Nothing Special   »   [go: up one dir, main page]

CN109325360B - Information management method and device - Google Patents

Information management method and device Download PDF

Info

Publication number
CN109325360B
CN109325360B CN201811039097.1A CN201811039097A CN109325360B CN 109325360 B CN109325360 B CN 109325360B CN 201811039097 A CN201811039097 A CN 201811039097A CN 109325360 B CN109325360 B CN 109325360B
Authority
CN
China
Prior art keywords
information
data
management method
abstract value
information management
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811039097.1A
Other languages
Chinese (zh)
Other versions
CN109325360A (en
Inventor
李振东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Sankuai Online Technology Co Ltd
Original Assignee
Beijing Sankuai Online Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Sankuai Online Technology Co Ltd filed Critical Beijing Sankuai Online Technology Co Ltd
Priority to CN201811039097.1A priority Critical patent/CN109325360B/en
Publication of CN109325360A publication Critical patent/CN109325360A/en
Priority to CA3054213A priority patent/CA3054213A1/en
Application granted granted Critical
Publication of CN109325360B publication Critical patent/CN109325360B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Computer Hardware Design (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • Technology Law (AREA)
  • Strategic Management (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Marketing (AREA)
  • Economics (AREA)
  • Development Economics (AREA)
  • Accounting & Taxation (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure provides an information management method and device. The information management method comprises the following steps: responding to the data query request to determine the abstract value of the information to be queried; sending an information query request including the abstract value to a first terminal; and acquiring the information to be inquired according to the return information determined by the first terminal through inquiring a rainbow table. The information management method can improve the storage safety of the sensitive information.

Description

Information management method and device
Technical Field
The present disclosure relates to the field of information technologies, and in particular, to an information management method and apparatus.
Background
Due to the requirements of financial industry supervision departments and various compliance, desensitization or encryption processing is required to be carried out on financial sensitive information during storage and use, and plaintext storage is forbidden, but in business, requirements on the use of plaintext for financial sensitive information such as bank card numbers, identity card numbers, signing mobile phone numbers and the like are frequently met, such as customer service, wind control identification, real name verification and the like. Generally, for a scene in which sensitive information is used as a query result, the method for storing the sensitive information (such as four elements of a name, a mobile phone, an identity card and a bank card) by a service party mainly comprises three methods of encryption, abstraction and desensitization; for the scene with sensitive information as the query keyword, other primary keys such as a client number and the like are needed to be used for conversion association.
Encryption is generally used in a scene where a service party needs to restore a plaintext, four elements are encrypted by using symmetric and asymmetric keys, and corresponding keys are used for decryption restoration when a query result is obtained. However, the service side can encrypt and decrypt, and hidden information leakage may occur. A high level of management and closing-in of the keys is required. For large internet companies with multiple lines of business, this management can result in inefficient query of sensitive information. The abstract is commonly used in links such as identity verification, most of the desensitization is used in tail number prompt of an interface, the two modes irreversibly shield or destroy the true meaning of a plaintext, and the application scene is limited.
Therefore, an information management method capable of satisfying the information security requirement and improving the sensitive information query efficiency is needed.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
An object of the present disclosure is to provide an information management method and an information management apparatus for overcoming, at least to some extent, the following problems due to the limitations and disadvantages of the related art:
1. the business side can encrypt and decrypt by itself, and the hidden danger of sensitive information internal leakage cannot be eliminated.
2. The management of the key is based on the product line of each business group, and real-time and effective audit supervision cannot be carried out.
3. The existing three methods have limitations, need to be adapted according to scenes, and have complicated and redundant pain points in construction.
4. Sensitive information is poorly available for use as a query.
According to a first aspect of the embodiments of the present disclosure, there is provided an information management method, including: responding to the data query request to determine the abstract value of the information to be queried; sending an information query request including the abstract value to a first terminal; and acquiring the information to be inquired according to the return information determined by the first terminal through inquiring a rainbow table.
In an exemplary embodiment of the present disclosure, further comprising:
and after the abstract value of the first information is acquired and recorded, deleting the first information.
In an exemplary embodiment of the present disclosure, further comprising:
acquiring mask data of the first information;
and acquiring the abstract value of the ciphertext in the mask data, recording the abstract value corresponding to the mask data, and deleting the first information.
In an exemplary embodiment of the present disclosure, further comprising:
and establishing an index for the plaintext in the mask data.
In an exemplary embodiment of the present disclosure, further comprising:
responding to a data retrieval request, and acquiring a plurality of mask data according to a retrieval key word and the index;
and acquiring a first abstract value of the retrieval key and second abstract values corresponding to the mask data, and determining a retrieval result in the mask data according to the first abstract value.
In an exemplary embodiment of the present disclosure, the sending of the information query request including the digest value to the first terminal includes:
generating a public key and a private key according to the data query request;
and sending an information inquiry request comprising the abstract value and the public key to the first terminal.
In an exemplary embodiment of the present disclosure, the obtaining the information to be queried according to the return information determined by the first terminal by querying a rainbow table includes:
and decrypting the returned information according to the private key to obtain the information to be inquired.
According to a second aspect of the embodiments of the present disclosure, there is provided an information management apparatus including:
the abstract value determining module is set to respond to the data query request to determine the abstract value of the information to be queried;
the information query module is arranged for sending an information query request comprising the abstract value to the first terminal;
and the information restoration module is arranged to acquire the information to be inquired according to the return information determined by the first terminal through inquiring the rainbow table.
According to a third aspect of the present disclosure, there is provided an information management apparatus comprising: a memory; and a processor coupled to the memory, the processor configured to perform the method of any of the above based on instructions stored in the memory.
According to a fourth aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a program which, when executed by a processor, implements the information management method as recited in any one of the above.
According to the information management method provided by the embodiment of the disclosure, the abstract value of the sensitive information is used as the form of the sensitive information stored by the business party and the query condition for querying the sensitive information, and the relation between the abstract value and the data is recorded in the rainbow table of the compliance supervisor, so that the monitoring of the compliance supervisor on the process of querying the sensitive information by the business party can be effectively ensured, the data security is guaranteed, and the business party can obtain the query result in time when the business party meets the query specification. In addition, the data and the abstract values are stored in a rainbow table form, so that a compliance supervisor can be prevented from acquiring complete sensitive information, and the safety of the data is ensured.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 is a flowchart of an information management method in an exemplary embodiment of the present disclosure.
Fig. 2 is a flowchart of a digest value saving process in an exemplary embodiment of the present disclosure.
Fig. 3 is a flowchart of another digest value saving process in an exemplary embodiment of the present disclosure.
Fig. 4 is a sub-flowchart of an information management method in an exemplary embodiment of the present disclosure.
Fig. 5 is a flowchart of an information management method in another exemplary embodiment of the present disclosure.
Fig. 6 is a schematic diagram of an information management method in an application scenario of the present disclosure.
Fig. 7 is a block diagram of an information management apparatus in an exemplary embodiment of the present disclosure.
FIG. 8 is a block diagram of an electronic device in an exemplary embodiment of the disclosure.
FIG. 9 is a schematic illustration of a computer-readable storage medium in an exemplary embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Further, the drawings are merely schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus, a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
Fig. 1 schematically shows a flowchart of an information management method in an exemplary embodiment of the present disclosure. Referring to fig. 1, the information management method 100 may include:
step S1, responding to the data inquiry request to determine the abstract value of the information to be inquired;
step S2, sending an information inquiry request including the abstract value to the first terminal;
and step S3, obtaining the information to be inquired according to the return information determined by the first terminal by inquiring the rainbow table.
According to the information management method provided by the embodiment of the disclosure, the abstract value of the sensitive information is used as the form of the sensitive information stored by the business party and the query condition for querying the sensitive information, and the relation between the abstract value and the data is recorded in the rainbow table of the compliance supervisor, so that the monitoring of the compliance supervisor on the process of querying the sensitive information by the business party can be effectively ensured, the data security is guaranteed, and the business party can obtain the query result in time when the business party meets the query specification. In addition, the data and the abstract values are stored in a rainbow table form, so that a compliance supervisor can be prevented from acquiring complete sensitive information, and the safety of the data is ensured.
The following describes each step of the information management method 100 in detail. In the embodiment of the present disclosure, the information management method 100 may be executed by a service party terminal, and the service party may be, for example, an object that collects and uses sensitive information, and a compliance supervisor that stores and verifies whether the service party is authorized to use the sensitive information, as opposed to the service party.
In step S1, a digest value of the information to be queried is determined in response to the data query request.
In a scenario where the sensitive information is used as a query result, that is, when the sensitive information of an object needs to be queried, an associated primary key corresponding to the information to be queried may be determined first. For example, when the data to be queried is the mobile phone number of the user a, the user name of the user a may be used as the associated key, and the digest value of the mobile phone number of the user corresponding to the associated key is determined.
Fig. 2 is a process of saving a digest value in an embodiment of the present disclosure.
Referring to fig. 2, in an exemplary embodiment of the present disclosure, the process of saving the digest value may include:
and step S01, after the abstract value of the first information is acquired and recorded, deleting the first information.
Wherein the first information is sensitive information. After the service party acquires the sensitive information, the abstract value of the sensitive information can be acquired according to a preset abstract algorithm and a preset salt value, the abstract value is recorded at the recording position of the sensitive information, and meanwhile, the sensitive information is deleted. Therefore, the service party only keeps the digest value of the sensitive information, and the service party cannot decrypt the digest value due to the irreversibility of the digest algorithm, so that the data security is effectively ensured.
In some cases, in order to deal with an application scenario in which sensitive information is used as a query key, a part of plaintext of the sensitive information needs to be retained. Fig. 3 is another summary value saving process in an embodiment of the disclosure.
Referring to fig. 3, in an embodiment of the present disclosure, the process of saving the digest value may further be:
step S02, acquiring mask data of the first information;
step S03, obtaining the digest value of the ciphertext in the mask data and recording the digest value in correspondence with the mask data, and deleting the first information.
The first information may be, for example, sensitive information that needs to extract a digest value.
Mask data of the sensitive information can be obtained through a preset mask algorithm, the mask data comprise a ciphertext and a plaintext with preset bits, and the ciphertext is covered data and is usually displayed as a mark; the plain text is the original text data. For example, if the first message is "123456789", the corresponding mask data may be "123 × 789", and the ciphertext may be "456".
After the mask data is determined, the digest value of the ciphertext portion, i.e., the digest value of the number "456" in the above example, may be obtained according to a preset digest algorithm and a preset salt value. After the digest value is obtained, the mask data and the corresponding ciphertext digest value can be recorded only at the recording position of the sensitive information, and the original sensitive data is deleted, so that the sensitive data can be safely stored.
At step S2, an information query request including the digest value is transmitted to the first terminal.
The first terminal may be, for example, a terminal of a compliance supervisor. In the embodiment of the disclosure, the service party only retains the data damaged by the digest algorithm, and can obtain the data from the compliance supervisor when the complete sensitive information needs to be queried, so that the compliance supervisor can effectively supervise the service party on the use condition of the sensitive data.
The business party may send an information query request including a digest value of the information to be queried to the compliance supervisor.
Fig. 4 is a sub-flowchart of sending an information query request to a first terminal in the embodiments of the present disclosure.
Referring to fig. 4, in an exemplary embodiment of the present disclosure, step S2 may include:
step S21, generating a public key and a private key according to the data query request;
step S22, sending an information query request including the digest value and the public key to the first terminal.
Corresponding to each data query request taking sensitive information as a query result, the compliance supervisor can generate a pair of public key and private key, and the public key and the digest value of the data to be queried are sent to the compliance supervisor together, so that the encryption of the communication process is realized, and the data security is further ensured.
In step S3, the information to be queried is obtained according to the return information determined by the first terminal by querying the rainbow table.
In the disclosed embodiment, the compliance supervisor maintains the relationship of the data to the digest values through a rainbow table. At a terminal of a compliance supervisor, a rainbow table comprising a plurality of independent data may be generated, the data in the rainbow table being unassociated with each other. Further, the abstract value of each datum in the rainbow table can be obtained according to the same abstract algorithm and the preset salt value as the service party, and the abstract value and the datum are correspondingly recorded.
Therefore, when the compliance supervisor receives an information query request including the digest value, and when the service party verifies that the use permission of the service party for the sensitive information is allowed to use, the compliance supervisor can retrieve the data corresponding to the digest value from the rainbow table and send the data to the service party as return information. For the compliance supervisor, because the data in the rainbow table are independent, the associated data of each data cannot be obtained from the association of each data, and further, the compliance supervisor can be effectively ensured not to obtain the sensitive information (such as four elements) of the user, so that the data security is improved. When the service party sends the public key and the digest value to the compliance supervisor, the compliance supervisor can also encrypt the return information according to the public key and send the encrypted return information to the service party.
And after the business party receives the returned information, if the public and private key encryption is set, the returned information is decrypted according to the private key corresponding to the public key, and the data corresponding to the digest value returned by the compliance supervisor is obtained. If the returned information is not encrypted, the data corresponding to the digest value returned by the compliance supervisor can be directly obtained.
After the data corresponding to the abstract value is obtained, if the full text of the sensitive information is abstracted in the abstract value obtaining process, the data corresponding to the abstract value can be directly returned as a query result; if the ciphertext part of the sensitive information is summarized in the summary value obtaining process, the data corresponding to the summary value can be spliced with the plaintext part of the data to be inquired, so that the complete sensitive information is obtained and returned as an inquiry result.
The above is a scenario in which the sensitive information is used as a query result, and is a scenario in which the sensitive information is used as a query keyword, and except for masking the sensitive information and storing a plaintext, an index can be established for the plaintext.
Fig. 5 is a flow chart in one embodiment of the present disclosure.
Referring to fig. 5, for a scenario in which sensitive information is used as a query key, the information management method may include:
step S4, responding to the data retrieval request, and acquiring a plurality of mask data according to the retrieval key word and the index;
step S5, obtaining a first digest value of the search key and a second digest value corresponding to the mask data, and determining a search result in the mask data according to the first digest value.
For example, when the mobile phone number of the user a is used as the search key to search the related information of the user a, since the index is already established for the plaintext of the mobile phone number, the mobile phone number can be directly searched in the index. Since the index is composed of plaintext, a plurality of search results, which are all mask data, may be returned by one search.
In order to determine mask data corresponding to the mobile phone number from the plurality of mask data, a digest value of a bit number corresponding to a ciphertext in the mobile phone number may be obtained according to the preset mask range, a preset digest algorithm, and a preset salt value, and a digest value corresponding to a ciphertext of a plurality of search results may be determined; or, the abstract value of the mobile phone number may be first obtained, and the abstract values corresponding to a plurality of search results are determined, so that the search result consistent with the abstract value of the mobile phone number to be queried is determined as the data to be queried, and the associated data according to the data to be queried may be further found in the system. The above process of querying a mobile phone number is only an example, and in practical application, other sensitive data may be used.
By masking sensitive information, establishing an index for plaintext and determining a unique retrieval result according to the digest value, low retrieval efficiency caused by mass data when retrieval is directly performed according to the digest value can be avoided, and the sensitive information query efficiency of a service party is effectively improved.
The method 100 is described in detail below with reference to specific implementation scenarios.
FIG. 6 is a schematic diagram of one embodiment of an application scenario of the present disclosure.
Referring to fig. 6, in the embodiment of the present disclosure, a sensitive information storage architecture based on an abstract algorithm is designed on a business side and a compliance monitor side, and a security and a practicality contradiction between desensitization storage and restoration of sensitive information is solved by using a relation between the abstract algorithm and a rainbow table according to a principle of responsibility cutting.
On the business side, firstly, a digest algorithm, a mask range and a reasonable salt value are determined, mask processing is carried out on externally input sensitive information (first information), a KMS salt is used for a mask part to obtain a digest value, the corresponding relation of four elements and a part of plaintext are reserved, and an index is established for a part of plaintext which is not masked.
When the sensitive information is used as a data query result, the document can be accessed to the data query environment of a compliance party to obtain returned plaintext data; when sensitive information is used as a retrieval key word, the sensitive information can be queried in the index, and then the abstract value of the query condition is compared with the abstract value of the retrieval result to determine the unique retrieval result, so that the query speed is increased, and high availability is realized. Since the plaintext data is damaged and irreversible, the service party cannot independently obtain the real content of the sensitive information, and the information security is effectively guaranteed.
On a compliance supervision party, a rainbow table is firstly generated, and then the rainbow table comprising abstract values-data is constructed according to an abstract algorithm, a mask range and a reasonable salt value which are consistent with a business party and by combining KMS salt, so that the corresponding relation of four elements is shielded. Because the data weights in the rainbow table are homogenized, a compliance monitor cannot independently obtain the real significance of the sensitive information, and the information safety is effectively guaranteed. In addition, a highly-concurrent and highly-available data query environment needs to be constructed on a compliance supervision party, and a query interface document is provided, so that the information query efficiency is improved; and establishing a strict monitoring and auditing system to improve the supervision of using sensitive data by a business party.
A single credit inquiry channel can be constructed between a business party and a compliance supervisor, so that the business party can carry out data inquiry or mask inquiry and data splicing to the compliance supervisor through the abstract value to adapt to a reduction scene of an output result. To ensure the security of the transmission, the business party may generate a public-private key pair and distribute the public key to the compliance supervisor. After the compliance monitor finishes the inquiry, the returned data is encrypted by the public key given by the service party and then returned to the service party, and the service party decrypts the returned data by using the private key corresponding to the public key after obtaining the ciphertext. The compliance party and the business party illustrated in the scheme are only one embodiment, and the scope of protection is not limited thereto.
The embodiment of the disclosure can meet the business requirements of plaintext restoration, conditional query and the like through a single deployment framework, simultaneously eliminates the hidden danger that sensitive information is leaked from an internal single channel, and has strong universality both inside large-scale companies and between industries.
In summary, the information management method provided by the present disclosure utilizes the characteristic of rainbow table weight homogenization to eliminate the directivity of sensitive information, thereby protecting data privacy; and a single information desensitization mode is adopted to meet various service application scenes, and the deployment process is greatly simplified. Therefore, the information management method of the present disclosure has at least the following advantageous effects:
1. the safety is strong: the service party has no plaintext data, the compliance supervision party has no data relation, and any party cannot peep the plaintext data in a complete manner in the technology;
2. the cost is low: the workload of terminal software modification of a business party and a compliance supervision party is small, and the existing framework is not required to be greatly changed;
3. the coverage is wide: due to the reusability of the rainbow table, the method can be widely applied to various service lines such as finance, take-out, wine travel and platforms, and the management pain point of managing sensitive information of each product line at present is solved at one stroke by setting single-caliber monitoring audit in a compliance party.
Corresponding to the above method embodiment, the present disclosure also provides an information management apparatus, which may be used to execute the above method embodiment.
Fig. 7 schematically shows a block diagram of an information management apparatus in an exemplary embodiment of the present disclosure.
Referring to fig. 7, the information management apparatus 70 may include:
a digest value determination module 71 configured to determine a digest value of the information to be queried in response to the data query request;
an information query module 72 configured to send an information query request including the digest value to the first terminal;
and the information restoring module 73 is configured to obtain the information to be queried according to the return information determined by the first terminal through querying the rainbow table.
In an exemplary embodiment of the present disclosure, further comprising:
the full-text abstract value recording module 701 is configured to acquire and record an abstract value of first information, and then delete the first information.
In an exemplary embodiment of the present disclosure, further comprising:
a mask module 702 configured to obtain mask data of the first information;
a mask digest value recording module 703 configured to acquire a digest value of a ciphertext in the mask data, record the digest value in correspondence with the mask data, and delete the first information.
In an exemplary embodiment of the present disclosure, further comprising:
an index building block 74 arranged to build an index into the plaintext in the masking data.
In an exemplary embodiment of the present disclosure, further comprising:
a retrieval response module 75 configured to respond to the data retrieval request and obtain a plurality of mask data according to the retrieval key and the index;
the result determining module 76 is configured to obtain a first digest value of the search key and a second digest value corresponding to the mask data, and determine a search result in the mask data according to the first digest value.
In an exemplary embodiment of the present disclosure, the information query module 72 includes:
a key generation unit 721 configured to generate a public key and a private key according to the data query request;
a key sending unit 722 configured to send an information query request including the digest value and the public key to the first terminal.
In an exemplary embodiment of the present disclosure, the information restoring module 73 includes:
and the data decryption unit 731 is configured to decrypt the returned information according to the private key to obtain the information to be queried.
Since the functions of the apparatus 70 have been described in detail in the corresponding method embodiments, the disclosure is not repeated herein.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or program product. Thus, various aspects of the invention may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," module "or" system.
An electronic device 800 according to this embodiment of the invention is described below with reference to fig. 8. The electronic device 800 shown in fig. 8 is only an example and should not bring any limitations to the function and scope of use of the embodiments of the present invention.
As shown in fig. 8, electronic device 800 is in the form of a general purpose computing device. The components of the electronic device 800 may include, but are not limited to: the at least one processing unit 810, the at least one memory unit 820, and a bus 830 that couples the various system components including the memory unit 820 and the processing unit 810.
Wherein the storage unit stores program code that is executable by the processing unit 810 to cause the processing unit 810 to perform steps according to various exemplary embodiments of the present invention as described in the above section "exemplary methods" of the present specification. For example, the processing unit 810 may perform step S1 as shown in fig. 1: responding to the data query request to determine the abstract value of the information to be queried; step S2: sending an information query request including the abstract value to a first terminal; step S3: and acquiring the information to be inquired according to the return information determined by the first terminal through inquiring a rainbow table.
The storage unit 820 may include readable media in the form of volatile memory units such as a random access memory unit (RAM)8201 and/or a cache memory unit 8202, and may further include a read only memory unit (ROM) 8203.
The storage unit 820 may also include a program/utility 8204 having a set (at least one) of program modules 8205, such program modules 8205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 830 may be any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 800 may also communicate with one or more external devices 700 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 800, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 800 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 850. Also, the electronic device 800 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 via the bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
Referring to fig. 9, a program product 900 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. An information management method, comprising:
responding to the data query request to determine the abstract value of the information to be queried;
sending an information query request including the abstract value to a first terminal;
and acquiring the information to be inquired according to the return information determined by the first terminal through inquiring a rainbow table.
2. The information management method according to claim 1, further comprising:
and after the abstract value of the first information is acquired and recorded, deleting the first information.
3. The information management method according to claim 1, further comprising:
acquiring mask data of the first information;
and acquiring the abstract value of the ciphertext in the mask data, recording the abstract value corresponding to the mask data, and deleting the first information.
4. The information management method according to claim 3, further comprising:
and establishing an index for the plaintext in the mask data.
5. The information management method according to claim 4, further comprising:
responding to a data retrieval request, and acquiring a plurality of mask data according to a retrieval key word and the index;
and acquiring a first abstract value of the retrieval key and second abstract values corresponding to the mask data, and determining a retrieval result in the mask data according to the first abstract value.
6. The information management method of claim 1, wherein the transmitting of the information query request including the digest value to the first terminal comprises:
generating a public key and a private key according to the data query request;
and sending an information inquiry request comprising the abstract value and the public key to the first terminal.
7. The information management method according to claim 6, wherein the obtaining the information to be queried according to the return information determined by the first terminal by querying a rainbow table comprises:
and decrypting the returned information according to the private key to obtain the information to be inquired.
8. An information management apparatus characterized by comprising:
the abstract value determining module is set to respond to the data query request to determine the abstract value of the information to be queried;
the information query module is arranged for sending an information query request comprising the abstract value to the first terminal;
and the information restoration module is arranged to acquire the information to be inquired according to the return information determined by the first terminal through inquiring the rainbow table.
9. An electronic device, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the information management method of any of claims 1-7 based on instructions stored in the memory.
10. A computer-readable storage medium on which a program is stored, the program, when executed by a processor, implementing the information management method according to any one of claims 1 to 7.
CN201811039097.1A 2018-09-06 2018-09-06 Information management method and device Active CN109325360B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201811039097.1A CN109325360B (en) 2018-09-06 2018-09-06 Information management method and device
CA3054213A CA3054213A1 (en) 2018-09-06 2019-09-05 Information management method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811039097.1A CN109325360B (en) 2018-09-06 2018-09-06 Information management method and device

Publications (2)

Publication Number Publication Date
CN109325360A CN109325360A (en) 2019-02-12
CN109325360B true CN109325360B (en) 2020-05-26

Family

ID=65263902

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811039097.1A Active CN109325360B (en) 2018-09-06 2018-09-06 Information management method and device

Country Status (2)

Country Link
CN (1) CN109325360B (en)
CA (1) CA3054213A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113630237A (en) * 2021-07-26 2021-11-09 珠海格力电器股份有限公司 Data encryption method and device and data decryption method and device
CN113704816A (en) * 2021-08-05 2021-11-26 绿盟科技集团股份有限公司 Data desensitization method, device and storage medium
CN114003964B (en) * 2021-12-30 2022-03-25 云账户技术(天津)有限公司 Method and device for processing sensitive information mask

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103975333A (en) * 2011-12-01 2014-08-06 国际商业机器公司 Cross system secure logon
CN106845275A (en) * 2017-02-09 2017-06-13 中国科学院数据与通信保护研究教育中心 The electronic bill management system and method for a kind of secret protection

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7783046B1 (en) * 2007-05-23 2010-08-24 Elcomsoft Co. Ltd. Probabilistic cryptographic key identification with deterministic result
US8745705B2 (en) * 2012-02-01 2014-06-03 Amazon Technologies, Inc. Account management for multiple network sites
US20130290731A1 (en) * 2012-04-26 2013-10-31 Appsense Limited Systems and methods for storing and verifying security information
CN103049709B (en) * 2013-01-22 2015-08-19 上海交通大学 Based on password recovery system and the restoration methods thereof of generator expansion rainbow table
CN103731432B (en) * 2014-01-11 2017-02-08 西安电子科技大学昆山创新研究院 Multi-user supported searchable encryption method
CN103995834A (en) * 2014-04-24 2014-08-20 小米科技有限责任公司 Sensitive information detection method and related device
CN105681280B (en) * 2015-12-29 2019-02-22 西安电子科技大学 Encryption method can search for based on Chinese in a kind of cloud environment
CN106203099B (en) * 2016-07-26 2019-02-05 北京航空航天大学 A kind of guard method of hardware supported embedded system program cue mark
CN106357384B (en) * 2016-08-26 2019-10-18 广州慧睿思通信息科技有限公司 The system and method that word2003 document based on FPGA hardware cracks
CN106778292B (en) * 2016-11-24 2019-10-22 中国电子科技集团公司第三十研究所 A kind of quick restoring method of Word encrypted document

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103975333A (en) * 2011-12-01 2014-08-06 国际商业机器公司 Cross system secure logon
CN106845275A (en) * 2017-02-09 2017-06-13 中国科学院数据与通信保护研究教育中心 The electronic bill management system and method for a kind of secret protection

Also Published As

Publication number Publication date
CN109325360A (en) 2019-02-12
CA3054213A1 (en) 2020-03-06

Similar Documents

Publication Publication Date Title
CN110414268B (en) Access control method, device, equipment and storage medium
CN108632284B (en) User data authorization method, medium, device and computing equipment based on block chain
CN106971121B (en) Data processing method, device, server and storage medium
CN102945355B (en) Fast Data Encipherment strategy based on sector map is deferred to
CN102855452B (en) Fast Data Encipherment strategy based on encryption chunk is deferred to
CN106487763B (en) Data access method based on cloud computing platform and user terminal
CN113806777B (en) File access realization method and device, storage medium and electronic equipment
US11520905B2 (en) Smart data protection
CN112749412B (en) Processing method, system, equipment and storage medium for passenger identity information
CN112307515B (en) Database-based data processing method and device, electronic equipment and medium
CN109325360B (en) Information management method and device
CN110889130A (en) Database-based fine-grained data encryption method, system and device
US20190318118A1 (en) Secure encrypted document retrieval
CN110442654A (en) Promise breaking information query method, device, computer equipment and storage medium
CN110807205A (en) File security protection method and device
CN113946863A (en) Data encryption storage method, system, equipment and storage medium
CN112733180A (en) Data query method and device and electronic equipment
CN116150242A (en) Transparent encryption and access control method, device and equipment for database
CN110830428A (en) Block chain financial big data processing method and system
US10438003B2 (en) Secure document repository
CN110232570B (en) Information supervision method and device
CN109995774B (en) Key authentication method, system, device and storage medium based on partial decryption
CN116956308A (en) Database processing method, device, equipment and medium
CN116388970B (en) Centralized cloud computing implementation method and device based on multiparty data
CN112487462B (en) Data authorization method and device based on block chain vehicle tax purchasing system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant