A data hierarchical encryption method, device, equipment and medium

CN119720238BActive Publication Date: 2026-06-19CHINA TELECOM CLOUD TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA TELECOM CLOUD TECH CO LTD
Filing Date
2024-12-02
Publication Date
2026-06-19

Smart Images

  • Figure CN119720238B_ABST
    Figure CN119720238B_ABST
Patent Text Reader

Abstract

This invention provides a data hierarchical encryption method, apparatus, device, and medium. The method includes: acquiring target data and its usage scenarios; determining the security level and exposure level of the target data; the security level characterizing the importance of the data; the exposure level characterizing the exposure risk of the data; determining the number of encryption rounds based on the security level and exposure level of the target data; determining at least one target encryption algorithm; and performing hierarchical encryption on the target data according to the number of encryption rounds and the at least one target encryption algorithm to obtain encrypted data. This invention analyzes the target data and its usage scenarios to determine its security level and exposure level, and accordingly determines the number of encryption rounds. It combines at least one target encryption algorithm to perform hierarchical encryption on the data. This allows for personalized encryption schemes tailored to the characteristics and needs of different data, effectively improving data encryption and decryption performance and security, ensuring sufficient protection of sensitive information while optimizing encryption efficiency.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of encryption technology, and in particular to a data hierarchical encryption method and a data hierarchical encryption device. Background Technology

[0002] In cloud computing environments, servers store massive amounts of user data. To ensure data security, a unified symmetric encryption algorithm is typically used to encrypt the data before storing it on storage media. However, with the explosive growth of user data volume and the significant increase in access frequency, decryption operations place a heavy performance burden on servers. While a unified encryption algorithm can guarantee security, its high computational resource consumption makes it difficult to meet users' efficiency demands. Faced with massive amounts of data and frequent access, existing encryption methods are gradually becoming performance bottlenecks, affecting system response speed and service quality. Therefore, there is an urgent need for more efficient encryption solutions that can optimize decryption performance and reduce computational resource consumption while ensuring data security, in order to cope with the ever-increasing data processing demands and improve user experience and overall system performance. Summary of the Invention

[0003] In view of the above problems, embodiments of the present invention are proposed to provide a data hierarchical encryption method and a corresponding data hierarchical encryption device to overcome or at least partially solve the above problems.

[0004] According to a first aspect of the present invention, a data hierarchical encryption method is provided, the method comprising:

[0005] Acquiring target data and the use cases for said target data;

[0006] The security level and exposure level of the target data are determined; the security level characterizes the importance of the target data; the exposure level characterizes the risk of exposure of the target data in the usage scenario.

[0007] The number of encryption rounds is determined based on the security level and exposure level of the target data;

[0008] Determine at least one target encryption algorithm from a variety of preset encryption algorithms;

[0009] The target data is hierarchically encrypted according to the number of encryption rounds and at least one target encryption algorithm to obtain encrypted data.

[0010] Optionally, determining the number of encryption rounds based on the security level and exposure level of the target data includes:

[0011] Obtain the mapping table; the mapping table represents the relationship between the security level and exposure level of the target data and the number of encryption rounds;

[0012] Based on the mapping table, the security level and exposure level of the target data, the number of encryption rounds for the target data is determined.

[0013] Optionally, the method further includes:

[0014] When the use case of the target data changes, the exposure level of the target data should be redefined.

[0015] Based on the mapping table, the security level of the target data, and the redefined exposure level, the number of encryption rounds for the target data is redefined;

[0016] When the newly determined number of encryption rounds remains unchanged from the original number of encryption rounds, the encrypted data is determined to be suitable for the changed use case.

[0017] When the redefined number of encryption rounds changes relative to the original number of encryption rounds, it is determined that the encrypted data is not suitable for the changed use case; the difference between the redefined number of encryption rounds and the original number of encryption rounds is determined; and the encrypted data is encrypted or decrypted based on the difference in the number of encryption rounds.

[0018] Optionally, determining the difference between the re-determined number of encryption rounds and the original number of encryption rounds includes:

[0019] When the difference is greater than zero, the target data is encrypted based on the difference; when the difference is less than zero, the target data is decrypted based on the difference.

[0020] Optionally, the method further includes:

[0021] After the encrypted data is decrypted, determine the remaining number of decryption rounds for the encrypted data;

[0022] Generate a cache file of the encrypted data for the remaining decryption rounds, and configure the exposure time corresponding to the cache file; the exposure time represents the time during which the cache file is allowed to be decrypted;

[0023] If the cached file of the encrypted data is not decrypted within the specified exposure time, the cached file of the encrypted data is deleted.

[0024] Optionally, the step of performing hierarchical encryption on the target data according to the number of encryption rounds and at least one target encryption algorithm to obtain encrypted data includes:

[0025] Based on the number of encryption rounds and at least one target encryption algorithm, the target data is subjected to hierarchical encryption to obtain encrypted data content;

[0026] The target encryption algorithm and the number of encryption rounds are used as the header;

[0027] The header and the encrypted data content are combined to obtain the encrypted data.

[0028] Optional, also includes:

[0029] The encrypted version information symbol, random symmetric key, and digest are determined from the encrypted data content;

[0030] Add the encrypted version information symbol, the random symmetric key, and the digest to the information header.

[0031] According to a second aspect of the present invention, a data hierarchical encryption device is provided, the device comprising:

[0032] The first acquisition module is used to acquire target data and the usage scenarios of the target data;

[0033] The first determining module is used to determine the security level and exposure level of the target data; the security level characterizes the importance of the target data; the exposure level characterizes the exposure risk of the target data in the usage scenario;

[0034] The second determining module is used to determine the number of encryption rounds based on the security level and exposure level of the target data;

[0035] The third determining module is used to determine at least one target encryption algorithm from a variety of preset encryption algorithms;

[0036] The first encryption module is used to perform hierarchical encryption on the target data according to the encryption round number and at least one target encryption algorithm to obtain encrypted data.

[0037] Optionally, the second determining module includes:

[0038] The first acquisition submodule is used to acquire a mapping relationship table; the mapping relationship table represents the relationship between the security level and exposure level of the target data and the number of encryption rounds.

[0039] The first determining submodule is used to determine the number of encryption rounds of the target data based on the mapping relationship table, the security level and exposure level of the target data.

[0040] Optionally, the device further includes:

[0041] The third determining module is used to redetermine the exposure level of the target data when the usage scenario of the target data changes;

[0042] The fourth determining module is used to redetermine the number of encryption rounds for the target data based on the mapping table, the security level of the target data, and the redefined exposure level;

[0043] The fifth determining module is used to determine that the encrypted data is suitable for the changed use scenario when the re-determined number of encryption rounds is no different from the original number of encryption rounds.

[0044] The sixth determining module is used to determine that the encrypted data is not suitable for the changed use scenario when the re-determined number of encryption rounds changes relative to the original number of encryption rounds; determine the difference in the number of encryption rounds between the re-determined number of encryption rounds and the original number of encryption rounds; and encrypt or decrypt the encrypted data according to the difference in the number of encryption rounds.

[0045] Optionally, the sixth determining module includes:

[0046] The first encryption submodule is used to encrypt the target data according to the difference when the difference is greater than zero, and to decrypt the target data according to the difference when the difference is less than zero.

[0047] Optionally, the device further includes:

[0048] The seventh determining module is used to determine the remaining number of decryption rounds of the encrypted data after the encrypted data has been decrypted;

[0049] The first configuration module is used to generate a cache file of the encrypted data for the remaining decryption rounds, and configure the exposure time corresponding to the cache file; the exposure time represents the time during which the cache file is allowed to be decrypted;

[0050] The first deletion module is used to delete the cache file of the encrypted data if the cache file of the encrypted data is not decrypted within the specified exposure time.

[0051] Optionally, the first encryption module includes:

[0052] The second encryption submodule is used to perform hierarchical encryption on the target data according to the encryption round number and at least one target encryption algorithm to obtain encrypted data content;

[0053] The first module, as a submodule, is used to include the target encryption algorithm and the number of encryption rounds as the header.

[0054] The first merging submodule is used to merge the information header and the encrypted data content to obtain encrypted data.

[0055] Optionally, the first encryption module further includes:

[0056] The second determining submodule is used to determine the encryption version information character, random symmetric key, and digest based on the encrypted data content;

[0057] The first adding submodule is used to add the encrypted version information symbol, the random symmetric key, and the digest to the information header.

[0058] According to a third aspect of the present invention, an electronic device is provided, the electronic device comprising: a processor, a memory, and a computer program stored in the memory and capable of running on the processor, wherein the computer program, when executed by the processor, implements the steps of the data hierarchical encryption method as described in any of the preceding claims.

[0059] According to a fourth aspect of the present invention, a computer-readable storage medium is provided, on which a computer program is stored, which, when executed by a processor, implements the steps of the data hierarchical encryption method as described in any of the preceding claims.

[0060] The technical solutions provided by the embodiments of the present invention may include the following beneficial effects:

[0061] This invention provides a hierarchical data encryption method. The method involves: acquiring target data and its usage scenarios; determining the security level and exposure level of the target data; the security level representing the importance of the data; the exposure level representing the risk of data exposure; determining the number of encryption rounds based on the security level and exposure level of the target data; determining at least one target encryption algorithm; and performing hierarchical encryption on the target data according to the number of encryption rounds and the at least one target encryption algorithm to obtain encrypted data. This invention analyzes the target data and its usage scenarios to determine its security level and exposure level, and accordingly determines the number of encryption rounds. It combines at least one target encryption algorithm to perform hierarchical encryption on the data. This method can provide personalized encryption schemes for different data characteristics and needs, effectively improving data encryption and decryption performance and security, ensuring sufficient protection of sensitive information while optimizing encryption efficiency. Attached Figure Description

[0062] Figure 1 This is a flowchart illustrating the steps of a data hierarchical encryption method provided in an embodiment of the present invention;

[0063] Figure 2 This is a structural block diagram of a mapping relationship provided in an embodiment of the present invention;

[0064] Figure 3 This is a structural block diagram of a data hierarchical encryption device provided in an embodiment of the present invention. Detailed Implementation

[0065] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments.

[0066] One of the core concepts of this invention is that it analyzes target data and its usage scenarios to determine its security level and exposure level, and accordingly determines the number of encryption rounds. It then combines at least one target encryption algorithm to perform hierarchical encryption on the data. This allows for personalized encryption schemes tailored to the characteristics and needs of different data, effectively improving data encryption and decryption performance and security, ensuring sufficient protection of sensitive information while optimizing encryption efficiency.

[0067] Reference Figure 1 The diagram illustrates a flowchart of a data hierarchical encryption method provided by an embodiment of the present invention. The method may specifically include the following steps:

[0068] Step 101: Obtain the target data and the use cases of the target data;

[0069] Different data types and service scenarios have significantly different security requirements. For example, financial transaction data requires extremely high security, while general log files may only require basic protection. Understanding the use cases of data helps the system identify which data is most sensitive and which data can be handled with lower levels of encryption, thus avoiding the waste of resources caused by a "one-size-fits-all" encryption scheme. Obtaining target data and its use cases allows for a comprehensive assessment of the data's importance and exposure risks, thereby accurately determining the security level and exposure level. Based on these assessment results, the system can reasonably set the number of encryption rounds and select the most suitable encryption algorithm to implement tiered encryption.

[0070] Step 102: Determine the security level and exposure level of the target data; the security level characterizes the importance of the target data; the exposure level characterizes the risk of exposure of the target data in the usage scenario;

[0071] Security levels reflect the sensitivity and importance of the target data to the business. For example, critical data such as financial transaction records and personal privacy information require the highest level of protection, while general log files or public information can accept a lower level of encryption. By classifying data, it becomes clear which data is most critical and must be subject to high-strength encryption measures, and which data can use lighter-weight encryption methods while ensuring basic security. This not only improves the effectiveness of encryption but also optimizes the allocation of computing resources and reduces unnecessary performance overhead.

[0072] Exposure level characterizes the risk of data exposure in a specific use case, i.e., the likelihood of data being accessed or leaked without authorization. The risk of data exposure varies significantly across different use cases. For example, data transmitted in a public network environment faces a higher risk than data in a closed internal network. By assessing the exposure level, encryption strength and rounds can be adjusted to ensure high-risk data is adequately protected while reducing the encryption cost of low-risk data. Furthermore, exposure level can help identify potential security vulnerabilities, allowing for proactive preventative measures and reducing the risk of data breaches.

[0073] Step 103: Determine the number of encryption rounds based on the security level and exposure level of the target data;

[0074] The number of encryption rounds refers to the series of encryption operations used in an encryption algorithm. More encryption rounds increase the difficulty of cracking the algorithm, but also require more computing resources and time. Encryption rounds include: the initial round, normal rounds, and the final round. The initial round is the first round operation in a block cipher algorithm, generally performing simple processing on the input data to increase its complexity and randomness. Normal rounds, also called repeating rounds, perform operations on the input data multiple times, typically including byte substitution, row shifting, column obfuscation, and round key addition. The final round is the last round operation in a block cipher algorithm, generally a simplification of the normal round operations.

[0075] Data with high security levels requires stronger protection measures, while data with high exposure levels faces greater risks. Therefore, for data with both high security and high exposure levels, the number of encryption rounds needs to be increased to enhance encryption strength and prevent data theft or tampering. Conversely, for data with low security and low exposure levels, the number of encryption rounds can be reduced to improve encryption efficiency and reduce computational resource consumption. By determining the number of encryption rounds based on the security and exposure levels of the target data, personalized configuration of data encryption can be achieved, ensuring data security and reliability in different usage scenarios. This flexible encryption strategy not only improves the effectiveness of data protection but also optimizes the utilization of encryption resources, maximizing cost-effectiveness.

[0076] Step 104: Determine at least one target encryption algorithm from a variety of preset encryption algorithms;

[0077] From a variety of preset encryption algorithms, at least one target encryption algorithm is selected. Publicly available, mature block encryption algorithms can be chosen based on business needs, such as Triple Encryption Standard (DES), Advanced Encryption Standard (AES), International Data Encryption (IDS), Symmetric Key Block Encryption (SDI), and Chinese National Cryptography Algorithm 4 (CNRS 4). Alternatively, user-designed private block encryption algorithms can be used. Furthermore, multiple different block encryption algorithms can be combined for encryption to improve encryption effectiveness and security, depending on business requirements.

[0078] Publicly available, mature block encryption algorithms have been widely validated and applied, offering high security and reliability suitable for most business scenarios. User-designed private block encryption algorithms can be customized to meet specific needs, providing greater flexibility and security. Hybrid encryption combines the advantages of multiple encryption algorithms, further enhancing data security and reliability through multi-layered encryption protection. By selecting at least one target encryption algorithm from a range of preset algorithms and choosing an appropriate encryption strategy based on business needs, data security and reliability can be ensured across various usage scenarios. This flexible encryption strategy not only improves data protection effectiveness but also optimizes the utilization of encryption resources, maximizing cost-effectiveness.

[0079] Step 105: Based on the number of encryption rounds and at least one target encryption algorithm, perform hierarchical encryption on the target data to obtain encrypted data.

[0080] The number of encryption rounds determines the encryption strength; more rounds result in higher encryption strength, but also greater computational resource consumption. The choice of the target encryption algorithm depends on business needs and data characteristics. User-designed proprietary encryption algorithms can also be customized to meet specific requirements, providing greater flexibility and security. By tiered encryption of target data based on the number of encryption rounds and at least one target encryption algorithm, personalized data encryption configurations can be achieved, ensuring data security and reliability in different usage scenarios. This flexible encryption strategy not only improves data protection effectiveness but also optimizes the utilization of encryption resources, maximizing cost-effectiveness.

[0081] Reference Figure 2 The diagram illustrates a structural block diagram of a mapping relationship provided by an embodiment of the present invention.

[0082] In one embodiment, determining the number of encryption rounds based on the security level and exposure level of the target data includes: obtaining a mapping table; the mapping table characterizing the relationship between the security level and exposure level of the target data and the number of encryption rounds; and determining the number of encryption rounds of the target data based on the mapping table, the security level and exposure level of the target data.

[0083] Data security levels are categorized based on its importance and the severity of damage (attacks, leaks, tampering, etc.). In practice, data is generally classified into four security levels: core data, important data, general data, and public data. This avoids complexity and arbitrariness, facilitating data assessment and management. Users can also categorize data according to industry-specific data security standards, or add more granular data security levels based on business-specific data, compliance requirements, or other business needs.

[0084] For example, the "Guidelines for Data Security Classification of Financial Data" standard in the financial industry classifies data security levels from high to low into Level 5, Level 4, Level 3, Level 2, and Level 1, based on the affected entities and the degree of impact caused by the breach of data security of financial institutions. Level 5 involves data that affects national security, Level 4 is the highest level of data for ordinary financial institutions, Level 3 and above can be identified as important / sensitive data in the public's perception, Level 2 is commonly used data for internal office work of enterprises and institutions, and Level 1 is basically publicly available data.

[0085] Data exposure levels can be categorized based on the risks exposed in different use cases. Data exposure can be broadly divided into three levels according to storage and access scenarios: data storage exposure, external access exposure, and internal access exposure. Users can also control the duration of data exposure in different business scenarios to reduce risk exposure; further granular data exposure levels can be defined based on specific business use cases.

[0086] An encryption rounds matrix table can be created based on data security level and data exposure level to meet the business's requirements for data encryption strength. Alternatively, other forms of mapping tables can be used. Generally, public data does not require encryption. Core data typically uses full encryption across all exposures, employing standard block encryption algorithms plus a set number of encryption rounds. For important and general data, the encryption algorithm is simplified, using a custom number of encryption rounds. Different data security levels and data exposure levels can use the same number of encryption rounds. The data encryption rounds matrix information can be stored in a database and dynamically adjusted according to business needs, with adjustments taking effect immediately for new data. During adjustments, the differences between the old and new encryption rounds matrix information can be compared, and all encrypted data requiring adjusted encryption rounds can be iterated and updated. Furthermore, the data encryption rounds matrix information can be loaded into memory for caching during use, improving access efficiency.

[0087] The mapping table provides a correspondence between security levels, exposure levels, and the number of encryption rounds. By querying the mapping table, the appropriate number of encryption rounds can be quickly determined to achieve the best encryption effect. This method of determining the number of encryption rounds based on the mapping table not only improves the flexibility and accuracy of encryption strategies but also ensures the security and reliability of data in different use cases.

[0088] In one embodiment, the method further includes: when the use case of the target data changes, redetermining the exposure level of the target data; redetermining the number of encryption rounds of the target data based on the mapping table, the security level of the target data, and the redetermined exposure level; determining that the encrypted data is suitable for the changed use case when the redetermined number of encryption rounds is unchanged from the original number of encryption rounds; determining that the encrypted data is not suitable for the changed use case when the redetermined number of encryption rounds changes from the original number of encryption rounds; determining the difference between the redetermined number of encryption rounds and the original number of encryption rounds; and encrypting or decrypting the encrypted data based on the difference in the number of encryption rounds.

[0089] Changes in usage scenarios may alter the exposure risk of data, necessitating a reassessment of the exposure level and determination of an appropriate number of encryption rounds based on the new level. When the reassessed number of encryption rounds increases, additional encryption operations are required to enhance encryption strength and prevent theft or tampering. Conversely, when the reassessed number of encryption rounds decreases, decryption operations are necessary to reduce encryption strength, improve encryption efficiency, and minimize computational resource consumption. By reassessing the exposure level and number of encryption rounds based on changes in usage scenarios and encrypting or decrypting data according to the round difference, dynamic adjustments to data encryption can be achieved, ensuring data security and reliability across different usage scenarios. This flexible encryption strategy not only improves data protection effectiveness but also optimizes the utilization of encryption resources, maximizing cost-effectiveness.

[0090] In one embodiment, determining the difference between the re-determined number of encryption rounds and the original number of encryption rounds includes: encrypting the target data based on the difference when the difference is greater than zero; and decrypting the target data based on the difference when the difference is less than zero.

[0091] When the difference is greater than zero, it indicates that the number of encryption rounds needs to be increased, performing additional encryption operations on the target data to improve encryption strength and prevent data theft or tampering. When the difference is less than zero, it indicates that the number of encryption rounds needs to be reduced, performing decryption operations on the target data to reduce encryption strength, improve encryption efficiency, and reduce the consumption of computing resources. In different block encryption algorithms, the role of the final round may vary; the number of encryption rounds can be adjusted only for repeated rounds, while the final round is retained. This flexible encryption strategy not only improves the effectiveness of data protection but also optimizes the utilization of encryption resources, maximizing cost-effectiveness. By encrypting or decrypting the target data based on the difference, dynamic adjustment of data encryption can be achieved, ensuring the security and reliability of data in different usage scenarios.

[0092] In one embodiment, the method further includes: after the encrypted data is decrypted, determining the remaining number of decryption rounds of the encrypted data; generating a cache file of the encrypted data for the remaining number of decryption rounds, and configuring an open time corresponding to the cache file; the open time represents the time during which the cache file is allowed to be decrypted; and deleting the cache file of the encrypted data if the cache file of the encrypted data is not decrypted within the open time.

[0093] By determining the remaining decryption rounds, the decryption strength of encrypted data can be assessed, ensuring the security and reliability of the data after decryption. Generating cache files and configuring exposure time limits the decryption time of these cache files, preventing data from being exposed to risk for extended periods after decryption. If a cache file is not decrypted within the exposure time, it is deleted to ensure data security and reliability. This flexible decryption strategy not only improves data protection effectiveness but also optimizes the utilization of decryption resources, maximizing cost-effectiveness. By configuring exposure time and deleting undecrypted cache files, the security and reliability of data after decryption can be ensured, preventing unauthorized access or tampering.

[0094] For example, file A contains important data for a user. When stored, it is encrypted using the Advanced Encryption Standard (AES) algorithm for 10 rounds to ensure confidentiality in the event of a leak. When the file is authorized for external access by 10 users, each user accessing the file must undergo a complete decryption using the AES algorithm, requiring a total of 100 rounds of decryption. Using the tiered encryption scheme in this approach, when the first user accesses the file, a cache file with 6 rounds of encryption is generated by performing 4 rounds of decryption on the original encrypted file. The cache file's timeout is set to 5 minutes, thus the cache file's exposure time is 5 minutes. When subsequent users access the encrypted file within 5 minutes, they can directly perform 6 rounds of decryption on the cache file to obtain the plaintext file. Therefore, access to the file by 10 users requires a total of 64 rounds of decryption. When the file is authorized for internal user access, the number of encryption rounds for the cache file can be adjusted to 3 rounds, requiring a total of 37 rounds of decryption for access by 10 users. By comparison, it can be found that the hierarchical encryption scheme of the present invention can provide security for data in different scenarios while effectively improving data decryption performance.

[0095] In one embodiment, the step of performing hierarchical encryption on the target data according to the encryption round number and at least one target encryption algorithm to obtain encrypted data includes: performing hierarchical encryption on the target data according to the encryption round number and at least one target encryption algorithm to obtain encrypted data content; using the target encryption algorithm and the encryption round number as a header; and merging the header and the encrypted data content to obtain encrypted data.

[0096] The number of encryption rounds determines the encryption strength; more rounds result in higher encryption strength, but also greater computational resource consumption. The choice of the target encryption algorithm depends on business requirements and data characteristics. By using the target encryption algorithm and the number of encryption rounds as the header, subsequent decryption operations can be facilitated, ensuring the accuracy and consistency of the decryption process. The header contains key information about the encrypted data, such as the encryption algorithm and the number of encryption rounds. During decryption, the decryption strategy can be quickly determined based on the header, improving decryption efficiency and security. When the number of encryption rounds or the target encryption algorithm needs to be changed, the header and the encrypted data itself are updated accordingly.

[0097] In one embodiment, an encrypted version information symbol, a random symmetric key, and a digest are determined from the encrypted data content; the encrypted version information symbol, the random symmetric key, and the digest are added to the information header.

[0098] The encrypted version information flag can be used to inspect encrypted data. Based on the encrypted version information flag in the header, it can be determined whether the data is hierarchically encrypted. The random symmetric key is a randomly generated encryption key for each piece of data. It can be used for asymmetric encryption of data, achieving independent keys for each piece of data and separating data encryption / decryption permissions. The digest contains the one-way hash value of the data, used to check data integrity. The one-way hash value changes when the data is corrupted or modified.

[0099] The header provides key information about the encrypted data, enabling rapid determination of the decryption strategy and ensuring accuracy and consistency during the decryption process. Determining the encryption version identifier, random symmetric key, and digest from the encrypted data content and adding this information to the header further enhances the security and reliability of the encrypted data. Based on the encryption round number and at least one target encryption algorithm, the target data is hierarchically encrypted. The target encryption algorithm and encryption round number are used as the header. The header and encrypted data content are merged to obtain the encrypted data. The encryption version identifier, random symmetric key, and digest are determined from the encrypted data content and added to the header. This not only improves data protection effectiveness but also optimizes the utilization of encryption resources, maximizing cost-effectiveness.

[0100] This invention provides a hierarchical data encryption method. The method involves: acquiring target data and its usage scenarios; determining the security level and exposure level of the target data; the security level representing the importance of the data; the exposure level representing the risk of data exposure; determining the number of encryption rounds based on the security level and exposure level of the target data; determining at least one target encryption algorithm; and performing hierarchical encryption on the target data according to the number of encryption rounds and the at least one target encryption algorithm to obtain encrypted data. This invention analyzes the target data and its usage scenarios to determine its security level and exposure level, and accordingly determines the number of encryption rounds. It combines at least one target encryption algorithm to perform hierarchical encryption on the data. This method can provide personalized encryption schemes for different data characteristics and needs, effectively improving data encryption and decryption performance and security, ensuring sufficient protection of sensitive information while optimizing encryption efficiency.

[0101] It should be noted that, for the sake of simplicity, the method embodiments are all described as a series of actions. However, those skilled in the art should understand that the embodiments of the present invention are not limited to the described order of actions, because according to the embodiments of the present invention, some steps can be performed in other orders or simultaneously. Furthermore, those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily essential to the embodiments of the present invention.

[0102] Reference Figure 3 The diagram shows a structural block diagram of a data hierarchical encryption device provided by an embodiment of the present invention, which may specifically include the following modules:

[0103] The first acquisition module 301 is used to acquire target data and the usage scenario of the target data;

[0104] The first determining module 302 is used to determine the security level and exposure level of the target data; the security level characterizes the importance of the target data; the exposure level characterizes the exposure risk of the target data in the usage scenario;

[0105] The second determining module 303 is used to determine the number of encryption rounds based on the security level and exposure level of the target data;

[0106] The third determining module 304 is used to determine at least one target encryption algorithm from a variety of preset encryption algorithms;

[0107] The first encryption module 305 is used to perform hierarchical encryption on the target data according to the encryption round number and at least one target encryption algorithm to obtain encrypted data.

[0108] Optionally, the second determining module includes:

[0109] The first acquisition submodule is used to acquire a mapping relationship table; the mapping relationship table represents the relationship between the security level and exposure level of the target data and the number of encryption rounds.

[0110] The first determining submodule is used to determine the number of encryption rounds of the target data based on the mapping relationship table, the security level and exposure level of the target data.

[0111] Optionally, the device further includes:

[0112] The third determining module is used to redetermine the exposure level of the target data when the usage scenario of the target data changes;

[0113] The fourth determining module is used to redetermine the number of encryption rounds for the target data based on the mapping table, the security level of the target data, and the redefined exposure level;

[0114] The fifth determining module is used to determine that the encrypted data is suitable for the changed use scenario when the re-determined number of encryption rounds is no different from the original number of encryption rounds.

[0115] The sixth determining module is used to determine that the encrypted data is not suitable for the changed use scenario when the re-determined number of encryption rounds changes relative to the original number of encryption rounds; determine the difference in the number of encryption rounds between the re-determined number of encryption rounds and the original number of encryption rounds; and encrypt or decrypt the encrypted data according to the difference in the number of encryption rounds.

[0116] Optionally, the sixth determining module includes:

[0117] The first encryption submodule is used to encrypt the target data according to the difference when the difference is greater than zero, and to decrypt the target data according to the difference when the difference is less than zero.

[0118] Optionally, the device further includes:

[0119] The seventh determining module is used to determine the remaining number of decryption rounds of the encrypted data after the encrypted data has been decrypted;

[0120] The first configuration module is used to generate a cache file of the encrypted data for the remaining decryption rounds, and configure the exposure time corresponding to the cache file; the exposure time represents the time during which the cache file is allowed to be decrypted;

[0121] The first deletion module is used to delete the cache file of the encrypted data if the cache file of the encrypted data is not decrypted within the specified exposure time.

[0122] Optionally, the first encryption module includes:

[0123] The second encryption submodule is used to perform hierarchical encryption on the target data according to the encryption round number and at least one target encryption algorithm to obtain encrypted data content;

[0124] The first module, as a submodule, is used to include the target encryption algorithm and the number of encryption rounds as the header.

[0125] The first merging submodule is used to merge the information header and the encrypted data content to obtain encrypted data.

[0126] Optionally, the first encryption module further includes:

[0127] The second determining submodule is used to determine the encryption version information character, random symmetric key, and digest based on the encrypted data content;

[0128] The first adding submodule is used to add the encrypted version information symbol, the random symmetric key, and the digest to the information header.

[0129] This invention provides a hierarchical data encryption method. The method involves: acquiring target data and its usage scenarios; determining the security level and exposure level of the target data; the security level representing the importance of the data; the exposure level representing the risk of data exposure; determining the number of encryption rounds based on the security level and exposure level of the target data; determining at least one target encryption algorithm; and performing hierarchical encryption on the target data according to the number of encryption rounds and the at least one target encryption algorithm to obtain encrypted data. This invention analyzes the target data and its usage scenarios to determine its security level and exposure level, and accordingly determines the number of encryption rounds. It combines at least one target encryption algorithm to perform hierarchical encryption on the data. This method can provide personalized encryption schemes for different data characteristics and needs, effectively improving data encryption and decryption performance and security, ensuring sufficient protection of sensitive information while optimizing encryption efficiency.

[0130] As the device embodiment is basically similar to the method embodiment, the description is relatively simple, and relevant parts can be found in the description of the method embodiment.

[0131] This invention also provides an electronic device, comprising:

[0132] It includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor. When the computer program is executed by the processor, it implements the various processes of the above-described data hierarchical encryption method embodiments and achieves the same technical effect. To avoid repetition, it will not be described again here.

[0133] This invention also provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it implements the various processes of the above-described data hierarchical encryption method embodiments and achieves the same technical effect. To avoid repetition, it will not be described again here.

[0134] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. The same or similar parts between the various embodiments can be referred to each other.

[0135] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, apparatus, or computer program products. Therefore, embodiments of the present invention can take the form of entirely hardware embodiments, entirely software embodiments, or embodiments combining software and hardware aspects. Furthermore, embodiments of the present invention can take the form of computer program products implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0136] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0137] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0138] These computer program instructions can also be loaded onto a computer or other programmable data processing terminal equipment, causing a series of operational steps to be performed on the computer or other programmable terminal equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable terminal equipment for implementing the process. Figure 1One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0139] Although preferred embodiments of the present invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of the embodiments of the present invention.

[0140] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or terminal device. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or terminal device that includes said element.

[0141] The above provides a detailed description of a data hierarchical encryption method and a data hierarchical encryption device provided by the present invention. Specific examples have been used to illustrate the principles and implementation methods of the present invention. The description of the above embodiments is only for the purpose of helping to understand the method and core ideas of the present invention. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of the present invention. Therefore, the content of this specification should not be construed as a limitation of the present invention.

Claims

1. A data hierarchical encryption method, the method comprising: Acquiring target data and the use cases for said target data; Determine the security level and exposure level of the target data; The security level indicates the importance of the target data; The exposure level characterizes the risk of the target data being exposed in the usage scenario; The data is classified into exposure levels based on the risks exposed in different use cases; The number of encryption rounds is determined based on the security level and exposure level of the target data; Determine at least one target encryption algorithm from a variety of preset encryption algorithms; The target data is subjected to hierarchical encryption based on the number of encryption rounds and at least one target encryption algorithm to obtain encrypted data; The step of determining the number of encryption rounds based on the security level and exposure level of the target data includes: Obtain the mapping table; the mapping table represents the relationship between the security level and exposure level of the target data and the number of encryption rounds; Based on the mapping table, the security level and exposure level of the target data, the number of encryption rounds for the target data is determined.

2. The method according to claim 1, characterized in that, The method further includes: When the use case of the target data changes, the exposure level of the target data should be redefined. Based on the mapping table, the security level of the target data, and the redefined exposure level, the number of encryption rounds for the target data is redefined; When the newly determined number of encryption rounds remains unchanged from the original number of encryption rounds, the encrypted data is determined to be suitable for the changed use case. When the redefined number of encryption rounds changes relative to the original number of encryption rounds, it is determined that the encrypted data is not suitable for the changed use case; the difference between the redefined number of encryption rounds and the original number of encryption rounds is determined; and the encrypted data is encrypted or decrypted based on the difference in the number of encryption rounds.

3. The method according to claim 2, characterized in that, Determining the difference between the re-determined number of encryption rounds and the original number of encryption rounds includes: When the difference is greater than zero, the target data is encrypted based on the difference; when the difference is less than zero, the target data is decrypted based on the difference.

4. The method according to claim 1, characterized in that, The method further includes: After the encrypted data is decrypted, determine the remaining number of decryption rounds for the encrypted data; Generate a cache file of the encrypted data for the remaining decryption rounds, and configure the exposure time corresponding to the cache file; the exposure time represents the time during which the cache file is allowed to be decrypted; If the cached file of the encrypted data is not decrypted within the specified exposure time, the cached file of the encrypted data is deleted.

5. The method according to claim 1, characterized in that, The step of performing hierarchical encryption on the target data according to the encryption round number and at least one target encryption algorithm to obtain encrypted data includes: Based on the number of encryption rounds and at least one target encryption algorithm, the target data is subjected to hierarchical encryption to obtain encrypted data content; The target encryption algorithm and the number of encryption rounds are used as the header; The header and the encrypted data content are combined to obtain the encrypted data.

6. The method according to claim 5, characterized in that, Also includes: The encrypted version information symbol, random symmetric key, and digest are determined from the encrypted data content; Add the encrypted version information symbol, the random symmetric key, and the digest to the information header.

7. A data hierarchical encryption device, the device comprising: The first acquisition module is used to acquire target data and the usage scenarios of the target data; The first determining module is used to determine the security level and exposure level of the target data; The security level characterizes the importance of the target data; the exposure level characterizes the risk of exposure of the target data in the usage scenario. The second determining module is used to determine the number of encryption rounds based on the security level and exposure level of the target data; The third determining module is used to determine at least one target encryption algorithm from a variety of preset encryption algorithms; The first encryption module is used to perform hierarchical encryption on the target data according to the encryption round number and at least one target encryption algorithm to obtain encrypted data; The second determining module includes: The first acquisition submodule is used to acquire a mapping relationship table; the mapping relationship table represents the relationship between the security level and exposure level of the target data and the number of encryption rounds. The first determining submodule is used to determine the number of encryption rounds of the target data based on the mapping relationship table, the security level and exposure level of the target data; The device is also used to classify data exposure levels based on the risks exposed in different use scenarios.

8. An electronic device, characterized in that, include: A processor, a memory, and a computer program stored in the memory and capable of running on the processor, wherein the computer program, when executed by the processor, implements the steps of the data hierarchical encryption method as described in any one of claims 1-6.

9. A computer-readable storage medium, characterized in that, A computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the steps of the data hierarchical encryption method as described in any one of claims 1-6.