CN116743481A - Service security management and control method, device, equipment and storage medium - Google Patents


Info

Publication number: CN116743481A
Application number: CN202310834450.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 刘亮, 樊巧云, 吴省身
Current Assignee: China Mobile Communications Group Co Ltd, China Mobile Group Jiangsu Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd, China Mobile Group Jiangsu Co Ltd
Prior art keywords: data, encrypted, request, encryption, user


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/0464 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/40 Network security protocols
    • H04L2209/46 Secure multiparty computation, e.g. millionaire problem

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of digital information transmission, and discloses a service security management and control method, a device, equipment and a storage medium, wherein the method comprises the following steps: acquiring target service data corresponding to a user data request; determining a segment encryption rule according to the request content of the user data request, wherein the segment encryption rule is used for segmenting the data to be encrypted in the target service data; determining a segmentation result of the data to be encrypted according to the segmentation encryption rule; determining a public key and a private key based on the segmentation result, and encrypting data to be encrypted through an encryption public key in the public key and the private key; and sending the encrypted target service data to an initiating user corresponding to the user data request. Compared with the prior art, the method and the device effectively improve the safety of the user information in the multiparty service process.

Description

Service security management and control method, device, equipment and storage medium
Technical Field
The present invention relates to the field of digital information transmission technologies, and in particular, to a service security management and control method, apparatus, device, and storage medium.
Background
In recent years, more and more enterprises expose their own capabilities as services for commercial exchange. When API services are integrated with multiple participating parties, how to ensure that the sensitive data of the enterprises is not leaked and how to ensure the security of user information in the multiparty service process are problems of growing concern in the industry.
Currently, there are three main types of methods for guaranteeing the security of user information in the multiparty service process. First, expired services are removed automatically through the management of service registration information, but the security of the service content is not considered. Second, service management is handled through micro-service clustering and the access rights of service requesters are controlled through black and white lists, but the control granularity is coarse. Third, API interface data is clustered with the K-Means algorithm and searched for abnormal points, so that abnormal content of the API interface is found and the service content can be controlled; however, if the API interface data volume is large, the clustering calculation poses a large performance challenge, so the method has no practical significance for service scenarios with a large API interface data volume and requesters with high real-time requirements.
Therefore, a service security management and control method is needed to effectively ensure the security of user information in the multiparty service process.
Disclosure of Invention
The invention mainly aims to provide a service security management and control method, device, equipment and storage medium, which aim to solve the technical problem of how to effectively ensure the security of user information in the multiparty service process.
In order to achieve the above object, the present invention provides a service security management and control method, which includes the following steps:
acquiring target service data corresponding to a user data request;
determining a segment encryption rule according to the request content of the user data request, wherein the segment encryption rule is used for segmenting data to be encrypted in the target service data;
determining a segmentation result of the data to be encrypted according to the segmentation encryption rule;
determining a public key and a private key based on the segmentation result, and encrypting the data to be encrypted through an encryption public key in the public key and the private key;
and sending the encrypted target service data to an initiating user corresponding to the user data request.
Optionally, the step of determining the segment encryption rule according to the request content of the user data request includes:
determining the user request purpose according to the request content of the user data request;
determining a first segmentation strategy according to the user request purpose, wherein the first segmentation strategy is used for determining the unencrypted part of the data to be encrypted in the target service data;
if the user request purpose is list acquisition, identifying sensitive fields in the request content, and acquiring a request user name in the request content;
based on the first segmentation strategy, determining a segmentation encryption rule through the sensitive field and the byte number of the request user name.
Optionally, after the step of determining the first segmentation policy according to the user request usage, the method further includes:
and if the user request purpose is not list acquisition, taking the first segmentation strategy as a segmentation encryption rule.
Optionally, the step of determining a public key based on the segmentation result and encrypting the data to be encrypted by using an encryption public key in the public key comprises the following steps:
determining the number of public and private keys according to the segmentation result;
sequentially acquiring segments to be encrypted of the data to be encrypted;
and determining the public and private keys according to the length of the to-be-encrypted segment, encrypting the to-be-encrypted data through the encryption public key in the public and private keys, and obtaining the ciphertext with the same length as the to-be-encrypted segment after the encryption public key in the public and private keys encrypts the to-be-encrypted segment.
Optionally, the encrypted target service data includes a first encrypted ciphertext, and the step of encrypting the data to be encrypted by using an encryption public key in the public-private key includes:
Sequentially obtaining encryption public keys corresponding to the segments to be encrypted;
encrypting the to-be-encrypted segment by the encryption public key based on an asymmetric encryption algorithm to obtain a segment ciphertext;
obtaining a mapping character corresponding to the segmented ciphertext according to a preset character mapping table;
and splicing the unencrypted fragments of the data to be encrypted with the mapping characters according to the segmentation result to obtain a first encrypted ciphertext.
Optionally, the step of identifying sensitive fields in the requested content includes:
acquiring request data in the request content;
and identifying the sensitive field in the request data according to a preset sensitive field configuration table.
Optionally, the encrypted target service data includes a second encrypted ciphertext, and before the step of sending the encrypted target service data to the initiating user corresponding to the user data request, the method further includes:
determining corresponding sensitive content in the target service data according to the sensitive field in the request data;
encrypting the sensitive content except the data to be encrypted by a symmetric encryption algorithm to obtain a symmetric encryption ciphertext;
and converting the symmetric encryption ciphertext into a base64 format to obtain a second encryption ciphertext.
In addition, to achieve the above object, the present invention also proposes a service security management and control apparatus, the apparatus comprising:
the data acquisition module is used for acquiring target service data corresponding to the user data request;
the rule determining module is used for determining a segment encryption rule according to the request content of the user data request, and the segment encryption rule is used for segmenting data to be encrypted in the target service data;
the segmentation determining module is used for determining a segmentation result of the data to be encrypted according to the segmentation encryption rule;
the data encryption module is used for determining a public key and a private key based on the segmentation result and encrypting the data to be encrypted through an encryption public key in the public key and the private key;
and the data sending module is used for sending the encrypted target service data to an initiating user corresponding to the user data request.
In addition, to achieve the above object, the present invention also proposes a service security management and control apparatus, the apparatus comprising: the system comprises a memory, a processor and a service security management program stored on the memory and capable of running on the processor, wherein the service security management program is configured to realize the steps of the service security management method.
In addition, in order to achieve the above object, the present invention also proposes a storage medium having stored thereon a service security management program which, when executed by a processor, implements the steps of the service security management method as described above.
The invention obtains the target service data corresponding to the user data request; determining a segment encryption rule according to the request content of the user data request, wherein the segment encryption rule is used for segmenting data to be encrypted in the target service data; determining a segmentation result of the data to be encrypted according to the segmentation encryption rule; determining a public key and a private key based on the segmentation result, and encrypting the data to be encrypted through an encryption public key in the public key and the private key; and sending the encrypted target service data to an initiating user corresponding to the user data request. The invention determines the segmentation encryption rule according to the request content of the user data request, segments the field to be encrypted in the target service data according to the segmentation encryption rule, encrypts according to the segmentation result, and sends the encrypted target service data to the initiating user corresponding to the user data request.
Drawings
FIG. 1 is a schematic diagram of a service security management and control device of a hardware running environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of a service security management and control method according to the present invention;
FIG. 3 is a diagram of the information contained in a mobile phone number;
FIG. 4 is a timing diagram illustrating the implementation of the service security control method according to the present invention;
FIG. 5 is a flowchart illustrating a second embodiment of a service security management and control method according to the present invention;
FIG. 6 is a schematic diagram of a scenario of mobile phone number segment encryption in the service security management and control method of the present invention;
FIG. 7 is a flowchart illustrating a third embodiment of a service security management and control method according to the present invention;
FIG. 8 is a functional architecture diagram of a service security management and control device according to the present invention;
FIG. 9 is a schematic diagram of a scenario of multi-party algorithm risk detection in a service security management and control apparatus according to the present invention;
FIG. 10 is a schematic diagram of a multi-party algorithm risk detection flow in the service security management and control apparatus of the present invention;
FIG. 11 is a schematic diagram of a DDL and DML operation probe flow in multi-party algorithm risk detection in the service security management and control device of the present invention;
FIG. 12 is a functional schematic diagram of a security control method in a production state of the service security control apparatus according to the present invention;
FIG. 13 is a block diagram of a first embodiment of a service security management and control apparatus according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a service security management and control device of a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the service security management apparatus may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, a memory 1005. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display, an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a Wireless interface (e.g., a Wireless-Fidelity (WI-FI) interface). The Memory 1005 may be a high-speed random access Memory (Random Access Memory, RAM) or a stable nonvolatile Memory (NVM), such as a disk Memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 1 does not constitute a limitation of the service security management apparatus, and may include more or fewer components than shown, or may combine certain components, or may be arranged in different components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a service security management program may be included in the memory 1005 as one type of storage medium.
In the service security management and control apparatus shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the service security management and control device of the present invention may be disposed in the service security management and control device, where the service security management and control device invokes a service security management and control program stored in the memory 1005 through the processor 1001, and executes the service security management and control method provided by the embodiment of the present invention.
An embodiment of the present invention provides a service security management and control method, and referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the service security management and control method of the present invention.
In this embodiment, the service security control method includes the following steps:
Step S10: and acquiring target service data corresponding to the user data request.
It should be noted that, the execution body of the embodiment may be a computing service device having functions of data processing, network communication and program running, such as a server, a gateway, a tablet computer, a personal computer, a mobile phone, or an electronic device, a service security management and control device, etc. capable of implementing the above functions. The present embodiment and the following embodiments will be described by way of example using a gateway.
In a specific implementation, a user sends a user data request to a gateway, and the gateway obtains target service data corresponding to the user data request by accessing a corresponding data service after receiving the user data request, wherein the target service data may be service data to be obtained in the user data request.
Step S20: and determining a segment encryption rule according to the request content of the user data request, wherein the segment encryption rule is used for segmenting the data to be encrypted in the target service data.
It should be noted that, the request content of the user data request may be as shown in table 1:
Table 1 Request content of user data request
It should be explained that, different segmentation encryption rules can be adopted for the request content of the user data request according to different request conditions in the request message, the data to be encrypted in the target service data corresponding to the user data request is segmented through the different segmentation encryption rules, and then the part which is not needed to be encrypted and the part which is needed to be encrypted in the data to be encrypted are determined according to different segmentation results.
It should be noted that, the data to be encrypted in the target service data may be a mobile phone number, or may be other core data, which is not limited in this embodiment, and the mobile phone number is taken as an example to illustrate this embodiment and the following embodiments.
As shown in fig. 3, to a partner a mobile phone number is just a number, but to an operator it can contain family interaction circle information, friend circle information, the commonly used mobile phone numbers of users, regional information or other information. For example, banks can contact customers through their commonly used mobile phone numbers to recommend financial products, government departments can analyze urban population through regional information, and the operator can analyze its own share of users through number segment information in order to allocate resources. Therefore, in the external API service data, the mobile phone number, the rule of the mobile phone number and the daily use behavior of the user are unique assets of the operator.
In a specific implementation, in order to effectively implement the step of determining different segment encryption rules according to the difference of the request contents of the user data request, the method includes:
step S201: and determining the user request purpose according to the request content of the user data request.
It can be understood that the user request purpose in the request content can be obtained by analyzing the request message of the user data request.
Step S202: and determining a first segmentation strategy according to the user request purpose, wherein the first segmentation strategy is used for determining the unencrypted part of the data to be encrypted in the target service data.
According to table 1, the request message of the user includes a request condition and request data, and the request purpose in the request condition is classified into three types, namely operator judgment, attribution judgment and list acquisition; the first segmentation strategy is determined according to the user request purpose, as shown in table 2:
TABLE 2 user request usage and first segment policy correspondence table
It will be appreciated that the first segmentation strategy is determined from the request purpose, for example:
the requester uses the service data to judge the proportion of operators in order to adjust social resources such as the quantity distribution of base stations and the power supply distribution. The ciphertext returned by the system then only needs to keep the first 4 digits as original text without encryption, and the last 7 digits are encrypted without a private key being provided for restoration. This is because, for Chinese telephone numbers, each of the 3 major operators (Mobile, Unicom and Telecom) has its own network identification numbers, and the first 4 digits roughly identify the operator to which the number belongs.
The requester uses the service data to analyze the personnel attribution of a certain area. The ciphertext returned by the system then only needs to keep the first 7 digits as original text without encryption, and the last 4 digits are encrypted without a private key being provided for restoration. This is because digits 4-7 of a mobile phone number are the area code (the home city); they represent the area number, and each city, district and town has a different number.
The requester uses the service data to reach users for purposes such as telemarketing and satisfaction follow-up. The ciphertext returned by the system then needs to be restorable, so full-segment encryption is adopted and a private key is provided for restoration.
It should be noted that, if the user request purpose is not list acquisition, the first segmentation policy is used as the segmentation encryption rule.
Step S203: and if the user request purpose is list acquisition, identifying a sensitive field in the request content, and acquiring a request user name in the request content.
In a specific implementation, the number of sensitive fields is obtained by acquiring the request data in the request content and then identifying the sensitive fields in the request data according to a preset sensitive field configuration table.
For example, the preset sensitive field configuration table includes the mobile phone number, the consumption amount, the number of calls, the name, the sex, the consumption amount, the address, the occupation, the unit address, and the common mobile phone number as the sensitive fields, and the number of the corresponding sensitive fields in the user request is as shown in table 3:
TABLE 3 number of sensitive fields corresponding to user request
It should be explained that if the request purpose is list acquisition, the secondary segmentation needs to be performed on the basis of the first segmentation strategy by the sensitive field in the request content and the request user name in the request content.
Step S204: based on the first segmentation strategy, determining a segmentation encryption rule through the sensitive field and the byte number of the request user name.
It can be understood that, based on the first segmentation policy, if the request purpose is list acquisition, all 11 digits of the mobile phone number need to be encrypted, and on this basis the mobile phone number is segmented a second time.
In a specific implementation, the number of sensitive fields in the request data and the number of bytes of the request user name in the request condition are used as variables, and the secondary segmentation is performed by the following formulas:
First segment: A = mod(11, Y);
Second segment: B = mod(11 - mod(11, Y), X); if the value of B is greater than or equal to 11 - mod(11, Y), then B = 0;
Third segment: C = 11 - A - B;
where X = the number of sensitive fields, Y = the number of bytes of the request user name, A is the number of digits in the first segment, B is the number of digits in the second segment, and C is the number of digits in the third segment.
It should be appreciated that when the request purpose is list acquisition there are typically three segments, but there may be only two segments because the second segment is 0. The segmentation rule for scenarios that need original text restoration is therefore variable, which protects the security of the private data of the client.
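The rule described in steps S202 to S204 can be written out as follows. This is an added example, not code from the patent: the purpose labels, class and function names are assumptions, and the rejection of X = 0 or Y = 0 is a choice of this sketch, since the text does not define those cases.

```python
# Added example (not from the patent): the segmentation rule for an 11-digit
# mobile number. Purpose labels and all function/class names are assumptions.
from dataclasses import dataclass

NUMBER_LEN = 11  # digits in the mobile number, as in the formulas above


@dataclass(frozen=True)
class Segment:
    start: int       # index of the first digit of the segment
    length: int      # number of digits in the segment
    encrypted: bool  # False means the digits are returned as original text


def secondary_lengths(x: int, y: int) -> tuple:
    """Return (A, B, C); x = number of sensitive fields, y = user-name bytes."""
    if x < 1 or y < 1:
        # The text does not define X = 0 or Y = 0 and mod by zero is
        # undefined, so this sketch rejects them instead of guessing.
        raise ValueError("X and Y must both be at least 1")
    a = NUMBER_LEN % y
    rest = NUMBER_LEN - a
    b = rest % x
    if b >= rest:  # the rule "B = 0 if B >= 11 - mod(11, Y)"
        b = 0
    return a, b, NUMBER_LEN - a - b


def segment_plan(purpose: str, x: int = 0, y: int = 0):
    """Return (segments, private_key_provided) for one request."""
    if purpose == "operator_judgment":      # first 4 digits stay readable
        return [Segment(0, 4, False), Segment(4, 7, True)], False
    if purpose == "attribution_judgment":   # first 7 digits stay readable
        return [Segment(0, 7, False), Segment(7, 4, True)], False
    if purpose == "list_acquisition":       # all 11 digits are encrypted
        segments, pos = [], 0
        for length in secondary_lengths(x, y):
            if length:                      # a zero-length segment is dropped
                segments.append(Segment(pos, length, True))
                pos += length
        return segments, True
    raise ValueError(f"unknown request purpose: {purpose!r}")


def split_number(number: str, segments) -> list:
    """Cut the number into (digits, encrypted) pieces according to the plan."""
    if len(number) != NUMBER_LEN or not number.isdigit():
        raise ValueError("expected an 11-digit number")
    return [(number[s.start:s.start + s.length], s.encrypted) for s in segments]


def key_pairs_needed(segments) -> int:
    """One public/private key pair per ciphertext segment."""
    return sum(1 for s in segments if s.encrypted)


if __name__ == "__main__":
    sample = "13912345678"  # constructed sample number
    user_name = "partner1"  # constructed name; UTF-8 byte count is an assumption
    plan, restorable = segment_plan(
        "list_acquisition", x=3, y=len(user_name.encode("utf-8")))
    print(split_number(sample, plan), key_pairs_needed(plan), restorable)
```

With X = 12 and Y = 8 the second segment is zeroed by the rule, which gives the two-segment case mentioned above.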
Step S30: and determining the segmentation result of the data to be encrypted according to the segmentation encryption rule.
The segmentation result may include a portion (number of original digits) that does not need decryption and a portion (number of ciphertext digits) that needs encryption after segmentation.
The segmentation result of the data to be encrypted (cell phone number) is shown in table 4:
TABLE 4 segmentation results of data to be encrypted in user data request
Step S40: and determining a public key and a private key based on the segmentation result, and encrypting the data to be encrypted through an encryption public key in the public key and the private key.
And determining the number of public and private keys according to the number of the ciphertext segments in the segmentation result of the mobile phone number in the target service data, and carrying out segmented encryption on the data to be encrypted by the encryption public key in the public and private keys.
Step S50: and sending the encrypted target service data to an initiating user corresponding to the user data request.
It can be understood that if the scenario of mobile phone number restoration is required, a decryption private key in the public private key is provided to decrypt the mobile phone number in the encrypted target service data.
In a specific implementation, referring to fig. 4, fig. 4 is a timing diagram of an execution process of the service security control method of the present invention:
1. a caller sends a data request to a gateway platform, and after the gateway obtains the data request, the gateway obtains service data (or receives returned service data) according to the data request;
2. analyzing the request message to obtain a user request type (user request purpose);
3. identifying sensitive fields to obtain the number of the sensitive fields; then the data information in step 2 and step 3 is transmitted to an encryption algorithm;
4. determining a segmentation encryption rule of the request data by combining step 2 and step 3;
5. obtaining a plurality of pairs of public and private keys according to the segmentation encryption rule and an encryption algorithm;
6. according to the encryption algorithm, the service data is encrypted in a segmented mode by combining a public key;
7. returning the encrypted service data to the corresponding requesting party, and providing a private key if the scenario needs restoration;
8. the user decrypts based on the ciphertext (encrypted service data) and the private key.
This embodiment obtains the target service data corresponding to the user data request; determines the user request purpose according to the request content of the user data request; determines a first segmentation strategy according to the user request purpose, wherein the first segmentation strategy is used for determining the unencrypted part of the data to be encrypted in the target service data; if the user request purpose is list acquisition, identifies sensitive fields in the request content and acquires a request user name in the request content; determines a segmentation encryption rule through the sensitive field and the byte number of the request user name based on the first segmentation strategy; if the user request purpose is not list acquisition, uses the first segmentation strategy as the segmentation encryption rule; determines a segmentation result of the data to be encrypted according to the segmentation encryption rule; determines a public key and a private key based on the segmentation result, and encrypts the data to be encrypted through an encryption public key in the public key and the private key; and sends the encrypted target service data to an initiating user corresponding to the user data request. The invention determines the segmentation encryption rule according to the request content of the user data request, segments the field to be encrypted in the target service data according to the segmentation encryption rule, encrypts according to the segmentation result, and sends the encrypted target service data to the initiating user corresponding to the user data request.
Referring to fig. 5, fig. 5 is a flowchart of a second embodiment of the service security management method according to the present invention.
Based on the first embodiment, in this embodiment, the step S40 includes:
Step S401: determining the number of public and private keys according to the segmentation result;
It should be noted that, since the number of ciphertext segments in the segmentation result is equal to the number of public and private keys, the number of public and private keys can be determined according to the segmentation result.
Step S402: sequentially acquiring segments to be encrypted of the data to be encrypted;
Step S403: determining the public and private keys according to the length of the to-be-encrypted segment, and encrypting the to-be-encrypted data through the encryption public key in the public and private keys, wherein the ciphertext obtained after the encryption public key encrypts the to-be-encrypted segment has the same length as the to-be-encrypted segment.
For example, if the segmentation result of the mobile phone number is [ original text (7 bits) ] [ ciphertext (4 bits) ], the last 4 bits of the mobile phone number are encrypted and a public key and a private key are obtained. The steps for obtaining the public and private keys are as follows:
1. Two different prime numbers p and q are randomly selected, with the constraint that their product has exactly 4 bits (consistent with the number of data bits to be encrypted); here p=103 and q=97 are chosen;
2. Multiplying p and q, n=103×97=9991;
3. the euler function formula for n is calculated,
4. randomly selecting a number e=1213, which satisfies the following conditionsIs of the same nature as e and 1<e</>
5. Calculating e forD=4117;
6. The public and private keys are encapsulated: the resulting public key is (e, n) = (1213, 9991) and the private key is (d, n) = (4117, 9991).
It should be noted that, the algorithm for encrypting the data to be encrypted is implemented based on an asymmetric encryption algorithm, and the ciphertext is C, and the encryption process is c=(mod n)。
Assuming that the original text is 2331, the ciphertext is 2621. Since n is limited to 4 bits, the resulting ciphertext value falls within the 4-bit range of values. Since the segmentation principle is [ original text (7 bits) ] [ ciphertext (4 bits) ], encrypting the last 4 bits yields an integer value. However, because the first 7 bits of the original text are not encrypted, splicing them with the integer value of the ciphertext could form a string that wrongly points to the mobile phone number of another user, so a character mapping table must be established for conversion. The above steps use two segments with only one encrypted segment, and are oriented to data request scenarios that can be analyzed without restoration; if the segmentation result is: and (4) ciphertext 1 segment (3) ciphertext 3 segment, and so on, and finally realizing the segmented encryption of the mobile phone number.
In a specific implementation, the step of encrypting the data to be encrypted by using the encryption public key in the public-private keys includes: sequentially obtaining encryption public keys corresponding to the segments to be encrypted; encrypting the to-be-encrypted segment by the encryption public key based on an asymmetric encryption algorithm to obtain a segment ciphertext; obtaining a mapping character corresponding to the segmented ciphertext according to a preset character mapping table; and splicing the unencrypted fragments of the data to be encrypted with the mapping characters according to the segmentation result to obtain a first encrypted ciphertext.
For example, referring to fig. 6, which is a schematic diagram of a mobile phone number segmentation encryption scenario in the service security management and control method of the present invention: for the mobile phone number 13861392331, the first 7 bits are not encrypted and the last 4 bits need to be encrypted, so the number is segmented into the non-encryption portion 1386139 and the encryption portion 2332. The to-be-encrypted segment is then encrypted by the encryption public key based on an asymmetric encryption algorithm to obtain the segmented ciphertext 9940, the mapping characters aode corresponding to the segmented ciphertext are obtained according to a preset character mapping table, and the parts are spliced to generate the final ciphertext 1386139aode. The first 7 bits are unchanged and can be used for area analysis, and the last 4 bits are ciphertext.
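The key derivation and segmented encryption walked through above, as an added example that is not code from the patent. It uses textbook RSA with the page's p, q and e, reads the page's "4 bits" as 4 decimal digits, and uses a hypothetical digit-to-letter table because the preset character mapping table is not given (so it does not reproduce the page's `aode`).

```python
from math import gcd

# Values from the page's worked example. A 4-digit modulus only illustrates the
# length-preserving format; it is far too small to resist factoring.
P, Q, E = 103, 97, 1213

# Hypothetical mapping table (assumption): the page's preset table is not given.
CHAR_MAP = dict(zip("0123456789", "qwertyuiop"))
REVERSE_MAP = {letter: digit for digit, letter in CHAR_MAP.items()}


def derive_keypair(p, q, e):
    """Steps 1-6: build (e, n) and (d, n) from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n for two distinct primes
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and be coprime with phi(n)")
    d = pow(e, -1, phi)              # modular inverse of e modulo phi(n)
    return (e, n), (d, n)


def _to_residue(digits, n):
    """Parse a digit string that must be as wide as n and smaller than n."""
    if not digits.isdigit() or len(digits) != len(str(n)):
        raise ValueError("segment must have as many decimal digits as the modulus")
    value = int(digits)
    if value >= n:
        # Edge case of the scheme: 9991..9999 cannot be represented modulo 9991.
        raise ValueError("segment value must be smaller than the modulus")
    return value


def encrypt_segment(segment, public_key):
    """c = m^e mod n, zero-padded so the ciphertext keeps the segment length."""
    e, n = public_key
    return str(pow(_to_residue(segment, n), e, n)).zfill(len(segment))


def decrypt_segment(cipher_digits, private_key):
    """m = c^d mod n, zero-padded back to the original segment length."""
    d, n = private_key
    return str(pow(_to_residue(cipher_digits, n), d, n)).zfill(len(cipher_digits))


def protect_phone(phone, clear_len, public_key):
    """Keep the first clear_len digits, encrypt the rest, map digits to letters."""
    clear, segment = phone[:clear_len], phone[clear_len:]
    cipher_digits = encrypt_segment(segment, public_key)
    return clear + "".join(CHAR_MAP[ch] for ch in cipher_digits)


def restore_phone(protected, clear_len, private_key):
    """Reverse protect_phone for a requester that was given the private key."""
    clear, mapped = protected[:clear_len], protected[clear_len:]
    cipher_digits = "".join(REVERSE_MAP[ch] for ch in mapped)
    return clear + decrypt_segment(cipher_digits, private_key)


if __name__ == "__main__":
    public_key, private_key = derive_keypair(P, Q, E)
    protected = protect_phone("13861392331", 7, public_key)
    print(public_key, private_key, protected)
    print(restore_phone(protected, 7, private_key))
```

Because n = 9991 is smaller than 9999, a segment in the range 9991 to 9999 is rejected rather than silently encrypted to a value that would not decrypt back to itself.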
According to the segmentation result, the number of public and private keys is determined; sequentially acquiring segments to be encrypted of the data to be encrypted; determining the public and private keys according to the length of the to-be-encrypted segment, and sequentially acquiring the encryption public keys corresponding to the to-be-encrypted segment; encrypting the to-be-encrypted segment by the encryption public key based on an asymmetric encryption algorithm to obtain a segment ciphertext; obtaining a mapping character corresponding to the segmented ciphertext according to a preset character mapping table; and splicing the unencrypted segment of the data to be encrypted with the mapping character according to the segmentation result to obtain a first encrypted ciphertext, wherein the length of the ciphertext obtained by encrypting the segment to be encrypted by the encryption public key in the public-private key is the same as the length of the segment to be encrypted. Compared with the prior art that after the data are encrypted, the original data original character is destroyed by the encrypted data, the data value provided by operators to the outside is reduced, and after the secret key is provided, the security risk of illegal decryption exists.
Referring to fig. 7, fig. 7 is a flowchart of a third embodiment of a service security management method according to the present invention.
Based on the above embodiment, in this embodiment, before step S50, the method further includes:
Step S411: determining corresponding sensitive content in the target service data according to the sensitive field in the request data.
For example, the mobile phone number, the consumption amount, the number of calls, the name, the sex, the consumption amount, the address, the occupation, the unit address and the common mobile phone number in the preset sensitive field configuration table are sensitive fields, and the content corresponding to these sensitive fields in the target service data is the sensitive content.
Step S412: encrypting the sensitive content except the data to be encrypted by using a symmetric encryption algorithm to obtain a symmetric encryption ciphertext.
It can be understood that the data to be encrypted (mobile phone number) is encrypted by an asymmetric encryption algorithm, so that only sensitive contents except the data to be encrypted need to be encrypted, and repeated encryption is avoided. The symmetric ciphertext is a ciphertext obtained by encrypting by a symmetric encryption algorithm.
It should be appreciated that the symmetric encryption algorithm may be a public encryption algorithm such as DES, 3DES or AES.
Step S413: converting the symmetric encryption ciphertext into a base64 format to obtain a second encryption ciphertext.
It should be noted that, since the second encrypted ciphertext obtained by converting into the base64 format is a string encoded by the base64, which is more suitable for transmission of different platforms and different languages, the applicability of the present invention can be improved by converting the symmetric encrypted ciphertext into the base64 format.
According to the sensitive field in the request data, the embodiment determines the corresponding sensitive content in the target service data; encrypting the sensitive content except the data to be encrypted by a symmetric encryption algorithm to obtain a symmetric encryption ciphertext; converting the symmetric encryption ciphertext into a base64 format to obtain a second encryption ciphertext; and then the encrypted target service data is sent to an initiating user corresponding to the user data request, compared with the prior art, the security of a sensitive field in the target service data is further ensured, and the symmetric encryption ciphertext is converted into a base64 format, so that the applicability of the invention is improved.
In addition, the embodiment of the invention also provides a storage medium, wherein the storage medium is stored with a service security control program, and the service security control program realizes the steps of the service security control method when being executed by a processor.
Referring to fig. 8, fig. 8 is a schematic diagram of a functional architecture of the service security management and control apparatus of the present invention. The device realizes the exploration of dangerous operation of the service and the sensitive data encryption of the content data in the multi-party service sharing scene, and the device consists of a capability layer, a functional layer and an application layer.
The capability layer provides the basic capability support of the device: a service framework based on a micro-service architecture (Nacos, Gateway, Sentinel, F5/Nginx+keep) provides the basic capabilities of the service environment, including service registration, routing, authentication, load balancing and the like, and the databases, including MySQL, Oracle and Redis, provide the capabilities of data management and data storage.
The function layer is divided into two large modules of service basic risk control and service content sensitive information encryption, wherein the service integrated risk control comprises DDL, DML operation probes, service adjustment and measurement, service release and service risk early warning functions, and the service content sensitive information encryption comprises data security management, message analysis, sensitive data identification, data security control and message assembly functions.
The application layer is divided into a test state and a production state, the test state provides a service integration environment, and the service risk is pre-found in the service integration process by means of the capability of the functional layer; the production state utilizes the capabilities of message analysis, sensitive data identification and the like of the device to encrypt the sensitive data. Sensitive data management and control in the service sharing process are realized.
It should be explained that, in general, the use of enterprise data in the process of generating a service by using a third party algorithm is not allowed to change the enterprise data, but there is a risk that the third party algorithm is mishandled and even maliciously tampered to cause the enterprise asset to be lost. On the other hand, the third party algorithm usually has independent property rights, enterprises cannot deeply check whether the third party algorithm has risk operation or not, so the device provides a service integration environment for deployment and debugging of a plurality of third party algorithms, the algorithm of the provider is used as a black box for service debugging in the integration environment in the debugging process, risks are found in the debugging process, and safety release and early warning work is completed.
Referring to fig. 9, which is a schematic diagram of a multi-party algorithm risk detection scenario in the service security management and control device according to the present invention: a third-party algorithm (A vendor algorithm (jar package), B vendor algorithm (script), etc.) is deployed in the third-party algorithm deployment area in the test state. In this process, the algorithms of multiple parties coexist in the deployment area as black boxes, and service debugging and testing are carried out independently through service integration. During service debugging, an algorithm performs data operations on sampling data (enterprise data capital) in the test state; the log recorder of the sampling database in the device generates the data operation records corresponding to the third-party algorithm in real time, and the DDL and DML operation probes of the device capture these records and probe whether the third-party algorithm performs illegal operations (modification, data destruction and the like). When an illegal operation is detected, an early warning is issued, realizing service risk early warning; if no illegal operation is detected, the algorithm is issued online to the production state carrying its MD5 code, the check between the two states (the test state and the production state) is completed, and the algorithm is issued to the third-party algorithm deployment area of the production state and integrated into the service gateway through service integration. Algorithms in the service gateway operate on enterprise data capital in the production state.
Referring to fig. 10, which is a schematic diagram of the multi-party algorithm risk detection flow in the service security management and control apparatus according to the present invention: algorithm A is deployed to the deployment environment of the device [test state]; algorithm A runs using test data prepared by the test library in the test state [service debugging]; the data operations of the user corresponding to each algorithm in the test library are monitored in real time; if the DDL and DML operation probes detect delete or update operations by algorithm A on the test data, the service risk early warning module is started to notify that algorithm A has risk operations, and service debugging is carried out again after rectification; if the DDL and DML operation probes detect no delete or update operations by algorithm A on the test data, the [algorithm issue] function is started to bind an MD5 value to the program package (such as a jar package) of algorithm A; algorithm A is then issued by the [algorithm issue] function; after algorithm A is released in the production state, the [algorithm issue] function is automatically triggered, and the MD5 value of the program package in the production state is recalculated and compared with that of the legal program package in the test state. If the MD5 comparison does not pass, the device considers algorithm A illegal, and algorithm A restarts in the test state after rectification; if the MD5 comparison passes, the device considers algorithm A legal. In this flow, the two functional modules [DDL, DML operation probe] and [algorithm issue] play the core detection role.
Referring to fig. 11, which is a schematic flow diagram of the DDL and DML operation probes in multi-party algorithm risk detection in the service security management and control device according to the present invention: the [DDL, DML operation probe] monitors in real time the data operations of the algorithms of different users (algorithm A of user 1, algorithm B of user 2, algorithm C of user 3, algorithm N of user N) in the test library, determines from the logs retained in the message queue (the log queue of algorithm A of user 1, the log queue of algorithm B of user 2, and the log queue of algorithm N of user N) whether a risk operation exists, and pushes the determination result to algorithm risk prediction. Risk detection can be carried out simultaneously for multiple users and multiple algorithms, and the implementation is non-invasive: the probe only detects the algorithm's final operations on the test data, and the detection logic is not embedded in the algorithm.
Because the DDL and DML operation probes do not intrude into the algorithms of the multiple users in the test state, the transformation cost of the device for users is reduced, and the algorithms of different users can be rapidly deployed in the test-state environment. In the test-state implementation scheme, the invention selects Hive as the basic platform of the test state, establishes a user authentication and access control system in a Kerberos+Ranger mode, and stores the test data of each user separately. Through this design, data isolation and algorithm isolation of different users are realized.
In terms of authentication, a Key Distribution Center (KDC) is established using the Kerberos authentication protocol, with the user as the client and the test state as the server, establishing a multi-party algorithm debugging environment; when an algorithm user accesses the test-state service, the user must carry a secret key that is dedicated to accessing the service and proves the user's identity, and when the test-state server receives the key, it can verify the identity of the client and provide the service. In terms of access control, resource-based control policies are added using the Ranger access control configuration, so that different HDFS and Hive resource services are bound to different users. In terms of log collection, because of the non-invasive design, a log collector is added to the test-state service; the data operations of different user algorithms are standardized and recorded in a message queue, and the risk judgment is finally completed.
In addition, the [algorithm issue] function can also be used for issuing an algorithm that has passed risk detection from the test state to the production state while ensuring consistency. Taking an algorithm A that has passed risk operation detection as an example, the whole algorithm issue process can be completed in 4 steps: first, the calculated MD5 value of algorithm A is stored as a reference in the MD5 value library of the algorithm issue function; then the algorithm is issued; after issuing is completed, the MD5 value of algorithm A in the production library is recalculated; finally, it is compared with the reference value in the value library, and the issuing is judged to have failed if the result is inconsistent.
Referring to fig. 12, fig. 12 is a functional schematic diagram of the security management and control method in the production state of the service security management and control device according to the present invention. The service security management and control method provided by the present invention obtains target service data corresponding to a user data request of a requester (the non-sensitive data and the plaintext of the sensitive data are obtained from the service data through message parsing); determines a segment encryption rule according to the request content of the user data request, wherein the segment encryption rule is used for segmenting data to be encrypted in the target service data; determines a segmentation result of the data to be encrypted according to the segmentation encryption rule; determines a public key and a private key based on the segmentation result, and encrypts the data to be encrypted through the encryption public key in the public and private keys; and sends the encrypted target service data (which comprises the non-sensitive data and the ciphertext of the sensitive data) to the requester corresponding to the user data request. The desensitization encryption of the data is realized in the production state at the service layer: the data security control obtains its security configuration from the data security management and is deployed as a service in the data gateway server as the functional component for encryption processing, so the algorithms of each manufacturer in the third-party algorithm deployment area (A manufacturer algorithm (jar package), B manufacturer algorithm (script) and N manufacturer algorithm (script)) only need to carry out business logic processing and do not each need to desensitize and encrypt the data themselves; the messages are reassembled after encryption is finished.
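The probe-then-release flow described for fig. 10 and fig. 11 and in the 4-step issue process above, as an added example that is not the device's own code. The log record layout, the sample log lines, the set of flagged DDL verbs and the names `probe` and `ReleaseGate` are assumptions; only delete and update operations and the MD5 comparison are named on the page.

```python
import hashlib
import hmac
import re

# Constructed sample of standardized log records: "<user>|<algorithm>|<SQL>".
SAMPLE_LOG = """\
user1|algorithm_A|SELECT phone, city FROM sample_users WHERE city = 'Nanjing'
user1|algorithm_A|select count(*) from sample_users
user2|algorithm_B|  UPDATE sample_users SET balance = 0
user3|algorithm_C|/* cleanup */ DROP TABLE sample_users
user3|algorithm_C|SELECT 1; DELETE FROM sample_users WHERE 1 = 1
"""

RISKY_DML = {"DELETE", "UPDATE"}            # operations named on the page
RISKY_DDL = {"DROP", "TRUNCATE", "ALTER"}   # assumed set of destructive DDL verbs
_LEADING_COMMENT = re.compile(r"^\s*(?:/\*.*?\*/|--[^\n]*\n?)", re.S)


def first_keyword(statement):
    """Return the upper-cased leading SQL verb, skipping leading comments."""
    while True:
        stripped = _LEADING_COMMENT.sub("", statement, count=1)
        if stripped == statement:
            break
        statement = stripped
    match = re.match(r"\s*([A-Za-z]+)", statement)
    return match.group(1).upper() if match else ""


def probe(log_text):
    """Return {(user, algorithm): [(verb, statement), ...]} for every pair seen.

    The algorithm itself is never touched: only its recorded operations are read.
    Statements are split on ';' without parsing string literals, so a literal
    containing ';' can only add findings, never hide one.
    """
    findings = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed log record on line {number}")
        key = (parts[0].strip(), parts[1].strip())
        risky = findings.setdefault(key, [])   # clean algorithms are listed too
        for statement in parts[2].split(";"):
            verb = first_keyword(statement)
            if verb in RISKY_DML or verb in RISKY_DDL:
                risky.append((verb, statement.strip()))
    return findings


class ReleaseGate:
    """Binds an MD5 value in the test state and re-checks it in the production state."""

    def __init__(self):
        self._reference = {}   # algorithm name -> MD5 hex digest (the value library)

    def bind(self, algorithm, package, risky_operations):
        """Store the reference MD5 only for a package whose probe result is clean."""
        if risky_operations:
            raise PermissionError(f"{algorithm} has risk operations; rework and retest")
        # MD5 is what the page specifies; it is not collision-resistant, so a
        # deployment would normally record a SHA-256 digest alongside it.
        digest = hashlib.md5(package).hexdigest()
        self._reference[algorithm] = digest
        return digest

    def verify(self, algorithm, production_package):
        """Recompute the MD5 after release; unknown algorithms fail closed."""
        expected = self._reference.get(algorithm)
        if expected is None:
            return False
        actual = hashlib.md5(production_package).hexdigest()
        return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    results = probe(SAMPLE_LOG)
    for pair, risky in results.items():
        print(pair, "RISK" if risky else "clean", [verb for verb, _ in risky])
    gate = ReleaseGate()
    package = b"constructed bytes standing in for algorithm_A.jar"
    gate.bind("algorithm_A", package, results[("user1", "algorithm_A")])
    print(gate.verify("algorithm_A", package), gate.verify("algorithm_A", package + b"!"))
```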
The device realizes the safety control of the service full life cycle, and the control granularity reaches the field level. On the other hand, the device greatly reduces the transformation amount of the third party service related to safety control, improves the integration efficiency of the third party service, and is favorable for better playing the enterprise data value.
Referring to fig. 13, fig. 13 is a block diagram illustrating a first embodiment of a service security management and control apparatus according to the present invention.
As shown in fig. 13, a service security management and control apparatus according to an embodiment of the present invention includes: a data acquisition module 601, a rule determination module 602, a segment determination module 603, a data encryption module 604, and a data transmission module 605.
The data obtaining module 601 is configured to obtain target service data corresponding to a user data request.
The rule determining module 602 is configured to determine a segment encryption rule according to a request content of the user data request, where the segment encryption rule is used to segment data to be encrypted in the target service data.
The segment determining module 603 is configured to determine a segment result of the data to be encrypted according to the segment encryption rule.
The data encryption module 604 is configured to determine a public key and a private key based on the segmentation result, and encrypt the data to be encrypted by using an encrypted public key in the public key and the private key.
The data sending module 605 is configured to send the encrypted target service data to an initiating user corresponding to the user data request.
The rule determining module 602 is further configured to determine a user request purpose according to the request content of the user data request; determine a first segmentation strategy according to the user request purpose, wherein the first segmentation strategy is used for determining that no encryption part exists in data to be encrypted in the target service data; if the user request purpose is list acquisition, identify sensitive fields in the request content and acquire a request user name in the request content; and, based on the first segmentation strategy, determine a segmentation encryption rule through the sensitive field and the byte number of the request user name.
The rule determining module 602 is further configured to use the first segmentation policy as a segmentation encryption rule if the user request purpose is not list acquisition.
The embodiment obtains the target service data corresponding to the user data request; determining a segment encryption rule according to the request content of the user data request, wherein the segment encryption rule is used for segmenting data to be encrypted in the target service data; determining a segmentation result of the data to be encrypted according to the segmentation encryption rule; determining a public key and a private key based on the segmentation result, and encrypting the data to be encrypted through an encryption public key in the public key and the private key; and sending the encrypted target service data to an initiating user corresponding to the user data request. The invention determines the segmentation encryption rule according to the request content of the user data request, segments the field to be encrypted in the target service data according to the segmentation encryption rule, encrypts according to the segmentation result, and sends the encrypted target service data to the initiating user corresponding to the user data request.
Based on the first embodiment of the service security management and control apparatus of the present invention, a second embodiment of the service security management and control apparatus of the present invention is provided.
In this embodiment, the data encryption module 604 is further configured to determine the number of public and private keys according to the segmentation result; sequentially acquiring segments to be encrypted of the data to be encrypted; and determining the public and private keys according to the length of the to-be-encrypted segment, encrypting the to-be-encrypted data through the encryption public key in the public and private keys, and obtaining the ciphertext with the same length as the to-be-encrypted segment after the encryption public key in the public and private keys encrypts the to-be-encrypted segment.
The data encryption module 604 is further configured to sequentially obtain an encryption public key corresponding to the segment to be encrypted; encrypting the to-be-encrypted segment by the encryption public key based on an asymmetric encryption algorithm to obtain a segment ciphertext; obtaining a mapping character corresponding to the segmented ciphertext according to a preset character mapping table; and splicing the unencrypted fragments of the data to be encrypted with the mapping characters according to the segmentation result to obtain a first encrypted ciphertext.
Other embodiments or specific implementation manners of the service security management and control apparatus of the present invention may refer to the above method embodiments, and are not described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. read-only memory/random-access memory, magnetic disk, optical disk), comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. A method of service security management, the method comprising the steps of:
acquiring target service data corresponding to a user data request;
determining a segment encryption rule according to the request content of the user data request, wherein the segment encryption rule is used for segmenting data to be encrypted in the target service data;
determining a segmentation result of the data to be encrypted according to the segmentation encryption rule;
determining a public key and a private key based on the segmentation result, and encrypting the data to be encrypted through an encryption public key in the public key and the private key;
and sending the encrypted target service data to an initiating user corresponding to the user data request.
2. The service security management method according to claim 1, wherein the step of determining a segment encryption rule according to a request content of the user data request comprises:
determining the user request purpose according to the request content of the user data request;
determining a first segmentation strategy according to the user request purpose, wherein the first segmentation strategy is used for determining that no encryption part exists in data to be encrypted in the target service data;
if the user request purpose is list acquisition, identifying sensitive fields in the request content, and acquiring a request user name in the request content;
based on the first segmentation strategy, determining a segmentation encryption rule through the sensitive field and the byte number of the request user name.
3. The service security management method of claim 2, wherein after the step of determining a first segmentation policy according to the user request purpose, further comprising:
and if the user request purpose is not list acquisition, taking the first segmentation strategy as a segmentation encryption rule.
4. The service security management method according to claim 2, wherein the step of determining a public-private key based on the segmentation result and encrypting the data to be encrypted by an encryption public key of the public-private keys includes:
determining the number of public and private keys according to the segmentation result;
sequentially acquiring segments to be encrypted of the data to be encrypted;
and determining the public and private keys according to the length of the to-be-encrypted segment, encrypting the to-be-encrypted data through the encryption public key in the public and private keys, and obtaining the ciphertext with the same length as the to-be-encrypted segment after the encryption public key in the public and private keys encrypts the to-be-encrypted segment.
5. The service security management and control method according to claim 4, wherein the encrypted target service data includes a first encrypted ciphertext, and the step of encrypting the data to be encrypted by an encryption public key in the public-private key includes:
sequentially obtaining encryption public keys corresponding to the segments to be encrypted;
encrypting the to-be-encrypted segment by the encryption public key based on an asymmetric encryption algorithm to obtain a segment ciphertext;
obtaining a mapping character corresponding to the segmented ciphertext according to a preset character mapping table;
and splicing the unencrypted fragments of the data to be encrypted with the mapping characters according to the segmentation result to obtain a first encrypted ciphertext.
6. The service security management method of claim 2, wherein the step of identifying sensitive fields in the requested content comprises:
acquiring request data in the request content;
and identifying the sensitive field in the request data according to a preset sensitive field configuration table.
7. The service security management and control method according to claim 6, wherein the encrypted target service data includes a second encrypted ciphertext, and before the step of sending the encrypted target service data to the originating user corresponding to the user data request, the method further comprises:
determining corresponding sensitive content in the target service data according to the sensitive field in the request data;
encrypting the sensitive content except the data to be encrypted by a symmetric encryption algorithm to obtain a symmetric encryption ciphertext;
and converting the symmetric encryption ciphertext into a base64 format to obtain a second encryption ciphertext.
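The flow of claims 6 and 7, sketched as an added example in JavaScript (Node.js); it is not code from the patent. The claims say only "a symmetric encryption algorithm", so AES-256-GCM, the field names, the sample record, the `iv || tag || ciphertext` layout and the use of the field name as associated data are all assumptions made here.

```javascript
const crypto = require("crypto");

// Constructed stand-in for the claim-6 "preset sensitive field configuration table".
const SENSITIVE_FIELDS = new Set(["phone", "idCard", "bankCard"]);

// Claim 6: pick the sensitive fields out of the request data.
function identifySensitiveFields(requestData) {
  return requestData.fields.filter((name) => SENSITIVE_FIELDS.has(name));
}

// Assumed algorithm: AES-256-GCM. Output is base64(iv || tag || ciphertext).
// The field name is bound as AAD so a ciphertext cannot be moved to another field.
function encryptField(key, field, value) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every value
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(field, "utf8"));
  const body = Buffer.concat([cipher.update(String(value), "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
}

// Receiver side: final() throws if the key, field name or ciphertext does not match.
function decryptField(key, field, b64) {
  const raw = Buffer.from(b64, "base64");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(field, "utf8"));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString("utf8");
}

// Claim 7: encrypt sensitive content except the fields already handled by
// segment encryption, and return the record with base64 ciphertexts in place.
function protectResponse(key, requestData, serviceData, segmentEncrypted = new Set()) {
  const out = { ...serviceData };
  for (const field of identifySensitiveFields(requestData)) {
    if (segmentEncrypted.has(field) || !(field in serviceData)) continue;
    out[field] = encryptField(key, field, serviceData[field]);
  }
  return out;
}

// Constructed sample request and record; idCard is assumed to be segment-encrypted elsewhere.
const key = crypto.randomBytes(32);
const request = { fields: ["name", "phone", "idCard"] };
const record = { name: "Zhang San", phone: "13800000000", idCard: "SEGMENT-ENCRYPTED-ELSEWHERE" };
const protectedRecord = protectResponse(key, request, record, new Set(["idCard"]));
console.log(protectedRecord);
```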
8. A service security management and control apparatus, the apparatus comprising:
the data acquisition module is used for acquiring target service data corresponding to the user data request;
the rule determining module is used for determining a segment encryption rule according to the request content of the user data request, and the segment encryption rule is used for segmenting data to be encrypted in the target service data;
the segmentation determining module is used for determining a segmentation result of the data to be encrypted according to the segmentation encryption rule;
the data encryption module is used for determining a public key and a private key based on the segmentation result and encrypting the data to be encrypted through an encryption public key in the public key and the private key;
and the data sending module is used for sending the encrypted target service data to an initiating user corresponding to the user data request.
9. A service security management apparatus, the apparatus comprising: a memory, a processor and a service security management program stored on the memory and executable on the processor, the service security management program being configured to implement the steps of the service security management method of any of claims 1 to 7.
10. A storage medium having stored thereon a service security management program which when executed by a processor implements the steps of the service security management method of any of claims 1 to 7.
CN202310834450.XA 2023-07-07 2023-07-07 Service security management and control method, device, equipment and storage medium Pending CN116743481A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310834450.XA CN116743481A (en) 2023-07-07 2023-07-07 Service security management and control method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310834450.XA CN116743481A (en) 2023-07-07 2023-07-07 Service security management and control method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116743481A true CN116743481A (en) 2023-09-12

Family

ID=87916875

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310834450.XA Pending CN116743481A (en) 2023-07-07 2023-07-07 Service security management and control method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116743481A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117614731A (en) * 2023-12-11 2024-02-27 杭州广安汽车电器有限公司 Vehicle air conditioner data safety transmission method based on cloud computing platform
CN117614731B (en) * 2023-12-11 2024-06-04 杭州广安汽车电器有限公司 Vehicle air conditioner data safety transmission method based on cloud computing platform

Similar Documents

Publication Publication Date Title
CN112926982B (en) Transaction data processing method, device, equipment and storage medium
CN112287372B (en) Method and apparatus for protecting clipboard privacy
Pradeep et al. An efficient framework for sharing a file in a secure manner using asymmetric key distribution management in cloud environment
CN109688098B (en) Method, device and equipment for secure communication of data and computer readable storage medium
CN113032357A (en) File storage method and device and server
JP2020524864A (en) Controlling access to data
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
CN116743481A (en) Service security management and control method, device, equipment and storage medium
CN107395587B (en) Data management method and system based on multipoint cooperation mechanism
CN115130075A (en) Digital signature method and device, electronic equipment and storage medium
CN110266653B (en) Authentication method, system and terminal equipment
CN115603907A (en) Method, device, equipment and storage medium for encrypting storage data
CN111585995A (en) Method and device for transmitting and processing safety wind control information, computer equipment and storage medium
CN113918982A (en) Data processing method and system based on identification information
CN109120576B (en) Data sharing method and device, computer equipment and storage medium
CN108809631B (en) Quantum key service management system and method
CN116455572B (en) Data encryption method, device and equipment
CN107995616B (en) User behavior data processing method and device
CN116684102A (en) Message transmission method, message verification method, device, equipment, medium and product
CN114124440B (en) Secure transmission method, apparatus, computer device and storage medium
CN115941279A (en) Encryption and decryption method, system and equipment for user identification in data
CN115086428B (en) Network request sending method and device and electronic equipment
CN113672955A (en) Data processing method, system and device
CN112257084A (en) Personal information storage and monitoring method, system and storage medium based on block chain
DHAS et al. Data integrity method for dynamic auditing in cloud environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination