CN-121984699-A - Data encryption method and device
Abstract
The application relates to a data encryption method and device, comprising the steps of: obtaining the ciphertext of a private key, the associated information of the private key and the data to be encrypted; sending the associated information of the private key to a cloud device, so that the cloud device can obtain the decryption password corresponding to the ciphertext of the private key according to that associated information; receiving the decryption password returned by the cloud device; decrypting the ciphertext of the private key with the decryption password to obtain the plaintext of the private key; and encrypting the data to be encrypted with the plaintext of the private key. Thus, in the application, the service-side device stores locally only the ciphertext of the private key, while the decryption password corresponding to that ciphertext is stored on the cloud device. When data needs to be encrypted, the service-side device must first obtain the decryption password from the cloud device, then decrypt the ciphertext with it to obtain the plaintext of the private key, and finally complete the data encryption with the private key. By this design, the attack path of tampering with data by stealing the private key is blocked at its root, and the integrity and security of the data are effectively ensured.
Inventors
- HE HUARONG
- WANG DONGPING
- HUANG JIE
- WANG ZHI
Assignees
- 深圳市联软科技股份有限公司
Dates
- Publication Date: 2026-05-05
- Application Date: 2025-12-11
Claims (10)
- 1. A data encryption method, wherein the method is applied to a service-side device and comprises: acquiring ciphertext of a private key, associated information of the private key and data to be encrypted; sending the associated information of the private key to a cloud device, so that the cloud device obtains a first decryption password according to the associated information of the private key, wherein the first decryption password is the decryption password corresponding to the ciphertext of the private key; receiving the first decryption password returned by the cloud device; decrypting the ciphertext of the private key with the first decryption password to obtain the plaintext of the private key; and encrypting the data to be encrypted with the plaintext of the private key.
- 2. The method of claim 1, wherein sending the associated information of the private key to the cloud device, so that the cloud device obtains the first decryption password according to the associated information of the private key, comprises: encoding the associated information of the private key into a preset visual carrier for a terminal device to parse and send to the cloud device, so that the cloud device obtains the first decryption password according to the associated information of the private key.
- 3. The method of claim 2, wherein encoding the associated information of the private key into a preset visual carrier for the terminal device to parse and send to the cloud device, so that the cloud device obtains the first decryption password according to the associated information of the private key, comprises: encoding the associated information of the private key into a two-dimensional code (QR code) for the terminal device to parse and send to the cloud device, so that the cloud device obtains the first decryption password according to the associated information of the private key.
- 4. The method of claim 1, wherein receiving the first decryption password returned by the cloud device comprises: receiving a first ciphertext returned by the cloud device, wherein the first ciphertext is obtained by the cloud device encrypting the first decryption password with a first preset encryption algorithm; and decrypting the first ciphertext with a first preset decryption algorithm to obtain the first decryption password, wherein the first preset decryption algorithm matches the first preset encryption algorithm.
- 5. The method according to any one of claims 1 to 4, wherein before sending the associated information of the private key to the cloud device so that the cloud device obtains the first decryption password according to the associated information of the private key, the method further comprises: encrypting the associated information of the private key with a second preset encryption algorithm to obtain a second ciphertext; and sending the associated information of the private key to the cloud device so that the cloud device obtains the first decryption password according to the associated information of the private key comprises: sending the second ciphertext to the cloud device, so that the cloud device decrypts the second ciphertext with a second preset decryption algorithm to obtain the associated information of the private key and obtains the first decryption password according to the associated information of the private key, wherein the second preset decryption algorithm matches the second preset encryption algorithm.
- 6. A data encryption method, the method being applied to a cloud device and comprising: receiving associated information of a private key sent by a service-side device; querying a preset private key information table according to the associated information of the private key to obtain a first decryption password, wherein the first decryption password is the decryption password corresponding to the ciphertext of the private key, the preset private key information table comprises at least one private key ciphertext and at least one decryption password for the private key ciphertext, and the at least one private key ciphertext corresponds one-to-one to the at least one decryption password; and returning the first decryption password to the service-side device, so that the service-side device obtains the plaintext of the private key according to the first decryption password and encrypts the data to be encrypted with the plaintext of the private key.
- 7. The method of claim 6, wherein before returning the first decryption password to the service-side device, the method further comprises: encrypting the first decryption password with a first preset encryption algorithm to obtain a first ciphertext, wherein the first ciphertext is the ciphertext of the first decryption password; and returning the first decryption password to the service-side device comprises: returning the first ciphertext to the service-side device, so that the service-side device decrypts the first ciphertext with a first preset decryption algorithm to obtain the first decryption password, wherein the first preset decryption algorithm matches the first preset encryption algorithm.
- 8. The method according to claim 6 or 7, wherein receiving the associated information of the private key sent by the service-side device comprises: receiving a second ciphertext sent by the service-side device, wherein the second ciphertext is obtained by the service-side device encrypting the associated information of the private key with a second preset encryption algorithm; and decrypting the second ciphertext with a second preset decryption algorithm to obtain the associated information of the private key.
- 9. A data encryption apparatus, wherein the apparatus is applied to a service-side device and comprises: an acquisition unit for acquiring ciphertext of a private key, associated information of the private key and data to be encrypted; a sending unit for sending the associated information of the private key to a cloud device, so that the cloud device obtains a first decryption password according to the associated information of the private key, wherein the first decryption password is the decryption password corresponding to the ciphertext of the private key; a first receiving unit for receiving the first decryption password returned by the cloud device; a decryption unit for decrypting the ciphertext of the private key with the first decryption password to obtain the plaintext of the private key; and an encryption unit for encrypting the data to be encrypted with the plaintext of the private key.
- 10. A data encryption apparatus, the apparatus being applied to a cloud device and comprising: a second receiving unit for receiving associated information of a private key sent by a service-side device; a query unit for querying a preset private key information table according to the associated information of the private key to obtain a first decryption password, wherein the first decryption password is the decryption password corresponding to the ciphertext of the private key, the preset private key information table comprises at least one private key ciphertext and at least one decryption password for the private key ciphertext, and the at least one private key ciphertext and the at least one decryption password are in one-to-one correspondence; and a return unit for returning the first decryption password to the service-side device, so that the service-side device obtains the plaintext of the private key according to the first decryption password and encrypts the data to be encrypted with the plaintext of the private key.
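As an added illustration (not code from the patent or its assignee), the following Python models the split described in claims 1, 4, 6 and 7: the service-side device holds only the private-key ciphertext and its associated information, the cloud device holds the private key information table, and the decryption password is returned under a separate transport key. The cipher (an HMAC-based toy standing in for the unspecified "preset" algorithms), the transport key and the key-identifier format of the associated information are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher from the standard library (HMAC-SHA256 keystream in
# counter mode, encrypt-then-MAC). It stands in for the claims' unspecified
# "preset encryption algorithms". Wire format: nonce(16) || body || tag(32).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")  # fail closed, never return garbage
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class CloudDevice:  # claims 6-7: keeps the private key information table, never sees the data
    def __init__(self, transport_key: bytes):
        self.transport_key = transport_key       # key of the "first preset encryption algorithm"
        self.key_table: dict[bytes, bytes] = {}  # associated information -> decryption password

    def lookup(self, assoc_info: bytes) -> bytes:
        password = self.key_table[assoc_info]    # unknown association info: KeyError, no answer
        return seal(self.transport_key, password)  # the "first ciphertext" of claim 7

class ServiceDevice:  # claim 1: holds only the private key ciphertext and its association info
    def __init__(self, transport_key: bytes, assoc_info: bytes, private_key_ciphertext: bytes):
        self.transport_key, self.assoc_info = transport_key, assoc_info
        self.private_key_ciphertext = private_key_ciphertext

    def encrypt_data(self, cloud: CloudDevice, data: bytes) -> bytes:
        password = unseal(self.transport_key, cloud.lookup(self.assoc_info))  # claim 4
        private_key = unseal(password, self.private_key_ciphertext)           # claim 1, step 4
        return seal(private_key, data)                                        # claim 1, step 5

def provision(transport_key: bytes) -> tuple[CloudDevice, ServiceDevice, bytes]:
    # Constructed setup (assumption): a 32-byte symmetric "private key", an opaque key id as
    # associated information; the key plaintext is returned only so a caller can verify output.
    private_key, password = secrets.token_bytes(32), secrets.token_bytes(32)
    assoc_info = b"key-id-" + secrets.token_hex(4).encode()
    cloud = CloudDevice(transport_key)
    cloud.key_table[assoc_info] = password                  # entry of the private key information table
    service = ServiceDevice(transport_key, assoc_info, seal(password, private_key))
    return cloud, service, private_key
```

What the split buys is visible in the model: a copy of the service-side storage alone decrypts nothing, while the cloud lookup is the one step every encryption must pass through, which makes it the natural place to log and rate-limit.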
Description
Data encryption method and device
Technical Field
The present application relates to the field of data encryption, and in particular to a data encryption method and apparatus.
Background
With the deep integration of the digital economy and internet technology, cyberspace has become a core carrier of key production factors, and data security is becoming a core component of network security that matters more and more to individual users, enterprises and government institutions. To counter increasingly complex cyber attacks, users and organizations have deployed multiple safeguards such as firewalls, intrusion detection systems and access control. However, across the full data lifecycle, data leakage and tampering remain the most prominent security risks. Among the various data security measures, data encryption is currently the most widely applied and central protection scheme, because it blocks illegal access at the source.
At present, mainstream data encryption schemes mostly adopt a "local integrated encryption and decryption" architecture. Specifically, the system device directly integrates an encryption algorithm, encrypts sensitive data and stores it. When the data is needed, a preset decryption password is extracted locally from the system device and the original data is restored with the corresponding decryption algorithm, so that encryption, storage and decryption run as a closed loop on one machine. However, an encryption scheme built on this architecture is difficult to defend against targeted attacks.
When the system device is compromised, an attacker can easily obtain the locally stored decryption password by memory dumps, configuration-file cracking or other means and, combined with the encrypted data obtained, can quickly complete decryption, so that the data is leaked. More seriously, the attacker can use the obtained decryption password to tamper with the encrypted data and then re-encrypt it, so that the authenticity of the data is destroyed and further business security problems arise.
Disclosure of Invention
Embodiments of the application provide a data encryption method and device, which aim to solve the technical problem of data tampering caused by storing the decryption key and the encrypted data on the same machine in the existing "local integrated encryption and decryption" architecture.
In a first aspect, an embodiment of the application provides a data encryption method applied to a service-side device, the method comprising: acquiring ciphertext of a private key, associated information of the private key and data to be encrypted; sending the associated information of the private key to a cloud device, so that the cloud device obtains a first decryption password according to the associated information of the private key, wherein the first decryption password is the decryption password corresponding to the ciphertext of the private key; receiving the first decryption password returned by the cloud device; decrypting the ciphertext of the private key with the first decryption password to obtain the plaintext of the private key; and encrypting the data to be encrypted with the plaintext of the private key.
Optionally, sending the associated information of the private key to the cloud device, so that the cloud device obtains the first decryption password according to the associated information of the private key, comprises: encoding the associated information of the private key into a preset visual carrier for a terminal device to parse and send to the cloud device, so that the cloud device obtains the first decryption password according to the associated information of the private key.
Optionally, encoding the associated information of the private key into a preset visual carrier for the terminal device to parse and send to the cloud device, so that the cloud device obtains the first decryption password according to the associated information of the private key, comprises: encoding the associated information of the private key into a two-dimensional code (QR code) for the terminal device to parse and send to the cloud device, so that the cloud device obtains the first decryption password according to the associated information of the private key.
Optionally, receiving the first decryption password returned by the cloud device comprises: receiving a first ciphertext returned by the cloud device, wherein the first ciphertext is obtained by the cloud device encrypting the first decryption password with a first preset encryption algorithm; and decrypting the first ciphertext with a first preset decryption algorithm to obtain the first decryption password, wherein the