Archive data secure encryption transmission method and system
By identifying sensitive information in multidimensional archive data packets, employing a differentiated encryption strategy library for asymmetric encryption, and adjusting symmetric encryption parameters in conjunction with real-time network quality, the problem of coarse-grained and poorly adaptable encryption strategies in existing technologies is solved, achieving fine-grained security protection and efficient transmission.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING NORTHERN SKY EAGLE TECH CO LTD
- Filing Date
- 2026-03-23
- Publication Date
- 2026-06-05
AI Technical Summary
Existing encryption strategies are coarse and poorly adapted to network conditions and the inherent structure of data, making it difficult to balance transmission efficiency and security. They cannot provide fine-grained protection based on the differences in sensitive information within the data, and the transmission process lacks dynamic collaborative optimization.
By identifying sensitive information in multidimensional archive data packets, asymmetric encryption is performed using a differentiated encryption strategy library. The symmetric encryption parameters are dynamically adjusted in conjunction with real-time network quality characteristics to generate target encrypted archive data packets and transmit them in fragments.
It enables fine-grained encryption based on differences in sensitive information within the data, optimizes security resource allocation, ensures the security of core secrets while avoiding unnecessary computational overhead for low-sensitivity data, and improves transmission efficiency and reliability.
Smart Images

Figure CN122160149A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of information security transmission technology, and in particular to a method and system for secure encrypted transmission of archival data. Background Technology
[0002] With the rapid growth in demand for digitization and remote collaboration in government, finance, and healthcare, a large number of archival documents containing personal identities, trade secrets, or sensitive instructions need to be transmitted over networks within or between institutions. This archival data typically consists of scanned images, identified structured text, and descriptive metadata, and the distribution of sensitive information within it is heterogeneous and varied. Therefore, sophisticated requirements are placed on transmission technology. It is necessary not only to encrypt the overall data to ensure the security of the transmission channel, but also to implement differentiated and strength-matched encryption protection based on the sensitivity of different elements within the data and their context. Furthermore, it is necessary to adaptively optimize encryption and transmission strategies based on real-time network conditions and document types, thereby ensuring high security of core sensitive information while also considering the overall efficiency and reliability of the transmission process.
[0003] Currently, the existing solution for this type of requirement is a static encrypted transmission method based on a predefined strategy. This method first performs a uniform, one-time encryption process on the complete file data packet, usually using a fixed encryption algorithm and key strength. Then, based on the rough classification of the files or a preset fixed routing table, a network link is selected for the transmission of the entire data. During the transmission process, in order to cope with network fluctuations, the encrypted data packet may be simply fragmented into fixed-size segments before being sent.
[0004] However, this method still has significant drawbacks. First, a uniform static encryption strategy cannot differentiate between sensitive information in different data layers within the file package. It may cause unnecessary computational overhead for low-sensitivity content, while the protection strength for high-sensitivity information may be insufficient, lacking fine-grained security adaptability. Second, the encryption strategy and the determination of the transmission link are isolated from each other and based on static presets. They fail to dynamically and collaboratively optimize according to the real-time quality of the specific network faced by this transmission, which may lead to the use of high-overhead encryption modes on high-latency or unstable links, exacerbating the risk of transmission delay or packet loss. Third, the simple overall encryption followed by fragmentation has a fragmentation strategy that is unrelated to the distribution of sensitive information within the data or the encryption strength used. The fragmentation process fails to consider the security attributes and structure of the data itself, and the reliability guarantee of transmission is disconnected from the security logic of the data. Summary of the Invention
[0005] This application provides a method and system for secure encrypted transmission of archival data, which addresses the problems in existing technologies such as crude encryption strategies, poor adaptability to network conditions and the inherent structure of data, and lack of dynamic coordination between security processing and transmission, resulting in an inability to balance transmission efficiency and security assurance.
[0006] Firstly, this application provides a method for secure encrypted transmission of archival data, including: Acquire the multidimensional archive data packet to be transmitted, and identify entity information belonging to a preset sensitive type in the multidimensional archive data packet. The entity information of the preset sensitive type includes personal identification identifiers and security classification information in the archive. Based on the entity information of the preset sensitive type, and according to the target data layer to which the entity information belongs in the multidimensional archive data packet, a first set of encryption parameters matching the sensitivity level of the target data layer and the entity information is selected from the preset differentiated encryption strategy library; The first round of asymmetric encryption is performed on the target data block carrying the entity information in the multidimensional archive data packet according to the first encryption parameter set to generate the first intermediate ciphertext data packet. Based on the archive classification code in the original metadata layer of the multidimensional archive data packet, the target network transmission link is determined from the preset transmission channel mapping rules, and the real-time network quality characteristics of the target network transmission link are extracted, wherein the real-time network quality characteristics include the current link latency and available bandwidth fluctuation value. Based on the real-time network quality characteristics, the key parameters that are related to the first encryption parameter set are dynamically adjusted to generate the second encryption parameter set; The second set of encryption parameters is used to perform a second round of symmetric encryption on the first intermediate ciphertext data packet to generate a target encrypted archive data packet, and the encrypted archive data packet is transmitted in fragments through the target network transmission link.
[0007] Optionally, a multidimensional archive data packet to be transmitted is acquired, and entity information belonging to a preset sensitive type in the multidimensional archive data packet is identified. The preset sensitive type entity information includes personal identification identifiers and security classification information in the archive, including: Receive multidimensional archive data packets output by the archive scanning and structuring system, and decompose the multidimensional archive data packets to separate the image data portion, the structured text data portion, and the original metadata portion; Scan the text content in the structured text data section and compare it with a preset first sensitive word list to mark all matching text fragments and the position of the text fragments in the structured text data section as the first type of sensitive entity information; Locate a specified image region containing a security level marker in the image data portion, extract text information from the specified image region, compare the text information with a preset second sensitive word list, mark all matching text information and the region coordinates of the text information in the image data portion, and use them as second type of sensitive entity information; The first type of sensitive entity information and the second type of sensitive entity information are combined to generate an entity information recognition result that includes entities belonging to a preset sensitive type.
[0008] Optionally, based on the entity information of the preset sensitive type, and according to the target data layer to which the entity information belongs in the multidimensional archive data packet, a first set of encryption parameters matching the sensitivity level of the target data layer and the entity information is selected from a preset differentiated encryption strategy library, including: The type marker of the entity information of the preset sensitive type and the data layer marker of the entity information in the multidimensional archive data packet are parsed, wherein the type marker includes personal identification identifier or security classification information, and the data layer marker points to the image data part or the structured text data part; Based on the type marker of the entity information and the specific content of the entity information, the sensitivity level of the entity information is determined. When the type marker of the entity information is a personal identification identifier, different sensitivity level values are assigned to different personal identification identifier contents according to preset rules. When the type marker of the entity information is a security classification marker, different security classification marker contents are mapped to different sensitivity level values according to preset rules. The entity information type marker, the data layer marker, and the sensitivity level are used together as the query index; The query index is used to retrieve a preset differentiated encryption strategy library, find a target record that completely matches the query index, and extract the set of encryption parameters bound in the target record as a candidate encryption parameter set. According to the preset conflict handling rules, a first encryption parameter set is determined from all candidate encryption parameter sets. The first encryption parameter set is used to perform encryption processing on the target data block carrying the entity information in the multidimensional archive data packet.
[0009] Optionally, the first intermediate ciphertext data packet is subjected to a second round of symmetric encryption using the second encryption parameter set to generate a target encrypted archive data packet, and the encrypted archive data packet is transmitted in fragments through the target network transmission link, including: Extract the encryption operation mode and target key length from the second set of encryption parameters; Based on the target key length, a temporary symmetric key is generated. Using the temporary symmetric key and the encryption operation mode, a symmetric encryption operation is performed on the binary data stream of the first intermediate ciphertext data packet to obtain the final ciphertext data. The final ciphertext data, the position index header in the first intermediate ciphertext data packet, and the encryption operation mode identifier in the second encryption parameter set are jointly encapsulated to generate the target encrypted archive data packet; Based on the current link latency and available bandwidth fluctuation values in the real-time network quality characteristics of the target network transmission link, the fragmentation size threshold is calculated. According to the fragment size threshold, the target encrypted archive data packet is cut into multiple sequentially arranged data fragments, and a fragment header containing the sequence number and the total number of fragments is added to each data fragment; According to the order in which the data fragments were generated, each data fragment with a fragment header is transmitted sequentially on the target network transmission link according to the sequence number.
[0010] Secondly, this application provides a secure encrypted transmission system for archival data, comprising: The acquisition module is used to acquire the multidimensional archive data packet to be transmitted and identify entity information belonging to a preset sensitive type in the multidimensional archive data packet. The entity information of the preset sensitive type includes personal identification identifiers and security classification information in the archive. The selection module is used to select a first set of encryption parameters that matches the sensitivity level of the target data layer and the entity information from a preset differential encryption strategy library, based on the entity information of the preset sensitive type and according to the target data layer to which the entity information belongs in the multidimensional archive data packet. The encryption module is used to perform a first round of asymmetric encryption on the target data block carrying the entity information in the multidimensional archive data packet according to the first encryption parameter set, and generate a first intermediate ciphertext data packet; The extraction module is used to determine the target network transmission link from the preset transmission channel mapping rules based on the archive classification code in the original metadata layer of the multidimensional archive data packet, and extract the real-time network quality characteristics of the target network transmission link, wherein the real-time network quality characteristics include the current link latency and available bandwidth fluctuation value. The adjustment module is used to dynamically adjust the key parameters that are related to the first encryption parameter set based on the real-time network quality characteristics to generate a second encryption parameter set; The transmission module is configured to perform a second round of symmetric encryption on the first intermediate ciphertext data packet using the second encryption parameter set to generate a target encrypted archive data packet, and to transmit the encrypted archive data packet in fragments through the target network transmission link.
[0011] Thirdly, this application provides a computing device, including a processing component and a storage component; the storage component stores one or more computer instructions; the one or more computer instructions are invoked and executed by the processing component to implement a secure encrypted transmission method for archival data as described in the first aspect above.
[0012] Fourthly, this application provides a computer storage medium storing a computer program, which, when executed by a computer, implements a secure encrypted transmission method for archival data as described in the first aspect.
[0013] The beneficial effects of this application are: This application first deconstructs and deeply scans the archive data packets to accurately identify key sensitive entities such as personal identification identifiers and security classification markers distributed in different data layers. Based on the data layer to which they belong and the sensitivity of the content, it matches differentiated asymmetric encryption parameters from a pre-set policy library to implement precise encryption with variable strength for specific data blocks carrying sensitive information. This process changes the traditional approach of uniformly encrypting the entire data packet, allowing the stamp area in the image layer and the identity information in the text layer to receive cryptographic protection matching their actual sensitivity. While ensuring the security of core secrets, it avoids imposing unnecessary computational overhead on non-sensitive or low-sensitivity data, and achieves optimized allocation and fine-grained control of security resources.
[0014] These or other aspects of this application will become more apparent in the following description of the embodiments. Attached Figure Description
[0015] To more clearly illustrate the technical solutions in this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0016] Figure 1 A flowchart of a secure encrypted transmission method for archival data provided in this application is shown; Figure 2 This application provides a schematic diagram of the structure of a secure encrypted transmission system for archival data. Figure 3 A schematic diagram of the structure of a computing device provided in this application is shown. Detailed Implementation
[0017] To enable those skilled in the art to better understand the present application, the technical solution of the present application will be clearly and completely described below with reference to the accompanying drawings.
[0018] In some of the processes described in the specification, claims, and accompanying drawings of this application, multiple operations appearing in a specific order are included. However, it should be clearly understood that these operations may not be executed in the order they appear herein, or may be executed in parallel. The operation numbers, such as 101, 102, etc., are merely used to distinguish different operations and do not themselves represent any execution order. Furthermore, these processes may include more or fewer operations, and these operations may be executed sequentially or in parallel. It should be noted that the descriptions such as "first," "second," etc., in this document are used to distinguish different messages, devices, modules, etc., and do not represent a chronological order, nor do they limit "first" and "second" to different types.
[0019] The technical solutions of this application will now be clearly and completely described with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0020] Figure 1 A flowchart of a method for securely encrypting and transmitting archival data is provided in this application, such as... Figure 1 As shown, the method includes: Step 101: Obtain the multidimensional archive data packet to be transmitted, and identify entity information belonging to the preset sensitive type in the multidimensional archive data packet. The entity information of the preset sensitive type includes personal identification identifiers and security classification information in the archive.
[0021] Optionally, step 101 may specifically include: Step 1011: Receive the multidimensional archive data packet output by the archive scanning and structuring system, and decompose the multidimensional archive data packet to separate the image data portion, the structured text data portion, and the original metadata portion.
[0022] Step 1012: Scan the text content in the structured text data section and compare it with the preset first sensitive word list, mark all matching text fragments and their positions in the structured text data section, as the first type of sensitive entity information.
[0023] Step 1013: Locate the specified image region containing the security level marker in the image data section, extract text information from the specified image region, compare the text information with the preset second sensitive word list, mark all matching text information and the region coordinates of the text information in the image data section, and use them as the second type of sensitive entity information.
[0024] Step 1014: Collect information on the first type of sensitive entities and information on the second type of sensitive entities to generate an identification result containing entity information belonging to a preset sensitive type.
[0025] In this application, a multidimensional archival data package refers to a digital data set formed by scanning and structuring original paper or electronic archival documents. In this application scenario, the data package specifically includes three logical parts: the image data part is a dot matrix image of a complete page or a local area obtained after scanning the original archival document; the structured text data part is editable text with text content and formatting information obtained by optical character recognition of the image data part; and the original metadata part is information used to describe the attributes of the archive itself, including but not limited to the archive number, generation date, and archive classification code.
[0026] Pre-defined sensitive entity information refers to pre-defined information categories that need to be specially identified and protected in archival data. In the context of this application, the pre-defined sensitive entity information specifically includes personal identification identifiers and security classification information. Personal identification identifiers refer to a string of characters or codes that can directly or indirectly identify a specific natural person, such as a resident identity card number or social security number. Security classification information refers to text or graphic symbols that identify the confidentiality level of the archive, such as the words "secret" or "confidential" or the corresponding seal pattern.
[0027] The first type of sensitive entity information refers to entity information that belongs to a preset sensitive type and is identified from the structured text data. Its recorded content includes the content of the matched text fragment and the start and end positions of the characters in the structured text data.
[0028] The second type of sensitive entity information refers to entity information that is identified from the image data portion and belongs to a preset sensitive type. Its recorded content includes text information extracted from a specified image area and the pixel coordinate range of the specified image area in the image data portion.
[0029] In this step, a complete multidimensional archive data packet is first received from the upstream system, and the multidimensional archive data packet is decomposed according to the predetermined data format specifications, breaking it down into independent image data, structured text data, and raw metadata, so that each part of the data can be analyzed and processed independently in the future. Secondly, the text content contained in the structured text data obtained after decomposition is scanned line by line or as a whole. Using string exact matching or regular expression matching algorithms, each scanned text fragment is compared with a pre-configured first sensitive word list. This first sensitive word list stores various text pattern templates related to personal identification identifiers. When a text fragment matches any template in the list, it is marked as the first type of sensitive entity information, and the specific position of the text fragment in the structured text data is recorded. Next, the image data is processed. Using a preset image coordinate range or template-based image recognition technology, a designated image area that is usually used for affixing or writing security classification marks is located in the image. Then, optical character recognition is performed on the designated image area to extract the text information. The extracted text information is then compared with a pre-configured second sensitive word list. This second sensitive word list stores keywords related to the file's security classification, such as "internal," "secret," and "confidential." When the extracted text information matches the keywords in the list, it is marked as second-class sensitive entity information, and the coordinate range of the designated image area in the complete image is recorded. Finally, all the first-category sensitive entity information and all the second-category sensitive entity information are gathered together and organized into a structured identification result list. This identification result list fully records all entity information belonging to the preset sensitive types found in the current multidimensional archive data package, as well as their respective type, content, and location data.
[0030] For example, a personnel file from Company A needs to be transmitted. After scanning and structuring, the file forms a multidimensional file data package. First, the system receives this data package and decomposes it to obtain a JPG image data portion of an employee registration form, a structured text data portion identified from the image containing fields such as "Name: Zhang San, ID number: 110101199003071234", and a raw metadata portion recording the file classification code "RS-DA-2023-001". Next, the structured text data section is scanned, and the text “110101199003071234” is matched with the ID number regular expression template in the first sensitive word list. Since it is a complete match, the text fragment is marked as the first type of sensitive entity information, and its position in the text section is recorded as the 102nd to 121st characters. Subsequently, a red stamp pattern was located in the upper right corner of the image data (pixel coordinate range assumed to be [1800, 50, 1900, 100]). The word "secret" was extracted by OCR. The word "secret" was compared with the second sensitive word list and a match was found. "Secret" was marked as the second type of sensitive entity information and its source area coordinates were recorded as [1800, 50, 1900, 100]. Finally, the two records (ID number information and its location, and confidentiality level "secret" information and its coordinates) are combined to generate entity information recognition results.
[0031] Step 102: Based on the entity information of the preset sensitive type, and according to the target data layer to which the entity information belongs in the multidimensional archive data packet, select the first set of encryption parameters that matches the sensitivity level of the target data layer and the entity information from the preset differentiated encryption strategy library.
[0032] Optionally, step 101 may specifically include: Step 1021: parse the type marker of the entity information of the preset sensitive type and the data layer marker of the entity information in the multidimensional archive data packet. The type marker includes personal identification identifier or security classification information, and the data layer marker points to the image data part or the structured text data part.
[0033] Step 1022: Determine the sensitivity level of the entity information based on the type marker and the specific content of the entity information. When the type marker of the entity information is a personal identification identifier, assign different sensitivity level values to different personal identification identifier contents according to preset rules. When the type marker of the entity information is a security classification marker, map different security classification marker contents to different sensitivity level values according to preset rules.
[0034] Step 1023: Use the entity information type tag, data layer tag, and sensitivity level together as the query index.
[0035] Step 1024: Use the query index to retrieve the preset differentiated encryption strategy library, find the target record that completely matches the query index, and extract the set of encryption parameters bound in the target record as the candidate encryption parameter set.
[0036] Step 1025: According to the preset conflict handling rules, determine the first encryption parameter set from all candidate encryption parameter sets. The first encryption parameter set is used to perform encryption processing on the target data block carrying entity information in the multidimensional archive data packet.
[0037] In this application, the target data layer refers to the logical part to which the entity information of the preset sensitive type specifically belongs in the multidimensional archive data packet. In the scenario of this application, the target data layer is specifically indicated by the data layer marker, and its value is either the image data part or the structured text data part, which is directly related to whether the entity information comes from the image scan of the archive or the recognized text.
[0038] The pre-built differential encryption strategy library is a pre-built and stored rule database. Each rule record in the library clearly specifies the encryption method to be used for entity information of a specific type, located in a specific data layer and with a specific sensitivity level. Each target record in the library contains at least a query index field and a set of bound encryption parameters.
[0039] The query index is a composite keyword used to retrieve target records in a pre-defined differentiated encryption strategy library. It consists of three parts: entity information type marker, data layer marker, and sensitivity level.
[0040] Sensitivity level is a numerical identifier used to quantify the sensitivity of entity information. In this application, the value is assigned according to preset rules. For personal identification identifiers, different values may be assigned according to the identifier type (such as ID card number, passport number). For classified information, different values are mapped according to the classified text content. The larger the value, the higher the sensitivity usually is.
[0041] An encryption parameter set refers to a set of configuration parameters required to perform an encryption operation. In the context of this application, the set includes at least an encryption algorithm identifier, a working mode identifier, and a key length identifier, wherein the encryption algorithm identifier is used to indicate which encryption algorithm is used, the working mode identifier is used to indicate the working mode of the algorithm, and the key length identifier is used to indicate the number of bits in the encryption key.
[0042] The first encryption parameter set is the set of encryption parameters that are finally determined through querying and conflict resolution, and are used to perform the first round of encryption on the target data block in the current multidimensional archive data packet.
[0043] The preset conflict handling rules are the decision logic used to select a final parameter set when multiple candidate encryption parameter sets are obtained for multiple entity information queries; for example, the rule can be to select the parameter set with the highest security level in all candidate sets, or to select the parameter set that matches the most entity information.
[0044] In this step, the entity information recognition results are first read, and each entity information record is parsed to extract whether the type marker of the entity information is a personal identification identifier or a security classification marker, and at the same time, the data layer marker of the entity information is extracted whether it is an image data part or a structured text data part. Secondly, for each piece of entity information, a preset sensitivity level mapping table is queried based on its parsed type marker and its specific content string to determine its sensitivity level value. For example, when the type marker is a personal identification identifier and the content is a complete 18-digit ID number, the mapping table may assign a sensitivity level value of 3, while when the content is a mobile phone number, it may assign a sensitivity level value of 2. When the type marker is a security level marker and the content is confidential, the mapping table may assign a sensitivity level value of 5, and when the content is secret, it may assign a value of 4. Next, the parsed type marker, data layer marker, and sensitivity level value are combined to form a unique query index triple. Then, this query index triple is used as the retrieval key to compare and search the preset differential encryption strategy library record by record. This strategy library can be a relational database table or a list of configuration files. The search logic requires that the query index field of the record is completely consistent with the provided query index. When a matching target record is found, the set of encryption parameters bound to that record is read and used as the candidate set of encryption parameters for the current entity information. Finally, if only one entity information is identified in the current multidimensional archive data packet, then the corresponding unique candidate encryption parameter set is determined as the first encryption parameter set. If multiple entity information is identified and multiple candidate encryption parameter sets are obtained as a result, arbitration is carried out according to the preset conflict handling rules. For example, if the rule is defined as "always select the parameter set with the largest key length identifier value", then the key lengths of all candidate sets are compared, and the candidate encryption parameter set with the largest value is determined as the final first encryption parameter set.
[0045] Following the previous embodiment, the first entity information is parsed to obtain a type labeled "personal identifier" and a data layer labeled "structured text data part"; the second entity information is parsed to obtain a type labeled "security level information" and a data layer labeled "image data part". Next, the mapping is performed according to preset rules. For the first entity information, since its type is ID card number, it is mapped to a sensitivity level of 3 according to the rules; for the second entity information, since its content is "secret", it is mapped to a sensitivity level of 4 according to the rules. Subsequently, query indexes are generated for the two entity information entries: Index 1 is "Personal Identifier, Structured Text Data Part, 3", and Index 2 is "Security Classification Information, Image Data Part, 4". In step 1024, the system uses Index 1 to query the preset differential encryption strategy library. Assuming a matching record is found, its bound encryption parameter set is "Algorithm Identifier: RSA_2048"; using Index 2, the system queries, assuming the found matching record is bound encryption parameter set "Algorithm Identifier: RSA_4096". Since two candidate encryption parameter sets are obtained, the preset conflict handling rule "select the parameter set with the largest key length" will be applied. After comparison, it is found that the key length of RSA_4096 is greater than that of RSA_2048. Therefore, the encryption parameter set "algorithm identifier: RSA_4096" is determined as the final first encryption parameter set.
[0046] Step 103: Perform the first round of asymmetric encryption on the target data block carrying entity information in the multidimensional archive data packet according to the first encryption parameter set to generate the first intermediate ciphertext data packet.
[0047] Optionally, step 103 may specifically include: Step 1031: Extract the public key data and encryption algorithm identifier for asymmetric encryption operations from the first set of encryption parameters.
[0048] Step 1032: Based on the location coordinates of the entity information of the preset sensitive type in the multidimensional archive data packet, delineate the target data block containing all entity information and the context boundary of the entity information from the corresponding data part of the multidimensional archive data packet.
[0049] Step 1033: Based on the encryption processing method corresponding to the encryption algorithm identifier, use the public key data to perform encryption operations on the binary data of the target data block to generate the encrypted ciphertext data block.
[0050] Step 1034: Replace the original binary data corresponding to the target data block in the multidimensional archive data packet with the encrypted ciphertext data block to obtain the target data packet after the replacement operation.
[0051] Step 1035: Add a position index header to each encrypted ciphertext data block in the target data packet to obtain the first intermediate ciphertext data packet.
[0052] In this application, public key data refers to the portion of the key used for encryption operations in an asymmetric encryption algorithm. In this application scenario, the public key data is extracted from a pre-deployed or acquired asymmetric key pair, paired with a private key data, and after the target data block is encrypted using the public key data, only the authorized party holding the corresponding private key data can decrypt it.
[0053] An encryption algorithm identifier is a string or code used to uniquely specify a certain asymmetric encryption algorithm; for example, the identifier "RSA_2048" represents the use of the RSA algorithm and a key length of 2048 bits, and the identifier "RSA_4096" represents the use of the RSA algorithm and a key length of 4096 bits. This identifier is used to call the corresponding encryption function library in the program logic.
[0054] Context boundaries refer to the logical scope that, in order to ensure semantic integrity and prevent information leakage, when defining target data blocks, includes not only the entity information of the preset sensitive type itself, but also the related data within a certain range around it; for example, for an ID number in text, its context boundaries may include the few characters before and after or the entire sentence.
[0055] The target data block refers to a continuous segment of binary data that is precisely extracted from the corresponding data portion of the multidimensional archive data packet based on the location coordinates and context boundaries of the entity information; this data block is the direct object of subsequent encryption operations.
[0056] An encrypted ciphertext data block refers to a binary data block that cannot be directly read, generated after the original binary data of the target data block has been converted using a specified asymmetric encryption algorithm and public key data.
[0057] The location index header is a structured data appended to the beginning of the encrypted ciphertext data block, used to record the location information of the ciphertext data block in the original data packet and the encrypted metadata; in this application, the location index header at least includes the original data start offset, the original data length, and the identifier of the encryption algorithm used.
[0058] The first intermediate ciphertext data packet refers to the data packet form after the first round of asymmetric encryption. The structure of this data packet is that the areas in the original multidimensional archive data packet that are not identified as sensitive remain unchanged, while the target data blocks carrying sensitive entity information are replaced with the corresponding encrypted ciphertext data blocks, and each encrypted ciphertext data block has its own location index header.
[0059] In this step, two key elements for asymmetric encryption are first read and extracted from the first set of encryption parameters: one is the public key data string or file used for encryption operations, and the other is the encryption algorithm identifier that specifies which encryption algorithm is used. Secondly, based on the entity information recognition results, for each piece of recognized entity information, it is located in the corresponding data part of the multidimensional archive data packet according to its recorded location coordinates, and according to the preset context boundary rules, such as extending forward and backward by several bytes or pixels, a continuous target data block that completely wraps the entity information is delineated. Next, based on the extracted encryption algorithm identifier, the encryption function corresponding to the identifier is called, the extracted public key data is used as the encryption key input, and mathematical transformation calculations are performed on the original binary data of the defined target data block to generate a new encrypted ciphertext data block whose length may change. Then, in the original multidimensional archive data packet, find the original binary data segment that completely corresponds to the target data block, and replace the original data segment with the generated encrypted ciphertext data block, so as to obtain a target data packet after the replacement operation of part plaintext and part ciphertext. Finally, for each newly replaced encrypted ciphertext data block, a position index header generated according to a predetermined format is inserted before its data start position. This position index header records the position and length information of the original data block being replaced, as well as the encryption algorithm used. All data blocks, together with their position index headers, are repackaged into a logically complete new data packet, namely the first intermediate ciphertext data packet.
[0060] Following the previous example, the corresponding public key data (assumed to be a long string of Base64 encoded string) and the encryption algorithm identifier "RSA_4096" are first extracted from the parameter set and the associated key library; Next, the two entity information pieces are processed. For the ID card number entity information, its position in the structured text data part is characters 102 to 121. According to the rule "extend by 5 characters before and after", the context boundary is defined. The final target data block is the binary data corresponding to the text from characters 97 to 126. For the "secret" entity information, its region coordinates in the image data part are [1800, 50, 1900, 100]. According to the rule "extend by 10 pixels", the context boundary is defined. The final target data block is the binary pixel data corresponding to the rectangular region with coordinates [1790, 40, 1910, 110] in the image. Then, the RSA-4096 encryption library function is called, and the extracted public key data is used to encrypt the binary data of the two target data blocks respectively, generating two independent, irregular encrypted ciphertext data blocks. Next, in the original multidimensional archive data packet, the corresponding binary data segment from character 97 to 126 is found and replaced with the first ciphertext data block. The image binary data at coordinates [1790, 40, 1910, 110] is found and replaced with the second ciphertext data block, resulting in the target data packet after the replacement operation. In step 1035, a position index header is added to the first ciphertext data block with the content "Offset: 97, Length: 30, Algorithm: RSA_4096"; a position index header is added to the second ciphertext data block with the content "Starting coordinates: [1790, 40], Ending coordinates: [1910, 110], Algorithm: RSA_4096"; finally, all parts are repackaged to generate the first intermediate ciphertext data packet.
[0061] Step 104: Based on the archive classification code in the original metadata layer of the multidimensional archive data packet, determine the target network transmission link from the preset transmission channel mapping rules, and extract the real-time network quality characteristics of the target network transmission link. The real-time network quality characteristics include the current link latency and available bandwidth fluctuation values.
[0062] Optionally, step 104 may specifically include: Step 1041: Read the archive classification code from the raw metadata layer of the multidimensional archive data package.
[0063] Step 1042: Match the archive classification code with the preset transmission channel mapping rules, and obtain all candidate network transmission links associated with the archive classification code based on the successfully matched records.
[0064] Step 1043: Perform a performance detection operation on each candidate network transmission link, send a set of test data packets to the peer node of the candidate network transmission link and receive reply data packets, calculate the current link delay based on the time difference between sending and receiving, monitor the available data transmission rate of the candidate network transmission link within a preset time window, and calculate the available bandwidth fluctuation value based on the difference between the maximum and minimum data transmission rates.
[0065] Step 1044: From all candidate network transmission links that have completed the performance detection operation, select candidate network transmission links whose current link latency meets the first preset condition to form a target transmission link set.
[0066] Step 1045: Based on the preset priority strategy corresponding to the archive classification code, select a candidate network transmission link from the target transmission link set as the target network transmission link, and record the current link latency and available bandwidth fluctuation value of the target network transmission link as real-time network quality characteristics.
[0067] In this application, the archive classification code refers to a string or code stored in the original metadata layer, used to uniquely identify the business attributes, departmental affiliation, or security classification of the archive. In the scenario of this application, the code is a key index for classifying and managing archives in the archive management system, and its format is, for example, "RS-DA-2023-001", where "RS" may represent personnel category and "DA" represents archive type.
[0068] The preset transmission channel mapping rule is a predefined and configured correspondence table or configuration file; the rule clarifies one or more specific network communication paths that are allowed or recommended for different file classification codes (or encoding modes).
[0069] Candidate network transmission links refer to specific network connection channels that are matched with the current archive classification code according to the transmission channel mapping rules; each link is represented by a unique network link identifier, corresponding to an actual network path such as a specific virtual private network tunnel, leased line interface or designated Internet access point.
[0070] A peer node refers to the network address of the network device or service that receives test data packets and returns a response when establishing communication with a candidate network transmission link.
[0071] Current link latency refers to the total time it takes for a data packet to travel from the sending end through the candidate network transmission link to the peer node and immediately receive a reply from the peer node. It is usually measured in milliseconds and reflects the instantaneous response speed of the link.
[0072] Available data transmission rate refers to the rate at which valid data can be successfully transmitted through candidate network transmission links within a preset time window, usually measured in megabits per second.
[0073] Available bandwidth fluctuation is an indicator used to quantify the stability of available data transmission rate. It is obtained by calculating the difference between the maximum and minimum data transmission rate observed within a monitoring time window. The smaller the difference, the more stable the link bandwidth.
[0074] The first preset condition is a latency threshold criterion used to filter candidate network transmission links, such as "the current link latency is less than 100 milliseconds".
[0075] The target transmission link set refers to the set of network transmission links that meet the basic latency requirements, which are retained from all candidate network transmission links after performance detection and screening based on the first preset conditions.
[0076] The preset priority policy is a rule that is bound to the file classification code and is used to make the final choice among multiple eligible links; for example, for high-security files, the policy may prioritize the dedicated intranet line, while for ordinary files, the policy may prioritize the line with the lowest current latency.
[0077] In this step, the original metadata layer is first located and parsed from the first intermediate ciphertext data packet that has completed the first round of encryption processing, and the specific string value of the file classification code is read from the multiple fields stored in this layer. Next, the read file classification code string is compared row by row with a transmission channel mapping rule table pre-loaded into memory or database. The table is checked to see if the "classification code" field of a certain record completely matches the current code or conforms to the wildcard matching rule. When a matching record is found, the value of the "associated link" field is extracted from the record. This field value is usually a list containing multiple network link identifiers. The network paths represented by these identifiers constitute all candidate network transmission links. Next, for each candidate network transmission link obtained, a network performance detection operation is executed sequentially. This operation includes two concurrent or sequential subtasks. The first subtask is to send a set of small test data packets containing precise sending timestamps to the peer node of the link, and record the timestamp of the reply received by the peer for each data packet. The round-trip time of a single data packet is obtained by subtracting the sending timestamp from the reply timestamp. The average round-trip time of all data packets is then calculated, and the average value is divided by 2 to obtain the current link latency of the link. The second subtask is to continuously send test data streams through the link within a preset fixed-duration time window and count the amount of data successfully received per unit time, thereby calculating a series of instantaneous available data transmission rates in real time. The maximum and minimum values of all instantaneous rates observed within the time window are recorded, and the available bandwidth fluctuation value of the link is obtained by subtracting the minimum value from the maximum value. Then, a list is created, and all candidate network transmission links and their detected current link latency and available bandwidth fluctuation values are stored as records. This list is traversed, and each record is checked according to the first preset condition (e.g., "current link latency is less than 50 milliseconds"). The link identifiers of the records that meet the conditions are extracted to form a new set of target transmission links. Finally, based on the current file classification code, a preset priority policy configuration is queried to obtain the link selection rules for this type of code. For example, the rule is "prioritize dedicated intranet lines, and if there are multiple lines, select the one with the lowest latency". Then, the links in the target transmission link set are sorted and selected according to this rule. The link with the highest ranking is selected as the final target network transmission link for transmission. The current link latency and available bandwidth fluctuation value corresponding to this link are recorded as real-time network quality features to be used in subsequent steps.
[0078] Following the previous embodiment, the encoding is first read from the metadata layer, and the preset transmission channel mapping rule table is queried. Assuming that there is a matching record in the table with the value of "Associated Link" field "VPN_Tunnel_1,MPLS_Line_A,Internet_Backup_B", then three candidate network transmission links are obtained. Next, each link was probed, with 5 test packets sent to the peer node of VPN_Tunnel_1. The calculated round-trip times were 52 milliseconds, 50 milliseconds, 55 milliseconds, 51 milliseconds, and 53 milliseconds, with an average of 52.2 milliseconds. Therefore, the current link latency was 26.1 milliseconds. At the same time, the maximum instantaneous data transmission rate monitored within the 2-second time window was 95 Mbps, and the minimum was 88 Mbps, so the available bandwidth fluctuation was 7 Mbps. The same probe was performed on MPLS_Line_A, and the current link latency was found to be 15.3 milliseconds, with an available bandwidth fluctuation of 2 Mbps. The probe was performed on Internet_Backup_B, and the current link latency was found to be 105 milliseconds, with an available bandwidth fluctuation of 25 Mbps. Assuming the first preset condition is "current link latency is less than 50 milliseconds", VPN_Tunnel_1 and MPLS_Line_A are selected to form a target transmission link set. In step 1045, the preset priority policy is queried according to the file classification code "RS-DA-2023-001". Assuming the policy is "prioritize dedicated lines, then select the one with the lowest latency", MPLS_Line_A is a dedicated line, so it is selected as the target network transmission link. Its current link latency of 15.3 milliseconds and available bandwidth fluctuation of 2 Mbps are recorded as real-time network quality characteristics.
[0079] Step 105: Based on real-time network quality characteristics, dynamically adjust the key parameters that are related to the first encryption parameter set to generate the second encryption parameter set.
[0080] Optionally, step 105 may specifically include: Step 1051: Extract the basic key parameters and initial working mode parameters for symmetric encryption operations from the first set of encryption parameters.
[0081] Step 1052: Match the current link latency value and available bandwidth fluctuation value in the real-time network quality characteristics with the intervals defined in the pre-stored mapping table to find the corresponding key length adjustment amount and mode switching indication. The mapping table predefines the key length adjustment amount and mode switching indication corresponding to different current link latency intervals and different available bandwidth fluctuation value intervals.
[0082] Step 1053: Based on the found key length adjustment amount, perform numerical increment or decrement operations on the initial key length in the basic key parameters to obtain the adjusted target key length value.
[0083] Step 1054: Based on the found mode switching instruction, determine whether it is necessary to switch the initial working mode parameter. If it is necessary to switch, select a new working mode parameter from the preset mode library according to the mode switching instruction.
[0084] Step 1055: The adjusted key length value and the new working mode parameters are merged with the original parameters in the first encryption parameter set, excluding the basic key parameters and the initial working mode parameters, to form the second encryption parameter set.
[0085] In this application, the basic key parameter refers to a core configuration item extracted from the first encryption parameter set for use in symmetric encryption algorithms. It specifically specifies the initial key length used in the encryption operation, usually in bits, such as 256 bits.
[0086] The initial working mode parameter refers to another core configuration item extracted from the first encryption parameter set for symmetric encryption algorithms. It defines the specific working mode of the algorithm when encrypting data blocks, such as whether to use chain encryption mode or counter mode.
[0087] The pre-stored mapping table is a two-dimensional lookup table pre-configured based on network transmission experience and security policies. The rows of the table define different ranges of current link latency values, and the columns define different ranges of available bandwidth fluctuation values. Each cell stores two values: one is the key length adjustment amount, and the other is the mode switching indicator.
[0088] The key length adjustment amount is a signed integer that represents the number of bits to be added or removed from the initial key length. Positive numbers indicate increasing the key length to improve security, while negative numbers indicate decreasing the key length to reduce computational overhead.
[0089] The mode switching indicator is a boolean value or a specific enumeration value that indicates whether the initial working mode parameter needs to be switched to another different working mode, such as switching from chain encryption mode to counter mode, or indicates that no switching is required.
[0090] The target key length value is the new key length value obtained after the initial key length is adjusted by the key length adjustment operation. This value will be used as the basis for generating the final encryption key.
[0091] The new working mode parameter is a specific working mode identifier selected from the preset mode library according to the mode switching instruction, used to replace the initial working mode parameter.
[0092] The second encryption parameter set is a new and complete set of parameters that is formed by combining the adjusted target key length value, the new working mode parameters, and other original parameters inherited from the first encryption parameter set (such as the encryption algorithm family identifier). It is specifically used to guide the second round of symmetric encryption operations.
[0093] In this step, the first set of encryption parameters is parsed to extract the configuration items used for subsequent symmetric encryption operations, mainly the basic key parameters and the initial working mode parameters. Secondly, the real-time network quality characteristics obtained from the measurement are obtained, namely the current link latency value and the available bandwidth fluctuation value. These two values are used as input keys to query a mapping table that is pre-stored in memory or configuration file. The query logic of this table is to first determine which preset latency interval the current link latency value falls into, and then determine which preset fluctuation interval the available bandwidth fluctuation value falls into, thereby locating the unique corresponding cell in the table, and reading the pre-configured key length adjustment amount and mode switching indication from that cell. Next, the initial key length value contained in the extracted basic key parameters is arithmetically added to the found key length adjustment amount. That is, the initial key length is added to the key length adjustment amount to obtain a new value as the adjusted target key length value. Here, it is necessary to ensure that the operation result is a valid key length supported by the encryption algorithm. Then check the found mode switching indication. If the indication clearly requires switching, select a corresponding working mode identifier from a preset mode library list as the new working mode parameter according to the indication content. If the indication is not to switch, retain the extracted initial working mode parameter as the new working mode parameter. Finally, a new set of parameters is created, into which the obtained target key length value and the new working mode parameters are placed. At the same time, all other original parameters from the first encryption parameter set, except for the basic key parameters and the initial working mode parameters that have been extracted and replaced, are also copied into this new set. All these parameters together constitute a complete second encryption parameter set adapted to the current network conditions.
[0094] Following the previous embodiment, the basic key parameter "256" and the initial working mode parameter "CBC" are first extracted from the first encryption parameter set. Then, the pre-stored mapping table is queried. Assuming that the table defines the cell where the delay interval "0-20 milliseconds" and the fluctuation interval "0-5 Mbps" intersect, the stored key length adjustment amount is "+0", and the mode switching indication is "No". Since 15.3 milliseconds falls into the 0-20 milliseconds interval and 2 Mbps falls into the 0-5 Mbps interval, the key length adjustment amount is found to be 0, and the mode switching indication is "No". Next, the initial key length of 256 is added to the adjustment amount of 0, resulting in an adjusted target key length value that is still 256 bits. Since the mode switching indicator is "No", the new working mode parameter remains the initial "CBC" mode. In step 1055, the target key length value "256", the working mode parameter "CBC", and other parameters inherited from the first encryption parameter set (such as the algorithm identifier "AES") are combined to form the second encryption parameter set.
[0095] Step 106: Perform a second round of symmetric encryption on the first intermediate ciphertext data packet using the second encryption parameter set to generate the target encrypted archive data packet, and then transmit the encrypted archive data packet in fragments through the target network transmission link.
[0096] Optionally, step 106 may specifically include: Step 1061: Extract the encryption operation mode and target key length from the second encryption parameter set.
[0097] Step 1062: Generate a temporary symmetric key according to the target key length. Using the temporary symmetric key and the encryption operation mode, perform symmetric encryption operation on the binary data stream of the first intermediate ciphertext data packet to obtain the final ciphertext data.
[0098] Step 1063: The final ciphertext data, the position index header in the first intermediate ciphertext data packet, and the encryption operation mode identifier in the second encryption parameter set are jointly encapsulated to generate the target encrypted archive data packet.
[0099] Step 1064: Calculate the fragmentation size threshold based on the current link latency and available bandwidth fluctuation values in the real-time network quality characteristics of the target network transmission link.
[0100] Step 1065: According to the fragment size threshold, the target encrypted archive data packet is cut into multiple sequentially arranged data fragments, and a fragment header containing the sequence number and the total number of fragments is added to each data fragment.
[0101] Step 1066: According to the order in which the data fragments were generated, each data fragment with a fragment header is transmitted sequentially on the target network transmission link according to its sequence number.
[0102] In this application, the encryption operation mode refers to the specific working method identifier of the symmetric encryption algorithm for processing data, extracted from the second encryption parameter set, such as chain encryption mode or counter mode. This mode determines how the algorithm links data blocks together or performs randomized encryption.
[0103] The target key length refers to the specified length value extracted from the second set of encryption parameters for generating the temporary symmetric key. This value is in bits, such as 128 bits or 256 bits, and directly determines the complexity and strength of the temporary symmetric key.
[0104] A temporary symmetric key is a string of binary key data generated in real time by a secure random number generator according to the target key length. This key is specifically used for the encryption operation of the first intermediate ciphertext data packet and is discarded after a transmission task is completed.
[0105] The final ciphertext data refers to the completely unreadable encrypted binary data generated after the entire binary data stream of the first intermediate ciphertext data packet has been fully processed by the symmetric encryption algorithm specified by the temporary symmetric key and the encryption operation mode.
[0106] The target encrypted archive data packet refers to a complete data packet to be transmitted, which is formed by combining the final ciphertext data as the main body, together with the position index header information inherited from the first intermediate ciphertext data packet and the encryption operation mode identifier extracted from the second encryption parameter set, according to a predetermined data encapsulation format.
[0107] The fragment size threshold is a reference number of bytes calculated based on real-time network quality characteristics. It is used to guide the segmentation of large target encrypted archive data packets into multiple smaller data units suitable for network transmission. Its value is related to the current link latency and available bandwidth fluctuations.
[0108] A data fragment refers to a series of continuous data blocks of fixed or approximately fixed size obtained by sequentially cutting the binary data of a target encrypted archive data packet according to a fragment size threshold.
[0109] The fragment header is a short piece of structured data appended to the beginning of each data fragment. It contains at least the fragment's sequential number within the entire data packet and the total number of fragments after the data packet is divided. It is used to sort and reassemble the data fragments at the receiving end.
[0110] In this step, the second encryption parameter set is first parsed to extract two core parameters for performing encryption: the encryption operation mode and the target key length. Secondly, a cryptographically secure pseudo-random number generator is invoked to generate a random binary sequence whose length is exactly equal to the number of bits of the target key as a temporary symmetric key. Then, according to the algorithm specified by the encryption operation mode, such as the Advanced Encryption Standard algorithm, this temporary symmetric key is used to encrypt the entire binary data stream of the first intermediate ciphertext data packet block by block to obtain a complete final ciphertext data that is the same length as or slightly longer than the original data. Next, a new data packet structure is created, with the final ciphertext data as the packet body, and all the position index header information carried in the first intermediate ciphertext data packet as metadata appended to the front or back of the packet body. At the same time, the encryption operation mode identifier in the second encryption parameter set is also encapsulated as part of the metadata, together forming the final target encrypted archive data packet to be sent. Then, real-time network quality characteristics are obtained, namely the current link latency and available bandwidth fluctuation values. Through a preset calculation formula or lookup table, these two values are mapped to a specific fragment size threshold. For example, the formula may make it possible to use larger fragments when the latency is low and the fluctuation is small, and to use smaller fragments when the latency is high and the fluctuation is large. Subsequently, with reference to the calculated fragment size threshold, starting from the first byte of the target encrypted archive data packet, its binary data is sequentially cut into multiple data fragments. The last fragment is allowed to be smaller than the threshold. For each data fragment generated by the cutting, a fragment header is added at the beginning of its data. This header contains at least the current fragment's sequence number and the total number of fragments obtained by dividing the total data size by the fragment threshold and rounding up. Finally, according to the order in which the data segments were cut, that is, the order in which their sequence numbers are from 1 to N, each data segment with a fragment header attached is sent out through the determined target network transmission link in turn, thereby completing the fragmentation and transmission process of the entire encrypted archive data packet.
[0111] Following the previous embodiment, the encryption operation mode "CBC" and the target key length "256" are first extracted from the second encryption parameter set; a 256-bit random number is generated as a temporary symmetric key, and the entire first intermediate ciphertext data packet (assuming its size is 1.5MB) is encrypted using the AES-256 algorithm in conjunction with the CBC mode to obtain the final ciphertext data; Then, the final ciphertext data, the two position index headers obtained from the first intermediate ciphertext data packet, and the encryption operation mode identifier "CBC" are encapsulated together to generate a complete target encrypted archive data packet; Next, based on the current link latency L=15.3 milliseconds and the available bandwidth fluctuation value V=2Mbps, the fragment size threshold S is calculated using a preset formula, where the preset formula is S=B×(1-k×V / Vmax), where B is the basic fragment size of 1500 bytes, k is the adjustment coefficient of 0.5, and Vmax is the maximum reference fluctuation value of 10Mbps. The calculation process is S=1500×(1-0.5×2 / 10)=1500×(1-0.1)=1500×0.9=1350 bytes; Therefore, the fragment size threshold S is 1350 bytes. Then, the target encrypted archive data packet (assuming the encrypted size is 1.52MB, or 1592524 bytes) is divided into 1350-byte segments, resulting in 1592524 / 1350≈1179.65. Rounding up, the total number of segments is N=1180. The first 1179 segments are 1350 bytes in size, and the 1180th segment is 574 bytes in size. Finally, a fragment header is added to each segment. For example, the header of the first segment is written as "Sequence number: 1, Total number: 1180". Then, each data segment with a fragment header is sent to the receiving end through the target network transmission link "MPLS_Line_A" in the order of sequence number from 1 to 1180.
[0112] Figure 2 This application provides a schematic diagram of the structure of a secure encrypted transmission system for archival data, such as... Figure 2 As shown, the system includes: The acquisition module 21 is used to acquire the multidimensional archive data packet to be transmitted and identify entity information belonging to a preset sensitive type in the multidimensional archive data packet. The entity information of the preset sensitive type includes personal identification identifiers and security classification information in the archive. Selection module 22 is used to select a first set of encryption parameters that matches the sensitivity level of the target data layer and the entity information from a preset differential encryption strategy library based on the entity information of the preset sensitive type and the target data layer to which the entity information belongs in the multidimensional archive data packet; Encryption module 23 is used to perform a first round of asymmetric encryption on the target data block carrying the entity information in the multidimensional archive data packet according to the first encryption parameter set, and generate a first intermediate ciphertext data packet; Extraction module 24 is used to determine the target network transmission link from the preset transmission channel mapping rules according to the archive classification code in the original metadata layer of the multidimensional archive data packet, and extract the real-time network quality characteristics of the target network transmission link, wherein the real-time network quality characteristics include the current link latency and available bandwidth fluctuation value. Adjustment module 25 is used to dynamically adjust the key parameters that are related to the first encryption parameter set based on the real-time network quality characteristics to generate a second encryption parameter set; Transmission module 26 is used to perform a second round of symmetric encryption on the first intermediate ciphertext data packet using the second encryption parameter set to generate a target encrypted archive data packet, and to transmit the encrypted archive data packet in fragments through the target network transmission link.
[0113] Figure 2 The aforementioned secure encrypted transmission system for archival data can perform... Figure 1 The implementation principle and technical effects of the secure encrypted transmission method for archival data described in the illustrated embodiment will not be repeated here. The specific methods by which each module and unit of the secure encrypted transmission system for archival data in the above embodiments perform operations have been described in detail in the embodiments related to this method, and will not be elaborated upon here.
[0114] In one possible design, Figure 2 The archival data secure encryption transmission system of the illustrated embodiment can be implemented as a computing device, such as... Figure 3 As shown, the computing device may include a storage component 31 and a processing component 32; The storage component 31 stores one or more computer instructions, wherein the one or more computer instructions are invoked and executed by the processing component 32.
[0115] The processing component 32 is used for the above Figure 1 The embodiment describes a method for secure encrypted transmission of archival data.
[0116] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.
Claims
1. A method for secure encrypted transmission of archival data, characterized in that, include: Acquire the multidimensional archive data packet to be transmitted, and identify entity information belonging to a preset sensitive type in the multidimensional archive data packet. The entity information of the preset sensitive type includes personal identification identifiers and security classification information in the archive. Based on the entity information of the preset sensitive type, and according to the target data layer to which the entity information belongs in the multidimensional archive data packet, a first set of encryption parameters matching the sensitivity level of the target data layer and the entity information is selected from the preset differentiated encryption strategy library; The first round of asymmetric encryption is performed on the target data block carrying the entity information in the multidimensional archive data packet according to the first encryption parameter set to generate the first intermediate ciphertext data packet. Based on the archive classification code in the original metadata layer of the multidimensional archive data packet, the target network transmission link is determined from the preset transmission channel mapping rules, and the real-time network quality characteristics of the target network transmission link are extracted, wherein the real-time network quality characteristics include the current link latency and available bandwidth fluctuation value. Based on the real-time network quality characteristics, the key parameters that are related to the first encryption parameter set are dynamically adjusted to generate the second encryption parameter set; The second set of encryption parameters is used to perform a second round of symmetric encryption on the first intermediate ciphertext data packet to generate a target encrypted archive data packet, and the encrypted archive data packet is transmitted in fragments through the target network transmission link.
2. The method for secure encrypted transmission of archival data according to claim 1, characterized in that, Acquire the multidimensional archive data packet to be transmitted, and identify entity information belonging to a preset sensitive type in the multidimensional archive data packet. The preset sensitive type entity information includes personal identification identifiers and security classification information in the archive, including: Receive multidimensional archive data packets output by the archive scanning and structuring system, and decompose the multidimensional archive data packets to separate the image data portion, the structured text data portion, and the original metadata portion; Scan the text content in the structured text data section and compare it with a preset first sensitive word list to mark all matching text fragments and the position of the text fragments in the structured text data section as the first type of sensitive entity information; Locate a specified image region containing a security level marker in the image data portion, extract text information from the specified image region, compare the text information with a preset second sensitive word list, mark all matching text information and the region coordinates of the text information in the image data portion, and use them as second type of sensitive entity information; The first type of sensitive entity information and the second type of sensitive entity information are combined to generate an entity information recognition result that includes entities belonging to a preset sensitive type.
3. The method for secure encrypted transmission of archival data according to claim 1, characterized in that, Based on the entity information of the preset sensitive type, and according to the target data layer to which the entity information belongs in the multidimensional archive data packet, a first set of encryption parameters matching the sensitivity level of the target data layer and the entity information is selected from a preset differentiated encryption strategy library, including: The type marker of the entity information of the preset sensitive type and the data layer marker of the entity information in the multidimensional archive data packet are parsed, wherein the type marker includes personal identification identifier or security classification information, and the data layer marker points to the image data part or the structured text data part; Based on the type marker of the entity information and the specific content of the entity information, the sensitivity level of the entity information is determined. When the type marker of the entity information is a personal identification identifier, different sensitivity level values are assigned to different personal identification identifier contents according to preset rules. When the type marker of the entity information is a security classification marker, different security classification marker contents are mapped to different sensitivity level values according to preset rules. The entity information type marker, the data layer marker, and the sensitivity level are used together as the query index; The query index is used to retrieve a preset differentiated encryption strategy library, find a target record that completely matches the query index, and extract the set of encryption parameters bound in the target record as a candidate encryption parameter set. According to the preset conflict handling rules, a first encryption parameter set is determined from all candidate encryption parameter sets. The first encryption parameter set is used to perform encryption processing on the target data block carrying the entity information in the multidimensional archive data packet.
4. The method for secure encrypted transmission of archival data according to claim 1, characterized in that, The first round of asymmetric encryption is performed on the target data block carrying the entity information in the multidimensional archive data packet according to the first encryption parameter set to generate a first intermediate ciphertext data packet, including: Extract the public key data and encryption algorithm identifier used for asymmetric encryption operations from the first set of encryption parameters; Based on the position coordinates of the entity information of the preset sensitive type in the multidimensional archive data packet, a target data block containing all the entity information and the context boundary of the entity information is delineated from the corresponding data part of the multidimensional archive data packet; Based on the encryption processing method corresponding to the encryption algorithm identifier, the public key data is used to perform encryption operations on the binary data of the target data block to generate an encrypted ciphertext data block; The original binary data corresponding to the target data block in the multidimensional archive data packet is replaced with the encrypted ciphertext data block to obtain the target data packet after the replacement operation is completed. A position index header is added to each encrypted ciphertext data block in the target data packet to obtain the first intermediate ciphertext data packet.
5. The method for secure encrypted transmission of archival data according to claim 1, characterized in that, Based on the archive classification code in the original metadata layer of the multidimensional archive data packet, the target network transmission link is determined from the preset transmission channel mapping rules, and the real-time network quality characteristics of the target network transmission link are extracted. These real-time network quality characteristics include current link latency and available bandwidth fluctuation values, including: The archive classification code is read from the original metadata layer of the multidimensional archive data package; The file classification code is matched with a preset transmission channel mapping rule, and based on the successfully matched records, all candidate network transmission links associated with the file classification code are obtained. For each candidate network transmission link, a performance detection operation is performed. A set of test data packets is sent to the peer node of the candidate network transmission link and a reply data packet is received. The current link delay is calculated based on the time difference between sending and receiving. The available data transmission rate of the candidate network transmission link is monitored within a preset time window. The available bandwidth fluctuation value is calculated based on the difference between the maximum and minimum values of the data transmission rate. From all candidate network transmission links that have completed the performance detection operation, candidate network transmission links whose current link latency meets the first preset condition are selected to form a target transmission link set; According to the preset priority strategy corresponding to the file classification code, a candidate network transmission link is selected from the target transmission link set as the target network transmission link, and the current link latency and available bandwidth fluctuation value of the target network transmission link are recorded as real-time network quality characteristics.
6. The method for secure encrypted transmission of archival data according to claim 1, characterized in that, Based on the real-time network quality characteristics, the key parameters that are associated with the first encryption parameter set are dynamically adjusted to generate a second encryption parameter set, including: Extract the basic key parameters and initial working mode parameters for symmetric encryption operations from the first set of encryption parameters; The current link latency value and available bandwidth fluctuation value in the real-time network quality characteristics are matched with the intervals defined in the pre-stored mapping table to find the corresponding key length adjustment amount and mode switching indication. The mapping table predefines the key length adjustment amount and mode switching indication corresponding to different current link latency intervals and different available bandwidth fluctuation value intervals. Based on the found key length adjustment amount, the initial key length in the basic key parameters is numerically increased or decreased to obtain the adjusted target key length value. Based on the found mode switching instruction, determine whether the initial working mode parameter needs to be switched. If a switch is required, select a new working mode parameter from the preset mode library according to the mode switching instruction. The adjusted key length value and the new working mode parameters are combined with the original parameters in the first encryption parameter set, excluding the basic key parameters and the initial working mode parameters, to form the second encryption parameter set.
7. The method for secure encrypted transmission of archival data according to claim 1, characterized in that, The first intermediate ciphertext data packet is subjected to a second round of symmetric encryption using the second encryption parameter set to generate a target encrypted archive data packet, and the encrypted archive data packet is fragmented and transmitted through the target network transmission link, including: Extract the encryption operation mode and target key length from the second set of encryption parameters; Based on the target key length, a temporary symmetric key is generated. Using the temporary symmetric key and the encryption operation mode, a symmetric encryption operation is performed on the binary data stream of the first intermediate ciphertext data packet to obtain the final ciphertext data. The final ciphertext data, the position index header in the first intermediate ciphertext data packet, and the encryption operation mode identifier in the second encryption parameter set are jointly encapsulated to generate the target encrypted archive data packet; Based on the current link latency and available bandwidth fluctuation values in the real-time network quality characteristics of the target network transmission link, the fragmentation size threshold is calculated. According to the fragment size threshold, the target encrypted archive data packet is cut into multiple sequentially arranged data fragments, and a fragment header containing the sequence number and the total number of fragments is added to each data fragment; According to the order in which the data fragments were generated, each data fragment with a fragment header is transmitted sequentially on the target network transmission link according to the sequence number.
8. A secure encrypted transmission system for archival data, characterized in that, include: The acquisition module is used to acquire the multidimensional archive data packet to be transmitted and identify entity information belonging to a preset sensitive type in the multidimensional archive data packet. The entity information of the preset sensitive type includes personal identification identifiers and security classification information in the archive. The selection module is used to select a first set of encryption parameters that matches the sensitivity level of the target data layer and the entity information from a preset differential encryption strategy library, based on the entity information of the preset sensitive type and according to the target data layer to which the entity information belongs in the multidimensional archive data packet. The encryption module is used to perform a first round of asymmetric encryption on the target data block carrying the entity information in the multidimensional archive data packet according to the first encryption parameter set, and generate a first intermediate ciphertext data packet; The extraction module is used to determine the target network transmission link from the preset transmission channel mapping rules based on the archive classification code in the original metadata layer of the multidimensional archive data packet, and extract the real-time network quality characteristics of the target network transmission link, wherein the real-time network quality characteristics include the current link latency and available bandwidth fluctuation value. The adjustment module is used to dynamically adjust the key parameters that are related to the first encryption parameter set based on the real-time network quality characteristics to generate a second encryption parameter set; The transmission module is configured to perform a second round of symmetric encryption on the first intermediate ciphertext data packet using the second encryption parameter set to generate a target encrypted archive data packet, and to transmit the encrypted archive data packet in fragments through the target network transmission link.
9. A computing device, characterized in that, It includes a processing component and a storage component; the storage component stores one or more computer instructions; the one or more computer instructions are invoked and executed by the processing component to implement a secure encrypted transmission method for archive data as described in any one of claims 1 to 7.
10. A computer storage medium, characterized in that, The system contains a computer program that, when executed by a computer, implements a secure encrypted transmission method for archival data as described in any one of claims 1 to 7.