A data stream conversion verification method and device for unstructured data
By verifying user information and combining it with user operations to encrypt and decrypt unstructured data, the security issues of unstructured data during transmission and storage are solved, flexible access control and data privacy protection are achieved, and the risks of data leakage and tampering are reduced.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- JIANGSU TIANYUAN TENERING CO LTD
- Filing Date
- 2025-04-01
- Publication Date
- 2026-07-10
AI Technical Summary
Existing technologies cannot effectively verify and control the security of unstructured data during transmission and storage on internal and external networks, posing risks of data leakage and tampering. Furthermore, user information is easily obtained by hackers, and there is a lack of effective access control mechanisms.
By acquiring user actions and information, and using a pre-set user database to verify user accounts, passwords, hardware tokens, and IP addresses, the system encrypts or decrypts unstructured data based on the verification results, thereby enabling flexible access control over unstructured data and ensuring that only authorized users can download and browse the data.
It enables flexible control over access permissions to unstructured data, reduces potential security risks, protects the privacy and security of unstructured data, and improves data processing efficiency and security.
Smart Images

Figure CN120337251B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the technical field of data security, specifically relating to a method and apparatus for verifying the flow of unstructured data. Background Technology
[0002] Unstructured data refers to data with irregular or incomplete structures, lacking a predefined data model, and inconvenient to represent using two-dimensional logical tables in a database. Power data includes unstructured data. Power data security is crucial for ensuring the stable operation of the power system; data leakage and data tampering can severely impact the normal operation of the power system. Power data transmission involves a long data transmission chain and involves transmission between internal and external network environments.
[0003] Due to the unique nature of unstructured data, there is a significant risk of data leakage and tampering when large unstructured files are transmitted and stored between an enterprise's intranet and extranet. However, existing technologies cannot effectively verify whether unstructured data is leaked or tampered with during transmission and storage between intranet and extranet.
[0004] Patent CN111475845A discloses an unstructured data identity authorization access system and method. The system grants access permissions to unstructured data through digital identity authentication. The unstructured raw data is hashed, and the unstructured data is encrypted using the public key used during digital identity registration. The hash value and the public key representing the digital identity registration are stored on the blockchain to ensure the immutability of the unstructured data hash fingerprint. The key encryption of the unstructured data on the off-chain archiving server ensures the security of unstructured data storage. Furthermore, the identity access control of unstructured data can be sub-authorized, realizing information sharing under data encryption protection.
[0005] Currently, there are no effective mechanisms to ensure the immutability of unstructured data storage and access authorization, nor to control access permissions, resulting in numerous security vulnerabilities. Furthermore, because unstructured data is easily obtained by hackers and other individuals through illegal means, it poses a significant threat to user information security.
[0006] Therefore, how to provide flexible control over access permissions for unstructured data, so that only authorized users can download and browse the data, in order to reduce potential tampering and security risks and protect the privacy and security of unstructured data, is a problem that needs to be solved. Summary of the Invention
[0007] To address the shortcomings of existing technologies, this invention provides a method and apparatus for verifying the flow of unstructured data. The method includes: acquiring user operations and user information, wherein user operations include writing and / or reading unstructured data, and user information includes user account, user password, hardware token, and user IP; verifying the user account, user password, hardware token, and user IP based on a preset user database to obtain a verification result; and encrypting / decrypting the unstructured data based on the verification result and the user operations to complete the flow of the unstructured data. By acquiring user operations and user information, verifying user information using a user database, and encrypting and / or decrypting the unstructured data based on the verification result, the invention achieves flexible control over access permissions for unstructured data, ensuring that only authorized users can download and browse data, reducing potential security risks, and protecting the privacy and security of unstructured data.
[0008] In a first aspect, the present invention provides a data flow verification method for unstructured data, specifically including the following steps:
[0009] Acquire user actions and user information, wherein user actions include writing and / or reading unstructured data, and user information includes user account, user password, hardware token and user IP;
[0010] Based on a pre-set user database, the system verifies user accounts, passwords, hardware tokens, and user IPs to obtain verification results.
[0011] Based on the verification results and user actions, unstructured data is encrypted and / or decrypted to complete the flow of unstructured data.
[0012] Furthermore, based on the verification results and user actions, unstructured data is encrypted / decrypted to complete the flow of unstructured data, specifically including:
[0013] If the user's operation is to read unstructured data and the verification result is successful, then the unstructured data will be decrypted to complete the reading of the unstructured data.
[0014] If the user's operation is to write unstructured data and the verification result is successful, then the unstructured data is encrypted, and the writing of the unstructured data is completed.
[0015] Furthermore, the unstructured data is decrypted to complete the reading of the unstructured data, specifically including:
[0016] Based on user actions, retrieve the encrypted data of the corresponding unstructured data;
[0017] Using the decryption private key corresponding to the unstructured data, the ciphertext of the data is decrypted, thus completing the reading of the unstructured data. Specifically, this is represented as follows:
[0018] M1=(C1 d )mod n
[0019] Where M1 is unstructured data, C1 is encrypted data, (n, d) is the decryption private key, and mod is the modulo operation.
[0020] Furthermore, the unstructured data is decrypted to complete the reading of the unstructured data, specifically including:
[0021] Based on user actions, obtain multiple sub-data ciphertexts of the corresponding unstructured data;
[0022] By combining the decryption private key corresponding to the unstructured data, the ciphertext of multiple sub-data is decrypted to obtain multiple unstructured sub-data.
[0023] Multiple unstructured sub-data are concatenated to complete the reading of unstructured data.
[0024] Furthermore, encryption is performed on the unstructured data to complete the writing of the unstructured data, specifically including:
[0025] Perform volume determination on unstructured data and obtain the volume determination result;
[0026] Based on the volume judgment results, the unstructured data is analyzed to obtain unstructured intermediate data;
[0027] Obtain the encryption / decryption modulus and provide the Euler totient function. Combine this with a random encryption exponent to encrypt the unstructured intermediate data, thus completing the writing of the unstructured data.
[0028] Furthermore, the encryption / decryption modulus is obtained, and the Euler's totient function is given. Combined with a random encryption exponent, the unstructured intermediate data is encrypted, completing the writing of the unstructured data. Specifically, this includes:
[0029] Two distinct prime numbers are randomly selected, and the product of the two prime numbers is taken to obtain the encryption / decryption modulus;
[0030] Based on two distinct prime numbers and the encryption / decryption modulus, the Euler totient function is determined.
[0031] Randomly obtain the encryption exponent and combine it with Euler's totient function to give the decryption exponent, where 1 < encryption exponent < Euler's totient function, and the encryption exponent and Euler's totient function are coprime.
[0032] Based on the encryption / decryption modulus and encryption index, unstructured intermediate data is encrypted, and the encrypted unstructured intermediate data is stored together with the decryption index to complete the writing of unstructured data.
[0033] Furthermore, based on the volume judgment results, the unstructured data is analyzed to obtain unstructured intermediate data, specifically including:
[0034] If the volume determination result is less than the volume threshold, then the hash value of the unstructured data is given;
[0035] Use unstructured data and the hash value of unstructured data as unstructured intermediate data;
[0036] If the volume judgment result is greater than or equal to the volume threshold, the unstructured data is split to obtain multiple unstructured intermediate data.
[0037] Furthermore, the unstructured data is split into multiple unstructured intermediate data sets, specifically including:
[0038] Based on the punctuation marks in the unstructured data, the unstructured data is split into multiple sub-segments;
[0039] Based on the order of sub-segments, multiple consecutive sub-segments are combined to form candidate sub-texts. Each candidate sub-text consists of m consecutive sub-segments. The text volume of each candidate sub-text is less than a preset sub-text threshold, and the text volume of the candidate sub-text and the (m+1)th sub-segment is greater than the preset sub-text threshold, where m∈N. + ;
[0040] Construct a directed acyclic graph based on the order of candidate subtexts, where each node in the directed acyclic graph includes at least one candidate subtext, and the edges in the directed acyclic graph are the intersection degree of two candidate subtexts.
[0041] Based on the directed acyclic graph, we analyze the forward shortest path from the source to the sink and the reverse shortest path from the sink to the source, and determine the forward split point corresponding to the forward shortest path and the reverse split point corresponding to the reverse shortest path.
[0042] By comparing the forward shortest path and the reverse shortest path, the target split point is determined from the forward split point and the reverse split point, and the unstructured data is split to obtain unstructured intermediate data.
[0043] Furthermore, the encrypted unstructured intermediate data is stored, specifically including: storing the encrypted unstructured intermediate data in a file database, wherein the file database includes multiple blocks, each block including a block header and a block body; the block header is used to store the hash value of the current unstructured data, the hash value of the previous unstructured data, and the timestamp of the write time; the block body is used to store the current unstructured data.
[0044] Secondly, the present invention also provides a data flow verification apparatus for unstructured data, employing any one of the data flow verification methods for unstructured data described above, comprising:
[0045] The data acquisition module is used to acquire user operations and user information. User operations include writing and / or reading unstructured data, and user information includes user account, user password, hardware token and user IP.
[0046] The user authentication module is used to verify user accounts, user passwords, hardware tokens and user IPs based on a preset user database, and obtain the verification results.
[0047] The data flow module is used to encrypt and / or decrypt unstructured data based on the verification results and user operations, so as to complete the flow of unstructured data.
[0048] The present invention provides a data flow verification method and apparatus for unstructured data, which has at least the following beneficial effects:
[0049] (1) By acquiring user operations and user information, and verifying user information in conjunction with the user database, the unstructured data is encrypted / decrypted based on the verification results, thus completing the flow of unstructured data and enabling flexible control over access permissions for unstructured data. This allows authorized users to download and browse data, reducing potential security risks and protecting the privacy and security of unstructured data.
[0050] (2) By splitting large unstructured data into smaller parts, each part of the split unstructured data is encrypted and stored separately, which ensures the security of unstructured data and improves the processing efficiency of unstructured data. Attached Figure Description
[0051] Figure 1 A flowchart of a data flow verification method for unstructured data provided in an embodiment of the present invention;
[0052] Figure 2 The flowcharts for analysis and verification results and user operations provided in the embodiments of the present invention;
[0053] Figure 3 This is a flowchart of the decryption operation for unstructured data provided in an embodiment of the present invention;
[0054] Figure 4 This is a flowchart of an embodiment of the present invention for encrypting unstructured data;
[0055] Figure 5 This is a flowchart for obtaining unstructured intermediate data provided in an embodiment of the present invention;
[0056] Figure 6 This is a flowchart of splitting unstructured data provided in an embodiment of the present invention;
[0057] Figure 7 This is a flowchart of encrypting unstructured intermediate data provided in an embodiment of the present invention;
[0058] Figure 8 This is a schematic diagram of the structure of a file database provided in an embodiment of the present invention;
[0059] Figure 9 This is a schematic diagram illustrating the relationship between operations and hash values provided in an embodiment of the present invention;
[0060] Figure 10 This is a structural block diagram of a data flow verification device for unstructured data provided in an embodiment of the present invention.
[0061] Among them, 201 is the data acquisition module; 202 is the user verification module; and 203 is the data flow module. Detailed Implementation
[0062] To better understand the above technical solutions, a detailed description of the solutions will be provided below in conjunction with the accompanying drawings and specific embodiments. Obviously, the described embodiments are merely some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without creative effort are within the scope of protection of the present invention.
[0063] The terminology used in the embodiments of this invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms “a,” “the,” and “the” as used in the embodiments of this invention and the appended claims are also intended to include the plural forms, and “multiple” generally includes at least two unless the context clearly indicates otherwise.
[0064] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that an article or device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such an article or device. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the article or device that includes said element.
[0065] This invention provides a method and apparatus for verifying the flow of unstructured data. The method includes: acquiring user operations and user information, wherein the user operations include writing and / or reading unstructured data, and the user information includes user account, user password, hardware token, and user IP; verifying the user account, user password, hardware token, and user IP based on a preset user database to obtain a verification result; and encrypting and / or decrypting the unstructured data based on the verification result and the user operations to complete the flow of unstructured data. By verifying user information and, after successful verification, encrypting the unstructured data written by the user and decrypting the unstructured data read by the user, intelligent encryption and decryption during the writing and reading of unstructured data is achieved, ensuring the security of unstructured data usage. Simultaneously, during the writing and reading of unstructured data, the size of the unstructured data corresponding to the read / write operation is recorded, and intelligent operations are performed for read / write operations of unstructured data of different sizes to accelerate the reading and writing efficiency of unstructured data. Furthermore, unstructured data is monitored and verified in real time to avoid security issues.
[0066] like Figure 1 As shown in the figure, this embodiment of the invention provides a data flow verification method for unstructured data, the specific steps of which are as follows:
[0067] S101: Obtain user actions and user information.
[0068] Specifically, user operations include writing and / or reading unstructured data, and user information includes user account, user password, hardware token, and user IP (Internet protocol).
[0069] A user account is a unique identifier used to identify and manage a user's identity. It typically consists of a username or user ID, used to distinguish different users. A user password is the verification credential for the user account, used to verify the legitimacy of the user's identity. Passwords are usually a string of characters set by the user, including letters, numbers, and special symbols. A hardware token is a security device that enhances authentication by generating a one-time password, providing high security for scenarios requiring high security. Hardware tokens typically generate a random, one-time password periodically. This password is valid for a short time, usually only a few minutes. Users need to enter this password when logging in, and the system verifies its correctness. A user IP address is a unique identifier assigned to a user's device by the Internet Protocol (IP), used for network communication and device location, and is unique and globally universal.
[0070] Understandably, based on different user needs, user operations include writing and reading unstructured data. Different user operations will lead to different subsequent processing of the unstructured data. This unstructured data can be a single specific electricity file or a folder composed of multiple data files.
[0071] S102: Based on the preset user database, verify the user account, user password, hardware token and user IP, and obtain the verification result.
[0072] Specifically, when a user performs an operation on unstructured data, the system retrieves the user information and compares it with the user information already stored in the preset user database. If any of the user account, password, hardware token, or IP address fails to match, the verification result is "verification failed"; if all of these match successfully, the verification result is "verification passed".
[0073] Understandably, if none of the four items in the user information match, it indicates that the user is an unfamiliar user who has not read or written unstructured data, posing a certain risk; therefore, the verification result is "failed." If at least one item in the user information matches successfully, it means that some information of the user was entered incorrectly, and verification needs to be repeated until all user information matches successfully, thus passing the verification.
[0074] By comparing user information with information in the user database, user security is improved, thereby ensuring the security of using unstructured data.
[0075] S103: Based on the verification results and user operations, perform encryption and / or decryption operations on unstructured data to complete the flow of unstructured data.
[0076] Furthermore, referring to Figure 2If the user's operation is to read unstructured data and the verification result is successful, then the unstructured data will be decrypted to complete the reading of the unstructured data.
[0077] If the user's operation is to write unstructured data and the verification result is successful, then the unstructured data is encrypted, and the writing of the unstructured data is completed.
[0078] Furthermore, the unstructured data is decrypted, specifically including:
[0079] Based on user actions, retrieve the encrypted data of the corresponding unstructured data;
[0080] Using the decryption private key corresponding to the unstructured data, the ciphertext of the data is decrypted, thus completing the reading of the unstructured data. Specifically, this is represented as follows:
[0081] M1=(C1 d )mod n
[0082] Where M1 is unstructured data, C1 is encrypted data, (n, d) is the decryption private key, and mod is the modulo operation.
[0083] In one specific implementation, after user information is verified, when reading or writing a certain power file, the user needs to input the decryption private key of the power file to be read, and read the corresponding encrypted data C1 from the database based on the decryption private key. The encrypted data C1 is then decrypted using the decryption private key (n, d) corresponding to the power file. Substituting the decryption private key (n, d) and the encrypted data C1 into the decryption formula yields the unstructured data M1 corresponding to the power file. The decrypted unstructured data M1 is then returned to the user, completing the user's reading and viewing of the power file.
[0084] Furthermore, referring to Figure 3 Decryption of unstructured data includes:
[0085] Based on user actions, obtain multiple sub-data ciphertexts of the corresponding unstructured data;
[0086] By combining the decryption private key corresponding to the unstructured data, the ciphertext of multiple sub-data is decrypted to obtain multiple unstructured sub-data.
[0087] Multiple unstructured sub-data are concatenated to complete the reading of unstructured data.
[0088] In one possible implementation, when dealing with large amounts of unstructured data, the data is split into smaller parts for storage. Each part is then encrypted and stored separately. Therefore, when reading this type of unstructured data, it's necessary to obtain the decryption private key for each part, decrypt and concatenate the ciphertext of each sub-data element, and finally obtain the complete unstructured data. The decryption process for the sub-data elements is the same as the decryption process for the main data elements, and will not be elaborated here. The sub-data elements are decrypted and concatenated sequentially. Once all sub-data elements have been decrypted, they are concatenated to obtain the unstructured data.
[0089] The integrity of unstructured data is assessed. If the unstructured data is complete, the complete unstructured data is sent to the user, allowing them to read it. If the unstructured data is incomplete, the user's IP address and hardware token are added to a blacklist. In one specific example, integrity checks can be performed by comparing the size of the unstructured data. In other examples, integrity can be verified by calculating the checksum of the unstructured data (such as MD5, SHA-1, SHA-256, etc.). File integrity can also be verified by calculating the hash value of the unstructured data. A hash value is a digital fingerprint, possessing uniqueness and irreversibility.
[0090] Furthermore, referring to Figure 4 Encryption operations are performed on unstructured data, specifically including:
[0091] Perform volume determination on unstructured data and obtain the volume determination result;
[0092] Based on the volume judgment results, the unstructured data is analyzed to obtain unstructured intermediate data;
[0093] Obtain the encryption / decryption modulus and provide the Euler totient function. Combine this with a random encryption exponent to encrypt the unstructured intermediate data, thus completing the writing of the unstructured data.
[0094] Euler's totient function is the number of positive integers less than or equal to n that are relatively prime to n, where n is a positive integer.
[0095] Furthermore, referring to Figure 5 This yields unstructured intermediate data, specifically including:
[0096] If the volume determination result is less than the volume threshold, then the hash value of the unstructured data is given;
[0097] Use unstructured data and the hash value of unstructured data as unstructured intermediate data;
[0098] If the volume judgment result is greater than or equal to the volume threshold, the unstructured data is split to obtain multiple unstructured intermediate data.
[0099] Understandably, to improve the processing efficiency of unstructured data, ensure its security, and reduce the risk of data leakage, the volume of unstructured data needs to be assessed before writing it. If the unstructured data is small (less than the volume threshold), it can be written directly. If it is large (greater than or equal to the threshold), it needs to be split into smaller parts, each encrypted and stored separately. This ensures security while improving processing efficiency. The volume threshold can be set based on specific circumstances, such as the computing power of the device, and is not limited in this regard.
[0100] Furthermore, referring to Figure 6 The unstructured data is split into multiple unstructured intermediate data sets, specifically including:
[0101] Based on the punctuation marks in the unstructured data, the unstructured data is split into multiple sub-segments;
[0102] Based on the order of sub-segments, multiple consecutive sub-segments are combined to form candidate sub-texts. Each candidate sub-text consists of m consecutive sub-segments. The text volume of each candidate sub-text is less than a preset sub-text threshold, and the text volume of the candidate sub-text and the (m+1)th sub-segment is greater than the preset sub-text threshold, where m∈N. + ;
[0103] Construct a directed acyclic graph based on the order of candidate subtexts, where each node in the directed acyclic graph includes at least one candidate subtext, and the edges in the directed acyclic graph are the intersection degree of two candidate subtexts.
[0104] Based on the directed acyclic graph, we analyze the forward shortest path from the source to the sink and the reverse shortest path from the sink to the source, and determine the forward split point corresponding to the forward shortest path and the reverse split point corresponding to the reverse shortest path.
[0105] By comparing the forward shortest path and the reverse shortest path, the target split point is determined from the forward split point and the reverse split point, and the unstructured data is split to obtain unstructured intermediate data.
[0106] In one specific implementation, the unstructured file is split into multiple sub-segments based on the punctuation marks in the unstructured file. These sub-segments are then numbered sequentially as 1, 2, 3, 4, 5, ..., t. Then, based on a preset sub-text threshold, the sub-segments are recombined to obtain multiple candidate sub-texts, which are then labeled as p1, p2, p3, p4, p5, ..., py in sequence. In a specific example, for candidate sub-text p1, p1 consists of sub-segments 1, 2, and 3, and the total text volume of 1, 2, and 3 is less than the preset sub-text threshold, while the total text volume of 1, 2, 3, and 4 is greater than or equal to the preset sub-text threshold. That is, for candidate sub-text p1, m is 3. Candidate sub-text p1 has only this one combination method. For other candidate sub-texts, there may be multiple combination methods. Taking candidate sub-text p2 as an example, candidate sub-text p2 can be composed of sub-segments 2, 3, and 4; it can also be composed of sub-segments 3 and 4; or it can be composed of sub-segments 4 and 5. Understandably, in the above example, the combinations of candidate subtext p2 all satisfy the constraints regarding the subtext threshold. Based on the combinations of candidate subtext p2, it can be understood that other candidate subtexts may also include multiple combinations. After completing the combinations of all candidate subtexts, a directed acyclic graph (DAG) is constructed based on all candidate subtexts. The source node in the DAG is candidate subtext p1, and the node with an in-degree of zero is the candidate subtext p2 connected to candidate subtext p1. The edge between p1 and p2 is the intersection degree of p1 and p2, which is the square of the total number of characters in the intersection text of p1 and p2. For example, if p1 consists of sub-fragments 1, 2, and 3, and p2 consists of sub-fragments 2, 3, and 4, then the intersection text of p1 and p2 is sub-fragments 2 and 3. The square of the total number of characters in sub-fragments 2 and 3 is the intersection degree of p1 and the corresponding p2. Similarly, after constructing other candidate sub-texts, the directed acyclic graph is constructed. The sink node in the directed acyclic graph is the candidate sub-text py, and the sink node is the node with an out-degree of zero.
[0107] After constructing the directed acyclic graph (DAG), the source node is used as the starting point and the sink node as the ending point to find the forward shortest path from the source to the sink. Then, the sink node is used as the starting point and the source node as the ending point to find the reverse shortest path from the sink to the source. Both the forward and reverse shortest paths are composed of candidate sub-texts. The end of the intersection of any two candidate sub-texts in the forward shortest path is taken as the forward split point; similarly, the end of the intersection of any two candidate sub-texts in the reverse shortest path is taken as the reverse split point. The number of forward and reverse split points is determined. If the number of forward split points is less than or equal to the number of reverse split points, the unstructured data is split based on the forward split points; otherwise, if the number of forward split points is greater than the number of reverse split points, the unstructured data is split based on the reverse split points, resulting in multiple unstructured intermediate data sets.
[0108] Furthermore, if the volume determination result is less than the volume threshold, the hash value of the unstructured data is given;
[0109] Unstructured data and its hash value are used as unstructured intermediate data.
[0110] In the example provided by this invention, the hash value of the unstructured data is calculated using the MD5 hash function. In other embodiments, other hash functions may be used, and there is no limitation on this.
[0111] Furthermore, referring to Figure 7 Encryption of unstructured intermediate data includes:
[0112] Two distinct prime numbers are randomly selected, and the product of the two prime numbers is taken to obtain the encryption / decryption modulus;
[0113] Based on two distinct prime numbers and the encryption / decryption modulus, the Euler totient function is determined.
[0114] Randomly obtain the encryption exponent and combine it with Euler's totient function to give the decryption exponent, where 1 < encryption exponent < Euler's totient function, and the encryption exponent and Euler's totient function are coprime.
[0115] Based on the encryption / decryption modulus and encryption index, unstructured intermediate data is encrypted, and the encrypted unstructured intermediate data is stored together with the decryption index to complete the writing of unstructured data.
[0116] In one specific implementation, when a user operation involves writing unstructured data, the unstructured data to be written is obtained. Then, an encryption public key and a decryption private key corresponding to the unstructured data are generated. The encryption public key includes an encryption / decryption modulus and an encryption exponent, and the decryption private key includes an encryption / decryption modulus and a decryption exponent. The specific steps for determining the encryption public key and the decryption private key are as follows:
[0117] First, two distinct prime numbers p and q are randomly selected, and their product is calculated to obtain the encryption / decryption modulus n of the unstructured data. Based on the encryption / decryption modulus n, the Euler's totient function φ(n) corresponding to the unstructured data is given, specifically: φ(n) = (p-1) × (q-1). An encryption exponent w is randomly selected, where 1 < w < φ(n) and w and φ(n) are coprime. Using the Euler's totient function and the encryption exponent, the decryption exponent d is given, specifically: w × d ≡ 1 (mod φ(n)), where ≡ indicates congruence, and mod is the modulo operation, meaning w*d and 1 divided by φ(n) have the same remainder. Finally, the encryption public key (n, w) and decryption private key (n, d) are sent to the database for storage. Based on the encryption public key, the encryption of the unstructured intermediate data can be completed, obtaining the corresponding ciphertext C1, specifically:
[0118] C1=(M1 w )mod n
[0119] Where M1 is unstructured intermediate data, mod is modulo operation, n is the encryption / decryption modulus, and w is the encryption exponent.
[0120] After encrypting the unstructured intermediate data, the encrypted unstructured intermediate data is stored in the file database, where reference... Figure 8 The file database consists of multiple blocks, each block including a block header and a block body. The block header stores the hash value of the current unstructured data, the hash value of the previous unstructured data, and the timestamp of the write time. The block body stores the current unstructured data.
[0121] The data flow verification method based on unstructured data also includes determining whether the unstructured data has been tampered with. The specific steps are as follows:
[0122] Retrieve the hash value of each block in the file database and denote it as the leaf hash value i, where i is the number of the hash value of each block and i is a positive integer;
[0123] Calculate the root hash value in each block, where the root hash value is the sum of all the leaf hash values in the corresponding block, specifically expressed as: root hash value = leaf hash value 1 + leaf hash value 2 + ... + leaf hash value x, where x is the number of leaf hash values in the corresponding block;
[0124] Retrieve the historical root hash value and compare the historical hash value with the root hash value;
[0125] If the root hash value is not equal to the historical root hash value, it indicates that the unstructured file in the file database has been tampered with, generating an abnormal alert;
[0126] If the root hash value is equal to the historical root hash value, it means that the unstructured data in the file database has not been tampered with, and the monitoring or reading of the unstructured data can continue.
[0127] In other implementations, if the root hash value is not equal to the historical root hash value, indicating that the unstructured files in the file database have been tampered with, backup data is retrieved and the unstructured data in the corresponding block is repaired. After repair, monitoring or reading of the unstructured data continues. Simultaneously, the user IP address and hardware token corresponding to the user's operation are added to a blacklist.
[0128] In a specific example, refer to Figure 9 Operations 1 through 8 represent writing or modifying unstructured data. If any one of operations 1 through 8 succeeds, the hash value corresponding to the successful operation changes. Taking operations 1 and 2 as examples, hash 12 equals hash 1 plus hash 2. If either hash 1 or hash 2 changes, hash 12 will change. The root hash equals hash 1234 plus hash 5678. If any one of operations 1 through 8 succeeds, the root hash value will change.
[0129] It's important to clarify that the historical root hash value is the root hash value of all blocks when no operations have been performed on the unstructured data in the file database. This historical root hash value is stored in the file database. If a user performs normal operations on the unstructured data in the file database, the historical root hash value in the database is updated. If the unstructured data in the file database is tampered with, the corresponding hash value changes, causing the blocks to become unlinkable, thus further enhancing the security of the power files.
[0130] Reference Figure 10 This invention provides a data flow verification device for unstructured data, comprising:
[0131] The data acquisition module 201 is used to acquire user operations and user information. The user operations include writing and / or reading unstructured data, and the user information includes user account, user password, hardware token and user IP.
[0132] User verification module 202 is used to verify user account, user password, hardware token and user IP based on a preset user database and obtain verification results;
[0133] The data transfer module 203 is used to encrypt and / or decrypt unstructured data based on the verification results and user operations to complete the transfer of unstructured data.
[0134] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process of the described module can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.
[0135] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including both the preferred embodiments and all changes and modifications falling within the scope of the invention. Clearly, those skilled in the art can make various alterations and modifications to the invention without departing from its spirit and scope. Thus, if these modifications and modifications of the invention fall within the scope of the claims and their equivalents, the invention is also intended to include these modifications and modifications.
Claims
1. A data flow verification method based on unstructured data, characterized in that, include: Acquire user actions and user information, where user actions include writing / reading unstructured data, and user information includes user account, user password, hardware token, and user IP; Based on a pre-set user database, the system verifies user accounts, passwords, hardware tokens, and user IPs to obtain verification results. If the user's operation is to read unstructured data and the verification result is successful, then the unstructured data will be decrypted to complete the reading of the unstructured data. If the user operation is to write unstructured data and the verification result is that the verification passed, then the volume of the unstructured data is judged to obtain the volume judgment result. If the volume determination result is less than the volume threshold, then the hash value of the unstructured data is given; Use unstructured data and the hash value of unstructured data as unstructured intermediate data; If the volume determination result is greater than or equal to the volume threshold, the unstructured data is split into multiple sub-segments based on the punctuation marks in the unstructured data. Based on the order of the sub-segments, consecutive sub-segments are combined to form candidate sub-texts. Each candidate sub-text consists of m consecutive sub-segments, and the text volume of each candidate sub-text is less than a preset sub-text threshold. Furthermore, the text volume of the candidate sub-text and the (m+1)th sub-segment is greater than the preset sub-text threshold. Based on the order of candidate sub-texts, a directed acyclic graph (DAG) is constructed, where each node in the DAG includes at least one candidate sub-text, and the edges in the DAG represent the intersection degree of two candidate sub-texts. Based on the DAG, the forward shortest path from the source to the sink and the reverse shortest path from the sink to the source are analyzed to determine the forward split point corresponding to the forward shortest path and the reverse split point corresponding to the reverse shortest path. The forward and reverse shortest paths are compared, and the target split point is determined from the forward and reverse split points to segment the unstructured data, obtaining unstructured intermediate data. Obtain the encryption / decryption modulus and provide the Euler totient function. Combine this with a random encryption exponent to encrypt the unstructured intermediate data, thus completing the writing of the unstructured data.
2. The data flow verification method based on unstructured data as described in claim 1, characterized in that, Decrypting unstructured data to complete the reading of unstructured data includes: Based on user actions, retrieve the encrypted data of the corresponding unstructured data; Using the decryption private key corresponding to the unstructured data, the ciphertext of the data is decrypted, thus completing the reading of the unstructured data. Specifically, this is represented as follows: ; Where M1 is unstructured data, C1 is encrypted data, (n, d) is the decryption private key, and mod is the modulo operation.
3. The data flow verification method based on unstructured data as described in claim 1, characterized in that, Decrypting unstructured data to complete the reading of unstructured data includes: Based on user actions, obtain multiple sub-data ciphertexts of the corresponding unstructured data; By combining the decryption private key corresponding to the unstructured data, the ciphertext of multiple sub-data is decrypted to obtain multiple unstructured sub-data. Multiple unstructured sub-data are concatenated to complete the reading of unstructured data.
4. The data flow verification method based on unstructured data as described in claim 1, characterized in that, Obtain the encryption / decryption modulus and provide the Euler's totient function. Combine this with a random encryption exponent to encrypt unstructured intermediate data, completing the writing of the unstructured data. Specifically, this includes: Two distinct prime numbers are randomly selected, and the product of the two prime numbers is taken to obtain the encryption / decryption modulus; Based on two distinct prime numbers and the encryption / decryption modulus, the Euler totient function is determined. Randomly obtain the encryption exponent and combine it with Euler's totient function to give the decryption exponent, where 1 < w < Euler's totient function and the encryption exponent and Euler's totient function are coprime. Based on the encryption / decryption modulus and encryption index, unstructured intermediate data is encrypted, and the encrypted unstructured intermediate data is stored together with the decryption index to complete the writing of unstructured data.
5. The data flow verification method based on unstructured data as described in claim 1, characterized in that, The encrypted unstructured intermediate data is stored in a file database, which consists of multiple blocks. Each block includes a block header and a block body. The block header stores the hash value of the current unstructured data, the hash value of the previous unstructured data, and a timestamp of the write time. The block body stores the current unstructured data.
6. A data flow verification device based on unstructured data, characterized in that, The data flow verification method based on unstructured data as described in any one of claims 1-5 includes: The data acquisition module is used to acquire user operations and user information. User operations include writing / reading unstructured data, and user information includes user account, user password, hardware token, and user IP. The user authentication module is used to verify user accounts, user passwords, hardware tokens and user IPs based on a preset user database, and obtain the verification results. The data flow module is used to encrypt / decrypt unstructured data based on the verification results and user operations, so as to complete the flow of unstructured data.