CN-122027245-A - Front-end RSA+AES hybrid encryption and decryption method and system for bedside system

Abstract

The invention provides a front-end RSA+AES mixed encryption and decryption method and system for a bedside system, which belong to the technical field of medical treatment, communication and software algorithm intersection, and the technology aims at the safety encryption requirements of the scenes such as patient privacy data transmission, equipment instruction interaction, medical information storage and the like in the bedside system of a hospital, realizes the RSA and AES mixed encryption, dynamic desensitization storage of keys, asynchronous encryption and decryption and multi-strategy fault tolerance, the problems of key hard coding leakage, large text encryption failure, encryption and decryption blocking of a main thread, unharmful exception handling and the like in encryption of the front end of a bedside system are solved, the safety and fluency of sensitive information such as patient vital sign data, nursing operation instructions, electronic medical record fragments and the like acquired by bedside equipment in the front end transmission and storage process are ensured, and the core requirements of high safety, high performance and high compatibility of data encryption under the bedside scene of a hospital are adapted.

Inventors

• HE YONGZHENG
• Lv Jiaoan
• CAI JINWEI
• LIU DI
• Feng Boqi

Assignees

• 杭州捷创睿医疗科技有限公司

Dates

Publication Date

20260512

Application Date

20260123

Claims (10)

1. 1. A front-end RSA+AES mixed encryption and decryption method for a bedside system is characterized by running at a bedside terminal and at least comprising the following steps: a key safety preparation step, namely acquiring an RSA public key in response to encryption operation trigger; the self-adaptive encryption decision and execution step is that the original data to be encrypted is received, and whether the length of the original data exceeds a preset RSA encryption length threshold value is judged; If not, encrypting the original data by using the RSA public key; If the first ciphertext exceeds the second ciphertext, generating or acquiring an AES key, encrypting the original data by using the AES key to obtain a first ciphertext, encrypting the AES key by using an RSA public key to obtain a second ciphertext, and combining the first ciphertext and the second ciphertext into a final ciphertext.
2. 2. A front-end data rsa+aes hybrid decryption method for a bedside system, characterized by running at a bedside terminal, comprising: a key safety preparation step, namely responding to the triggering of decryption operation to acquire an RSA private key; the self-adaptive decryption decision and execution step is that ciphertext data to be decrypted is received, and whether the ciphertext data contains a predefined mixed encryption format is judged; if not, decrypting the ciphertext data by using the RSA private key; If the first ciphertext part and the second ciphertext part are included, the first ciphertext part and the second ciphertext part are separated from the ciphertext data, the second ciphertext part is decrypted by using an RSA private key to obtain an AES key, and then the first ciphertext part is decrypted by using the AES key to obtain the original data.
3. 3. The method according to claim 1 or 2, characterized in that the key security preparation step comprises in particular: dynamically acquiring a plurality of key fragments of an RSA key from a server; signature verification, namely receiving a digital signature corresponding to the key fragment issued by the server, locally splicing the received key fragment, calculating a hash value, and comparing and verifying the hash value with the digital signature; And (3) desensitizing storage, namely splitting the spliced complete key into a plurality of desensitized fragments after signature verification is passed, and storing the fragments in different positions of a front-end memory in a scattered manner.
4. 4. The method according to claim 1 or 2, wherein the core encryption and decryption operations in the adaptive encryption decision and execution step or the adaptive decryption decision and execution step are scheduled to be executed in an asynchronous thread created by the Web Worker and separate from the front-end main thread.
5. 5. The method according to claim 1 or 2, further comprising the fault tolerant processing step of: the first error-tolerant layer is used for automatically performing retry for at most 3 times when encryption and decryption operations fail; the second error-tolerant layer is used for triggering algorithm degradation if the retry still fails, degrading the encryption operation to directly encrypt by using a local preset AES key, and degrading the decryption operation to attempt decryption by using the local preset AES key.
6. 6. The method according to claim 1 or 2, further comprising an initializing step before performing the key security preparation step: creating a single instance for managing encryption and decryption processes; detecting the support of a browser to a Web workbench; if the Web workbench is supported, creating a Web workbench asynchronous thread; if the Web workbench is not supported, marking as a synchronous encryption and decryption mode.
7. 7. The method according to claim 1 or 2, further comprising a cache management step of: generating a unique cache key for data to be encrypted or data to be decrypted; before encryption and decryption operations are executed, inquiring whether unexpired cache results exist in a cache according to a cache key; if yes, directly returning a caching result; If not, executing encryption and decryption calculation, binding the calculation result with the expiration time, and storing the calculation result into a cache; And setting a first buffer expiration time for the key and a second buffer expiration time for the encryption and decryption result.
8. 8. The method according to claim 1 or 2, further comprising the step of resource destruction, in response to a destruction instruction, of clearing key desensitization fragments stored in the memory, clearing all encryption and decryption buffers, terminating the Web workbench asynchronous thread, and destroying the encryption and decryption management instance.
9. 9. The method of claim 8, further comprising the step of key dynamic management: Periodically inquiring the key state from the server, and dynamically acquiring and switching to a new key when the key update is detected; When the server refuses to issue the secret key and returns the revocation instruction, executing the resource destroying step and stopping the encryption and decryption functions.
10. 10. A front-end rsa+aes hybrid encryption/decryption system for a bedside system, deployed at a bedside terminal, the system comprising: The key management module is used for dynamically acquiring a plurality of key fragments of an RSA key from the server, carrying out signature verification on the received key fragments, splitting the spliced complete key into a plurality of desensitized fragments after the verification is passed, and storing the desensitized fragments in the memory; the self-adaptive encryption and decryption engine module is connected with the key management module and comprises: The encryption unit is used for receiving the original data to be encrypted, and selecting to execute pure RSA encryption or generate an AES key for mixed encryption according to whether the length of the original data exceeds a preset threshold value; The decryption unit is used for receiving ciphertext data to be decrypted, and selecting to execute pure RSA decryption or parsing and decrypting to obtain original data according to whether the ciphertext data accords with a preset mixed encryption format or not; The asynchronous execution module is used for creating and managing the Web workbench asynchronous thread, and dispatching the core encryption and decryption operation in the encryption unit and the decryption unit to the Web workbench asynchronous thread for execution; The cache management module is used for generating a cache key for the encryption and decryption data to be processed, and storing, inquiring and expiration management of encryption and decryption results based on the cache key; The fault-tolerant processing module is used for triggering an automatic retry mechanism when encryption and decryption operations fail and triggering an algorithm degradation mechanism after the retry fails; And the resource management module is used for responding to the destroying instruction, clearing the storage contents in the key management module and the cache management module, and controlling the asynchronous execution module to terminate the Web Worker asynchronous thread.

