Data processing method and device in anti-quantum encryption algorithm switching process
By implementing gray-scale switching rules and control rules, the database is converted from the national cryptographic algorithm to the quantum-resistant encryption algorithm in batches, which solves the downtime problem during the database switching process and achieves a smooth switching of encryption algorithms without downtime or any noticeable disruption.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- Fisherman Information Technology Co Ltd
- Filing Date
- 2026-06-12
- Publication Date
- 2026-07-14
AI Technical Summary
In existing technologies, when a database switches from a national cryptographic algorithm to a quantum-resistant encryption algorithm, system services need to be paused, resulting in long downtime and making it unsuitable for uninterrupted business application scenarios.
The system adopts a canary switching approach, which configures canary switching start rules by setting the switching execution time range, business busyness threshold, and processor utilization threshold. Combined with canary switching control rules that set the single batch data conversion percentage threshold and data encryption priority, the system performs the conversion of source encrypted data to target encrypted data in batches. The system also handles the database's data addition, modification, and query services through a data encryption converter/decryption converter.
It achieves a smooth, seamless switchover of the database during encryption algorithm switching without downtime or any noticeable disruption, ensuring that the database system can continue to provide services and solving the problem of database system service downtime.
Smart Images

Figure CN122389062A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of database security technology, and more specifically, to a data processing method and apparatus for switching quantum encryption algorithms. Background Technology
[0002] With the rapid development of quantum computing technology, traditional Chinese cryptographic algorithms (such as SM2 and SM4) are at risk of being cracked by quantum computers. In order to ensure the security of long-term data storage in the database, the data in the database that has been encrypted by Chinese cryptographic algorithms needs to be upgraded to data encrypted by quantum-resistant encryption algorithms (such as ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism)).
[0003] In existing technologies, database encryption algorithm switching schemes mostly adopt the "full shutdown conversion" mode, which requires pausing the database system service, then decrypting the national cryptographic data in batches, and then re-encrypting the decryption results using a quantum-resistant encryption algorithm. Due to the huge amount of data stored in the database, the database system service downtime is long, which cannot adapt to the technical problem of uninterrupted business application scenarios. Summary of the Invention
[0004] This application provides a data processing method and apparatus during the switching process of quantum-resistant encryption algorithms, so as to at least solve the technical problem that the database system service is interrupted and the database system service cannot be used during the switching process from the national cryptographic algorithm to the quantum-resistant encryption algorithm.
[0005] According to one aspect of this application, a data processing method is provided during the switching process of a quantum-resistant encryption algorithm, comprising: obtaining gray-scale switching rules for a database, wherein the gray-scale switching rules include gray-scale switching initiation rules and gray-scale switching control rules, the gray-scale switching initiation rules including at least a switching execution time range, a business busyness threshold, and a processor utilization threshold, and the gray-scale switching control rules including at least a single batch data conversion percentage threshold and a data encryption priority; when the system configuration data of the database meets the gray-scale switching initiation rules, using a data converter to convert source encrypted data in the database into target encrypted data in batches based on the gray-scale switching control rules, wherein the source encrypted data uses a preset encryption algorithm, and the target encrypted data uses a quantum-resistant encryption algorithm; during the batch conversion of the source encrypted data, using a data encryption converter / data decryption converter to convert data involved in the system services of the database, wherein the system services are one of the following: data addition service, data modification service, and data query service.
[0006] Optionally, obtaining the gray-scale switching rules for the database includes: after receiving a user's request to switch the database algorithm, parsing the request to obtain the algorithm identifier of the quantum-resistant encryption algorithm to which the database needs to switch; after querying the preset switching rules for the quantum-resistant encryption algorithm based on the algorithm identifier, returning the preset switching rules to the user's visual terminal for display; if the user adopts the preset switching rules, using the preset switching rules as the gray-scale switching rules for the database; if the user does not adopt the preset switching rules, redirecting to the preset rule configuration page corresponding to the quantum-resistant encryption algorithm, and generating the gray-scale switching rules for the database based on the user configuration data received from the preset rule configuration page.
[0007] Optionally, the database system configuration data includes at least system time, business activity level, and processor utilization. After obtaining the database's gray-scale switching rules, the data processing method during the quantum-resistant encryption algorithm switching process further includes: detecting whether the system time has reached the switching execution time range in the gray-scale switching start rule through a listener; if the system time has reached the switching execution time range, performing the following detection operations at preset time intervals based on the gray-scale switching start rule through a switching switch judge: a first detection operation to detect whether the system time is within the switching execution time range; a second detection operation to detect whether the business activity level is greater than the business activity level threshold; a third detection operation to detect whether the processor utilization rate is greater than the processor utilization rate threshold; if the system time is within the switching execution time range, the business activity level is less than or equal to the business activity level threshold, and the processor utilization rate is less than or equal to the processor utilization rate threshold, it is determined that the database system configuration data meets the gray-scale switching start rule.
[0008] Optionally, if the system configuration data of the database meets the gray-scale switching start rules, the source encrypted data in the database is converted into target encrypted data in batches by the data converter based on the gray-scale switching control rules. This includes: starting the data converter when the system configuration data of the database meets the gray-scale switching start rules, and sending the source encrypted data in the data queue processor to the data converter in sequence according to the data encryption priority in the gray-scale switching control rules; converting the sequentially received source encrypted data by the data converter, and detecting the data conversion percentage of the data converter in real time by the data processing degree calculator, wherein the data conversion percentage is the ratio of the amount of source encrypted data received sequentially by the data converter to the amount of all source encrypted data in the database; when the data conversion percentage reaches the single batch data conversion percentage threshold in the gray-scale switching control rules, notifying the data queue processor to stop sending data, and after the data converter has completed the conversion of the sequentially received source encrypted data, notifying the switch judge that the conversion of this batch of data is complete.
[0009] Optionally, the sequentially received source encrypted data is converted using a data converter, including: parsing the source encrypted data using the data converter to obtain a first key corresponding to a preset encryption algorithm; decrypting the source encrypted data based on the first key to obtain plaintext data; encrypting the plaintext data based on a second key corresponding to a quantum-resistant encryption algorithm to obtain initial encrypted data; decrypting the initial encrypted data based on the second key to obtain data to be detected; and if the data to be detected is consistent with the plaintext data, using the initial encrypted data as the target encrypted data obtained by converting the source encrypted data.
[0010] Optionally, the data involved in the system service of the database is converted by a data encryption converter, including: when a data addition service is received from the database, the encryption field judge detects whether there is a field to be encrypted in the data to be added by the data addition service; if there is a field to be encrypted in the data to be added, the data encryption converter encrypts the field to be encrypted based on the key corresponding to the encryption algorithm currently used by the database to obtain the encrypted field; the field to be encrypted in the data to be added is replaced with the corresponding encrypted field, and the data obtained by replacement is stored in the database.
[0011] Optionally, the data involved in the system service of the database is transformed by a data decryption converter, including: when a data query service is received from the database, detecting whether there is an encrypted field in the data queried by the data query service through an encrypted field detector; if there is an encrypted field in the queried data, detecting the algorithm identifier of the encryption algorithm bound to the encrypted field through the data decryption converter; decrypting the encrypted field based on the key indicated by the algorithm identifier of the encryption algorithm bound to the encrypted field to obtain the plaintext field corresponding to the encrypted field; replacing the encrypted field in the queried data with the corresponding plaintext field, and using the replaced data as the return result of the data query service.
[0012] According to another aspect of this application, a data processing apparatus for switching quantum-resistant encryption algorithms is also provided, comprising: a rule acquisition unit for acquiring gray-scale switching rules of a database, wherein the gray-scale switching rules include gray-scale switching initiation rules and gray-scale switching control rules, wherein the gray-scale switching initiation rules include at least a switching execution time range, a business busyness threshold, and a processor utilization threshold, and the gray-scale switching control rules include at least a single batch data conversion percentage threshold and a data encryption priority; a first conversion unit for converting source encrypted data in the database into target encrypted data in batches based on the gray-scale switching control rules by a data converter when the system configuration data of the database meets the gray-scale switching initiation rules, wherein the source encrypted data adopts a preset encryption algorithm, and the target encrypted data adopts a quantum-resistant encryption algorithm; and a second conversion unit for converting data involved in the system services of the database by a data encryption converter / data decryption converter during the batch conversion of the source encrypted data, wherein the system services are one of the following: data addition service, data modification service, and data query service.
[0013] According to another aspect of this application, a computer program product is also provided, which stores a computer program, wherein a data processing method is provided to control the computer program product to perform any of the above-mentioned quantum-resistant encryption algorithm switching processes during the execution of the computer program.
[0014] According to another aspect of this application, an electronic device is also provided, wherein the electronic device includes one or more processors and a memory for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors implement the data processing method during the quantum-resistant encryption algorithm switching process described above.
[0015] In this application, the gray-scale switching rules of the database are first obtained. These rules include gray-scale switching initiation rules and gray-scale switching control rules. The gray-scale switching initiation rules include at least the switching execution time range, business busyness threshold, and processor utilization threshold. The gray-scale switching control rules include at least the single-batch data conversion percentage threshold and data encryption priority. Then, if the database system configuration data meets the gray-scale switching initiation rules, the source encrypted data in the database is converted into target encrypted data in batches using a data converter based on the gray-scale switching control rules. The source encrypted data uses a preset encryption algorithm, and the target encrypted data uses a quantum-resistant encryption algorithm. During the batch conversion of the source encrypted data, the data involved in the database system services is converted using a data encryption converter / data decryption converter. The system services are one of the following: data addition service, data modification service, and data query service.
[0016] As described above, this application employs a canary switching approach. By configuring canary switching startup rules that include the switching execution time range, business busyness threshold, and processor utilization threshold, combined with canary switching control rules that include a single batch data conversion percentage threshold and data encryption priority, the data converter performs the conversion of source encrypted data to target encrypted data in batches. During the conversion process, the data encryption converter / data decryption converter processes the data involved in database data addition, modification, and query services in real time. This achieves the goal of ensuring that the database can continuously provide system services during the encryption algorithm switch, thus realizing the technical effect of smooth switching of database encryption algorithms in scenarios without downtime or business disruption. This solves the technical problem of database system service downtime and unavailability during the switch from national cryptographic algorithms to quantum-resistant encryption algorithms. Attached Figure Description
[0017] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings:
[0018] Figure 1 This is a flowchart of an optional data processing method during the switching process of a quantum-resistant encryption algorithm according to an embodiment of this application;
[0019] Figure 2 This is a flowchart of an optional grayscale switching rule configuration method according to an embodiment of this application;
[0020] Figure 3 This is a flowchart of an optional grayscale switching method according to an embodiment of this application;
[0021] Figure 4 This is a flowchart of an optional data conversion processing method according to an embodiment of this application;
[0022] Figure 5 This is a flowchart of an optional data addition service processing method according to an embodiment of this application;
[0023] Figure 6 This is a flowchart of an optional data modification service processing method according to an embodiment of this application;
[0024] Figure 7 This is a flowchart of an optional data query service processing method according to an embodiment of this application;
[0025] Figure 8 This is a schematic diagram of a data processing device during an optional quantum-resistant encryption algorithm switching process according to an embodiment of this application;
[0026] Figure 9 This is a structural block diagram of an electronic device according to an embodiment of this application. Detailed Implementation
[0027] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort should fall within the scope of protection of the present application.
[0028] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0029] It should also be noted that all information and data (including but not limited to information used for display and analysis) involved in this application are authorized by the user or fully authorized by all parties. For example, if there is an interface between this system and the relevant user or organization, before obtaining the relevant information, it is necessary to send a request to the aforementioned user or organization through the interface, and obtain the relevant information only after receiving consent from the aforementioned user or organization.
[0030] Furthermore, the collection, storage, use, processing, transmission, provision, disclosure, and application of relevant information and data involved in this application all comply with the relevant laws, regulations, and standards of the relevant regions, and necessary security measures have been taken. They do not violate public order and good morals. In addition, this application provides corresponding operation entry points for users to choose to agree to authorization or refuse authorization. If the user chooses to refuse authorization, the corresponding expert decision-making process will be initiated.
[0031] The present invention will now be described in detail with reference to various embodiments.
[0032] Example 1
[0033] According to an embodiment of this application, an embodiment of a data processing method during a quantum encryption algorithm switching process is provided. It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions. Furthermore, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be executed in a different order than that shown here.
[0034] This application provides a data processing system (hereinafter referred to as the data processing system) for executing the data processing method for switching quantum-resistant encryption algorithms as described in this application. Figure 1 This is a flowchart of an optional data processing method during the switching process of a quantum-resistant encryption algorithm according to an embodiment of this application, such as... Figure 1 As shown, the method includes the following steps:
[0035] Step S101: Obtain the gray-scale switching rules of the database. The gray-scale switching rules include gray-scale switching start rules and gray-scale switching control rules. The gray-scale switching start rules include at least the switching execution time range, business busyness threshold, and processor utilization threshold. The gray-scale switching control rules include at least the single batch data conversion percentage threshold and data encryption priority.
[0036] Optionally, after logging into the data processing system, the user selects the algorithm identifier of the encryption algorithm (e.g., quantum-resistant encryption algorithm) to which the database system should switch. Then, based on the algorithm identifier selected by the user, the data processing system returns a preset switching rule corresponding to the quantum-resistant encryption algorithm. The preset switching rule includes default configuration parameters for execution time range, business busyness threshold, processor utilization threshold, single batch data conversion percentage threshold, and data encryption priority. The user can use the preset switching rule as the gray-scale switching rule, or can modify the default configuration parameters of execution time range, business busyness threshold, processor utilization threshold, single batch data conversion percentage threshold, and data encryption priority according to user needs. The data processing system determines the gray-scale switching rule based on the new configuration parameters modified by the user.
[0037] Optionally, the default configuration parameters for the execution time range are 20:00-05:00; the default configuration parameters for the business busyness threshold are 60%; the default configuration parameters for the processor utilization threshold are 60%; the default configuration parameters for the single batch data conversion percentage threshold are 5%; and the default configuration parameter for the data encryption priority is that all data have the same default priority.
[0038] Optionally, the steps for detecting business activity include: obtaining the maximum configurable number of service threads in the database system, and dividing the current number of service threads provided by the database system by the maximum number of service threads to obtain the current business activity of the database system.
[0039] Optionally, by setting the execution time range for switching, the data processing system can avoid conflicts between nighttime database maintenance and daytime business operations; by setting business busyness thresholds and processor utilization thresholds, it can ensure that the database starts during relatively idle periods, preventing a large number of database system services from experiencing response delays or timeouts due to encryption algorithm switching; by setting a single batch data conversion percentage threshold, it can limit the processing volume of each round of data conversion operations, ensuring a more even distribution of database resource consumption and reducing the operational risks of database table locking and connection pool exhaustion; by setting data encryption priorities, it can ensure that high-priority data in the database is switched to encryption algorithms first, thereby improving the security of critical business data (i.e., high-priority data) in the database, and thus improving the evolution efficiency of the overall data security level in the database.
[0040] Step S102: If the system configuration data of the database meets the gray-scale switching start rules, the source encrypted data in the database is converted into target encrypted data in batches by the data converter based on the gray-scale switching control rules. The source encrypted data adopts a preset encryption algorithm, and the target encrypted data adopts a quantum-resistant encryption algorithm.
[0041] Optionally, when the listener detects that the current database's system time, business activity, and processor utilization all meet the gray-scale switching start rules, it starts the data converter and sequentially retrieves unconverted source encrypted data from the data queue processor according to the data encryption priority in the gray-scale switching control rules for batch processing. The amount of data processed in each batch does not exceed the single batch data conversion percentage threshold.
[0042] Optionally, the data processing system can detect the switching process of encryption algorithms by setting gray-scale switching start rules and gray-scale switching control rules. This can ensure the stability of the conversion process, reduce the amount of data processed in a single batch of data conversion, thereby reducing transaction conflicts, lock contention and database operation pressure, avoiding performance impact on database system services, and thus supporting the data encryption algorithm switching needs of databases with massive amounts of data. In other words, the data conversion process can be executed over multiple days and cycles.
[0043] Step S103: During the batch conversion of the source encrypted data, the data involved in the system services of the database is converted by the data encryption converter / data decryption converter. The system services are one of the following: data addition service, data modification service, and data query service.
[0044] Optionally, during the batch conversion of the source encrypted data by the data converter, the database system can process business requests normally. That is, for the fields to be encrypted in the data involved in the data addition / modification service, the data processing system uses the data encryption converter to encrypt the fields based on the key corresponding to the encryption algorithm currently used by the database, and obtains the encrypted fields. Then, the fields to be encrypted in the data to be added / modified are replaced with the corresponding encrypted fields, and the replaced data is stored in the database. For the encrypted fields in the data involved in the data query service, the data processing system uses the data decryption converter to decrypt the encrypted fields based on the key corresponding to the encryption algorithm currently used by the database, and obtains the plaintext fields. Then, the encrypted fields in the data to be queried are replaced with the corresponding plaintext fields, and the replaced data is returned to the caller of the query service.
[0045] Optionally, by using a data encryption converter / data decryption converter to transform the data involved in the database system services, the following technical effects can be achieved:
[0046] (1) Achieve seamless service compatibility during the switchover: While existing data is being converted gradually, the data encryption converter encrypts new and modified data using a quantum-resistant encryption algorithm before storing them in the database. The data decryption converter can automatically identify and decrypt the ciphertext obtained by the national cryptographic algorithm / quantum-resistant encryption algorithm in the query data, thereby returning the correct query results.
[0047] (2) Avoid inconsistent database encryption methods caused by mixing old and new algorithms: New data written to the database always uses the currently effective database encryption algorithm (i.e., quantum-resistant encryption algorithm) to prevent data management chaos.
[0048] (3) Supports smooth transition: Even if some data in the database has not been converted, the database system can still respond normally to all system services, and there is no situation of "some database data is unavailable" or "some system services are unavailable".
[0049] As described above, this application employs a canary switching approach. By configuring canary switching startup rules that include the switching execution time range, business busyness threshold, and processor utilization threshold, combined with canary switching control rules that include a single batch data conversion percentage threshold and data encryption priority, the data converter performs the conversion of source encrypted data to target encrypted data in batches. During the conversion process, the data encryption converter / data decryption converter processes the data involved in database data addition, modification, and query services in real time. This achieves the goal of ensuring that the database can continuously provide system services during the encryption algorithm switch, thus realizing the technical effect of smooth switching of database encryption algorithms in scenarios without downtime or business disruption. This solves the technical problem of database system service downtime and unavailability during the switch from national cryptographic algorithms to quantum-resistant encryption algorithms.
[0050] In one optional embodiment, after receiving a user's request to switch the database algorithm, the data processing system first parses the request to obtain the algorithm identifier of the quantum-resistant encryption algorithm to which the database needs to switch. Based on the algorithm identifier, the system queries and obtains the preset switching rules for the quantum-resistant encryption algorithm, and then returns the preset switching rules to the user's visual terminal for display. If the user adopts the preset switching rules, the preset switching rules are used as the gray-scale switching rules for the database. If the user does not adopt the preset switching rules, the system redirects to the preset rule configuration page corresponding to the quantum-resistant encryption algorithm, and the data processing system generates the gray-scale switching rules for the database based on the user configuration data received from the preset rule configuration page.
[0051] Optionally, Figure 2 This is a flowchart of an optional grayscale switching rule configuration method according to an embodiment of this application, such as... Figure 2 As shown, the method includes the following steps:
[0052] (1) Users go to the data processing system to perform algorithm switching operations and select the data encryption algorithm to be switched, such as ML-KEM.
[0053] (2) The data processing system will automatically generate default grayscale switching rules. Users can choose whether to use them or not. If they do, the configuration will end.
[0054] (3) If you choose not to use it, you will be redirected to the grayscale rule configuration page of the corresponding data encryption algorithm. On this page, you can configure the rule parameters. After saving the parameters, you will complete the configuration of the grayscale switching rule.
[0055] Optionally, the data processing system parses the algorithm switching request to obtain the algorithm identifier of the quantum-resistant encryption algorithm to which the database should switch, avoiding misselection of encryption algorithms. Then, based on the algorithm identifier, it automatically queries and loads the preset switching rules corresponding to the quantum-resistant algorithm. When the user confirms the use of the preset switching rules, the system directly uses them as the gray-scale switching rules for the database, without requiring the user to manually input rule configuration parameters, thus reducing the complexity of rule configuration. When the user does not use the preset rules, the data processing system jumps to the preset rule configuration page dedicated to the quantum-resistant algorithm, allowing the user to modify various thresholds within a limited parameter range. This method supports customized adaptation for high-security, high-load scenarios, such as reducing the single-batch switching ratio to reduce the impact on core business, or adjusting the execution window to match the internal operation and maintenance cycle, thereby improving the scenario adaptability of the gray-scale switching rules.
[0056] In one optional embodiment, the system configuration data of the database includes at least system time, business activity level, and processor utilization. After obtaining the gray-scale switching rules of the database, the data processing system uses a listener to detect whether the system time has reached the switching execution time range in the gray-scale switching start rule.
[0057] Subsequently, when the system time reaches the switchover execution time range, the data processing system, through the switchover detector, performs the following detection operations at preset time intervals based on the grayscale switchover start rules:
[0058] The first detection operation is used to check whether the system time is within the switching execution time range;
[0059] The second detection operation is used to detect whether the business busyness level is greater than the business busyness threshold.
[0060] The third detection operation is used to detect whether the processor utilization rate is greater than the processor utilization rate threshold.
[0061] Optionally, if the system time is within the switching execution time range, the business busyness is less than or equal to the business busyness threshold, and the processor utilization is less than or equal to the processor utilization threshold, the system configuration data of the database is determined to meet the gray-scale switching startup rules.
[0062] Optionally, the data processing system uses a listener to detect whether the system time has reached the switching execution time range in the gray-scale switching start rule, ensuring that the data conversion operation is only activated within the preset time window, avoiding switching during peak business periods and reducing interference with online services. After the system time enters the switching execution time range, the switching switch judge periodically performs three detection operations at preset time intervals. By continuously detecting whether the real-time system time is within the switching execution time range, it prevents the rule from becoming invalid due to system clock drift or crossing days. By judging whether the current business busyness does not exceed the set threshold, it avoids starting data conversion when the request load is too high, which would affect user response. By judging whether the current processor utilization does not exceed the set threshold, it avoids the switching task competing for resources with business requests due to CPU resource shortage, which could lead to performance degradation or service timeouts.
[0063] Optionally, the data processing system determines that the database system configuration data meets the gray-scale switching start rules only when all three detection results are met simultaneously. This mechanism ensures that data conversion operations are only started in safe and low-risk periods and environments through triple constraints of time window, business load, and system resources, avoiding false triggering of switching due to a single condition. This control method isolates the resource competition between backend data migration and frontend business services, ensuring the continuous advancement of encryption algorithm upgrades while maintaining the stability and response performance of database services, and providing a reliable trigger control basis for achieving uninterrupted, seamless, and low-impact algorithm switching.
[0064] In one optional embodiment, if the system configuration data of the database meets the gray-scale switching start rules, the data converter is first started, and the source encrypted data in the data queue processor is sent to the data converter in sequence according to the data encryption priority in the gray-scale switching control rules. Then, the data converter converts the sequentially received source encrypted data, and the data conversion percentage of the data converter is detected in real time by the data processing degree calculator. The data conversion percentage is the ratio of the amount of data between the source encrypted data received by the data converter in sequence and all source encrypted data in the database. When the data conversion percentage reaches the single batch data conversion percentage threshold in the gray-scale switching control rules, the data queue processor is notified to stop sending data. After the data converter completes the conversion of the sequentially received source encrypted data, the switch judge is notified that the conversion of this batch of data is complete.
[0065] Optionally, after the system configuration data meets the gray-scale switching start rules, the data processing system starts the data converter and, according to the data encryption priority in the gray-scale switching control rules, sequentially retrieves source encrypted data from the data queue processor. This operation ensures that the encrypted data corresponding to high-priority fields (such as transaction accounts and identity information) is converted first, so that limited conversion resources can prioritize the security upgrade of core business data. The data converter performs decryption (national cryptography) and re-encryption (quantum-resistant) operations on the sequentially received source encrypted data one by one. During the processing, the data processing degree calculator calculates in real time the proportion of the currently processed data to the total amount of all source encrypted data in the database, i.e., the data conversion percentage. The detection of this indicator can ensure that the conversion scale of a single batch of encrypted data is controllable. When the data conversion percentage reaches the single batch data conversion percentage threshold set in the gray-scale switching control rules, the data queue processor is immediately notified to stop sending new data. This mechanism strictly limits the data conversion processing scale of each batch, prevents a single conversion task from occupying too much database connection, memory or other database resources, and ensures that the database system can still stably respond to business requests during data conversion.
[0066] In one optional embodiment, the step of converting sequentially received source encrypted data using a data converter includes: first, parsing the source encrypted data using the data converter to obtain a first key corresponding to a preset encryption algorithm; then, decrypting the source encrypted data based on the first key to obtain plaintext data; then, encrypting the plaintext data based on a second key corresponding to a quantum-resistant encryption algorithm to obtain initial encrypted data; subsequently, decrypting the initial encrypted data based on the second key to obtain data to be detected; and if the data to be detected is consistent with the plaintext data, using the initial encrypted data as the target encrypted data obtained by converting the source encrypted data.
[0067] Optionally, by converting the source encrypted data through the steps in the above embodiments, the following technical effects can be achieved:
[0068] (1) The source encrypted data is parsed by the data converter to obtain the first key corresponding to the preset encryption algorithm. This operation ensures that the system can correctly identify the national cryptographic algorithm (such as SM4) used in the source data and decrypt it using the matching key, thus avoiding decryption failure or data corruption due to key mismatch.
[0069] (2) Use the first key to decrypt the source encrypted data and restore the original plaintext data to ensure that subsequent encryption operations are based on the correct and complete original data, and to prevent information loss due to ciphertext damage or key error.
[0070] (3) The plaintext data is encrypted using the second key corresponding to the quantum-resistant encryption algorithm, thus completing the ciphertext conversion from the national cryptographic algorithm to the quantum-resistant algorithm and outputting ciphertext that conforms to the quantum-resistant encryption algorithm format.
[0071] (4) Decrypt the data to be tested and compare it with the original plaintext data. This comparison mechanism ensures the reliability of the encryption process. If the decryption result after encryption is inconsistent with the original plaintext, it indicates that the encryption process is abnormal (such as key error, algorithm implementation defect, data corruption). At this time, the data is not written back to the database to avoid introducing erroneous ciphertext.
[0072] In summary, the steps in the above embodiments collectively implement a source data security conversion mechanism based on key matching, encryption, and decryption self-verification. This mechanism ensures the correct correspondence between the algorithm and the key through a clear key calling process, verifies data integrity before writing back by immediately decrypting and comparing the encrypted data, and effectively prevents data tampering or loss caused by algorithm implementation errors, key management mistakes, or transmission anomalies.
[0073] In one alternative embodiment, Figure 3 This is a flowchart of an optional grayscale switching method according to an embodiment of this application, such as... Figure 3 As shown, the method includes the following steps:
[0074] (1) Start the listener. When the system time reaches the range of the configured time period (i.e., the switch execution time range), notify the switch start / stop judge to perform the judgment. This listener will only notify once a day.
[0075] (2) Switch start and stop judge to perform detection operation: Every minute, it will cyclically judge whether the system configuration factors of the database meet the configuration requirements of the gray-scale switching rules. The configuration factors to be detected include system time, business busyness and CPU utilization (i.e. processor utilization). If the switch judge detects that the current database system meets the configuration requirements of the gray-scale switching rules, it will notify the data converter to start. If any factor does not meet the requirements, it will notify the data converter to stop. After the data converter receives the stop notification, the data converter will complete the conversion of the remaining data and wait silently for the next start notification.
[0076] (3) When the data converter starts, it notifies the data queue processor to issue data. The data queue processor generates a data processing queue according to the pre-configured data priority and issues the data to be processed to the data converter. The data queue processor will determine whether the data in the data queue processor has been converted according to the ciphertext format of the encrypted data configured in the database system, and only take out the unconverted encrypted data for processing.
[0077] Optionally, the encrypted data uses the ASN.1 ciphertext format, as shown below:
[0078] EncryData::= SEQUENCE{
[0079] KeyOid OBJECT IDENTIFIER, -- Algorithm OID
[0080] Data BITSTRING -- Encrypted data
[0081] }
[0082] For example, the ML-KEM algorithm OID uses id-alg-ml-kem-512 as defined in RFC 9935, while the Chinese national cryptographic algorithm OID uses GMT 0006-2023.
[0083] (4) The data converter performs conversion processing on the data in the received data processing queue.
[0084] (5) The data queue processor notifies the data processing degree calculator of the amount of data that has been issued. The data processing degree calculator calculates the current processing progress (i.e., data conversion percentage). After determining that the configured level (i.e., the single batch data conversion percentage threshold) has been reached, it notifies the data converter to stop.
[0085] (6) After receiving the stop notification from the data queue processor, the data converter will complete the processing of the received data and notify the switch start / stop judge to complete the switch in this stage. The start / stop notification will no longer be executed.
[0086] (7) Once the data converter receives a stop notification, it will notify the data queue processor to stop sending data.
[0087] In one alternative embodiment, Figure 4 This is a flowchart of an optional data conversion processing method according to an embodiment of this application, such as... Figure 4 As shown, the method includes the following steps:
[0088] (1) Upon receiving the data to be converted, extract the original key of the data (e.g., SM4, SM2).
[0089] (2) Decrypt the data using the original key to obtain the plaintext.
[0090] (3) Take out a new key (i.e. a quantum-resistant key, such as ML-KEM), encrypt the plaintext with the new key, and obtain the new ciphertext.
[0091] (4) Perform data verification on the new ciphertext, including: decrypting the new ciphertext using a quantum-resistant key and comparing it with the original plaintext. If they match, the encryption is successful and the data verification is passed.
[0092] (5) After the new ciphertext passes the data verification, the original ciphertext of the data is replaced with the new ciphertext.
[0093] It should be noted that the above Figure 4 If any step in the process fails, the data conversion process will end directly without modifying the original data. At the same time, the initial original data and the reason for failure will be recorded for operation and maintenance personnel to query, analyze and handle.
[0094] In one optional embodiment, the step of converting the data involved in the system service of the database using a data encryption converter includes: when receiving a data addition service from the database, the data processing system detects whether there is a field to be encrypted in the data to be added by the data addition service using an encryption field judge; if there is a field to be encrypted in the data to be added, the data encryption converter encrypts the field to be encrypted based on the key corresponding to the encryption algorithm currently used by the database to obtain an encrypted field; the field to be encrypted in the data to be added is replaced with the corresponding encrypted field, and the replaced data is stored in the database.
[0095] Optionally, this data processing system adopts a field-key binding method, where each field has its own corresponding key. Keys can be manually bound when configuring encryption for a field. If a field is not bound to a key, the system will automatically assign a key for the corresponding algorithm. The workflow of the data encryption converter includes:
[0096] (1) Determine the encryption algorithm currently used by the system.
[0097] (2) Obtain the key of the corresponding algorithm bound to the current field.
[0098] (3) Use this key to encrypt the data, assemble EncryData, put the algorithm OID corresponding to the key on the KeyOid data, and put the encrypted ciphertext on the Data data.
[0099] Optionally, the database system uses column-based encryption, avoiding scenarios involving merging and encrypting multiple columns. During encryption configuration, the corresponding fields are selected to generate ciphertext columns. After configuration, all data is encrypted. Selecting to delete plaintext columns leaves only the ciphertext columns in the database, completing the encryption process. If a table has multiple encrypted fields, each field in the database system has its own ciphertext column. The data processing system identifies these as ciphertext columns and processes the data in that column.
[0100] Optionally, upon receiving a data addition service request from the database, the encryption field checker detects whether the data to be inserted in the request contains fields configured for encryption, ensuring that only the specified fields enter the encryption process and avoiding accidental operations on unencrypted fields. When a field to be encrypted is detected, the database may be in a transitional phase where national cryptographic algorithms and quantum-resistant algorithms coexist. The data processing system automatically selects the applicable algorithm and key (such as SM4 or ML-KEM) based on the current configuration, ensuring that newly written data is always encrypted using the current legitimate algorithm. Afterward, the plaintext content of the original field to be encrypted is replaced with the encrypted ciphertext (i.e., the encrypted field), and the insertion operation is performed with the replaced complete data structure. This replacement process is transparent to the business system, and the application layer still writes data according to the original field names without needing to be aware of the data encryption process.
[0101] In one alternative embodiment, Figure 5 This is a flowchart of an optional data addition service processing method according to an embodiment of this application, such as... Figure 5 As shown, the method includes the following steps:
[0102] (1) New data is detected by the encryption field judge. If there is a field to be encrypted, the data of the field to be encrypted is sent to the data encryption converter.
[0103] (2) Encrypt the data of the field to be encrypted into quantum-resistant ciphertext by using a data encryption converter.
[0104] (3) Place the quantum-resistant ciphertext into the data location of the field to be encrypted, and the data is stored in the database. At this time, the data of the field to be encrypted has been encrypted.
[0105] In an optional embodiment, the step of converting the data involved in the system service of the database using a data encryption converter further includes: upon receiving a data modification service from the database, the data processing system uses an encryption field detector to detect whether there is a field to be encrypted in the modified data; if there is a field to be encrypted in the modified data, the data encryption converter encrypts the field to be encrypted based on the key corresponding to the encryption algorithm currently used by the database to obtain an encrypted field; the field to be encrypted in the modified data is replaced with the corresponding encrypted field, and the replaced data is stored in the database.
[0106] In one alternative embodiment, Figure 6 This is a flowchart of an optional data modification service processing method according to an embodiment of this application, such as... Figure 6 As shown, the method includes the following steps:
[0107] (1) The query data is detected by the encryption field judge. If there is a field to be encrypted, the data of the field to be encrypted is sent to the data encryption converter.
[0108] (2) Encrypt the data of the field to be encrypted into quantum-resistant ciphertext by using a data encryption converter.
[0109] (3) Place the quantum-resistant ciphertext into the data location of the field to be encrypted, and then store the data in the database.
[0110] In one optional embodiment, the step of converting the data involved in the system service of the database using a data decryption converter includes: upon receiving a data query service from the database, the data processing system detects whether there is an encrypted field in the data queried by the data query service using an encrypted field detector; if there is an encrypted field in the queried data, the data decryption converter detects the algorithm identifier of the encryption algorithm bound to the encrypted field; based on the key indicated by the algorithm identifier of the encryption algorithm bound to the encrypted field, the encrypted field is decrypted to obtain the plaintext field corresponding to the encrypted field; the encrypted field in the queried data is replaced with the corresponding plaintext field, and the replaced data is used as the return result of the data query service.
[0111] Alternatively, the workflow of the data decryption converter is as follows:
[0112] (1) After obtaining the encrypted data, first parse the data and obtain the KeyOid field of the data.
[0113] (2) Obtain the algorithm type used based on the value of the KeyOid field.
[0114] (3) Based on the algorithm type, retrieve the key associated with the corresponding field of the algorithm from the system.
[0115] (4) Use the key to decrypt the Data field data and obtain the plaintext field.
[0116] Optionally, after receiving a data query service request from the database, the data processing system uses an encryption field detector to check whether the query results contain encrypted fields, ensuring that decryption is only performed on fields marked as encrypted, thus avoiding misprocessing of plaintext fields. When an encrypted field is detected, the data decryption converter reads the algorithm identifier (KeyOid) stored in the field to determine the type of algorithm used for encryption, providing a basis for selecting the correct key, thereby supporting the coexistence of national cryptographic standards and quantum-resistant ciphertext in the database. Then, based on the algorithm identifier, the corresponding algorithm key is called to decrypt the encrypted field, restoring it to the original plaintext content. The encrypted field in the query result is then replaced with the decrypted plaintext field, and the replaced complete data is returned as the query result. The entire decryption and replacement process is seamless, allowing the application to access it without being aware of it.
[0117] In one alternative embodiment, Figure 7 This is a flowchart of an optional data query service processing method according to an embodiment of this application, such as... Figure 7 As shown, the method includes the following steps:
[0118] (1) After the query data comes out of the database, it is first checked by the encrypted field judge. If there is an encrypted field, the ciphertext of the encrypted field is sent to the data decryption converter.
[0119] (2) Detect the encryption method of the ciphertext by using a data decryption converter, that is, determine whether the ciphertext is a national cryptographic ciphertext or a quantum-resistant ciphertext, and use the corresponding key to decrypt the ciphertext.
[0120] (3) Replace the encrypted fields with the plaintext obtained from decryption, that is, reassemble the plaintext data into the corresponding position of the encrypted field in the query data and return the data.
[0121] In summary, the steps in the above embodiments collectively implement a dynamic decryption mechanism based on field-level algorithm identifiers. This mechanism enables the system to automatically select the correct key for decryption based on the algorithm identifier of each ciphertext during the coexistence of national cryptographic ciphertext and quantum-resistant ciphertext in the database. Furthermore, it ensures that during the gradual switching of encryption algorithms from national cryptographic ciphertext to quantum-resistant ciphertext, all query requests can correctly obtain plaintext data, regardless of whether the data is encrypted using the old or new algorithm, thus achieving continuity, consistency, and seamless compatibility of the query service.
[0122] As described above, this application employs a canary switching approach. By configuring canary switching startup rules that include the switching execution time range, business busyness threshold, and processor utilization threshold, combined with canary switching control rules that include a single batch data conversion percentage threshold and data encryption priority, the data converter performs the conversion of source encrypted data to target encrypted data in batches. During the conversion process, the data encryption converter / data decryption converter processes the data involved in database data addition, modification, and query services in real time. This achieves the goal of ensuring that the database can continuously provide system services during the encryption algorithm switch, thus realizing the technical effect of smooth switching of database encryption algorithms in scenarios without downtime or business disruption. This solves the technical problem of database system service downtime and unavailability during the switch from national cryptographic algorithms to quantum-resistant encryption algorithms.
[0123] Example 2
[0124] This application embodiment also provides a data processing device for the switching process of quantum encryption algorithms. It should be noted that the data processing device for the switching process of quantum encryption algorithms in this application embodiment can be used to execute the data processing method for the switching process of quantum encryption algorithms provided in this application embodiment. The following describes the data processing device for the switching process of quantum encryption algorithms provided in this application embodiment.
[0125] According to embodiments of this application, an apparatus for implementing the data processing method during the switching process of the above-described quantum-resistant encryption algorithm is also provided. Figure 8 This is a schematic diagram of a data processing device during an optional quantum-resistant encryption algorithm switching process according to an embodiment of this application, as shown below. Figure 8 As shown, the device includes: a rule acquisition unit 801, a first conversion unit 802, and a second conversion unit 803.
[0126] Optionally, the rule acquisition unit 801 is used to acquire the gray-scale switching rules of the database, wherein the gray-scale switching rules include gray-scale switching start rules and gray-scale switching control rules. The gray-scale switching start rules include at least the switching execution time range, business busyness threshold, and processor utilization threshold. The gray-scale switching control rules include at least the single batch data conversion percentage threshold and data encryption priority. The first conversion unit 802 is used to convert the source encrypted data in the database into target encrypted data in batches based on the gray-scale switching control rules through a data converter, provided that the system configuration data of the database meets the gray-scale switching start rules. The source encrypted data adopts a preset encryption algorithm, and the target encrypted data adopts a quantum-resistant encryption algorithm. The second conversion unit 803 is used to convert the data involved in the system services of the database through a data encryption converter / data decryption converter during the batch conversion process of the source encrypted data. The system services are one of the following: data addition service, data modification service, and data query service.
[0127] In one optional embodiment, the rule acquisition unit 801 includes: a request parsing subunit, a rule display subunit, a first rule determination subunit, a rule configuration subunit, and a second rule determination subunit.
[0128] Optionally, the request parsing subunit is used to parse the algorithm switching request after receiving the user's request to switch the database algorithm, and obtain the algorithm identifier of the quantum-resistant encryption algorithm that the database needs to switch to; the rule display subunit is used to query the preset switching rules of the quantum-resistant encryption algorithm based on the algorithm identifier of the quantum-resistant encryption algorithm, and then return the preset switching rules to the user's visual terminal for display; the first rule determination subunit is used to use the preset switching rules as the gray-scale switching rules of the database when the user adopts the preset switching rules; the rule configuration subunit is used to jump to the preset rule configuration page corresponding to the quantum-resistant encryption algorithm when the user does not adopt the preset switching rules; and the second rule determination subunit is used to generate the gray-scale switching rules of the database based on the user configuration data received from the preset rule configuration page.
[0129] In one optional embodiment, the system configuration data of the database includes at least system time, business activity level, and processor utilization. The data processing device during the switching process of the quantum-resistant encryption algorithm further includes a detection unit and a switching initiation unit.
[0130] Optionally, the detection unit, after obtaining the gray-scale switching rules of the database, performs the following detection operations at preset time intervals based on the gray-scale switching startup rules when the system time reaches the switching execution time range: a first detection operation to detect whether the system time is within the switching execution time range; a second detection operation to detect whether the business busyness is greater than the business busyness threshold; and a third detection operation to detect whether the processor utilization rate is greater than the processor utilization rate threshold. The switching startup unit determines that the system configuration data of the database meets the gray-scale switching startup rules when the system time is within the switching execution time range, the business busyness is less than or equal to the business busyness threshold, and the processor utilization rate is less than or equal to the processor utilization rate threshold.
[0131] In one alternative embodiment, the first conversion unit 802 includes: a converter initiation subunit, a sequential conversion subunit, and a stop transmission subunit.
[0132] Optionally, the converter startup subunit is used to start the data converter when the system configuration data in the database meets the gray-scale switching startup rules, and to send the source encrypted data in the data queue processor to the data converter in sequence according to the data encryption priority in the gray-scale switching control rules; the sequential conversion subunit is used to convert the sequentially received source encrypted data through the data converter, and to detect the data conversion percentage of the data converter in real time through the data processing degree calculator, wherein the data conversion percentage is the ratio of the amount of source encrypted data sequentially received by the data converter to the amount of all source encrypted data in the database; the stop sending subunit is used to notify the data queue processor to stop sending data when the data conversion percentage reaches the single batch data conversion percentage threshold in the gray-scale switching control rules, and to notify the switch judge that the conversion of this batch of data is complete after the data converter has completed the conversion of the sequentially received source encrypted data.
[0133] In one optional embodiment, the sequence conversion subunit includes: a parsing module, a first decryption module, an encryption module, a second decryption module, and a detection module.
[0134] Optionally, the parsing module is used to parse the source encrypted data using a data converter to obtain a first key corresponding to a preset encryption algorithm; the first decryption module is used to decrypt the source encrypted data based on the first key to obtain plaintext data; the encryption module is used to encrypt the plaintext data based on a second key corresponding to a quantum-resistant encryption algorithm to obtain initial encrypted data; the second decryption module is used to decrypt the initial encrypted data based on the second key to obtain data to be detected; and the detection module is used to use the initial encrypted data as the target encrypted data obtained by converting the source encrypted data if the data to be detected is consistent with the plaintext data.
[0135] In one optional embodiment, the second conversion unit 803 includes: a first detection subunit, an encryption subunit, and a first replacement subunit.
[0136] Optionally, the first detection subunit is used to detect, upon receiving a data addition service from the database, whether there is a field to be encrypted in the data to be added by the data addition service; the encryption subunit is used to encrypt the field to be encrypted using a data encryption converter based on the key corresponding to the encryption algorithm currently used by the database, if there is a field to be encrypted in the data to be added, to obtain an encrypted field; the first replacement subunit is used to replace the field to be encrypted in the data to be added with the corresponding encrypted field, and store the replaced data in the database.
[0137] In one optional embodiment, the second conversion unit 803 includes: a second detection subunit, a third detection subunit, a decryption subunit, and a second replacement subunit.
[0138] Optionally, the second detection subunit is used to detect whether there is an encrypted field in the data queried by the data query service when a data query service is received from the database; the third detection subunit is used to detect the algorithm identifier of the encryption algorithm bound to the encrypted field by a data decryption converter when there is an encrypted field in the queried data; the decryption subunit is used to decrypt the encrypted field based on the key indicated by the algorithm identifier of the encryption algorithm bound to the encrypted field to obtain the plaintext field corresponding to the encrypted field; and the second replacement subunit is used to replace the encrypted field in the queried data with the corresponding plaintext field and use the replaced data as the return result of the data query service.
[0139] It should be noted here that the rule acquisition unit 801, the first conversion unit 802 and the second conversion unit 803 mentioned above correspond to steps S101 to S103 in the method embodiment. The instances and application scenarios implemented by the above units and the corresponding steps are the same, but are not limited to the content disclosed in the above embodiment.
[0140] Example 3
[0141] Embodiments of this application can also provide an electronic device. Figure 9 This is a structural block diagram of an electronic device according to an embodiment of this application, such as... Figure 9 As shown, the electronic device includes: one or more ( Figure 9 (Only one is shown) processor 902, memory 904, memory controller, and peripheral interface, wherein the peripheral interface is connected to the radio frequency module, audio module and display.
[0142] The memory can be used to store software programs and modules, such as the program instructions / modules corresponding to the methods and devices in the embodiments of this application. The processor executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, to realize the data processing method in the above-mentioned quantum encryption algorithm switching process.
[0143] The memory may include high-speed random access memory (RAM), and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory may further include memory remotely located relative to the processor, which can be connected to the terminal via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks (LANs), mobile communication networks, and combinations thereof.
[0144] The processor can access information and applications stored in memory via a transmission device to execute the following steps: Obtain the gray-scale switching rules for the database, which include gray-scale switching initiation rules and gray-scale switching control rules. The gray-scale switching initiation rules include at least a switching execution time range, a business busyness threshold, and a processor utilization threshold. The gray-scale switching control rules include at least a single batch data conversion percentage threshold and a data encryption priority. If the database's system configuration data meets the gray-scale switching initiation rules, a data converter is used to convert the source encrypted data in the database into target encrypted data in batches based on the gray-scale switching control rules. The source encrypted data uses a preset encryption algorithm, and the target encrypted data uses a quantum-resistant encryption algorithm. During the batch conversion of the source encrypted data, a data encryption converter / data decryption converter is used to convert the data involved in the database's system services. The system services include one of the following: data addition service, data modification service, and data query service.
[0145] This application provides a data processing solution during the switching of quantum-resistant encryption algorithms. It employs a gray-scale switching approach, configuring gray-scale switching startup rules that include a switching execution time range, business busyness threshold, and processor utilization threshold. Combined with gray-scale switching control rules that include a single batch data conversion percentage threshold and data encryption priority, the data converter performs the conversion of source encrypted data to target encrypted data in batches. During the conversion process, the data encryption converter / decryption converter processes the data involved in database data addition, modification, and query services in real time. This achieves the goal of ensuring the database can continuously provide system services during encryption algorithm switching, thus realizing the technical effect of smooth switching of database encryption algorithms in scenarios without downtime or business disruption. Furthermore, it solves the technical problem of database system service downtime and unavailability during the switching from national cryptographic algorithms to quantum-resistant encryption algorithms.
[0146] Those skilled in the art will understand that Figure 9 The structure shown is for illustrative purposes only. Electronic devices can also be smartphones, tablets, PDAs, mobile internet devices, PADs, and other terminal devices. Figure 9 This does not limit the structure of the aforementioned electronic device. For example, electronic devices may also include components that are more... Figure 9 The more or fewer components shown (such as network interfaces, display devices, etc.), or having the same Figure 9 The different configurations shown.
[0147] Those skilled in the art will understand that all or part of the steps in the various methods of the above embodiments can be implemented by a program instructing the hardware related to the terminal device. The program can be stored in a computer-readable storage medium, which may include: flash drive, read-only memory (ROM), random access memory (RAM), disk or optical disk, etc.
[0148] Example 4
[0149] Embodiments of this application may also provide a storage medium.
[0150] Optionally, in this embodiment of the application, the storage medium can be used to store the program code executed by the data processing method during the switching process of the quantum-resistant encryption algorithm provided in the above method embodiment.
[0151] Optionally, in this embodiment, the storage medium may be located in any computer terminal in a group of computer terminals in a computer network, or in any mobile terminal in a group of mobile terminals.
[0152] This application also provides a computer program product that, when executed on a data processing device, is adapted to perform data processing method steps during a quantum-resistant encryption algorithm switching process.
[0153] The sequence numbers of the embodiments in this application are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.
[0154] In the above embodiments of this application, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.
[0155] In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the displayed or discussed mutual coupling, direct coupling, or communication connection may be through some interfaces; the indirect coupling or communication connection between units or modules may be electrical or other forms.
[0156] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0157] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0158] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard drive, magnetic disk, or optical disk.
[0159] The above description is only a preferred embodiment of this application. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of this application, and these improvements and modifications should also be considered within the scope of protection of this application.
Claims
1. A data processing method during the switching process of a quantum-resistant encryption algorithm, characterized in that, include: Obtain the gray-scale switching rules of the database, wherein the gray-scale switching rules include gray-scale switching start rules and gray-scale switching control rules. The gray-scale switching start rules include at least the switching execution time range, business busyness threshold, and processor utilization threshold. The gray-scale switching control rules include at least the single batch data conversion percentage threshold and data encryption priority. When the system configuration data in the database meets the gray-scale switching start rule, the source encrypted data in the database is converted into target encrypted data in batches by a data converter based on the gray-scale switching control rule. The source encrypted data adopts a preset encryption algorithm, and the target encrypted data adopts a quantum-resistant encryption algorithm. During the batch conversion process of the source encrypted data, the data involved in the system services of the database are converted by the data encryption converter / data decryption converter, wherein the system services are one of the following: data addition service, data modification service, and data query service.
2. The data processing method during the switching process of the quantum-resistant encryption algorithm according to claim 1, characterized in that, Retrieve the gray-scale switching rules from the database, including: After receiving a user's request to switch the algorithm of the database, the request is parsed to obtain the algorithm identifier of the quantum-resistant encryption algorithm that the database needs to switch to. After querying the preset switching rules of the quantum-resistant encryption algorithm based on the algorithm identifier of the quantum-resistant encryption algorithm, the preset switching rules are returned to the user's visual terminal for display. When the user adopts the preset switching rule, the preset switching rule is used as the gray-scale switching rule for the database; If the user does not use the preset switching rule, the user will be redirected to the preset rule configuration page corresponding to the quantum-resistant encryption algorithm. The grayscale switching rules for the database are generated based on the user configuration data received by the preset rule configuration page.
3. The data processing method during the switching process of the quantum-resistant encryption algorithm according to claim 1, characterized in that, The system configuration data of the database includes at least system time, business activity level, and processor utilization. After obtaining the gray-scale switching rules of the database, the data processing method during the switching process of the quantum-resistant encryption algorithm further includes: The system time is detected by a listener to see if it has reached the switching execution time range in the gray-scale switching startup rule; When the system time reaches the switching execution time range, the switching indicator performs the following detection operation at preset time intervals based on the grayscale switching start rule: The first detection operation is used to detect whether the system time is within the switching execution time range; The second detection operation is used to detect whether the business busyness is greater than the business busyness threshold. The third detection operation is used to detect whether the processor utilization rate is greater than the processor utilization rate threshold. If the system time is within the switching execution time range, the business busyness is less than or equal to the business busyness threshold, and the processor utilization is less than or equal to the processor utilization threshold, then the system configuration data of the database is determined to meet the gray-scale switching startup rules.
4. The data processing method during the switching process of the quantum-resistant encryption algorithm according to claim 1, characterized in that, When the system configuration data in the database meets the gray-scale switching start rules, the source encrypted data in the database is converted into target encrypted data in batches by a data converter based on the gray-scale switching control rules, including: If the system configuration data of the database meets the gray-scale switching start rule, the data converter is started, and the source encrypted data in the data queue processor is sent to the data converter in sequence according to the data encryption priority in the gray-scale switching control rule; The data converter transforms the sequentially received source encrypted data, and the data conversion percentage of the data converter is detected in real time by the data processing degree calculator. The data conversion percentage is the ratio of the amount of data between the sequentially received source encrypted data and all source encrypted data in the database. When the data conversion percentage reaches the single-batch data conversion percentage threshold in the grayscale switching control rule, the data queue processor is notified to stop data transmission, and after the data converter completes the conversion of the sequentially received source encrypted data, the switching switch judge is notified that the conversion of this batch of data is complete.
5. The data processing method during the switching process of the quantum-resistant encryption algorithm according to claim 4, characterized in that, The data converter transforms the sequentially received source encrypted data, including: The source encrypted data is parsed by the data converter to obtain the first key corresponding to the preset encryption algorithm; The source encrypted data is decrypted based on the first key to obtain plaintext data; The plaintext data is encrypted using the second key corresponding to the quantum-resistant encryption algorithm to obtain the initial encrypted data. The initial encrypted data is decrypted based on the second key to obtain the data to be detected; If the data to be detected is consistent with the plaintext data, the initial encrypted data is used as the target encrypted data obtained by converting the source encrypted data.
6. The data processing method during the switching process of the quantum-resistant encryption algorithm according to claim 1, characterized in that, The data involved in the system services of the database is converted using a data encryption converter, including: Upon receiving a data addition service from the database, the encrypted field detector checks whether there is a field to be encrypted in the data to be added by the data addition service. If the field to be encrypted exists in the data that needs to be added, the data encryption converter encrypts the field to be encrypted based on the key corresponding to the encryption algorithm currently used by the database to obtain the encrypted field; Replace the fields to be encrypted in the data that need to be added with the corresponding encrypted fields, and store the replaced data in the database.
7. The data processing method during the switching process of the quantum-resistant encryption algorithm according to claim 1, characterized in that, The data involved in the system services of the database is converted using a data decryption converter, including: Upon receiving a data query service from the database, an encrypted field detector is used to check whether there are encrypted fields in the data retrieved by the data query service. If the encrypted field exists in the queried data, the algorithm identifier of the encryption algorithm bound to the encrypted field is detected by the data decryption converter; Based on the key indicated by the algorithm identifier of the encryption algorithm bound to the encrypted field, the encrypted field is decrypted to obtain the plaintext field corresponding to the encrypted field; The encrypted fields in the queried data are replaced with the corresponding plaintext fields, and the replaced data is used as the return result of the data query service.
8. A data processing device for switching quantum encryption algorithms, characterized in that, include: The rule acquisition unit is used to acquire the gray-scale switching rules of the database. The gray-scale switching rules include gray-scale switching start rules and gray-scale switching control rules. The gray-scale switching start rules include at least the switching execution time range, business busyness threshold, and processor utilization threshold. The gray-scale switching control rules include at least the single batch data conversion percentage threshold and data encryption priority. The first conversion unit is used to convert source encrypted data in the database into target encrypted data in batches based on the gray-scale switching control rules when the system configuration data in the database meets the gray-scale switching start rules. The source encrypted data adopts a preset encryption algorithm, and the target encrypted data adopts a quantum-resistant encryption algorithm. The second conversion unit is used to convert the data involved in the system services of the database through a data encryption converter / data decryption converter during the batch conversion process of the source encrypted data, wherein the system services are one of the following: data addition service, data modification service, and data query service.
9. A computer program product, characterized in that, The computer program product includes a computer program, wherein, when the computer program is running, it controls the computer program product to execute the data processing method during the switching process of the quantum-resistant encryption algorithm as described in any one of claims 1 to 7.
10. An electronic device, characterized in that, It includes one or more processors and a memory, the memory being used to store one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors cause the one or more processors to implement the data processing method during the switching process of the quantum-resistant encryption algorithm as described in any one of claims 1 to 7.