CN117668870A

CN117668870A - Information encryption storage method and system

Info

Publication number: CN117668870A
Application number: CN202311546693.XA
Authority: CN
Inventors: 张凌涵; 李凯祥; 肖翔; 戚梦婷
Original assignee: China Construction Bank Corp; CCB Finetech Co Ltd
Current assignee: China Construction Bank Corp; CCB Finetech Co Ltd
Priority date: 2023-11-20
Filing date: 2023-11-20
Publication date: 2024-03-08

Abstract

The embodiment of the application provides an information encryption storage method and system, and belongs to the technical field of encryption. The method comprises the following steps: collecting non-encrypted data generated in real time in the business handling process; verifying the user identity of the current non-encrypted data, identifying the service single number at the current verification moment after the verification is passed, and generating a key pair based on the state information; constructing an indistinguishable specific trapdoor based on the key pair, and encrypting the non-encrypted data based on the key pair and the indistinguishable specific trapdoor to obtain encrypted data; and determining a key exchange protocol of the encrypted data, obtaining an encrypted data packet, and storing the encrypted data packet to a cloud server. The proposal of the invention also improves the information encryption and decryption efficiency on the premise of ensuring that the encryption security of the transaction service information meets the requirement.

Description

Information encryption storage method and system

Technical Field

The application relates to the technical field of encryption, in particular to an information encryption storage method and an information encryption storage system.

Background

In the transaction related business field, a relatively perfect foreground business processing system exists, but the manual operation is gradually changed into automatic processing in the current stage, and a large amount of data is continuously generated in the operation process, so that the problems of unsafe data information and difficult guarantee of confidentiality are necessarily existed in the process. In order to cope with this problem, it is necessary to encrypt data, because there must be a large amount of user sensitive information during the transaction, and leakage of the sensitive information may pose a great threat to the information security of the user. In order to avoid that the user sensitive information is maliciously stolen and then analyzed to obtain the private information about the user, the corresponding data encryption is needed in the corresponding user business handling process.

At present, the development of information encryption technology is very rapid, but no encryption algorithm aiming at the characteristics of transaction business industry exists, and users have to make a trade-off in the common algorithm of high encryption grade, complex encryption process, high encryption and decryption time delay, and simple encryption algorithm. However, in the transaction service, since the traffic is large, it is necessary to efficiently encrypt and decrypt information, and it is also necessary to perform high-level security encryption. The key length of the traditional encryption method is too short and is easy to crack, and the encryption and decryption process of the traditional encryption algorithm is reversible and easy to attack. Aiming at the problems of low security level and low encryption and decryption efficiency of the existing encryption method, a new information encryption and storage method aiming at transaction business needs to be created.

Disclosure of Invention

The embodiment of the application aims to provide an information encryption storage method and system, so as to solve the problems of low security level and low encryption and decryption efficiency of the existing encryption method.

In order to achieve the above object, a first aspect of the present application provides an information encryption storage method, including: collecting non-encrypted data generated in real time in the business handling process; verifying the user identity of the current non-encrypted data, and extracting a corresponding key pair after the verification is passed; encrypting the non-encrypted data based on the key pair and the indistinguishability to obtain encrypted data; and determining a key exchange protocol of the encrypted data, obtaining an encrypted data packet, and storing the encrypted data packet to a cloud server.

In this embodiment of the present application, the collecting non-encrypted data generated in real time during the service handling process includes: identifying all business interaction data based on each preset data acquisition scheme; judging the encryption state of all the business interaction data, and filtering the encrypted data to obtain a candidate non-encrypted data set; and on the basis of a sensitivity judgment rule, carrying out sensitivity judgment on each data in the candidate non-encrypted data set, and reserving the data with sensitivity exceeding a preset sensitivity threshold as the non-encrypted data set.

In this embodiment of the present application, the identifying all service interaction data based on each preset data acquisition scheme includes: judging the triggering condition of each data acquisition scheme at each sampling moment, and identifying the data acquisition scheme with successful triggering; based on each data acquisition scheme successfully triggered, recovering service interaction data acquired by each data acquisition scheme to form a service interaction data set under each data acquisition scheme; executing union processing on each service interaction data set to obtain a combined service interaction data set as all service interaction data; the preset data acquisition scheme comprises the following steps: and one or more of user initiative uploading, mechanism data pulling, page data uploading, file pushing and photographing identification.

In an embodiment of the present application, the verifying the user identity of the current unencrypted data includes: determining a data source based on a data acquisition scheme selected by the current unencrypted data; accessing identification information of the initiating data interaction terminal equipment through the data source, determining the user identity based on the identification information, and reading the corresponding relation between the current non-encrypted data and the corresponding user identity; reading data information based on the corresponding relation, and classifying the acquired non-encrypted data based on the attribute information to obtain non-encrypted data related to each user; judging the business identity checking result of each user, and adding the user identification to each non-encrypted data after the checking is passed.

In the embodiment of the application, the key pair comprises a public key and a private key; the generation rule of the key pair comprises: responding to the user identity verification passing signal, and identifying the service list number at the current verification moment; generating a key pair based on the state information; wherein the service list number includes unique state information of the current time, and the unique state information includes: timestamp, user identity, authentication initiation request end identification.

In an embodiment of the present application, encrypting the non-encrypted data based on the key pair and the indistinguishability to obtain encrypted data includes: extracting a public key based on the key pair, and constructing a trapdoor function based on the extracted public key; constructing a specific trapdoor of indistinguishability aiming at the trapdoor function; based on the extracted public key and the specific trapdoor, performing encryption of the unencrypted data to obtain encrypted data; wherein the indistinguishability includes: ciphertext indistinguishability and trapdoor indistinguishability.

In the embodiment of the application, the key exchange protocol is a Diffie-Hellman key exchange protocol; the determining the key exchange protocol of the encrypted data, obtaining the encrypted data packet, includes: writing the determined key exchange protocol into the encrypted data to obtain an integrated data packet; executing protocol writing to the integrated data packet, and executing compression processing to the integrated data packet with the completed protocol writing to obtain a compressed data packet as an encrypted data packet; and in the integrated data packet compression process, executing the compression packet data head protocol calibration.

In an embodiment of the present application, the method further includes: responding to a cloud server storage data access request, and obtaining user identity information of an access user; searching the cloud server for encrypted data with corresponding user identification based on the user identity information; checking the user identity information, and pushing the encrypted data with the corresponding user identifier to the user terminal after the user identity information passes the checking; and based on the determined key exchange protocol and the shared key pair of the user side, the user side decrypts the encrypted data based on the shared key pair to obtain corresponding non-encrypted data.

A second aspect of the present application provides an information encryption storage system, comprising: the collecting unit is used for collecting non-encrypted data generated in real time in the business handling process; the verification unit is used for verifying the user identity of the current non-encrypted data and extracting a corresponding key pair after the verification is passed; an encryption unit configured to encrypt the non-encrypted data based on the key pair and indistinguishability, to obtain encrypted data; and the storage unit is used for determining a key exchange protocol of the encrypted data, obtaining an encrypted data packet and storing the encrypted data packet to the cloud server.

A third aspect of the present application provides a processor configured to perform the above-described information encryption storage method.

A fourth aspect of the present application provides a machine-readable storage medium having stored thereon instructions that, when executed by a processor, cause the processor to be configured to perform the information encryption storage method described above.

A fifth aspect of the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described information encryption storage method.

By the technical scheme, the key pair is introduced to encrypt data, and the information encryption grade of transaction service is ensured based on the security advantage of asymmetric encryption. The scheme of the invention synchronously introduces indistinguishability and a key exchange protocol to encrypt and decrypt data, thereby ensuring the high efficiency of the information encryption and decryption process. The scheme of the invention can solve the problems of unsafe and easy attack of data encryption in banking industry, and can perfect the data security and improve the information storage security by adding a certificate-free encryption scheme.

Additional features and advantages of embodiments of the present application will be set forth in the detailed description that follows.

Drawings

The accompanying drawings are included to provide a further understanding of embodiments of the present application and are incorporated in and constitute a part of this specification, illustrate embodiments of the present application and together with the description serve to explain, without limitation, the embodiments of the present application. In the drawings:

FIG. 1 schematically illustrates a flow chart of steps of an information encryption storage method according to an embodiment of the present application;

FIG. 2 schematically illustrates a system architecture diagram of an information encryption storage system in accordance with an embodiment of the present application;

fig. 3 schematically shows an internal structural diagram of a computer device according to an embodiment of the present application.

Detailed Description

For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it should be understood that the specific implementations described herein are only for illustrating and explaining the embodiments of the present application, and are not intended to limit the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.

It should be noted that, in the embodiment of the present application, directional indications (such as up, down, left, right, front, and rear … …) are referred to, and the directional indications are merely used to explain the relative positional relationship, movement conditions, and the like between the components in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indications are correspondingly changed.

In addition, if there is a description of "first", "second", etc. in the embodiments of the present application, the description of "first", "second", etc. is for descriptive purposes only and is not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be regarded as not exist and not within the protection scope of the present application.

At present, the development of information encryption technology is very rapid, but no encryption algorithm aiming at the characteristics of transaction business industry exists, and users have to make a trade-off in the common algorithm of high encryption grade, complex encryption process, high encryption and decryption time delay, and simple encryption algorithm. However, in the transaction service, since the traffic is large, it is necessary to efficiently encrypt and decrypt information, and it is also necessary to perform high-level security encryption. The key length of the traditional encryption method is too short and is easy to crack, and the encryption and decryption process of the traditional encryption algorithm is reversible and easy to attack.

Aiming at the problems of low security level and low encryption and decryption efficiency of the existing encryption method, the scheme of the invention provides a novel information encryption storage method. The scheme of the invention synchronously introduces indistinguishability and a key exchange protocol to encrypt and decrypt data, thereby ensuring the high efficiency of the information encryption and decryption process. The scheme of the invention can solve the problems of unsafe and easy attack of data encryption in banking industry, and can perfect the data security and improve the information storage security by adding a certificate-free encryption scheme.

Fig. 1 schematically shows a flow diagram of an information encryption storage method according to an embodiment of the present application. As shown in fig. 1, in an embodiment of the present application, there is provided an information encryption storage method, including the steps of:

step S10: and collecting non-encrypted data generated in real time in the business handling process.

Specifically, the scheme of the invention adopts a self-designed certificate-free encryption scheme, and adopts public and private key pairs in asymmetric encryption to achieve the irreversibility in the encryption and decryption process; based on Diffie-Hellman assumption, the indistinguishability of ciphertext can be met, so that the ciphertext is not easy to attack; the encryption mode can effectively ensure the data security. Because the information encryption storage scheme provided by the scheme of the invention aims at transaction business, in order to improve the efficiency of data storage, transaction information is collected in the business handling process of a user.

Preferably, in the process of information acquisition, the information of the whole transaction process is acquired indiscriminately so as to avoid missing key information, and complete detail record of the interaction process is carried out aiming at information and file interaction between a user and a transacting person, so that complete business transacting data can be traced when follow-up business tracing is ensured.

Specifically, the non-encrypted data generated in real time in the service collecting and handling process includes: identifying all business interaction data based on each preset data acquisition scheme; judging the encryption state of all the interactive data, and filtering the encrypted data to obtain a candidate non-encrypted data set; and on the basis of a sensitivity judgment rule, carrying out sensitivity judgment on each data in the candidate non-encrypted data set, and reserving the data with sensitivity exceeding a preset sensitivity threshold as the non-encrypted data set.

Preferably, the preset data acquisition scheme includes: and one or more of user initiative uploading, mechanism data pulling, page data uploading, file pushing and photographing identification.

In the embodiment of the present invention, the foregoing has explained that in the existing encryption algorithm, the encryption level and the encryption speed cannot be considered, because the traffic volume will increase the encrypted data volume, the increase of the encrypted data volume will also tend to cause the encryption speed to be slower and the time delay to be higher. The two are contradictory, so even though the scheme of the application self-defines the corresponding encryption algorithm, the improvement of the encryption delay problem is limited. Based on the above, in order to further reduce the time delay, after the business transaction detail is completely acquired, the scheme of the invention encrypts all data, but encrypts the sensitive data in the business transaction detail, and when a subsequent user accesses the data, only needs to decrypt the sensitive data, and can obtain the complete data after the sensitive data is combined and spliced with the non-sensitive data in the public library.

Based on the sensitivity judgment rule, the scheme of the invention judges the sensitivity of each data in the candidate non-encrypted data set, and reserves the data with the sensitivity exceeding the preset sensitivity threshold as the non-encrypted data set. By filtering the majority of the non-encrypted data, the amount of data to be encrypted is greatly reduced. Therefore, the encryption efficiency is improved on the traffic level, the encryption time delay is reduced, and the information management efficiency can be remarkably improved when dealing with a large amount of transaction services.

Preferably, in the business handling process, various information or file interactions may exist between the user and the handling personnel, and in order to ensure the integrity of the data record, the scheme of the invention presets various data acquisition schemes, so as to realize complete acquisition of the data.

Step S20: and verifying the user identity of the current unencrypted data, and extracting a corresponding key pair after the verification is passed.

Specifically, a data source is determined based on a data acquisition scheme selected by the current non-encrypted data; determining a user identity based on a data source, and determining a corresponding relationship between current non-encrypted data and a corresponding user identity; acquiring non-encrypted data related to each user based on the non-encrypted data classification acquired by the corresponding relation; judging the business identity checking result of each user, and adding the user identification to each non-encrypted data after the checking is passed.

Preferably, the key pair includes: public and private keys; the key pair is dynamically generated on a per encryption request basis.

Preferably, the extracting the corresponding key pair after the verification is passed includes: generating a unique service list number based on an encryption request initiated by current non-encryption data; and generating a corresponding key pair based on the unique service single number.

In the embodiment of the invention, the scheme encrypts the information based on an asymmetric encryption algorithm, and uses two pairs of keys, namely a public key and a private key, which are completely different but completely matched. When the file is encrypted by using the asymmetric encryption algorithm, the encryption and decryption process of the plaintext can be completed only by using the matched pair of public key and private key. Common asymmetric encryption algorithms are RSA algorithm, elliptic curve cryptography algorithm, elGamal algorithm. For example, the RSA algorithm is widely used, and the security is mainly based on the problem of large prime number decomposition. In the RSA algorithm, the public key consists of two parameters: one is the modulus n and the other is the public key exponent e. The private key consists of a modulus n and a private key exponent d. The security of the RSA algorithm depends on the key length, which generally requires the use of a longer key length to ensure security. The scheme of the invention can be applied to various asymmetric encryption algorithms.

Step S30: encrypting the non-encrypted data based on the key pair and the indistinguishability to obtain encrypted data.

Specifically, based on the key pair, generating a specific trapdoor with indistinguishability; encrypting the unencrypted data based on the trapdoor; wherein the indistinguishability includes: ciphertext indistinguishability and trapdoor indistinguishability.

In the embodiment of the invention, the indistinguishability comprises two modes of ciphertext indistinguishability and trapdoor indistinguishability, a specific trapdoor is generated from a given public key through an algorithm, and the trapdoors of the two are indistinguishable when a malicious attack occurs, so that the malicious attack fails, and the strong security of an encryption scheme is ensured. Under the private key system, the security of a certain private key Q encryption scheme is generally illustrated by the probability advantage (Adv) that ciphertext is indistinguishable from a random sequence. Closely related to this advantage (Adv) is the computation time t, the number of challenges q, the length of the challenge, etc. (adjective of the computing power of the attacker). If Adv is below a certain probability we give, it is stated that under this computing power the ciphertext is indistinguishable from the random sequence, i.e. the encryption scheme is secure. Under the public key regime, it is generally required that the indistinguishable probability of ciphertext from random sequences be negligible. Here we generally require that the computational power of the attacker be PPT (the computational power of the probability polynomial on the input). The negligible function is a function of the security parameters, and the public key system can be defined in a negligible way because the common public key encryption scheme uses a trapdoor function (special one-way function), and when the security parameters become larger, the secret key correspondingly increases, and the related relation enables the security definition to be defined in a negligible way. The reason that the private key cannot be defined negligibly is that the input, output and key are both fixed values in the private key encryption scheme, since the fixed values are not likely to be negligible. That is, as the computing power of an attacker increases over time, the private key encryption scheme has to be redefined, just like DES to AES. Whereas public key encryption schemes only require a longer key to be replaced.

Further, the encrypting the non-encrypted data based on the key pair and the indistinguishability to obtain encrypted data includes: extracting a public key based on the key pair, and constructing a trapdoor function based on the extracted public key; constructing a specific trapdoor of indistinguishability aiming at the trapdoor function; based on the extracted public key and the specific trapdoor, performing encryption of the unencrypted data to obtain encrypted data; wherein the indistinguishability includes: ciphertext indistinguishability and trapdoor indistinguishability.

In the embodiment of the invention, the trapdoor function is composed of three algorithms, a key generation algorithm, the trapdoor function itself and an inverse function of the trapdoor function. For example, performing trapdoor generation based on RSA trapdoor substitution is widely used in cryptographic applications, such as SSL and TLS, where RSA is used for certificate and key exchange, there are many secure email systems and secure file systems where RSA is used to encrypt files in email and file systems. The specific working process is that the key generation algorithm, the function f and the inverse function f ^-1 The key generation algorithm works as follows, generating two prime numbers p and q, each approximately 1000 bits, about 300 decimal bits, and then the RSA modulus is the product of these two prime numbers. Next two indices e and d are chosen, satisfying e times d equal to 1 modulo. This means that e and d must first be mutually prime and second they must be mutually modulo inverse. The public key bit (N, e) is then output, while the private key is (N, d). The exponent e advantage is referred to as the encryption exponent, while the exponent d is sometimes referred to as the decryption exponent. The definition of the RSA function itself is very simple. For simplicity, it is defined as a function from z_n to z_n. The function has an input x, only x is needed to calculate the power e of x in Z_N, then only x is needed to calculate ^e modN is done. At decryption, given the input y, the d-th power of y modulo N is calculated. The inverse of the function f can be verified quickly when we calculate y ^d At this time, it is assumed that y itself is exactly the value of the RSA function at a certain value x, when y ^d Namely RSA (x) ^d And x itself will become x ^e mod n, therefore, according to the euler theorem, the result x is finally obtained. It has been demonstrated that if the output of the RSA function is taken and then calculated to the power d, i can get x, which means that the power d is calculated as the inverse of RSA.

Step S40: and determining a key exchange protocol of the encrypted data, obtaining an encrypted data packet, and storing the encrypted data packet to a cloud server.

Preferably, the key exchange protocol is a Diffie-Hellman key exchange protocol.

In the embodiment of the invention, the Diffie-Hellman key exchange protocol solves the problem that the key exchange is completed under the condition that the two parties do not directly transmit the key, and is a secure protocol, so that the two parties establish a key through an unsafe channel under the condition that the two parties do not have any prior information of the other party, the key is generally used by the two parties as a key of symmetric encryption in subsequent data transmission, and the mathematical principle of the Diffie-Hellman key exchange protocol is a base discrete logarithm problem.

Preferably, the determining the key exchange protocol of the encrypted data, obtaining the encrypted data packet includes: writing the determined key exchange protocol into the encrypted data, and generating an encrypted data packet based on the encrypted data written into the key exchange protocol.

Preferably, the method further comprises: responding to a cloud server storage data access request, and obtaining user identity information of an access user; searching the cloud server for encrypted data with corresponding user identification based on the user identity information; checking the user identity information, and pushing the encrypted data with the corresponding user identifier to a user side after the user identity information passes the checking; and based on the determined key exchange protocol and the shared key pair of the user side, the user side decrypts the encrypted data based on the shared key pair to obtain corresponding non-encrypted data.

In the embodiment of the invention, the user may have access requirements on stored data later, when the data is accessed, the identity information of the user needs to be verified, the data is prevented from being maliciously subjected to a scheme, and the data scheme authority is opened to the corresponding requesting user after the less identity verification is passed.

Fig. 1 is a flow chart of an information encryption storage method in one embodiment. It should be understood that, although the steps in the flowchart of fig. 1 are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in fig. 1 may include multiple sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor do the order in which the sub-steps or stages are performed necessarily performed in sequence, but may be performed alternately or alternately with at least a portion of other steps or sub-steps of other steps.

In one embodiment, as shown in FIG. 2, there is provided an information encryption storage system comprising:

the collecting unit is used for collecting the non-encrypted data generated in real time in the business handling process.

And the verification unit is used for verifying the user identity of the current unencrypted data and extracting the corresponding key pair after the verification is passed.

And the encryption unit is used for encrypting the non-encrypted data based on the key pair and the indistinguishability to obtain encrypted data.

And the storage unit is used for determining a key exchange protocol of the encrypted data, obtaining an encrypted data packet and storing the encrypted data packet to the cloud server.

The embodiment of the application provides a storage medium, on which a program is stored, which when executed by a processor, implements the above-described information encryption storage method.

The embodiment of the application provides a processor for running a program, wherein the program executes the information encryption storage method.

In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 3. The computer device includes a processor a01, a network interface a02, a memory (not shown) and a database (not shown) connected by a system bus. Wherein the processor a01 of the computer device is adapted to provide computing and control capabilities. The memory of the computer device includes internal memory a03 and nonvolatile storage medium a04. The nonvolatile storage medium a04 stores an operating system B01, a computer program B02, and a database (not shown in the figure). The internal memory a03 provides an environment for the operation of the operating system B01 and the computer program B02 in the nonvolatile storage medium a04. The network interface a02 of the computer device is used for communication with an external terminal through a network connection. The computer program B02 is executed by the processor a01 to implement an information encryption storage method.

The present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the above described information encryption storage method.

It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, etc., such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.

Computer-readable media include both permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.

It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.

The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims

1. An information encryption storage method, characterized in that the method comprises:

collecting non-encrypted data generated in real time in the business handling process;

verifying the user identity of the current non-encrypted data, identifying the service single number at the current verification moment after the verification is passed, and generating a key pair based on the state information;

constructing an indistinguishable specific trapdoor based on the key pair, and encrypting the non-encrypted data based on the key pair and the indistinguishable specific trapdoor to obtain encrypted data;

and determining a key exchange protocol of the encrypted data, obtaining an encrypted data packet, and storing the encrypted data packet to a cloud server.

2. The method of claim 1, wherein collecting unencrypted data generated in real-time during business processing comprises:

identifying all business interaction data based on each preset data acquisition scheme;

Judging the encryption state of all the business interaction data, and filtering the encrypted data to obtain a candidate non-encrypted data set;

and on the basis of a sensitivity judgment rule, carrying out sensitivity judgment on each data in the candidate non-encrypted data set, and reserving the data with sensitivity exceeding a preset sensitivity threshold as the non-encrypted data set.

3. The method of claim 2, wherein identifying all business interaction data based on each preset data collection scheme comprises:

judging the triggering condition of each data acquisition scheme at each sampling moment, and identifying the data acquisition scheme with successful triggering;

based on each data acquisition scheme successfully triggered, recovering service interaction data acquired by each data acquisition scheme to form a service interaction data set under each data acquisition scheme;

executing union processing on each service interaction data set to obtain a combined service interaction data set as all service interaction data; wherein,

the preset data acquisition scheme comprises the following steps:

and one or more of user initiative uploading, mechanism data pulling, page data uploading, file pushing and photographing identification.

4. The method of claim 2, wherein verifying the user identity of the current unencrypted data comprises:

Determining a data source based on a data acquisition scheme selected by the current unencrypted data;

accessing identification information of the initiating data interaction terminal equipment through the data source, determining the user identity based on the identification information, and reading the corresponding relation between the current non-encrypted data and the corresponding user identity;

reading data information based on the corresponding relation, and classifying the acquired non-encrypted data based on the attribute information to obtain non-encrypted data related to each user;

judging the business identity checking result of each user, and adding the user identification to each non-encrypted data after the checking is passed.

5. The method of claim 1, wherein the key pair comprises a public key and a private key;

the generation rule of the key pair comprises:

responding to the user identity verification passing signal, and identifying the service list number at the current verification moment;

generating a key pair based on the state information; wherein,

the service list number includes unique state information of the current time, and the unique state information includes:

timestamp, user identity, authentication initiation request end identification.

6. The method of claim 1, wherein encrypting the non-encrypted data based on the key pair and indistinguishability to obtain encrypted data comprises:

Extracting a public key based on the key pair, and constructing a trapdoor function based on the extracted public key;

constructing a specific trapdoor of indistinguishability aiming at the trapdoor function;

based on the extracted public key and the specific trapdoor, performing encryption of the unencrypted data to obtain encrypted data; wherein,

the indistinguishability includes: ciphertext indistinguishability and trapdoor indistinguishability.

7. The method of claim 1, wherein the key exchange protocol is a Diffie-Hellman key exchange protocol.

The determining the key exchange protocol of the encrypted data, obtaining the encrypted data packet, includes:

writing the determined key exchange protocol into the encrypted data to obtain an integrated data packet;

executing protocol writing to the integrated data packet, and executing compression processing to the integrated data packet with the completed protocol writing to obtain a compressed data packet as an encrypted data packet;

and in the integrated data packet compression process, executing the compression packet data head protocol calibration.

8. The method according to claim 4, wherein the method further comprises:

responding to a cloud server storage data access request, and obtaining user identity information of an access user;

Searching the cloud server for encrypted data with corresponding user identification based on the user identity information;

checking the user identity information, and pushing the encrypted data with the corresponding user identifier to the user terminal after the user identity information passes the checking;

and based on the determined key exchange protocol and the shared key pair of the user side, the user side decrypts the encrypted data based on the shared key pair to obtain corresponding non-encrypted data.

9. An information encryption storage system, the system comprising:

the collecting unit is used for collecting non-encrypted data generated in real time in the business handling process;

the verification unit is used for verifying the user identity of the current non-encrypted data and extracting a corresponding key pair after the verification is passed;

an encryption unit configured to encrypt the non-encrypted data based on the key pair and indistinguishability, to obtain encrypted data;

10. A processor configured to perform the information encryption storage method of any one of claims 1 to 8.

11. A machine-readable storage medium having instructions stored thereon, which when executed by a processor cause the processor to be configured to perform the information encryption storage method of any one of claims 1 to 8.

12. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the information encryption storage method according to any one of claims 1 to 8.