Description

Front-end RSA+AES hybrid encryption and decryption method and system for bedside system Technical Field The invention relates to the technical field of communication, in particular to a front-end RSA+AES hybrid encryption and decryption method and system for a bedside system Background The bedside system is a medical informatization terminal system arranged beside a patient bed in a hospital ward, integrates core functions of vital sign acquisition, nursing operation execution, electronic medical record review, medical advice interaction, equipment linkage control and the like of the patient, and is a key node for connecting the patient, medical staff and a hospital core information system (HIS, EMR, LIS and the like). The core data of the bedside system comprises patient privacy information (such as identity information, medical history and examination report), medical operation instructions (such as nursing execution list and equipment control instructions), real-time acquisition data (such as body temperature, blood pressure and electrocardio data), and the like, and the safety of the data in the front-end transmission, storage and interaction processes is directly related to the patient privacy protection and the compliance of medical procedures, so that the data encryption becomes the core technical requirement of the front-end development of the bedside system. The RSA asymmetric encryption technology becomes a mainstream scheme of sensitive data encryption in a bedside system due to the characteristics of public key encryption and private key decryption, and the front-end RSA encryption is usually implemented by packaging based on an open source library (such as JSEncrypt, cryptoJS). In the prior art, a front-end RSA encryption scheme is widely applied to safety protection scenes of various Web systems, and the core implementation logic of the front-end RSA encryption scheme is that an RSA public key/private key is hard-coded in a front-end code, data encryption is completed by calling the public key through an open source library, data decryption is completed by the private key, and a part of schemes can be combined with AES symmetric encryption to realize large text processing, but a standardized mixed encryption strategy is not formed. Under the bedside system scene, the existing front-end RSA encryption technology has the following key defects and problems: 1. The key management has serious potential safety hazards that the public key/private key is generally hard-coded in a JS code or configuration file in a plaintext form by the traditional front-end RSA encryption scheme, the bedside system terminal is mostly public equipment, an attacker can easily steal the key in a decompilation mode, a code examination mode and the like, further, sensitive medical data in transmission is decrypted, and serious consequences such as privacy leakage of patients, falsified medical instructions and the like are caused. In addition, in the prior art, a dynamic distribution and desensitization storage mechanism for the key is lacking, the key cannot be quickly disabled once revealed, and the security risk is continuously present. 2. The encryption capability of the large text is limited, the adaptability is poor, the original RSA encryption only supports short character string encryption due to the algorithm characteristic (the 1024-bit RSA key can only encrypt about 117 bytes of data), and the electronic medical record fragments, the examination report summaries and the like which are needed to be encrypted in the bedside system are mostly large text data. In the prior art, although partial schemes attempt to combine AES to realize hybrid encryption, a service layer is required to manually distinguish text lengths and switch encryption logics, the operation is complex, configuration errors are easy to occur, the service requirement of 'non-inductive encryption' in a bedside system cannot be adapted, the partial open source hybrid encryption scheme (such as RSA-AES combination of CryptoJS) does not carry out secure encryption on an AES key, and the risk that large text data is cracked due to the leakage of the AES key exists. 3. The encryption and decryption operations block the front-end main thread, so that the interactive experience is affected, the front end of the bedside system needs to process high-frequency operations such as data acquisition, interface rendering, equipment linkage and the like, while the encryption of the existing front-end RSA is synchronous, when encryption and decryption are carried out for many times or large texts are processed, the JavaScript main thread is blocked, so that the problems of interface jamming, data acquisition delay, slow response of equipment instructions and the like occur at the bedside terminal, and the operation efficiency of medical staff is affected. In the prior art, although an asynchronous encryption scheme based on Web workbench is provided, the asynchrono