CN-122027356-A - Data security processing method, client, electronic device and storage medium
Abstract
The invention discloses a data security processing method, a client, an electronic device and a storage medium, and relates to the technical field of information security. The method comprises: intercepting a file upload request of an application program through an adaptation library of a user-mode file system; obtaining a physically isolated master key from a hardware cryptographic device and deriving a unique file encryption key from it together with the target file information; invoking a national cryptographic algorithm library to symmetrically encrypt the file data with the file encryption key and to asymmetrically encrypt the file encryption key with a public key; generating an encrypted file header containing the encryption parameters and the ciphertext file key; and uploading the header and the encrypted data for storage. Through the deep fusion of the hardware cryptographic device and the user-mode file system, the invention achieves hardware-level physical isolation of the key, compliance support for the national cryptographic algorithms, and transparent encryption and decryption, which effectively prevents key leakage and improves data security.
Inventors
- ZHOU YANG
- ZHANG NANXIN
- WU HUAIGU
- ZHA MING
Assignees
- 天府绛溪实验室
Dates
- Publication Date: 20260512
- Application Date: 20260410
Claims (10)
- 1. A data security processing method applied to a client, wherein the client is communicatively connected to a hardware cryptographic device, the method comprising the following steps: intercepting a file upload request initiated by an application program through an adaptation library of a user-mode file system to obtain target file information; acquiring a master key held in the hardware cryptographic device, and deriving from the master key and the target file information a file encryption key uniquely corresponding to the target file, wherein the master key is physically isolated and protected by the hardware cryptographic device; invoking a national cryptographic algorithm library, and encrypting the data of the target file with a preset symmetric encryption algorithm and the file encryption key to obtain encrypted file data; invoking an asymmetric encryption algorithm in the national cryptographic algorithm library, and encrypting the file encryption key with the corresponding public key to obtain a ciphertext file key; generating an encrypted file header through the adaptation library of the user-mode file system, wherein the encrypted file header comprises the encryption parameters of the target file and the ciphertext file key; and sending the encrypted file header and the encrypted file data to a remote storage side for storage.
- 2. The method of claim 1, wherein deriving a file encryption key uniquely corresponding to the target file from the master key and the target file information comprises: acquiring a file unique identifier and a timestamp from the target file information; using the master key as the key parameter and the concatenation of the file unique identifier and the timestamp as the message input; and invoking a cryptographic hash algorithm to compute the file encryption key corresponding to the target file.
- 3. The data security processing method according to claim 1, wherein the encryption parameters in the encrypted file header include at least the following fields: a magic number field for checking file legitimacy; an encryption algorithm identifier field for indicating the type of encryption algorithm; a mode field for indicating the encryption/decryption mode; a length field for recording the true size of the target file; an initialization vector field for storing the initialization vector; and a hash value field for storing the integrity check value of the target file data.
- 4. The data security processing method according to claim 1, wherein, before intercepting the file upload request initiated by the application program through the adaptation library of the user-mode file system, the method further comprises an application initialization step of: detecting that the hardware cryptographic device has been connected to the client; acquiring a personal identification code (PIN) entered by the user, and verifying its validity through the hardware cryptographic device; reading a user certificate stored in the hardware cryptographic device, and verifying the validity period of the user certificate; and, after both the PIN and the user certificate pass verification, loading a pre-configured security policy and establishing a secure session.
- 5. The data security processing method according to claim 4, further comprising an encrypted file download and decryption step of: intercepting a file download request initiated by an application program through the adaptation library of the user-mode file system; reading the corresponding encrypted file header from the remote storage side, and parsing it to obtain the corresponding encryption parameters and the ciphertext file key; acquiring the corresponding decryption key, invoking the national cryptographic algorithm library, and decrypting the downloaded encrypted file data with the decryption key and the encryption parameters to obtain plaintext data; and returning the plaintext data to the application program according to the real size of the target file parsed from the encrypted file header, and recording an audit log entry for the file decryption.
- 6. The method for securely processing data according to claim 5, wherein acquiring the corresponding decryption key comprises: checking whether a file encryption key corresponding to the target file exists in a secure cache of the local client; on a cache hit, taking the file encryption key directly from the secure cache as the decryption key; on a cache miss, initiating a decryption request to the hardware cryptographic device, decrypting the ciphertext file key with the private key held in the hardware cryptographic device to obtain the file encryption key as the decryption key, and storing the file encryption key in the secure cache; wherein the client monitors the connection state of the hardware cryptographic device in real time, and when disconnection of the device is detected, automatically locks the secure session and clears the key data in the secure cache.
- 7. A client, wherein a hardware cryptographic device is communicatively coupled to the client, the client comprising: a request interception module for intercepting a file upload request initiated by an application program through an adaptation library of a user-mode file system and acquiring target file information; a key derivation module for obtaining a master key held in the hardware cryptographic device and deriving from the master key and the target file information a file encryption key uniquely corresponding to the target file, wherein the master key is physically isolated and protected by the hardware cryptographic device; a data encryption module for invoking a national cryptographic algorithm library, encrypting the data of the target file with a preset symmetric encryption algorithm and the file encryption key to obtain encrypted file data, invoking an asymmetric encryption algorithm in the national cryptographic algorithm library, and encrypting the file encryption key with the corresponding public key to obtain a ciphertext file key; a file header generation module for generating an encrypted file header through the adaptation library of the user-mode file system, wherein the encrypted file header comprises the encryption parameters of the target file and the ciphertext file key; and a data transmission module for transmitting the encrypted file header and the encrypted file data to a remote storage side for storage.
- 8. The client of claim 7, wherein the system architecture of the client comprises, from bottom to top, a driver layer, a security service layer and an application layer, wherein: the driver layer provides the basic device communication driver and the cryptographic-algorithm hardware acceleration driver for the hardware cryptographic device; the security service layer comprises a device management module, the key derivation module and a security policy management module, and provides device discovery and authentication, a multi-level layered key protection mechanism, and compliance audit support based on preset cryptographic algorithm specifications; and the application layer comprises a state monitoring module, the adaptation library of the user-mode file system and a graphical user interface, and handles interaction between the client and the user, manages the life cycle of the secure session, and performs transparent encryption/decryption proxying of file read/write requests using the adaptation library of the user-mode file system.
- 9. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and executing the instructions stored in the memory causes the at least one processor to perform the method of any one of claims 1-6.
- 10. A computer readable storage medium for storing instructions that, when executed, cause the method of any one of claims 1-6 to be implemented.
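As an added example (not code from the patent or its assignee), the following Python sketch implements the per-file key derivation of claim 2 and the header layout of claim 3 for both the upload and the download side. The magic number, field order and algorithm identifiers are constructed placeholders, HMAC-SHA256 stands in for the SM3-based keyed hash, and the SM4/SM2 calls to the national algorithm library are omitted because they are not in the standard library.

```python
import hashlib
import hmac
import struct
# Constructed placeholders: the page names the magic, algorithm-id and mode fields but gives no values.
MAGIC, ALG_SM4, MODE_CBC = b"UEFS", 0x01, 0x01
# Fixed header part (claim 3): magic | alg | mode | real length | IV | hash | wrapped-key length
HDR_FMT = ">4sBBQ16s32sH"
HDR_LEN = struct.calcsize(HDR_FMT)

def derive_file_key(master_key: bytes, file_id: str, timestamp: int) -> bytes:
    # Claim 2: master key as the key parameter, file id || timestamp as the message.
    # HMAC-SHA256 stands in for the SM3-based keyed hash the page calls for.
    msg = file_id.encode() + struct.pack(">Q", timestamp)
    return hmac.new(master_key, msg, hashlib.sha256).digest()

def build_header(real_len: int, iv: bytes, digest: bytes, wrapped_key: bytes) -> bytes:
    # wrapped_key is the file key after SM2 public-key encryption (the "ciphertext file key")
    fixed = struct.pack(HDR_FMT, MAGIC, ALG_SM4, MODE_CBC, real_len, iv, digest, len(wrapped_key))
    return fixed + wrapped_key

def parse_header(blob: bytes):
    # Validate before trusting any field; returns (fields, bytes following the header)
    if len(blob) < HDR_LEN:
        raise ValueError("header truncated")
    magic, alg, mode, real_len, iv, digest, klen = struct.unpack(HDR_FMT, blob[:HDR_LEN])
    if magic != MAGIC:
        raise ValueError("not a UeFS encrypted file")
    wrapped = blob[HDR_LEN:HDR_LEN + klen]
    if len(wrapped) != klen:
        raise ValueError("wrapped key truncated")
    return ({"alg": alg, "mode": mode, "real_len": real_len, "iv": iv,
             "hash": digest, "wrapped_key": wrapped}, blob[HDR_LEN + klen:])

def unpad_and_verify(padded_plain: bytes, fields: dict) -> bytes:
    # Download side: cut block padding using the recorded real size, then check the hash field
    if fields["real_len"] > len(padded_plain):
        raise ValueError("length field exceeds data")
    plain = padded_plain[:fields["real_len"]]
    if not hmac.compare_digest(hashlib.sha256(plain).digest(), fields["hash"]):
        raise ValueError("integrity check failed")
    return plain

def roundtrip_demo() -> bytes:
    master = b"\x11" * 32                  # constructed stand-in for the UKey master key
    plain = b"quarterly-report-v3.docx"    # constructed sample file content
    fek = derive_file_key(master, "doc-0001", 1718000000)
    padded = plain + b"\x00" * (-len(plain) % 16)   # block-align for SM4 (cipher call itself omitted)
    hdr = build_header(len(plain), b"\x22" * 16, hashlib.sha256(plain).digest(), b"SM2:" + fek)
    fields, _ = parse_header(hdr)
    return unpad_and_verify(padded, fields)
```

The magic check and the length bound are performed before any field is used, so a truncated or foreign file is rejected before decryption is attempted.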
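The secure-cache and device-disconnect behaviour of claim 6 (together with the secure session of claim 4), as an added example that is not part of the patent: the UKey and its private-key unwrap are simulated by a constructed stand-in class, and the cache holds keys in bytearrays so they can be overwritten in place before being dropped.

```python
class SimulatedUKey:
    # Constructed stand-in for the hardware cryptographic device: SM2 private-key decryption
    # of the ciphertext file key is replaced by a lookup that only this object can perform.
    def __init__(self, wrapped_keys: dict):
        self.connected, self.unwrap_calls, self._keys = True, 0, wrapped_keys
    def unwrap(self, ciphertext_key: bytes) -> bytes:
        if not self.connected:
            raise ConnectionError("hardware cryptographic device not present")
        self.unwrap_calls += 1
        return self._keys[ciphertext_key]

class SecureSession:
    def __init__(self, device: SimulatedUKey):
        self.device, self.locked = device, False
        self._cache = {}            # file id -> bytearray holding the file encryption key
        self.hits = self.misses = 0
    def decryption_key(self, file_id: str, ciphertext_key: bytes) -> bytes:
        if self.locked:
            raise PermissionError("secure session locked: device not present")
        cached = self._cache.get(file_id)
        if cached is not None:      # cache hit: no round trip to the device
            self.hits += 1
            return bytes(cached)
        self.misses += 1            # cache miss: device unwraps, result is cached
        key = self.device.unwrap(ciphertext_key)
        self._cache[file_id] = bytearray(key)
        return key
    def on_device_state(self, connected: bool) -> None:
        self.device.connected = connected
        if not connected:           # claim 6: lock the session and clear cached key material
            for buf in self._cache.values():
                buf[:] = b"\x00" * len(buf)   # overwrite in place before dropping the reference
            self._cache.clear()
            self.locked = True
    def cached_file_ids(self) -> list:
        return sorted(self._cache)

def demo() -> dict:
    ct, fek = b"\xAA" * 32, b"\x42" * 16    # constructed ciphertext file key and file key
    ukey = SimulatedUKey({ct: fek})
    sess = SecureSession(ukey)
    first = sess.decryption_key("doc-0001", ct)     # miss -> device unwrap
    second = sess.decryption_key("doc-0001", ct)    # hit  -> served from the secure cache
    sess.on_device_state(False)                     # UKey removed: lock + wipe
    return {"same_key": first == second == fek, "hits": sess.hits, "misses": sess.misses,
            "unwrap_calls": ukey.unwrap_calls, "locked": sess.locked,
            "cache_empty": not sess.cached_file_ids()}
```

Python cannot guarantee that no other copy of a key exists (the `bytes` returned to callers is immutable), so the in-place overwrite is best effort; a native implementation would pin and zeroise the buffer.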
Description
Data security processing method, client, electronic device and storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a data security processing method, a client, an electronic device and a storage medium, which are particularly suited to fields such as government, finance and scientific research that require high-security-level data protection.
Background
The statements in this section merely provide background information related to the present disclosure and may not constitute prior art. Existing DPU-based encryption/decryption file-system offload schemes focus mainly on encryption on the DPU side; although they achieve high-performance file-system encryption offload, they lack deep integration with client-side key management and identity authentication. In particular, conventional secure data clients have the following problems with respect to national cryptographic algorithm compliance and hardware-level key protection:
1) Encryption implemented purely in software is easily defeated by memory scanning, debugger attacks and similar means, and holding the key in plaintext in memory is a security risk;
2) Traditional hardware encryption modules (such as HSMs) generally require complex driver integration and kernel modification, have high deployment and maintenance costs, and are difficult to apply flexibly in user mode;
3) Key management is inconvenient: in traditional schemes the encryption key is usually stored in a configuration file or a database, where it risks being stolen, and the key rotation and update mechanisms are complex;
4) Under national information security requirements, encryption algorithms meeting the national cryptographic standards (such as SM2, SM3 and SM4) are needed, but existing open-source file-system encryption schemes mostly adopt international standard algorithms and do not satisfy the national security compliance requirement;
5) Identity authentication is separated from authorization: conventional file-system encryption schemes usually attend only to data encryption, lack a tight coupling with user identity authentication, and find it difficult to realize fine-grained control of who may access which data.
Therefore, a client security mechanism that combines a national cryptographic algorithm, hardware UKey protection and a user-mode file system is urgently needed, so as to provide a data protection scheme that meets national information security standards while ensuring high-performance encryption and decryption, thereby overcoming the many defects of the prior art.
Disclosure of Invention
Addressing the technical problems of existing data security clients, namely insufficient security caused by plaintext storage of keys in memory or configuration files, lack of compliance because no encryption algorithm conforming to national standards is used, and the inability to realize fine-grained authority control because identity authentication is separated from data encryption, the invention provides a data security processing method, a client, an electronic device and a storage medium. It adopts a deeply fused architecture based on a hardware UKey and a user-mode encrypted file system (UeFS), combined with the national cryptographic algorithms (SM2, SM3 and SM4) and a multi-level key protection system, to construct an end-to-end secure data processing scheme with high security and high flexibility, thereby realizing physical isolation and secure layered management of keys, data protection meeting national information security compliance requirements, and integrated fine-grained 'person-key-data' security access control.
The technical scheme of the invention is as follows: a data security processing method applied to a client, wherein the client is communicatively connected to a hardware cryptographic device, the method comprising: intercepting a file upload request initiated by an application program through an adaptation library of a user-mode file system to obtain target file information; acquiring a master key held in the hardware cryptographic device, and deriving from the master key and the target file information a file encryption key uniquely corresponding to the target file, wherein the master key is physically isolated and protected by the hardware cryptographic device; invoking a national cryptographic algorithm library, and encrypting the data of the target file with a preset symmetric encryption algorithm and the file encryption key to obtain encrypted file data; invoking an asymmetric encryption algorithm in the national cryptographic algorithm library, and encrypting the file encryption key with the corresponding public key to obtain a ciphertext file key; generating an encrypted file header through an