CN116760631A - Multi-service data hierarchical management and control method and system based on regulation and control cloud platform - Google Patents

Publication number
CN116760631A
Authority
CN
China
Prior art keywords
data
key
cloud platform
storage unit
temporary
Legal status
Granted
Application number
CN202310999666.1A
Other languages
Chinese (zh)
Other versions
CN116760631B (en
Inventor
阙凌燕
金学奇
张静
卢敏
娄冰
孙志华
徐峰
俞佳乐
胡真瑜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Zhejiang Electric Power Co Ltd
Zhejiang Huayun Information Technology Co Ltd
Original Assignee
State Grid Zhejiang Electric Power Co Ltd
Zhejiang Huayun Information Technology Co Ltd
Application filed by State Grid Zhejiang Electric Power Co Ltd and Zhejiang Huayun Information Technology Co Ltd
Priority to CN202310999666.1A
Publication of CN116760631A
Application granted
Publication of CN116760631B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a multi-service data hierarchical management and control method and system based on a regulation and control cloud platform. Confidential data is decrypted and read through a multi-level temporary data container. Hierarchical encryption ensures that the verification module code is necessarily executed before the data is read, and verification is performed against the characteristics of the original storage unit, so that reading can only take place in the original storage unit. A destruction mechanism is also provided, so that data transfer cannot be achieved whether copying is attempted before or after decryption. This ensures whole-process risk control of confidential documents and gives higher security and confidentiality. The application addresses the prior-art problem that whole-process risk control of confidential documents is difficult to maintain once data grading is complete.

Description

Multi-service data hierarchical management and control method and system based on regulation and control cloud platform
Technical Field
The application relates to the field of data processing, in particular to a multi-service data hierarchical management and control method and system based on a regulation and control cloud platform.
Background
With the growing intelligence of the power grid, more and more business information is stored as electronic data in the memory of a computer or server. Different information involves different authorities and degrees of confidentiality, so data is often classified by security level into three grades: public, internal and confidential. Different forms of encryption and isolation are then applied according to grade to prevent the data from being disseminated; the higher the security level, the more complex the encryption, which reduces the risk of leakage.
In general, existing encryption means are very reliable, and cracking an encrypted file is very difficult. In actual use of such a grading system, however, security problems still occur. For example, a confidential document may be encrypted in a complex manner, but a person with authority must decrypt it in order to read it. Between decryption and re-encryption the document is in a security vacuum: it is still a confidential document but is not encrypted, and reading, copying and transferring it are not restricted. The unencrypted document can be obtained by copying it to a mobile hard disk, so because of this weakness an attacker can obtain the confidential document without cracking the encryption algorithm, simply by waiting for a suitable moment. The current grading system therefore still has obvious security risks.
Therefore, how to maintain whole-process risk control of confidential documents after grading is complete is a technical problem that is currently difficult to solve.
Disclosure of Invention
To address the prior-art problem that whole-process risk control of confidential documents is difficult to maintain after grading is complete, the application provides a multi-service data hierarchical management and control method and system based on a regulation and control cloud platform. Confidential data is decrypted and read through a multi-layer temporary data container. Layered encryption ensures that the verification module code is necessarily executed before the data is read and that verification is performed against the characteristics of the original storage unit, so that reading can only take place in the original storage unit. A destruction mechanism is also provided, so that data transfer cannot be achieved whether copying is attempted before or after decryption. This ensures whole-process risk control of confidential documents and gives higher security and confidentiality.
The following is a technical scheme of the application.
The multi-service data hierarchical management and control method based on the regulation and control cloud platform is applied to a regulation and control cloud platform and a plurality of service terminals, and comprises the following steps:
S1: encrypting the service data with the preset encryption algorithm corresponding to its secret-related level, and storing the encrypted service data in a designated storage unit;
S2: when a service terminal receives a data reading request, forwarding the request to the regulation and control cloud platform, which verifies it; if verification passes, the next step is executed, otherwise the request is returned;
S3: determining the storage unit and the secret-related level of the target data in the data reading request, waking up the service terminal where the storage unit is located, and choosing to execute S4 or S5 according to the secret-related level;
S4: decrypting the target data with the preset encryption algorithm, after which the service terminal reads it and the method ends;
S5: creating a temporary data container in the storage unit where the target data is located; generating a first key from the characteristic data stored at some addresses of that storage unit, and converting the first key into corresponding check codes and check pointers that form the intermediate layer of the temporary data container; presetting a second key and the check module code as the topmost layer; sealing the target data in the bottommost layer; and encrypting the bottommost layer with the first key and the intermediate layer with the second key;
S6: when the temporary data container is read, decrypting the intermediate layer with the second key from the topmost layer; the check module code processes the check codes and check pointers of the intermediate layer to form a third key, and the bottommost layer is decrypted with the third key; if the third key is consistent with the first key, decryption succeeds and the target data is obtained, and S4 and S7 are executed at the same time; otherwise the target data cannot be decrypted;
S7: performing continuous security monitoring, and destroying the bottommost layer of the temporary data container if the data at an address pointed to by a check pointer changes or a copy instruction is detected.
The application optimizes the subsequent file-reading process on top of the traditional grading approach. It generates the first key from the characteristic data stored at some addresses of the storage unit where the target data is located, which binds the first key to the storage unit, destroys the first key after encryption, and adopts a unique temporary data container structure. If the temporary data container is transferred before reading, the storage unit differs at read time and decryption fails; if it is transferred after reading, the temporary data container is destroyed. The application can thus ensure that the data is in a safe and reliable environment when it is read.
It should be noted that the service data is stored encrypted, so after the bottommost layer is decrypted, the decryption of S4 is still performed to obtain the plaintext target data for reading.
Preferably, the step S1: encrypting by adopting a corresponding preset encryption algorithm according to the secret-related grade of the service data and storing the encrypted service data in a designated storage unit, wherein the method comprises the following steps:
presetting an encryption algorithm for each designated secret-related level;
when new service data is acquired, encrypting by using a corresponding preset encryption algorithm according to the secret-related grade;
the encryption result is stored in a designated storage unit.
Preferably, the step S2: when the service terminal acquires the data reading request, the data reading request is forwarded to the regulation and control cloud platform, the regulation and control cloud platform carries out auditing, if the auditing is passed, the next step is executed, otherwise, the request is returned, and the method comprises the following steps:
when a service terminal acquires a data reading request, forwarding the data reading request to a regulation and control cloud platform;
and the regulation and control cloud platform audits the authority information in the data reading request against the secret-related level of the target data; if the authority information meets the minimum authority requirement of that level, the audit passes, otherwise the request is returned.
Preferably, the step S3: judging a storage unit and a secret related grade of target data in a data reading request, waking up a service terminal of the storage unit, and executing S4 or S5 according to the secret related grade, wherein the method comprises the following steps:
judging a storage unit where target data in a data reading request are located, and waking up a service terminal where the storage unit is located;
and judging the secret related level of the target data, judging whether continuous safety monitoring is needed or not based on the secret related level, if so, executing S5, and if not, executing S4.
Preferably, the step S4: decrypting the target data by using a preset encryption algorithm, and reading the target data by a service terminal, wherein the method comprises the following steps:
searching a preset encryption algorithm adopted in encryption according to the secret-related grade of the target data;
and decrypting by using the same preset encryption algorithm to obtain target data, and reading by the service terminal.
Preferably, the step S5: creating a temporary data container in a storage unit where target data is located, generating a first key by utilizing characteristic data stored in a partial address of the storage unit where the target data is located, simultaneously converting the first key into a corresponding check code and a check pointer to serve as an intermediate layer of the temporary data container, presetting a second key and a check module code to serve as a topmost layer, sealing the target data in the bottommost layer, encrypting the bottommost layer by utilizing the first key respectively, and encrypting the intermediate layer by utilizing the second key, wherein the method comprises the following steps:
reading characteristic data of a plurality of addresses from a storage unit where target data are located, forming a first key, splitting part of the characteristic data into a plurality of check codes, and creating a plurality of check pointers to point to addresses of other characteristic data;
creating a temporary data container in a storage unit where target data are located, and dividing the temporary data container into a plurality of temporary areas, wherein a second key and a verification module code are preset in a first temporary area and serve as the topmost layer; presetting a check code and a check pointer in a second temporary area as an intermediate layer, wherein the second temporary area is encrypted by a second key; the third temporary area stores target data copied from the storage unit as the bottommost layer, and the third temporary area is encrypted by the first key, and the first key is destroyed after encryption.
In the application, the first key is generated from the characteristic data at specific addresses of the storage unit. After the first key is destroyed, only the check pointers and check codes remain, and a check pointer carries no data related to the first key, so the first key cannot be restored directly. Only when the storage unit is unchanged can the original characteristic data be obtained through the check pointers and a third key consistent with the first key be restored. To ensure this works reliably, the characteristic data is generally chosen to be a unique identifier of the storage unit, so that the data at those addresses does not change easily and the check pointers remain effective.
In addition, unlike traditional sequentially executed instructions, the method uses encryption to force the order in which the temporary areas are read: the next temporary area can only be read once the previous one has been unlocked. This prevents the sequential instructions from being maliciously bypassed, ensures that the verification module code is executed first, guarantees normal execution of the subsequent flow, and keeps the whole-process security monitoring effective.
Preferably, the step S6: when the temporary data container is read, the middle layer is decrypted by using the second key at the top layer, the check code and the check pointer of the middle layer are processed by the check module code to form a third key, the bottom layer is decrypted by using the third key, if the third key is consistent with the first key, the decryption is successful to obtain target data, and S4 and S7 are executed simultaneously, otherwise, the decryption cannot be performed, and the method comprises the following steps:
when the temporary data container is read, executing the check module code in the first temporary area, decrypting the second temporary area with the second key, and reading the check codes and check pointers of the second temporary area;
according to the address pointed to by each check pointer, reading the data at that address of the storage unit where the data is located as a feature code, and combining the feature codes with the check codes to obtain the characteristic data and form a third key;
and attempting to decrypt the third temporary area with the third key; if the third key is consistent with the first key, decryption succeeds and the target data is obtained, and S4 and S7 are executed at the same time; otherwise decryption fails.
Preferably, the step S7: and performing continuous safety monitoring, if the data of the address pointed by the check pointer changes or a copy instruction is detected, destroying the bottommost layer of the temporary data container, wherein the method comprises the following steps:
after decryption succeeds, the check module code continues to run and re-reads the addresses pointed to by the check pointers at preset intervals; if the data at any of these addresses changes, or if a copy instruction is detected, the third temporary area is destroyed.
Preferably, the preset encryption algorithm includes at least two of AES algorithm, 3DES algorithm, or RC4 algorithm.
Preferably, the secret-related level includes at least two levels.
Preferably, the characteristic data is a unique identifier of the storage unit.
Preferably, the first key and the third key are generated by means of a key generator of the RC4 algorithm.
The application also provides a multi-service data hierarchical management and control system based on the regulation and control cloud platform, which comprises the regulation and control cloud platform and a plurality of service terminals, wherein the regulation and control cloud platform and the service terminals are configured to execute the multi-service data hierarchical management and control method based on the regulation and control cloud platform.
The application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform when calling the computer program in the memory.
The application also provides a storage medium, wherein the storage medium stores computer executable instructions, and when the computer executable instructions are loaded and executed by a processor, the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform are realized.
The essential effects of the application include:
The application optimizes the subsequent file-reading process on top of the traditional grading approach. It generates the first key from the characteristic data stored at some addresses of the storage unit where the target data is located, which binds the first key to the storage unit, destroys the first key after encryption, and adopts a unique temporary data container structure. Thus, if the temporary data container is transferred before reading, the storage unit differs at read time and decryption fails; if it is transferred after reading, the temporary data container is destroyed. The application can thus ensure that the data is in a safe and reliable environment when it is read.
Furthermore, the first key is generated from the characteristic data at specific addresses of the storage unit. After the first key is destroyed, only the check pointers and check codes remain, and a check pointer carries no data related to the first key, so the first key cannot be restored directly. Only when the storage unit is unchanged can the original characteristic data be obtained through the check pointers and a third key consistent with the first key be restored.
In addition, unlike traditional sequentially executed instructions, the method uses encryption to force the order in which the temporary areas are read: the next temporary area can only be read once the previous one has been unlocked. This prevents the sequential instructions from being maliciously bypassed, ensures that the verification module code is executed first, guarantees normal execution of the subsequent flow, and keeps the whole-process security monitoring effective.
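The container construction, read and monitoring steps S5 to S7 described above can be modelled as follows. This is an added example, not code from the patent: the storage unit is modelled as a constructed address-to-bytes dictionary, SHA-256 derivation and an HMAC-SHA256 keystream with a MAC tag stand in for the preset algorithms and the RC4 key generator named on the page, and all function names are hypothetical.

```python
import hashlib
import hmac
import json
import os

# Constructed sample: a storage unit modelled as address -> bytes. The values
# stand in for the unit's unique identifier that the text uses as feature data.
ORIGINAL_UNIT = {0x10: b"SN-7F3A", 0x20: b"VOL-0042", 0x30: b"CTRL-91BE", 0x40: b"REV-C"}
FEATURE_ADDRS = [0x10, 0x20, 0x30, 0x40]


def derive_key(parts):
    """Derive a key from ordered feature data (each part is length-prefixed)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def _subkeys(key):
    # Separate encryption and MAC keys derived from the layer key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(key, nonce, data):
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Stand-in layer cipher (assumption): keystream XOR, then encrypt-then-MAC."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(ek, nonce, plaintext)
    return nonce + hmac.new(mk, nonce + ct, hashlib.sha256).digest() + ct


def unseal(key, blob):
    """Return the plaintext, or raise ValueError if the key does not match."""
    ek, mk = _subkeys(key)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer cannot be decrypted: key mismatch")
    return _xor_stream(ek, nonce, ct)


def build_container(unit, addrs, target_data):
    """S5: build three layers; the first key is derived, used once, never stored."""
    parts = [unit[a] for a in addrs]
    first_key = derive_key(parts)
    half = len(addrs) // 2
    middle = {"check_codes": [p.hex() for p in parts[:half]],  # part of the feature data
              "check_pointers": addrs[half:]}                  # addresses of the rest
    second_key = os.urandom(32)
    return {"top": {"second_key": second_key},  # the check module code also lives here
            "middle": seal(second_key, json.dumps(middle).encode()),
            "bottom": seal(first_key, target_data)}


def read_container(container, unit):
    """S6: acts as the check module code; rebuilds the third key from `unit`."""
    if container["bottom"] is None:
        raise ValueError("bottom layer has been destroyed")
    middle = json.loads(unseal(container["top"]["second_key"], container["middle"]))
    codes = [bytes.fromhex(c) for c in middle["check_codes"]]
    pointers = middle["check_pointers"]
    feature_codes = [unit.get(a, b"") for a in pointers]
    third_key = derive_key(codes + feature_codes)
    data = unseal(third_key, container["bottom"])  # fails unless third key == first key
    return data, {"pointers": pointers, "snapshot": feature_codes}


def monitor_step(container, unit, session, copy_detected=False):
    """S7: one monitoring pass; destroys the bottom layer, returns True on a trigger."""
    current = [unit.get(a, b"") for a in session["pointers"]]
    if copy_detected or current != session["snapshot"]:
        container["bottom"] = None
        return True
    return False


if __name__ == "__main__":
    box = build_container(ORIGINAL_UNIT, FEATURE_ADDRS, b"constructed confidential record")
    print(read_container(box, ORIGINAL_UNIT)[0])
    moved = {**ORIGINAL_UNIT, 0x30: b"CTRL-0000"}  # container read on a different unit
    try:
        read_container(box, moved)
    except ValueError as exc:
        print("read on another unit:", exc)
```

In this model the bottom layer holds the target data as opaque bytes; on the page that data is still encrypted with the preset algorithm and is decrypted afterwards in S4.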
Drawings
FIG. 1 is a flow chart of an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solution will be clearly and completely described in the following in conjunction with the embodiments, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the processes do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and the sequence numbers should not constitute any limitation on the implementation of the embodiments of the present application.
It should be understood that in the present application, "comprising" and "having" and any variations thereof are intended to cover non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements that are expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present application, "plurality" means two or more. "And/or" merely describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship. "Comprising A, B and C" and "comprising A, B, C" mean that all three of A, B and C are included; "comprising A, B or C" means that one of A, B and C is included; and "comprising A, B and/or C" means that any one, any two, or all three of A, B and C are included.
The technical scheme of the application is described in detail below by specific examples. Embodiments may be combined with each other and the same or similar concepts or processes may not be described in detail in some embodiments.
Embodiment one: as shown in fig. 1, the multi-service data hierarchical management and control method based on the regulation and control cloud platform provided in this embodiment is applied to the regulation and control cloud platform and a plurality of service terminals, and includes steps S1 to S7, where:
S1: encrypting the service data with the preset encryption algorithm corresponding to its secret-related level and storing the encrypted service data in a designated storage unit, which comprises the following steps:
presetting an encryption algorithm for each designated secret-related level;
when new service data is acquired, encrypting by using a corresponding preset encryption algorithm according to the secret-related grade;
the encryption result is stored in a designated storage unit.
It should be noted that the present embodiment does not take part in determining the secret-related level; it only executes different steps according to different secret-related levels. In this embodiment, the secret-related level may be determined by any classification system in the prior art, or may be assigned manually. For example, the secret-related level may be divided into public and confidential, where confidential indicates that viewing requires audited authority; or into public, internal and confidential, where internal indicates that no restriction is placed on certain internal personnel. This embodiment is described using the two levels public and confidential as an example.
The preset encryption algorithm comprises at least two of an AES algorithm, a 3DES algorithm or an RC4 algorithm.
Specifically, 3DES (Triple Data Encryption Algorithm): an encryption algorithm developed on the basis of DES that encrypts the data three times with three different keys, which improves encryption strength but makes encryption and decryption slower.
AES (Advanced Encryption Standard): one of the most widely used symmetric encryption algorithms at present. Its key length is 128, 192 or 256 bits; it is more secure and reliable than DES and 3DES, encrypts and decrypts faster, and is widely applied to data encryption protection in various fields.
RC4: a symmetric stream encryption algorithm with a variable key length, typically 40 bits to 2048 bits. The RC4 algorithm is simple and easy to implement, uses the same key for encryption and decryption, and can encrypt data streams of any length without a fixed block size.
In this embodiment, AES is selected as the preset encryption algorithm of the public level, and DES is selected as the preset encryption algorithm of the secret level.
S2: when the service terminal acquires the data reading request, the data reading request is forwarded to the regulation and control cloud platform, the regulation and control cloud platform carries out auditing, if the auditing is passed, the next step is executed, otherwise, the request is returned, and the method comprises the following steps:
when a service terminal acquires a data reading request, forwarding the data reading request to a regulation and control cloud platform;
and the regulation and control cloud platform audits the authority information in the data reading request against the secret-related level of the target data; if the authority information meets the minimum authority requirement of that level, the audit passes, otherwise the request is returned.
For example, suppose the data reading request asks to read file A, which is a confidential file requiring the authority of department management. The regulation and control cloud platform then checks the identity of the operator: if the operator is department management or above, the audit passes; otherwise the request is returned.
S3: Determine the storage unit and the confidentiality level of the target data in the data reading request, wake up the service terminal where the storage unit is located, and execute S4 or S5 according to the confidentiality level. This step comprises:
determining the storage unit where the target data in the data reading request is located, and waking up the service terminal where that storage unit is located;
determining the confidentiality level of the target data and, based on it, whether continuous security monitoring is needed; if so, executing S5, and if not, executing S4.
In this embodiment, the regulation and control cloud platform is in communication connection with a plurality of service terminals, so a request made at one service terminal may need to access another service terminal. It is therefore necessary to determine the service terminal where the target data in the data reading request is located, then the storage unit where the data is located, and to wake the service terminal up if it is in a dormant state.
In this embodiment, if the confidentiality level is public, continuous security monitoring is not required and S4 is executed; if the confidentiality level is confidential, continuous security monitoring is required and S5 is executed.
S4: Decrypt the target data using the preset encryption algorithm, let the service terminal read it, and end the procedure.
In this embodiment, files that do not need continuous security monitoring are of the public level and are therefore decrypted using AES.
S5: Create a temporary data container in the storage unit where the target data is located, and generate a first key from characteristic data stored at some of the addresses of that storage unit. At the same time, convert the first key into corresponding check codes and check pointers, which serve as the intermediate layer of the temporary data container; preset a second key and verification module code as the topmost layer; and seal the target data in the bottommost layer. The bottommost layer is encrypted with the first key and the intermediate layer with the second key. This step comprises:
S51: Read characteristic data from a plurality of addresses in the storage unit where the target data is located to form the first key, split part of the characteristic data into a plurality of check codes, and create a plurality of check pointers that point to the addresses of the other characteristic data. The first key is generated by means of the key generator of the RC4 algorithm: the characteristic data is input to the key generator, and the first key is output.
In this embodiment, the addresses read from the storage unit are generally ones that hold specific data, such as the address where the unique identifier of the storage unit is located, or addresses holding relatively fixed data related to the system of the service terminal where the storage unit is located. In other words, addresses in the storage unit whose contents are unique and not easily changed can be read. As an example of the split into check codes and check pointers: suppose a plurality of addresses of the storage unit store unique identifiers and the characteristic data composed of them is ABC, where A, B and C each represent a string of data. Then data A can be used as the check code, and the addresses where data B and data C are located can be used as the check pointers.
S52: Create a temporary data container in the storage unit where the target data is located, and divide it into a plurality of temporary areas. The second key and the verification module code are preset in the first temporary area, which serves as the topmost layer. The check codes and check pointers are preset in the second temporary area, which serves as the intermediate layer and is encrypted with the second key. The third temporary area stores the target data copied from the storage unit and serves as the bottommost layer; it is encrypted with the first key, and the first key is destroyed after encryption.
In this embodiment, the first key is generated from the characteristic data at specific addresses of the storage unit. After the first key is destroyed, only the check pointers and check codes are retained, and the check pointers carry no data related to the first key, so the first key cannot be restored directly. Only when the storage unit is unchanged can the original characteristic data be obtained by following the check pointers, so that a third key consistent with the first key is restored.
In addition, unlike traditional sequentially executed instructions, this embodiment enforces the reading order of the temporary areas by cryptographic means: a temporary area can only be read after the previous one has been unlocked. This prevents malicious bypassing of sequentially executed instructions and ensures that the verification module code is executed first, which guarantees the normal execution of the subsequent flow and the effectiveness of security monitoring over the whole process.
S6: When the temporary data container is read, the intermediate layer is decrypted with the second key from the topmost layer, the verification module code processes the check codes and check pointers of the intermediate layer to form a third key, and the bottommost layer is decrypted with the third key. If the third key is consistent with the first key, decryption succeeds, the target data is obtained, and S4 and S7 are executed simultaneously; otherwise decryption is not possible. This step comprises:
when the temporary data container is read, executing the verification module code in the first temporary area, decrypting the second temporary area with the second key, and reading the plurality of check codes and check pointers in the second temporary area;
following the addresses the check pointers point to, reading the data at the corresponding addresses of the storage unit where the container is located as feature codes, and combining the feature codes with the check codes to obtain characteristic data and form a third key;
attempting to decrypt the third temporary area with the third key; if the third key is consistent with the first key, decryption succeeds, the target data is obtained, and S4 and S7 are executed at the same time; otherwise decryption fails.
In this embodiment, the first key and the third key are both generated by means of the key generator of the RC4 algorithm. If the container is still in the original storage unit, the data (unique identifiers) at the addresses the check pointers point to is unchanged, so the resulting third key must be identical to the first key.
S7: Perform continuous security monitoring; if the data at an address pointed to by a check pointer changes, or a copy instruction is detected, destroy the bottommost layer of the temporary data container. This step comprises:
after decryption succeeds, the verification module code keeps running and re-reads the addresses pointed to by the check pointers at a preset interval; if the data at an address changes, or a copy instruction is detected, the third temporary area is destroyed.
This embodiment builds on the traditional hierarchical mode and optimizes the subsequent file reading process. A first key is generated from characteristic data stored at some of the addresses of the storage unit where the target data is located; the first key is thereby bound to the storage unit, and it is destroyed after encryption. A dedicated temporary data container structure is also used. Under the encryption mechanism of the application, a temporary data container can only be read starting from the topmost layer, which activates the verification module code; that code follows the pointers to the data at the corresponding addresses of the storage unit in which the container currently resides and generates a third key. Only when the storage unit is unchanged can the third key be consistent with the first key, so that the target data in the bottommost layer is decrypted successfully. If the temporary data container is transferred before reading, the storage unit has changed at reading time and decryption fails; if it is transferred after reading, the temporary data container is destroyed. The application can thus ensure that the data is in a safe and reliable environment when it is read.
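The S5 to S7 flow above as a runnable Python sketch, added here as an illustration and not taken from the patent. Assumptions: the storage unit is modelled as a dict of address to bytes, "the key generator of the RC4 algorithm" is read as taking the first 16 keystream bytes, and an HMAC-SHA256 tag is added to each sealed area so that a mismatched third key is detected instead of silently yielding garbage; copy-instruction detection is left out, and all function names are hypothetical.

```python
import hashlib
import hmac
import json

KEY_LEN = 16  # assumption: bytes of RC4 keystream taken as the key


def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4 key scheduling + output generation: first n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def derive_key(feature_data: bytes) -> bytes:
    """Characteristic data in, key out (used for the first and third key)."""
    return rc4_keystream(feature_data, KEY_LEN)


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: RC4 keystream XOR, then a 32-byte HMAC tag (added)."""
    enc_key, mac_key = _subkeys(key)
    stream = rc4_keystream(enc_key, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key mismatch or modified area")
    return bytes(c ^ k for c, k in zip(ct, rc4_keystream(enc_key, len(ct))))


def create_container(unit: dict, feature_addrs: list, second_key: bytes,
                     target: bytes) -> dict:
    """S5: build the three areas; the first key is never stored."""
    parts = [unit[a] for a in feature_addrs]          # characteristic data A, B, C
    first_key = derive_key(b"".join(parts))
    middle = json.dumps({"check_code": parts[0].hex(),      # data A
                         "pointers": feature_addrs[1:]})    # addresses of B, C
    return {
        "top": {"second_key": second_key},  # verification module code lives here too
        "middle": seal(second_key, middle.encode()),
        "bottom": seal(first_key, target),
    }


def open_container(container: dict, unit: dict) -> bytes:
    """S6: unlock the middle area, rebuild the key from `unit`, open the bottom."""
    middle = json.loads(unseal(container["top"]["second_key"], container["middle"]))
    feature = bytes.fromhex(middle["check_code"]) + b"".join(
        unit.get(addr, b"") for addr in middle["pointers"])
    third_key = derive_key(feature)
    return unseal(third_key, container["bottom"])


def monitor_tick(container: dict, unit: dict) -> bool:
    """S7, one interval: re-read the pointed-to addresses; destroy on change."""
    if container["bottom"] is None:
        return False
    try:
        open_container(container, unit)
        return True
    except ValueError:
        container["bottom"] = None  # destroy the third temporary area
        return False


# Constructed sample storage unit: address -> relatively fixed identifier data.
SAMPLE_UNIT = {0x10: b"UNIT-A-SERIAL", 0x20: b"FW-1.0", 0x30: b"VOL-7F3A"}

if __name__ == "__main__":
    box = create_container(SAMPLE_UNIT, [0x10, 0x20, 0x30],
                           b"demo-second-key", b"dispatch schedule")
    print(open_container(box, SAMPLE_UNIT))
```

In this sketch the second key sits unencrypted in the top area, so sealing the middle area only fixes the reading order; the bottom area is protected only as long as the data at the pointed-to addresses cannot be obtained outside the original storage unit.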
Embodiment two: the embodiment provides a multi-service data hierarchical management and control system based on a regulation and control cloud platform, which comprises the regulation and control cloud platform and a plurality of service terminals, wherein the regulation and control cloud platform and the service terminals are configured to execute the multi-service data hierarchical management and control method based on the regulation and control cloud platform. The service terminal comprises a customized computer, a tablet computer or a mobile terminal.
Embodiment three: the embodiment provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform when calling the computer program in the memory.
Embodiment four: the embodiment provides a storage medium, in which computer executable instructions are stored, and when the computer executable instructions are loaded and executed by a processor, the steps of the multi-service data hierarchical management and control method based on the regulation and control cloud platform are realized.
In summary, the essential effects of the present embodiment include:
On the basis of the traditional hierarchical mode, the subsequent file reading process is optimized: a first key is generated from characteristic data stored at some of the addresses of the storage unit where the target data is located, the first key is thereby bound to the storage unit and is destroyed after encryption, and a dedicated temporary data container structure is used. Thus, if the temporary data container is transferred before reading, the storage unit has changed at reading time and decryption fails; if it is transferred after reading, the temporary data container being read is destroyed. The application can thus ensure that the data is in a safe and reliable environment when it is read.
Furthermore, the first key is generated from the characteristic data at specific addresses of the storage unit. After the first key is destroyed, only the check pointers and check codes are retained, and the check pointers carry no data related to the first key, so the first key cannot be restored directly. Only when the storage unit is unchanged can the original characteristic data be obtained by following the check pointers, so that a third key consistent with the first key is restored.
In addition, unlike traditional sequentially executed instructions, the method enforces the reading order of the temporary areas by cryptographic means: a temporary area can only be read after the previous one has been unlocked. This prevents malicious bypassing of sequentially executed instructions and ensures that the verification module code is executed first, which guarantees the normal execution of the subsequent flow and the effectiveness of security monitoring over the whole process.
From the foregoing description of the embodiments, it will be appreciated by those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of a specific apparatus is divided into different functional modules to implement all or part of the functions described above.
In the embodiments provided in the present application, it should be understood that the disclosed structures and methods may be implemented in other manners. For example, the embodiments described above with respect to structures are merely illustrative, e.g., the division of modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another structure, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via interfaces, structures or units, which may be in electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and the parts shown as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (15)

1. The multi-service data hierarchical management and control method based on the regulation and control cloud platform is applied to the regulation and control cloud platform and a plurality of service terminals and is characterized by comprising the following steps of:
S1: encrypting by adopting a corresponding preset encryption algorithm according to the secret-related grade of the service data and storing the encrypted service data in a designated storage unit;
S2: when the service terminal acquires the data reading request, the data reading request is forwarded to the regulation and control cloud platform, the regulation and control cloud platform carries out verification, if the verification is passed, the next step is executed, and otherwise, the request is returned;
S3: judging a storage unit and a secret-related grade of target data in a data reading request, waking up a service terminal of the storage unit, and selecting to execute S4 or S5 according to the secret-related grade;
S4: decrypting the target data by using a preset encryption algorithm, reading the target data by a service terminal, and ending the step;
S5: creating a temporary data container in a storage unit where target data are located, generating a first key by utilizing characteristic data stored in a partial address of the storage unit where the target data are located, simultaneously converting the first key into a corresponding check code and a check pointer to serve as an intermediate layer of the temporary data container, presetting a second key and a check module code to serve as a topmost layer, sealing the target data in the bottommost layer, encrypting the bottommost layer by utilizing the first key, and encrypting the intermediate layer by utilizing the second key;
S6: when the temporary data container is read, the middle layer is decrypted by using the second key at the top layer, the check code and the check pointer of the middle layer are processed by the check module code to form a third key, the bottom layer is decrypted by using the third key, if the third key is consistent with the first key, the target data is successfully obtained by decryption, S4 and S7 are executed at the same time, and otherwise, the target data cannot be decrypted;
S7: performing continuous safety monitoring, and destroying the bottommost layer of the temporary data container if the data of the address pointed by the check pointer changes or a copy instruction is detected.
2. The multi-service data hierarchical management and control method based on the regulatory cloud platform according to claim 1, wherein the step S1: encrypting by adopting a corresponding preset encryption algorithm according to the secret-related grade of the service data and storing the encrypted service data in a designated storage unit, wherein the method comprises the following steps:
presetting an encryption algorithm for each designated secret-related grade;
when new service data is acquired, encrypting by using a corresponding preset encryption algorithm according to the secret-related grade;
the encryption result is stored in a designated storage unit.
3. The multi-service data hierarchical management and control method based on the regulatory cloud platform according to claim 1, wherein the step S2 is: when the service terminal acquires the data reading request, the data reading request is forwarded to the regulation and control cloud platform, the regulation and control cloud platform carries out auditing, if the auditing is passed, the next step is executed, otherwise, the request is returned, and the method comprises the following steps:
when a service terminal acquires a data reading request, forwarding the data reading request to a regulation and control cloud platform;
and the regulation cloud platform carries out auditing on the authority information in the data reading request and the confidential level of the target data, if the authority information meets the minimum authority requirement of the confidential level, the auditing is passed, and otherwise, the request is returned.
4. The multi-service data hierarchical management and control method based on the regulatory cloud platform according to claim 1, wherein the step S3: judging a storage unit and a secret related grade of target data in a data reading request, waking up a service terminal of the storage unit, and executing S4 or S5 according to the secret related grade, wherein the method comprises the following steps:
judging a storage unit where target data in a data reading request are located, and waking up a service terminal where the storage unit is located;
and judging the secret related level of the target data, judging whether continuous safety monitoring is needed or not based on the secret related level, if so, executing S5, and if not, executing S4.
5. The multi-service data hierarchical management and control method based on the regulatory cloud platform according to claim 1, wherein the step S4: decrypting the target data by using a preset encryption algorithm, and reading the target data by a service terminal, wherein the method comprises the following steps:
searching a preset encryption algorithm adopted in encryption according to the secret-related grade of the target data;
and decrypting by using the same preset encryption algorithm to obtain target data, and reading by the service terminal.
6. The multi-service data hierarchical management and control method based on the regulatory cloud platform according to claim 1, wherein the step S5: creating a temporary data container in a storage unit where target data is located, generating a first key by utilizing characteristic data stored in a partial address of the storage unit where the target data is located, simultaneously converting the first key into a corresponding check code and a check pointer to serve as an intermediate layer of the temporary data container, presetting a second key and a check module code to serve as a topmost layer, sealing the target data in the bottommost layer, encrypting the bottommost layer by utilizing the first key respectively, and encrypting the intermediate layer by utilizing the second key, wherein the method comprises the following steps:
reading characteristic data of a plurality of addresses from a storage unit where target data are located, forming a first key, splitting part of the characteristic data into a plurality of check codes, and creating a plurality of check pointers to point to addresses of other characteristic data;
creating a temporary data container in a storage unit where target data are located, and dividing the temporary data container into a plurality of temporary areas, wherein a second key and a verification module code are preset in a first temporary area and serve as the topmost layer; presetting a check code and a check pointer in a second temporary area as an intermediate layer, wherein the second temporary area is encrypted by a second key; the third temporary area stores target data copied from the storage unit as the bottommost layer, and the third temporary area is encrypted by the first key, and the first key is destroyed after encryption.
7. The multi-service data hierarchical management and control method based on the regulatory cloud platform according to claim 6, wherein the step S6: when the temporary data container is read, the middle layer is decrypted by using the second key at the top layer, the check code and the check pointer of the middle layer are processed by the check module code to form a third key, the bottom layer is decrypted by using the third key, if the third key is consistent with the first key, the decryption is successful to obtain target data, and S4 and S7 are executed simultaneously, otherwise, the decryption cannot be performed, and the method comprises the following steps:
when the temporary data container is read, executing the verification module code in the first temporary area, decrypting the second temporary area by using the second key, and reading a plurality of check codes and check pointers of the second temporary area;
reading data of the address corresponding to the storage unit where the data is located as a feature code according to the address pointed by the check pointer, combining the feature code with the check code to obtain feature data, and forming a third key;
and attempting to decrypt the third temporary area by using the third key, if the third key is consistent with the first key, successfully decrypting to obtain the target data, and executing S4 and S7 at the same time, otherwise, failing to decrypt.
8. The multi-service data hierarchical management and control method based on the regulatory cloud platform according to claim 7, wherein the step S7: and performing continuous safety monitoring, if the data of the address pointed by the check pointer changes or a copy instruction is detected, destroying the bottommost layer of the temporary data container, wherein the method comprises the following steps:
after the decryption is successful, the verification module code continues to run and re-reads the address pointed by the check pointer at intervals of preset time, if the data of the address changes, or if a copy instruction is detected, the third temporary area is destroyed.
9. The multi-service data hierarchical management and control method based on a regulatory cloud platform according to claim 1, wherein the preset encryption algorithm comprises at least two of AES algorithm, 3DES algorithm or RC4 algorithm.
10. The multi-service data hierarchical management and control method based on a regulatory cloud platform according to claim 1, wherein the secret-related grade comprises at least two grades.
11. The multi-service data hierarchical management and control method based on a regulatory cloud platform according to claim 1, wherein the characteristic data is a unique identifier of a storage unit.
12. The multi-service data hierarchical management and control method based on a regulatory cloud platform according to claim 1, wherein the first key and the third key are generated by means of a key generator of an RC4 algorithm.
13. The multi-service data hierarchical management and control system based on the regulation and control cloud platform comprises the regulation and control cloud platform and a plurality of service terminals, and is characterized in that the regulation and control cloud platform and the service terminals are configured to execute the multi-service data hierarchical management and control method based on the regulation and control cloud platform according to any one of claims 1-12.
14. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the multi-service data hierarchical management and control method based on the regulatory cloud platform according to any one of claims 1 to 12 when calling the computer program in the memory.
15. A storage medium having stored therein computer executable instructions which, when loaded and executed by a processor, implement the steps of the regulatory cloud platform based multi-service data hierarchical management method according to any one of claims 1 to 12.
CN202310999666.1A 2023-08-09 2023-08-09 Multi-service data hierarchical management and control method and system based on regulation and control cloud platform Active CN116760631B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310999666.1A CN116760631B (en) 2023-08-09 2023-08-09 Multi-service data hierarchical management and control method and system based on regulation and control cloud platform


Publications (2)

Publication Number Publication Date
CN116760631A true CN116760631A (en) 2023-09-15
CN116760631B CN116760631B (en) 2023-10-31
