitive data in the first storage space of the terminal failing signature verification, the terminal acquires the backed-up sensitive data from the second storage space of the terminal, wherein the backed-up sensitive data is obtained by encrypting the sensitive data by using the public key of the server;
step 302: the terminal sends the backed up sensitive data to the server, and the server is used for decrypting the backed up sensitive data based on the private key of the server to obtain the decrypted sensitive data;
step 303: and the terminal receives the decrypted sensitive data sent by the server, stores the decrypted sensitive data in the first storage space, and uses the sensitive data in the first storage space for the terminal to process the service request.
In one possible implementation, the method further includes:
receiving a service request, wherein the service request is used for calling sensitive data from the first storage space, and performing signature verification on the sensitive data in the first storage space; or,
in response to the terminal starting, performing signature verification on the sensitive data in the first storage space; or,
in response to the initialization of the terminal, performing signature verification on the sensitive data in the first storage space; or,
in response to reaching the signature verification period, performing signature verification on the sensitive data in the first storage space.
In one possible implementation, the verifying the sensitive data in the first storage space includes:
acquiring signature information associated with the sensitive data;
and verifying the sensitive data in the first storage space based on the signature information.
In one possible implementation, the sending the backed up sensitive data to the server includes:
in response to that the data length of the backed-up sensitive data is larger than a preset threshold value, fragmenting the backed-up sensitive data to obtain a plurality of data packets, and sending the plurality of data packets to the server;
and sending the backed up sensitive data to the server in response to the fact that the data length of the backed up sensitive data is not larger than the preset threshold.
In the embodiment of the application, if the sensitive data in the first storage space of the terminal fails signature verification, the server performs the decryption operation on the backed-up sensitive data in the second storage space, so that the encryption operation and the decryption operation of the sensitive data are completed by different devices, that is, the recovery of the sensitive data is realized by using an asymmetric encryption and decryption technology, and the security of the data recovery process of the sensitive data is further improved.
Fig. 4 is a flowchart of a data management method provided in an embodiment of the present application, and in the embodiment of the present application, a local device is taken as a terminal, and data backup is performed by the terminal as an example. As shown in fig. 4, the data management method includes the steps of:
Step 401: the terminal receives the sensitive data sent by the server.
The sensitive data is original sensitive data, that is, sensitive data which is not encrypted. For example, the sensitive data may include at least one of driver information and vehicle information of the vehicle, etc.; the vehicle information comprises at least one of vehicle violation information, vehicle annual inspection information and license plate information. In one possible implementation, the server sends the updated sensitive data to the terminal in response to the sensitive data update.
Before the server sends the sensitive data to the terminal, the server and the terminal negotiate a key pair, and for the convenience of distinguishing, the key pair is called a first key pair, and the first key pair comprises a first public key and a first private key of the terminal; the server stores a first public key and the terminal stores a first private key. Correspondingly, the steps can be as follows:
the server encrypts the sensitive data through the first public key to obtain encrypted sensitive data, and sends the encrypted sensitive data to the terminal; and the terminal receives the encrypted sensitive data sent by the server, acquires a first private key, and decrypts the encrypted sensitive data through the first private key to obtain the sensitive data.
Step 402: the terminal acquires the public key of the server, and encrypts the sensitive data based on the public key of the server to obtain the backed-up sensitive data.
Before the server sends sensitive data to the terminal, the server and the terminal negotiate a key pair, which is called a second key pair for easy distinction, the second key pair includes a second public key and a second private key, the second private key is stored in the server, and the second public key is stored in the terminal. In this step, the terminal directly obtains the stored second public key from the local. Correspondingly, the terminal encrypts the sensitive data based on the second public key to obtain the backed-up sensitive data.
Step 403: the terminal comprises a first storage space, and the terminal stores the sensitive data into the first storage space.
Wherein the sensitive data is used for the terminal to process the service request. In this step, the terminal stores the sensitive data in the first storage space, so that the terminal can call the sensitive data from the first storage space when processing the service request.
Step 404: the terminal also comprises a second storage space, and the terminal backs up the backed-up sensitive data to the second storage space.
The backed-up sensitive data is used for recovering the sensitive data in the first storage space when the sensitive data in the first storage space fails signature verification on the terminal.
Referring to fig. 5, the implementation of step 404 may be:
in a possible implementation manner, the data in the second storage space is empty, and the terminal directly stores the backed-up sensitive data into the second storage space. In another possible implementation manner, the data in the second storage space is non-empty, and the terminal compares the backed-up sensitive data with the data in the second storage space to obtain a comparison result; and the terminal determines whether to store the backed-up sensitive data into the second storage space based on the comparison result.
Wherein the comparison results comprise one of the same or different. The terminal responds to the comparison result to be the same, and the data in the second storage space are kept unchanged; and the terminal responds to the difference of the comparison result, deletes the data in the second storage space and stores the backed-up sensitive data into the second storage space.
In the embodiment of the application, if the backed-up sensitive data is consistent with the data in the second storage space, the encrypted data does not need to be stored in the second storage space, so that the operation steps of the terminal are reduced, and the backup efficiency of the sensitive data is improved.
In the embodiment of the application, the sensitive data and the backed-up sensitive data are respectively stored in different storage spaces of the terminal, so that the operation of calling the sensitive data does not influence the storage of the backed-up sensitive data when the terminal processes the service request, and even if the sensitive data fails signature verification, the data can be recovered through the backed-up sensitive data, thereby improving the safety of data storage.
In the embodiment of the application, the terminal can also store the signature information of the sensitive data into the terminal; accordingly, this step is realized by the following steps (1) to (2):
(1) The terminal obtains a private key of the terminal and signs the sensitive data based on the private key of the terminal to obtain signature information; the signature information is used for verifying whether the sensitive data has been tampered with.
In this step, the terminal signs the sensitive data based on the private key of the terminal to obtain the signature information through the following steps A1-A2:
A1: the terminal determines a first characteristic value of the sensitive data.
The first characteristic value is a digital digest, that is, a hash value obtained by applying a hash function to the sensitive data. For example, the first characteristic value is 0.
A2: the terminal signs the first characteristic value based on the private key of the terminal to obtain the signature information.
In this step, the terminal stores a key pair in advance, and for convenience of distinguishing, the key pair is called a third key pair, and the third key pair includes a third private key and a third public key of the terminal. The third key pair stored in the terminal may be generated by the terminal itself or generated by the server. The third key pair may be the same as the first key pair or may be different from the first key pair.
The signature information is a digital signature, that is, the digital signature is obtained by encrypting the first characteristic value through a private key of the terminal. Referring to fig. 6, the terminal performs a hash operation on the sensitive data to obtain the first characteristic value, and signs the first characteristic value through a private key of the terminal to obtain the signature information.
(2) The terminal associates the signature information with the sensitive data and stores the signature information in the terminal.
The implementation manner of the terminal associating the signature information with the sensitive data may be as follows: the terminal can splice the signature information and the sensitive data to obtain spliced sensitive data. In this step, the terminal may store the signature information in the first storage space; correspondingly, the terminal stores the spliced sensitive data into the first storage space.
In the embodiment of the application, the signature information of the sensitive data is determined, and the signature information is associated with the sensitive data stored in the first storage space, so that the terminal can confirm whether the sensitive data is tampered by malicious personnel by taking the signature information as a basis, and further data support is provided for security verification of the sensitive data.
It should be noted that step 403 does not have a strict time sequence with steps 402 and 404, and the sensitive data may be stored in the first storage space first, then encrypted and backed up in the second storage space, that is, step 403 is executed first, and then steps 402 and 404 are executed; or the sensitive data may be encrypted and backed up to the second storage space, and then the sensitive data is stored in the first storage space, that is, steps 402 and 404 are performed first, and then step 403 is performed.
In the embodiment of the application, the sensitive data backed up locally by the terminal is encrypted by using the public key of the server, so that the encryption key of the backed up sensitive data is not easy to crack, the safety of the locally backed up sensitive data can be ensured, the sensitive data which should be backed up by the server can be migrated to the terminal, the data backup is realized by the terminal, the problem of high storage pressure of the server caused by the fact that the server needs to back up the sensitive data of a plurality of terminals is solved, and the storage pressure of the server is reduced.
Fig. 7 is a flowchart of a data management method according to an embodiment of the present application. In the embodiment of the present application, the local device is a terminal, and data recovery performed by the terminal is taken as an example. As shown in fig. 7, the data management method includes the steps of:
Step 701: in response to the sensitive data in the first storage space of the terminal failing signature verification, the terminal obtains the backed-up sensitive data from the second storage space of the terminal, wherein the backed-up sensitive data is obtained by encrypting the sensitive data by using the public key of the server.
Wherein the sensitive data comprises at least one of driver information and vehicle information, etc. The content of the sensitive data can be set and changed as needed, which is not specifically limited in the embodiment of the present application.
In this step, the terminal needs to verify the signature of the sensitive data in the first storage space of the terminal to obtain a signature verification result. The signature verification result is one of signature verification success and signature verification failure. In response to the signature verification result being signature verification failure, the terminal executes the operation in step 701.
Correspondingly, the terminal verifies the signature of the sensitive data in the first storage space through the following steps (1) to (2):
(1) The terminal acquires the signature information associated with the sensitive data.
The signature information is obtained by the terminal signing the first characteristic value based on the private key of the terminal. In this step, the terminal acquires the signature information from the first storage space.
(2) The terminal verifies the signature of the sensitive data in the first storage space based on the signature information.
Wherein, the implementation mode of the step comprises the following steps A1-A3:
A1: the terminal determines a second characteristic value of the sensitive data.
Referring to fig. 8, the terminal obtains the sensitive data from the first storage space, and performs a hash operation on the sensitive data to obtain the second feature value.
A2: the terminal decrypts the signature information through the public key of the terminal to obtain the first characteristic value.
With continued reference to fig. 8, since the signature information is obtained by encrypting based on the second private key of the terminal, the terminal decrypts the signature information through the second public key to obtain the first characteristic value.
A3: in response to the second characteristic value being different from the first characteristic value, the terminal determines that the sensitive data in the first storage space fails signature verification; in response to the second characteristic value being the same as the first characteristic value, the terminal determines that the sensitive data in the first storage space passes signature verification.
For example, if the first characteristic value of the sensitive data is 0, the first characteristic value obtained after decryption is 0', and the second characteristic value is 1, then the first characteristic value obtained after decryption differs from the second characteristic value, and the terminal determines that signature verification of the sensitive data fails.
In the embodiment of the application, because the signature information of the sensitive data is stored in the first storage space, the terminal can verify the correctness of the sensitive data based on the signature information, thereby avoiding the occurrence of service request processing failure caused by calling wrong sensitive data when a service request is subsequently processed, and further improving the efficiency of service request processing.
In this step, the terminal verifies the signature of the sensitive data in the first storage space of the terminal in response to a trigger. Correspondingly, the step can be as follows:
In a possible implementation manner, the terminal receives a service request, where the service request is used to invoke sensitive data from the first storage space and to trigger signature verification of the sensitive data in the first storage space.
For example, in response to the sensitive data including driver information, the service request may be at least one of a query for credential status, a query for driver license remaining points, a query for driver license cumulative credits, and the like, based on the driver information. For another example, in response to the sensitive data including vehicle information, the service request may be at least one of a vehicle violation query, a vehicle annual inspection query, a vehicle license plate query, and the like, based on the vehicle information.
In another possible implementation manner, in response to the terminal starting, the terminal verifies the signature of the sensitive data in the first storage space.
In another possible implementation manner, in response to the terminal being initialized, the terminal verifies the signature of the sensitive data in the first storage space.
In another possible implementation manner, in response to the signature verification period being reached, the terminal verifies the signature of the sensitive data in the first storage space.
The signature verification period can be set and changed according to requirements, and the embodiment of the application is not particularly limited to this; for example, the signature verification period may be 24 hours.
It should be noted that, when the terminal receives the service request, the implementation manner of calling the sensitive data from the first storage space includes the following several manners:
In the first case, the terminal calls the sensitive data directly from the first storage space. That is, the terminal does not verify the signature of the sensitive data in the first storage space, and directly calls the sensitive data.
In the second case, the terminal verifies the signature of the sensitive data in the first storage space, and calls the sensitive data from the first storage space after the signature verification.
In the third case, the terminal calls the sensitive data from the first storage space based on the time of the most recent signature verification operation.
The most recent signature verification operation may have been triggered in any of the ways above: the terminal receiving a service request, the terminal starting, the terminal being initialized, or the signature verification period being reached. Accordingly, the steps may be: the terminal acquires the time of the most recent signature verification operation; in response to the difference between that time and the current time being not larger than the preset duration, the terminal directly calls the sensitive data from the first storage space; in response to the difference between that time and the current time being larger than the preset duration, the terminal verifies the signature of the sensitive data in the first storage space, and calls the sensitive data from the first storage space after the signature verification.
In the embodiment of the application, because signature verification of the sensitive data in the first storage space can be triggered in different ways, the terminal does not need to perform a signature verification operation every time a service request is processed, so that the operation time for processing the service request is reduced, and the service processing efficiency is improved.
Since the backed-up sensitive data in the second storage space is encrypted based on the first public key of the server, the terminal needs the server to decrypt the backed-up sensitive data; accordingly, after step 701 is executed, step 702 is executed.
Step 702: the terminal sends the backed-up sensitive data to the server, and the server is used for decrypting the backed-up sensitive data based on the private key of the server to obtain the decrypted sensitive data.
The terminal can send the backed up sensitive data to the server based on the data length of the backed up sensitive data; correspondingly, the step comprises the following two implementation modes:
First: in response to the data length of the backed-up sensitive data being greater than a preset threshold, the terminal fragments the backed-up sensitive data to obtain a plurality of data packets, and sends the plurality of data packets to the server.
The terminal performs data transmission with the server through a wireless network. The preset threshold is the maximum transmission unit of the network link of the wireless network. Referring to fig. 9, in response to the data length of the backed-up sensitive data D0 being greater than the maximum transmission unit, the terminal fragments the backed-up sensitive data D0 to obtain a plurality of data packets, i.e., fragment 1, fragment 2, and fragment … ….
Second: in response to the data length of the backed-up sensitive data being not greater than the preset threshold, the terminal sends the backed-up sensitive data to the server.
For example, in response to the data length of the backed up sensitive data D0 not being greater than the maximum transmission unit of the network link, the terminal directly sends D0 to the server.
In this step, the server may receive the backed-up sensitive data as follows: in a possible implementation manner, in response to the backed-up sensitive data not being fragmented, the server directly receives the backed-up sensitive data sent by the terminal. In another possible implementation manner, in response to the backed-up sensitive data being fragmented into a plurality of data packets, the server splices the plurality of data packets to obtain the backed-up sensitive data.
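The threshold rule and the server-side splicing described above, as an added sketch that is not part of the patent. The 4-byte index/count header is an assumed framing (the patent does not specify one), used here so the receiver can reject an incomplete or inconsistent set of fragments before it attempts decryption; the function names are hypothetical.

```python
import struct

# Assumed framing, not specified by the patent: fragment index and fragment count,
# two unsigned 16-bit integers in network byte order, prepended to each packet.
HEADER = struct.Struct("!HH")


def fragment(blob, threshold):
    """Split the backed-up data when it is longer than the threshold (e.g. link MTU).

    Data no longer than the threshold travels as a single packet (count == 1).
    The threshold applies to the payload; the assumed header is extra.
    """
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    if len(blob) <= threshold:
        chunks = [blob]
    else:
        chunks = [blob[i:i + threshold] for i in range(0, len(blob), threshold)]
    if len(chunks) > 0xFFFF:
        raise ValueError("too many fragments for the assumed 16-bit header")
    return [HEADER.pack(i, len(chunks)) + c for i, c in enumerate(chunks)]


def reassemble(packets):
    """Splice packets back together, in any arrival order, or refuse.

    Raises ValueError on short packets, inconsistent counts, conflicting
    duplicates or missing fragments, so that only a complete blob is decrypted.
    """
    parts = {}
    total = None
    for packet in packets:
        if len(packet) < HEADER.size:
            raise ValueError("packet shorter than header")
        index, count = HEADER.unpack_from(packet)
        if total is None:
            total = count
        if count != total or index >= count:
            raise ValueError("inconsistent fragment header")
        body = packet[HEADER.size:]
        if parts.setdefault(index, body) != body:
            raise ValueError("conflicting duplicate fragment")
    if total is None or len(parts) != total:
        raise ValueError("missing fragments")
    return b"".join(parts[i] for i in range(total))
```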
Wherein the server needs to decrypt the backed up sensitive data. Correspondingly, the server decrypts the backed up sensitive data through the first private key of the server to obtain the decrypted sensitive data, and sends the decrypted sensitive data to the terminal.
In a possible implementation manner, after the server decrypts the backed-up sensitive data through the first private key, the server firstly verifies the correctness of the decrypted sensitive data, and sends the decrypted sensitive data to the terminal after the verification is passed. The process of verifying the correctness of the decrypted sensitive data by the server is as follows:
The server may store the third characteristic value of the sensitive data in advance, and after the server acquires the decrypted sensitive data, it determines the fourth characteristic value of the decrypted sensitive data; in response to the third characteristic value being the same as the fourth characteristic value, the server determines that the decrypted sensitive data is correct; in response to the third characteristic value and the fourth characteristic value being different, the server determines that the decrypted sensitive data is incorrect.
In another possible implementation manner, the server directly decrypts the backed up sensitive data through the first private key; and in response to the server successfully decrypting the backed up sensitive data through the first private key of the server, determining that the sensitive data is correct sensitive data, and sending the decrypted sensitive data to the terminal.
In this step, the server may send the decrypted sensitive data to the terminal as follows: in a possible implementation manner, in response to the data length of the decrypted sensitive data being greater than a preset threshold, the server fragments the decrypted sensitive data to obtain a plurality of data packets, and sends the plurality of data packets to the terminal. In another possible implementation manner, in response to the data length of the sensitive data being not greater than the preset threshold, the server sends the decrypted sensitive data to the terminal.
It should be noted that, when the server sends the decrypted sensitive data to the terminal, the server encrypts the decrypted sensitive data through the public key of the terminal, so as to ensure the security of the data in the data transmission process.
In the embodiment of the application, when the data length of the backed-up sensitive data is large, the backed-up sensitive data is fragmented, and when the data length of the backed-up sensitive data is small, the backed-up sensitive data is directly sent to the server, so that the mode of sending the backed-up sensitive data to the server is flexibly set, and the diversity of the modes of sending the data to the server is further improved.
Step 703: the terminal receives the decrypted sensitive data sent by the server and stores the decrypted sensitive data in the first storage space; the sensitive data in the first storage space is used by the terminal to process the service request.
In this step, the terminal may receive the decrypted sensitive data sent by the server as follows: in a possible implementation manner, in response to the decrypted sensitive data not being fragmented, the terminal directly receives the decrypted sensitive data sent by the server. In another possible implementation manner, in response to the decrypted sensitive data being fragmented into a plurality of data packets, the terminal splices the plurality of data packets to obtain the decrypted sensitive data.
It should be noted that, because the server encrypts the decrypted sensitive data through the public key of the terminal, the terminal needs to decrypt the decrypted sensitive data through the private key of the terminal when receiving the decrypted sensitive data, thereby ensuring the security of the data in the data transmission process.
In this step, the terminal stores the decrypted sensitive data in the first storage space as follows: the terminal replaces the sensitive data in the first storage space with the decrypted sensitive data.
For example, if the decrypted sensitive data is ZX11XXX and the sensitive data is YX11XXX, the terminal replaces YX11XXX in the first storage space with ZX11XXX.
In the embodiment of the application, the sensitive data in the first storage space is replaced by the decrypted sensitive data, so that the data in the first storage space is correct sensitive data. Therefore, when a service request is subsequently processed, the terminal can call the correct sensitive data, which avoids service request processing failures caused by the sensitive data not being updated in time.
In this embodiment, the terminal processes the service request based on the decrypted sensitive data, for example, the service request is an inquiry of a driver license remaining point, the decrypted sensitive data is driver information, the terminal extracts the driver license remaining point of the driver from the driver information, and sends the driver license remaining point of the driver to the service website.
In the embodiment of the application, if the sensitive data in the first storage space of the terminal fails signature verification, the server performs the decryption operation on the backed-up sensitive data in the second storage space, so that the encryption operation and the decryption operation of the sensitive data are completed by different devices, that is, the recovery of the sensitive data is realized by using an asymmetric encryption and decryption technology, and the security of the data recovery process of the sensitive data is further improved.
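The signing steps A1-A2, the verification steps A1-A3 and the recovery of steps 701-703 can be exercised end to end; the following is an added illustration, not code from the patent. It assumes textbook RSA over fixed Mersenne primes so that it runs on the standard library alone (no padding, not secure), and all class, function and field names are hypothetical. It also shows a consequence of the third calling case: a read inside the preset duration returns whatever is in the first storage space without re-verifying it.

```python
import hashlib

# Toy textbook RSA over known Mersenne primes (assumption of this example).
# Illustration only: no padding, special-form primes, deterministic ciphertexts.
E = 65537


def make_keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


SERVER_PUB, SERVER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
TERMINAL_PUB, TERMINAL_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)


def digest_int(data):
    """Characteristic value: SHA-256 digest of the data, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, priv):
    n, d = priv
    return pow(digest_int(data), d, n)          # "encrypt" the digest with the private key


def verify(data, signature, pub):
    n, e = pub
    return pow(signature, e, n) == digest_int(data)   # recovered first value vs second value


def encrypt(data, pub):
    n, e = pub
    m = int.from_bytes(b"\x01" + data, "big")   # 0x01 prefix keeps leading zero bytes
    if m >= n:
        raise ValueError("record too long for this toy modulus")
    return pow(m, e, n)


def decrypt(cipher, priv):
    n, d = priv
    m = pow(cipher, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]


class Server:
    def __init__(self, record):
        self.expected = digest_int(record)      # third characteristic value, stored in advance

    def decrypt_backup(self, blob):
        data = decrypt(blob, SERVER_PRIV)
        if digest_int(data) != self.expected:   # fourth value must equal the third
            raise ValueError("decrypted backup does not match the stored digest")
        return encrypt(data, TERMINAL_PUB)      # protected for the return trip


class Terminal:
    def __init__(self, server, max_age):
        self.server, self.max_age = server, max_age
        self.first = None          # first storage space: (sensitive data, signature)
        self.second = None         # second storage space: backup only the server can open
        self.last_verified = None
        self.recoveries = 0

    def provision(self, data):
        blob = encrypt(data, SERVER_PUB)
        if self.second != blob:    # keep an identical backup unchanged, else replace it
            self.second = blob
        self.first = (data, sign(data, TERMINAL_PRIV))

    def check(self, now):
        ok = verify(self.first[0], self.first[1], TERMINAL_PUB)
        if ok:
            self.last_verified = now
        return ok

    def recover(self, now):        # steps 701-703
        data = decrypt(self.server.decrypt_backup(self.second), TERMINAL_PRIV)
        self.first = (data, sign(data, TERMINAL_PRIV))
        self.last_verified = now
        self.recoveries += 1

    def read(self, now):           # third calling case: verify only if the last check is stale
        fresh = self.last_verified is not None and now - self.last_verified <= self.max_age
        if not fresh and not self.check(now):
            self.recover(now)
        return self.first[0]


def demo():
    record = b"driver=constructed-sample;points=12"     # constructed sample record
    terminal = Terminal(Server(record), max_age=60)
    terminal.provision(record)
    terminal.read(now=0)                                 # first read verifies successfully
    terminal.first = (b"driver=constructed-sample;points=99", terminal.first[1])  # simulated corruption
    inside_window = terminal.read(now=30)                # not re-verified: altered data returned
    after_window = terminal.read(now=120)                # verification fails, backup restored
    return inside_window, after_window, terminal.recoveries
```

With the constructed record, the read at 30 seconds returns the altered value and the read at 120 seconds returns the restored one, so the preset duration bounds how long unverified data can be served.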
Fig. 10 is a block diagram of a data management apparatus according to an embodiment of the present application. Referring to fig. 10, the apparatus includes: a first receiving module 1001, a first obtaining module 1002 and a first storing module 1003.
A first receiving module 1001, configured to receive sensitive data sent by a server;
a first obtaining module 1002, configured to obtain a public key of the server, and encrypt the sensitive data based on the public key of the server to obtain backed-up sensitive data;
the first storage module 1003 is configured to store the sensitive data and the backed-up sensitive data in a local device, where the sensitive data is used for the local device to process a service request.
In one possible implementation, the apparatus further includes:
the second acquisition module is used for acquiring a private key of the local device, signing the sensitive data based on the private key of the local device to obtain signature information, and the signature information is used for verifying whether the sensitive data is tampered;
and the second storage module is used for associating the signature information with the sensitive data and storing the signature information into the local equipment.
In one possible implementation, the local device includes a first storage space and a second storage space; the first storage module 1003 is configured to store the sensitive data in the first storage space, and store the backed-up sensitive data in the second storage space; the sensitive data in the first storage space is used for the local device to process the service request, and the backed-up sensitive data in the second storage space is used for restoring the sensitive data in the first storage space when signature verification of the sensitive data in the first storage space fails at the local device.
In the embodiment of the application, the sensitive data backed up locally by the terminal is encrypted by using the public key of the server, so that the encryption key of the backed up sensitive data is not easy to crack, the safety of the locally backed up sensitive data can be ensured, the sensitive data which should be backed up by the server can be migrated to the terminal, the data backup is realized by the terminal, the problem of high storage pressure of the server caused by the fact that the server needs to back up the sensitive data of a plurality of terminals is solved, and the storage pressure of the server is reduced.
Fig. 11 is a block diagram of a data management apparatus according to an embodiment of the present application. Referring to fig. 11, the apparatus includes: a third obtaining module 1101, a sending module 1102 and a third storing module 1103.
A third obtaining module 1101, configured to, in response to a failure of a sensitive data signature verification in a first storage space of a local device, obtain backed-up sensitive data from a second storage space of the local device, where the backed-up sensitive data is obtained by encrypting the sensitive data using a public key of a server;
a sending module 1102, configured to send the backed-up sensitive data to the server, where the server is configured to decrypt the backed-up sensitive data based on a private key of the server to obtain decrypted sensitive data;
a third storage module 1103, configured to receive the decrypted sensitive data sent by the server, and store the decrypted sensitive data in the first storage space, where the sensitive data in the first storage space is used for the local device to process the service request.
In one possible implementation, the apparatus further includes:
a signature verification module, configured to receive a service request, where the service request is used for calling sensitive data from the first storage space and verifying the signature of the sensitive data in the first storage space; or,
the signature verification module is also used for verifying the signature of the sensitive data in the first storage space in response to the starting of the local device; or,
the signature verification module is also used for verifying the signature of the sensitive data in the first storage space in response to the initialization of the local device; or,
the signature verification module is further used for verifying the signature of the sensitive data in the first storage space in response to a signature verification period being reached.
In a possible implementation manner, the signature verification module is configured to obtain signature information associated with the sensitive data; and verifying the sensitive data in the first storage space based on the signature information.
In a possible implementation manner, the sending module 1102 is configured to, in response to the data length of the backed-up sensitive data being greater than a preset threshold, fragment the backed-up sensitive data to obtain a plurality of data packets and send the plurality of data packets to the server; and, in response to the data length of the backed-up sensitive data being not greater than the preset threshold, send the backed-up sensitive data to the server.
In the embodiment of the application, if the sensitive data in the first storage space of the terminal fails signature verification, the server performs the decryption operation on the backed-up sensitive data in the second storage space, so that the encryption operation and the decryption operation of the sensitive data are completed by different devices, that is, the recovery of the sensitive data is realized by using an asymmetric encryption and decryption technology, and the security of the data recovery process of the sensitive data is further improved.
It should be noted that: in the data management apparatus provided in the foregoing embodiment, when performing data management, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the terminal may be divided into different functional modules to complete all or part of the functions described above. In addition, the data management apparatus and the data management method provided in the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
In the embodiment of the present application, the local device 10 may be provided as a terminal; fig. 12 is a block diagram of a terminal 120 according to an embodiment of the present disclosure. Generally, the terminal 120 includes: a processor 1201 and a memory 1202.
In one possible implementation, the processor 1201 includes one or more processing cores, such as a 4-core processor, an 8-core processor, or the like. In one possible implementation, the processor 1201 is implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). In a possible implementation manner, the processor 1201 also includes a main processor and a coprocessor, where the main processor is a processor for Processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In one possible implementation, the processor 1201 is integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the display screen. In some embodiments, processor 1201 further includes an AI (Artificial Intelligence) processor for processing computational operations related to machine learning.
In one possible implementation, the memory 1202 includes one or more computer-readable storage media that are non-transitory. In one possible implementation, the memory 1202 also includes high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In one possible implementation, a non-transitory computer readable storage medium in the memory 1202 is used to store at least one instruction for execution by the processor 1201 to implement the data management method provided by the method embodiments of the present application.
The first storage space 121 and the second storage space 122 may be different memories 1202, or may be different storage areas in the same memory 1202.
In a possible implementation manner, the terminal 12 may further optionally include: a peripheral interface 1203 and at least one peripheral. In one possible implementation, the processor 1201, the memory 1202, and the peripheral interface 1203 are connected by a bus or signal line. In one possible implementation, each peripheral device is connected to the peripheral device interface 1203 by a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1204, display 1205, camera assembly 1206, audio circuitry 1207, positioning assembly 1208, and power supply 1209.
The peripheral interface 1203 may be used to connect at least one peripheral associated with I/O (Input/Output) to the processor 1201 and the memory 1202. In one possible implementation, the processor 1201, the memory 1202, and the peripheral interface 1203 are integrated on the same chip or circuit board; in some other embodiments, any one or both of the processor 1201, the memory 1202, and the peripheral interface 1203 are implemented on a separate chip or circuit board, which is not limited in this embodiment.
The data management component 123 includes a processor 1201 and a peripheral device interface 1203.
The Radio Frequency circuit 1204 is used for receiving and transmitting RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuit 1204 communicates with a communication network and other communication devices by electromagnetic signals. The radio frequency circuit 1204 converts an electric signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electric signal. In one possible implementation, the rf circuit 1204 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. In one possible implementation, the radio frequency circuit 1204 communicates with other terminals through at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: the world wide web, metropolitan area networks, intranets, generations of mobile communication networks (2G, 3G, 4G, and 5G), Wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In one possible implementation, the radio frequency circuit 1204 further includes a circuit related to NFC (Near Field Communication), which is not limited in this application.
The display screen 1205 is used to display a UI (User Interface). In one possible implementation, the UI includes graphics, text, icons, video, and any combination thereof. When the display screen 1205 is a touch display screen, the display screen 1205 also has the ability to acquire touch signals on or over the surface of the display screen 1205. In one possible implementation, the touch signal is input to the processor 1201 as a control signal for processing. At this point, the display 1205 is also used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In one possible implementation, the display 1205 is one and is disposed on the front panel of the terminal 12; in other embodiments, the display 1205 is at least two, respectively disposed on different surfaces of the terminal 12 or in a folded design; in other embodiments, the display 1205 is a flexible display disposed on a curved surface or on a folded surface of the terminal 12. Even more, the display screen 1205 is also arranged in a non-rectangular irregular figure, i.e., a shaped screen. In one possible implementation, the Display panel 1205 is made of a material such as an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), and the like.
Camera assembly 1206 is used to capture images or video. In one possible implementation, camera assembly 1206 includes a front camera and a rear camera. Generally, a front camera is disposed at a front panel of the terminal, and a rear camera is disposed at a rear surface of the terminal. In a possible implementation manner, the number of the rear cameras is at least two, and the rear cameras are respectively any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize panoramic shooting and a VR (Virtual Reality) shooting function or other fusion shooting functions. In one possible implementation, camera assembly 1206 also includes a flash. In one possible implementation, the flash is a single color temperature flash, and in one possible implementation, the flash is a dual color temperature flash. The double-color-temperature flash lamp is a combination of a warm-light flash lamp and a cold-light flash lamp and is used for light compensation under different color temperatures.
In one possible implementation, the audio circuitry 1207 includes a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals into the processor 1201 for processing or inputting the electric signals into the radio frequency circuit 1204 to achieve voice communication. For stereo sound acquisition or noise reduction purposes, in one possible implementation, a plurality of microphones are provided at different locations of the terminal 12. In one possible implementation, the microphone is an array microphone or an omni-directional pick-up microphone. The speaker is used to convert electrical signals from the processor 1201 or the radio frequency circuit 1204 into sound waves. In one possible implementation, the speaker is a conventional membrane speaker, and in one possible implementation, the speaker is a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, not only the electric signal can be converted into a sound wave audible to human, but also the electric signal can be converted into a sound wave inaudible to human for use in distance measurement or the like. In one possible implementation, the audio circuit 1207 also includes a headphone jack.
The positioning component 1208 is used to locate the current geographic location of the terminal 12 to implement navigation or LBS (Location Based Service). In one possible implementation, the positioning component 1207 is a positioning component based on the United States GPS (Global Positioning System), the Chinese BeiDou system, or the Russian Galileo system.
The power supply 1209 is used to power various components in the terminal 12. In one possible implementation, the power source 1209 is alternating current, direct current, a disposable battery, or a rechargeable battery. When the power source 1209 includes a rechargeable battery, the rechargeable battery is a wired rechargeable battery or a wireless rechargeable battery. The wired rechargeable battery is a battery charged through a wired line, and the wireless rechargeable battery is a battery charged through a wireless coil. The rechargeable battery is also used to support fast charge technology.
In one possible implementation, the terminal 12 further includes one or more sensors 1212. The one or more sensors 1212 include, but are not limited to: acceleration sensor 1211, gyro sensor 1210, pressure sensor 1213, fingerprint sensor 1214, optical sensor 1215, and proximity sensor 1216.
In one possible implementation, the acceleration sensor 1211 detects magnitudes of accelerations on three coordinate axes of a coordinate system established with the terminal 12. For example, the acceleration sensor 1211 is used to detect components of the gravitational acceleration on three coordinate axes. In one possible implementation, the processor 1201 controls the display screen 1205 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 1211. In one possible implementation, the acceleration sensor 1211 is also used for the acquisition of motion data of the game or the user.
In one possible implementation manner, the gyroscope sensor 1210 detects the body direction and the rotation angle of the terminal 12, and the gyroscope sensor 1210 and the acceleration sensor 1211 cooperate to acquire the 3D motion of the user on the terminal 12. The processor 1201 can implement the following functions according to the data collected by the gyro sensor 1210: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization at the time of photographing, game control, and inertial navigation.
In one possible implementation, pressure sensors 1213 are disposed on the side frames of terminal 12 and/or underlying display 1205. When the pressure sensor 1213 is disposed on the side frame of the terminal 12, the user's holding signal of the terminal 12 can be detected, and the processor 1201 performs left-right hand recognition or shortcut operation according to the holding signal collected by the pressure sensor 1213. When the pressure sensor 1213 is disposed at a lower layer of the display screen 1205, the processor 1201 controls the operability control on the UI interface according to the pressure operation of the user on the display screen 1205. The operability control comprises at least one of a button control, a scroll bar control, an icon control and a menu control.
The fingerprint sensor 1214 is used for collecting a fingerprint of the user, and the processor 1201 identifies the user according to the fingerprint collected by the fingerprint sensor 1214, or the fingerprint sensor 1214 identifies the user according to the collected fingerprint. When the user identity is identified as a trusted identity, the processor 1201 authorizes the user to perform relevant sensitive operations, including unlocking a screen, viewing encrypted information, downloading software, paying, changing settings, and the like. In one possible implementation, the fingerprint sensor 1214 is disposed on the front, back, or side of the terminal 12. When a physical key or vendor Logo is provided on the terminal 12, the fingerprint sensor 1214 is integrated with the physical key or vendor Logo.
The optical sensor 1215 is used to collect the ambient light intensity. In one embodiment, the processor 1201 controls the display brightness of the display screen 1205 according to the ambient light intensity collected by the optical sensor 1215. Specifically, when the ambient light intensity is high, the display brightness of the display screen 1205 is increased; when the ambient light intensity is low, the display brightness of the display screen 1205 is decreased. In another embodiment, the processor 1201 also dynamically adjusts the shooting parameters of the camera assembly 1206 based on the ambient light intensity collected by the optical sensor 1215.
A proximity sensor 1216, also known as a distance sensor, is typically disposed on the front panel of the terminal 12. The proximity sensor 1216 is used to collect the distance between the user and the front face of the terminal 12. In one embodiment, when the proximity sensor 1216 detects that the distance between the user and the front surface of the terminal 12 gradually decreases, the processor 1201 controls the display screen 1205 to switch from the bright screen state to the dark screen state; when the proximity sensor 1216 detects that the distance between the user and the front surface of the terminal 12 gradually increases, the processor 1201 controls the display screen 1205 to switch from the dark screen state to the bright screen state.
Those skilled in the art will appreciate that the configuration shown in fig. 12 is not intended to be limiting of terminal 12, and can include more or fewer components than those shown, or some components may be combined, or a different arrangement of components may be used.
In an embodiment of the present application, a computer-readable storage medium is further provided, where at least one program code is stored in the computer-readable storage medium, and the at least one program code is loaded and executed by a processor to implement the operations performed by the data management method in the foregoing embodiments. The computer readable storage medium may be a memory. For example, the computer-readable storage medium may be a ROM (Read-Only Memory), a RAM (Random Access Memory), a CD-ROM (Compact Disc Read-Only Memory), a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an embodiment of the present application, a computer program product or a computer program is also provided, which comprises computer program code, which is stored in a computer readable storage medium. The processor of the terminal reads the computer program code from the computer-readable storage medium, and executes the computer program code, so that the terminal performs the operations performed by the data management method.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only exemplary of the present application and should not be taken as limiting, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (15)

1. A method for managing data, the method comprising:
receiving sensitive data sent by a server;
acquiring a public key of the server, and encrypting the sensitive data based on the public key of the server to obtain backed-up sensitive data;
and storing the sensitive data and the backed-up sensitive data in a local device, wherein the sensitive data is used by the local device to process a service request.
2. The method of claim 1, further comprising:
acquiring a private key of the local device, and signing the sensitive data based on the private key of the local device to obtain signature information, wherein the signature information is used for verifying whether the sensitive data is tampered;
associating the signature information with the sensitive data, and storing the signature information in the local device.
3. The method of claim 1, wherein the local device comprises a first storage space and a second storage space; the storing the sensitive data and the backed-up sensitive data in the local device includes:
storing the sensitive data in the first storage space, and storing the backed-up sensitive data in the second storage space;
the sensitive data in the first storage space is used by the local device to process the service request, and the backed-up sensitive data in the second storage space is used to restore the sensitive data in the first storage space when signature verification of the sensitive data in the first storage space fails on the local device.
4. A method for managing data, the method comprising:
in response to a signature verification failure of sensitive data in a first storage space of a local device, acquiring backed-up sensitive data from a second storage space of the local device, wherein the backed-up sensitive data is obtained by encrypting the sensitive data by using a public key of a server;
sending the backed up sensitive data to the server, wherein the server is used for decrypting the backed up sensitive data based on a private key of the server to obtain decrypted sensitive data;
and receiving the decrypted sensitive data sent by the server, and storing the decrypted sensitive data in the first storage space, wherein the sensitive data in the first storage space is used for the local device to process the service request.
5. The method of claim 4, further comprising:
receiving a service request, wherein the service request is used for calling sensitive data from the first storage space, and performing signature verification on the sensitive data in the first storage space; or,
in response to the local device starting, performing signature verification on the sensitive data in the first storage space; or,
in response to the local device initialization, performing signature verification on the sensitive data in the first storage space; or,
in response to reaching a signature verification period, performing signature verification on the sensitive data in the first storage space.
6. The method of claim 5, wherein said verifying sensitive data in the first storage space comprises:
acquiring signature information associated with the sensitive data;
and verifying the sensitive data in the first storage space based on the signature information.
7. The method of claim 4, wherein sending the backed up sensitive data to the server comprises:
in response to the data length of the backed-up sensitive data being larger than a preset threshold value, fragmenting the backed-up sensitive data to obtain a plurality of data packets, and sending the plurality of data packets to the server;
and in response to the data length of the backed-up sensitive data being not larger than the preset threshold value, sending the backed-up sensitive data to the server.
8. A data management apparatus, characterized in that the apparatus comprises:
the first receiving module is used for receiving the sensitive data sent by the server;
the first acquisition module is used for acquiring a public key of the server and encrypting the sensitive data based on the public key of the server to obtain backed-up sensitive data;
the first storage module is configured to store the sensitive data and the backed-up sensitive data in a local device, where the sensitive data is used for the local device to process a service request.
9. The apparatus of claim 8, further comprising:
the second obtaining module is used for obtaining a private key of the local device, signing the sensitive data based on the private key of the local device to obtain signature information, and the signature information is used for verifying whether the sensitive data is tampered;
and the second storage module is used for associating the signature information with the sensitive data and storing the signature information in the local device.
10. The apparatus of claim 8, wherein the local device comprises a first storage space and a second storage space; the first storage module is used for storing the sensitive data in the first storage space and storing the backed-up sensitive data in the second storage space; the sensitive data in the first storage space is used by the local device to process the service request, and the backed-up sensitive data in the second storage space is used to restore the sensitive data in the first storage space when signature verification of the sensitive data in the first storage space fails on the local device.
11. A data management apparatus, characterized in that the apparatus comprises:
the third obtaining module is used for obtaining backup sensitive data from a second storage space of the local device in response to a sensitive data signature verification failure in a first storage space of the local device, wherein the backup sensitive data is obtained by encrypting the sensitive data by using a public key of a server;
the sending module is used for sending the backed up sensitive data to the server, and the server is used for decrypting the backed up sensitive data based on a private key of the server to obtain decrypted sensitive data;
and a third storage module, configured to receive the decrypted sensitive data sent by the server, and store the decrypted sensitive data in the first storage space, where the sensitive data in the first storage space is used by the local device to process a service request.
12. The apparatus of claim 11, further comprising:
a signature verification module, used for receiving a service request, wherein the service request is used for calling sensitive data from the first storage space, and for performing signature verification on the sensitive data in the first storage space; or,
the signature verification module is further used for performing signature verification on the sensitive data in the first storage space in response to the local device starting; or,
the signature verification module is further used for performing signature verification on the sensitive data in the first storage space in response to the local device initialization; or,
the signature verification module is further used for performing signature verification on the sensitive data in the first storage space in response to reaching a signature verification period.
13. The apparatus of claim 12, wherein the signature verification module is configured to obtain signature information associated with the sensitive data; and verifying the sensitive data in the first storage space based on the signature information.
14. The apparatus according to claim 11, wherein the sending module is configured to, in response to the data length of the backed-up sensitive data being greater than a preset threshold, fragment the backed-up sensitive data to obtain a plurality of data packets and send the plurality of data packets to the server; and, in response to the data length of the backed-up sensitive data being not greater than the preset threshold, send the backed-up sensitive data to the server.
15. A terminal, characterized in that it comprises a processor and a memory, in which at least one program code is stored, which is loaded and executed by the processor to implement the data management method according to any one of claims 1 to 7.
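The flow of claims 1 to 7 (store with an encrypted backup and a signature, verify, restore through the server, fragment above a threshold), as an added Go example that is not part of the patent text. All type and function names, the choice of RSA-OAEP for the public-key encryption and Ed25519 for the signature, and the in-process call that stands in for the round trip to the server are assumptions; the re-verification after restore is an added check, because a ciphertext under a public key is not authenticated.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Device models the local device; every name in this file is hypothetical.
type Device struct {
	serverPub *rsa.PublicKey     // server public key (claim 1)
	signKey   ed25519.PrivateKey // device private key (claim 2)
	first     []byte             // first storage space: plaintext working copy
	sig       []byte             // signature information tied to the working copy
	second    []byte             // second storage space: encrypted backup
}

// NewServerKey generates a constructed demo key pair for the server.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewDevice gives the device the server public key and a fresh signing key.
func NewDevice(serverPub *rsa.PublicKey) (*Device, error) {
	_, sk, err := ed25519.GenerateKey(rand.Reader)
	return &Device{serverPub: serverPub, signKey: sk}, err
}

// Store covers claims 1-3: encrypt a backup, sign the working copy, keep both.
func (d *Device) Store(sensitive []byte) error {
	backup, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, d.serverPub, sensitive, nil)
	if err != nil {
		return err // for example, data longer than one OAEP block
	}
	d.first, d.second = append([]byte(nil), sensitive...), backup
	d.sig = ed25519.Sign(d.signKey, d.first)
	return nil
}

// Verify covers claim 6: check the working copy against its signature.
func (d *Device) Verify() bool {
	return ed25519.Verify(d.signKey.Public().(ed25519.PublicKey), d.first, d.sig)
}

// Fragment covers claim 7: split only when the backup exceeds the threshold.
func Fragment(b []byte, threshold int) [][]byte {
	if threshold <= 0 || len(b) <= threshold {
		return [][]byte{b}
	}
	var pkts [][]byte
	for ; len(b) > threshold; b = b[threshold:] {
		pkts = append(pkts, b[:threshold])
	}
	return append(pkts, b)
}

// ServerDecrypt reassembles the packets and opens the backup (server side).
func ServerDecrypt(priv *rsa.PrivateKey, pkts [][]byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, bytes.Join(pkts, nil), nil)
}

// Use covers claims 4-5: verify on a service request, restore on failure.
func (d *Device) Use(priv *rsa.PrivateKey, threshold int) ([]byte, error) {
	if !d.Verify() {
		plain, err := ServerDecrypt(priv, Fragment(d.second, threshold))
		if err != nil {
			return nil, err
		}
		if d.first = plain; !d.Verify() { // added check: the backup is unauthenticated
			return nil, fmt.Errorf("restored data does not match the stored signature")
		}
	}
	return d.first, nil
}

func main() {
	priv, _ := NewServerKey()
	d, _ := NewDevice(&priv.PublicKey)
	_ = d.Store([]byte("constructed-api-secret"))
	d.first[0] ^= 0xff // simulate tampering with the first storage space
	got, err := d.Use(priv, 100)
	fmt.Printf("restored=%q err=%v\n", got, err)
}
```

Direct RSA-OAEP only fits data shorter than one block (190 bytes with a 2048-bit key and SHA-256); larger sensitive data would need a hybrid scheme, which the claims do not specify.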
CN202011545716.1A 2020-12-23 2020-12-23 Data management method, device and terminal Active CN112528311B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011545716.1A CN112528311B (en) 2020-12-23 2020-12-23 Data management method, device and terminal

Publications (2)

Publication Number Publication Date
CN112528311A true CN112528311A (en) 2021-03-19
CN112528311B CN112528311B (en) 2024-02-20

Family

ID=74976160

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011545716.1A Active CN112528311B (en) 2020-12-23 2020-12-23 Data management method, device and terminal

Country Status (1)

Country Link
CN (1) CN112528311B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499954A (en) * 2021-12-21 2022-05-13 海光信息技术股份有限公司 Management device and method for sensitive data

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114499954A (en) * 2021-12-21 2022-05-13 海光信息技术股份有限公司 Management device and method for sensitive data
CN114499954B (en) * 2021-12-21 2024-05-10 海光信息技术股份有限公司 Management device and method for sensitive data

Also Published As

Publication number Publication date
CN112528311B (en) 2024-02-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant