Data encryption method, device, equipment and storage medium
By generating user-specific encryption keys, dynamically combining password segments, and integrating symmetric and asymmetric encryption algorithms, the problems of symmetric encryption key leakage and the long length of asymmetric encryption keys are solved, achieving efficient and secure data encryption.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING HONGTENG INTELLIGENT TECH CO LTD
- Filing Date
- 2024-12-19
- Publication Date
- 2026-06-23
Smart Images

Figure CN122268569A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of information security technology, and in particular to data encryption methods, devices, equipment and storage media. Background Technology
[0002] In the modern information age, data privacy and security have become increasingly important. Whether during transmission or storage, data encryption is a key technology for protecting sensitive information from unauthorized access. Data encryption technology transforms plaintext into unreadable ciphertext, ensuring that only users with the decryption key can access the original data. Currently, data encryption technologies are mainly divided into two categories: symmetric encryption and asymmetric encryption. Although existing data encryption technologies have achieved significant progress, the security of symmetric encryption relies on the secure storage and distribution of keys; key leakage will compromise the security of encrypted data. While asymmetric encryption has advantages in key distribution, the keys are longer and more complex to manage, resulting in high key storage costs.
[0003] Therefore, how to improve information security while reducing the storage cost of keys is an urgent problem to be solved.
[0004] The above content is only used to help understand the technical solution of this application and does not represent an admission that the above content is prior art. Summary of the Invention
[0005] The main objective of this application is to provide a data encryption method, apparatus, device, and storage medium, aiming to solve the technical problems that the leakage of symmetric encryption keys will lead to the loss of encrypted data security, and the long key length of asymmetric encryption keys will lead to high key storage costs.
[0006] To achieve the above objectives, this application proposes a data encryption method, the method comprising:
[0007] In response to a received encryption request, user data is determined based on the encryption request;
[0008] Based on the user data, determine the user identifier and the data to be encrypted;
[0009] Retrieve multiple password segments;
[0010] The data to be encrypted is encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext.
[0011] In one embodiment, encrypting the data to be encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext includes:
[0012] An encryption key is generated based on the user identifier and multiple password segments;
[0013] The data to be encrypted is encrypted using the encryption key to generate encrypted ciphertext.
[0014] In one embodiment, generating an encryption key based on the user identifier and multiple password segments includes:
[0015] The initial cipher is generated by dynamically combining multiple cipher segments.
[0016] Generate the target password based on the initial password and the user identifier;
[0017] The target password is converted into an encryption key using a key derivation function.
[0018] In one embodiment, generating the target password based on the initial password and the user identifier includes:
[0019] Obtain the character at a preset position in the user identifier;
[0020] The initial password is associated with the characters to generate the target password.
[0021] In one embodiment, encrypting the data to be encrypted according to the encryption key to generate encrypted ciphertext includes:
[0022] Get the initialization vector;
[0023] The data to be encrypted is padded to obtain the padded data to be encrypted.
[0024] The padded data to be encrypted is encrypted using the encryption key and the initialization vector to generate encrypted ciphertext.
[0025] In one embodiment, before obtaining the multiple password segments, the method further includes:
[0026] Based on the user data, access permissions are verified for each password segment to obtain the verification results for each password segment.
[0027] When the verification result indicates that the current user is an authorized user, the step of obtaining multiple password segments is performed.
[0028] In one embodiment, the step of verifying access permissions for each password segment based on the user data to obtain a verification result includes:
[0029] Determine the user's current access frequency and user IP based on the user data;
[0030] Obtain the access frequency threshold and IP whitelist corresponding to each password segment;
[0031] Access permissions for each password segment are verified based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain the verification result.
[0032] In one embodiment, the step of verifying access permissions for each password segment based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain the verification result includes:
[0033] When the current access frequency does not reach the access frequency threshold and the user IP exists in the IP whitelist, the verification result of the corresponding password segment is determined to be that the current user is an authorized user;
[0034] When the current access frequency reaches the access frequency threshold and / or the user IP does not exist in the IP whitelist, the verification result of the corresponding password segment is determined to be that the current user is an unauthorized user.
[0035] In one embodiment, before obtaining the multiple password segments, the method further includes:
[0036] Retrieve password information;
[0037] The password information is split into multiple password segments;
[0038] The multiple cryptographic segments are stored in their respective cryptographic storage terminals.
[0039] In one embodiment, determining user data based on the received encryption request in response to the encryption request includes:
[0040] In response to a received encryption request, authentication information is determined based on the encryption request;
[0041] Two-factor authentication is performed based on the authentication information to obtain the authentication result;
[0042] When the authentication result is successful, the encryption service is started, and the user data is determined according to the encryption request.
[0043] Furthermore, to achieve the above objectives, this application also proposes a data encryption device, which includes:
[0044] The determination module is used to determine user data based on the received encryption request in response to the encryption request;
[0045] The determining module is further configured to determine the user identifier and the data to be encrypted based on the user data;
[0046] The acquisition module is used to acquire multiple password segments;
[0047] An encryption module is used to encrypt the data to be encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext.
[0048] In one embodiment, the encryption module is further configured to generate an encryption key based on the user identifier and the plurality of the password segments;
[0049] The data to be encrypted is encrypted using the encryption key to generate encrypted ciphertext.
[0050] In one embodiment, the encryption module is further configured to generate an encryption key based on the user identifier and the plurality of the password segments;
[0051] The data to be encrypted is encrypted using the encryption key to generate encrypted ciphertext.
[0052] In one embodiment, the encryption module is further configured to dynamically combine multiple password segments to generate an initial password;
[0053] Generate the target password based on the initial password and the user identifier;
[0054] The target password is converted into an encryption key using a key derivation function.
[0055] In one embodiment, the encryption module is further configured to obtain a character at a preset position in the user identifier;
[0056] The initial password is associated with the characters to generate the target password.
[0057] In one embodiment, the encryption module is further configured to obtain an initialization vector;
[0058] The data to be encrypted is padded to obtain the padded data to be encrypted.
[0059] The padded data to be encrypted is encrypted using the encryption key and the initialization vector to generate encrypted ciphertext.
[0060] In one embodiment, the data encryption device further includes a verification module, which is used to verify the access permissions of each password segment based on the user data and obtain the verification result of each password segment;
[0061] When the verification result indicates that the current user is an authorized user, the step of obtaining multiple password segments is performed.
[0062] In one embodiment, the verification module is further configured to determine the user's current access frequency and user IP based on the user data;
[0063] Obtain the access frequency threshold and IP whitelist corresponding to each password segment;
[0064] Access permissions for each password segment are verified based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain the verification result.
[0065] In one embodiment, the verification module is further configured to determine that the verification result of the corresponding password segment is that the current user is an authorized user when the current access frequency does not reach the access frequency threshold and the user IP exists in the IP whitelist;
[0066] When the current access frequency reaches the access frequency threshold and / or the user IP does not exist in the IP whitelist, the verification result of the corresponding password segment is determined to be that the current user is an unauthorized user.
[0067] In addition, to achieve the above objectives, this application also proposes a data encryption device, the device comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the data encryption method as described above.
[0068] In addition, to achieve the above objectives, this application also proposes a storage medium, which is a computer-readable storage medium, on which a computer program is stored, and which, when executed by a processor, implements the steps of the data encryption method described above.
[0069] In addition, to achieve the above objectives, this application also provides a computer program product, which includes a computer program that, when executed by a processor, implements the steps of the data encryption method described above.
[0070] This application provides a data encryption method. The method involves first responding to a received encryption request, determining user data based on the encryption request, determining a user identifier and data to be encrypted based on the user data, obtaining multiple password segments, and encrypting the data to be encrypted according to the user identifier and the multiple password segments to generate encrypted ciphertext. This method effectively improves information security while significantly reducing key storage costs.
[0071] In summary, this application determines user data based on the received encryption request, accurately identifies the user identifier and the data to be encrypted within the user data, obtains multiple cryptographic segments, and generates a unique encryption key for each user based on these multiple cryptographic segments and the user identifier. This eliminates the need to store a large number of general-purpose keys, thereby reducing the complexity and cost of key management while ensuring data security. By encrypting the data to be encrypted using the encryption key, information security is effectively improved. This overcomes the technical shortcomings of symmetric encryption, where key leakage leads to compromised encryption security, and asymmetric encryption, where long key lengths result in high key storage costs. It effectively improves information security while significantly reducing key storage costs. Attached Figure Description
[0072] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0073] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0074] Figure 1 This is a flowchart illustrating an embodiment of the data encryption method of this application.
[0075] Figure 2 A simplified flowchart illustrating the data encryption process provided in one embodiment of the data encryption method of this application;
[0076] Figure 3 This is a flowchart illustrating Embodiment 2 of the data encryption method of this application;
[0077] Figure 4 This is a flowchart illustrating Embodiment 3 of the data encryption method of this application;
[0078] Figure 5 A detailed flowchart illustrating the data encryption process provided in one embodiment of the data encryption method of this application;
[0079] Figure 6 This is a schematic diagram of the module structure of the data encryption device according to an embodiment of this application;
[0080] Figure 7 This is a schematic diagram of the device structure of the hardware operating environment involved in the data encryption method of this application embodiment.
[0081] The purpose, features, and advantages of this application will be further explained in conjunction with the embodiments and with reference to the accompanying drawings. Detailed Implementation
[0082] It should be understood that the specific embodiments described herein are merely illustrative of the technical solutions of this application and are not intended to limit this application.
[0083] To better understand the technical solution of this application, a detailed description will be provided below in conjunction with the accompanying drawings and specific implementation methods.
[0084] The main solution of this application embodiment is: in response to a received encryption request, determine user data according to the encryption request; determine user identifier and data to be encrypted based on the user data; obtain multiple password segments; encrypt the data to be encrypted according to the user identifier and the multiple password segments to generate encrypted ciphertext.
[0085] In the modern information age, data privacy and security have become increasingly important. Whether during transmission or storage, data encryption is a key technology for protecting sensitive information from unauthorized access. Data encryption technology transforms plaintext into unreadable ciphertext, ensuring that only users with the decryption key can access the original data. Currently, data encryption technologies are mainly divided into two categories: symmetric encryption and asymmetric encryption. Although existing data encryption technologies have achieved significant progress, the security of symmetric encryption relies on the secure storage and distribution of keys; key leakage will compromise the security of encrypted data. While asymmetric encryption has advantages in key distribution, the keys are longer and more complex to manage, resulting in high key storage costs. Therefore, how to improve information security while reducing key storage costs is a pressing issue that needs to be addressed.
[0086] This application determines user data based on the received encryption request, and then accurately identifies the user identifier and the data to be encrypted in the user data, obtains multiple password segments, and generates a unique encryption key for each user based on the multiple password segments and the user identifier. This eliminates the need to store a large number of general keys, thereby reducing the complexity and cost of key management while ensuring data security. By encrypting the data to be encrypted using the encryption key, information security is effectively improved. This overcomes the technical shortcomings of symmetric encryption, where key leakage leads to compromised encryption data security, and asymmetric encryption, where long key lengths result in high key storage costs. It effectively improves information security while significantly reducing key storage costs.
[0087] Based on this, the embodiments of this application provide a data encryption method, referring to... Figure 1 , Figure 1 This is a flowchart illustrating the first embodiment of the data encryption method of this application.
[0088] In this embodiment, the data encryption method includes steps S10 to S40:
[0089] Step S10: In response to the received encryption request, determine the user data according to the encryption request.
[0090] It should be noted that the encryption request can come from a user input through the user interface or from an automatically triggered encryption task; this embodiment does not impose any specific restrictions on this.
[0091] It is understood that the encryption request carries user data, which may include authentication information for starting the encryption service, user identity information, access history, user network information, and data to be encrypted, etc. This embodiment does not impose specific limitations on this.
[0092] In one feasible implementation, step S10 specifically includes: responding to a received encryption request, determining authentication information based on the encryption request; performing two-factor authentication based on the authentication information to obtain an authentication result; and when the authentication result is successful, determining that the encryption service is started and determining user data based on the encryption request.
[0093] It should be noted that authentication information refers to information used to verify the authorization to start the encryption service, such as a fixed password, biometrics, dynamic password, or any combination of the above authentication information. This embodiment does not impose specific restrictions on this. This embodiment takes a fixed password + dynamic password as the authentication information as an example for explanation.
[0094] Understandably, two-factor authentication refers to using two different types of authentication methods to verify access to encrypted services. In this implementation, a combination of a fixed password and a one-time password (OTP) is used to authenticate access to encrypted services. The fixed password, also known as a traditional password, is a password set by the user and is typically used for the first layer of authentication, falling under the "knowledge factor" category. The one-time password (OTP) is usually a one-time password; it is a password generated and used temporarily. OTPs are typically generated by an authentication application (such as Google Authenticator, Authy, etc.) or sent to the user via SMS or email, falling under the "possession factor" category.
[0095] It is worth noting that the user is only considered to have permission to start the encryption service when both the fixed password and the dynamic password are correct. The combination of fixed password and dynamic password can effectively prevent the vulnerability of single authentication method, thus greatly improving security, because even if one is cracked, the attacker still needs the other to successfully authenticate.
[0096] In the actual implementation, after successful authentication, the encryption service is started. At this time, the user data carried in the encryption request can be obtained, including but not limited to the user's identity information, access history, network information, and the data to be encrypted.
[0097] Step S20: Determine the user identifier and the data to be encrypted based on the user data.
[0098] It should be noted that the user identifier, or user ID, is used to identify the user's identity. It can be a unique identifier set when the user registers, or an identifier automatically generated by the system based on the user's information. This embodiment does not impose any specific restrictions on this.
[0099] Understandably, the data to be encrypted is the specific data content that the user requests to be encrypted. After determining the user identifier and the data to be encrypted, further encryption processing can be performed.
[0100] Step S30: Obtain multiple password segments.
[0101] It should be noted that the multiple password segments are derived from the complete password, with each segment containing a portion of the password information. Each password segment is stored independently in a different password storage terminal. In this embodiment, the acquisition of password segments can be random or according to predetermined rules to ensure that these password segments can be effectively combined during the encryption process to recover the complete password.
[0102] It is understood that the password segment can be obtained by accessing a database, calling an API interface, or other means, and this embodiment does not impose specific restrictions on this.
[0103] In one feasible implementation, before step S30, the method further includes: obtaining password information; splitting the password information into multiple password segments; and storing the multiple password segments into corresponding password storage terminals.
[0104] It should be noted that there are various strategies for splitting and storing password segments. For example, the password can be evenly divided into several segments, each stored on a different server, or the password can be divided according to a specific algorithm to ensure that each password segment has a certain degree of complexity, thereby increasing the difficulty of cracking. No specific restrictions are imposed on this.
[0105] It is understood that a cryptographic storage terminal refers to a device or system used to store cryptographic segments, which can be a physical server, cloud storage service, or other form of data storage solution. The security of cryptographic storage terminals is crucial because they store critical information used for data encryption. To further enhance security, cryptographic storage terminals can implement multi-layered security measures, such as physical security, network security, data encryption, and access control; this embodiment does not impose specific limitations on these. In this embodiment, the storage and management of cryptographic segments follow strict security protocols to ensure that even if the cryptographic storage terminal is illegally accessed, attackers will find it difficult to obtain complete cryptographic information.
[0106] In the actual implementation, the complete password is split into multiple segments and stored independently in different physical locations with encryption. After the encryption service starts, it initiates a request to retrieve the password segment by segment.
[0107] It is worth noting that the password storage terminal is isolated from the outside world at both the physical and network levels, and uses a dedicated network and encrypted communication to prevent the leakage and tampering of password information.
[0108] Step S40: Encrypt the data to be encrypted according to the user identifier and multiple password segments to generate encrypted ciphertext.
[0109] It should be noted that the encrypted ciphertext is the encrypted data, which, even if intercepted during transmission or storage, cannot be deciphered by an unauthorized third party. In this embodiment, the encryption process can employ symmetric encryption algorithms, such as AES (Advanced Encryption Standard), to ensure encryption efficiency and security. Alternatively, asymmetric encryption algorithms, such as RSA, can be used; this embodiment does not impose specific limitations on either approach.
[0110] As is understandable, encrypted ciphertext is obtained by processing the data to be encrypted using an encryption algorithm, which combines a user identifier and multiple cipher segments into an encryption key. Encrypted ciphertext can be used to securely transmit or store user data; only users with the correct user identifier and cipher segments can decrypt and access the original data.
[0111] like Figure 2 As shown, Figure 2 The simplified flowchart of data encryption is as follows: Upon receiving a user request, read and write user data, determine whether the table requires encryption service. If encryption service is not required, return the data directly. If encryption service is required, obtain the fields to be encrypted, and then determine whether the encryption machine is started. If not started, return the data directly. If started, start the encryption machine service. Determine whether the encryption machine service responds normally. If it responds normally, return the data. If it does not respond normally, control the write operation - pause writing encrypted data, compensate for subsequent writes, and confirm the read operation - failed.
[0112] This embodiment provides a data encryption method. This embodiment first responds to a received encryption request, determines user data based on the encryption request, determines a user identifier and data to be encrypted based on the user data, obtains multiple password segments, and encrypts the data to be encrypted according to the user identifier and the multiple password segments to generate encrypted ciphertext. This method can effectively improve information security while effectively reducing the storage cost of the key.
[0113] In summary, this embodiment determines user data based on the received encryption request, accurately identifies the user identifier and the data to be encrypted within the user data, obtains multiple password segments, and generates a unique encryption key for each user based on these password segments and the user identifier. This eliminates the need to store a large number of general-purpose keys, thereby reducing the complexity and cost of key management while ensuring data security. By encrypting the data to be encrypted using the encryption key, information security is effectively improved. This overcomes the technical shortcomings of symmetric encryption, where key leakage leads to compromised encryption security, and asymmetric encryption, where long key lengths result in high key storage costs. It effectively improves information security while significantly reducing key storage costs.
[0114] Based on the first embodiment of this application, in the second embodiment of this application, the content that is the same as or similar to that in Embodiment 1 above can be referred to the above description, and will not be repeated hereafter. Based on this, please refer to... Figure 3 Step S40 further includes steps S401-S402:
[0115] Step S401: Generate an encryption key based on the user identifier and the multiple password segments.
[0116] It's important to note that combining the user identifier with multiple password segments ensures that each user has their own encryption key. The generated encryption key is unique and closely related to the user identifier and password segments, thus guaranteeing the personalization and security of the encryption process. Each user's encryption key is dynamically generated, meaning that even in different encryption requests, a user's encryption key can be different, further enhancing security.
[0117] In one feasible implementation, step S401 may include: dynamically combining multiple password segments to generate an initial password; generating a target password based on the initial password and the user identifier; and converting the target password into an encryption key through a key derivation function.
[0118] It should be noted that the process of dynamically combining multiple cipher segments to generate the initial cipher can employ various algorithms, such as hash functions and XOR operations, to ensure the randomness and unpredictability of the initial cipher generation. In this way, even if an attacker obtains a portion of the cipher segments, it is difficult to deduce the complete initial cipher, thereby enhancing system security.
[0119] Understandably, dynamically combining multiple password segments can include: dynamically concatenating password segments, which involves concatenating or arranging multiple password segments according to specific rules to generate a complete and dynamically changing password. For example, combining segmented passwords such as partA, partB, and partC in a sequential or random manner, such as partA+partB+partC or partC+partA+partB; dynamically rearranging password fragments, which involves rearranging the order of segmented passwords to dynamically generate a password that is different for each login or operation. For example, dynamically arranging or shuffling part1, part2, and part3 according to a certain algorithm or condition (such as timestamp, user behavior, etc.) to generate a new password; and rule-based dynamic combination, which involves dynamically synthesizing multiple password segments according to preset rules or algorithms. The rules can be adjusted according to factors such as time and user input. For example, based on the current timestamp... The combination of password segments is determined by parameters such as hours or minutes, or by a user-inputted parameter (such as the last digit of a phone number), like partA + timestamp % 10 + partB; alternating password segment merging involves merging multiple password segments in a specific order, where the generation of each combination can depend on external conditions (such as login count, date, etc.), for example, merging partA, partB, and partC alternately into partA + partB + partC or partB + partA + partC, with the order dynamically generated according to rules each time a login occurs; dynamic combination based on encryption algorithms involves combining multiple password segments with a certain encryption algorithm to generate an encrypted dynamic password, ensuring that each combination is unpredictable, for example, encrypting partA, partB, and partC, or encrypting them using a hash algorithm before combining them to generate a new password.
[0120] Understandably, a key derivation function is an algorithm used to generate encryption keys from a cipher. Common key derivation functions include PBKDF2, bcrypt, and scrypt. These functions typically incorporate a salt to increase the complexity of the cipher, prevent rainbow table attacks, and increase the difficulty of cracking through multiple iterations. In this embodiment, any one or more key derivation functions can be used to ensure that the generated encryption key has sufficient strength and security.
[0121] In one feasible implementation, generating a target password based on the initial password and the user identifier includes: obtaining a character at a preset position in the user identifier; associating the initial password with the character to generate the target password.
[0122] It should be noted that the character at the preset position in the user identifier can be the first or third character of the user ID. This ensures a certain correlation between the target password and the user identifier, while also increasing password complexity, making it difficult for attackers to deduce the target password solely from the user identifier even if it is leaked.
[0123] Understandably, dynamically combining segmented passwords and combining them with the first or third character of the user ID ensures that each user has their own encryption key, improving information security while reducing key storage costs.
[0124] Step S402: Encrypt the data to be encrypted according to the encryption key to generate encrypted ciphertext.
[0125] It should be noted that the data to be encrypted can be a user's personal information, or sensitive information such as important corporate documents and trade secrets. The encryption method provided in this embodiment ensures the security of this data during transmission and storage, preventing unauthorized access and data leakage. The encryption process not only improves data security, but also, due to the dynamic generation and personalization of the encryption key, ensures that the encryption key for each user or each file is unique, thereby greatly enhancing the overall system security.
[0126] Understandably, symmetric encryption algorithms, such as AES (Advanced Encryption Standard), can be used during the encryption process to ensure both encryption efficiency and security. Since each user's encryption key is unique, even if encrypted data is intercepted, it cannot be decrypted without the corresponding key, thus protecting user data privacy. Furthermore, because the encryption key is dynamically generated, a different key may be used for each encryption operation, further enhancing system security.
[0127] It is worth noting that encrypted ciphertext can be stored on a server or transmitted to users through a secure channel to ensure data security during transmission.
[0128] In one feasible implementation, step S402 may include: obtaining an initialization vector; padding the data to be encrypted to obtain padded data to be encrypted; encrypting the padded data to be encrypted according to the encryption key and the initialization vector to generate encrypted ciphertext.
[0129] It should be noted that the initialization vector is an additional input used during the encryption process to increase the randomness of the encryption algorithm. The use of the initialization vector ensures that even if the same data block is encrypted multiple times, the resulting encryption will be different each time, thus preventing the emergence of patterns and increasing the difficulty of cracking the encryption.
[0130] Understandably, initialization vectors are typically used in conjunction with encryption keys, but unlike keys, they do not need to be kept secret and can be publicly transmitted or stored. In this embodiment, the initialization vector can be randomly generated or determined according to a specific algorithm or rule to ensure the uniqueness of each encryption operation. For example, the current timestamp or a user-specific identifier can be used as part of the initialization vector, so that different results are produced each time encryption is performed.
[0131] It's worth noting that when padding the data, PKCS#7 padding or other padding schemes can be used to ensure that the length of the data to be encrypted meets the requirements of the encryption algorithm. The length of the padded data should match the block size of the encryption algorithm to ensure the correct execution of the encryption process. By following these steps, the security of the data during the encryption process can be ensured, preventing data leakage and unauthorized access.
[0132] In this embodiment, by generating an encryption key based on the user identifier and multiple password segments, the exclusivity of the encryption key is effectively improved, eliminating the need to store a large number of general keys. This reduces the complexity and cost of key management while ensuring data security. Furthermore, by encrypting the data to be encrypted according to the encryption key to generate encrypted ciphertext, encryption efficiency and security are effectively improved. At the same time, it can prevent information leakage and unauthorized access, further enhancing information security.
[0133] Based on the first embodiment of this application, in the third embodiment of this application, the content that is the same as or similar to that in the first embodiment described above can be referred to the above description, and will not be repeated hereafter. Based on this, please refer to... Figure 4 Before step S30, steps S01-S02 are also included:
[0134] Step S01: Based on the user data, perform access permission verification on each password segment to obtain the verification result of each password segment.
[0135] It should be noted that in this implementation, access control is implemented for each terminal. Each access requires authorization verification, allowing only users with specific permissions to access relevant password information. Access attempts are recorded and reviewed, and abnormal access triggers security alerts, effectively improving password security. In this way, it is ensured that only authorized users can access and use password segments, thereby further strengthening the security of the entire encryption system.
[0136] In one feasible implementation, step S01 may include: determining the user's current access frequency and user IP based on the user data; obtaining the access frequency threshold and IP whitelist corresponding to each password segment; verifying the access permissions of each password segment based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist, and obtaining the verification result.
[0137] It's important to note that a user's current access frequency refers to the number of times a user accesses the system or service within a certain time period. Setting a reasonable access frequency threshold can effectively prevent malicious attacks, such as brute-force attempts, while also preventing frequent access due to accidental actions by legitimate users. Furthermore, setting an IP whitelist ensures that only access requests from specific trusted IP addresses can pass verification, further enhancing system security. This comprehensive access permission verification mechanism ensures that only users meeting specific conditions can access password segments, thereby effectively protecting the security of encryption keys.
[0138] In one feasible implementation, the step of verifying access permissions for each password segment based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain a verification result includes: when the current access frequency does not reach the access frequency threshold and the user IP exists in the IP whitelist, determining that the verification result of the corresponding password segment is that the current user is an authorized user; when the current access frequency reaches the access frequency threshold and / or the user IP does not exist in the IP whitelist, determining that the verification result of the corresponding password segment is that the current user is an unauthorized user.
[0139] It's important to note that comparing the current access frequency with the access frequency threshold for each password segment ensures that the number of times a user accesses a specific password segment within a given timeframe does not exceed the set threshold. If a user's access frequency exceeds the threshold, the access request will be rejected, thus preventing potential malicious attacks, such as password guessing attacks. Simultaneously, by checking whether the user's IP address is on the IP whitelist, the system can identify and allow access from specific trusted networks while rejecting access from unknown or untrusted sources. This dual-verification mechanism significantly enhances system security, ensuring that only legitimate users who comply with security policies can access sensitive data. Furthermore, by recording each access attempt, access behavior can be monitored and audited, allowing for timely detection and response to abnormal access patterns, further strengthening the system's protection capabilities.
[0140] Step S02: When the verification result indicates that the current user is an authorized user, perform the step of obtaining multiple password segments.
[0141] It's important to note that a password segment can only be accessed when the verification result confirms it's from an authorized user. This ensures that only verified users have access to the password segment, adding an extra layer of security to the encryption process. In this way, the encryption system not only protects the data itself but also the password segment upon which the encryption key is generated, ensuring the security of the entire encryption process.
[0142] It is understood that a cipher segment can be a combination of numbers, characters, or other symbols, and is a basic element constituting an encryption key. In this embodiment, the generation and management of cipher segments can be accomplished through a secure cryptographic management system that ensures the security of the generation, storage, and distribution processes of cipher segments. The cryptographic management system can employ various security measures, such as encrypted storage, access control, and audit trails, to prevent cipher segments from being obtained or tampered with by unauthorized users.
[0143] like Figure 5 As shown, Figure 5 This is a detailed flowchart illustrating the data encryption process. Data encryption consists of four parts: encryption service, one-time dynamic key verification, verification module, and user data. When the administrator starts the encryption service, a dynamic password verification is performed in the cloud. After successful verification, the encryption service starts, retrieving the password in segments through a dedicated network and encrypted channel. When the verification module detects a password retrieval request, it controls password storage and performs authorization authentication based on the IP whitelist and frequency control. If authentication fails, the encryption service fails to start; if authentication succeeds, the encryption service starts successfully and the password is issued. The encryption service encrypts private data based on the key and the first or third digit of the user ID (useid [1 / 3 digits]).
[0144] In this embodiment, by verifying access permissions for each password segment based on user data, it can be ensured that only users who meet specific conditions can access the password segment, thereby effectively protecting the security of the password and further improving the security of the encryption process.
[0145] It should be noted that the above examples are only for understanding this application and do not constitute a limitation on the data encryption method of this application. Any simple modifications based on this technical concept are within the protection scope of this application.
[0146] This application also provides a data encryption device, please refer to... Figure 6 The data encryption device includes:
[0147] The determination module 10 is used to determine user data based on the received encryption request.
[0148] The determining module 10 is also used to determine the user identifier and the data to be encrypted based on the user data.
[0149] Module 20 is used to obtain multiple password segments.
[0150] The encryption module 30 is used to encrypt the data to be encrypted according to the user identifier and multiple password segments to generate encrypted ciphertext.
[0151] This embodiment provides a data encryption device. In response to a received encryption request, this embodiment determines user data based on the encryption request; determines a user identifier and data to be encrypted based on the user data; obtains multiple password segments; and encrypts the data to be encrypted based on the user identifier and the multiple password segments to generate encrypted ciphertext. This can effectively improve information security and effectively reduce the storage cost of the key.
[0152] In summary, this embodiment determines user data based on the received encryption request, accurately identifies the user identifier and the data to be encrypted within the user data, obtains multiple password segments, and generates a unique encryption key for each user based on these password segments and the user identifier. This eliminates the need to store a large number of general-purpose keys, thereby reducing the complexity and cost of key management while ensuring data security. By encrypting the data to be encrypted using the encryption key, information security is effectively improved. This overcomes the technical shortcomings of symmetric encryption, where key leakage leads to compromised encryption security, and asymmetric encryption, where long key lengths result in high key storage costs. It effectively improves information security while significantly reducing key storage costs.
[0153] Optionally, the encryption module 30 is further configured to generate an encryption key based on the user identifier and multiple password segments; and encrypt the data to be encrypted based on the encryption key to generate encrypted ciphertext.
[0154] Optionally, the encryption module 30 is further configured to dynamically combine multiple password segments to generate an initial password; generate a target password based on the initial password and the user identifier; and convert the target password into an encryption key through a key derivation function.
[0155] Optionally, the encryption module 30 is further configured to obtain a character at a preset position in the user identifier; associate the initial password with the character to generate a target password.
[0156] Optionally, the encryption module 30 is further configured to: obtain an initialization vector; fill the data to be encrypted to obtain the filled data to be encrypted; and encrypt the filled data to be encrypted according to the encryption key and the initialization vector to generate encrypted ciphertext.
[0157] Optionally, the data encryption device further includes a verification module, which is used to verify the access permissions of each password segment based on the user data to obtain the verification result of each password segment; when the verification result indicates that the current user is an authorized user, the step of obtaining multiple password segments is executed.
[0158] Optionally, the verification module is further configured to determine the user's current access frequency and user IP based on the user data; obtain the access frequency threshold and IP whitelist corresponding to each password segment; and perform access permission verification on each password segment based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain the verification result.
[0159] Optionally, the verification module is further configured to determine that the verification result of the corresponding password segment is that the current user is an authorized user when the current access frequency does not reach the access frequency threshold and the user IP exists in the IP whitelist; and to determine that the verification result of the corresponding password segment is that the current user is an unauthorized user when the current access frequency reaches the access frequency threshold and / or the user IP does not exist in the IP whitelist.
[0160] Optionally, the data encryption device further includes a splitting module, which is used to obtain password information; split the password information into multiple password segments; and store the multiple password segments to corresponding password storage terminals.
[0161] Optionally, the determining module 10 is further configured to respond to the received encryption request, determine authentication information based on the encryption request; perform two-factor authentication based on the authentication information to obtain an authentication result; and when the authentication result is successful, determine that the encryption service is started and determine user data based on the encryption request.
[0162] The data encryption device provided in this application, employing the data encryption method described in the above embodiments, can solve the technical problems that key leakage in symmetric encryption leads to compromised security of encrypted data, and that the long key length in asymmetric encryption results in high key storage costs. Compared with the prior art, the beneficial effects of the data encryption device provided in this application are the same as those of the data encryption method provided in the above embodiments, and other technical features in the data encryption device are the same as those disclosed in the methods of the above embodiments, and will not be repeated here.
[0163] This application provides a data encryption device, which includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, which are executed by the at least one processor to enable the at least one processor to perform the data encryption method in Embodiment 1 above.
[0164] The following is for reference. Figure 7 The diagram illustrates a structural schematic of a data encryption device suitable for implementing embodiments of this application. The data encryption device in the embodiments of this application may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (Personal Digital Assistants), PADs (Portable Application Description), PMPs (Portable Media Players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. Figure 7 The data encryption device shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of this application.
[0165] like Figure 7 As shown, the data encryption device may include a processing unit 1001 (e.g., a central processing unit, a graphics processing unit, etc.), which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage device 1003 into a random access memory (RAM) 1004. The RAM 1004 also stores various programs and data required for the operation of the data encryption device. The processing unit 1001, ROM 1002, and RAM 1004 are interconnected via a bus 1005. An input / output (I / O) interface 1006 is also connected to the bus. Typically, the following systems can be connected to the I / O interface 1006: input devices 1007 including, for example, a touchscreen, touchpad, keyboard, mouse, image sensor, microphone, accelerometer, gyroscope, etc.; output devices 1008 including, for example, a liquid crystal display (LCD), speaker, vibrator, etc.; storage devices 1003 including, for example, magnetic tape, hard disk, etc.; and communication devices 1009. Communication device 1009 allows the data encryption device to communicate wirelessly or wiredly with other devices to exchange data. While the figures show data encryption devices with various systems, it should be understood that implementation or possession of all the systems shown is not required. More or fewer systems may be implemented alternatively.
[0166] Specifically, according to the embodiments disclosed in this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments disclosed in this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device, or installed from storage device 1003, or installed from ROM 1002. When the computer program is executed by processing device 1001, it performs the functions defined in the methods of the embodiments disclosed in this application.
[0167] The data encryption device provided in this application, employing the data encryption method described in the above embodiments, can solve the technical problems that key leakage in symmetric encryption leads to compromised security of encrypted data, and that the long key length in asymmetric encryption results in high key storage costs. Compared with the prior art, the beneficial effects of the data encryption device provided in this application are the same as those of the data encryption method provided in the above embodiments, and other technical features of this data encryption device are the same as those disclosed in the previous embodiment method, and will not be repeated here.
[0168] It should be understood that the various parts disclosed in this application can be implemented using hardware, software, firmware, or a combination thereof. In the description of the above embodiments, specific features, structures, materials, or characteristics can be combined in any suitable manner in one or more embodiments or examples.
[0169] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that cannot be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
[0170] This application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon, the computer-readable program instructions being used to execute the data encryption method described in the above embodiments.
[0171] The computer-readable storage medium provided in this application may be, for example, a USB flash drive, but is not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, devices, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this embodiment, the computer-readable storage medium may be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, system, or device. The program code contained on the computer-readable storage medium may be transmitted using any suitable medium, including but not limited to: wires, optical cables, RF (Radio Frequency), etc., or any suitable combination thereof.
[0172] The aforementioned computer-readable storage medium may be included in the data encryption device; or it may exist independently and not assembled into the data encryption device.
[0173] The aforementioned computer-readable storage medium carries one or more programs that, when executed by a data encryption device, cause the data encryption device to: respond to a received encryption request, determine user data based on the encryption request; determine a user identifier and data to be encrypted based on the user data; acquire multiple password segments; and encrypt the data to be encrypted based on the user identifier and the multiple password segments to generate encrypted ciphertext.
[0174] Computer program code for performing the operations of this application can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0175] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0176] The modules described in the embodiments of this application can be implemented in software or hardware. The names of the modules do not necessarily limit the functionality of the unit itself.
[0177] The readable storage medium provided in this application is a computer-readable storage medium that stores computer-readable program instructions (i.e., a computer program) for executing the above-described data encryption method. This solves the technical problems that key leakage in symmetric encryption leads to compromised security of encrypted data, and that the long key length in asymmetric encryption results in high key storage costs. Compared with the prior art, the beneficial effects of the computer-readable storage medium provided in this application are the same as those of the data encryption method provided in the above embodiments, and will not be repeated here.
[0178] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the steps of the data encryption method described above.
[0179] The computer program product provided in this application can solve the technical problems that the security of encrypted data will be compromised due to the leakage of symmetric encryption keys, and that the key length of asymmetric encryption is long, resulting in high key storage costs. Compared with the prior art, the beneficial effects of the computer program product provided in this application are the same as those of the data encryption methods provided in the above embodiments, and will not be repeated here.
[0180] The above description is only a part of the embodiments of this application and does not limit the patent scope of this application. All equivalent structural transformations made under the technical concept of this application and using the contents of the specification and drawings of this application, or direct / indirect applications in other related technical fields, are included in the patent protection scope of this application.
[0181] This invention discloses A1. A data encryption method, the method comprising:
[0182] In response to a received encryption request, user data is determined based on the encryption request;
[0183] Based on the user data, determine the user identifier and the data to be encrypted;
[0184] Retrieve multiple password segments;
[0185] The data to be encrypted is encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext.
[0186] A2. The method as described in A1, wherein encrypting the data to be encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext includes:
[0187] An encryption key is generated based on the user identifier and multiple password segments;
[0188] The data to be encrypted is encrypted using the encryption key to generate encrypted ciphertext.
[0189] A3. The method as described in A2, wherein generating the encryption key based on the user identifier and the plurality of the password segments includes:
[0190] The initial cipher is generated by dynamically combining multiple cipher segments.
[0191] Generate the target password based on the initial password and the user identifier;
[0192] The target password is converted into an encryption key using a key derivation function.
[0193] A4. The method as described in A3, wherein generating the target password based on the initial password and the user identifier includes:
[0194] Obtain the character at a preset position in the user identifier;
[0195] The initial password is associated with the characters to generate the target password.
[0196] A5. The method as described in A2, wherein encrypting the data to be encrypted according to the encryption key to generate encrypted ciphertext includes:
[0197] Get the initialization vector;
[0198] The data to be encrypted is padded to obtain the padded data to be encrypted.
[0199] The padded data to be encrypted is encrypted using the encryption key and the initialization vector to generate encrypted ciphertext.
[0200] A6. As described in A1, before obtaining the multiple password segments, the method further includes:
[0201] Based on the user data, access permissions are verified for each password segment to obtain the verification results for each password segment.
[0202] When the verification result indicates that the current user is an authorized user, the step of obtaining multiple password segments is performed.
[0203] A7. As described in A6, the step of verifying access permissions for each password segment based on the user data to obtain the verification result includes:
[0204] Determine the user's current access frequency and user IP based on the user data;
[0205] Obtain the access frequency threshold and IP whitelist corresponding to each password segment;
[0206] Access permissions for each password segment are verified based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain the verification result.
[0207] A8. As described in A7, the step of verifying access permissions for each password segment based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain the verification result includes:
[0208] When the current access frequency does not reach the access frequency threshold and the user IP exists in the IP whitelist, the verification result of the corresponding password segment is determined to be that the current user is an authorized user;
[0209] When the current access frequency reaches the access frequency threshold and / or the user IP does not exist in the IP whitelist, the verification result of the corresponding password segment is determined to be that the current user is an unauthorized user.
[0210] A9. The method as described in A1, further comprising, before obtaining the multiple password segments:
[0211] Retrieve password information;
[0212] The password information is split into multiple password segments;
[0213] The multiple cryptographic segments are stored in their respective cryptographic storage terminals.
[0214] A10. The method as described in A1, wherein the step of determining user data based on the received encryption request includes:
[0215] In response to a received encryption request, authentication information is determined based on the encryption request;
[0216] Two-factor authentication is performed based on the authentication information to obtain the authentication result;
[0217] When the authentication result is successful, the encryption service is started, and the user data is determined according to the encryption request.
[0218] The present invention also discloses B11. A data encryption device, the data encryption device comprising:
[0219] The determination module is used to determine user data based on the received encryption request in response to the encryption request;
[0220] The determining module is further configured to determine the user identifier and the data to be encrypted based on the user data;
[0221] The acquisition module is used to acquire multiple password segments;
[0222] An encryption module is used to encrypt the data to be encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext.
[0223] B12. The apparatus of B11, wherein the encryption module is further configured to generate an encryption key based on the user identifier and the plurality of the cryptographic segments;
[0224] The data to be encrypted is encrypted using the encryption key to generate encrypted ciphertext.
[0225] B13. The apparatus as described in B12, wherein the encryption module is further configured to dynamically combine multiple said password segments to generate an initial password;
[0226] Generate the target password based on the initial password and the user identifier;
[0227] The target password is converted into an encryption key using a key derivation function.
[0228] B14. The apparatus as described in B13, wherein the encryption module is further configured to obtain a character at a preset position in the user identifier;
[0229] The initial password is associated with the characters to generate the target password.
[0230] B15. The apparatus as described in B12, wherein the encryption module is further configured to obtain an initialization vector;
[0231] The data to be encrypted is padded to obtain the padded data to be encrypted.
[0232] The padded data to be encrypted is encrypted using the encryption key and the initialization vector to generate encrypted ciphertext.
[0233] B16. The device as described in B11, wherein the data encryption device further includes a verification module, the verification module being used to perform access permission verification on each password segment based on the user data, and to obtain the verification result of each password segment;
[0234] When the verification result indicates that the current user is an authorized user, the step of obtaining multiple password segments is performed.
[0235] B17. The apparatus as described in B13, wherein the verification module is further configured to determine the user's current access frequency and user IP based on the user data;
[0236] Obtain the access frequency threshold and IP whitelist corresponding to each password segment;
[0237] Access permissions for each password segment are verified based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain the verification result.
[0238] B18. The apparatus as described in B17, wherein the verification module is further configured to determine that the verification result of the corresponding password segment is that the current user is an authorized user when the current access frequency does not reach the access frequency threshold and the user IP exists in the IP whitelist;
[0239] When the current access frequency reaches the access frequency threshold and / or the user IP does not exist in the IP whitelist, the verification result of the corresponding password segment is determined to be that the current user is an unauthorized user.
[0240] The present invention also discloses C19. A data encryption device, the data encryption device comprising: a memory, a processor, and a data encryption program stored on the memory and executable on the processor, the data encryption program being configured to implement the data encryption method as described above.
[0241] The present invention also discloses D20. A storage medium storing a data encryption program, wherein the data encryption program, when executed by a processor, implements the data encryption method described above.
Claims
1. A data encryption method, characterized in that, The method includes: In response to a received encryption request, user data is determined based on the encryption request; Based on the user data, determine the user identifier and the data to be encrypted; Retrieve multiple password segments; The data to be encrypted is encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext.
2. The method as described in claim 1, characterized in that, The step of encrypting the data to be encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext includes: An encryption key is generated based on the user identifier and multiple password segments; The data to be encrypted is encrypted using the encryption key to generate encrypted ciphertext.
3. The method as described in claim 2, characterized in that, The step of generating an encryption key based on the user identifier and multiple password segments includes: The initial cipher is generated by dynamically combining multiple cipher segments. Generate the target password based on the initial password and the user identifier; The target password is converted into an encryption key using a key derivation function.
4. The method as described in claim 3, characterized in that, The step of generating the target password based on the initial password and the user identifier includes: Obtain the character at a preset position in the user identifier; The initial password is associated with the characters to generate the target password.
5. The method as described in claim 2, characterized in that, The step of encrypting the data to be encrypted according to the encryption key to generate encrypted ciphertext includes: Get the initialization vector; The data to be encrypted is padded to obtain the padded data to be encrypted. The padded data to be encrypted is encrypted using the encryption key and the initialization vector to generate encrypted ciphertext.
6. The method as described in claim 1, characterized in that, Before obtaining multiple password segments, the process also includes: Based on the user data, access permissions are verified for each password segment to obtain the verification results for each password segment. When the verification result indicates that the current user is an authorized user, the step of obtaining multiple password segments is performed.
7. The method as described in claim 6, characterized in that, The access permission verification of each password segment based on the user data, to obtain the verification result, includes: Determine the user's current access frequency and user IP based on the user data; Obtain the access frequency threshold and IP whitelist corresponding to each password segment; Access permissions for each password segment are verified based on the current access frequency, the user IP, the access frequency threshold, and the IP whitelist to obtain the verification result.
8. A data encryption device, characterized in that, The data encryption device includes: The determination module is used to determine user data based on the received encryption request in response to the encryption request; The determining module is further configured to determine the user identifier and the data to be encrypted based on the user data; The acquisition module is used to acquire multiple password segments; An encryption module is used to encrypt the data to be encrypted based on the user identifier and multiple password segments to generate encrypted ciphertext.
9. A data encryption device, characterized in that, The data encryption device includes: a memory, a processor, and a data encryption program stored in the memory and executable on the processor, the data encryption program being configured to implement the data encryption method as described in any one of claims 1 to 7.
10. A storage medium, characterized in that, The storage medium stores a data encryption program, which, when executed by a processor, implements the data encryption method as described in any one of claims 1 to 7.