An information encryption method, device, equipment and computer readable storage medium
By using dynamic business keys and a two-layer encryption mechanism, combined with distributed locks and secret sharing algorithms, the problem of low security for sensitive information encryption under static binding mechanisms is solved, achieving high security and zero-perception key updates, ensuring the security and consistency of information encryption.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHENZHEN STREAMING VIDEO TECH
- Filing Date
- 2026-05-21
- Publication Date
- 2026-07-03
AI Technical Summary
Existing technologies have low encryption security for sensitive information, and static binding mechanisms are easily detected or stolen, resulting in low security.
A dynamic business key mechanism is adopted, which encrypts the information to be encrypted based on the plaintext business key, and uses a root key and a dynamic salt value to perform double encryption on the plaintext business key. The ciphertext business key is stored in the database. Combined with a distributed lock mechanism and a secret sharing algorithm, the dynamic updating and secure storage of the key are realized.
It improves the encryption security of sensitive information, prevents the theft of static identifiers, ensures that the ciphertext business key must be decrypted before obtaining the information to be encrypted, enhances the security and consistency of information, and avoids business interruption during key rotation.
Smart Images

Figure CN122339830A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data security technology, and in particular to an information encryption method, apparatus, device, and computer-readable storage medium. Background Technology
[0002] The governance of sensitive information (identity credentials, payment tokens, etc.) has evolved from simple encrypted storage to dynamic management throughout its entire lifecycle. Currently, the protection of sensitive information relies on static binding mechanisms. The core of static binding lies in permanently associating specific security policies, access credentials, encryption keys, or licenses with a set of container identifiers considered immutable during application deployment or startup. These static identifiers are extremely vulnerable to detection or theft from images, configurations, or runtime, offering virtually no confidentiality and thus resulting in low security.
[0003] It is evident that improving the security of encryption of sensitive information based on key pairs is a technical problem that urgently needs to be solved by those skilled in the art. Summary of the Invention
[0004] In view of this, the purpose of the present invention is to provide an information encryption method, apparatus, device and computer-readable storage medium, which solves the technical problem of low encryption security in the prior art.
[0005] To solve the above-mentioned technical problems, the present invention provides an information encryption method, comprising: The information to be encrypted is encrypted using a plaintext service key to obtain ciphertext information; wherein, the plaintext service key is a dynamic service key that can be updated according to set trigger conditions. The plaintext service key is encrypted using the root key and dynamic salt value to obtain the ciphertext service key; The encrypted service key is stored in the database.
[0006] As can be seen, this invention encrypts the information to be encrypted based on a plaintext service key to obtain ciphertext information. The plaintext service key is a dynamic service key that can be updated according to set trigger conditions. The plaintext service key is then encrypted using a root key and a dynamic salt value to obtain a ciphertext service key. The ciphertext service key is then stored in a database. The beneficial effects of this invention are: compared to the low security of current methods that encrypt sensitive information based on static identifiers, this invention encrypts the information to be encrypted using a plaintext service key, and then encrypts the plaintext service key again using a root key and a dynamic salt value, thereby storing the ciphertext service key in the database. Because the database stores the ciphertext service key, when retrieving the information to be encrypted, the ciphertext service key must be decrypted before the ciphertext information can be decrypted, thus greatly improving the security of information encryption.
[0007] Optionally, after encrypting the information to be encrypted based on the plaintext business key to obtain the ciphertext information, the following steps are also included: The generated new version of the business key is distributed to all business nodes for caching; The current valid business key version pointer is updated through a distributed lock mechanism, and the pointer is switched from the historical version business key to the new version business key. After the valid business key version pointer is updated, for a new request to write information to be encrypted, the data is encrypted using the new version business key according to the valid business key version pointer; For historical data read requests, the encrypted information is decrypted according to the historical version business key to obtain the information to be encrypted, and the information to be encrypted is encrypted according to the new version business key to obtain new encrypted information.
[0008] Optionally, after encrypting the information to be encrypted based on the plaintext business key to obtain the ciphertext information, the following steps are also included: Monitor the call frequency of the historical version service keys; When the call frequency is zero and the predetermined duration is reached, a destruction instruction is triggered to erase the historical version business key from each business node.
[0009] Optionally, before encrypting the plaintext service key based on the root key and dynamic salt value to obtain the ciphertext service key, the method further includes: Extract the container's unique identifier and host serial number in real time for the current environment; Based on the container's unique identifier and the host's serial number, an environment feature hash is generated using a secure hash algorithm, and the environment feature hash is used as the dynamic salt value.
[0010] Optionally, after storing the encrypted service key in the database, the method further includes: When decrypting the encrypted service key, the current dynamic salt value corresponding to the current environment feature hash is compared with the dynamic salt value when encrypting the service key; If the current dynamic salt value is inconsistent with the dynamic salt value, decryption is rejected, and the key generated by the root key and the dynamic salt value for decrypting the ciphertext service key is erased.
[0011] Optionally, after storing the encrypted service key in the database, the method further includes: After decrypting the information to be encrypted based on the plaintext business key, the return value of the business method is intercepted using aspect-oriented programming. The information to be encrypted in the return value is then dynamically masked, and the data after dynamic masking is then visualized. During the logging process, bytecode-level feature matching is performed on log messages and exception stack information to obtain the matched information to be encrypted; The matched information to be encrypted is masked.
[0012] Optionally, after encrypting the plaintext service key based on the root key and dynamic salt value to obtain the ciphertext service key, the method further includes: The root key is split into a predetermined number of key fragments using a secret sharing algorithm; Each of the key fragments is stored in a different location.
[0013] The present invention also provides an information encryption device, comprising: The encryption module for information to be encrypted is used to encrypt the information to be encrypted based on a plaintext business key to obtain ciphertext information; wherein, the plaintext business key is a dynamic business key that can be updated according to a set trigger condition; The business key encryption module is used to encrypt the plaintext business key based on the root key and the dynamic salt value to obtain the ciphertext business key; The encrypted service key storage module is used to store the encrypted service key into a database.
[0014] The present invention also provides an information encryption device, comprising: Memory, used to store computer programs; A processor for executing the computer program to implement the steps of the information encryption method described above.
[0015] The present invention provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the above-described information encryption method.
[0016] The present invention also provides a computer program product, including a computer program / instruction, which, when executed by a processor, implements the steps of the above-described information encryption method.
[0017] In addition, the present invention also provides an information encryption device, apparatus, and computer-readable storage medium, which also have the above-mentioned beneficial effects. Attached Figure Description
[0018] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.
[0019] Figure 1 A flowchart of an information encryption method provided in an embodiment of the present invention; Figure 2 This invention provides a schematic diagram of a seamless hot rotation of service keys based on version mapping, as provided in an embodiment of the invention. Figure 3 A schematic diagram illustrating threshold recovery provided in an embodiment of the present invention; Figure 4 This is an overall framework diagram of an information encryption method provided in an embodiment of the present invention; Figure 5 This is a schematic diagram of the structure of an information encryption device provided in an embodiment of the present invention; Figure 6 This is a schematic diagram of the structure of an information encryption device provided in an embodiment of the present invention. Detailed Implementation
[0020] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0021] Please refer to Figure 1 , Figure 1 A flowchart illustrating an information encryption method provided in an embodiment of the present invention. The method may include: S101, encrypt the information to be encrypted based on the plaintext service key to obtain ciphertext information; wherein, the plaintext service key is a dynamic service key that can be updated according to the set trigger conditions.
[0022] Each step in this embodiment can be executed by a designated electronic device, which can be a server, a portable terminal, or other forms. The information to be encrypted in this embodiment is sensitive data, and this embodiment is not limited to specific information to be encrypted; for example, the information to be encrypted in this embodiment can be an identity credential, a payment token, etc. This embodiment does not limit the specific method for generating the plaintext business key; for example, it can be a symmetric key, an asymmetric key, etc. The setting trigger condition in this embodiment can be a set time period; or the setting trigger condition in this embodiment can be a set update command. It should be noted that the key type of the generated business key can be determined according to the business type of the information to be encrypted, thereby generating multiple business keys based on this key type to form a key pool, and then dynamically updating the business key based on the business keys in the key pool. The application technology fields of this embodiment can include token security management in financial payment systems, encryption of user privacy data in large e-commerce platforms, and distributed configuration security hardening and compliance auditing under cloud-native architecture, etc.
[0023] S102, encrypt the plaintext service key based on the root key and dynamic salt value to obtain the ciphertext service key.
[0024] In this embodiment, the CI (Continuous Integration) / CD (Continuous Delivery) pipeline dynamically injects the root key when the container starts. This embodiment does not limit the specific method for generating the dynamic salt value. For example, the dynamic salt value can be generated based on environmental characteristics; or it can be generated based on a timestamp, with an expiration period (e.g., 24 hours) set for the salt value, after which it automatically expires. Specifically, this embodiment can extract the K8s_Pod_UID (unique identifier) and Host_Serial (host serial number) of the current environment in real time, and use the SHA-256 algorithm (secure hash algorithm) to generate an environmental characteristic hash as the dynamic salt value. The dynamic salt value directly participates in the decryption calculation of the root key (MasterKey). The root key must be bound to this dynamic salt value to decrypt. If Pod (container) migration or illegal image operation is detected, resulting in a fingerprint mismatch (illegal drift), the system will refuse decryption and trigger a memory erase procedure, causing the lower-layer business key to automatically expire.
[0025] It should be further explained that, based on any of the above embodiments, before encrypting the plaintext business key based on the root key and dynamic salt to obtain the ciphertext business key, the method may further include: extracting the container's unique identifier and host serial number in real time; generating an environment feature hash using a secure hash algorithm based on the container's unique identifier and host serial number, and using the environment feature hash as the dynamic salt. This embodiment upgrades encryption from static locking to environment-dependent encryption, effectively addressing the risks of container image hijacking and offline cracking.
[0026] It should be further explained that, based on any of the above embodiments, after storing the encrypted service key in the database, the method may further include: when decrypting the encrypted service key, comparing the current dynamic salt value corresponding to the current environment feature hash with the dynamic salt value used when encrypting the service key; if the current dynamic salt value does not match the dynamic salt value, decryption is rejected, and the key generated by the root key and the dynamic salt value for decrypting the encrypted service key is erased. In this embodiment, if a Pod migration or illegal image operation causes a fingerprint mismatch (illegal drift), the system will reject decryption and trigger a memory erasure procedure, automatically invalidating the lower-level service key. This improves the security of decryption based on the service key.
[0027] S103, store the encrypted business key into the database.
[0028] This embodiment stores the business key (DataKey) in encrypted form in the database. The format of the business key (DataKey) stored in the database in encrypted form is: [Version_ID] + [Ciphertext: encrypted business key] + [HMAC: hash-based message authentication code].
[0029] It should be further noted that, based on any of the above embodiments, after encrypting the information to be encrypted based on the plaintext business key to obtain the ciphertext information, the following may also be included: S1: Distribute the generated new version of the business key to all business nodes for caching.
[0030] This implementation distributes Vnew (the new version business key) to all nodes in the network cache during the pre-release period. At this time, all nodes have the ability to decrypt Vnew, but still use Vold (the historical version business key) for encryption.
[0031] S2: Update the current valid business key version pointer through a distributed lock mechanism, and switch the pointer to the new version of the business key from the historical version.
[0032] S3: After the valid business key version pointer is updated, for a new request to write information to be encrypted, the data is encrypted using the new version business key according to the valid business key version pointer.
[0033] S4: For historical data read requests, the encrypted information is decrypted according to the historical version business key to obtain the information to be encrypted, and the information to be encrypted is encrypted according to the new version business key to obtain new encrypted information.
[0034] This implementation uses a distributed lock (Redlock) to drive the atomic evolution of the version pointer during the grayscale transition period, encrypting the data to point to Vnew. New requests are encrypted and stored in the database using Vnew, while old requests are automatically routed to the corresponding version's key for decryption via the Version_ID (version identifier of the business key) in the header of the encrypted business key, ensuring the continuity of cross-version data interaction.
[0035] This embodiment completely solves the problem of service interruption and consistency during key rotation in large-scale distributed clusters by dynamically updating business keys through a distributed lock mechanism. For example, through a distributed lock, when node A triggers a key update, node B cannot update, preventing both nodes from modifying the key simultaneously. Traditional solutions require service restarts during key rotation, which cannot meet the zero-aware switching requirements of high-availability scenarios. In contrast, the business key update in this application is a zero-aware switching mechanism. It should be noted that this embodiment can be used to dynamically update the root key based on this method.
[0036] It should be further explained that, based on any of the above embodiments, in order to improve encryption security, after encrypting the information to be encrypted based on the plaintext business key to obtain the ciphertext information, the method may further include: monitoring the call frequency of historical version business keys; when the call frequency is zero and a predetermined duration is reached, triggering a destruction command to erase the historical version business key from each business node. This embodiment can monitor the Vold usage frequency during the cleanup period. When it is detected that the existing old ciphertext has been completely overwritten or the life cycle has ended (frequency reaches zero), the old key cache is automatically destroyed.
[0037] For easier understanding, please refer to Figure 2 , Figure 2 This is a schematic diagram of a version-mapping-based service key seamless hot rotation provided in an embodiment of the present invention. Figure 2 It can be seen that by preloading and supporting re-encryption based on the new version of the business key, service unavailability during the switch is avoided, and the problem of coexistence of old and new data is solved (decryption is achieved through version number routing). Redlock is used to ensure the atomicity and consistency of the switch operation, preventing confusion caused by different nodes using different keys. During the cleanup period, frequency reporting ensures that the old key is safely removed without omission. Compared with existing technical solutions, which lack an effective mechanism to ensure strong consistency of key versions during rotation in a distributed environment, often leading to encryption and decryption failures, this application achieves key version consistency and avoids decryption failures. A version header (VersionHeader) is encapsulated in the ciphertext structure, and the version pointer evolution is driven by a distributed lock (Redlock) to achieve a smooth transition between old and new keys.
[0038] It should be further explained that, based on any of the above embodiments, after storing the encrypted business key in the database, the method may further include: after decrypting the information to be encrypted based on the plaintext business key, intercepting the return value of the business method using aspect-oriented programming (AOP), dynamically masking the information to be encrypted in the return value, and visually displaying the dynamically masked data; during log recording, performing bytecode-level feature matching on log messages and exception stack information to obtain the matched information to be encrypted; and masking the matched information to be encrypted. This embodiment performs AOP (Aspect-Oriented Programming) aspect filtering by intercepting the return value of the business method (data returned to the front end; during page interaction, the data returned to the page needs to be desensitized, and the returned data is...). This implementation dynamically masks sensitive fields (such as phone numbers and tokens) according to policies issued by a centralized configuration center. It also uses Logback bytecode interception as a second line of defense, employing a custom Logback converter to perform bytecode-level feature matching and masking of log streams and exception stacks, preventing decrypted plaintext from entering the disk logs. This implementation leverages AOP aspects and Logback bytecode enhancement technology to achieve real-time masking and desensitization of runtime data without modifying business logic.
[0039] It should be further explained that, based on any of the above embodiments, after encrypting the plaintext business key based on the root key and dynamic salt value to obtain the ciphertext business key, the process may further include: splitting the root key into a preset number of key fragments using a secret sharing algorithm; and storing each key fragment in a different location. In this embodiment, the root key is split into n fragments using the Shamir algorithm (secret sharing algorithm). During recovery, at least k fragments (e.g., a 3 / 5 threshold) must be collected and mathematically synthesized to restore the root key and recover the business decryption capability. The Shamir secret sharing algorithm achieves a weighted balance, eliminating the risk of single point of failure.
[0040] For easier understanding, please refer to Figure 3 , Figure 3This diagram illustrates a threshold recovery process according to an embodiment of the present invention. Phase 1: Root Key Splitting - Pre-segmentation. This phase occurs during system initialization or key updates. Its purpose is to distribute a highly sensitive root key across multiple storage locations to prevent single-point leakage. Master Key: This is the system's highest-authority key, located at the top of the pyramid. A secret (Master Key) is split into five fragments (Share1 to Share5), meaning these fragments are distributed to mutually untrusted or physically isolated entities: Operations Auditor A, Operations Auditor B, Region C (physical data center), Offline Vault D, and Cloud Security Module E. Phase 2: Threshold Recovery - Disaster Response. This phase occurs in emergency situations where the root key is lost, leaked, or the system needs to be rebuilt. When a disaster occurs, the fragments need to be collected from the aforementioned distributed custodians.
[0041] Figure 3 The document lists fragments 1, 2, and 3. This means that collecting any 3 out of 5 fragments (e.g., Operations Auditor A, Region C Data Center + Cloud Security Module) can trigger the recovery process. This mechanism ensures high system availability (allowing for the loss of 2 fragments) and security (the loss or theft of 2 fragments will not lead to data leakage). The collected k fragments are combined into the original Master Key. The recovered Master Key is used to decrypt the business keys it protects, thereby restoring the encrypted business operations of the entire system to normal.
[0042] In this embodiment, the data reading path can prioritize reading from local memory, followed by distributed cache, and finally the database. This three-tier acceleration architecture keeps the end-to-end latency increment under a load of 100,000 TPS (transaction processing system) within 2ms.
[0043] This invention provides an information encryption method, which may include: S101, encrypting the information to be encrypted based on a plaintext business key to obtain ciphertext information; wherein the plaintext business key is a dynamic business key that can be updated according to a set time period; S102, encrypting the plaintext business key based on a root key and a dynamic salt value to obtain a ciphertext business key; S103, storing the ciphertext business key in a database. Compared with the current method of encrypting sensitive information based on static identifiers, which has low security, this invention encrypts the plaintext business key based on a root key and a dynamic salt value, establishing a two-layer encryption architecture based on a root key and a business key, and adopting a dynamic salt value, which greatly improves the security of encrypting sensitive data.
[0044] For a clearer understanding of this invention, please refer to the following details. Figure 4 , Figure 4 This invention provides an overall framework diagram of an information encryption method, which may specifically include: In this embodiment, cloud-native runtime environment users provide dynamic identity credentials. K8s_Pod_UID and Host_Serial are real-time collected, unforgeable container and host identity identifiers. These two identifiers are hashed (e.g., SHA-256) to generate a unique dynamic salt value. This salt value binds the key to the current, specific runtime environment instance. The CI / CD pipeline provides a trusted source of root key injection. At container startup, the root key is securely injected into the system via a secure, automated pipeline. This ensures the auditability and immutability of the key source. A combined hash of the container's PodUID and host hardware information is used as the dynamic salt value for root key encryption and decryption. Memory is locked via the Linux (cloned system) kernel's mlock system call to prevent the key from being swapped to disk, ensuring that the key exists only in trusted memory runtime.
[0045] In this embodiment, the fingerprint verification module of the distributed key governance engine compares the dynamically calculated salt value (from the current environment) with historical dynamic salt values to verify the legitimacy of the current environment. Only after successful fingerprint verification is the session key for encryption and decryption derived within the memory lock area. This is crucial for implementing environment drift detection. The memory lock area uses system calls such as `mlock` (memory lock) to ensure that the Master Key and derived key materials exist only in locked memory and are never swapped to disk, thus mitigating the risk of physical memory leaks.
[0046] This embodiment employs a three-tiered accelerated storage architecture for high-speed access to keys and data: Local memory L1: Stores the plaintext key of the currently active version, protected by memory locks. Distributed cache (Redis) L2: Stores the ciphertext key and version mapping relationship, ensuring consistency across multiple nodes. Database L3: Persistently stores the double-encrypted ciphertext of the business key. The ingenuity of this architecture lies in the fact that the form and security of the data change as it flows: Write / update process (security first): New business key -> Encrypted with root key + dynamic salt -> Ciphertext stored in L3 database -> Synchronized to L2 cache, ensuring the ciphertext is securely persisted. Read / Use Flow (Performance Priority): Business Request -> L1 Query (None) -> L2 Query (Get Ciphertext -> Request Decryption from Key Engine -> Engine verifies environment, decrypts plaintext in memory lock -> Stores in L1 -> Returns for Use). Under strict environment verification, the ciphertext is securely converted into locally usable plaintext, accelerating subsequent access. In summary, this architecture achieves: Performance: L1 > L2 > L3, satisfying high concurrency millisecond-level response. Security: L3 > L2 > L1; the more persistent and shared the layer, the stronger the protection.
[0047] This embodiment demonstrates the final two lines of defense for sensitive data during business usage and output, showcasing the processing and secure output of business data. After receiving the plaintext Data Key from the key management engine, the business logic layer encrypts and decrypts the sensitive business data. AOP de-identification aspect: Before the business method returns data to the front end, this aspect automatically intercepts the return value and dynamically masks fields such as phone number and token according to a predefined strategy (e.g., displaying them as 138). (8000) Prevents sensitive information from being leaked in interface display and API transmission. Logback bytecode interceptor: During the logging process, it performs a deep scan of log messages and exception stacks at the bytecode level. If a sensitive information pattern (such as ID number, key fragment) is matched, it is masked and replaced to ensure that no plaintext sensitive information is ever written to the log file or console.
[0048] The embodiments of the present invention improve the results of technical solution detection and experimental verification: Stress test: With 1000 microservice nodes running concurrently, the Redis (open source in-memory database) cluster QPS (throughput) can reach 150,000 / s, and the latency is stable within 3ms.
[0049] Disaster recovery: Simulating root key corruption, the system successfully restored services within 15 minutes using a 3 / 5 threshold scheme.
[0050] Desensitization verification: When an exception is manually triggered, the log system automatically performs 100% masking of the stack information.
[0051] The following describes an information encryption device provided by an embodiment of the present invention. The information encryption device described below can be referred to in correspondence with the information encryption method described above.
[0052] Please refer to the details. Figure 5 , Figure 5 A schematic diagram of an information encryption device provided in an embodiment of the present invention may include: The encryption module 100 is used to encrypt the information to be encrypted based on the plaintext business key to obtain ciphertext information; wherein, the plaintext business key is a dynamic business key that can be updated according to a set time period. The business key encryption module 200 is used to encrypt the plaintext business key based on the root key and the dynamic salt value to obtain the ciphertext business key; The encrypted service key storage module 300 is used to store the encrypted service key into a database.
[0053] Furthermore, based on any of the above embodiments, the information encryption device may further include: The new version of the business key distribution module is used to distribute the generated new version of the business key to all business nodes for caching; The version update module is used to update the current valid business key version pointer through a distributed lock mechanism, switching the pointer from the historical version business key to the new version business key; Based on the new version of the encryption module, after the valid business key version pointer is updated, for a new request to write information to be encrypted, the new version of the business key is used to encrypt the data according to the valid business key version pointer and the new version of the business key. The new ciphertext information determination module is used to decrypt the ciphertext information according to the historical version business key to obtain the information to be encrypted, and encrypt the information to be encrypted according to the new version business key to obtain the new ciphertext information.
[0054] Furthermore, based on any of the above embodiments, the information encryption device may further include: The call frequency determination module is used to monitor the call frequency of the historical version business key; The erasure module is used to trigger a destruction command when the call frequency is zero and a predetermined duration is reached, thereby erasing the historical version business key from each business node.
[0055] Furthermore, based on any of the above embodiments, the information encryption device may further include: The environment information acquisition module is used to extract the container's unique identifier and host serial number in the current environment in real time. The dynamic salt value determination module is used to generate an environment feature hash based on the container's unique identifier and the host serial number using a secure hash algorithm, and to use the environment feature hash as the dynamic salt value.
[0056] Furthermore, based on any of the above embodiments, the information encryption device may further include: The comparison module is used to compare the current dynamic salt value corresponding to the current environment feature hash with the dynamic salt value when encrypting the business key when decrypting the encrypted business key. The decryption rejection module is used to reject decryption and erase the key generated by the root key and the dynamic salt value for decrypting the ciphertext service key if the current dynamic salt value is inconsistent with the dynamic salt value.
[0057] Furthermore, based on any of the above embodiments, the information encryption device may further include: The dynamic masking module is used to intercept the return value of the business method after decrypting the information to be encrypted based on the plaintext business key, and to perform dynamic masking processing on the information to be encrypted in the return value, and to visualize the data after dynamic masking processing. The module for determining matched information to be encrypted is used to perform bytecode-level feature matching on log messages and exception stack information during the log recording process to obtain matched information to be encrypted. The masking processing module is used to mask the matched information to be encrypted.
[0058] Furthermore, based on any of the above embodiments, the information encryption device may further include: The root key fragmentation module is used to split the root key into a preset number of key fragments using a threshold algorithm. A key fragment storage module is used to store each key fragment in a different location.
[0059] It should be noted that the order of the modules and units in the aforementioned information encryption device can be changed without affecting the logic.
[0060] This invention provides an information encryption device, which may include: an information encryption module 100 for encrypting information to be encrypted based on a plaintext business key to obtain ciphertext information; wherein the plaintext business key is a dynamic business key that can be updated according to a set time period; a business key encryption module 200 for encrypting the plaintext business key based on a root key and a dynamic salt value to obtain a ciphertext business key; and a ciphertext business key storage module 300 for storing the ciphertext business key in a database. Compared with the current method of encrypting sensitive information based on static identifiers, which has low security, this invention encrypts the plaintext business key based on a root key and a dynamic salt value, establishing a two-layer encryption architecture based on a root key and a business key, and employing a dynamic salt value, which greatly improves the security of encrypting sensitive data.
[0061] The following describes an information encryption device provided by an embodiment of the present invention. The information encryption device described below and the information encryption method described above can be referred to in correspondence.
[0062] Please refer to Figure 6 , Figure 6 A schematic diagram of the structure of an information encryption device provided in an embodiment of the present invention may include: Memory 10 is used to store computer programs; Processor 20 is used to execute computer programs to implement the above-described information encryption method.
[0063] The memory 10, processor 20, and communication interface 30 all communicate with each other through the communication bus 40.
[0064] In this embodiment of the invention, the memory 10 is used to store one or more programs. The programs may include program code, which includes computer operation instructions. In this embodiment of the invention, the memory 10 may store programs for implementing the following functions: The information to be encrypted is encrypted using the plaintext service key to obtain ciphertext information; wherein, the plaintext service key is a dynamic service key that can be updated according to a set time period. The plaintext service key is encrypted using the root key and dynamic salt value to obtain the ciphertext service key; Store the encrypted business key in the database.
[0065] In one possible implementation, the memory 10 may include a program storage area and a data storage area, wherein the program storage area may store the operating system and applications required for at least one function; and the data storage area may store data created during use.
[0066] Furthermore, memory 10 may include read-only memory and random access memory, providing instructions and data to the processor. A portion of the memory may also include NVRAM. The memory stores operating systems and operating instructions, executable modules, or data structures, or subsets thereof, or extended sets thereof, wherein the operating instructions may include various operating instructions for implementing various operations. The operating system may include various system programs for implementing various basic tasks and handling hardware-based tasks.
[0067] Processor 20 can be a central processing unit (CPU), an application-specific integrated circuit, a digital signal processor, a field-programmable gate array, or other programmable logic device. Processor 20 can be a microprocessor or any conventional processor. Processor 20 can call programs stored in memory 10.
[0068] The communication interface 30 can be an interface for the communication module, used to connect with other devices or systems.
[0069] Of course, it should be noted that, Figure 6 The structure shown does not constitute a limitation on the information encryption device in the embodiments of the present invention. In practical applications, the information encryption device may include more than Figure 6 More or fewer components as shown, or combinations of certain components.
[0070] The following describes the computer-readable storage medium provided in the embodiments of the present invention. The computer-readable storage medium described below and the information encryption method described above can be referred to each other.
[0071] The present invention also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the above-described information encryption method.
[0072] The computer-readable storage medium may include various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0073] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the method section.
[0074] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.
[0075] Finally, it should be noted that in this document, relationships such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0076] The above provides a detailed description of the information encryption method, apparatus, device, and computer-readable storage medium provided by the present invention. Specific examples have been used to illustrate the principles and implementation methods of the present invention. The description of the above embodiments is only for the purpose of helping to understand the method and core ideas of the present invention. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of the present invention. Therefore, the content of this specification should not be construed as a limitation of the present invention.
Claims
1. An information encryption method characterized by, include: The information to be encrypted is encrypted using a plaintext service key to obtain ciphertext information; wherein, the plaintext service key is a dynamic service key that can be updated according to set trigger conditions. The plaintext service key is encrypted using the root key and dynamic salt value to obtain the ciphertext service key; The encrypted service key is stored in the database.
2. The information encryption method according to claim 1, characterized by, After encrypting the information to be encrypted based on the plaintext business key to obtain the ciphertext information, the process also includes: The generated new version of the business key is distributed to all business nodes for caching; The current valid business key version pointer is updated through a distributed lock mechanism, and the pointer is switched from the historical version business key to the new version business key. After the valid business key version pointer is updated, for a new request to write information to be encrypted, the data is encrypted using the new version business key according to the valid business key version pointer; For historical data read requests, the encrypted information is decrypted according to the historical version business key to obtain the information to be encrypted, and the information to be encrypted is encrypted according to the new version business key to obtain new encrypted information.
3. The information encryption method according to claim 2, characterized by, After encrypting the information to be encrypted based on the plaintext business key to obtain the ciphertext information, the process also includes: Monitor the call frequency of the historical version service keys; When the call frequency is zero and the predetermined duration is reached, a destruction instruction is triggered to erase the historical version business key from each business node.
4. The information encryption method according to any one of claims 1 to 3, characterized by, Before encrypting the plaintext service key based on the root key and dynamic salt value to obtain the ciphertext service key, the process also includes: Extract the container's unique identifier and host serial number in real time for the current environment; Based on the container's unique identifier and the host's serial number, an environment feature hash is generated using a secure hash algorithm, and the environment feature hash is used as the dynamic salt value.
5. The information encryption method according to claim 4, characterized in that, After storing the encrypted service key in the database, the process also includes: When decrypting the encrypted service key, the current dynamic salt value corresponding to the current environment feature hash is compared with the dynamic salt value when encrypting the service key; If the current dynamic salt value is inconsistent with the dynamic salt value, decryption is rejected, and the key generated by the root key and the dynamic salt value for decrypting the ciphertext service key is erased.
6. The information encryption method according to claim 1, characterized in that, After storing the encrypted service key in the database, the process also includes: After decrypting the information to be encrypted based on the plaintext business key, the return value of the business method is intercepted using aspect-oriented programming. The information to be encrypted in the return value is then dynamically masked, and the data after dynamic masking is then visualized. During the logging process, bytecode-level feature matching is performed on log messages and exception stack information to obtain the matched information to be encrypted; The matched information to be encrypted is masked.
7. The information encryption method according to claim 1, characterized in that, After encrypting the plaintext service key based on the root key and dynamic salt value to obtain the ciphertext service key, the process further includes: The root key is split into a predetermined number of key fragments using a secret sharing algorithm; Each of the key fragments is stored in a different location.
8. An information encryption device, characterized in that, include: The encryption module for information to be encrypted is used to encrypt the information to be encrypted based on a plaintext business key to obtain ciphertext information; wherein, the plaintext business key is a dynamic business key that can be updated according to a set trigger condition; The business key encryption module is used to encrypt the plaintext business key based on the root key and the dynamic salt value to obtain the ciphertext business key; The encrypted service key storage module is used to store the encrypted service key into a database.
9. An information encryption device, characterized in that, include: Memory, used to store computer programs; A processor for executing the computer program to implement the steps of the information encryption method as described in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the information encryption method as described in any one of claims 1 to 7.