A data encryption method, device, apparatus and storage medium
By introducing a hierarchical key management architecture and multi-layered encryption algorithms into the cryptographic service management platform, the problems of insufficient key centralization and isolation in traditional platforms are solved, achieving higher data security and compliance.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HANGZHOU FULANKE INFORMATION SECURITY TECH CO LTD
- Filing Date
- 2026-04-09
- Publication Date
- 2026-07-03
AI Technical Summary
Traditional cryptographic service management platforms suffer from risks of key centralization, lack of internal isolation mechanisms, and unclear security boundaries, resulting in insufficient data security and compliance.
A hierarchical key management architecture is adopted, including a cryptographic hardware layer, a platform security layer, and a tenant security layer. The keys are decrypted and encrypted through security domain isolation technology and multi-level encryption algorithms (such as SM4 and SM2) to ensure the isolation and protection of keys between different levels.
It improves the security of the data encryption process, prevents data leakage, and enhances the overall security, trustworthiness, and compliance of the cryptographic service management platform.
Smart Images

Figure CN122001687B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of information security technology, and in particular to a data encryption method, apparatus, device and storage medium. Background Technology
[0002] In today's cloud computing and digital environment, cryptography is the cornerstone of data security. Various applications in different fields (such as government affairs, finance, and e-commerce) (such as mobile payment, electronic contracts, and data encryption) typically need to use a cryptographic service management platform to uniformly access cryptographic computing capabilities in order to achieve security services such as key management, encryption, and signing.
[0003] However, traditional cryptographic service management platforms often interact directly with the underlying cryptographic hardware, treating themselves as complex business systems. Their key protection systems suffer from the following problems: Centralized key risk: The platform needs to centrally manage a large number of highly sensitive keys. If these keys are leaked at the software level, all the data they protect will be compromised; Lack of internal isolation mechanism: The keys and usage scenarios of different businesses and tenants lack effective logical isolation within the platform, making it easy for a single module to be compromised, resulting in a chain reaction; Ambiguous security boundaries: When the platform calls on the computing power of the underlying VSM (virtual security module), it lacks structured security protection measures, making it difficult to achieve fine-grained control over the key lifecycle.
[0004] Furthermore, current cloud-hosted hardware security modules (CloudHSMs) based on the GM / T 0104 standard (a technical specification for cloud server cryptographic machines) typically use hardware virtualization technology to create multiple isolated virtual cryptographic modules. This approach limits key protection to the boundaries of these virtual modules and fails to effectively protect keys and sensitive data within the cryptographic service management platform. Moreover, current cryptographic service management platforms do not implement layered and graded protection for keys and sensitive data during key lifecycle management, leading to blurred security boundaries and the risk of attack surface expansion.
[0005] Therefore, how to store and retrieve keys, and effectively isolate and manage them during use to ensure the overall security of the platform, prevent key leakage at the software layer, and thus improve data security encryption is a problem that still needs to be further solved in this field. Summary of the Invention
[0006] In view of this, the purpose of this application is to provide a data encryption method, apparatus, device, and storage medium, applied to a cryptographic service management platform, which can improve the security of the data encryption process, prevent data leakage, and thus greatly enhance the overall security, trustworthiness, and compliance of the cryptographic service management platform. The specific solution is as follows:
[0007] In a first aspect, this application discloses a data encryption method applied to a cryptographic service management platform. The cryptographic service management platform includes a cryptographic hardware layer, a platform security layer, and a tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine and multiple virtual cryptographic machines created by the cloud server cryptographic machine. The method includes:
[0008] Receive a data encryption request sent by any business application in the target tenant; the data encryption request carries the tenant identifier of the target tenant, the application identifier of any business application, and the data to be encrypted;
[0009] The system queries the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer, and obtains the platform master key pre-created for the cryptographic service management platform from the platform security layer.
[0010] In the tenant security layer, the platform master key is used to decrypt the target tenant key ciphertext to obtain the target tenant key plaintext, and the target application key ciphertext is decrypted using the target tenant key plaintext to obtain the target application key plaintext.
[0011] The plaintext of the target application key and the data to be encrypted are sent to the target virtual cryptographic machine pre-assigned to the target tenant, so as to encrypt the data to be encrypted based on the plaintext of the target application key to obtain the ciphertext, and the ciphertext is sent to any of the business applications.
[0012] Optionally, the step of decrypting the ciphertext of the target tenant key using the platform master key in the tenant security layer to obtain the plaintext of the target tenant key, and then decrypting the ciphertext of the target application key using the plaintext of the target tenant key to obtain the plaintext of the target application key, includes:
[0013] The data encryption request is routed to the tenant security subdomain corresponding to the application identifier and the tenant identifier; the tenant security subdomain is a logically isolated security domain created for the target tenant in the tenant security layer using security domain isolation technology;
[0014] In the tenant security subdomain, the target tenant key ciphertext is decrypted based on the platform master key and using the SM4 algorithm to obtain the target tenant key plaintext; the platform master key is located in the platform security domain, which is a logically isolated security domain created in the platform security layer using security domain isolation technology;
[0015] Based on the plaintext of the target tenant key and using the SM4 algorithm, the ciphertext of the target application key is decrypted to obtain the plaintext of the target application key;
[0016] Accordingly, after decrypting the target application key ciphertext using the target tenant key plaintext to obtain the target application key plaintext, the process further includes:
[0017] The plaintext of the target tenant key and the plaintext of the target application key are saved to the temporary storage area of the tenant security layer.
[0018] Optionally, sending the plaintext of the target application key and the data to be encrypted to a target virtual cryptographic machine pre-assigned to the target tenant includes:
[0019] Based on the public key in the cloud cryptographic machine key located in the cryptographic hardware layer and using the SM2 algorithm, the plaintext of the target application key and the data to be encrypted are encrypted to obtain an encrypted data packet, and the encrypted data packet is sent to the cloud server cryptographic machine in the cryptographic hardware layer.
[0020] Using the cloud server cryptographic machine, the encrypted data packet is decrypted based on the private key within the cloud cryptographic machine key and the SM2 algorithm to obtain the target application key plaintext and the data to be encrypted. The target application key plaintext and the data to be encrypted are then sent to the target virtual cryptographic machine pre-assigned to the target tenant.
[0021] Optionally, encrypting the data to be encrypted based on the plaintext of the target application key to obtain ciphertext, and sending the ciphertext to any of the business applications, includes:
[0022] Based on the plaintext of the target application key, the data to be encrypted is encrypted using the SM4 algorithm to obtain the ciphertext;
[0023] The encrypted data is sent to the tenant security layer, and then from the tenant security layer to the platform security layer. Finally, the encrypted data is sent to any of the business applications through the service gateway in the platform security layer.
[0024] Accordingly, after sending the encrypted data to any of the business applications, the process further includes:
[0025] Delete the plaintext of the target tenant key and the plaintext of the target application key from the temporary storage area.
[0026] Optionally, the data encryption method further includes:
[0027] An SM4 symmetric key is generated by the cryptographic card inside the cloud server cryptographic machine, and a cryptographic master key for the cloud server cryptographic machine is obtained and stored in the cryptographic card.
[0028] Generate a preset key pair, encrypt the preset key pair using the master key of the cryptographic machine to obtain the cloud cryptographic machine key, and store the cloud cryptographic machine key in the cloud server cryptographic machine;
[0029] The SM4 symmetric key pair is generated by the virtual cryptographic machine in the cloud server cryptographic machine to obtain the platform master key for the cryptographic service management platform, and the platform master key is saved to the platform security domain of the platform security layer.
[0030] When any tenant registration is detected, the cloud server cryptographic machine is invoked to generate an SM4 symmetric key in the virtual cryptographic machine corresponding to any tenant, thereby obtaining the tenant key plaintext of any tenant;
[0031] The tenant key plaintext is encrypted based on the platform master key to obtain the tenant key ciphertext, and the tenant key ciphertext is saved to the corresponding tenant security subdomain of the tenant security layer;
[0032] When any business application of any tenant is detected to be accessing the cloud server, the cloud server cryptographic machine is invoked to generate an SM4 symmetric key in the virtual cryptographic machine corresponding to any tenant, and the application key plaintext of any business application is obtained.
[0033] The application key plaintext is encrypted based on the tenant key plaintext to obtain the application key ciphertext, and an association is established between the platform master key and the tenant key ciphertext, as well as between the tenant key ciphertext and the application key ciphertext.
[0034] Optionally, the data encryption method further includes:
[0035] Obtain a first random sequence generated by the virtual cryptographic machine in the cloud server cryptographic machine, and a second random sequence generated internally by the platform software during the initial initialization of the cryptographic service management platform;
[0036] The second random sequence is encrypted using the first random sequence to obtain the encrypted sequence;
[0037] The first random sequence is subjected to an inductive transformation using an inductive permutation table located in the virtual cryptographic machine to obtain a transformed sequence, and the platform master key is generated based on the encrypted sequence and the transformed sequence.
[0038] Optionally, querying the ciphertext of the target application key corresponding to the application identifier and the ciphertext of the target tenant key corresponding to the tenant identifier from the tenant security layer includes:
[0039] Based on the tenant identifier in the data encryption request, the identity of any of the business applications is authenticated to obtain the application authentication result;
[0040] If the application authentication result is successful, then query the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer.
[0041] Secondly, this application discloses a data encryption device applied to a cryptographic service management platform. The cryptographic service management platform includes a cryptographic hardware layer, a platform security layer, and a tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine and multiple virtual cryptographic machines created by the cloud server cryptographic machine. The device includes:
[0042] The receiving module is used to receive a data encryption request sent by any business application in the target tenant; the data encryption request carries the tenant identifier of the target tenant, the application identifier of any business application, and the data to be encrypted;
[0043] The query module is used to query the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer;
[0044] The acquisition module is used to acquire the platform master key that has been pre-created for the cryptographic service management platform from the platform security layer;
[0045] The decryption module is used to decrypt the target tenant key ciphertext using the platform master key in the tenant security layer to obtain the target tenant key plaintext, and to decrypt the target application key ciphertext using the target tenant key plaintext to obtain the target application key plaintext.
[0046] The sending module is used to send the plaintext of the target application key and the data to be encrypted to a target virtual cryptographic machine pre-allocated to the target tenant, so as to encrypt the data to be encrypted based on the plaintext of the target application key to obtain ciphertext, and send the ciphertext to any of the business applications.
[0047] Thirdly, this application discloses an electronic device, including a processor and a memory; wherein, when the processor executes a computer program stored in the memory, it implements the aforementioned data encryption method.
[0048] Fourthly, this application discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned data encryption method.
[0049] As can be seen, this application is applied to a cryptographic service management platform, which includes a cryptographic hardware layer, a platform security layer, and a tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine and multiple virtual cryptographic machines created by the cloud server cryptographic machine. When a data encryption request (carrying the tenant identifier of the target tenant, the application identifier of the any business application, and the data to be encrypted) is received from any business application in the target tenant, the platform security layer queries the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer, and then queries the platform security layer. The system retrieves the platform master key pre-created for the cryptographic service management platform in the tenant security layer. Then, in the tenant security layer, it uses the platform master key to decrypt the target tenant key ciphertext to obtain the target tenant key plaintext. The target tenant key plaintext is then used to decrypt the target application key ciphertext to obtain the target application key plaintext. Finally, the target application key plaintext and the data to be encrypted are sent to a target virtual cryptographic machine pre-assigned to the target tenant to encrypt the data based on the target application key plaintext, obtaining data ciphertext. The data ciphertext is then sent to any of the business applications. This application pre-creates three different layers in the cryptographic service management platform: a cryptographic hardware layer, a platform security layer, and a tenant security layer. When a data encryption request (including application identifier and tenant identifier) is received from any business application, the application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier are first retrieved from the tenant security layer. The platform master key is then obtained from the platform security layer. The tenant key ciphertext is then decrypted using the platform master key in the tenant security layer. The decrypted tenant key plaintext is then used to decrypt the application key ciphertext to obtain the target application key plaintext. Finally, the decrypted application key plaintext and the data to be encrypted are sent to the corresponding virtual cryptographic machine in the cryptographic hardware layer to perform encryption operations on the data using the application key plaintext. It is evident that this application encrypts data through the collaborative work of multiple different layers, and the keys stored in each layer are all in ciphertext form. This improves the security of the data encryption process, prevents data leakage, and greatly enhances the overall security, trustworthiness, and compliance of the cryptographic service management platform. Attached Figure Description
[0050] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of this application. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.
[0051] Figure 1 This is a flowchart of a data encryption method disclosed in this application;
[0052] Figure 2 This is a schematic diagram of the process structure of a specific data encryption method disclosed in this application;
[0053] Figure 3 This is a flowchart of a specific data encryption method disclosed in this application;
[0054] Figure 4 This is a schematic diagram of the structure of a data encryption device disclosed in this application;
[0055] Figure 5 This is a structural diagram of an electronic device disclosed in this application. Detailed Implementation
[0056] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0057] This application discloses a data encryption method applied to a cryptographic service management platform. The cryptographic service management platform includes a cryptographic hardware layer, a platform security layer, and a tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine and multiple virtual cryptographic machines created by the cloud server cryptographic machine. (See also...) Figure 1 As shown, the method includes:
[0058] Step S11: Receive a data encryption request sent by any business application in the target tenant; the data encryption request carries the tenant identifier of the target tenant, the application identifier of any business application, and the data to be encrypted.
[0059] It should be noted that the data encryption scheme proposed in this application is specifically applied to a cryptographic service management platform, which contains three different layers: the cryptographic hardware layer, the platform security layer, and the tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine (CHSM) and a virtual cryptographic machine (VSM) created for different tenants through the cloud server cryptographic machine.
[0060] For details, see Figure 2 As shown, the key protection structure within the cryptographic service management platform of this application comprises three logical layers: a cryptographic hardware layer, a platform security layer, and a tenant security layer. These three layers, from bottom to top, progressively increase in security strength and trust granularity, collectively forming a defense-in-depth system. This overcomes the problems of concentrated attack surfaces and high lateral diffusion risks inherent in traditional cryptographic service management platforms due to their flat internal key management structure and lack of logical isolation. Furthermore, the three different logical layers can be isolated using security domain isolation technology to enhance the security of the data encryption process.
[0061] The cryptographic hardware layer serves as the root of trust and the cornerstone of security for the entire system. It can be composed of cloud server cryptographic machines with physical hardware structures conforming to standards such as GM / T 0104. This provides hardware-protected cryptographic computing resources, and the cryptographic hardware layer internally supports the generation of corresponding VSMs (Virtual Cryptographic Machines) for different tenants through the cloud server cryptographic machines, thereby providing hardware-level protected cryptographic computing capabilities to different tenants. It should be noted that the cryptographic service management platform can manage multiple cloud server cryptographic machines to form a resource pool.
[0062] Specifically, both the platform security layer and the tenant security layer reside in the software layer of the cryptographic service management platform. The platform security layer is the core of the platform's intrinsic security. Its key system is independent of business logic and employs a hierarchical management strategy. All keys are centrally stored within the platform's software layer and protected by the platform's security domain. Through the key structure within the platform security layer, separate management of the platform's own keys and tenant keys can be achieved, providing separate security protection for both the platform and tenants. The tenant security layer is located below the platform security layer. Through its internal key structure, separate management of tenant's own keys and application keys can be achieved, providing separate security protection for tenants and business applications. Furthermore, this layer does not directly process plaintext; all cryptographic operation requests are routed to the cryptographic hardware layer for processing. In addition, the three logical layers communicate through clearly defined, controlled secure channels to ensure the confidentiality and integrity of sensitive data during cross-layer transmission.
[0063] In this embodiment, when the cryptographic service management platform detects that a business application within any tenant (providing cryptographic services to the group) that has established a communication connection sends a data encryption request via a standard API (Application Programming Interface), it first verifies the identity of the tenant. If it detects that the tenant sending the request is the tenant providing the cryptographic service (i.e., a tenant with access rights), it receives the data encryption request and parses it to obtain the tenant identifier of the current tenant, the application identifier of the current business application, and the data to be encrypted carried in the request. The data to be encrypted includes, but is not limited to, images, text, video, audio, etc., and the data format includes, but is not limited to, JSON (key-value pair structure), XML (markup language), and TXT (plain text). The business applications include, but are not limited to, mobile payment applications, e-commerce applications, supply chain and logistics tracking applications, government data security applications, electronic health record and query applications, and medical device data security applications.
[0064] It should be noted that before data encryption, the process specifically includes: generating an SM4 symmetric key through a cryptographic card inside the cloud server cryptographic machine to obtain a cryptographic machine master key for the cloud server cryptographic machine, and storing the cryptographic machine master key in the cryptographic card; generating a preset key pair, encrypting the preset key pair using the cryptographic machine master key to obtain a cloud cryptographic machine key, and storing the cloud cryptographic machine key in the cloud server cryptographic machine; generating an SM4 symmetric key pair through a virtual cryptographic machine in the cloud server cryptographic machine to obtain a platform master key for the cryptographic service management platform, and saving the platform master key to the platform security domain of the platform security layer; when any tenant registration is detected, invoking the cloud server cryptographic machine to access the platform security domain. An SM4 symmetric key is generated in the virtual cryptographic machine corresponding to a tenant, resulting in the tenant key plaintext for any tenant. The tenant key plaintext is then encrypted using the platform master key to obtain the tenant key ciphertext, which is saved to the corresponding tenant security subdomain of the tenant security layer. When any business application of any tenant is detected to be accessing the system, the cloud server cryptographic machine is invoked to generate an SM4 symmetric key in the virtual cryptographic machine corresponding to that tenant, resulting in the application key plaintext for that business application. The application key plaintext is then encrypted using the tenant key plaintext to obtain the application key ciphertext, and an association is established between the platform master key and the tenant key ciphertext, as well as between the tenant key ciphertext and the application key ciphertext. In this embodiment, see [reference needed]. Figure 2As shown, a layered key protection architecture is adopted in the cryptographic hardware layer, platform security layer, and tenant security layer, pre-storing relevant keys to ensure data security during the data encryption process. The second-layer keys (such as tenant key ciphertext) are encrypted and protected by the upper-layer key (such as the platform master key). Specifically, during the initialization of the cloud server cryptographic machine (i.e., the CHSM device), an SM4 symmetric key is generated through the hardware cryptographic card inside the CHSM and used as the top-level management key of the cloud server cryptographic machine, i.e., the cryptographic machine master key (CHSM master key). This master key is then stored in the cryptographic card. The cryptographic machine master key (CHSM master key) is used to encrypt and protect other second-layer keys within the CHSM device, serving as the starting point for device-level security. Furthermore, the key structure within the CHSM, in addition to serving the security of the device itself, can also provide virtualization isolation. Next, a second-level key for the CHSM is generated, resulting in the cloud cryptographic machine key (CHSM device key). This key is protected by the CHSM master key. The generation process of the cloud cryptographic machine key (CHSM device key) can be as follows: a target key pair containing a set of signature key pairs and a set of encryption key pairs is generated (used to establish a two-way authentication and secure communication channel between the hardware of the cloud server cryptographic machine and the software of the upper-layer cryptographic service management platform). Then, the target key is encrypted using the cryptographic machine master key (CHSM master key) to obtain the cloud cryptographic machine key (CHSM device key). Finally, the cloud cryptographic machine key (CHSM device key) is stored in the cloud server cryptographic machine (i.e., the CHSM device). Additionally, during the platform software initialization phase, the cloud server cryptographic machine (i.e., CHSM device) can be invoked to generate an SM4 symmetric key pair in the current tenant's virtual cryptographic machine (i.e., VSM) to obtain the platform master key of the cryptographic service management platform (which is the root key of the platform-level key system, and its function is to encrypt and protect all other Layer 2 keys within the platform, such as the platform identity authentication key, the platform data protection key, and the plaintext of all tenant keys). Then, the platform master key is saved to the platform security domain of the platform security layer (this domain is responsible for the platform's own secure operation and global management, and its internal keys are completely isolated from tenant data). Furthermore, upon detecting any tenant registration or creation, the platform software calls the cloud server cryptographic machine hardware to create a 128-bit SM4 key in its corresponding VSM, obtaining the tenant's plaintext tenant key (the root key of the tenant key system, specifically used for encryption and decryption operations of this business application; multiple business applications of a tenant have their own independent application keys). Then, the platform master key is used to encrypt the tenant key plaintext using the SM4 algorithm to obtain the tenant key ciphertext, and the generated tenant key ciphertext is stored in the tenant security subdomain created for this tenant within the tenant security layer. It should be noted that different tenants cannot access other tenants' tenant keys.
[0065] It should be noted that the SM2 public key in the CHSM device key can be used to encrypt the transmission key and data, and the SM2 private key can be used to decrypt to achieve an end-to-end encrypted channel. All operations involving the plaintext of the key are completed inside the CHSM hardware, thereby achieving isolation between the physical and virtualized computing environments and ensuring that the plaintext of the key exists only within the hardware security boundary.
[0066] Additionally, when the platform detects that a tenant has connected any of its business applications to the platform, the platform will call the cloud server's cryptographic machine hardware to create a 128-bit SM4 key in the corresponding VSM, obtaining the application key plaintext for that business application. Then, based on the tenant's key plaintext and using the SM4 algorithm, the platform will encrypt the application key plaintext to obtain the application key ciphertext (a Layer 2 key within the tenant's security subdomain). Furthermore, the platform will establish the association between the platform master key and the tenant key ciphertext, as well as between the tenant key ciphertext and the application key ciphertext. For details, please refer to [link to relevant documentation]. Figure 2 Key connection relationships in different layers.
[0067] As shown above, all key generation requests (including platform master keys, tenant keys, application keys, etc.) are ultimately routed to a specific VSM at the cryptographic hardware layer for execution. Furthermore, once the plaintext key is generated within the VSM's security boundary, it is immediately encrypted using its superior protection key (e.g., the platform master key protects the tenant master key (i.e., the tenant key plaintext), and the tenant master key (i.e., the tenant key plaintext) protects the application key), based on its type and ownership. The encrypted key ciphertext is then transmitted securely to the cryptographic service management platform software and stored in a dedicated storage area within the corresponding security domain (a logical area composed of mutually trusting network components with the same security protection requirements). This process ensures that the plaintext key generated throughout the entire process never appears in the platform software's general memory or storage area.
[0068] It should be noted that within the software layer of the cryptographic service management platform, an independent security subdomain is pre-defined for each tenant. Enforced access control between different tenant security subdomains is implemented through the platform's tenant-level key security policy, ensuring logical isolation of tenant data. Furthermore, each tenant's security subdomain possesses an independent key system (i.e., its own tenant key and application key). Additionally, the private key portion of the platform master key is exclusively accessible to the platform's security domain; it cannot be directly accessed by any tenant's security subdomain or application layer.
[0069] For details, see Figure 2As shown, when creating a VSM (i.e., a VSM instance), a management key (i.e., the VSM master key) can also be independently generated and stored within its virtualization security boundary. This management key is used to protect all tenant keys (such as tenant key plaintext) generated within the VSM instance. Furthermore, a second-layer key protected by the platform master key can be created within the platform security layer, such as a platform identity authentication key and a platform data protection key. The platform identity authentication key can be an SM2 asymmetric key pair (e.g., containing a 256-bit SM2 private key and a matching 512-bit SM2 public key, where the SM2 private key can be encrypted and stored using the SM4 encryption algorithm by the platform master key). This is used to establish a two-way authentication and secure channel between the platform and each managed cryptographic machine (such as CHSM or VSM) at the underlying level, ensuring the legitimacy and confidentiality of communication between the platform and the hardware layer. The SM2 private key can be encrypted and stored using the SM4 encryption algorithm by the platform master key. The platform data protection key can be one or more symmetric or asymmetric keys protected by the platform master key, used to encrypt and protect the platform's own critical sensitive data. Different data protection keys can be further subdivided according to the data type and sensitivity level of the protected object, such as log protection keys and user information protection keys.
[0070] By adopting Figure 2 The layered asymmetric / symmetric encryption nested key storage method shown can achieve logical storage isolation. The key ciphertext of any level is protected by the key of the level above, forming a logical access barrier, so that the keys of different tenants cannot be accessed across tenants in the storage state.
[0071] In one specific implementation, the process of generating the platform master key may include: obtaining a first random sequence generated by a virtual cryptographic machine in the cloud server cryptographic machine, and a second random sequence generated internally by the platform software during the initial initialization of the cryptographic service management platform; encrypting the second random sequence using the first random sequence to obtain an encrypted sequence; performing a transposition transformation on the first random sequence using a transposition permutation table located in the virtual cryptographic machine to obtain a transformed sequence, and generating the platform master key based on the encrypted sequence and the transformed sequence. In this embodiment, firstly, a random sequence (denoted as P1) generated by the virtual cryptographic machine (VSM) in the cloud server cryptographic machine (CHSM) and a random sequence (denoted as P2) generated internally by the platform software during the initial initialization of the cryptographic service management platform are obtained. Next, a preset encryption algorithm (including but not limited to DSA (Digital Signature Algorithm) and AES (Advanced Encryption Standard)) is used to encrypt the random sequence P2 based on the random sequence P1 to obtain the encrypted sequence (denoted as P3). P3 can be securely stored internally by the platform software. Furthermore, the random sequence P1 is protected by scrambling and segmentation. Specifically, the random sequence P1 can be subjected to involutory transformation (a special type of powerless transformation) using an involutory permutation table (S-box) pre-created in the virtual cryptographic machine (VSM) corresponding to the current tenant to obtain the transformed sequence. Finally, the encrypted sequence and the transformed sequence are combined to generate the platform master key.
[0072] In one specific implementation, the transformation of the first random sequence by using the involutional permutation table located in the virtual cryptographic machine to obtain the transformed sequence can be achieved through the following steps: First, the random sequence P1 is split into four 32-bit data blocks. These four 32-bit data blocks, as well as the hash values of sequences P4 and P1 obtained by combining random sequence P1 with random sequence P2, can be stored in different areas of the cryptographic module of the virtual cryptographic machine (VSM) for subsequent verification of the platform master key. Next, the four 32-bit data blocks obtained after splitting P1 are processed using an integrative permutation table (which can be a randomly generated integrative permutation table with 8 bits of input and 8 bits of output, i.e., for any 0≤a≤255, the permutation satisfies a = sbox(sbox(a)), and the permutation table is stored in the cryptographic module of the Virtual Cryptographic Machine (VSM)). Linear transformation (LT) is performed on each data block to obtain the first transformed sequence U (U=L(P1)). Then, a nonlinear transformation (represented as S) is performed on U to obtain the second transformed sequence V, i.e., V=S(sbox, U). Finally, a linear transformation L is performed on V to obtain the third transformed sequence.
[0073] For example, Step 1: Divide the 128-bit P1 (as input, i.e., X) into four 32-bit data blocks from left to right, denoted as X = X0 || X1 || X2 || X3, and denote the output after linear transformation of X as Y = Y0 || Y1 || Y2 || Y3, Y = L(X). Step 2: Perform the following transformations on Y0, Y1, Y2, and Y3: Y0 = X0⊕X1⊕X2, Y1 = X0⊕X1⊕X3, Y2 = X0⊕X2⊕X3, Y3 = X1⊕X2⊕X3, where ⊕ is the XOR mathematical operator; Step 3: Return Y = Y0 || Y1 || Y2 || Y3, and the matrix representation of the linear transformation L is as follows:
[0074] ;
[0075] Step 4: Perform a nonlinear transformation S using the involutional permutation table sbox. This is also an involutional transformation. The steps for performing the nonlinear transformation S are as follows: Divide the 128-bit input Y and output Z into 16 8-bit groups from left to right, denoted as Y = Y0 || Y1 || ... || Y15. Step 5: Perform the following transformation on Y0 to Y15: Zi = sbox(Yi), i = 0, 1, ..., 15, resulting in Z = Z0 || Z1 || ... || Z15. Step 6: Perform a linear transformation L on Z to obtain the transformed sequence.
[0076] Step S12: Query the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer, and obtain the platform master key pre-created for the cryptographic service management platform from the platform security layer.
[0077] In this embodiment, after receiving the data encryption request, see [link to documentation]. Figure 2 As shown, the target application key ciphertext corresponding to the application identifier (token) carried in the request and the target tenant key ciphertext corresponding to the tenant identifier can be queried from the tenant security layer, and then the platform master key pre-created for the cryptographic service management platform can be obtained from the platform security layer.
[0078] Step S13: In the tenant security layer, the platform master key is used to decrypt the target tenant key ciphertext to obtain the target tenant key plaintext, and the target application key ciphertext is decrypted using the target tenant key plaintext to obtain the target application key plaintext.
[0079] In this embodiment, after retrieving the target application key ciphertext, the target tenant key ciphertext, and the platform master key, the data encryption request can be routed to a logically isolated tenant security subdomain corresponding to the application token and tenant token, which is pre-created in the tenant security layer using security domain isolation technology. Then, in this tenant security subdomain, the target tenant key ciphertext is decrypted based on the platform master key and using the SM4 algorithm to obtain the target tenant key plaintext. The platform master key is located in a logically isolated platform security domain created in the platform security layer using security domain isolation technology. Next, the target application key ciphertext is decrypted based on the target tenant key plaintext and using the SM4 algorithm to obtain the target application key plaintext.
[0080] By creating logically isolated platform security domains and multiple tenant security subdomains (isolated within each domain), and using these as the basic security boundary and least privilege execution environment for key and sensitive data management within the platform, a shift from the traditional centralized sharing model to a distributed least privilege model can be achieved. Furthermore, the layered key protection structure enforces least privilege access, eliminating the risk of high-privilege key sharing among internal platform components. This addresses the lack of inherent security protection at the platform software level and provides an effective solution for building more secure cloud cryptographic services. Additionally, the security subdomains directly achieve storage and access isolation between different tenant keys and sensitive data. Simultaneously, storing the platform management key (i.e., the platform master key) and tenant business keys separately in different security domains enables the cryptographic separation of management rights and usage rights.
[0081] Accordingly, after decrypting the target application key ciphertext using the target tenant key plaintext to obtain the target application key plaintext, the process may further include: saving the target tenant key plaintext and the target application key plaintext to a temporary storage area of the tenant security layer. It should be noted that the key plaintext is only stored in a temporary secure area of the tenant security layer, such as being temporarily generated in memory.
[0082] Step S14: Send the plaintext of the target application key and the data to be encrypted to the target virtual cryptographic machine pre-assigned to the target tenant, so as to encrypt the data to be encrypted based on the plaintext of the target application key to obtain the ciphertext, and send the ciphertext to any of the business applications.
[0083] In this embodiment, the plaintext of the target application key and the data to be encrypted (such as government public data, including key sensitive data such as citizens' names, ID numbers, home addresses, and other privacy information) are sent to the target virtual cryptographic machine (VSM) pre-assigned to the target tenant (a tenant of a government unit). The VSM is then used to encrypt the data to be encrypted based on the plaintext of the target application key (the encryption algorithm can be either a symmetric encryption algorithm or an asymmetric encryption algorithm) to obtain the encrypted data. The encrypted data is then returned to the corresponding business application.
[0084] Specifically, sending the plaintext of the target application key and the data to be encrypted to the target virtual cryptographic machine pre-allocated to the target tenant may include: encrypting the plaintext of the target application key and the data to be encrypted using the SM2 algorithm based on the public key in the cloud cryptographic machine key located in the cryptographic hardware layer to obtain an encrypted data packet, and sending the encrypted data packet to the cloud server cryptographic machine in the cryptographic hardware layer; and decrypting the encrypted data packet using the private key in the cloud cryptographic machine key and the SM2 algorithm through the cloud server cryptographic machine to obtain the plaintext of the target application key and the data to be encrypted, and sending the plaintext of the target application key and the data to be encrypted to the target virtual cryptographic machine pre-allocated to the target tenant. That is, based on the public key in the cloud cryptographic machine key and using the SM2 algorithm, the application key plaintext and the data to be encrypted are encrypted to obtain an encrypted data packet. Then, the encrypted data packet is sent to the cloud server cryptographic machine (CHSM) in the cryptographic hardware layer. The CHSM then decrypts the encrypted data packet based on the private key in the cloud cryptographic machine key and using the SM2 algorithm to obtain the application key plaintext and the data to be encrypted. Finally, the application key plaintext and the data to be encrypted are sent to the virtual cryptographic machine (VSM) pre-assigned to the current tenant.
[0085] Specifically, encrypting the data to be encrypted based on the plaintext of the target application key to obtain ciphertext, and then sending the ciphertext to any of the business applications, may include: encrypting the data to be encrypted based on the plaintext of the target application key using the SM4 algorithm to obtain ciphertext; sending the ciphertext to the tenant security layer, which then sends it to the platform security layer, and finally, through the service gateway in the platform security layer, sends the ciphertext to any of the business applications. That is, encrypting the data to be encrypted based on the plaintext of the application key using the SM4 algorithm to obtain ciphertext, then sending the ciphertext to the tenant security layer, which then sends it to the platform security layer, and finally, through the service gateway in the platform security layer, sends the ciphertext to the business application that initiated the request.
[0086] Accordingly, after sending the encrypted data to any of the business applications, the process may further include: deleting the plaintext of the target tenant key and the plaintext of the target application key from the temporary storage area. For example, the plaintext key is obtained after computation in memory and erased immediately after use, thereby achieving time-dimensional isolation and eliminating the risk of persistent key storage in a general computing environment.
[0087] As can be seen, this embodiment of the application pre-creates three different layers in the cryptographic service management platform: the cryptographic hardware layer, the platform security layer, and the tenant security layer. When a data encryption request (including application identifier and tenant identifier) is received from any business application, the application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier are first queried from the tenant security layer. The platform master key is then obtained from the platform security layer. The tenant key ciphertext is then decrypted using the platform master key in the tenant security layer. The decrypted tenant key plaintext is then used to decrypt the application key ciphertext to obtain the target application key plaintext. Finally, the decrypted application key plaintext and the data to be encrypted are sent to the corresponding virtual cryptographic machine in the cryptographic hardware layer to perform encryption operations on the data to be encrypted using the application key plaintext. It can be seen that this embodiment of the application encrypts the data to be encrypted through the collaborative work of multiple different layers, and the keys stored in each layer are stored in ciphertext form. In this way, the security of the data encryption process can be improved, data leakage can be avoided, and the overall security, trustworthiness, and compliance of the cryptographic service management platform can be greatly improved.
[0088] This application discloses a specific data encryption method applied to a cryptographic service management platform. The cryptographic service management platform includes a cryptographic hardware layer, a platform security layer, and a tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine and multiple virtual cryptographic machines created by the cloud server cryptographic machine. (See also...) Figure 3 As shown, the method includes:
[0089] Step S21: Receive a data encryption request sent by any business application in the target tenant; the data encryption request carries the tenant identifier of the target tenant, the application identifier of any business application, and the data to be encrypted.
[0090] Step S22: Perform identity authentication on any of the business applications based on the tenant identifier in the data encryption request to obtain the application authentication result.
[0091] In this embodiment, after receiving a data encryption request, it can be parsed to obtain the tenant identifier, application identifier, and data to be encrypted. Then, based on the tenant identifier, the business application that initiated the request is authenticated to obtain the application authentication result. The authentication method can be data signature or authentication can be performed by matching a pre-created whitelist.
[0092] Step S23: If the application authentication result is successful, query the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer, and obtain the platform master key pre-created for the cryptographic service management platform from the platform security layer.
[0093] Step S24: In the tenant security layer, the platform master key is used to decrypt the target tenant key ciphertext to obtain the target tenant key plaintext, and the target application key ciphertext is decrypted using the target tenant key plaintext to obtain the target application key plaintext.
[0094] Step S25: Send the plaintext of the target application key and the data to be encrypted to the target virtual cryptographic machine pre-assigned to the target tenant, so as to encrypt the data to be encrypted based on the plaintext of the target application key to obtain the ciphertext, and send the ciphertext to any of the business applications.
[0095] For more detailed processing procedures of steps S21, S23 to S25, please refer to the corresponding content disclosed in the foregoing embodiments, which will not be repeated here.
[0096] As can be seen, this embodiment first authenticates the business application that initiated the request, and then performs data encryption operations through a service management platform that includes a cryptographic hardware layer, a platform security layer, and a tenant security layer after successful authentication. This further enhances the security of the data encryption process. Furthermore, by adopting a clearly layered, strictly isolated, and finely controlled key protection structure, the platform's resistance to penetration is significantly enhanced, limiting the impact of security incidents from global to local. Moreover, the platform supports the separation of responsibilities in multi-tenant scenarios, providing a technical foundation for meeting compliance requirements for data isolation. In addition, all key operations can be precisely associated with specific security domains, greatly improving the accuracy and traceability of security audits. Furthermore, this structure effectively disperses and isolates the security risks of a single, large platform software into multiple independent security domains, thus ensuring that even if some components (such as a tenant's front-end application) or modules are breached, attacks are unlikely to spread laterally to the platform's core key system or other tenant data, thereby greatly improving the overall security, trustworthiness, and compliance of the cryptographic service management platform.
[0097] Accordingly, this application also discloses a data encryption device applied to a cryptographic service management platform. The cryptographic service management platform includes a cryptographic hardware layer, a platform security layer, and a tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine and multiple virtual cryptographic machines created by the cloud server cryptographic machine. See [link to relevant documentation]. Figure 4 As shown, the device includes:
[0098] The receiving module 11 is used to receive a data encryption request sent by any business application in the target tenant; the data encryption request carries the tenant identifier of the target tenant, the application identifier of any business application, and the data to be encrypted;
[0099] The query module 12 is used to query the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer;
[0100] The acquisition module 13 is used to obtain the platform master key that has been pre-created for the cryptographic service management platform from the platform security layer;
[0101] The decryption module 14 is used to decrypt the target tenant key ciphertext using the platform master key in the tenant security layer to obtain the target tenant key plaintext, and to decrypt the target application key ciphertext using the target tenant key plaintext to obtain the target application key plaintext.
[0102] The sending module 15 is used to send the plaintext of the target application key and the data to be encrypted to the target virtual cryptographic machine pre-allocated to the target tenant, so as to encrypt the data to be encrypted based on the plaintext of the target application key to obtain ciphertext, and send the ciphertext to any of the business applications.
[0103] The specific workflow of each of the above modules can be found in the relevant content disclosed in the foregoing embodiments, and will not be repeated here.
[0104] Furthermore, embodiments of this application also disclose an electronic device, Figure 5 This is a structural diagram of an electronic device 20 according to an exemplary embodiment. The content of the diagram should not be construed as limiting the scope of this application.
[0105] Figure 5 This is a schematic diagram of the structure of an electronic device 20 provided in an embodiment of this application. Specifically, the electronic device 20 may include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input / output interface 25, and a communication bus 26. The memory 22 stores a computer program, which is loaded and executed by the processor 21 to implement the relevant steps in the data encryption method disclosed in any of the foregoing embodiments. Furthermore, the electronic device 20 in this embodiment may specifically be an electronic computer.
[0106] In this embodiment, the power supply 23 is used to provide operating voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and external devices, and the communication protocol it follows can be any communication protocol applicable to the technical solution of this application, and is not specifically limited here; the input / output interface 25 is used to acquire external input data or output data to the outside world, and its specific interface type can be selected according to specific application needs, and is not specifically limited here.
[0107] In addition, the memory 22, as a carrier for resource storage, can be a read-only memory, random access memory, disk or optical disk, etc. The resources stored thereon can include operating system 221, computer program 222, etc., and the storage method can be temporary storage or permanent storage.
[0108] The operating system 221 is used to manage and control the various hardware devices on the electronic device 20 and the computer program 222, which may be Windows Server, Netware, Unix, Linux, etc. In addition to including a computer program capable of performing the data encryption method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include a computer program capable of performing other specific tasks.
[0109] Furthermore, this application also discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned disclosed data encryption method. Specific steps of this method can be found in the corresponding content disclosed in the foregoing embodiments, and will not be repeated here.
[0110] Furthermore, embodiments of this application also disclose a computer program product, including a computer program / instructions, which, when executed by a processor, implement the steps of the data encryption method disclosed above.
[0111] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the method section.
[0112] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0113] The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented directly by hardware, a software module executed by a processor, or a combination of both. The software module can be located in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.
[0114] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0115] The above provides a detailed description of a data encryption method, apparatus, device, and storage medium provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the method and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.
Claims
1. A data encryption method, characterized in that, The method is applied to a cryptographic service management platform, which includes a cryptographic hardware layer, a platform security layer, and a tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine and multiple virtual cryptographic machines created by the cloud server cryptographic machine. Receive a data encryption request sent by any business application in the target tenant; the data encryption request carries the tenant identifier of the target tenant, the application identifier of any business application, and the data to be encrypted; The system queries the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer, and obtains the platform master key pre-created for the cryptographic service management platform from the platform security layer. In the tenant security layer, the platform master key is used to decrypt the target tenant key ciphertext to obtain the target tenant key plaintext, and the target application key ciphertext is decrypted using the target tenant key plaintext to obtain the target application key plaintext. The target application key plaintext and the data to be encrypted are sent to the target virtual cryptographic machine pre-allocated to the target tenant, so as to encrypt the data to be encrypted based on the target application key plaintext to obtain data ciphertext, and the data ciphertext is sent to any of the business applications; The process of decrypting the ciphertext of the target tenant key using the platform master key in the tenant security layer to obtain the plaintext of the target tenant key, and then decrypting the ciphertext of the target application key using the plaintext of the target tenant key to obtain the plaintext of the target application key, includes: The data encryption request is routed to the tenant security subdomain corresponding to the application identifier and the tenant identifier; the tenant security subdomain is a logically isolated security domain created for the target tenant in the tenant security layer using security domain isolation technology; In the tenant security subdomain, the target tenant key ciphertext is decrypted based on the platform master key and using the SM4 algorithm to obtain the target tenant key plaintext; the platform master key is located in the platform security domain, which is a logically isolated security domain created in the platform security layer using security domain isolation technology; Based on the plaintext of the target tenant key and using the SM4 algorithm, the ciphertext of the target application key is decrypted to obtain the plaintext of the target application key; Accordingly, after decrypting the target application key ciphertext using the target tenant key plaintext to obtain the target application key plaintext, the process further includes: The plaintext of the target tenant key and the plaintext of the target application key are saved to the temporary storage area of the tenant security layer.
2. The data encryption method according to claim 1, characterized in that, Sending the plaintext of the target application key and the data to be encrypted to the target virtual cryptographic machine pre-assigned to the target tenant includes: Based on the public key in the cloud cryptographic machine key located in the cryptographic hardware layer and using the SM2 algorithm, the plaintext of the target application key and the data to be encrypted are encrypted to obtain an encrypted data packet, and the encrypted data packet is sent to the cloud server cryptographic machine in the cryptographic hardware layer. Using the cloud server cryptographic machine, the encrypted data packet is decrypted based on the private key within the cloud cryptographic machine key and the SM2 algorithm to obtain the target application key plaintext and the data to be encrypted. The target application key plaintext and the data to be encrypted are then sent to the target virtual cryptographic machine pre-assigned to the target tenant.
3. The data encryption method according to claim 2, characterized in that, The step of encrypting the data to be encrypted based on the plaintext of the target application key to obtain ciphertext, and sending the ciphertext to any of the business applications, includes: Based on the plaintext of the target application key, the data to be encrypted is encrypted using the SM4 algorithm to obtain the ciphertext; The encrypted data is sent to the tenant security layer, and then from the tenant security layer to the platform security layer. Finally, the encrypted data is sent to any of the business applications through the service gateway in the platform security layer. Accordingly, after sending the encrypted data to any of the business applications, the process further includes: Delete the plaintext of the target tenant key and the plaintext of the target application key from the temporary storage area.
4. The data encryption method according to claim 2, characterized in that, Also includes: An SM4 symmetric key is generated by the cryptographic card inside the cloud server cryptographic machine, and a cryptographic master key for the cloud server cryptographic machine is obtained and stored in the cryptographic card. Generate a preset key pair, encrypt the preset key pair using the master key of the cryptographic machine to obtain the cloud cryptographic machine key, and store the cloud cryptographic machine key in the cloud server cryptographic machine; The SM4 symmetric key pair is generated by the virtual cryptographic machine in the cloud server cryptographic machine to obtain the platform master key for the cryptographic service management platform, and the platform master key is saved to the platform security domain of the platform security layer. When any tenant registration is detected, the cloud server cryptographic machine is invoked to generate an SM4 symmetric key in the virtual cryptographic machine corresponding to any tenant, thereby obtaining the tenant key plaintext of any tenant; The tenant key plaintext is encrypted based on the platform master key to obtain the tenant key ciphertext, and the tenant key ciphertext is saved to the corresponding tenant security subdomain of the tenant security layer; When any business application of any tenant is detected to be accessing the cloud server, the cloud server cryptographic machine is invoked to generate an SM4 symmetric key in the virtual cryptographic machine corresponding to any tenant, and the application key plaintext of any business application is obtained. The application key plaintext is encrypted based on the tenant key plaintext to obtain the application key ciphertext, and an association is established between the platform master key and the tenant key ciphertext, as well as between the tenant key ciphertext and the application key ciphertext.
5. The data encryption method according to claim 1, characterized in that, Also includes: Obtain a first random sequence generated by the virtual cryptographic machine in the cloud server cryptographic machine, and a second random sequence generated internally by the platform software during the initial initialization of the cryptographic service management platform; The second random sequence is encrypted using the first random sequence to obtain the encrypted sequence; The first random sequence is subjected to an inductive transformation using an inductive permutation table located in the virtual cryptographic machine to obtain a transformed sequence, and the platform master key is generated based on the encrypted sequence and the transformed sequence.
6. The data encryption method according to any one of claims 1 to 5, characterized in that, The step of querying the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer includes: Based on the tenant identifier in the data encryption request, the identity of any of the business applications is authenticated to obtain the application authentication result; If the application authentication result is successful, then query the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer.
7. A data encryption device, characterized in that, This device is applied to a cryptographic service management platform, which includes a cryptographic hardware layer, a platform security layer, and a tenant security layer. The cryptographic hardware layer includes a cloud server cryptographic machine and multiple virtual cryptographic machines created by the cloud server cryptographic machine. The device includes: The receiving module is used to receive a data encryption request sent by any business application in the target tenant; the data encryption request carries the tenant identifier of the target tenant, the application identifier of any business application, and the data to be encrypted; The query module is used to query the target application key ciphertext corresponding to the application identifier and the target tenant key ciphertext corresponding to the tenant identifier from the tenant security layer; The acquisition module is used to acquire the platform master key that has been pre-created for the cryptographic service management platform from the platform security layer; The decryption module is used to decrypt the target tenant key ciphertext using the platform master key in the tenant security layer to obtain the target tenant key plaintext, and to decrypt the target application key ciphertext using the target tenant key plaintext to obtain the target application key plaintext. The sending module is used to send the plaintext of the target application key and the data to be encrypted to the target virtual cryptographic machine pre-allocated to the target tenant, so as to encrypt the data to be encrypted based on the plaintext of the target application key to obtain the ciphertext, and send the ciphertext to any of the business applications; The process of decrypting the ciphertext of the target tenant key using the platform master key in the tenant security layer to obtain the plaintext of the target tenant key, and then decrypting the ciphertext of the target application key using the plaintext of the target tenant key to obtain the plaintext of the target application key, includes: The data encryption request is routed to the tenant security subdomain corresponding to the application identifier and the tenant identifier; the tenant security subdomain is a logically isolated security domain created for the target tenant in the tenant security layer using security domain isolation technology; In the tenant security subdomain, the target tenant key ciphertext is decrypted based on the platform master key and using the SM4 algorithm to obtain the target tenant key plaintext; the platform master key is located in the platform security domain, which is a logically isolated security domain created in the platform security layer using security domain isolation technology; Based on the plaintext of the target tenant key and using the SM4 algorithm, the ciphertext of the target application key is decrypted to obtain the plaintext of the target application key; Accordingly, after decrypting the target application key ciphertext using the target tenant key plaintext to obtain the target application key plaintext, the process further includes: The plaintext of the target tenant key and the plaintext of the target application key are saved to the temporary storage area of the tenant security layer.
8. An electronic device, characterized in that, It includes a processor and a memory; wherein, when the processor executes a computer program stored in the memory, it implements the data encryption method as described in any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that, Used for storing computer programs; wherein, when the computer program is executed by a processor, it implements the data encryption method as described in any one of claims 1 to 6.