Data processing method and device, computer device, readable storage medium and program product
By integrating a preset encryption unit locally on the microservice node, batch encryption and decryption of target fields in business requests is performed, solving the inefficiency problem caused by network interaction between the microservice node and the cryptographic platform, and achieving efficient data encryption and decryption processing.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications(China)
- Current Assignee / Owner: SICHUAN RURAL COMMERCIAL UNITED BANK CO LTD
- Filing Date: 2026-03-02
- Publication Date: 2026-06-23
AI Technical Summary
In microservice nodes, as data security requirements increase, the increased data volume of target fields leads to high network overhead between microservice nodes and the cryptographic platform, resulting in low encryption and decryption efficiency.
By integrating a pre-defined encryption unit locally on the microservice node, the business requests are traversed and parsed through the encryption call unit, and the target fields are identified and transmitted in batches to the local encryption unit for encryption and decryption processing, reducing network interaction with external cryptographic platforms.
It reduces the network overhead of microservice nodes, alleviates concurrency pressure, and improves the efficiency of encryption and decryption processing.
Description
Technical Field
[0001] This application relates to the field of data processing technology, and in particular to a data processing method, apparatus, computer equipment, computer-readable storage medium, and computer program product.
Background Technology
[0002] With the development of information security, the requirements for personal information security are becoming increasingly stringent. Therefore, it is necessary to encrypt and store user-related data in bank information systems.
[0003] In traditional technology, when processing business requests in a microservice node, the microservice node sends the business data corresponding to the target field that needs to be encrypted or decrypted in the business request to the cryptographic platform. The cryptographic platform encrypts or decrypts the business data to obtain the encrypted or decrypted data and then applies it.
[0004] However, with increasing data security requirements, the amount of data in the target field is growing, resulting in significant network overhead between the microservice nodes and the cryptographic platform, which in turn leads to lower efficiency in encrypting and decrypting the target field.
Summary of the Invention
[0005] Therefore, it is necessary to provide a data processing method, apparatus, computer equipment, computer-readable storage medium, and computer program product to address the aforementioned technical problems.
[0006] Firstly, this application provides a data processing method applied to a microservice node, comprising:
[0007] Obtain the business request;
[0008] The encrypted invocation unit traverses and parses the business request to identify the target fields contained in the business request, and transmits the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node; the preset encryption unit is configured with an encryption key.
[0009] The initial business data is batch encrypted or decrypted using the preset encryption unit and the encryption key to obtain the target business data.
[0010] In one embodiment, prior to obtaining the service request, the method further includes:
[0011] In response to application operations in the microservice node, a key acquisition request is initiated to the cryptographic platform according to the encrypted invocation unit;
[0012] Receive the encryption key fed back by the cryptographic platform and configure the encryption key to a preset encryption unit.
[0013] In one embodiment, the step of traversing and parsing the business request according to the encrypted calling unit to identify the target fields contained in the business request includes:
[0014] The business request is intercepted based on the aspect in the encrypted calling unit;
[0015] In the aspect-oriented programming process, the method annotations of the persistent object corresponding to the business request are parsed to obtain the target field identifier;
[0016] Based on the target field identifier, each candidate field carried in the business request is identified and filtered to obtain the target field in the business request.
[0017] In one embodiment, the step of batch transmitting the initial business data corresponding to each of the target fields to the preset encryption unit integrated in the microservice node includes:
[0018] Based on the encrypted calling unit, the target fields are aggregated to obtain the initial business data corresponding to each target field;
[0019] The initial business data is transmitted in batches to the preset encryption unit integrated in the microservice node.
[0020] In one embodiment, the aggregation of the target fields based on the encrypted calling unit to obtain the initial business data corresponding to each target field includes:
[0021] In the aspect-oriented programming of the encrypted calling unit, the field values corresponding to each target field are summarized;
[0022] Based on the field values and the correspondence between the field values and the target field, a data structure to be processed containing the target field and the field values is constructed to obtain the initial business data.
[0023] In one embodiment, after batch encrypting or decrypting the initial business data according to the preset encryption unit and the encryption key to obtain the target business data, the method further includes:
[0024] If the target business data is encrypted data obtained after encryption, the target business data will be stored in a database or transmitted to other application services;
[0025] If the target business data is decrypted data obtained after decryption, business processing is performed based on the decrypted data.
[0026] Secondly, this application also provides a data processing apparatus, comprising:
[0027] The acquisition module is used to acquire business requests;
[0028] The identification module is used to traverse and parse the business request according to the encrypted calling unit, identify the target fields contained in the business request, and transmit the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node; the preset encryption unit is configured with an encryption key.
[0029] The first processing module is used to perform batch encryption or decryption processing on the initial business data according to the preset encryption unit and the encryption key to obtain the target business data.
[0030] In one embodiment, the device further includes:
[0031] The request module is used to respond to application operations in the microservice node and initiate a key acquisition request to the cryptographic platform according to the encrypted calling unit;
[0032] The receiving module is used to receive the encryption key fed back by the cryptographic platform and configure the encryption key to a preset encryption unit.
[0033] In one embodiment, the identification module is specifically used to intercept the business request based on the aspect in the encrypted calling unit;
[0034] In the aspect-oriented programming process, the method annotations of the persistent object corresponding to the business request are parsed to obtain the target field identifier;
[0035] Based on the target field identifier, each candidate field carried in the business request is identified and filtered to obtain the target field in the business request.
[0036] In one embodiment, the identification module is specifically used to aggregate each of the target fields based on the encrypted calling unit to obtain the initial business data corresponding to each of the target fields;
[0037] The initial business data is transmitted in batches to the preset encryption unit integrated in the microservice node.
[0038] In one embodiment, the identification module is specifically used to summarize the field values corresponding to each target field in the aspect program of the encrypted calling unit;
[0039] Based on the field values and the correspondence between the field values and the target field, a data structure to be processed containing the target field and the field values is constructed to obtain the initial business data.
[0040] In one embodiment, the device further includes:
[0041] The second processing module is used to store the target business data in a database or transmit it to other application services if the target business data is encrypted data obtained after encryption.
[0042] The third processing module is used to perform business processing based on the decrypted data if the target business data is decrypted data obtained after decryption.
[0043] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0044] Obtain the business request;
[0045] The encrypted invocation unit traverses and parses the business request to identify the target fields contained in the business request, and transmits the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node; the preset encryption unit is configured with an encryption key.
[0046] The initial business data is batch encrypted or decrypted using the preset encryption unit and the encryption key to obtain the target business data.
[0047] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, performs the following steps:
[0048] Obtain the business request;
[0049] The encrypted invocation unit traverses and parses the business request to identify the target fields contained in the business request, and transmits the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node; the preset encryption unit is configured with an encryption key.
[0050] The initial business data is batch encrypted or decrypted using the preset encryption unit and the encryption key to obtain the target business data.
[0051] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, performs the following steps:
[0052] Obtain the business request;
[0053] The encrypted invocation unit traverses and parses the business request to identify the target fields contained in the business request, and transmits the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node; the preset encryption unit is configured with an encryption key.
[0054] The initial business data is batch encrypted or decrypted using the preset encryption unit and the encryption key to obtain the target business data.
[0055] The aforementioned data processing method, apparatus, computer equipment, computer-readable storage medium, and computer program product acquire business requests; traverse and parse the business requests according to the encryption calling unit, identify the target fields contained in the business requests, and batch transmit the initial business data corresponding to each target field to a preset encryption unit integrated in the microservice node; the preset encryption unit is configured with an encryption key; and the initial business data is batch encrypted or decrypted according to the preset encryption unit and the encryption key to obtain the target business data. Using this method, by batch identifying and locally encrypting / decrypting all target fields in the business requests through a preset encryption unit integrated locally in the microservice node, the high-frequency network interaction between the microservice node and the external cryptographic platform is reduced, thus lowering the network overhead of the microservice node. Furthermore, in scenarios where the amount of target field data is increasing, batch processing of target fields requiring encryption or decryption further alleviates the concurrent pressure of processing business data for target fields, thereby improving the efficiency of encryption or decryption of target fields.
Attached Figure Description
[0056] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0057] Figure 1 is a diagram illustrating the application environment of a data processing method in one embodiment.
[0058] Figure 2 is a flowchart illustrating the process of configuring the encryption key for an encrypted calling unit in one embodiment;
[0059] Figure 3 is a schematic diagram illustrating the process of encrypting or decrypting business transaction requests at the database application layer using the encryption call unit SDK in one embodiment.
[0060] Figure 4 is a flowchart illustrating the interception and parsing of business requests in an aspect-oriented programming (AOP) procedure in one embodiment.
[0061] Figure 5 is a schematic diagram of annotations for DAO in one embodiment;
[0062] Figure 6 is a schematic diagram illustrating the annotation of a PO in one embodiment;
[0063] Figure 7 is a schematic diagram illustrating the mapping between POs and table fields in one embodiment;
[0064] Figure 8 is a flowchart illustrating the process by which the encrypted calling unit summarizes the target fields in one embodiment;
[0065] Figure 9 is a flowchart illustrating how the field values of a target field are summarized in an aspect-oriented programming process to construct the data structure to be processed in one embodiment.
[0066] Figure 10 is a flowchart illustrating the subsequent processing of encrypted data or decrypted data in one embodiment.
[0067] Figure 11 is a structural block diagram of a data processing device in one embodiment;
[0068] Figure 12 is an internal structural diagram of a computer device in one embodiment.
Detailed Implementation
[0069] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0070] It should be noted that the terms "first," "second," etc., used in this application can be used to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish the first element from the second element. The terms "comprising" and "having," and any variations thereof, used in this application, are intended to cover non-exclusive inclusion. The term "multiple" used in this application refers to two or more. The term "and / or" used in this application refers to one of the embodiments, or any combination of multiple embodiments.
[0071] In one embodiment, as shown in Figure 1, a data processing method is provided. This embodiment illustrates the method by applying it to a microservice node. It can be understood that the method can also be applied to systems including terminals and servers, and implemented through interaction between the terminal and the server. In this embodiment, the method includes the following steps:
[0072] Step 102: Obtain the business request.
[0073] In this embodiment, taking a financial business processing scenario as an example, each application microservice on the cloud includes an encrypted calling unit and a preset encryption unit. The application microservice can be a software unit of a specific business capability, such as an account service, transaction service, or customer information service. A microservice node is a specific instance of the application microservice at runtime. When an application microservice is deployed to a cloud platform, multiple replicas may be started to achieve high availability or load balancing; each running replica serves as a microservice node.
[0074] The microservice nodes of an application microservice receive business requests (such as checking balances, updating accounts, and processing transactions) initiated by upstream systems or other microservice applications through APIs (Application Programming Interfaces).
[0075] Step 104: The business request is traversed and parsed according to the encrypted calling unit, the target fields contained in the business request are identified, and the initial business data corresponding to each target field is transmitted in batches to the preset encryption unit integrated in the microservice node.
[0076] The preset encryption unit is equipped with an encryption key.
[0077] In this embodiment, during the business processing of business requests by the microservice node, the business requests received by the microservice node typically contain several pieces of personal information data involving user privacy or compliance requirements, such as ID card number, bank card number, mobile phone number, transaction amount, or customer name. This personal information data remains in its original plaintext form when it enters the microservice node. Under the rigid requirements of personal financial data confidentiality, during the transaction process, the microservice node performs a structured traversal and parsing of the business request through its local encrypted calling unit, and identifies the target fields requiring encryption / decryption processing in the current business request based on a security policy (which includes pre-set dynamic sensitive fields). Then, the microservice node aggregates the initial business data corresponding to each target field through the encrypted calling unit and transmits it in batches to the pre-set encryption unit integrated within the microservice node.
[0078] Taking a financial risk control scenario as an example, a loan approval request includes multiple fields such as customer name, ID number, mobile phone number, bank card number, home address, and hash value of income verification document. The loan service node then identifies the "ID number," "mobile phone number," and "bank card number" as target fields based on security policies. When parsing the loan approval request, the loan service node matches the target field paths through the encrypted calling unit, extracts the initial business data in plaintext state corresponding to each target field, and aggregates the initial business data corresponding to the "ID number," "mobile phone number," and "bank card number." Finally, the initial business data corresponding to the "ID number," "mobile phone number," and "bank card number" are batched and transmitted to the local preset encryption unit of the current microservice node.
[0079] In an optional embodiment, the microservice node can also filter target fields according to the type of business request, dynamically aggregate sensitive data from multiple similar business requests based on business semantic context and processing timeliness requirements, form an encrypted batch with business consistency, thereby improving encryption and decryption throughput efficiency while ensuring security, and enhancing the system's adaptability to high-concurrency scenarios.
[0080] Specifically, when a microservice node receives multiple business requests of the same type, it aggregates the target fields contained in those requests and uses them as the initial business data for the current batch. For example, a microservice node maintains a lightweight buffer queue divided by business type at runtime, such as a "transfer request queue," "account opening request queue," and "identity verification request queue." When a microservice node receives a new business request, it first assigns the new request to a pre-defined lightweight buffer queue based on the business type identifier and temporarily stores it there. Then, the microservice node triggers batch transmission based on a time window or a quantity threshold. That is, if a buffer queue for a certain business type accumulates at least one business request within a pre-defined time window (e.g., 50 milliseconds), batch encryption is triggered; or, if requests of the same business type reach a pre-defined quantity threshold (e.g., 10 requests) within a pre-defined time window, batch transmission is triggered.
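The per-business-type buffering described in [0080], as an added Java sketch that is not the patent's own code. `TypedBatchBuffer`, `Pending` and `toCryptoBatch` are hypothetical names, the window is assumed to start when the first request enters an empty queue, and time is passed in explicitly so the run is deterministic.

```java
import java.util.*;

public class TypedBatchBuffer {
    // One request's already-identified target fields (field name -> value).
    record Pending(String requestId, Map<String, String> targetFields) {}

    private final long windowMs;
    private final int threshold;
    private final Map<String, List<Pending>> queues = new HashMap<>();
    private final Map<String, Long> openedAt = new HashMap<>();   // arrival time of the oldest entry

    TypedBatchBuffer(long windowMs, int threshold) {
        this.windowMs = windowMs;
        this.threshold = threshold;
    }

    // Enqueue by business type; returns a full batch once the count threshold is hit, else empty.
    synchronized List<Pending> offer(String businessType, Pending p, long nowMs) {
        List<Pending> q = queues.computeIfAbsent(businessType, k -> new ArrayList<>());
        if (q.isEmpty()) openedAt.put(businessType, nowMs);
        q.add(p);
        return q.size() >= threshold ? drain(businessType) : List.of();
    }

    // Driven by a timer tick: releases every non-empty queue whose window has elapsed.
    synchronized Map<String, List<Pending>> flushExpired(long nowMs) {
        Map<String, List<Pending>> due = new LinkedHashMap<>();
        for (String type : new ArrayList<>(queues.keySet())) {
            Long opened = openedAt.get(type);
            if (opened != null && nowMs - opened >= windowMs) due.put(type, drain(type));
        }
        return due;
    }

    private List<Pending> drain(String type) {
        openedAt.remove(type);
        return queues.put(type, new ArrayList<>());
    }

    // Flattens a batch into the single structure handed to the local encryption unit.
    // Keys carry the request id so each result is routed back to the request it came from.
    static Map<String, String> toCryptoBatch(List<Pending> batch) {
        Map<String, String> flat = new LinkedHashMap<>();
        for (Pending p : batch) {
            for (Map.Entry<String, String> e : p.targetFields().entrySet()) {
                String key = p.requestId() + "/" + e.getKey();
                if (flat.putIfAbsent(key, e.getValue()) != null) {
                    throw new IllegalStateException("duplicate batch key: " + key);
                }
            }
        }
        return flat;
    }

    public static void main(String[] args) {
        TypedBatchBuffer buf = new TypedBatchBuffer(50, 10);       // example values from the text
        long t = 0;
        buf.offer("account_opening", new Pending("a-1", Map.of("idNumber", "ID-0001")), t);
        for (int i = 1; i <= 12; i++, t++) {                       // constructed transfer requests
            Pending p = new Pending("t-" + i, Map.of("bankCard", "CARD-" + i));
            List<Pending> full = buf.offer("transfer", p, t);
            if (!full.isEmpty()) {
                System.out.println("t=" + t + "ms threshold flush: " + toCryptoBatch(full).keySet());
            }
        }
        System.out.println("t=30ms timer: " + buf.flushExpired(30).keySet());   // nothing due yet
        for (Map.Entry<String, List<Pending>> e : buf.flushExpired(60).entrySet()) {
            System.out.println("t=60ms window flush " + e.getKey() + ": "
                    + toCryptoBatch(e.getValue()).keySet());
        }
    }
}
```

Keying each batch entry by request id is what keeps one customer's decrypted value from being written into another request when several requests share a batch.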
[0081] Step 106: Perform batch encryption or decryption of the initial business data according to the preset encryption unit and encryption key to obtain the target business data.
[0082] The preset encryption unit can be a software cryptographic module, which is provided by a qualified manufacturer and complies with national commercial cryptography management requirements.
[0083] In this embodiment, the microservice node performs batch encryption or decryption of the initial business data transmitted in batches using a software cryptographic module and an encryption key to obtain the target business data that has been encrypted or decrypted. The encryption key is generated by the cryptographic platform and is requested from the unified cryptographic platform when the microservice node starts up or needs encryption for the first time. The SM2 digital envelope mechanism is used to securely obtain the SM4 symmetric key for data encryption and decryption, which serves as the encryption key for the preset encryption unit.
[0084] The microservice node's local pre-configured encryption unit performs encryption (or decryption) operations on batch data item by item according to a pre-defined block pattern, based on the encryption key (SM4 key) loaded in the internal security context. The pre-defined block pattern can be ECB (Electronic Codebook) or CBC (Cipher-block chaining). After encryption, the pre-configured encryption unit returns the generated ciphertext or the restored plaintext to the business processing layer in the original field order to obtain the target business data.
[0085] In one embodiment, to ensure that different software cryptographic modules used by the preset encryption unit can perform encryption or decryption processing while maintaining consistency in the key and encryption / decryption algorithm, a unified set of interface methods is defined in the microservice node. This includes interface methods for module initialization, single-field encryption / decryption, batch encryption / decryption, key refresh, and key migration. This allows for integration with different software cryptographic modules and cryptographic platforms, providing the ability to flexibly switch between local software algorithms and cryptographic platforms for data encryption / decryption. For example, these interface methods are shown in Table 1 below.
[0086] Table 1
[0087]
[0088] In the above data processing method, by using a preset encryption unit integrated locally on the microservice node to perform batch identification and local batch encryption / decryption of all target fields in the business request, the high-frequency network interaction between the microservice node and the external cryptographic platform is reduced, thereby reducing the network overhead of the microservice node. At the same time, in scenarios where the amount of data in the target fields is increasing, batch processing of the target fields that need to be encrypted or decrypted can further alleviate the concurrent pressure of processing the business data of the target fields, thereby improving the efficiency of encrypting or decrypting the target fields.
[0089] In one exemplary embodiment, as shown in Figure 2, before step 102, the method further includes steps 202 to 204. Wherein:
[0090] Step 202: In response to the application operation in the microservice node, initiate a key acquisition request to the cryptographic platform according to the encryption calling unit.
[0091] In this embodiment, the microservice node responds to application operations of the application service. For example, when the application service starts or processes a request that requires data encryption for the first time, the encryption call unit integrated within the microservice node actively initiates a key acquisition request to the cryptographic platform. This key acquisition request can be tailored to the application service type of the current microservice node. For instance, different application service types correspond to different encryption methods, thus requiring different encryption keys from different microservice nodes.
[0092] In one exemplary embodiment, as shown in Figure 3, the encryption call unit can be a pre-built SDK (Software Development Kit), which triggers the key acquisition request through lifecycle events of the business application. Specifically, during the application startup phase, the microservice node reads its local configuration parameters to determine whether the "local encryption / decryption" mode is enabled. If the microservice node has enabled the "local encryption / decryption" mode, the encryption call unit automatically executes the key initialization process, that is, sends a key acquisition request to the cryptographic platform to obtain the symmetric encryption key used for the SM4 algorithm. This encryption key is generated by the cryptographic platform based on the national cryptographic standard and is returned after being encapsulated through the SM2 digital envelope mechanism to ensure security during transmission.
[0093] Step 204: Receive the encryption key fed back by the cryptographic platform and configure the encryption key to the preset encryption unit.
[0094] In this embodiment, the microservice node receives the encryption key from the cryptographic platform and loads it into the memory space of a preset encryption unit. This encryption key is stored only within the cryptographic platform, which is isolated from the business code. This prevents the encryption key from being stored on disk in the business application and ensures that the application layer of the business application is unaware of the encryption key, thus decoupling encryption processing from business processing.
[0095] In an optional embodiment, this embodiment supports flexible switching of encryption and decryption execution locations at runtime: if the configuration is dynamically adjusted from "local encryption and decryption on microservice nodes" to "invoking cryptographic platform for encryption and decryption", the microservice node can seamlessly route subsequent encryption and decryption requests to the remote cryptographic service without restarting or shutting down; however, if the "whether to enable encryption and decryption" configuration is changed, since it involves a fundamental change in data state (for example, it needs to be converted from plaintext storage to ciphertext storage), the microservice node needs to perform corresponding shutdown migration processing to ensure data consistency.
[0096] In this embodiment, the interaction between the microservice node and the cryptographic platform is realized through the encrypted calling unit, and the encryption key in the cryptographic platform is obtained to the microservice node, which provides a basis for data encryption and decryption processing on the microservice node locally.
[0097] In one exemplary embodiment, as shown in Figure 4, step 104 includes steps 402 to 406. Wherein:
[0098] Step 402: Intercept business requests based on the aspect in the encrypted calling unit.
[0099] In this embodiment, the encrypted invocation unit is integrated into the microservice node via an SDK, and custom annotations are added to the methods in the data access layer, such as database query methods or database write methods. As shown in Figure 3, when a microservice node processes a business request and calls a data access layer method annotated with a custom annotation, the microservice node automatically intercepts the data access layer method to be called in the business request through the aspect-oriented programming (AOP) function in the encrypted call unit (SDK).
[0100] In one specific embodiment, annotations are pre-added to the DAO (Data Access Object, a data access interface for the data access layer) and PO (Persistent Object). As shown in Figure 5, annotations on the DAO are placed on methods, enabling aspects to clearly identify the data access layer methods to be intercepted in the current business request and to perform subsequent processing on the candidate fields carried in that method. This business request refers to an internal application operation request on a persistent object (PO), i.e., the input and output parameters of the DAO method. For the output parameters, the aspect in the encryption calling unit decrypts the business data of the target field in the output parameter; for the input parameters, the aspect in the encryption calling unit encrypts the business data of the target field in the output parameter. Additionally, this embodiment can recursively support PO object Lists and PO object Maps (where the value is a PO).
[0101] Step 404: In the aspect-oriented programming, parse the method annotations of the persistent object corresponding to the business request to obtain the target field identifier.
[0102] In the embodiments of this application, as shown in Figure 6, annotations on the PO class are placed on the fields. After the aspect program intercepts the annotated DAO method, it does not directly obtain the range of the target field from the DAO method annotation. Instead, it further analyzes the persistent object PO operated by the DAO method. The persistent object PO can confirm whether each field has the annotation. That is, in the aspect program, the aspect program parses the business request and realizes the identification of the method annotation in the persistent object PO to obtain the target field identifier.
[0103] Furthermore, the annotations for PO classes differ across different persistence layer frameworks. Taking Mybatis as an example, the mapping between POs and table fields is shown in Figure 7: Column represents the field name in the table, property is the field in the PO, and the target field to be encrypted in the database carries the target field identifier "_SCR". By uniformly adding the "_SCR" suffix to the field name of the database table, it is possible to intuitively identify which fields in the PO class are encrypted fields. On the one hand, this facilitates the identification and processing of sensitive fields to be encrypted in scenarios without the participation of PO objects (e.g., existing data encryption migration, DBAs directly manipulating tables using database query tools), avoiding the need to maintain additional field mapping parameters. On the other hand, when transforming existing systems, there is no need to modify the original PO class definition, and the upper-level business code does not need to be adjusted, so the encryption and decryption mechanism can be seamlessly integrated, which can reduce transformation costs and improve operational readability.
[0104] Step 406: Identify and filter each candidate field carried in the business request based on the target field identifier to obtain the target field in the business request.
[0105] In this embodiment, the annotation on the PO class serves as the encryption / decryption trigger switch for the application service, and the scope of the target field is defined by the field-level annotation in the PO class. The microservice node then identifies candidate fields based on the target field identifier in the persistent object PO, determines the candidate fields marked with the target field identifier as the target fields, and filters out the target fields in the business request.
[0106] In this embodiment, aspect programming is used to identify and filter the target fields corresponding to key financial data while the microservice node processes business requests. Since aspect programming only requires adding annotations, aspect dependencies and aspect configurations, the business application remains unaware of the encryption and decryption processing, and the code intrusion of aspect programming is reduced.
[0107] In one exemplary embodiment, as shown in Figure 8, step 104 includes steps 802 to 804, wherein:
[0108] Step 802: Aggregate the target fields based on the encrypted calling unit to obtain the initial business data corresponding to each target field.
[0109] In this embodiment of the application, the microservice node aggregates the target fields identified in the business request through the encrypted calling unit, that is, aggregates the annotation fields marked in the PO object, and extracts the original values of the plaintext or ciphertext of each target field to form structured initial business data.
[0110] When a microservice node receives a business request containing sensitive information (e.g., customer identity verification, account information query, or batch data import), the encrypted calling unit performs structured aggregation on multiple target fields (e.g., ID card number, mobile phone number, bank card number, etc.) contained in the business request to obtain initial business data that can be processed in batches.
[0111] Step 804: Transmit the initial business data in batches to the preset encryption unit integrated in the microservice node.
[0112] In this embodiment, the microservice node transmits the initial business data obtained from the aggregation to a pre-defined encryption unit integrated within the microservice node in batches. This encryption unit is a locally deployed software cryptographic module that supports national cryptographic algorithms (e.g., SM4) and is responsible for uniformly performing encryption or decryption operations.
[0113] In this embodiment, the batch transmission mechanism avoids the performance overhead caused by field-by-field calls, improves the efficiency of the preset encryption unit in encrypting and decrypting the initial business data, and ensures that sensitive data completes security processing within the preset encryption unit in the microservice node, thus preventing the leakage of business data.
[0114] In one exemplary embodiment, as shown in Figure 9, step 802 includes steps 902 to 904, wherein:
[0115] Step 902: In the aspect program of the encrypted calling unit, the field values corresponding to each target field are summarized.
[0116] In this embodiment, after obtaining the input or output parameters of the intercepted DAO method, the microservice node, in the aspect program of the encryption call unit, first determines whether the input or output parameter is a PO type object. If the input or output parameter is a PO type object, it indicates that the input or output parameter in the current business request is the target field, meaning that the business processing of the current business request contains sensitive fields that need to be encrypted or decrypted. The microservice node then extracts the field value corresponding to the target field through the encryption call unit. This field value includes plaintext business data to be encrypted, or ciphertext business data extracted from the database that needs to be decrypted. Finally, the microservice node summarizes and records the field value of the target field in the aspect program.
[0117] Step 904: Based on the field values and the correspondence between the field values and the target fields, construct the data structure to be processed, which includes the target fields and field values, to obtain the initial business data.
[0118] In this embodiment, after obtaining the aggregated field values, the microservice node further establishes a clear association between each data value and its semantic identifier, and combines the target field and field value to construct a data structure to be processed containing the target field and field value, thus obtaining the initial business data. For example, the "ID number: 1XX1XX19XXXXXXXXXX" in a certain record is marked as "Field type = ID number, Record ID = EMP_20250107_003", and multiple records are organized into a structured list to be processed. This list to be processed not only contains the original data values, but also retains sufficient business context information (e.g., field purpose, data source, record ownership, etc.) so that the subsequent encryption unit can accurately fill the results back into the correct position in the original business process after completing the encryption and decryption operations. The resulting structured data packet serves as the initial business data to support subsequent efficient and reliable secure computation, ensuring the data integrity and security of the entire business chain.
[0119] In this embodiment, by summarizing the field values corresponding to the target field and constructing a data structure to be processed containing the relationship between the target field and the field value as the initial business data, the summarization of business data that needs to be encrypted and decrypted is realized, so that the preset encryption unit can perform batch encryption and decryption processing on the initial business data. Only one call to the preset encryption unit is needed, which can improve the efficiency of encryption and decryption processing on the initial business data.
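The flow of steps 404 to 406 and 802 to 904 (identify annotated PO fields, aggregate them into one structure, make a single call to the local encryption unit, fill the results back), as an added example that is not code from the patent. The names `Sensitive`, `PayeePO`, `Item`, `LocalCryptoUnit` and `process` are hypothetical; AES-GCM stands in for SM4 so the example runs on a stock JDK, and the key is generated locally where the page has it delivered by the cryptographic platform.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class BatchFieldEncryptionDemo {
    /** Hypothetical field-level marker standing in for the target field identifier. */
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface Sensitive {}

    /** Constructed persistent object; only the annotated fields are target fields. */
    static class PayeePO {
        String recordId;
        @Sensitive String payeeName;
        @Sensitive String accountNo;
        PayeePO(String id, String name, String acct) { recordId = id; payeeName = name; accountNo = acct; }
    }

    /** One entry of the to-be-processed structure: owning record, field, value. */
    static final class Item {
        final Object owner; final Field field; String value;
        Item(Object o, Field f, String v) { owner = o; field = f; value = v; }
    }

    /** Stand-in for the preset encryption unit: in-process, key configured once. */
    static final class LocalCryptoUnit {
        private static final int IV_LEN = 12, TAG_BITS = 128;
        private final SecretKey key;
        private final SecureRandom rng = new SecureRandom();
        int calls = 0; // number of batch invocations, reported by main()
        LocalCryptoUnit(SecretKey key) { this.key = key; }

        void processBatch(List<Item> batch, boolean encrypt) throws Exception {
            calls++;
            for (Item it : batch) {
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                // Added hardening (not from the page): bind each ciphertext to its field name.
                byte[] aad = it.field.getName().getBytes(StandardCharsets.UTF_8);
                if (encrypt) {
                    byte[] iv = new byte[IV_LEN];
                    rng.nextBytes(iv); // fresh nonce for every value
                    c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
                    c.updateAAD(aad);
                    byte[] ct = c.doFinal(it.value.getBytes(StandardCharsets.UTF_8));
                    byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length); // nonce || ciphertext+tag
                    System.arraycopy(ct, 0, out, IV_LEN, ct.length);
                    it.value = Base64.getEncoder().encodeToString(out);
                } else {
                    byte[] in = Base64.getDecoder().decode(it.value);
                    c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
                    c.updateAAD(aad);
                    it.value = new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
                }
            }
        }
    }

    /** What the aspect does around a DAO call: collect, one batch call, write back. */
    static void process(Collection<?> pos, LocalCryptoUnit unit, boolean encrypt) throws Exception {
        List<Item> batch = new ArrayList<>();
        for (Object po : pos) {
            for (Field f : po.getClass().getDeclaredFields()) {
                if (!f.isAnnotationPresent(Sensitive.class) || f.getType() != String.class) continue;
                f.setAccessible(true);
                Object v = f.get(po);
                if (v != null) batch.add(new Item(po, f, (String) v)); // skip empty fields
            }
        }
        if (batch.isEmpty()) return;                            // nothing sensitive in this request
        unit.processBatch(batch, encrypt);                      // single call for all target fields
        for (Item it : batch) it.field.set(it.owner, it.value); // fill results back in place
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128); // same key length as SM4
        LocalCryptoUnit unit = new LocalCryptoUnit(kg.generateKey());
        List<PayeePO> rows = Arrays.asList( // constructed sample records
            new PayeePO("R-001", "Zhang San", "6222000000000001"),
            new PayeePO("R-002", "Li Si", "6222000000000002"));
        process(rows, unit, true);
        System.out.println("stored:   " + rows.get(0).recordId + " " + rows.get(0).payeeName);
        process(rows, unit, false);
        System.out.println("restored: " + rows.get(0).payeeName + ", batch calls=" + unit.calls);
    }
}
```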
[0120] In one exemplary embodiment, as shown in Figure 10, after step 106, the method further includes steps 1002 to 1004, wherein:
[0121] Step 1002: If the target business data is encrypted data obtained after encryption, store the target business data in the database or transmit it to other application services.
[0122] In this embodiment of the application, in a microservice node, the business requests processed by the application service may contain sensitive information such as customer name, ID card number, and mobile phone number. The field corresponding to the sensitive information is the target field. After the business data of the target field is encrypted by a preset encryption unit, the encryption calling unit SDK receives the encrypted data in the aspect program as the target business data. At this time, the encryption calling unit SDK stores the encrypted data in the database for persistent storage, or transmits it to other application services in other microservice nodes, so that the encrypted data can be decrypted in other application services to realize the business processing of other transaction requests.
[0123] In an exemplary embodiment, taking a money transfer transaction as an example, the application service of the microservice node is a transaction processing application. When a customer initiates an interbank transfer request via mobile banking, the request includes the recipient's name, bank account number, and registered mobile phone number. These fields are identified as the target fields. Using a preset encryption unit and a pre-configured encryption key, the SM4 algorithm is used to batch encrypt the recipient's name, bank account number, and registered mobile phone number, generating corresponding encrypted data. After balance checking and transaction processing, the encrypted recipient's name, bank account number, registered mobile phone number, transaction amount, time, and other transaction data are written into the transaction record and stored in the database.
[0124] During the transfer process, the microservice node also needs to transmit the transaction information of the transaction request to the monitoring system service such as "anti-fraud monitoring". The microservice node currently processing the transaction will transmit the encrypted data to the microservice node where the monitoring system is located.
[0125] Step 1004: If the target business data is decrypted data obtained after decryption, perform business processing based on the decrypted data.
[0126] In this embodiment of the application, when previously stored encrypted data needs to be read and used, for example when the business request is a monetary amount query, the microservice node obtains the encrypted data from the database and securely decrypts it using the preset encryption unit. The microservice node then obtains readable decrypted data as the target business data and performs business processing based on the decrypted data.
[0127] In this embodiment, by encrypting or decrypting the business data of the target field in the business request within the microservice node, the encrypted data is stored in the database or forwarded to other application services, and the decrypted data is processed for business purposes. This improves the efficiency of data encryption or decryption, thereby improving the efficiency of processing business requests.
[0128] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages in other steps. It is understood that the steps in different embodiments can be freely combined as needed, and all non-contradictory solutions formed by such combinations are within the scope of protection of this application.
[0129] Based on the same inventive concept, this application also provides a data processing apparatus for implementing the data processing method described above. The solution provided by this apparatus is similar to the implementation scheme described in the above method; therefore, the specific limitations in one or more data processing apparatus embodiments provided below can be found in the limitations of the data processing method described above, and will not be repeated here.
[0130] In one exemplary embodiment, as shown in Figure 11, a data processing device 1100 is provided, including: an acquisition module 1101, an identification module 1102, and a first processing module 1103, wherein:
[0131] The acquisition module 1101 is used to obtain business requests;
[0132] The identification module 1102 is used to traverse and parse the business request according to the encrypted calling unit, identify the target fields contained in the business request, and transmit the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node; the preset encryption unit is configured with an encryption key.
[0133] The first processing module 1103 is used to perform batch encryption or decryption processing on the initial business data according to the preset encryption unit and encryption key to obtain the target business data.
[0134] In one embodiment, the device 1100 further includes:
[0135] The request module is used to respond to application operations in microservice nodes and initiate a key acquisition request to the cryptographic platform based on the encrypted calling unit;
[0136] The receiving module is used to receive the encryption key fed back by the cryptographic platform and configure the encryption key into the preset encryption unit.
[0137] In one embodiment, the identification module 1102 is specifically used to intercept business requests based on the aspect program in the encrypted calling unit;
[0138] In the aspect program, the method annotations of the persistent object corresponding to the business request are parsed to obtain the target field identifier;
[0139] Based on the target field identifier, the candidate fields carried in the business request are identified and filtered to obtain the target field in the business request.
[0140] In one embodiment, the identification module 1102 is specifically used to aggregate each target field based on the encrypted calling unit to obtain the initial business data corresponding to each target field;
[0141] Initial business data is transmitted in batches to a pre-defined encryption unit integrated in the microservice node.
[0142] In one embodiment, the identification module 1102 is specifically used to summarize the field values corresponding to each target field in the aspect program of the encrypted calling unit;
[0143] Based on the field values and the correspondence between the field values and the target fields, a data structure containing the target fields and field values is constructed to obtain the initial business data.
[0144] In one embodiment, the device 1100 further includes:
[0145] The second processing module is used to store the target business data in the database or transmit it to other application services if the target business data is encrypted data obtained after encryption.
[0146] The third processing module is used to perform business processing based on the decrypted data if the target business data is decrypted data.
[0147] Each module in the aforementioned data processing device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the memory of a computer device as software, so that the processor can call and execute the operations corresponding to each module.
[0148] In one exemplary embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in Figure 12. The computer device includes a processor, memory, input/output interfaces, a communication interface, a display unit, and an input device. The processor, memory, and input/output interfaces are connected via a system bus, and the communication interface, display unit, and input device are also connected to the system bus via the input/output interfaces. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The input/output interfaces are used for exchanging information between the processor and external devices. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, mobile cellular networks, Near Field Communication (NFC), or other technologies. When the computer program is executed by the processor, it implements a data processing method. The display unit is used to form a visible image and can be a display screen, a projection device, or a virtual reality imaging device. The display screen can be an LCD screen or an e-ink screen. The input device of the computer device can be a touch layer covering the display screen, or buttons, trackballs, or touchpads set on the casing of the computer device, or external keyboards, touchpads, or mice, etc.
[0149] Those skilled in the art will understand that the structure shown in Figure 12 is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0150] In one exemplary embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0151] Obtain the business request;
[0152] The encrypted calling unit traverses and parses the business request, identifies the target fields contained in the business request, and transmits the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node; the preset encryption unit is configured with an encryption key.
[0153] The initial business data is batch encrypted or decrypted based on the preset encryption unit and encryption key to obtain the target business data.
[0154] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0155] In response to application operations in the microservice node, a key acquisition request is initiated to the cryptographic platform based on the encrypted calling unit;
[0156] Receive the encryption key from the cryptographic platform and configure the encryption key into the preset encryption unit.
[0157] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0158] The business requests are intercepted based on the aspect program in the encrypted calling unit;
[0159] In the aspect program, the method annotations of the persistent object corresponding to the business request are parsed to obtain the target field identifier;
[0160] Based on the target field identifier, the candidate fields carried in the business request are identified and filtered to obtain the target field in the business request.
[0161] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0162] Based on the encrypted calling unit, the target fields are aggregated to obtain the initial business data corresponding to each target field;
[0163] Initial business data is transmitted in batches to a pre-defined encryption unit integrated in the microservice node.
[0164] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0165] In the aspect program of the encrypted calling unit, the field values corresponding to each target field are summarized;
[0166] Based on the field values and the correspondence between the field values and the target fields, a data structure containing the target fields and field values is constructed to obtain the initial business data.
[0167] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0168] If the target business data is encrypted data obtained after encryption, store the target business data in the database or transmit it to other application services;
[0169] If the target business data is decrypted data obtained after decryption, business processing is performed based on the decrypted data.
[0170] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the steps in the above method embodiments.
[0171] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps in the above method embodiments.
[0172] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.
[0173] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.
[0174] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.
[0175] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.
Claims
1. A data processing method, characterized in that the method is applied to microservice nodes, and the method includes: obtaining the business request; traversing and parsing the business request according to the encrypted invocation unit to identify the target fields contained in the business request, and transmitting the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node, the preset encryption unit being configured with an encryption key; and performing batch encryption or decryption on the initial business data according to the preset encryption unit and the encryption key to obtain the target business data.
2. The method according to claim 1, characterized in that, before obtaining the business request, the method further includes: in response to application operations in the microservice node, initiating a key acquisition request to the cryptographic platform based on the encrypted invocation unit; and receiving the encryption key fed back by the cryptographic platform and configuring the encryption key into the preset encryption unit.
3. The method according to claim 1, characterized in that the step of traversing and parsing the business request according to the encrypted calling unit to identify the target fields contained in the business request includes: intercepting the business request based on the aspect program in the encrypted calling unit; in the aspect program, parsing the method annotations of the persistent object corresponding to the business request to obtain the target field identifier; and, based on the target field identifier, identifying and filtering each candidate field carried in the business request to obtain the target field in the business request.
4. The method according to claim 1, characterized in that the step of batch transmitting the initial business data corresponding to each of the target fields to the preset encryption unit integrated in the microservice node includes: aggregating the target fields based on the encrypted calling unit to obtain the initial business data corresponding to each target field; and transmitting the initial business data in batches to the preset encryption unit integrated in the microservice node.
5. The method according to claim 4, characterized in that the aggregation of each target field based on the encrypted calling unit to obtain the initial business data corresponding to each target field includes: in the aspect program of the encrypted calling unit, summarizing the field values corresponding to each target field; and, based on the field values and the correspondence between the field values and the target field, constructing a data structure to be processed containing the target field and the field values to obtain the initial business data.
6. The method according to claim 1, characterized in that, after the initial business data is batch encrypted or decrypted according to the preset encryption unit and the encryption key to obtain the target business data, the method further includes: if the target business data is encrypted data obtained after encryption, storing the target business data in a database or transmitting it to other application services; and, if the target business data is decrypted data obtained after decryption, performing business processing based on the decrypted data.
7. A data processing apparatus, characterized in that the device is applied to a microservice node, and the device includes: an acquisition module used to acquire business requests; an identification module used to traverse and parse the business request according to the encrypted calling unit, identify the target fields contained in the business request, and transmit the initial business data corresponding to each target field in batches to the preset encryption unit integrated in the microservice node, the preset encryption unit being configured with an encryption key; and a first processing module used to perform batch encryption or decryption processing on the initial business data according to the preset encryption unit and the encryption key to obtain the target business data.
8. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, when the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.
10. A computer program product, comprising a computer program, characterized in that, when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.