
CN-122001687-A - Data encryption method, device, equipment and storage medium


Abstract

The application discloses a data encryption method, device, equipment and storage medium in the technical field of information security. The method comprises: receiving a data encryption request sent by a business application, which carries a tenant identifier, an application identifier and data to be encrypted; querying, from a tenant security layer, the application key ciphertext corresponding to the application identifier and the tenant key ciphertext corresponding to the tenant identifier; acquiring a platform master key from the platform security layer; decrypting the target tenant key ciphertext in the tenant security layer with the platform master key to obtain the tenant key plaintext, and decrypting the application key ciphertext with the tenant key plaintext to obtain the application key plaintext; sending the application key plaintext and the data to be encrypted to a virtual cryptographic machine allocated in advance to the current tenant, which encrypts the data based on the application key plaintext to obtain a data ciphertext; and sending the data ciphertext to the business application. The application can improve the security of the data encryption process and avoid data leakage.

Inventors

  • LIN YUE

Assignees

  • 杭州弗兰科信息安全科技有限公司

Dates

Publication Date
20260508
Application Date
20260409

Claims (10)

  1. A data encryption method, characterized in that it is applied to a cryptographic service management platform, wherein the cryptographic service management platform comprises a cryptographic hardware layer, a platform security layer and a tenant security layer, the cryptographic hardware layer comprises a cloud server cryptographic machine and a plurality of virtual cryptographic machines created by the cloud server cryptographic machine, and the method comprises the following steps: receiving a data encryption request sent by any business application in a target tenant, wherein the data encryption request carries a tenant identifier of the target tenant, an application identifier of the business application and data to be encrypted; querying, from the tenant security layer, a target application key ciphertext corresponding to the application identifier and a target tenant key ciphertext corresponding to the tenant identifier, and acquiring, from the platform security layer, a platform master key created in advance for the cryptographic service management platform; decrypting the target tenant key ciphertext in the tenant security layer by using the platform master key to obtain a target tenant key plaintext, and decrypting the target application key ciphertext by using the target tenant key plaintext to obtain a target application key plaintext; and sending the target application key plaintext and the data to be encrypted to a target virtual cryptographic machine pre-allocated to the target tenant, so as to encrypt the data to be encrypted based on the target application key plaintext to obtain a data ciphertext, and sending the data ciphertext to the business application.
  2. The data encryption method according to claim 1, wherein decrypting the target tenant key ciphertext in the tenant security layer by using the platform master key to obtain a target tenant key plaintext, and decrypting the target application key ciphertext by using the target tenant key plaintext to obtain a target application key plaintext, comprises: routing the data encryption request to a tenant security sub-domain corresponding to the application identifier and the tenant identifier, wherein the tenant security sub-domain is a logically isolated security domain created for the target tenant in the tenant security layer by means of security domain isolation technology, the platform master key is located in a platform security domain, and the platform security domain is a logically isolated security domain created in the platform security layer by means of security domain isolation technology; and decrypting the target application key ciphertext by using the SM4 algorithm based on the target tenant key plaintext to obtain the target application key plaintext; and correspondingly, after the target application key plaintext is obtained by decrypting the target application key ciphertext using the target tenant key plaintext, the method further comprises: storing the target tenant key plaintext and the target application key plaintext in a temporary storage area of the tenant security layer.
  3. The data encryption method according to claim 2, wherein sending the target application key plaintext and the data to be encrypted to a target virtual cryptographic machine pre-allocated to the target tenant comprises: encrypting the target application key plaintext and the data to be encrypted by using the SM2 algorithm based on a public key in a cloud cryptographic machine key of the cryptographic hardware layer to obtain an encrypted data packet, and transmitting the encrypted data packet to the cloud server cryptographic machine in the cryptographic hardware layer; and decrypting the encrypted data packet, through the cloud server cryptographic machine, by using the SM2 algorithm based on a private key in the cloud cryptographic machine key to obtain the target application key plaintext and the data to be encrypted, and sending the target application key plaintext and the data to be encrypted to the target virtual cryptographic machine pre-allocated to the target tenant.
  4. The data encryption method according to claim 3, wherein encrypting the data to be encrypted based on the target application key plaintext to obtain a data ciphertext, and sending the data ciphertext to the business application, comprises: encrypting the data to be encrypted by using the SM4 algorithm based on the target application key plaintext to obtain the data ciphertext; and sending the data ciphertext to the tenant security layer, from the tenant security layer to the platform security layer, and then to the business application through a service gateway in the platform security layer; and correspondingly, after the data ciphertext is sent to the business application, the method further comprises: deleting the target tenant key plaintext and the target application key plaintext from the temporary storage area.
  5. The data encryption method according to claim 3, further comprising: generating an SM4 symmetric key through a cryptographic card in the cloud server cryptographic machine to obtain a cryptographic machine master key for the cloud server cryptographic machine, and storing the cryptographic machine master key in the cryptographic card; generating a preset key pair, encrypting the preset key pair by using the cryptographic machine master key to obtain the cloud cryptographic machine key, and storing the cloud cryptographic machine key in the cloud server cryptographic machine; generating an SM4 symmetric key pair through a virtual cryptographic machine in the cloud server cryptographic machine to obtain the platform master key for the cryptographic service management platform, and storing the platform master key in the platform security domain of the platform security layer; when registration of any tenant is detected, calling the cloud server cryptographic machine to generate an SM4 symmetric key in the virtual cryptographic machine corresponding to that tenant, so as to obtain a tenant key plaintext of that tenant, encrypting the tenant key plaintext based on the platform master key to obtain a tenant key ciphertext, and storing the tenant key ciphertext in the corresponding tenant security sub-domain of the tenant security layer; and when any business application of that tenant is detected to have connected, calling the cloud server cryptographic machine to generate an SM4 symmetric key in the virtual cryptographic machine corresponding to that tenant to obtain an application key plaintext of that business application, encrypting the application key plaintext based on the tenant key plaintext to obtain an application key ciphertext, and establishing a relationship between the platform master key and the tenant key ciphertext and between the tenant key ciphertext and the application key ciphertext.
  6. The data encryption method according to claim 1, further comprising: acquiring, when the cryptographic service management platform is initialized for the first time, a first random sequence generated by a virtual cryptographic machine in the cloud server cryptographic machine and a second random sequence generated inside the platform software; encrypting the second random sequence by using the first random sequence to obtain an encrypted sequence; and performing an involution transformation on the first random sequence by using an involution substitution table in the virtual cryptographic machine to obtain a transformed sequence, and generating the platform master key based on the encrypted sequence and the transformed sequence.
  7. The data encryption method according to any one of claims 1 to 6, wherein querying, from the tenant security layer, the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier comprises: performing identity authentication on the business application based on the tenant identifier in the data encryption request to obtain an application authentication result; and if the application authentication result is that authentication has passed, querying, from the tenant security layer, the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier.
  8. A data encryption device, characterized in that it is applied to a cryptographic service management platform, wherein the cryptographic service management platform comprises a cryptographic hardware layer, a platform security layer and a tenant security layer, the cryptographic hardware layer comprises a cloud server cryptographic machine and a plurality of virtual cryptographic machines created by the cloud server cryptographic machine, and the device comprises: a receiving module, configured to receive a data encryption request sent by any business application in a target tenant, wherein the data encryption request carries a tenant identifier of the target tenant, an application identifier of the business application and data to be encrypted; a query module, configured to query, from the tenant security layer, a target application key ciphertext corresponding to the application identifier and a target tenant key ciphertext corresponding to the tenant identifier; an acquisition module, configured to acquire, from the platform security layer, a platform master key created in advance for the cryptographic service management platform; a decryption module, configured to decrypt the target tenant key ciphertext in the tenant security layer by using the platform master key to obtain a target tenant key plaintext, and to decrypt the target application key ciphertext by using the target tenant key plaintext to obtain a target application key plaintext; and a sending module, configured to send the target application key plaintext and the data to be encrypted to a target virtual cryptographic machine pre-allocated to the target tenant, so as to encrypt the data to be encrypted based on the target application key plaintext to obtain a data ciphertext, and to send the data ciphertext to the business application.
  9. An electronic device comprising a processor and a memory, wherein the processor implements the data encryption method of any one of claims 1 to 7 when executing a computer program stored in the memory.
  10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the data encryption method according to any one of claims 1 to 7.

Description

Data encryption method, device, equipment and storage medium

Technical Field

The present application relates to the field of information security technologies, and in particular to a data encryption method, device, apparatus and storage medium.

Background

In the current cloud computing and digitalization environment, cryptographic technology is a cornerstone for guaranteeing data security. Applications of various kinds (such as mobile payment, electronic contracts and data encryption) in different fields (such as government, finance and e-commerce) generally need to call cryptographic operation capabilities uniformly through a cryptographic service management platform in order to realize security services such as key management, encryption and signing. However, a traditional cryptographic service management platform usually interacts directly with the underlying cryptographic hardware and is itself a complex service system, and its key protection scheme has the following problems: the platform must centrally manage a large number of highly sensitive keys, and once a key is leaked at the software level, all data protected by that key can be decrypted; an internal isolation mechanism is lacking, so keys of different services, tenants and usage scenarios are not effectively logically isolated within the platform, and a chain reaction is easily produced once a single module is compromised; and the security boundary is fuzzy, that is, the platform lacks structural security protection measures when calling the computing power of the underlying VSM (virtual security module, the virtual cryptographic machine), and fine-grained management and control of the key life cycle are difficult to realize.
In addition, a cloud server cryptographic machine (Cloud-hosted Hardware Security Module, CloudHSM) based on the GM/T0104 standard (a technical specification for cloud server cryptographic machines) generally creates a plurality of mutually isolated virtual cryptographic machines through hardware virtualization technology. In this way the key protection range stops at the boundary of the virtual cryptographic machines, so the keys and sensitive data inside the cryptographic service management platform cannot be effectively protected. Furthermore, current cryptographic service management platforms do not implement hierarchical protection of keys and sensitive data during key life cycle management, which results in fuzzy security boundaries and diffusion of the attack surface. Therefore, how to store and call keys, and how to effectively isolate and control keys during their use, so that the overall security of the platform is ensured and keys are prevented from being leaked at the software layer, is a problem that this field still needs to solve.

Disclosure of Invention

Accordingly, the present application is directed to a data encryption method, apparatus, device and storage medium applied to a cryptographic service management platform, which can improve the security of the data encryption process and avoid data leakage, so as to greatly improve the overall security, reliability and compliance of the cryptographic service management platform.
The specific scheme is as follows. In a first aspect, the present application discloses a data encryption method applied to a cryptographic service management platform, where the cryptographic service management platform includes a cryptographic hardware layer, a platform security layer and a tenant security layer, the cryptographic hardware layer includes a cloud server cryptographic machine and a plurality of virtual cryptographic machines created by the cloud server cryptographic machine, and the method includes: receiving a data encryption request sent by any business application in a target tenant, wherein the data encryption request carries a tenant identifier of the target tenant, an application identifier of the business application and data to be encrypted; querying, from the tenant security layer, a target application key ciphertext corresponding to the application identifier and a target tenant key ciphertext corresponding to the tenant identifier, and acquiring, from the platform security layer, a platform master key created in advance for the cryptographic service management platform; decrypting the target tenant key ciphertext in the tenant security layer by using the platform master key to obtain a target tenant key plaintext, and decrypting the target application key ciphertext by using the target tenant key plaintext to obtain a target application key plaintext; and sending the target application key plaintext and the data to be encrypted to a target virtual cryptographic machine pre-allocated to the target tenant, so as to encrypt the data to be encrypted based on the target application key plaintext, obtain a data ciphertext, and sending the data ciphertext t