CN-122027140-A - Data encryption method, system and storage medium
Abstract
The invention discloses a data encryption method, system and storage medium. A central coordination node generates an initial master key, derives a first data encryption key, creates the first version node of a global key version chain and distributes it. Each node creates a local key version chain copy, marks the first version node as the current effective version node and sets a local active pointer to point to it. A sender encrypts plaintext with the current version key and embeds the version's serial number and hash; the receiver verifies serial number continuity and the hash, decrypts, then generates version use evidence and reports it. The central coordination node gathers the version use evidence into a global version state track. When the track triggers an update condition, the central coordination node generates a new key and a candidate version node from the current version through a chained cryptographic algorithm, distributes them according to a distribution barrier coefficient and calculates a timeout time. Each node holds the candidate version node as a pending successor. Finally, each node performs multi-stage activation verification of the candidate version node based on its locally observed distribution completion rate, its local chain and the timeout time, and feeds back the processing result.
Inventors
- LI CHAO
- WANG XIAO
Assignees
- 北京迅嘉数据技术有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260310
Claims (10)
- 1. A method of encrypting data, comprising the steps of: a central coordination node generates a system initial master key, processes the initial master key through a key derivation function in combination with an initial salt value to obtain a first data encryption key, creates a first version node of a global key version chain based on the first data encryption key, and distributes the first version node to all the participating nodes; each node locally establishes a key version chain copy, marks the first version node as the current effective version node, and sets a local active pointer to point to the current effective version node; when data encryption transmission is executed, a sender and a receiver sequentially execute encryption transmission, verification and decryption processing according to the current effective version and the receiver's key version chain copy to obtain plaintext data, after which the receiver generates version use evidence information, from which a global version state track is generated via the central coordination node; the central coordination node monitors the global version state track in real time, and when the usage information of the current effective version node in the global version state track meets the trigger key update condition, generates a new generation key and a candidate version node corresponding to the new generation key based on analysis of the current effective version node through a chained cryptographic algorithm, distributes the candidate version node to all the participating nodes in combination with a distribution barrier coefficient, and obtains a timeout time through analysis; and each participating node, according to its locally established key version chain copy and the timeout time, performs multistage activation verification on the candidate version node based on the local observation distribution completion rate to obtain a verification result, and performs feedback processing according to the verification result.
- 2. The method according to claim 1, wherein, when data encryption transmission is executed, the step in which the sender and the receiver sequentially execute encryption transmission, verification and decryption processing according to the current effective version and the receiver's key version chain copy to obtain plaintext data, after which the receiver generates version use evidence information from which a global version state track is generated via the central coordination node, comprises the following steps: the sender encrypts the plaintext data to be sent with the first data encryption key corresponding to the current effective version node pointed to by its local active pointer to obtain ciphertext data, and embeds the serial number and version hash of the current effective version node into the header of the ciphertext data to form an encrypted data packet; after the encrypted data packet is sent to the receiver, the receiver extracts the serial number and the version hash from the header of the encrypted data packet, and verifies the numerical continuity of the serial number and the validity of the version hash against its locally established key version chain copy; after verification succeeds, the receiver decrypts the encrypted data packet using the first data encryption key of its locally established key version chain copy to obtain the plaintext data; the receiver generates version use evidence information consisting of the serial number, a communication timestamp and the current effective version node of the communication process, and sends the version use evidence information to the central coordination node; and the central coordination node collects the received version use evidence information according to duration to obtain the global version state track.
- 3. A method of encrypting data according to claim 2, wherein the trigger key update condition is that the current timestamp reaches the failure timestamp corresponding to the current effective version node; or the frequency of the current effective version node in the version use evidence information of the global version state track reaches a preset use frequency threshold; or, within a preset time window, the number of decryption failures reported by the receiver exceeds a preset decryption failure threshold.
- 4. A method of encrypting data according to claim 3, wherein generating a new generation key and the candidate version node corresponding to the new generation key based on analysis of the current effective version node through a chained cryptographic algorithm, and distributing the candidate version node to all the participating nodes in combination with the distribution barrier coefficient, comprises the steps of: acquiring a communication delay record between every two participating nodes, and constructing an inter-node delay matrix according to the communication delay records; calculating the network-wide average communication delay and delay standard deviation from the inter-node delay matrix, and taking the maximum communication delay between any two participating nodes as the network diameter; acquiring a high-strength random number and a current timestamp; encoding the serial number of the current effective version node, the first data encryption key, the current timestamp and the high-strength random number and combining them to form a key derivation input string, performing k rounds of iterative hash operation on the key derivation input string, and outputting a target hash value; calculating a new version hash of the new data encryption key, determining a candidate serial number according to the serial number of the current effective version node, calculating an estimated activation timestamp according to the network diameter and the delay standard deviation, and calculating an estimated failure timestamp according to the estimated activation timestamp and a preset key validity period; constructing the candidate version node from the new version hash, the candidate serial number, the estimated activation timestamp and the estimated failure timestamp; and determining a distribution form according to the distribution obstacle coefficient, executing distribution of the candidate version node according to the distribution form, and calculating the timeout time corresponding to the distribution form.
- 5. The method of data encryption according to claim 4, wherein determining the distribution form according to the distribution obstacle coefficient, executing distribution of the candidate version node according to the distribution form, and calculating the timeout time corresponding to the distribution form, comprises the steps of: judging whether the distribution obstacle coefficient is smaller than a preset obstacle risk threshold; if yes, sending the candidate version node to each participating node by broadcast, and calculating a broadcast timeout time according to the network-wide average communication delay and a preset safety buffer time; if not, sending the candidate version node to each participating node through hierarchical distribution processing, and calculating a hierarchical distribution timeout time according to the network diameter, the delay standard deviation and the preset safety buffer time.
- 6. A method of encrypting data according to claim 5, wherein the candidate version nodes are transmitted to each participating node by a hierarchical distribution process, comprising the steps of: the method comprises the steps of calculating the average delay degree of each participating node through a delay matrix among nodes, taking the first N participating nodes as a core node set after the average delay degree is arranged in an ascending order, and obtaining an edge node set; Obtaining a key distribution history database, and respectively calculating according to each record in the key distribution history database to obtain the attenuation ratio corresponding to each record; According to the initial distribution relation mapping table, counting the number of the edge nodes corresponding to each core node respectively to obtain the initial load of the core node; Calculating according to the number of all the participating nodes and the number of the core nodes to obtain the average load of the whole network; calculating a load balancing tolerance according to a preset reference load tolerance and a current efficiency attenuation factor, and calculating a first load tolerance threshold of each core node according to the average load of the whole network and the load balancing tolerance; The method comprises the steps of judging and screening according to initial load of core nodes and a first load tolerance threshold, screening to obtain a plurality of edge nodes to be adjusted, analyzing and processing the edge nodes to be adjusted according to the core node fitness scores of the edge nodes to be adjusted and the core nodes of the core nodes, reconstructing an initial distribution relation mapping table to obtain a final distribution relation mapping table, and sending candidate version nodes to the participating nodes according to the final distribution relation mapping table.
- 7. The method of encrypting data according to claim 6, wherein judging and screening according to the initial load of the core nodes and the first load tolerance threshold to obtain a plurality of edge nodes to be adjusted, and analyzing the edge nodes to be adjusted according to the core node fitness score of each core node to reconstruct the initial distribution relation mapping table and obtain a final distribution relation mapping table, comprises the following steps: when the initial load of a core node is larger than the first load tolerance threshold, determining the core node to be an overloaded core node, and calculating the excess load capacity based on the initial load of the core node and the first load tolerance threshold; calculating a second load tolerance threshold of each core node according to the network-wide average load and the load balancing tolerance; traversing each edge node e to be adjusted, and calculating the core node fitness score of each core node for the edge node e to be adjusted; screening all core nodes whose current load is smaller than the second load tolerance threshold as a candidate light-load core node set; if the candidate light-load core node set is not empty, selecting the core node with the highest core node fitness score from the set as the new responsible core node of the edge node e to be adjusted; if the candidate light-load core node set is empty, directly selecting, from all the core nodes, the core node with the highest core node fitness score as the new responsible core node of the edge node e to be adjusted; updating the initial distribution relation mapping table based on the new responsible core node of each edge node to obtain the final distribution relation mapping table; and sending the candidate version node to each participating node according to the final distribution relation mapping table.
- 8. The method of claim 7, wherein the current efficiency decay factor is calculated by obtaining M historical key distribution task records of the latest continuous time period from a key distribution historical database, numbering 1st to Mth in sequence from early to late according to record generation time, extracting corresponding decay rate for the M-th historical key distribution task records Calculating initial weight corresponding to the mth record according to preset attenuation coefficient beta, calculating the sum of initial weights of all M records, dividing the initial weight of the mth record by the sum of the initial weights to obtain normalized weight of the mth record, and attenuating the attenuation ratio of each record Multiplying the obtained weighted attenuation ratios of all M records by corresponding normalized weights to obtain weighted attenuation ratios of all records, and adding the weighted attenuation ratios of all M records to obtain a result which is the current efficiency attenuation factor lambda; The historical dimension index statistics include a base delay dimension index Dimension index of link stability Node load dimension index.
- 9. The method for encrypting data according to claim 8, wherein each participating node performing, according to its locally established key version chain copy in combination with the timeout time, multi-level activation verification on the candidate version node based on the local observation distribution completion rate to obtain a verification result, and performing feedback processing according to the verification result, comprises the steps of: each participating node receives the candidate version node distributed by the central coordination node and carries out chain continuity verification and version hash validity verification on it; after verification passes, each participating node stores the candidate version node in the pending area of its local key version chain copy, records its receiving timestamp, marks the state of the candidate version node in the local key version chain copy as to-be-activated, and starts a local timeout timer with the receiving timestamp as the starting point and the timeout time as the timing duration; each time a candidate version node confirmation message is received, the participating node extracts the sender node identification from the message, adds it to a locally maintained confirmed node list, and records the receiving timestamp of the confirmation message; each participating node reads the total number of participating nodes in the whole network from the global participating node list, and calculates the local observation distribution completion rate in real time according to the number of nodes in the confirmed node list; each participating node reads preset multilevel activation thresholds from a local system parameter configuration table, and executes hierarchical activation processing according to the local observation distribution completion rate and the multilevel activation thresholds to obtain a hierarchical activation processing result; and the current effective version node is determined according to the hierarchical activation processing result in combination with the activation completion rate, and feedback processing is carried out according to the local timeout timer and analysis of the synchronization failure log.
- 10. The method of claim 9, wherein determining the currently active version node based on the hierarchical activation process result in combination with the activation completion rate and performing the feedback process based on the local timeout timer and the sync failure log analysis, comprises the steps of: When the activation processing result is activation, generating an activation confirmation message and sending the activation confirmation message to a central coordination node, wherein the central coordination node counts the full-network activation completion rate according to the received activation confirmation message, and when the activation completion rate reaches a system preset activation success threshold value, the central coordination node uniformly marks the state of the candidate version node in the full-network range as a current effective version node; If the local overtime timer returns to zero, the local observation distribution completion rate of the participated node still does not reach a third activation threshold T3 in the multi-stage activation threshold, the participated node judges that the synchronization of the key update fails, marks the state of the candidate version node stored in the pending area of the local key version chain copy as activation failure, and maintains the local active pointer at the original current effective version node; and the network security monitoring system of the central coordination node updates the failure record in the key distribution history database according to the received synchronization failure log, returns to the processing step of calculating the current efficiency attenuation factor lambda to obtain a new current efficiency attenuation factor, and returns the new current efficiency attenuation factor to be re-executed.
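The key version chain of claims 1, 2, 4 and 9, sketched as an added Python example (not code from the patent). Assumptions the page does not state: SHA-256 and HKDF as the hash and KDF, a header of a 4-byte serial plus a 32-byte version hash, a version hash that commits to the serial, the predecessor's hash and the key, a candidate serial of current + 1, and the k-round target hash used directly as the new key; the ciphertext is an opaque placeholder and all names are hypothetical.

```python
import hashlib
import hmac
import os
import struct
from collections import namedtuple

HEADER = struct.Struct(">I32s")  # assumed layout: 4-byte serial + 32-byte version hash
VersionNode = namedtuple("VersionNode", "serial prev_hash version_hash")

def hkdf_sha256(master, salt, info=b"dek"):
    """HKDF (RFC 5869), one 32-byte block; stands in for the claim's unnamed KDF."""
    prk = hmac.new(salt, master, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def make_node(serial, key, prev_hash=b"\x00" * 32):
    """Assumed: the version hash commits to serial, predecessor hash and key."""
    digest = hashlib.sha256(struct.pack(">I", serial) + prev_hash + key).digest()
    return VersionNode(serial, prev_hash, digest)

def next_key(node, key, timestamp, nonce, k):
    """Claim 4: k rounds of iterated hashing over serial, key, timestamp, nonce."""
    state = struct.pack(">IQ", node.serial, timestamp) + key + nonce
    for _ in range(k):
        state = hashlib.sha256(state).digest()
    return state

class ChainCopy:
    """One participating node's local chain copy, active pointer and pending area."""
    def __init__(self, first, key):
        self.chain = [(first, key)]
        self.active, self.pending = first, None

    def header(self):
        return HEADER.pack(self.active.serial, self.active.version_hash)

    def check_packet(self, packet):
        """Claim 2 receiver checks, run before any decryption is attempted."""
        if len(packet) < HEADER.size:
            return "truncated"
        serial, digest = HEADER.unpack_from(packet)
        if serial != self.active.serial:
            return "serial-mismatch"
        if not hmac.compare_digest(digest, self.active.version_hash):
            return "hash-mismatch"
        return "ok"

    def accept_candidate(self, cand, key):
        """Claim 9: chain continuity and version hash checks, then park as pending."""
        tip = self.chain[-1][0]
        if cand != make_node(tip.serial + 1, key, tip.version_hash):
            return False
        self.pending = (cand, key)  # "to be activated"; active pointer unchanged
        return True

    def activate(self):
        self.chain.append(self.pending)
        self.active, self.pending = self.pending[0], None

def demo():
    key1 = hkdf_sha256(os.urandom(32), os.urandom(16))  # constructed master key, salt
    first = make_node(1, key1)
    sender, receiver = ChainCopy(first, key1), ChainCopy(first, key1)
    out = {"same_version": receiver.check_packet(sender.header() + b"<ciphertext>")}
    key2 = next_key(first, key1, 1773100800, os.urandom(16), k=1000)  # constructed inputs
    cand = make_node(2, key2, first.version_hash)
    out["candidate"] = sender.accept_candidate(cand, key2)
    out["gap"] = receiver.accept_candidate(make_node(3, key2, first.version_hash), key2)
    sender.activate()  # sender switches early; receiver is still on version 1
    out["split"] = receiver.check_packet(sender.header() + b"<ciphertext>")
    return out
```

`demo()` ends with a sender that activated version 2 early and a receiver still on version 1: the receiver's header check rejects the packet, which is the version split that the coordinated activation of claims 9 and 10 is meant to avoid.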
Description
Data encryption method, system and storage medium
Technical Field
The present invention relates to the field of data encryption, and in particular, to a method, a system, and a storage medium for encrypting data.
Background
Dynamic key updating is a core mechanism for guaranteeing long-term communication security in a distributed encryption system. In the traditional dynamic key updating method, a central coordination node periodically generates a new key and issues it to all the participating nodes by broadcast, and each node completes the version switch according to a fixed time window or immediately after receiving the new key. However, when applied to large-scale, cross-regional distributed systems with heterogeneous network environments, conventional methods suffer from the following significant technical drawbacks:
First, in a real large-scale distributed system, the network topology between nodes changes dynamically, and the communication delays of cross-machine-room and cross-region links often differ by tens or even hundreds of times. Broadcast distribution uses the same push path for all nodes, so high-delay nodes become the bottleneck of overall synchronization and the completion time of key distribution is seriously prolonged; more seriously, some edge nodes never complete reception within the preset timeout window, which directly causes the key update to fail. Although some schemes attempt to introduce hierarchical distribution, core node selection is based only on static configuration, and the distribution path and load distribution cannot be adjusted dynamically according to the real-time network state. When a core node is overloaded or link quality degrades, forwarding efficiency attenuates nonlinearly as the number of relay layers increases, the packet loss rate and delay accumulation at edge nodes are further aggravated, and finally the candidate version node cannot cover the whole network in a reasonable time.
Secondly, hierarchical distribution essentially depends on step-by-step forwarding from core nodes to edge nodes. Each additional relay hop adds transmission delay and increases the packet loss probability, and the degree of attenuation is strongly related to dynamic factors such as the congestion level, link stability and node processing capacity of the current network. The traditional scheme establishes no mathematical model for measuring the severity of attenuation and does not feed historical distribution efficiency back into the current decision. As a result, the timeout parameter is fixed and the load balancing strategy is rigid: overloaded core nodes cannot be identified in time, the spare capacity of lightly loaded core nodes sits idle, and links on which edge nodes have greater difficulty receiving are reused. Distribution executed this way leaves the system with no robustness against network fluctuation, and the key update success rate drops exponentially as the node scale expands.
Thirdly, in the traditional method, when a key version is activated, each participating node, after receiving the candidate version node, completes the version switch independently based on a locally preset activation condition (such as a fixed delay, relying only on the local clock), with no awareness of the synchronization progress of other nodes. This distributed activation very easily splits the network-wide version state: some nodes switch to the new version too early because of better network conditions, while others still use the old version because of reception delay. Data packets encrypted with the new-version key and the old-version key then cross between nodes, causing frequent decryption failures and retransmission requests and forming an oscillation cycle of repeated switching, failure and re-switching. More seriously, the traditional scheme simply discards nodes that fail to activate before the timeout; it neither generates any traceable failure record nor feeds the outcome back into subsequent distribution decisions, so similar problems recur in the same network environment and the system can never optimize itself from historical experience.
In summary, existing dynamic key updating technology has systematic defects in coping with network heterogeneity, attenuation-aware distribution, load balancing optimization, cooperative node activation, closed-loop adaptive feedback and the like. A key updating method is needed that can sense the network state in real time, quantify distribution barriers, dynamically adjust the layering strategy and complete a smooth switch based on cooperative observation across all nodes.
Disclosure of Invention
The invention ai