CN114528545A - Data protection method, device, equipment and storage medium - Google Patents

Publication number: CN114528545A
Authority: CN (China)
Application number: CN202210165337.2A
Other languages: Chinese (zh)
Inventor: 强建龙
Current Assignee: Agricultural Bank of China
Original Assignee: Agricultural Bank of China
Legal status: Pending
Prior art keywords: protected, determining, key, file, data

Classifications

    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/602: Providing cryptographic facilities or services
    • G06F21/6209: Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself


Abstract

The invention discloses a data protection method, a device, equipment and a storage medium, wherein the method comprises the following steps: installing an application program needing data protection in the sandbox, and determining a file to be protected contained in the application program; determining an index value according to a serial number of equipment for installing an application program and a file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key; and encrypting the data to be protected through a target encryption algorithm, and storing the encrypted data to be protected into a file to be protected. According to the technical scheme, the sandbox provides an isolation environment for the executing application program, the target key is determined based on the index value, the target encryption algorithm is determined according to the target key, the data to be protected are encrypted based on the target encryption algorithm, the encrypted data to be protected are stored in the file to be protected, and the storage of the data to be protected is achieved. On the premise of not modifying the application program, the encryption protection of the data in the application program is realized.

Description

Data protection method, device, equipment and storage medium
Technical Field
Embodiments of the present invention relate to information processing technologies, and in particular, to a data protection method, apparatus, device, and storage medium.
Background
The rapid development of the application of the mobile internet changes the traditional business mode of an enterprise, improves the working efficiency, and greatly increases the possibility of various attacks. For Android applications, the most common security issue is whether other applications have unlimited access to the data that the user saves on the device.
In the prior art, the Android application can identify and isolate the application program by using a user-based Linux protection mechanism, so that different application programs are separated, and the application program and a system are protected from being attacked by a malicious application program. Applications cannot interact with each other and access to the operating system is limited.
Therefore, a data protection method is needed to protect the data of the application program by encryption without modifying the application program.
Disclosure of Invention
The invention provides a data protection method, a device, equipment and a storage medium, which can realize encryption protection on data of an application program on the premise of not transforming the application program.
In a first aspect, an embodiment of the present invention provides a data protection method, including:
installing an application program needing data protection in a sandbox, and determining a file to be protected contained in the application program;
determining an index value according to the serial number of equipment for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key;
and encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected.
The embodiment of the invention provides a data protection method, which comprises the following steps: installing an application program needing data protection in a sandbox, and determining a file to be protected contained in the application program; determining an index value according to the serial number of equipment for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key; and encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected. According to the technical scheme, the application program needing data protection is installed in the sandbox, the sandbox can provide an isolation environment for the executing application program, meanwhile, the file to be protected needing data protection in the application program is determined, then after the index value is determined, the target key is determined based on the index value, the target encryption algorithm is determined according to the target key, the data to be protected are further encrypted based on the target encryption algorithm, the encrypted data to be protected are stored in the file to be protected, and storage of the data to be protected is achieved. On the premise of not modifying the application program, the encryption protection of the data in the application program is realized.
Further, determining a target key based on the index value and determining a target encryption algorithm based on the target key comprises:
searching a pre-generated key lookup table based on the index value to determine a target key;
and after the target key is decrypted to obtain a decrypted value, searching a pre-generated encryption algorithm lookup table based on the decrypted value to determine a target encryption algorithm.
Further, after storing the encrypted data to be protected into the file to be protected, the method further includes:
and decrypting the encrypted data to be protected based on the decryption value and the target encryption algorithm to obtain the data to be protected, and reading the data to be protected.
Further, before looking up a pre-generated key look-up table based on the index value, the method further includes: determining the key lookup table, wherein the key lookup table comprises an encryption key lookup table and an encryption key pair lookup table;
before searching a pre-generated encryption algorithm lookup table based on the decryption value, the method further comprises: determining the encryption algorithm look-up table.
Further, when the key lookup table is an encryption key lookup table, determining the key lookup table includes:
initializing a KeyGenerator to generate a key by using a secure random number generator, and encrypting the key by using a deterministic encryption algorithm to obtain an encryption key;
determining the encryption key lookup table according to an encryption key set and a lookup table index formed by the encryption key;
when the key lookup table is an encryption key pair lookup table, determining the key lookup table includes:
initializing a KeyPairGenerator by using a secure random number generator to generate a key pair, and encrypting the key pair by using a deterministic encryption algorithm to obtain an encryption key pair;
and determining the encryption key pair lookup table according to an encryption key pair set and a lookup table index formed by the encryption key pair.
Further, determining the file to be protected included in the application program includes:
determining the configuration items of the application program, and determining the file to be protected according to the configuration items.
Further, the configuration item includes an encryption item, and accordingly, determining the file to be protected according to the configuration item includes:
if the encryption item is the file name of a file contained in the application program, determining the file to be protected according to the file name;
and if the encryption item is null, determining that all files contained in the application program are the files to be protected.
In a second aspect, an embodiment of the present invention further provides a data protection apparatus, including:
the determining module is used for installing an application program needing data protection in a sandbox and determining a file to be protected contained in the application program;
the execution module is used for determining an index value according to the serial number of the equipment for installing the application program and the file to be protected, then determining a target key based on the index value, and determining a target encryption algorithm based on the target key;
and the encryption module is used for encrypting the data to be protected through the target encryption algorithm and storing the encrypted data to be protected into the file to be protected.
In a third aspect, an embodiment of the present invention further provides a terminal device, where the terminal device includes:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a data protection method as described in any one of the first aspects.
In a fourth aspect, embodiments of the present invention also provide a storage medium containing computer-executable instructions for performing the data protection method according to any one of the first aspect when executed by a computer processor.
In a fifth aspect, the present application provides a computer program product comprising computer instructions which, when run on a computer, cause the computer to perform the method of data protection as provided in the first aspect.
It should be noted that all or part of the computer instructions may be stored on the computer readable storage medium. The computer-readable storage medium may be packaged with the processor of the data protection device, or may be packaged separately from the processor of the data protection device, which is not limited in this application.
For the descriptions of the second, third, fourth and fifth aspects in this application, reference may be made to the detailed description of the first aspect; in addition, for the beneficial effects described in the second aspect, the third aspect, the fourth aspect and the fifth aspect, reference may be made to the beneficial effect analysis of the first aspect, and details are not repeated here.
In the present application, the names of the above-mentioned data protection devices do not limit the devices or functional modules themselves, and in actual implementation, the devices or functional modules may appear by other names. Insofar as the functions of the respective devices or functional modules are similar to those of the present application, they fall within the scope of the claims of the present application and their equivalents.
These and other aspects of the present application will be more readily apparent from the following description.
Drawings
Fig. 1 is a flowchart of a data protection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a data protection method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a data protection device according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a terminal device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
The term "and/or" herein merely describes an association between associated objects, meaning that three relationships may exist, e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, and B exists alone.
The terms "first" and "second" and the like in the description and drawings of the present application are used for distinguishing different objects or for distinguishing different processes for the same object, and are not used for describing a specific order of the objects.
Furthermore, the terms "including" and "having," and any variations thereof, as referred to in the description of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like. In addition, the embodiments and features of the embodiments in the present invention may be combined with each other without conflict.
It should be noted that in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the description of the present application, the meaning of "a plurality" means two or more unless otherwise specified.
Example one
Fig. 1 is a flowchart of a data protection method according to an embodiment of the present invention. This embodiment is applicable to a situation in which data in an application needs to be encrypted and stored, and the method may be executed by a data protection device. The method specifically includes the following steps:
Step 110, installing an application program needing data protection in the sandbox, and determining a file to be protected contained in the application program.
The sandbox is a mechanism that provides an isolated environment for the executing application program, and can ensure the security of the application program and the system by strictly controlling the resources accessed by the executing application program.
Specifically, an application program needing enhanced data security is installed in the sandbox, and the state of the application program in the sandbox, for example saving data and reading data, can be dynamically detected through Hook technology. When data is stored, it can be encrypted, and when data is read, it can be decrypted. The configuration item can also be determined through the encryption configuration interface, and the file to be protected, the encryption policy and the like are determined according to the configuration item. The file to be protected can comprise some or all of the files in the application program, and the encryption policy can comprise symmetric encryption and asymmetric encryption.
In practical application, if the configuration item includes a file name, the file to be protected can be determined according to the file name; if the configuration item does not include a file name, all files contained by the application may be determined to be files to be protected.
In the embodiment of the invention, for the application program needing to strengthen data security, the data stored on the equipment can be encrypted only by running the application program in the sandbox without modifying the application program.
Step 120, after determining an index value according to the serial number of the device for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key.
The device may be a terminal device, for example, a computer or a mobile phone, and the terminal device may correspond to a unique serial number.
The target key may be used to determine a target encryption algorithm after decryption, and the target encryption algorithm may be used to encrypt the data to be protected. According to the configuration items, the target encryption algorithm can be determined to be a symmetric encryption algorithm or an asymmetric encryption algorithm. If the configured encryption strategy is symmetric encryption, the Hook method can determine an index value through the serial number and the file to be protected, and determine an encryption key based on the index value; if the configured encryption strategy is asymmetric encryption, the Hook method can determine an index value through the serial number and the file to be protected, and determine an encryption key pair based on the index value.
Hook technology is also called Hook method, and the Hook method is used for capturing and processing execution behaviors of changing storage files and reading files.
Specifically, the serial number of the terminal device installed with the application program and the file to be protected included in the application program may determine an index value used for the lookup table, and then a target key may be determined in the lookup table stored with the key based on the index value, where the target key may be an encryption key or an encryption key pair. After the target key is obtained by decrypting the encryption key or the encryption key pair, the target encryption algorithm may be determined based on the decrypted target key in a lookup table in which the encryption algorithm is stored.
In the embodiment of the invention, the target key and the target encryption algorithm can be further determined by the index value, the lookup table with the key and the lookup table with the encryption algorithm, and algorithm support is provided for encrypting the data to be protected.
Step 130, encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected.
The target encryption algorithm may be a symmetric encryption algorithm or an asymmetric encryption algorithm.
Specifically, the data to be protected may be encrypted through the determined symmetric encryption algorithm or asymmetric encryption algorithm, that is, the file stream in Hook is encrypted, so as to protect the data to be protected. Of course, after the data to be protected is encrypted, the data to be protected can be stored in the file to be protected, so that the data to be protected is prevented from being maliciously attacked or maliciously read and the like.
In the embodiment of the invention, the data that the application program running in the sandbox stores locally is encrypted by applying the sandbox technology, the Hook technology and the lookup table technology, without modifying the application program, so that the encryption protection of the sensitive data in the application program is realized, and the security of the sensitive data in the application program is improved.
The embodiment of the invention provides a data protection method, which comprises the following steps: installing an application program needing data protection in a sandbox, and determining a file to be protected contained in the application program; determining an index value according to the serial number of equipment for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key; and encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected. According to the technical scheme, the application program needing data protection is installed in the sandbox, the sandbox can provide an isolation environment for the executing application program, meanwhile, the file to be protected needing data protection in the application program is determined, then after the index value is determined, the target key is determined based on the index value, the target encryption algorithm is determined according to the target key, the data to be protected are further encrypted based on the target encryption algorithm, the encrypted data to be protected are stored in the file to be protected, and storage of the data to be protected is achieved. On the premise of not modifying the application program, the encryption protection of the data in the application program is realized.
Example two
Fig. 2 is a flowchart of a data protection method according to a second embodiment of the present invention, which is embodied on the basis of the above embodiment. As shown in Fig. 2, in this embodiment, the method may further include:
Step 210, installing an application program needing data protection in the sandbox, and determining a file to be protected included in the application program.
In one embodiment, step 210 may specifically include:
installing an application program needing data protection in the sandbox; determining the configuration items of the application program, and determining the file to be protected according to the configuration items.
In one embodiment, the configuration item includes an encryption item, and accordingly, determining the file to be protected according to the configuration item includes:
if the encryption item is the file name of a file contained in the application program, determining the file to be protected according to the file name; and if the encryption item is null, determining that all files contained in the application program are the files to be protected.
Specifically, before data protection is performed on the application program, a file requiring data protection may be configured. If the encryption item of the configuration item comprises the file name of a file contained in the application program, the file corresponding to the file name is determined as the file to be protected; if the encryption item of the configuration item is empty, the encryption item is in an unconfigured state, and in this case all files contained in the application program are encrypted by default, that is, all files contained in the application program are determined as files to be protected.
In addition, the configuration item also comprises an encryption strategy, and the encryption strategy can comprise symmetric encryption or asymmetric encryption. If the encryption strategy is symmetric encryption, determining a target encryption algorithm in a lookup table of the symmetric encryption algorithm based on the index value; and if the encryption strategy is asymmetric encryption, determining a target encryption algorithm in the asymmetric encryption algorithm lookup table based on the index value.
In the embodiment of the invention, after the application program needing data protection is installed in the sandbox, the configuration item can be determined based on the encryption configuration interface, and the file to be protected is determined according to the encryption item contained in the configuration item.
Step 220, after determining an index value according to the serial number of the device for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key.
In one embodiment, step 220 may specifically include:
determining an index value according to a serial number of equipment for installing the application program and the file to be protected; determining a key lookup table; searching a pre-generated key lookup table based on the index value to determine a target key; determining an encryption algorithm look-up table; and after the target key is decrypted to obtain a decrypted value, searching a pre-generated encryption algorithm lookup table based on the decrypted value to determine a target encryption algorithm.
The key lookup table may include an encryption key lookup table and an encryption key pair lookup table.
In one embodiment, when the key lookup table comprises an encryption key lookup table, determining the key lookup table comprises:
initializing a KeyGenerator to generate a key by using a secure random number generator, and encrypting the key by using a deterministic encryption algorithm to obtain an encryption key; and determining the encryption key lookup table according to an encryption key set and a lookup table index formed by the encryption key.
In another embodiment, when the key lookup table includes an encryption key pair lookup table, determining the key lookup table includes:
initializing a KeyPairGenerator by using a secure random number generator to generate a key pair, and encrypting the key pair by using a deterministic encryption algorithm to obtain an encryption key pair; and determining the encryption key pair lookup table according to an encryption key pair set and a lookup table index formed by the encryption key pair.
The secure random number generator is a cryptographically strong random number generator, providing strong random numbers that meet the encryption requirements. The KeyGenerator is used to generate the key. The KeyPairGenerator is used to generate the key pair.
In practical applications, the encryption key or the encryption key pair corresponding to the index value may be looked up in the encryption key lookup table and the encryption key pair lookup table.
It should be noted that the key lookup table may be generated before the key lookup table is searched, and the encryption algorithm lookup table may be generated before the encryption algorithm lookup table is searched.
Of course, the encryption algorithm can be determined to be a symmetric encryption algorithm or an asymmetric encryption algorithm through the encryption strategy, and then the encryption algorithm lookup table is determined to be a symmetric encryption algorithm lookup table or an asymmetric encryption algorithm lookup table.
Table 1 is a lookup table for a symmetric encryption algorithm, and as shown in table 1, an index value may uniquely correspond to the symmetric encryption algorithm, and if the lookup table for the encryption algorithm is a lookup table for a symmetric encryption algorithm, the unique symmetric encryption algorithm may be determined according to the index value.
Table 1 Symmetric encryption algorithm lookup table (table image not reproduced)
Table 2 is an asymmetric encryption algorithm lookup table, and as shown in table 2, the index value may also uniquely correspond to the asymmetric encryption algorithm, and if the encryption algorithm lookup table is an asymmetric encryption algorithm lookup table, the unique asymmetric encryption algorithm may also be determined according to the index value.
Table 2 Asymmetric encryption algorithm lookup table

| Index value | Encryption algorithm |
| --- | --- |
| 1 | 256-bit AES (such as AES256_GCM_HKDF_4KB) |
| 2 | RSA |
| 3 | DiffieHellman |
| 4 | RSASSA-PSS |
| ... | ... |
| n | 256-bit public key elliptic curve encryption |

Specifically, after the index value is determined, the target key corresponding to the index value may be determined in the encryption key lookup table and the encryption key pair lookup table, where the target key may be an encryption key or an encryption key pair. The encryption key or encryption key pair is then decrypted to obtain a decryption value, and the encryption algorithm corresponding to the decryption value is determined in the symmetric encryption algorithm lookup table or the asymmetric encryption algorithm lookup table.
In the embodiment of the invention, after the target key is determined in the key lookup table according to the index value, the target key is decrypted to obtain the decryption value, and the target encryption algorithm is then determined in the encryption algorithm lookup table according to the decryption value.
Step 230: encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected.
Step 240: decrypting the encrypted data to be protected based on the decryption value and the target encryption algorithm to obtain the data to be protected, and reading the data to be protected.
Specifically, the decryption value obtained by decrypting the target key may be used together with the target encryption algorithm to decrypt the encrypted data to be protected and obtain the data to be protected, so that the data to be protected can be read.
In the embodiment of the invention, the application program does not need to be modified. Using the sandbox technology, the Hook technology and the lookup table technology, the data to be protected of the application program running in the sandbox can be encrypted and stored locally, and the encrypted data to be protected can also be decrypted so that it can be read, which improves the security of sensitive data in the application program.
The second embodiment of the present invention provides a data protection method, including: installing an application program needing data protection in a sandbox, and determining a file to be protected contained in the application program; determining an index value according to the serial number of equipment for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key; encrypting data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected; and decrypting the encrypted data to be protected based on the decryption value and the target encryption algorithm to obtain the data to be protected, and reading the data to be protected. According to the technical scheme, the application program needing data protection is installed in the sandbox, the sandbox can provide an isolation environment for the executing application program, meanwhile, the file to be protected needing data protection in the application program is determined, then after the index value is determined, the target key is determined based on the index value, the target encryption algorithm is determined according to the target key, the data to be protected are further encrypted based on the target encryption algorithm, the encrypted data to be protected are stored in the file to be protected, and storage of the data to be protected is achieved. Of course, the encrypted data to be protected can be decrypted based on the decryption value and the target encryption algorithm, so that the data to be protected can be read. On the premise of not modifying the application program, the encryption protection of the data in the application program is realized.
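The lookup chain of this embodiment (index value, key lookup table, decryption value, encryption algorithm lookup table, then encrypting and reading back), written out as an added Java example; it is not code from the patent. Assumptions made for illustration: the SHA-256 index derivation, `AESWrap` standing in for the "deterministic encryption algorithm", the in-memory wrapping key `kek`, the rule that maps the decryption value to an algorithm entry, the two-entry algorithm table, and the sample serial number and file name.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;

public class LookupChainDemo {
    static final SecureRandom RNG = new SecureRandom();
    // Constructed stand-in for the symmetric algorithm lookup table (needs Java 11+).
    static final String[] ALGORITHMS = {"AES/GCM/NoPadding", "ChaCha20-Poly1305"};

    static SecretKey newAesKey() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256, RNG); // KeyGenerator initialised with a secure random number generator
        return gen.generateKey();
    }

    // Key lookup table: entries are stored wrapped only. AESWrap (RFC 3394) is
    // deterministic: the same key under the same KEK always gives the same bytes.
    static byte[][] buildKeyTable(SecretKey kek, int size) throws Exception {
        byte[][] table = new byte[size][];
        for (int i = 0; i < size; i++) {
            Cipher wrap = Cipher.getInstance("AESWrap");
            wrap.init(Cipher.WRAP_MODE, kek);
            table[i] = wrap.wrap(newAesKey());
        }
        return table;
    }

    // Assumed derivation: hash of device serial number and file name, reduced to a
    // 0-based table slot. Both inputs are non-secret, so the index is not a secret.
    static int indexFor(String serial, String fileName, int size) throws Exception {
        byte[] h = MessageDigest.getInstance("SHA-256")
                .digest((serial + "|" + fileName).getBytes(StandardCharsets.UTF_8));
        return Math.floorMod(ByteBuffer.wrap(h).getInt(), size);
    }

    // Decrypt the target key to obtain the "decryption value" (raw 32-byte key).
    static byte[] unwrap(SecretKey kek, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, kek);
        return c.unwrap(wrapped, "AES", Cipher.SECRET_KEY).getEncoded();
    }

    // Assumed mapping from decryption value to an algorithm table entry.
    static String algorithmFor(byte[] value) {
        return ALGORITHMS[(value[0] & 0xff) % ALGORITHMS.length];
    }

    static Cipher cipher(int mode, String alg, byte[] value, byte[] nonce) throws Exception {
        boolean aes = alg.startsWith("AES");
        AlgorithmParameterSpec spec =
                aes ? new GCMParameterSpec(128, nonce) : new IvParameterSpec(nonce);
        Cipher c = Cipher.getInstance(alg);
        c.init(mode, new SecretKeySpec(value, aes ? "AES" : "ChaCha20"), spec);
        return c;
    }

    // Step 230: encrypt with a fresh 12-byte nonce; stored form is nonce || ciphertext+tag.
    static byte[] protect(String alg, byte[] value, byte[] plain) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, alg, value, nonce).doFinal(plain);
        return ByteBuffer.allocate(12 + ct.length).put(nonce).put(ct).array();
    }

    // Step 240: decrypt with the same decryption value and algorithm.
    static byte[] read(String alg, byte[] value, byte[] stored) throws Exception {
        byte[] nonce = Arrays.copyOfRange(stored, 0, 12);
        return cipher(Cipher.DECRYPT_MODE, alg, value, nonce)
                .doFinal(stored, 12, stored.length - 12);
    }

    public static void main(String[] args) throws Exception {
        SecretKey kek = newAesKey(); // assumption: the page does not say where this key lives
        byte[][] keyTable = buildKeyTable(kek, 8);

        // Constructed sample inputs.
        int idx = indexFor("SN-EXAMPLE-0001", "accounts.db", keyTable.length);
        byte[] value = unwrap(kek, keyTable[idx]);
        String alg = algorithmFor(value);

        byte[] plain = "constructed sample record".getBytes(StandardCharsets.UTF_8);
        byte[] stored = protect(alg, value, plain);
        System.out.println("slot " + idx + ", algorithm " + alg + ", round trip ok: "
                + Arrays.equals(plain, read(alg, value, stored)));

        stored[stored.length - 1] ^= 1; // a modified file must fail authentication
        try {
            read(alg, value, stored);
            System.out.println("tampering not detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected");
        }
    }
}
```

Because the index is computed from values an observer of the device can also obtain, the confidentiality of the stored data in this sketch depends entirely on how the wrapping key is protected.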
Example three
Fig. 3 is a schematic structural diagram of a data protection device according to a third embodiment of the present invention, where the device is suitable for a case where data in an application needs to be encrypted and stored. The apparatus may be implemented by software and/or hardware and is typically integrated in a terminal device, such as a computer device.
As shown in fig. 3, the apparatus includes:
a determining module 310, configured to install an application program that needs to perform data protection in a sandbox, and determine a file to be protected included in the application program;
an executing module 320, configured to determine an index value according to a serial number of a device in which the application program is installed and the file to be protected, determine a target key based on the index value, and determine a target encryption algorithm based on the target key;
the encryption module 330 is configured to encrypt data to be protected through the target encryption algorithm, and store the encrypted data to be protected in the file to be protected.
In the data protection device provided by this embodiment, an application program that needs data protection is installed in a sandbox, and a file to be protected included in the application program is determined; determining an index value according to the serial number of equipment for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key; and encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected. According to the technical scheme, the application program needing data protection is installed in the sandbox, the sandbox can provide an isolation environment for the executing application program, meanwhile, the file to be protected needing data protection in the application program is determined, then after the index value is determined, the target key is determined based on the index value, the target encryption algorithm is determined according to the target key, the data to be protected are further encrypted based on the target encryption algorithm, the encrypted data to be protected are stored in the file to be protected, and storage of the data to be protected is achieved. On the premise of not modifying the application program, the encryption protection of the data in the application program is realized.
On the basis of the foregoing embodiment, the execution module 320 is specifically configured to:
determining an index value according to a serial number of equipment for installing the application program and the file to be protected;
searching a pre-generated key lookup table based on the index value to determine a target key;
and after the target key is decrypted to obtain a decryption value, searching a pre-generated encryption algorithm lookup table based on the decryption value to determine a target encryption algorithm.
On the basis of the above embodiment, the apparatus further includes:
and the decryption module is used for decrypting the encrypted data to be protected based on the decryption value and the target encryption algorithm to obtain the data to be protected and reading the data to be protected.
On the basis of the above embodiment, the apparatus further includes:
a first generation module, configured to determine a key lookup table before searching a pre-generated key lookup table based on the index value, where the key lookup table includes an encryption key lookup table and an encryption key pair lookup table;
a second generation module to determine the encryption algorithm lookup table before looking up a pre-generated encryption algorithm lookup table based on the decryption value.
In one embodiment, when the key lookup table is an encryption key lookup table, the first generating module is specifically configured to:
initializing a KeyGenerator to generate a key by using a secure random number generator, and encrypting the key by using a deterministic encryption algorithm to obtain an encryption key;
determining the encryption key lookup table according to an encryption key set and a lookup table index formed by the encryption key.
In another embodiment, when the key lookup table is an encryption key pair lookup table, the first generating module is specifically configured to:
initializing a KeyPairGenerator by using a secure random number generator to generate a key pair, and encrypting the key pair by using a deterministic encryption algorithm to obtain an encryption key pair;
and determining the encryption key pair lookup table according to an encryption key pair set and a lookup table index formed by the encryption key pair.
On the basis of the foregoing embodiment, the determining module 310 is specifically configured to:
installing an application program needing data protection in the sandbox;
determining the configuration items of the application program, and determining the file to be protected according to the configuration items.
On the basis of the above embodiment, the configuration item includes an encryption item, and accordingly, determining the file to be protected according to the configuration item includes:
if the encryption item is the file name of a file contained in the application program, determining the file to be protected according to the file name;
and if the encryption item is null, determining that all files contained in the application program are the files to be protected.
The data protection device provided by the embodiment of the invention can execute the data protection method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
It should be noted that, in the embodiment of the data protection device, the included units and modules are only divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
Example four
Fig. 4 is a schematic structural diagram of a terminal device according to a fourth embodiment of the present invention. Fig. 4 shows a block diagram of an exemplary terminal device 4 suitable for implementing an embodiment of the invention. The terminal device 4 shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiment of the present invention.
As shown in fig. 4, the terminal device 4 is represented in the form of a general-purpose computing terminal device. The components of terminal device 4 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Terminal device 4 typically includes a variety of computer system readable media. These media may be any available media that can be accessed by terminal device 4 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)30 and/or cache memory 32. Terminal device 4 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, and commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. System memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in system memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Terminal device 4 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with terminal device 4, and/or with any devices (e.g., network card, modem, etc.) that enable terminal device 4 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the terminal device 4 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) through the network adapter 20. As shown in fig. 4, the network adapter 20 communicates with the other modules of the terminal device 4 via the bus 18. It should be appreciated that although not shown in fig. 4, other hardware and/or software modules may be used in conjunction with terminal device 4, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and page displays by running programs stored in the system memory 28, for example, to implement the data protection method provided by the embodiment of the present invention, the method includes:
installing an application program needing data protection in a sandbox, and determining a file to be protected contained in the application program;
determining an index value according to the serial number of equipment for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key;
and encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected.
Of course, those skilled in the art can understand that the processor can also implement the technical solution of the data protection method provided by any embodiment of the present invention.
Example five
Embodiment five of the present invention provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements the data protection method provided in the embodiments of the present invention, for example a method that includes:
installing an application program needing data protection in a sandbox, and determining a file to be protected contained in the application program;
determining an index value according to the serial number of equipment for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key;
and encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected.
Computer storage media for embodiments of the present invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer-readable storage medium may be, for example but not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It will be understood by those skilled in the art that the modules or steps of the invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of computing devices, and optionally they may be implemented by program code executable by a computing device, such that it may be stored in a memory device and executed by a computing device, or it may be separately fabricated into various integrated circuit modules, or it may be fabricated by fabricating a plurality of modules or steps thereof into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments illustrated herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for protecting data, comprising:
installing an application program needing data protection in a sandbox, and determining a file to be protected contained in the application program;
determining an index value according to the serial number of equipment for installing the application program and the file to be protected, determining a target key based on the index value, and determining a target encryption algorithm based on the target key;
and encrypting the data to be protected through the target encryption algorithm, and storing the encrypted data to be protected into the file to be protected.
2. The data protection method of claim 1, wherein determining a target key based on the index value and determining a target encryption algorithm based on the target key comprises:
searching a pre-generated key lookup table based on the index value to determine a target key;
and after the target key is decrypted to obtain a decryption value, searching a pre-generated encryption algorithm lookup table based on the decryption value to determine a target encryption algorithm.
3. The data protection method according to claim 2, further comprising, after storing the encrypted data to be protected in the file to be protected:
and decrypting the encrypted data to be protected based on the decryption value and the target encryption algorithm to obtain the data to be protected, and reading the data to be protected.
4. The data protection method of claim 2, further comprising, prior to looking up a pre-generated key look-up table based on the index value: determining the key lookup table, wherein the key lookup table comprises an encryption key lookup table and an encryption key pair lookup table;
before searching a pre-generated encryption algorithm lookup table based on the decryption value, the method further comprises: determining the encryption algorithm look-up table.
5. The data protection method of claim 4,
when the key lookup table is an encryption key lookup table, determining the key lookup table, including:
initializing a KeyGenerator to generate a key by using a secure random number generator, and encrypting the key by using a deterministic encryption algorithm to obtain an encryption key;
determining the encryption key lookup table according to an encryption key set and a lookup table index formed by the encryption key;
when the key lookup table is an encryption key pair lookup table, determining the key lookup table, including:
initializing a KeyPairGenerator by using a secure random number generator to generate a key pair, and encrypting the key pair by using a deterministic encryption algorithm to obtain an encryption key pair;
and determining the encryption key pair lookup table according to an encryption key pair set and a lookup table index formed by the encryption key pair.
6. The data protection method according to claim 1, wherein determining the file to be protected included in the application program comprises:
determining the configuration items of the application program, and determining the file to be protected according to the configuration items.
7. The data protection method according to claim 6, wherein the configuration item comprises an encryption item, and accordingly, determining the file to be protected according to the configuration item comprises:
if the encryption item is the file name of a file contained in the application program, determining the file to be protected according to the file name;
and if the encryption item is null, determining that all files contained in the application program are the files to be protected.
8. A data protection device, comprising:
a determining module, configured to install an application program needing data protection in a sandbox and determine a file to be protected contained in the application program;
the execution module is used for determining an index value according to the serial number of the equipment for installing the application program and the file to be protected, then determining a target key based on the index value, and determining a target encryption algorithm based on the target key;
and the encryption module is used for encrypting the data to be protected through the target encryption algorithm and storing the encrypted data to be protected into the file to be protected.
9. A terminal device, characterized in that the device comprises:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a data protection method as claimed in any one of claims 1-7.
10. A storage medium containing computer-executable instructions for performing the data protection method of any one of claims 1-7 when executed by a computer processor.
CN202210165337.2A 2022-02-18 2022-02-18 Data protection method, device, equipment and storage medium Pending CN114528545A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210165337.2A CN114528545A (en) 2022-02-18 2022-02-18 Data protection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210165337.2A CN114528545A (en) 2022-02-18 2022-02-18 Data protection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114528545A true CN114528545A (en) 2022-05-24

Family

ID=81625248

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210165337.2A Pending CN114528545A (en) 2022-02-18 2022-02-18 Data protection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114528545A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116933275A (en) * 2023-09-18 2023-10-24 北京密码云芯科技有限公司 Data leakage prevention method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination