CN-121984771-A - Encryption method and related device for service data corresponding to interface
Abstract
The application discloses a method for encrypting service data corresponding to an interface, and a related device, in the technical field of data security. The method receives an interface access request for an interface to be accessed, sent by a requester system, and acquires the count of security events whose interface identifier field equals the interface identifier of the interface to be accessed; the interface access request carries that interface identifier and an initial encryption method. A risk value for the request is then calculated from the acquired flow ring ratio (period-over-period traffic ratio) and flow homonymy (year-over-year traffic ratio) between the server system and the requester system, the device temperature and device power consumption of the service devices in the server system, and the security event count. Because the risk value is computed in real time from these multidimensional indicators and the encryption method is adjusted dynamically, high-risk requests receive stronger protection while low-risk requests are not over-protected, which keeps the service data corresponding to the interface secure and avoids wasting computing resources.
Inventors
- YU MINGRUI
- WANG LUCHEN
- LIU SHUO
- WANG SIYUAN
Assignees
- 农银金融科技有限责任公司
Dates
- Publication Date: 2026-05-05
- Application Date: 2026-02-28
Claims (10)
- 1. An encryption method for service data corresponding to an interface, characterized in that the method is applied to a server system and comprises the following steps: receiving an interface access request for an interface to be accessed, sent by a requester system, and acquiring a security event count whose interface identifier field is the interface identifier of the interface to be accessed, wherein the interface access request of the interface to be accessed comprises the interface identifier of the interface to be accessed and an initial encryption method of the service data corresponding to the interface to be accessed; calculating a risk value of the interface access request of the interface to be accessed based on the acquired flow ring ratio between the server system and the requester system, the flow homonymy between the server system and the requester system, the device temperature of the service devices in the server system, the device power consumption of the service devices in the server system, and the security event count; determining a target encryption method of the service data corresponding to the interface to be accessed based on the initial encryption method of the service data corresponding to the interface to be accessed and the risk value of the interface access request of the interface to be accessed; encrypting the service data corresponding to the interface to be accessed based on the target encryption method of the service data corresponding to the interface to be accessed and the interface identifier of the interface to be accessed, to obtain encrypted service data corresponding to the interface to be accessed; and sending the encrypted service data corresponding to the interface to be accessed to the requester system.
- 2. The method for encrypting service data corresponding to an interface according to claim 1, wherein calculating the risk value of the interface access request of the interface to be accessed based on the acquired flow ring ratio between the server system and the requester system, the flow homonymy between the server system and the requester system, the device temperature of the service devices in the server system, the device power consumption of the service devices in the server system, and the security event count includes: acquiring the flow ring ratio between the server system and the requester system, the flow homonymy between the server system and the requester system, the device temperature of the service devices in the server system and the device power consumption of the service devices in the server system; respectively assigning corresponding weights to a preset qubit threshold value, the flow ring ratio, the flow homonymy, the device temperature, the device power consumption and the security event count by using a transform algorithm; and calculating the risk value of the interface access request of the interface to be accessed based on the qubit threshold and the weight corresponding to the qubit threshold, the flow ring ratio and the weight corresponding to the flow ring ratio, the flow homonymy and the weight corresponding to the flow homonymy, the device temperature and the weight corresponding to the device temperature, the device power consumption and the weight corresponding to the device power consumption, and the security event count and the weight corresponding to the security event count.
- 3. The method for encrypting service data corresponding to an interface according to claim 1, wherein determining the target encryption method of the service data corresponding to the interface to be accessed based on the initial encryption method of the service data corresponding to the interface to be accessed and the risk value of the interface access request of the interface to be accessed includes: when the risk value of the interface access request of the interface to be accessed is not greater than a preset first risk threshold, judging whether the grade of the initial encryption method of the service data corresponding to the interface to be accessed is the lowest grade; if the grade of the initial encryption method of the service data corresponding to the interface to be accessed is not the lowest grade, determining the encryption method corresponding to a first target grade as the target encryption method of the service data corresponding to the interface to be accessed, wherein the first target grade is one grade lower than the grade of the initial encryption method of the service data corresponding to the interface to be accessed; when the risk value of the interface access request of the interface to be accessed is greater than the first risk threshold and smaller than a preset second risk threshold, determining the initial encryption method as the target encryption method; when the risk value of the interface access request of the interface to be accessed is not smaller than the second risk threshold, judging whether the grade of the initial encryption method of the service data corresponding to the interface to be accessed is the highest grade; and if the grade of the initial encryption method of the service data corresponding to the interface to be accessed is not the highest grade, determining the encryption method corresponding to a second target grade as the target encryption method of the service data corresponding to the interface to be accessed, wherein the second target grade is one grade higher than the grade of the initial encryption method of the service data corresponding to the interface to be accessed.
- 4. A method for encrypting service data corresponding to an interface according to claim 3, wherein said method further comprises: if the grade of the initial encryption method of the service data corresponding to the interface to be accessed is the lowest grade, determining the initial encryption method of the service data corresponding to the interface to be accessed as a target encryption method of the service data corresponding to the interface to be accessed; and if the grade of the initial encryption method of the service data corresponding to the interface to be accessed is the highest grade, determining the initial encryption method of the service data corresponding to the interface to be accessed as the target encryption method of the service data corresponding to the interface to be accessed.
- 5. The method for encrypting the service data corresponding to the interface according to claim 1, wherein the encrypting the service data corresponding to the interface to be accessed based on the target encryption method for the service data corresponding to the interface to be accessed and the interface identifier of the interface to be accessed to obtain the encrypted service data corresponding to the interface to be accessed includes: Based on a key negotiation protocol corresponding to a target encryption method of the service data corresponding to the interface to be accessed, performing key negotiation with the requester system to generate a master key of the service data corresponding to the interface to be accessed; generating a session key of the service data corresponding to the interface to be accessed through a preset key derivation function based on a master key of the service data corresponding to the interface to be accessed and an interface identifier of the interface to be accessed; Encrypting the service data corresponding to the interface to be accessed by using the session key of the service data corresponding to the interface to be accessed, and adding the method identifier of the target encryption method to the encrypted service data corresponding to the interface to be accessed to obtain the encrypted service data corresponding to the interface to be accessed.
- 6. The method for encrypting service data corresponding to an interface according to claim 5, wherein after said receiving an interface access request for an interface to be accessed sent by said requester system, said method further comprises: receiving an SM2 public key certificate of the requester system sent by the requester system, and carrying out identity authentication on the requester system based on the SM2 public key certificate of the requester system; And sending the SM2 public key certificate of the server system to the requester system so that the requester system can carry out identity authentication on the server system based on the SM2 public key certificate of the server system.
- 7. The method for encrypting service data corresponding to an interface according to claim 6, wherein an extension field of the SM2 public key certificate of the requester system includes the Kyber public key of the requester system, and an extension field of the SM2 public key certificate of the server system includes the Kyber public key of the server system; and performing key negotiation with the requester system, based on the key negotiation protocol corresponding to the target encryption method of the service data corresponding to the interface to be accessed, to generate the master key of the service data corresponding to the interface to be accessed comprises the following steps: generating a temporary shared key of the service data corresponding to the interface to be accessed by using a secure random number generator, and encapsulating the temporary shared key with the Kyber public key of the requester system to obtain an encapsulated ciphertext; digitally signing the encapsulated ciphertext with the SM2 private key of the server system to obtain a signed encapsulated ciphertext, and sending the signed encapsulated ciphertext to the requester system, so that the requester system verifies the signed encapsulated ciphertext with the SM2 public key of the server system and decapsulates the verified encapsulated ciphertext with the Kyber private key of the requester system to obtain the temporary shared key; and, in response to key confirmation information returned by the requester system, determining the temporary shared key as the master key of the service data corresponding to the interface to be accessed.
- 8. A computer program product comprising computer readable instructions which, when run on an electronic device, cause the electronic device to implement a method of encrypting traffic data corresponding to an interface as claimed in any one of claims 1 to 7.
- 9. An electronic device comprising at least one processor and a memory coupled to the processor, wherein: The memory is used for storing a computer program; The processor is configured to execute the computer program to enable the electronic device to implement the encryption method of service data corresponding to the interface according to any one of claims 1 to 7.
- 10. A computer storage medium carrying one or more computer programs which, when executed by an electronic device, enable the electronic device to implement a method of encrypting traffic data corresponding to an interface as claimed in any one of claims 1 to 7.
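Claims 5 to 7 describe three linked steps: a key agreement in which the server encapsulates a fresh secret under the requester's Kyber public key and signs the encapsulation with SM2, a key derivation that binds the resulting master key to the interface identifier so each interface gets its own session key, and encryption that prepends the method identifier to the ciphertext. The Go program below is an added example, not code from the patent or its assignee. It substitutes X25519 for Kyber and Ed25519 for SM2 because neither is in Go's standard library, assumes HKDF-SHA256 as the "preset key derivation function" and AES-256-GCM as the target encryption method, and the method identifier value, interface path and JSON payload are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed value for the method identifier that claim 5 prepends to the ciphertext.
const MethodIDAESGCM byte = 0x02

// Encapsulation is the claim 7 message: encapsulated ciphertext plus the server's
// signature over it. X25519 stands in for Kyber and Ed25519 for SM2 (Go's standard
// library has neither); the ephemeral X25519 public key is this KEM's ciphertext.
type Encapsulation struct {
	Ciphertext []byte
	Signature  []byte
}

// ServerEncapsulate is the server side of claim 7: derive a fresh shared secret for
// the requester's public key and sign the encapsulation so its origin is verifiable.
func ServerEncapsulate(serverSig ed25519.PrivateKey, requesterKEMPub *ecdh.PublicKey) ([]byte, Encapsulation, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, Encapsulation{}, err
	}
	master, err := eph.ECDH(requesterKEMPub)
	if err != nil {
		return nil, Encapsulation{}, err
	}
	ct := eph.PublicKey().Bytes()
	return master, Encapsulation{Ciphertext: ct, Signature: ed25519.Sign(serverSig, ct)}, nil
}

// RequesterDecapsulate verifies the signature before using the ciphertext, then
// recovers the same master key.
func RequesterDecapsulate(requesterKEM *ecdh.PrivateKey, serverSigPub ed25519.PublicKey, enc Encapsulation) ([]byte, error) {
	if !ed25519.Verify(serverSigPub, enc.Ciphertext, enc.Signature) {
		return nil, errors.New("encapsulated ciphertext: bad server signature")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(enc.Ciphertext)
	if err != nil {
		return nil, err
	}
	return requesterKEM.ECDH(ephPub)
}

// SessionKey is claim 5's KDF(master key, interface identifier). HKDF-SHA256 with one
// expand block (RFC 5869) is assumed as the preset KDF; the identifier is the info
// input, so each interface gets a distinct 32-byte key from one master key.
func SessionKey(master []byte, interfaceID string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // zero-filled salt
	extract.Write(master)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte("interface-id:"+interfaceID), 0x01))
	return expand.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptServiceData returns methodID || nonce || AES-GCM ciphertext. The identifier
// is also bound as associated data, so altering it in transit fails authentication.
func EncryptServiceData(key, plaintext []byte, methodID byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	record := append([]byte{methodID}, nonce...)
	return gcm.Seal(record, nonce, plaintext, []byte{methodID}), nil
}

// DecryptServiceData parses and authenticates a record from EncryptServiceData.
func DecryptServiceData(key, record []byte) (byte, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return 0, nil, err
	}
	if len(record) < 1+gcm.NonceSize()+gcm.Overhead() {
		return 0, nil, errors.New("record too short")
	}
	methodID, nonce := record[0], record[1:1+gcm.NonceSize()]
	plaintext, err := gcm.Open(nil, nonce, record[1+gcm.NonceSize():], []byte{methodID})
	return methodID, plaintext, err
}

func main() { // demo driver only; errors are ignored here, never in the functions above
	reqKEM, _ := ecdh.X25519().GenerateKey(rand.Reader)    // requester's long-term KEM key
	srvPub, srvPriv, _ := ed25519.GenerateKey(rand.Reader) // server's signing key
	master, enc, _ := ServerEncapsulate(srvPriv, reqKEM.PublicKey())
	record, _ := EncryptServiceData(SessionKey(master, "/v1/balance"), []byte(`{"balance":"12.50"}`), MethodIDAESGCM) // constructed sample
	if master2, err := RequesterDecapsulate(reqKEM, srvPub, enc); err == nil {
		id, pt, err := DecryptServiceData(SessionKey(master2, "/v1/balance"), record)
		fmt.Printf("method %#x, plaintext %s, err %v\n", id, pt, err)
	}
}
```

Two design points differ from the claim and are worth noting. A true KEM such as Kyber produces the shared secret inside the encapsulation operation, whereas the claim describes drawing the secret from a random number generator and then encapsulating it; the ephemeral Diffie-Hellman share above follows the KEM model. Binding the method identifier as associated data is an addition the claim does not specify, but without it a receiver would trust a plaintext byte to choose its decryption routine.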
Description
Encryption method and related device for service data corresponding to interface
Technical Field
The present application relates to the field of data security technologies, and in particular to a method and an apparatus for encrypting service data corresponding to an interface.
Background
With the rapid development of information technology, data interaction between systems through interfaces has become the normal mode of business collaboration. Such interfaces, while supporting efficient flows of service data, face increasingly stringent security challenges: once an interface is invoked illegally or its data is tampered with, the enterprise's core assets and user privacy are directly threatened. The method used to encrypt the service data corresponding to an interface is therefore particularly important. Current encryption schemes for such service data generally adopt a static security policy: a single encryption algorithm is preset during system deployment or configuration and applied to every interface call scenario. Some schemes additionally introduce access control based on role, address or access frequency. However, using the same encryption scheme for interfaces of different sensitivity levels may leave high-risk interfaces insufficiently protected while wasting computing resources on low-risk interfaces.
Disclosure of Invention
In view of the above problems, the present application provides a method and related device for encrypting service data corresponding to an interface, in order to ensure the security of that service data while avoiding waste of computing resources. The specific scheme is as follows.
The first aspect of the present application provides a method for encrypting service data corresponding to an interface, applied to a server system, which includes: receiving an interface access request for an interface to be accessed, sent by a requester system, and acquiring a security event count whose interface identifier field is the interface identifier of the interface to be accessed, wherein the interface access request of the interface to be accessed comprises the interface identifier of the interface to be accessed and an initial encryption method of the service data corresponding to the interface to be accessed; calculating a risk value of the interface access request of the interface to be accessed based on the acquired flow ring ratio between the server system and the requester system, the flow homonymy between the server system and the requester system, the device temperature of the service devices in the server system, the device power consumption of the service devices in the server system, and the security event count; determining a target encryption method of the service data corresponding to the interface to be accessed based on the initial encryption method of the service data corresponding to the interface to be accessed and the risk value of the interface access request of the interface to be accessed; encrypting the service data corresponding to the interface to be accessed based on the target encryption method of the service data corresponding to the interface to be accessed and the interface identifier of the interface to be accessed, to obtain encrypted service data corresponding to the interface to be accessed; and sending the encrypted service data corresponding to the interface to be accessed to the requester system.
In one possible implementation, calculating the risk value of the interface access request of the interface to be accessed based on the acquired flow ring ratio between the server system and the requester system, the flow homonymy between the server system and the requester system, the device temperature of the service devices in the server system, the device power consumption of the service devices in the server system, and the security event count includes: acquiring the flow ring ratio between the server system and the requester system, the flow homonymy between the server system and the requester system, the device temperature of the service devices in the server system and the device power consumption of the service devices in the server system; respectively assigning corresponding weights to a preset qubit threshold value, the flow ring ratio, the flow homonymy, the device temperature, the device power consumption and the security event count by using a transform algorithm; and calculating the risk value of the interface access request of the interface to be accessed based on the qubit threshold, the weight corresponding to the qubit threshold, the flow ring ratio, the weight corresponding to the flow ring ratio, the flow homonymy, the weight corresponding to the flow homonymy, the device temperature, the weight corresponding to the device temperature, the device power consumption, the weight
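The risk scoring of claim 2 and the grade adjustment of claims 3 and 4, restated in the description above, amount to a weighted sum over normalized indicators followed by a three-way threshold comparison that moves the encryption grade at most one step per request. The Go program below is an added example, not code from the patent or its assignee: the weights are fixed assumed constants standing in for the transform algorithm, the two risk thresholds, the normalization ranges, the grade ladder labels and the treatment of the "qubit threshold" as a preset value in [0, 1] are assumptions, and the indicator values are constructed samples.

```go
package main

import (
	"fmt"
	"math"
)

// Indicators are the measurements scored for one interface access request.
// "Flow ring ratio" is traffic relative to the previous period and "flow
// homonymy" traffic relative to the same period a year earlier (1.0 = unchanged).
type Indicators struct {
	TrafficPeriodRatio float64 // flow ring ratio
	TrafficYearRatio   float64 // flow homonymy
	DeviceTempC        float64 // service device temperature, degrees Celsius
	DevicePowerW       float64 // service device power consumption, watts
	SecurityEvents     int     // security events whose interface identifier field matches this interface
}

// Weights per indicator. The patent assigns them with a transform algorithm;
// these fixed assumed values stand in for it so the arithmetic stays visible.
type Weights struct {
	QubitThreshold, PeriodRatio, YearRatio, Temp, Power, Events float64
}

var DefaultWeights = Weights{QubitThreshold: 0.5, PeriodRatio: 1, YearRatio: 1, Temp: 1, Power: 1, Events: 2}

// Assumed risk thresholds; the patent only calls them "preset".
const (
	FirstRiskThreshold  = 0.3
	SecondRiskThreshold = 0.7
)

// GradeLadder orders the encryption methods from lowest to highest grade.
// The labels are assumptions; the patent does not name the methods.
var GradeLadder = []string{"grade 0: baseline", "grade 1: strengthened", "grade 2: maximum"}

func clamp01(x float64) float64 { return math.Max(0, math.Min(1, x)) }

// RiskValue is claim 2's weighted sum, with every indicator first normalized to
// [0, 1] and the result divided by the total weight so it also lies in [0, 1].
// Normalization ranges (40-80 C, 200-500 W, saturation at 10 events) are assumptions.
func RiskValue(ind Indicators, qubitThreshold float64, w Weights) float64 {
	weighted := w.QubitThreshold*clamp01(qubitThreshold) +
		w.PeriodRatio*clamp01(math.Abs(ind.TrafficPeriodRatio-1)) + // deviation from last period
		w.YearRatio*clamp01(math.Abs(ind.TrafficYearRatio-1)) + // deviation from last year
		w.Temp*clamp01((ind.DeviceTempC-40)/40) +
		w.Power*clamp01((ind.DevicePowerW-200)/300) +
		w.Events*clamp01(float64(ind.SecurityEvents)/10)
	total := w.QubitThreshold + w.PeriodRatio + w.YearRatio + w.Temp + w.Power + w.Events
	return weighted / total
}

// TargetGrade applies claims 3 and 4: risk at or below the first threshold steps
// the grade down one level, risk at or above the second threshold steps it up one
// level, anything between keeps the initial grade, and the ladder ends clamp the move.
func TargetGrade(initialGrade int, risk float64) int {
	top := len(GradeLadder) - 1
	switch {
	case risk <= FirstRiskThreshold:
		if initialGrade > 0 {
			return initialGrade - 1
		}
		return initialGrade // claim 4: already the lowest grade
	case risk < SecondRiskThreshold:
		return initialGrade
	default:
		if initialGrade < top {
			return initialGrade + 1
		}
		return initialGrade // claim 4: already the highest grade
	}
}

func main() {
	// Constructed sample: a request during a traffic spike on a hot, busy device
	// with a dozen security events already logged against this interface.
	ind := Indicators{TrafficPeriodRatio: 3.0, TrafficYearRatio: 2.5, DeviceTempC: 78, DevicePowerW: 480, SecurityEvents: 12}
	risk := RiskValue(ind, 0.2, DefaultWeights)
	initial := 1
	fmt.Printf("risk=%.3f initial=%q target=%q\n", risk, GradeLadder[initial], GradeLadder[TargetGrade(initial, risk)])
}
```

Dividing by the total weight keeps the score comparable no matter how the weights are tuned, which is what makes fixed thresholds meaningful; the one-step-per-request rule of claims 3 and 4 means a burst of noisy measurements can only drift the grade gradually rather than flipping it between extremes.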