CN116933285A - Upgrading method, equipment, medium and computer program product for data encryption - Google Patents


Info

Publication number: CN116933285A
Authority: CN (China)
Prior art keywords: target, encryption, data table, user, verification
Legal status: Pending
Application number: CN202310890731.7A
Other languages: Chinese (zh)
Inventor: 张欢
Current Assignee: Seashell Housing Beijing Technology Co Ltd
Original Assignee: Seashell Housing Beijing Technology Co Ltd
Application filed by Seashell Housing Beijing Technology Co Ltd
Priority to CN202310890731.7A
Publication of CN116933285A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The present disclosure provides an upgrade method for data encryption, including: constructing a new data table containing target encryption parameters, based on the target encryption parameters generated by the target encryption mode, where the new data table also contains the attribute categories and user codes associated with those target encryption parameters; in response to a judgment that the target user has a verification mark, calling the actual category information of the target user to verify the target encryption parameter and obtain a verification result; and, when the verification result is that verification fails, returning the original data table containing the actual category information to the client. The present disclosure also provides an electronic device, a storage medium, and a computer program product.

Description

Upgrading method, equipment, medium and computer program product for data encryption
Technical Field
The present disclosure relates to the field of data security technologies, and in particular, to a data encryption upgrade method, an electronic device, a storage medium, and a computer program product.
Background
User information is a business secret critical to enterprises, and leakage of the sensitive parts of it brings the user a bad experience or a serious security risk, so user information needs to be stored in encrypted form to at least guarantee the security of the sensitive data it contains. As encryption means develop, there is a need to upgrade and optimize the original encryption mode to further improve the protection of user information, for example upgrading the conventional encryption mode base64 into an encryption mode AES-GCM that conforms to the company standard.
However, when upgrading the encryption mode, the related technology generally adds a new token field directly to the original user data table and stores in that field the encrypted data generated by the new encryption mode. Because the user information whose encryption mode needs optimizing has a large data volume, adjusting the table structure record by record lengthens the upgrade and interferes with reads and writes of service data such as user information; if a new token is added indiscriminately for every attribute parameter, resources are certainly wasted; and if the newly added token contains encryption errors, it cannot be rolled back to the original user data table, which delays the service process. For these reasons, the data encryption upgrade methods proposed by the related art cannot achieve a smooth upgrade of the data encryption mode.
Disclosure of Invention
The present disclosure provides an upgrade method for data encryption, an electronic device, a storage medium, and a computer program product.
According to one aspect of the present disclosure, there is provided a data encryption upgrade method, which may include: constructing a new data table containing target encryption parameters, based on the target encryption parameters generated by the target encryption mode, where the new data table also contains the attribute categories and user codes associated with those target encryption parameters; in response to a judgment that the target user has a verification mark, calling the actual category information of the target user to verify the target encryption parameter and obtain a verification result; and, when the verification result is that verification fails, returning the original data table containing the actual category information to the client.
In some embodiments, constructing the new data table containing the target encryption parameters based on the target encryption parameters generated by the target encryption mode includes: in response to the attribute category to be upgraded in the upgrade instruction, calling the actual category information associated with that attribute category, together with its user codes, from the original data table of the target user; encrypting the actual category information with the target encryption mode to generate the target encryption parameter; and combining the target encryption parameter, its attribute category and the user code to construct the new data table.
In some embodiments, calling the actual category information of the target user to verify the target encryption parameter, in response to the judgment that the target user has a verification identifier, includes: when the target user has a verification mark, calling the actual category information of the target user; processing the target encryption parameters of the target user with the target decryption mode to obtain a decryption result associated with the target encryption parameters; and judging whether the actual category information and the decryption result are consistent, which completes verification of the target encryption parameter.
In some embodiments, calling the actual category information of the target user when the target user has a verification identifier includes: when the target user has a verification mark, determining the attribute category that the verification mark corresponds to; retrieving the original encryption parameters associated with that attribute category from the original data table of the target user; and processing the original encryption parameters with the original decryption mode to decrypt the actual category information corresponding to the original encryption parameters.
In some embodiments, before constructing the new data table containing the target encryption parameters based on the target encryption parameters generated by the target encryption scheme, the method includes decrypting, according to the attribute categories indicated by the upgrade instruction, the original encryption parameters corresponding to those attribute categories in the original data table, so as to obtain the actual category information associated with the attribute categories.
In some embodiments, after constructing the new data table containing the target encryption parameters based on the target encryption parameters generated by the target encryption mode, the method further includes migrating the remaining data in the original data table of the target user to the new data table, where the target user is the user associated with the new data table.
In some embodiments, before the step of calling the actual category information of the target user to verify the target encryption parameter in response to the judgment that the target user has the verification identifier, the method further includes setting a preset number of double-reading users for a transition period and setting the verification mark for those double-reading users, where the verification mark corresponds to the attribute category to be verified.
In some embodiments, after returning the original data table containing the actual category information to the client when the verification result is verification failure, the method includes deleting the original data table of the target user in response to the end of the transition period.
In some embodiments, after the step of calling the actual category information of the target user to verify the target encryption parameter in response to the judgment that the target user has the verification identifier, the method further includes, in response to a verification result of successful verification, synchronizing the target encryption parameters in the new data table to the client as the reading object.
In some embodiments, after returning the original data table containing the actual category information to the client when the verification result is verification failure, the method includes treating the target encryption parameter in the new data table as abnormal data and constructing alarm information containing that abnormal data.
According to another aspect of the present disclosure, there is provided an electronic device including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor executing the program to implement the method for upgrading data encryption according to any of the embodiments described above.
According to yet another aspect of the present disclosure, there is provided a readable storage medium storing a computer program adapted to be loaded by a processor to perform the method of upgrading data encryption as described in any of the embodiments above.
According to yet another aspect of the present disclosure, there is provided a computer program product comprising a computer program/instruction which, when executed by a processor, implements the method of upgrading data encryption of any of the embodiments described above.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate exemplary embodiments of the disclosure and together with the description serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of an upgrade method of related art data encryption.
Fig. 2 is a flow chart of an upgrade method of data encryption according to an exemplary embodiment of the present disclosure.
Fig. 3 is a schematic diagram of the construction of a new data table according to an exemplary embodiment of the present disclosure.
Fig. 4A to 4C are data writing diagrams of exemplary embodiments of the present disclosure, respectively.
Fig. 5 is a diagram of residual data migration according to an exemplary embodiment of the present disclosure.
Fig. 6 is a schematic diagram of data reading according to an exemplary embodiment of the present disclosure.
Fig. 7 is a block diagram of an upgrade apparatus for data encryption according to an exemplary embodiment of the present disclosure.
Detailed Description
The present disclosure is described in further detail below with reference to the drawings and the embodiments. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant content and not limiting of the present disclosure. It should be further noted that, for convenience of description, only a portion relevant to the present disclosure is shown in the drawings.
In addition, embodiments of the present disclosure and features of the embodiments may be combined with each other without conflict. The technical aspects of the present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Unless otherwise indicated, the exemplary implementations/embodiments shown are to be understood as providing exemplary features of various details of some ways in which the technical concepts of the present disclosure may be practiced. Thus, unless otherwise indicated, features of the various implementations/embodiments may be additionally combined, separated, interchanged, and/or rearranged without departing from the technical concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Furthermore, when the terms "comprises" and/or "comprising," and variations thereof, are used in the present specification, the presence of stated features, integers, steps, operations, elements, components, and/or groups thereof is described, but the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof is not precluded. It is also noted that, as used herein, the terms "substantially," "about," and other similar terms are used as approximation terms and not as degree terms, and as such, are used to explain the inherent deviations of measured, calculated, and/or provided values that would be recognized by one of ordinary skill in the art.
Fig. 1 is a schematic diagram of an upgrade method of related art data encryption.
As shown in fig. 1, in the related art, when handling a data encryption upgrade, a new encryption parameter field token_new is generally added next to the encryption parameter of every attribute category in the original user data table. Taking the user with user code ucid 100001 as an example, when the upgrade instruction only indicates that the category information of the mobile phone number category type="phone" should be re-encrypted, the mailbox category type="email" under the same user also receives a new encryption parameter field token_new, without distinction.
Here the user code ucid identifies the user: different users have different user codes, and the category information of a target user's attribute categories can be looked up precisely by user code. The field type characterizes the user's attribute categories, such as the phone number category phone and the mailbox category email; these categories are personal sensitive information, so the category information of each attribute category must be stored encrypted to protect the user's privacy. The character string in the encryption parameter token is the encryption result of the category information of the corresponding attribute category; different encryption modes produce different results, for example the token generated by the original encryption mode base64 is "5B12DE8B65C844B8" and the token_new generated by the new encryption mode AES-GCM is "U2FsdGVkX1+42Y7qx7MmNNHpnxvL72BvmqwvvRX8LBA=". Decrypting an encryption parameter with the decryption method that matches its encryption method yields the category information of the user's attribute category. Depending on what user information is collected, the attribute categories are of course not limited to the mobile phone number and mailbox categories, and are not listed exhaustively here.
Clearly, the related art modifies the table structure of the original user data table when handling a data encryption upgrade. With that method, if the new user data table contains upgrade errors, it cannot be rolled back directly to the original version; the program code must be rolled back at the same time, and if the code is not rolled back in time, reading of related services such as the user data table is delayed.
Moreover, when the upgrade instruction is received, the category information of all attribute categories in the original user data table is re-encrypted indiscriminately, without regard to the attribute category indicated by the upgrade instruction, so the new encryption parameter of any attribute category not indicated by the instruction is left as a blank field, wasting resources.
In addition, indiscriminately upgrading the encryption of all attribute categories in every user data table enlarges the table structure of each user data table and increases the pressure on storage space; at the same time the upgrade takes longer, read and write operations on service data cannot be supported during the longer upgrade period, the handling of related services is affected, and user experience suffers.
The present disclosure proposes an upgrade method for data encryption that solves the foregoing problems of the related art.
Fig. 2 is a flow chart of an upgrade method of data encryption according to an exemplary embodiment of the present disclosure. Fig. 3 is a schematic diagram of the construction of a new data table according to an exemplary embodiment of the present disclosure. Fig. 4A to 4C are data writing diagrams of exemplary embodiments of the present disclosure, respectively. Fig. 5 is a diagram of residual data migration according to an exemplary embodiment of the present disclosure. Fig. 6 is a schematic diagram of data reading according to an exemplary embodiment of the present disclosure. The upgrading method S100 of data encryption will be described in detail with reference to fig. 2 to 6.
Step S102: based on the target encryption parameters generated by the target encryption mode, construct a new data table containing the target encryption parameters.
The target encryption mode is the encryption mode indicated in the upgrade instruction. It differs from the original encryption mode and is usually an upgrade or optimization of it: generally the encryption result generated by the target encryption mode is more secure than that of the original encryption mode, or the target encryption mode is better suited to the current encryption scenario and more convenient to apply. In short, the target encryption scheme is the upgraded form of the original encryption scheme.
The target encryption parameter is the result of encrypting the actual category information with the target encryption mode. It represents the actual category information of the corresponding attribute category, but is usually presented as a character string, which is what keeps the user information confidential. Different encryption modes generate different encryption parameters, and the actual category information is recovered by decrypting the target encryption parameter with the target decryption mode that corresponds to the target encryption mode.
The new data table comprises at least the attribute category whose encryption mode is to be upgraded, the target encryption parameter obtained by encrypting that category, and the user code of the target user. That is, unlike the related art, a new data table is constructed to store the result of encryption by the target encryption method, and the table structure of the original data table is left unmodified. In this way, even if the new data table contains upgrade errors, reads can be rolled back to the original data table, and no delay or failure in reading user data results.
The upgrade instruction is an upgrade signal for one or more attribute categories. It comprises at least the attribute category whose category information needs re-encryption and the target encryption mode. Under the control of the upgrade instruction, the original data tables holding that attribute category are selected, and a new data table is constructed from the user code and attribute category in each original data table; at the same time, the category information of the attribute category is encrypted with the target encryption mode given in the upgrade instruction to generate the target encryption parameter.
Referring to fig. 3, the new data table includes a user code; the user code of the target user is 100001. User codes differ between users and serve as the unique identifier of a user, which makes it convenient to look up and manage information such as each user's attribute categories. The new data table also stores the attribute type whose encryption the upgrade instruction requires to be upgraded, such as the mobile phone type phone. The attribute type is private information of the user, and the corresponding type information may only be stored encrypted so as to protect the user's personal information. Depending on how the user information was collected there may be several attribute categories, but in the initial stage of constructing the new data table only the attribute category indicated by the upgrade instruction is stored. The new data table further includes the target encryption parameter generated by the target encryption method; it is the encryption result of the category information and is presented as a character string, for example "U2FsdGVkX1+42Y7qx7MmNNHpnxvL72BvmqwvvRX8LBA=", and the corresponding category information can only be displayed after decryption. Compared with the encryption parameter "5B12DE8B65C844B8" in the original data table, the target encryption parameter is harder to crack, so the protection of the related category information is improved.
Step S104: in response to the judgment that the target user has the verification mark, call the actual category information of the target user to verify the target encryption parameters and obtain a verification result.
The target user is a user associated with the category information that the upgrade instruction indicates must be re-encrypted. If the upgrade instruction re-encrypts a certain category of information for all users, the target users may be all users who have that attribute category; the number of target users is not limited.
The verification identifier indicates that the target encryption parameter in the new data table may be called when the user's information is read. Because the system holds a large number of target users, putting the new data table into use for everyone at once could cause wide-ranging read failures and disrupt the user information reading service. The verification flag is therefore set so that only some users read the new data table, which controls the volume of reads against it. That is, the new data table is called only for users with a verification identifier, and during reading the accuracy of the new data table is checked to ensure data consistency. The number of users with verification identifiers grows gradually over the transition period until all users covered by the encryption upgrade are included. Verification identifiers may be allocated by random or sequential selection of user codes; for example, users whose user code ends in "1" or "5" receive the verification identifier first, and as the transition period progresses users whose user code ends in "6" or "7" are added, increasing the number of users who read the new data table. Other allocation methods may of course be used, and no limitation is imposed here.
The actual category information is the real information of the attribute category being re-encrypted for the target user; for example, if the attribute category is the mobile phone number category, the actual category information is the target user's actual mobile phone number. It is obtained by decrypting the encryption parameters in the original data table and serves as the reference for judging the accuracy of the decryption result of the target encryption parameters: when the decryption result of the target encryption parameters matches the actual category information, the target encryption parameters are shown to be stable and effective, and the corresponding new data table may then be used as the reading object.
The verification result is at least either verification success or verification failure. Verification success means that the decryption result of the target encryption parameter is consistent with the actual category information, and the target encryption parameter in the new data table is then taken as the reading object. Verification failure means that the target encryption parameter is blank or its decryption result deviates from the actual category information; the problem must then be repaired manually, the new data table cannot serve as the user data table, and the encryption parameter in the original data table is called as the reading object instead.
Step S106: when the verification result is verification failure, return the original data table containing the actual category information to the client.
The original data table contains the attribute types, user codes and encryption parameters corresponding to the upgrade instruction, but its encryption parameters were obtained with the original encryption mode. The original data table is the user data table already in production for the user data reading service; its encryption was verified when it was built, so the encryption parameters it contains reliably decrypt to the actual category information.
In some embodiments, step S102 is performed as follows: in response to the attribute category to be upgraded in the upgrade instruction, call the actual category information associated with that attribute category, together with its user codes, from the original data table of the target user; encrypt the actual category information with the target encryption mode to generate the target encryption parameter; and combine the target encryption parameters, their attribute categories and the user codes to construct the new data table.
In other words, the attribute category and user code associated with the upgrade instruction are migrated from the original data table to a blank table, the category information of that attribute category in the original data table is decrypted, the category information is encrypted with the target encryption mode, and the resulting target encryption parameters are written into the blank table, yielding a new data table containing the user code, the attribute category and its target encryption parameters.
In some embodiments, step S104 is performed as follows: when the target user has a verification identifier, call the actual category information of the target user; process the target encryption parameters of the target user with the target decryption mode to obtain a decryption result associated with the target encryption parameters; and judge whether the actual category information and the decryption result are consistent, which completes verification of the target encryption parameters.
That is, when the target user has the verification identifier, the target encryption parameter in the target user's new data table is called and decrypted, and the decryption result is compared for consistency with the actual category information, which finally yields a verification result of success or failure. If the verification identifier is absent, the encryption parameters in the user's original data table are retrieved and decrypted directly to obtain the actual category information.
Only users with a verification mark have their target encryption parameters verified, which relieves the computational load of verifying everyone at once and avoids the possibility that an upgrade problem paralyses reads on a large scale.
The actual category information of the target user may be called as follows: when the target user has the verification mark, determine the attribute category that the verification mark corresponds to; call the original encryption parameters associated with that attribute category from the original data table of the target user; and process the original encryption parameters with the original decryption mode to decrypt the actual category information corresponding to the original encryption parameters.
In some embodiments, the method includes, before step S102, decrypting, according to the attribute categories indicated by the upgrade instruction, the original encryption parameters corresponding to those attribute categories in the original data table, so as to obtain the actual category information associated with the attribute categories.
In some embodiments, after the new data table has been obtained, write operations may be performed synchronously on the original data table and the new data table as the user information actually changes; see figs. 4A, 4B and 4C.
Referring to fig. 4A, if the user information gains new category content for the attribute category indicated by the upgrade instruction, the attribute category and an original encryption parameter field generated by the original encryption mode are added to the original data table, and the attribute category and a target encryption parameter field generated by the target encryption mode are added to the new data table. For example, when the attribute category phone (the phone number) is added as category information for the user with user code ucid 10001, the field "5B12DE8B65C844B8" is added as the encryption parameter token in the original data table, and, synchronously, the attribute category phone is added for ucid 10001 in the new data table with the field "U2fsdgvkx1+42Y7qx7 mmnnhmnnhnxvl 72 bvmmqwvvrx 8 lba=" as the target encryption parameter token.
Referring to fig. 4B, if the category content of the attribute category indicated by the upgrade instruction is modified in the user information, the original encryption parameter field generated by the original encryption mode for that attribute category is modified in the original data table, and at the same time the target encryption parameter field corresponding to that attribute category is replaced in the new data table. For example, when the phone number of the user with user code ucid 10001 is modified, the encryption parameter token for that attribute category in the original data table may be adjusted to '6E 23194F4D5EAF 97', and the related target encryption parameter token for ucid 10001 in the new data table is modified synchronously, the adjusted string being 'U2 FsdGVkX19 vqVAqlwAkCnUeSVRubvow 9 amdwjk='.
Referring to fig. 4C, if the category content of the attribute category indicated by the upgrade instruction is removed from the user information, the attribute category, its encryption parameter and the user code are deleted from the original data table; synchronously, the attribute category, the target encryption parameter and the user code are deleted from the new data table.
In some embodiments, after step S102, the method further comprises: migrating the remaining data in the original data table of the target user into the new data table, wherein the target user is the user associated with the new data table.
Since the original data table may hold several attribute categories and their encryption parameters, while the content migrated in the preceding steps is only the part indicated by the upgrade instruction, the other content of the original data table may, once the new data table has been constructed, be treated as remaining data and migrated into the new data table, so that the new data table and the original data table agree on the remaining data. In the end, the new data table differs from the original data table only in the encryption parameter part of the attribute category indicated by the upgrade instruction, all other parts remain consistent, the content of the new data table is complete, and the later deletion of the original data table is supported.
Referring to fig. 5, the "… …" in the original data table and the new data table stands for the omitted remaining data; data migration copies the remaining data of the original data table into the new data table with its positions and contents unchanged, which makes reading the user data straightforward.
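The dual-write cases of figs. 4A to 4C and the remaining-data migration of fig. 5, as an added, runnable example; this is editor-written code, not the patent's implementation. The two tables (user_secret with columns ucid, attr, token; user_secret_new with token_new), the keys, and the cipher are all assumptions: the page does not disclose the real encryption modes, so a toy keyed XOR stream cipher stands in for both, rendering the original token as upper-case hex and the target token as base64, matching the shape of the values shown in the figures.

```python
import base64
import hashlib
import sqlite3

# Toy keyed stream cipher (XOR with a SHA-256 counter keystream) standing in for
# the original and target encryption modes, which the page does not disclose.
# Deterministic and unauthenticated: demonstration only, never for real data.
def _keystream(key: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])

def _xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

ORIGINAL_KEY = b"assumed-original-mode-key"   # assumed; the real keys are not on the page
TARGET_KEY = b"assumed-target-mode-key"

def encrypt_original(plain: str) -> str:      # original mode: upper-case hex token, as in fig. 4A
    return _xor(ORIGINAL_KEY, plain.encode()).hex().upper()

def decrypt_original(token: str) -> str:
    return _xor(ORIGINAL_KEY, bytes.fromhex(token)).decode()

def encrypt_target(plain: str) -> str:        # target mode: base64 token, as in fig. 4A
    return base64.b64encode(_xor(TARGET_KEY, plain.encode())).decode()

def decrypt_target(token: str) -> str:
    return _xor(TARGET_KEY, base64.b64decode(token)).decode()

# Assumed columns, named after the figures: ucid (user code), attr (attribute
# category), token (original encryption parameter), token_new (target encryption parameter).
SCHEMA = """
CREATE TABLE user_secret     (ucid INTEGER, attr TEXT, token     TEXT, PRIMARY KEY (ucid, attr));
CREATE TABLE user_secret_new (ucid INTEGER, attr TEXT, token_new TEXT, PRIMARY KEY (ucid, attr));
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def build_new_table(conn: sqlite3.Connection, attr: str) -> None:
    # S102: decrypt every original token of the indicated attribute category and
    # re-encrypt it with the target mode into the new table
    rows = conn.execute("SELECT ucid, token FROM user_secret WHERE attr = ?", (attr,)).fetchall()
    with conn:
        conn.executemany("INSERT INTO user_secret_new VALUES (?, ?, ?)",
                         [(ucid, attr, encrypt_target(decrypt_original(tok))) for ucid, tok in rows])

# Each write below touches both tables inside one transaction ("with conn" commits on
# success and rolls back on error), so the two tables cannot drift apart halfway.
def add_attr(conn, ucid: int, attr: str, value: str) -> None:        # fig. 4A
    with conn:
        conn.execute("INSERT INTO user_secret VALUES (?, ?, ?)", (ucid, attr, encrypt_original(value)))
        conn.execute("INSERT INTO user_secret_new VALUES (?, ?, ?)", (ucid, attr, encrypt_target(value)))

def modify_attr(conn, ucid: int, attr: str, value: str) -> None:     # fig. 4B
    with conn:
        conn.execute("UPDATE user_secret SET token = ? WHERE ucid = ? AND attr = ?",
                     (encrypt_original(value), ucid, attr))
        conn.execute("UPDATE user_secret_new SET token_new = ? WHERE ucid = ? AND attr = ?",
                     (encrypt_target(value), ucid, attr))

def delete_attr(conn, ucid: int, attr: str) -> None:                 # fig. 4C
    with conn:
        conn.execute("DELETE FROM user_secret WHERE ucid = ? AND attr = ?", (ucid, attr))
        conn.execute("DELETE FROM user_secret_new WHERE ucid = ? AND attr = ?", (ucid, attr))

def migrate_remaining(conn, upgraded_attr: str) -> None:             # fig. 5
    # remaining data: every other attribute category is copied unchanged (still under
    # the original mode), so the tables differ only in the upgraded category's tokens
    with conn:
        conn.execute("INSERT OR IGNORE INTO user_secret_new (ucid, attr, token_new) "
                     "SELECT ucid, attr, token FROM user_secret WHERE attr != ?", (upgraded_attr,))

def snapshot(conn) -> dict:
    # (ucid, attr) -> (original token or None, target token or None)
    merged = {}
    for ucid, attr, tok in conn.execute("SELECT ucid, attr, token FROM user_secret"):
        merged[(ucid, attr)] = (tok, None)
    for ucid, attr, tok in conn.execute("SELECT ucid, attr, token_new FROM user_secret_new"):
        merged[(ucid, attr)] = (merged.get((ucid, attr), (None, None))[0], tok)
    return merged

def demo() -> dict:
    conn = open_db()
    with conn:   # constructed sample rows, original mode only
        conn.execute("INSERT INTO user_secret VALUES (10001, 'email', ?)", (encrypt_original("a@example.com"),))
        conn.execute("INSERT INTO user_secret VALUES (10002, 'phone', ?)", (encrypt_original("13900000002"),))
    build_new_table(conn, "phone")                   # upgrade instruction covers the phone category
    add_attr(conn, 10001, "phone", "13800000001")    # the user gains a phone after the upgrade began
    modify_attr(conn, 10001, "phone", "13800000009")
    delete_attr(conn, 10002, "phone")
    migrate_remaining(conn, "phone")
    return snapshot(conn)
```

Two points a practitioner should take from this. First, each dual write is one transaction; if the writes to the two tables were committed separately, a crash between them would leave the tables disagreeing, which the later verification step would then report as an encryption offset. Second, after migrate_remaining the new table holds tokens under two different modes (the upgraded category under the target mode, everything else still under the original mode), so any reader of the new table must select the decryption mode per attribute category rather than per table. The toy cipher produces the same token for the same plaintext every time; a real target mode should be authenticated encryption with a per-record nonce.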
In some embodiments, before step S104, the method further comprises: setting a preset number of double-read users for a transition period, and setting verification identifiers for the double-read users, wherein each verification identifier corresponds to the attribute category to be verified.
The transition period is essentially a verification period for the new data table: because the stability of the target encryption mode cannot be guaranteed as soon as the new data table has been constructed, the transition period leaves room for rollback in case the new data table exhibits an encryption or decryption offset, and thereby preserves the reliability of reading user information.
A double-read user is a user for whom the new data table needs to be verified, as determined by the way verification identifiers are assigned. Reading a double-read user generally requires reading both the new data table and the original data table of that user, so that the target encryption parameter in the new data table can be checked for consistency against the actual category information mapped in the original data table. The remaining users, who carry no verification identifier, read only their original data table.
Referring to fig. 6, for a double-read user carrying a verification identifier, when sensitive data such as the phone number of that user's attribute category is queried, both the original data table and the new data table are read; the encryption parameters indicated by the verification identifier are decrypted in the original data table and in the new data table respectively, giving the actual category information from the original data table and the decryption result from the new data table, and the two are compared. If the phone numbers of the user with user code 10001 are consistent between the original data table and the new data table, the new data table is proven usable and its data is returned to the client; otherwise the data of the original data table is returned to the client, and the relevant personnel are prompted to perform error calibration.
In some embodiments, after step S106, the method comprises: deleting the original data table of the target user in response to the end time of the transition period.
After the transition period ends, the original data table of the target user is deleted. At that point the users' verification identifiers are also cancelled, and the new data table is read uniformly. The storage space occupied by the original data table can thus be released; compared with adding a token_new column to the original data table, this saves storage space.
In some embodiments, after step S104, the method further comprises: in response to a determination that the verification result is a verification success, synchronizing the target encryption parameter in the new data table to the client as the read object.
In some embodiments, after step S106, the method further comprises: taking the target encryption parameter in the new data table as abnormal data, and constructing alarm information containing the abnormal data.
By sending the alarm information to the relevant personnel, such as an administrator, the cause of the abnormal data can be checked and corrected in time, which accelerates the roll-out of the target encryption mode and the commissioning of the new data table.
According to the data encryption upgrading method above, constructing a new data table avoids structural changes to the original data table, keeps rollback timely, and makes it possible to upgrade the encryption method while user information continues to be read. In addition, setting a transition period and setting verification identifiers for users ensures a stable transition between the new and old data tables and avoids the read errors that putting the new data table directly into service would cause; and deleting the original data table once the new data table is fully in service avoids the space overhead that the encryption-method upgrade would otherwise incur.
Fig. 7 is a block diagram of an upgrade apparatus for data encryption according to an exemplary embodiment of the present disclosure.
As shown in fig. 7, the present disclosure proposes an upgrade apparatus 1000 for data encryption, comprising: a new data table construction module, configured to construct, based on target encryption parameters generated by a target encryption mode, a new data table containing the target encryption parameters, wherein the new data table further contains the attribute categories and user codes associated with the target encryption parameters; a verification module, configured to retrieve the actual category information of a target user and verify the target encryption parameter to obtain a verification result, in response to a determination that the target user carries a verification identifier; and a rollback module, configured to return the original data table containing the actual category information to the client when the verification result is a verification failure.
In some embodiments of the present disclosure, an upgrade operator may perform an upgrade operation of data encryption through a client (e.g., a computer device, a cell phone device, etc.) based on an upgrade apparatus configured on, for example, a server.
The respective modules in the data encryption upgrade apparatus 1000 are provided for performing the respective steps of the data encryption upgrade method, and the principles and the performing steps thereof may refer to the foregoing, which is not repeated herein.
The apparatus 1000 may include corresponding modules that perform the steps of the flowcharts discussed above. Thus, each step or several steps in the flowcharts described above may be performed by respective modules, and the apparatus may include one or more of these modules. A module may be one or more hardware modules specifically configured to perform the respective steps, or be implemented by a processor configured to perform the respective steps, or be stored within a computer-readable medium for implementation by a processor, or be implemented by some combination.
The hardware architecture may be implemented using a bus architecture. The bus architecture may include any number of interconnecting buses and bridges depending on the specific application of the hardware and the overall design constraints. Bus 1100 connects together various circuits including one or more processors 1200, memory 1300, and/or hardware modules. Bus 1100 may also connect various other circuits 1400, such as peripherals, voltage regulators, power management circuits, external antennas, and the like.
Bus 1100 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. A bus may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one connection line is shown in the figure, which does not mean that there is only one bus or one type of bus.
The data encryption upgrading apparatus provided by the disclosure avoids structural changes to the original data table by constructing a new data table, keeps rollback timely, and makes it possible to upgrade the encryption method while user information continues to be read. In addition, setting a transition period and setting verification identifiers for users ensures a stable transition between the new and old data tables and avoids the read errors that putting the new data table directly into service would cause; and deleting the original data table once the new data table is fully in service avoids the space overhead that the encryption-method upgrade would otherwise incur.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process. Further implementations, in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functionality involved, are included within the scope of the preferred embodiments of the present disclosure, as would be understood by those reasonably skilled in the art. The processor performs the various methods and processes described above. For example, the method embodiments of the present disclosure may be implemented as a software program tangibly embodied in a machine-readable medium such as a memory. In some embodiments, part or all of the software program may be loaded and/or installed via the memory and/or a communication interface. When the software program is loaded into the memory and executed by the processor, one or more steps of the methods described above may be performed. Alternatively, in other embodiments, the processor may be configured to perform one of the methods described above in any other suitable manner (e.g., by means of firmware).
Logic and/or steps represented in the flowcharts or otherwise described herein may be embodied in any readable storage medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions.
For the purposes of this description, a "readable storage medium" can be any means that can contain, store, communicate, propagate or transport the program for use by or in connection with the instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre device, and a portable compact disc read-only memory (CD-ROM). The readable storage medium may even be paper or another suitable medium on which the program is printed, since the program can be captured electronically, for instance by optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a memory.
It should be understood that portions of the present disclosure may be implemented in hardware, software, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques, which are well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), and the like.
Those of ordinary skill in the art will appreciate that all or part of the steps implementing the method of the above embodiment may be implemented by a program to instruct related hardware, and the program may be stored in a readable storage medium, where the program when executed includes one or a combination of the steps of the method embodiment.
Furthermore, each functional unit in each embodiment of the present disclosure may be integrated into one processing module, or each unit may exist alone physically, or two or more units may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product. The storage medium may be a read-only memory, a magnetic disk or optical disk, etc.
It will be appreciated by those skilled in the art that the above-described embodiments are merely for clarity of illustration of the disclosure, and are not intended to limit the scope of the disclosure. Other variations or modifications will be apparent to persons skilled in the art from the foregoing disclosure, and such variations or modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. An upgrade method for data encryption, comprising:
constructing, based on target encryption parameters generated by a target encryption mode, a new data table containing the target encryption parameters, wherein the new data table further contains the attribute categories and user codes associated with the target encryption parameters;
in response to a determination that a target user carries a verification identifier, retrieving the actual category information of the target user to verify the target encryption parameter and obtain a verification result; and
when the verification result is a verification failure, returning the original data table containing the actual category information to the client.
2. The upgrade method for data encryption according to claim 1, wherein constructing, based on the target encryption parameters generated by the target encryption mode, the new data table containing the target encryption parameters comprises:
in response to the attribute category to be upgraded in an upgrade instruction, retrieving the actual category information associated with that attribute category, together with its user code, from the original data table of the target user;
encrypting the actual category information with the target encryption mode to generate the target encryption parameter; and
integrating the target encryption parameter, its attribute category and the user code to construct the new data table.
3. The upgrade method for data encryption according to claim 1, wherein retrieving the actual category information of the target user to verify the target encryption parameter in response to the determination that the target user carries a verification identifier comprises:
when the target user carries a verification identifier, retrieving the actual category information of the target user;
processing the target encryption parameter of the target user with a target decryption mode to obtain a decryption result associated with the target encryption parameter; and
comparing the actual category information and the decryption result for consistency to complete verification of the target encryption parameter.
4. The upgrade method for data encryption according to claim 3, wherein retrieving the actual category information of the target user when the target user carries a verification identifier comprises:
when the target user carries a verification identifier, determining the attribute category corresponding to the verification identifier;
retrieving the original encryption parameter associated with that attribute category from the original data table of the target user; and
processing the original encryption parameter with an original decryption mode to decrypt the actual category information corresponding to the original encryption parameter.
5. The upgrade method for data encryption according to claim 1, comprising, before constructing the new data table containing the target encryption parameters based on the target encryption parameters generated by the target encryption mode:
decrypting, according to the attribute category indicated by an upgrade instruction, the original encryption parameter corresponding to that attribute category in the original data table, so as to obtain the actual category information associated with the attribute category.
6. The upgrade method for data encryption according to claim 1, further comprising, after constructing the new data table containing the target encryption parameters based on the target encryption parameters generated by the target encryption mode:
migrating the remaining data in the original data table of the target user into the new data table, wherein the target user is the user associated with the new data table.
7. The upgrade method for data encryption according to claim 1, further comprising, before retrieving the actual category information of the target user to verify the target encryption parameter in response to the determination that the target user carries a verification identifier:
setting a preset number of double-read users for a transition period, and setting the verification identifier for the double-read users, wherein the verification identifier corresponds to the attribute category to be verified;
preferably, after returning the original data table containing the actual category information to the client when the verification result is a verification failure, the method comprises: deleting the original data table of the target user in response to the end time of the transition period;
preferably, after the determination that the target user carries the verification identifier, the method further comprises: in response to a determination that the verification result is a verification success, synchronizing the target encryption parameter in the new data table to the client as the read object;
preferably, after returning the original data table containing the actual category information to the client when the verification result is a verification failure, the method comprises: taking the target encryption parameter in the new data table as abnormal data, and constructing alarm information containing the abnormal data.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor when executing the program implementing a method of upgrading data encryption according to any of claims 1 to 7.
9. A readable storage medium, characterized in that the readable storage medium stores a computer program adapted to be loaded by a processor for performing the upgrade method of data encryption according to any one of claims 1 to 7.
10. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the method of upgrading data encryption of any one of claims 1 to 7.
CN202310890731.7A 2023-07-19 2023-07-19 Upgrading method, equipment, medium and computer program product for data encryption Pending CN116933285A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310890731.7A CN116933285A (en) 2023-07-19 2023-07-19 Upgrading method, equipment, medium and computer program product for data encryption

Publications (1)

Publication Number Publication Date
CN116933285A true CN116933285A (en) 2023-10-24

Family

ID=88393724

Country Status (1)

Country Link
CN (1) CN116933285A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160292427A1 (en) * 2015-03-30 2016-10-06 Airbnb, Inc. Database Encryption to Provide Write Protection
CN108055127A (en) * 2017-12-14 2018-05-18 吉旗(成都)科技有限公司 Data encryption method with computation separated from data, supporting hot update of the encryption algorithm and key
CN110162988A (en) * 2019-05-22 2019-08-23 咪付(深圳)网络技术有限公司 A sensitive data encryption method based on a business system
CN112597165A (en) * 2020-12-28 2021-04-02 中国建设银行股份有限公司 Supervision data quality verification method and device, electronic equipment and storage medium
CN114765544A (en) * 2021-01-11 2022-07-19 ***通信有限公司研究院 Trusted execution environment data offline migration method and device
CN115391805A (en) * 2022-08-26 2022-11-25 建信金融科技有限责任公司 Encrypted data migration method, device, equipment and storage medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination