CN110138749A - Data security protection method and related equipment - Google Patents
- Publication number: CN110138749A (also listed as CN201910329967.7A)
- Authority: CN (China)
- Prior art keywords: terminal, password, data, server, key server
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Description
Technical Field
The invention relates to data transmission technology in the communications field, and in particular to a data security protection method and related equipment.
Background
Cloud backup means backing up a user's personal data, such as contacts, text messages, pictures and videos, to the network through cloud storage. As cloud backup technology matures, more and more users like to back up the personal data on their mobile phones to the cloud. In this way, users not only free up a large amount of phone storage space, but can also download the data from the cloud anytime and anywhere when they need it.
Since most of the personal data on a user's mobile phone involves personal privacy, stronger protection is required for it, so that theft of the data does not harm the user's interests. In the prior art, however, there is a risk of leakage both while the user transmits personal data to the cloud through the terminal and while the personal data is stored on the cloud server. How to ensure the security of users' personal data while enjoying the convenience of cloud backup is a problem that urgently needs to be solved.
Summary of the Invention
Embodiments of the present invention provide a data security protection method and related equipment, so as to improve the security of users' personal data during cloud backup, avoid the risk of data leakage, and protect users' personal data better and more securely.
In a first aspect, an embodiment of the present invention provides a data security protection method. The method includes: a first terminal sends first ciphertext information to a key server, where the first ciphertext information is obtained by the first terminal encrypting a first password with a public key from the key server; the first terminal receives second ciphertext information sent by the key server, where the second ciphertext information is obtained by the key server decrypting the first ciphertext information with the private key corresponding to the public key to obtain the first password, and then encrypting a second password of the key server with the first password; the first terminal decrypts the second ciphertext information with the first password to obtain the second password; and the first terminal sends data encrypted with the second password to a storage server.
As can be seen, the first terminal encrypts the first password with the key server's public key to obtain the first ciphertext information. The first ciphertext information can be decrypted to obtain the first password only with the private key corresponding to the key server's public key; only the key server has the right to use that private key, so only the key server can recover the first password. After decrypting and obtaining the first password, the key server encrypts its second password with the first password to obtain the second ciphertext information, and sends the second ciphertext information to the first terminal. Because the first terminal already stores the first password, it can directly decrypt the second ciphertext information with the first password to obtain the second password. From then on, all data that the first terminal sends to the storage server is encrypted with the second password. It follows from this process that the second password, which the first terminal and the key server negotiate for data encryption, is protected by layered encryption while in transit over the network: the key server delivers the second password to the first terminal encrypted with the first password, and the first password is transmitted from the first terminal to the key server under asymmetric encryption (public key and private key encryption). At any of these steps, even if the information is intercepted by a hacker in transit between the terminal and the key server, its content cannot be obtained, because the information is encrypted and the hacker cannot obtain the corresponding decryption password. By implementing the above embodiment, the security of users' personal data during cloud backup can be improved, the risk of data leakage avoided, and users' personal data protected better and more securely.
In some implementations, the data is video data, and the video data encrypted with the second password is delivered through the storage server to a second terminal for decryption and playback.
In some implementations, before the first terminal sends the video data encrypted with the second password to the storage server, the method further includes: the first terminal obtains a plurality of video chunks from the original video data. Correspondingly, the first terminal sending the video data encrypted with the second password to the storage server specifically includes: the first terminal sends to the storage server the video chunks, each separately encrypted with the second password.
It should be noted that if video data is transmitted over the network in plaintext, the video can be played online using ordinary streaming media technology, that is, the already downloaded video content is played while the download continues. The video data addressed by the present invention is encrypted, that is, it is transmitted over the network as ciphertext, and conventional schemes cannot play encrypted video data online: they must download the encrypted video data completely and decrypt it before the decrypted video can be played. With the solution proposed by the present invention, the code of the operating system's underlying streaming media implementation does not need to be modified. The original video data is split into chunks, each chunk is encrypted separately, and the encrypted video chunks are sent to the storage server, so that the second terminal can download the encrypted video chunks from the storage server and play each chunk as soon as it has been decrypted. This achieves both secure transmission of the encrypted video data and online playback of that video data; it is efficient and fast to implement and saves a large amount of development cost.
In some implementations, the video data encrypted with the second password is at least one video chunk of the original video data.
It should be noted that the at least one video chunk is determined from the plurality of video chunks based on the user's input instruction. By implementing the above embodiment, only part of the original video data is backed up according to the user's needs, which not only improves the user experience but also saves storage space on the storage server.
In some implementations, the first terminal obtaining a plurality of video chunks from the original video data includes: the first terminal splits the original video data according to chunking rule information from the storage server to obtain the plurality of video chunks, where the chunking rule information is determined according to the network bandwidth between the first terminal and the storage server.
In the above embodiment, the original video data is split according to a chunking rule determined by the network bandwidth, and the resulting video chunks are sent to the storage server. This avoids network congestion caused by oversized video chunks and thereby increases the speed at which the video chunks are transmitted from the first terminal to the storage server.
In some implementations, before the first terminal sends the first ciphertext information to the key server, the method further includes: the first terminal receives an access password sent by the authentication server, where the access password is generated by the authentication server according to the login information of the first terminal; the first terminal sends to the key server a request for obtaining the public key, where the request includes the access password; and, if the key server successfully verifies the access password through the authentication server, the first terminal receives the public key sent by the key server.
In some implementations, the first terminal sends the access password to the key server together with the first ciphertext information. Correspondingly, the first terminal receiving the second ciphertext information sent by the key server specifically includes: if the key server successfully verifies the access password through the authentication server, the first terminal receives the second ciphertext information sent by the key server.
In the above embodiments, an authentication server is added in the cloud. Before the key server sends security-relevant data (for example, the public key and the second ciphertext information) to the terminal, the authentication server verifies the legitimacy of the user logged in on the terminal and grants an access password to terminals that pass authentication. Adding this verification of the legitimacy of the user's requests further improves the security of the user's private data (such as video data) in cloud backup.
In some implementations, the login information of the first terminal is the same as the login information of the second terminal. By implementing the above embodiment, different terminals can be associated through the login information (user account), so that download or backup can be performed on different terminals.
In some implementations, the first password is a password generated by the first terminal from a random number. In the above embodiment, because the first password is randomly generated inside the terminal, it is harder for hackers to steal the first password, and security is higher.
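The key negotiation of the first aspect, with the access-password check applied to the exchange step, as an added example that is not code from the patent. RSA-OAEP with SHA-256, AES-256-GCM, the 32-byte passwords, the `verify` callback standing in for the authentication server, and all type and function names are assumptions; the public-key request, which the page also gates on the access password, is reduced to passing the public key in.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// aead builds AES-256-GCM from a 32-byte password (cipher choice is an assumption).
func aead(password []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(password)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// KeyServer holds the RSA private key and the second password.
type KeyServer struct {
	priv           *rsa.PrivateKey
	secondPassword []byte
	verify         func(accessPassword string) bool // stands in for the authentication server (hypothetical)
}

func NewKeyServer(verify func(string) bool) (*KeyServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	second := make([]byte, 32)
	if _, err := rand.Read(second); err != nil {
		return nil, err
	}
	return &KeyServer{priv, second, verify}, nil
}

// Exchange checks the access password, recovers the first password with the
// private key (RSA-OAEP, assumed), and returns the second ciphertext.
func (ks *KeyServer) Exchange(accessPassword string, firstCT []byte) ([]byte, error) {
	if !ks.verify(accessPassword) {
		return nil, errors.New("access password rejected")
	}
	first, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ks.priv, firstCT, nil)
	if err != nil {
		return nil, err
	}
	g, err := aead(first) // also rejects a first password of the wrong length
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, ks.secondPassword, nil), nil
}

// Negotiate is the terminal side: generate a random first password, encrypt it
// to the key server, then decrypt the reply to obtain the second password.
func Negotiate(ks *KeyServer, pub *rsa.PublicKey, accessPassword string) ([]byte, error) {
	first := make([]byte, 32)
	if _, err := rand.Read(first); err != nil {
		return nil, err
	}
	firstCT, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, first, nil)
	if err != nil {
		return nil, err
	}
	secondCT, err := ks.Exchange(accessPassword, firstCT)
	if err != nil {
		return nil, err
	}
	g, err := aead(first)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(secondCT) < n {
		return nil, errors.New("second ciphertext too short")
	}
	return g.Open(nil, secondCT[:n], secondCT[n:], nil)
}

func main() {
	ks, err := NewKeyServer(func(p string) bool { return p == "constructed-access-password" })
	if err != nil {
		panic(err)
	}
	a, errA := Negotiate(ks, &ks.priv.PublicKey, "constructed-access-password") // first terminal
	b, errB := Negotiate(ks, &ks.priv.PublicKey, "constructed-access-password") // second terminal, same login
	_, errC := Negotiate(ks, &ks.priv.PublicKey, "wrong")
	fmt.Println("same second password:", errA == nil && errB == nil && bytes.Equal(a, b), "| unverified rejected:", errC != nil)
}
```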
In a second aspect, an embodiment of the present invention provides a data security protection method. The method includes: a second terminal sends first ciphertext information to a key server, where the first ciphertext information is obtained by the second terminal encrypting a first password with a public key from the key server; the second terminal receives second ciphertext information sent by the key server, where the second ciphertext information is obtained by the key server decrypting the first ciphertext information with the private key corresponding to the public key to obtain the first password, and then encrypting a second password of the key server with the first password; the second terminal decrypts the second ciphertext information with the first password to obtain the second password of the key server; and the second terminal decrypts encrypted data from a storage server with the second password of the key server.
As can be seen, the second terminal encrypts the first password with the key server's public key to obtain the first ciphertext information. The first ciphertext information can be decrypted to obtain the first password only with the private key corresponding to the key server's public key; only the key server has the right to use that private key, so only the key server can recover the first password. After decrypting and obtaining the first password, the key server encrypts its second password with the first password to obtain the second ciphertext information, and sends the second ciphertext information to the second terminal. Because the second terminal already stores the first password, it can directly decrypt the second ciphertext information with the first password to obtain the second password. From then on, all data that the second terminal sends to the storage server is encrypted with the second password. It follows from this process that the second password, which the second terminal and the key server negotiate for data decryption, is protected by layered encryption while in transit over the network: the key server delivers the second password to the second terminal encrypted with the first password, and the first password is transmitted from the first terminal to the key server under asymmetric encryption (public key and private key encryption). At any of these steps, even if the information is intercepted by a hacker in transit between the terminal and the key server, its content cannot be obtained, because the information is encrypted and the hacker cannot obtain the corresponding decryption password. By implementing the above embodiment, the security of users' personal data during cloud backup can be improved, the risk of data leakage avoided, and users' personal data protected better and more securely.
In some implementations, the encrypted data is encrypted by the first terminal with the second password of the key server and sent to the storage server.
In some implementations, the encrypted data is video data encrypted by the first terminal with the second password of the key server; after the second terminal decrypts the encrypted data from the storage server with the second password of the key server, the method further includes: the second terminal plays the decrypted video data.
In some implementations, the encrypted video data is obtained by the first terminal separately encrypting each video chunk of the original video data with the second password.
It should be noted that if video data is transmitted over the network in plaintext, the video can be played online using ordinary streaming media technology, that is, the already downloaded video content is played while the download continues. The video data addressed by the present invention is encrypted, that is, it is transmitted over the network as ciphertext, and conventional schemes cannot play encrypted video data online: they must download the encrypted video data completely and decrypt it before the decrypted video can be played. In this embodiment of the present invention, the video data stored on the storage server has been split into chunks and separately encrypted by the first terminal, so the video data that the second terminal downloads from the storage server is chunked and separately encrypted; each time the second terminal downloads a video chunk from the storage server, it decrypts and plays that chunk. This achieves both secure transmission of the encrypted video data and online playback of that video data; it is efficient and fast to implement and saves a large amount of development cost.
In some implementations, the encrypted video data is obtained by the first terminal encrypting at least one video chunk of the original video data with the second password.
It should be noted that the at least one video chunk is determined from the original video data by the second terminal based on the user's input instruction. By implementing the above embodiment, only part of the original video data is downloaded according to the user's needs, which not only improves the user experience but also saves network bandwidth.
In some implementations, before the second terminal decrypts the encrypted data from the storage server with the second password of the key server, the method further includes: the second terminal sends to the storage server a request for obtaining one encrypted video chunk, where the one encrypted video chunk is one of the encrypted video chunks and is determined by the second terminal based on a user input instruction; and the second terminal receives the one encrypted video chunk from the storage server.
In the above embodiment, the second terminal sends to the storage server a request for obtaining one encrypted video chunk, and that chunk is determined based on a user input instruction, such as fast-forward, rewind, or dragging the playback progress bar to an arbitrary position. By implementing the above embodiment, fast-forward playback, rewind playback, and playback from an arbitrarily dragged progress-bar position are achieved for encrypted video data, which improves the user experience.
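Per-chunk encryption by the first terminal and independent per-chunk decryption by the second terminal, covering both the chunked upload in the first aspect and the seek behaviour described here, as an added example that is not the patent's code. AES-256-GCM, the authenticated chunk position (which goes beyond what the page specifies), the constructed key and sample bytes, and all names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ChunkCipher protects video chunks under the second password (AES-256-GCM assumed).
type ChunkCipher struct{ gcm cipher.AEAD }

func NewChunkCipher(secondPassword []byte) (*ChunkCipher, error) {
	block, err := aes.NewCipher(secondPassword)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ChunkCipher{gcm}, nil
}

// position is authenticated with every chunk (an assumption beyond the page):
// a chunk served in another slot, or from a shortened list, fails to decrypt.
func position(index, total int) []byte {
	aad := make([]byte, 8)
	binary.BigEndian.PutUint32(aad[:4], uint32(index))
	binary.BigEndian.PutUint32(aad[4:], uint32(total))
	return aad
}

// EncryptChunks (first terminal): split by chunkSize, as the chunking rule dictates, and encrypt each chunk.
func (c *ChunkCipher) EncryptChunks(video []byte, chunkSize int) ([][]byte, error) {
	if chunkSize <= 0 {
		return nil, errors.New("chunk size must be positive")
	}
	total := (len(video) + chunkSize - 1) / chunkSize
	stored := make([][]byte, 0, total)
	for i := 0; i < total; i++ {
		end := (i + 1) * chunkSize
		if end > len(video) {
			end = len(video)
		}
		nonce := make([]byte, c.gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		stored = append(stored, c.gcm.Seal(nonce, nonce, video[i*chunkSize:end], position(i, total)))
	}
	return stored, nil
}

// DecryptChunk (second terminal): decrypt one downloaded chunk on its own.
func (c *ChunkCipher) DecryptChunk(blob []byte, index, total int) ([]byte, error) {
	n := c.gcm.NonceSize()
	if len(blob) < n+c.gcm.Overhead() {
		return nil, errors.New("encrypted chunk too short")
	}
	return c.gcm.Open(nil, blob[:n], blob[n:], position(index, total))
}

// PlayFrom simulates playback after a seek: decrypt chunks from index onward.
func (c *ChunkCipher) PlayFrom(stored [][]byte, index int) ([]byte, error) {
	if index < 0 || index > len(stored) {
		return nil, errors.New("seek position out of range")
	}
	var played bytes.Buffer
	for i := index; i < len(stored); i++ {
		plain, err := c.DecryptChunk(stored[i], i, len(stored))
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		played.Write(plain)
	}
	return played.Bytes(), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key standing in for the second password
	c, err := NewChunkCipher(key)
	if err != nil {
		panic(err)
	}
	video := []byte("constructed sample bytes standing in for a video file")
	stored, err := c.EncryptChunks(video, 16)
	if err != nil {
		panic(err)
	}
	tail, err := c.PlayFrom(stored, 2) // user drags the progress bar to chunk 2
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d chunks; playback after seek starts with %q\n", len(stored), tail[:8])
}
```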
In some implementations, before the second terminal sends the first ciphertext information to the key server, the method further includes: the second terminal receives an access password sent by an authentication server, where the access password is generated by the authentication server according to the login information of the second terminal; the second terminal sends to the key server a request for obtaining the public key, where the request includes the access password; and, if the key server successfully verifies the access password through the authentication server, the second terminal receives the public key sent by the key server.
In some implementations, the second terminal sends the access password to the key server together with the first ciphertext information. Correspondingly, the second terminal receiving the second ciphertext information sent by the key server specifically includes: if the key server successfully verifies the access password through the authentication server, the second terminal receives the second ciphertext information sent by the key server.
In the above embodiments, an authentication server is added in the cloud. Before the key server sends security-relevant data (for example, the public key and the second ciphertext information) to the terminal, the authentication server verifies the legitimacy of the user logged in on the terminal and grants an access password to terminals that pass authentication. Adding this verification of the legitimacy of the user's requests further improves the security of the user's private data (such as video data) in cloud backup.
In some implementations, the login information of the second terminal is the same as the login information of the first terminal. By implementing the above embodiment, different terminals can be associated through the login information (user account), so that download or backup can be performed on different terminals.
In a third aspect, an embodiment of the present invention provides a data security protection method. The method includes: a key server receives first ciphertext information sent by a terminal, where the first ciphertext information is obtained by the terminal encrypting a first password of the terminal with a public key from the key server; the key server decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password; and the key server sends second ciphertext information to the terminal, where the second ciphertext information is obtained by encrypting a second password generated by the key server with the first password, and the second password is used to protect the security of the terminal's data.
As can be seen, the terminal encrypts the first password with the key server's public key to obtain the first ciphertext information. The first ciphertext information can be decrypted to obtain the first password only with the private key corresponding to the key server's public key; only the key server has the right to use that private key, so only the key server can recover the first password. After decrypting and obtaining the first password, the key server encrypts its second password with the first password to obtain the second ciphertext information, and sends the second ciphertext information to the first terminal. Because the terminal already stores the first password, it can directly decrypt the second ciphertext information with the first password to obtain the second password. From then on, all data that the terminal sends to the storage server is encrypted with the second password. It follows from this process that the second password, which the terminal and the key server negotiate for data encryption, is protected by layered encryption while in transit over the network: the key server delivers the second password to the terminal encrypted with the first password, and the first password is transmitted from the terminal to the key server under asymmetric encryption (public key and private key encryption). At any of these steps, even if the information is intercepted by a hacker in transit between the terminal and the key server, its content cannot be obtained, because the information is encrypted and the hacker cannot obtain the corresponding decryption password. By implementing the above embodiment, the security of users' personal data during cloud backup can be improved, the risk of data leakage avoided, and users' personal data protected better and more securely.
In some implementations, the data is video data, and the second password is used by the terminal to encrypt the video data and send it to a storage server.
In some implementations, the data is video data, and the second password is used by the terminal to decrypt the encrypted video data from the storage server.
In some implementations, before the key server receives the first ciphertext information sent by the terminal, the method further includes: the key server receives a request sent by the terminal for obtaining the public key, the request including an access password, the access password being generated in advance by an authentication server according to the terminal's login information and sent to the terminal; and, when the key server successfully verifies the access password through the authentication server, the key server sends the public key to the terminal.
In some implementations, the key server receives the access password together with the first ciphertext information sent by the terminal; correspondingly, the key server sending the second ciphertext information to the terminal is specifically: when the key server successfully verifies the access password through the authentication server, the key server sends the second ciphertext information to the terminal.
In the above embodiment, an authentication server is added in the cloud. Before the key server sends the relevant security data (for example, the public key and the second ciphertext information) to the terminal, the authentication server is responsible for verifying the legitimacy of the user logged in on the terminal, and grants an access password to terminals that pass authentication. Adding this verification of the legitimacy of the user's request further improves the security of the user's private data (such as video data) in cloud backup.
In some implementations, the second password is a password generated by the key server according to a random number. In the above embodiment, because the second password is randomly generated inside the key server, it is harder for a hacker to steal the second password, and security is higher.
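The exchange described in the third aspect above, with the access-password check and the randomly generated second password, as an added example that is not code from the patent. The patent names no algorithms, so RSA-OAEP, AES-256-GCM, the 32-byte passwords, the sample account and every class and function name here are assumptions.

```javascript
// Added illustration of the third-aspect exchange; not code from the patent.
// Assumptions: RSA-OAEP (SHA-256) for the public-key step, AES-256-GCM for
// wrapping the second password, 32-byte random passwords, all names below.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Authentication server: issues an access password after a successful login
// and tells the key server which account it belongs to. Credentials are constructed.
class AuthServer {
  constructor() { this.issued = new Map(); }
  login(account, loginSecret) {
    if (account !== 'user-a' || loginSecret !== 'constructed-login-secret') return null;
    const accessPassword = nodeCrypto.randomBytes(16).toString('hex');
    this.issued.set(accessPassword, account);
    return accessPassword;
  }
  verify(accessPassword) {
    return this.issued.get(accessPassword) || null; // account name, or null if unknown
  }
}

// Key server: only holder of the private key; keeps one random second password per account.
class KeyServer {
  constructor(authServer) {
    this.authServer = authServer;
    const pair = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
    this.secondPasswords = new Map();
  }
  accountFor(accessPassword) {
    const account = this.authServer.verify(accessPassword);
    if (!account) throw new Error('access password rejected');
    return account;
  }
  // The public key is released only after the access password verifies.
  getPublicKey(accessPassword) {
    this.accountFor(accessPassword);
    return this.publicKeyPem;
  }
  // Takes the first ciphertext, returns the second ciphertext.
  exchange(accessPassword, firstCiphertext) {
    const account = this.accountFor(accessPassword);
    const firstPassword = nodeCrypto.privateDecrypt({ key: this.privateKey, ...OAEP }, firstCiphertext);
    if (firstPassword.length !== 32) throw new Error('first password must be 32 bytes');
    if (!this.secondPasswords.has(account)) {
      this.secondPasswords.set(account, nodeCrypto.randomBytes(32));
    }
    const iv = nodeCrypto.randomBytes(12);
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', firstPassword, iv);
    const body = Buffer.concat([cipher.update(this.secondPasswords.get(account)), cipher.final()]);
    return { iv, body, tag: cipher.getAuthTag() };
  }
}

// Terminal side: everything placed in `wire` is what an interceptor could see.
function terminalNegotiate(keyServer, accessPassword) {
  const firstPassword = nodeCrypto.randomBytes(32);
  const publicKeyPem = keyServer.getPublicKey(accessPassword);
  const firstCiphertext = nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, firstPassword);
  const second = keyServer.exchange(accessPassword, firstCiphertext);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', firstPassword, second.iv);
  decipher.setAuthTag(second.tag); // final() throws if the ciphertext was altered in transit
  const secondPassword = Buffer.concat([decipher.update(second.body), decipher.final()]);
  return { secondPassword, wire: { firstCiphertext, second } };
}

// First and second terminal log in with the same account and must end up
// with the same second password, although each used its own first password.
function demo() {
  const authServer = new AuthServer();
  const keyServer = new KeyServer(authServer);
  const first = terminalNegotiate(keyServer, authServer.login('user-a', 'constructed-login-secret'));
  const second = terminalNegotiate(keyServer, authServer.login('user-a', 'constructed-login-secret'));
  return first.secondPassword.equals(second.secondPassword);
}

console.log('both terminals hold the same second password:', demo());
```

The public key in this sketch reaches the terminal over the same channel as the rest of the exchange, exactly as in the described method; how the terminal authenticates that key is outside what the page specifies.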
In a fourth aspect, an embodiment of the present invention provides a terminal, the terminal serving as a first terminal and including a display device, an input device, an output device, one or more memories, and one or more processors, wherein the one or more memories store one or more programs; characterized in that, when the one or more processors execute the one or more programs, the terminal is caused to implement the method of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a terminal, the terminal serving as a second terminal and including a display device, an input device, an output device, one or more memories, and one or more processors, wherein the one or more memories store one or more programs; characterized in that, when the one or more processors execute the one or more programs, the terminal is caused to implement the method of the second aspect.
In a sixth aspect, an embodiment of the present invention provides a server, including an input device, an output device, one or more memories, and one or more processors, wherein the one or more memories store one or more programs; characterized in that, when the one or more processors execute the one or more programs, the server is caused to implement the method of the third aspect.
In a seventh aspect, an embodiment of the present invention provides a first terminal, the terminal including an encryption/decryption module and a communication module; in a possible embodiment, the first terminal further includes a segmentation module. These modules are used to implement the data security protection method of the first aspect and any of its implementations.
The communication module is configured to send first ciphertext information to the key server; the first ciphertext information is obtained by the first terminal encrypting a first password with the public key from the key server;
The communication module is configured to receive the second ciphertext information sent by the key server; the second ciphertext information is obtained by the key server, after it decrypts the first ciphertext information with the private key corresponding to the public key and obtains the first password, encrypting the key server's second password with the first password;
The encryption/decryption module is configured to decrypt the second ciphertext information with the first password to obtain the second password;
The communication module is configured to send data encrypted with the second password to the storage server.
In a possible embodiment, the data is video data, and the video data encrypted with the second password is to be delivered through the storage server to a second terminal for decryption and playback.
In a possible embodiment, the segmentation module is configured to obtain a plurality of pieces of video block data from the original video data before the communication module sends the video data encrypted with the second password to the storage server; correspondingly, the communication module is configured to send to the storage server the pieces of video block data, each encrypted with the second password.
In a possible embodiment, the video data encrypted with the second password is at least one piece of video block data in the original video data.
In a possible embodiment, the segmentation module is configured to segment the original video data according to segmentation rule information from the storage server to obtain the plurality of pieces of video block data; the segmentation rule information is determined according to the network bandwidth between the first terminal and the storage server.
In a possible embodiment, the communication module is configured to, before the communication module sends the first ciphertext information to the key server: receive an access password sent by the authentication server, the access password being generated by the authentication server according to the login information of the first terminal; send to the key server a request for obtaining the public key, the request including the access password; and, when the key server successfully verifies the access password through the authentication server, receive the public key sent by the key server.
In a possible embodiment, the communication module is configured to send the access password to the key server together with the first ciphertext information; correspondingly, the communication module being configured to receive the second ciphertext information sent by the key server specifically includes: the communication module is configured to receive the second ciphertext information sent by the key server when the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the login information of the first terminal is the same as the login information of the second terminal.
In a possible embodiment, the first password is a password generated by the encryption/decryption module according to a random number.
In an eighth aspect, an embodiment of the present invention provides a second terminal, the terminal including a communication module and an encryption/decryption module; in a possible embodiment, the first terminal further includes a playback module. These modules are used to implement the data security protection method of the second aspect and any of its implementations.
The communication module is configured to send first ciphertext information to the key server; the first ciphertext information is obtained by the second terminal encrypting a first password with the public key from the key server;
The communication module is configured to receive the second ciphertext information sent by the key server; the second ciphertext information is obtained by the key server, after it decrypts the first ciphertext information with the private key corresponding to the public key and obtains the first password, encrypting the key server's second password with the first password;
The encryption/decryption module is configured to decrypt the second ciphertext information with the first password to obtain the key server's second password;
The encryption/decryption module decrypts the encrypted data from the storage server with the key server's second password.
In a possible embodiment, the encrypted data is encrypted by the first terminal with the key server's second password and sent to the storage server.
In a possible embodiment, the encrypted data is video data encrypted by the first terminal with the key server's second password; the playback module is configured to play the decrypted video data after the encryption/decryption module decrypts the encrypted data from the storage server with the key server's second password.
In a possible embodiment, the encrypted video data is obtained by the first terminal separately encrypting, with the second password, each piece of video block data in the original video data.
In a possible embodiment, the encrypted video data is obtained by the first terminal encrypting, with the second password, at least one piece of video block data in the original video data.
In a possible embodiment, the communication module is configured to, before the encryption/decryption module decrypts the encrypted data from the storage server with the key server's second password: send to the storage server a request for obtaining one piece of encrypted video block data, the one piece of encrypted video block data being one of the encrypted pieces of video block data, and the one piece of video block data being determined by the second terminal based on a user input instruction; and receive the one piece of encrypted video block data from the storage server.
In a possible embodiment, the communication module is configured to, before the second terminal sends the first ciphertext information to the key server: receive an access password sent by the authentication server, the access password being generated by the authentication server according to the login information of the second terminal; send to the key server a request for obtaining the public key, the request including the access password; and, when the key server successfully verifies the access password through the authentication server, receive the public key sent by the key server.
In a possible embodiment, the communication module is configured to send the access password to the key server together with the first ciphertext information; correspondingly, the communication module being configured to receive the second ciphertext information sent by the key server specifically includes: the communication module is configured to receive the second ciphertext information sent by the key server when the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the login information of the second terminal is the same as the login information of the first terminal.
In a ninth aspect, an embodiment of the present invention provides a key server including a communication module and an encryption/decryption module. These modules are used to implement the data security protection method of the third aspect and any of its implementations.
The communication module is configured to receive first ciphertext information sent by a terminal, the first ciphertext information being obtained by the terminal encrypting a first password of the terminal with the public key from the key server;
The encryption/decryption module is configured to decrypt the first ciphertext information with the private key corresponding to the public key to obtain the first password;
The communication module is configured to send second ciphertext information to the terminal, the second ciphertext information being obtained by encrypting, with the first password, a second password generated by the key server, and the second password being used to protect the security of the terminal's data.
In a possible embodiment, the data is video data, and the second password is used by the terminal to encrypt the video data and send it to a storage server.
In a possible embodiment, the data is video data, and the second password is used by the terminal to decrypt the encrypted video data from the storage server.
In a possible embodiment, the communication module is configured to, before receiving the first ciphertext information sent by the terminal, receive a request sent by the terminal for obtaining the public key, the request including an access password, the access password being generated in advance by an authentication server according to the terminal's login information and sent to the terminal; and, when the access password is successfully verified through the authentication server, send the public key to the terminal.
In a possible embodiment, the communication module is configured to receive the access password together with the first ciphertext information sent by the terminal; correspondingly, the communication module being configured to send the second ciphertext information to the terminal is specifically: the communication module is configured to send the second ciphertext information to the terminal when the access password is successfully verified through the authentication server.
In a possible embodiment, the second password is a password generated by the encryption/decryption module according to a random number.
In a tenth aspect, an embodiment of the present invention provides a storage server, including a communication module and a storage module, wherein:
The communication module is configured to receive data encrypted with the second password and sent by the first terminal;
The communication module is configured to send the data encrypted with the second password to the second terminal;
The storage module is configured to store in a database the data encrypted with the second password and sent by the first terminal.
In an eleventh aspect, an embodiment of the present invention provides a non-volatile computer-readable storage medium; the computer-readable storage medium is used to store implementation code of the method of the first aspect. When the program code is executed by a computing device, the computing device is used for the method of the first aspect.
In a twelfth aspect, an embodiment of the present invention provides yet another non-volatile computer-readable storage medium; the computer-readable storage medium is used to store implementation code of the method of the second aspect. When the program code is executed by a computing device, the user equipment is used for the method of the second aspect.
In a thirteenth aspect, an embodiment of the present invention provides yet another non-volatile computer-readable storage medium; the computer-readable storage medium is used to store implementation code of the method of the second aspect. When the program code is executed by a computing device, the user equipment is used for the method of the third aspect.
In a fourteenth aspect, an embodiment of the present invention provides a computer program product; the computer program product includes program instructions, and when the computer program product is executed by a computing device, the controller executes the method of the first aspect. The computer program product may be a software installation package; where the method provided by any possible design of the first aspect needs to be used, the computer program product can be downloaded and executed on the controller to implement the method of the first aspect.
In a fifteenth aspect, an embodiment of the present invention provides yet another computer program product. The computer program product includes program instructions, and when the computer program product is executed by user equipment, the controller executes the method provided by any possible design of the second aspect. The computer program product may be a software installation package; where the method provided by any possible design of the second aspect needs to be used, the computer program product can be downloaded and executed on the controller to implement the method of the second aspect.
In a sixteenth aspect, an embodiment of the present invention provides yet another computer program product. The computer program product includes program instructions, and when the computer program product is executed by user equipment, the controller executes the method provided by any possible design of the third aspect. The computer program product may be a software installation package; where the method provided by any possible design of the third aspect needs to be used, the computer program product can be downloaded and executed on the controller to implement the method of the third aspect.
As can be seen, in the embodiments of the present invention, the second password negotiated between the terminal and the key server for encrypting or decrypting video data is protected by layered encryption while in transit over the network: specifically, the key server delivers the second password to the terminal encrypted under the first password, and the first password is sent by the terminal to the key server encrypted by asymmetric encryption (public-key/private-key encryption). In addition, the embodiments of the present invention add an authentication server in the cloud: before the key server sends the relevant security data (for example, the public key and the second ciphertext information) to the terminal, the legitimacy of the user logged in on the terminal must be verified through the authentication server. Furthermore, in the embodiments of the present invention, before backing up the encrypted video data the terminal segments the original video data and encrypts the pieces separately, which achieves both secure transmission of the encrypted video and online playback of the encrypted video. Implementing the embodiments of the present invention improves the security of the user's private data (such as video data) in cloud backup, and also solves the problem that conventional solutions cannot play encrypted video data online.
Brief Description of the Drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below.
FIG. 1 is a schematic diagram of a network architecture for data security protection provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of another network architecture for data security protection provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of an application scenario designed by an embodiment of the present invention;
FIG. 4 is a schematic diagram of the hardware architecture of a terminal device provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of the hardware architecture of a server provided by an embodiment of the present invention;
FIG. 6 is a schematic flowchart of a data security protection method provided by an embodiment of the present invention;
FIG. 7 is a schematic flowchart of another data security protection method provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of the cooperative interaction of the components within each device described in the embodiment of FIG. 6;
FIG. 9 is a schematic diagram of the functional modules of a data security protection system and related equipment provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of the functional modules of another data security protection system and related equipment provided by an embodiment of the present invention.
Detailed Description
The terms used in the detailed description of the present invention are only used to explain specific embodiments of the present invention and are not intended to limit the present invention.
The following describes the process, in a conventional solution, by which a user backs up personal data to the cloud and downloads it through a terminal.
The terminal encrypts the user's personal data with the user's key and then uploads the encrypted personal data to a storage server for backup. The storage server does not hold the user's key and therefore cannot access the encrypted personal data. The vendor providing the decryption service deploys an independent decryption server, which is responsible for obtaining the key from the user's terminal and saving it in a key store. When the user needs to download personal data that has been backed up in the cloud, the decryption server is responsible for obtaining the user's personal data from the storage server, decrypting it with the corresponding key in the key store, and sending the decrypted personal data to the terminal.
However, in the above process the decryption server delivers the user's personal data to the terminal in plaintext, so a hacker can obtain the user's personal data directly by intercepting it on the downlink. The above solution therefore carries a risk of leaking the privacy of personal data.
The embodiments of the present invention provide a new network architecture for data security protection that can effectively avoid the risk of user data leakage during cloud backup and protect users' personal data more securely. See FIG. 1 for details. FIG. 1 is a schematic diagram of the network architecture for data security protection provided by the present invention; the architecture includes:
(1) Key cloud: the key cloud is formed by connecting multiple servers deployed in the cloud. A server in the key cloud that provides the key service may also be called a "key server". The key server is responsible for negotiating a password with the first terminal and the second terminal; the password is used by the first terminal to encrypt the user's personal data and send it to the storage server, and is also used by the second terminal to decrypt the encrypted personal data from the storage server.
(2) Authentication cloud: the authentication cloud is formed by connecting multiple servers deployed in the cloud. A server in the authentication cloud that provides the authentication service may also be called an "authentication server". The authentication server is responsible for authenticating the account and password with which the user logs in through a terminal. A user who passes authentication is granted an access password, and only a user who has been granted an access password can obtain the key corresponding to the account in the key cloud and the user's personal data corresponding to the account in the storage cloud.
(3) Storage cloud: the storage cloud is formed by connecting multiple servers deployed in the cloud. A server in the storage cloud that provides the storage service may also be called a "storage server". The storage server is responsible for storing the encrypted personal data uploaded by users. In addition, because the servers in the storage cloud cannot obtain the user's key, the content of the encrypted personal data cannot be accessed directly in the storage cloud.
(4) First terminal and second terminal: each may include, but is not limited to, a mobile phone, a wearable device, a laptop computer, a tablet computer, or another portable device. The first terminal is responsible for encrypting, with the password negotiated with the key cloud, the user's personal data that is to be backed up to the storage cloud, and for sending the encrypted personal data to the storage cloud for storage. The second terminal is responsible for decrypting, with the password negotiated with the key cloud, the encrypted personal data downloaded from the storage cloud.
In another embodiment, the network architecture for data security protection provided by the present invention may also be the one shown in FIG. 2: the key cloud, authentication cloud, and storage cloud described above may be combined into a single cloud, in which one or more servers may serve as the key server, another one or more servers may serve as the authentication server, and a further one or more servers may serve as the key server. For the functions of the key server, authentication server, and key server, refer to the description above. The first terminal and the second terminal can communicate and interact with the servers in the cloud to protect the security of the data; for the functions of the first terminal and the second terminal, refer to the description above.
To facilitate understanding of the embodiments of the present invention, the application scenarios involved in the embodiments are described below.
As the cameras of terminals (such as smartphones and tablet computers) become more powerful and mobile Internet technology develops, more and more users like to shoot video with a terminal and upload it to the cloud for storage, so that they can play it on other terminals (such as smartphones and tablet computers). In this usage scenario, the video file data shot by the user involves user privacy, so the video file data requires a higher level of security protection. In addition, because video file data is large and takes a long time to download, online playback needs to be supported to improve the user experience; that is, even when the user has not downloaded the complete video file, the user can drag the playback progress bar to play the video content at any point in time.
FIG. 3 is a schematic diagram of an application scenario of terminal video data backup and download provided by an embodiment of the present invention. In FIG. 3, the first terminal acquires original video data. The original video data may be video data stored locally on the first terminal, for example video data shot by the first terminal and stored locally, video data sent to the first terminal by another terminal device, or video data downloaded by the first terminal from the network, which is not specifically limited in the present invention. The first terminal then splits the original video data into N video chunks, where N is a positive integer. Next, the first terminal encrypts each of the N video chunks with the password negotiated with the key server, and sends the N encrypted video chunks to the storage server for backup storage. When the user needs to download the backed-up video data through another terminal, the second terminal obtains the corresponding encrypted video chunks from the storage server (which may be all N video chunks or a part of the N video chunks), then decrypts each of the N video chunks with the password negotiated with the key server and plays the decrypted video chunks. Each video chunk is played as soon as it is decrypted, which realizes online playback of the video data.
In some application scenarios, the first terminal and the second terminal in FIG. 3 are two different terminals. For example: a user shoots a video with a terminal (such as a mobile phone or tablet computer), logs in to the cloud with a user account, and uploads the video to the cloud for backup; after logging in to the cloud with the user account on another terminal (such as another mobile phone or tablet computer), the user can download the video and play it online.
In other application scenarios, the first terminal and the second terminal in FIG. 3 may be the same terminal. For example: a user shoots a video with a terminal, logs in to the cloud with a user account, and uploads the video to the cloud for backup; because the terminal has limited storage space, the user deletes the video stored on the terminal after uploading it, but as long as the user logs in to the cloud with the user account, the user can still download the video and play it online.
It can be understood that the first terminal and the second terminal in the figure are only examples to facilitate understanding of the embodiments of the present invention, and there may also be multiple terminals.
Referring to FIG. 4, FIG. 4 is a schematic diagram of the hardware architecture of the terminal involved in FIGS. 1-3. The terminal 400 may include: a chip 410, a memory 411, a radio frequency (RF) module 412, a display device 413, an input device 414 and a camera device 415. These components may communicate over one or more communication buses 4104. The terminal 400 may be the first terminal or the second terminal.
The chip 410 may integrate: one or more processors 4101, a clock module 4102 and a power management module 4103. The clock module 4102 integrated in the chip 410 mainly generates the clock that the processor 4101 needs for data transmission and timing control. The power management module 4103 integrated in the chip 410 mainly provides a stable, high-precision voltage for the processor 410, the radio frequency module 412 and the peripheral system. For example, when the terminal 400 is the first terminal, the processor 4101 of the first terminal is configured to execute the steps related to the processor of the first terminal in the method embodiment of FIG. 6 or FIG. 7; when the terminal 400 is the second terminal, the processor 4101 of the second terminal is configured to execute the steps related to the processor of the second terminal in the method embodiment of FIG. 6 or FIG. 7.
The memory 411 is coupled to the processor 4101 and stores various software programs and/or sets of instructions. In specific implementations, the memory 411 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices or other non-volatile solid-state storage devices. The memory 411 may store an operating system (hereinafter referred to as the system), for example an embedded operating system such as ANDROID, IOS, WINDOWS or LINUX. The memory 411 may also store a network communication program, which can be used to communicate with one or more terminal devices. The memory 411 may also store a user interface program, which can vividly display the content of an application through a graphical operation interface and receive the user's control operations on the application through input controls such as menus, dialog boxes and buttons. The memory 411 may also store data. For example, when the terminal 400 is the first terminal, the memory 411 may store the original video data involved in the method embodiment of FIG. 7 below; when the terminal 400 is the second terminal, the memory 411 may store the video chunk data involved in the method embodiment of FIG. 7 below.
The radio frequency (RF) module 412 receives and transmits radio frequency signals, and mainly integrates the receiver and the transmitter of the terminal 400. The RF module 412 communicates with the communication network and other communication devices via radio frequency signals. In a specific implementation, the RF module 412 may include, but is not limited to: an antenna system, an RF transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a CODEC chip, a SIM card, a storage medium and so on. In some embodiments, the RF module 412 may be implemented on a separate chip. For example, in the method embodiment of FIG. 6 or FIG. 7 of the present invention, when the terminal 400 is the first terminal or the second terminal, the transmitter may be used to send the first ciphertext information, the data encrypted with the second password and so on, and the receiver may be used to receive the second ciphertext information and so on.
The display device 413 may be used to display information input by the user or information provided to the user by the terminal 400, as well as the various graphical user interfaces of the terminal 400, which may be composed of graphics, text, icons, video and any combination thereof. Specifically, the display device 413 may include a display panel and an audio circuit. Optionally, the display panel may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) or the like. Although the touch-sensitive surface and the display panel are shown as two separate components in FIG. 4, in some embodiments the touch-sensitive surface and the display panel may be integrated to implement input and output functions. For example, the touch-sensitive surface may cover the display panel; when the touch-sensitive surface detects a touch operation on or near it, it passes the operation to the processor 4101 to determine the type of the touch event, and the processor 4101 then provides the corresponding visual output on the display panel according to the type of the touch event. For example, in the method embodiment of FIG. 7 of the present invention, when the terminal 400 is the first terminal, the display device 413 may be used to display and play the original video data; when the terminal 400 is the second terminal, the display device 413 may be used to display and play the video chunk data.
The input device 414 may be used to receive numeric or character information entered by the user, and to generate keyboard, mouse, joystick, optical or trackball signal input related to user settings and function control. Specifically, the input device 414 may include a touch-sensitive surface and other input devices. The touch-sensitive surface, also called a touch display screen or touchpad, collects the user's touch operations on or near it and drives the corresponding connection device according to a preset program. Specifically, the other input devices may include, but are not limited to, one or more of a physical keyboard, function keys, a trackball, a mouse, a joystick and the like. For example, in the method embodiment of FIG. 7 of the present invention, when the terminal 400 is the first terminal or the second terminal, the input device 414 may be used to detect user operations to obtain the user's input instruction, where the input instruction may be formed by sliding, touching, clicking or similar operations on the touch-sensitive surface.
The camera device 415 may be provided with a photosensitive element such as an image sensor for capturing images or video of the scene being shot. The camera device 415 may be, for example, a monocular camera, a binocular camera or a multi-lens camera. For example, in the method embodiment of FIG. 7 of the present invention, when the terminal 400 is the first terminal, the camera device 415 may be used to shoot the video data.
Referring to FIG. 5, FIG. 5 is a structural block diagram of a server provided by an embodiment of the present disclosure. For the servers involved in FIGS. 1-3, and the key server in particular, refer to the structural block diagram in FIG. 5. The server includes: a processor 501 and a memory for storing processor-executable instructions, where the processor is configured to execute the method steps that involve the key server in the method embodiment of FIG. 6 or FIG. 7.
In a possible embodiment, the server may further include: one or more input interfaces 502, one or more output interfaces 503 and a memory 504.
The processor 501, input interface 502, output interface 503 and memory 504 are connected through a bus 505. The memory 502 is used to store instructions, the processor 501 is used to execute the instructions stored in the memory 502, the input interface 502 is used to receive data, such as the first ciphertext information in the method embodiment of FIG. 6 or FIG. 7, and the output interface 503 is used to output data, such as the public key and the second ciphertext information in the method embodiment of FIG. 6 or FIG. 7.
The processor 501 is configured to invoke the program instructions to execute the method steps related to the processor of the key server in the method embodiment of FIG. 6 or FIG. 7.
It should be understood that, in the embodiments of the present disclosure, the processor 501 may be a central processing unit (CPU), or it may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 504 may include read-only memory and random access memory, and provides instructions and data to the processor 501. A portion of the memory 504 may also include non-volatile random access memory. For example, the memory 504 may also store interface type information.
In some implementations, the above components of the server described in the embodiments of the present disclosure may be used to execute the method steps that involve the key server in the method embodiment of FIG. 6 or FIG. 7 described later.
The data security protection method provided by the embodiments of the present invention is described in detail below with reference to the accompanying drawings. The method provides more secure protection of user personal data in cloud backup.
Referring to FIG. 6, FIG. 6 is a schematic flowchart of a data security protection method provided by an embodiment of the present invention. In the embodiment of FIG. 6, steps 601 to 609 describe the process in which the first terminal encrypts data with the password negotiated with the key server and sends the encrypted data to the storage server; steps 701 to 710 describe the process in which the second terminal downloads the encrypted data from the storage server, decrypts it with the password negotiated with the key server, and obtains the decrypted data. The password for data encryption that the first terminal negotiates with the key server and the password for data decryption that the second terminal negotiates with the key server can be transmitted securely over the network. The description is expanded below. First, the process in which the first terminal encrypts the data to be backed up and sends it to the storage server is described. The process includes but is not limited to the following steps:
601. The key server sends the public key to the first terminal; correspondingly, the first terminal receives the public key sent by the key server.
602. The first terminal generates a first password and encrypts the first password with the public key to obtain first ciphertext information.
603. The first terminal sends the first ciphertext information to the key server; correspondingly, the key server receives the first ciphertext information sent by the first terminal.
604. The key server decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password.
605. The key server generates a second password.
606. The key server encrypts the second password with the first password to obtain second ciphertext information.
607. The key server sends the second ciphertext information to the first terminal; correspondingly, the first terminal receives the second ciphertext information sent by the key server.
608. The first terminal decrypts the second ciphertext information with the first password to obtain the second password.
609. The first terminal encrypts the data with the second password and sends the data encrypted with the second password to the storage server; correspondingly, the storage server receives the data encrypted with the second password sent by the first terminal.
The process described in steps 601-608, in which the first terminal negotiates the second password with the key server, is explained in detail below. The second password is used by the first terminal to encrypt data. The public key and private key described in this application may be a key pair (that is, one public key and one private key) generated by the RSA asymmetric encryption algorithm; the public key may be the public part of the key pair, and the private key the non-public part. A public key is typically used to encrypt session keys, verify digital signatures, or encrypt data that can be decrypted with the corresponding private key. A key pair generated by the RSA asymmetric encryption algorithm is guaranteed to be unique worldwide. When this key pair is used, data encrypted with one of the keys must be decrypted with the other key. For example, data encrypted with the public key must be decrypted with the private key corresponding to that public key, and data encrypted with the private key must be decrypted with the public key; otherwise decryption will not succeed.
The first password in step 602 may be a dynamic random password generated from a random number by the processor inside the first terminal. In some embodiments, the first password may be updated after a preset time interval, may be updated for each different batch of data, or may be updated dynamically according to other conditions, which is not specifically limited in the present invention. Dynamically updating the first password helps improve the security of the first password and makes it harder for an attacker to steal it.
In the embodiment of the present invention, after the processor inside the first terminal generates the first password, it encrypts the first password with the public key of the key server to obtain the first ciphertext information. The first ciphertext information can be decrypted to obtain the first password only with the private key corresponding to the key server's public key. Even if the first ciphertext information is intercepted by an attacker while it is transmitted from the first terminal to the key server, the attacker cannot obtain the private key corresponding to the public key and therefore cannot decrypt the first ciphertext information to obtain the first password. The private key corresponding to the public key may be stored in the key server, and only the key server has permission to use it. After receiving the first ciphertext information sent by the first terminal through the input interface, the key server decrypts it with the private key corresponding to the public key to obtain the first password. It can be seen that the process from generating the first password at the first terminal to sending it to the key server is secure and trustworthy.
The second password in step 605 may be generated by the processor inside the key server, and may be a dynamic random password generated from a random number by that processor. In some embodiments, the second password may be updated after a preset time interval, or may be updated dynamically according to other conditions, which is not specifically limited in the present invention. It should be explained that the second password is what the key server needs to send to the first terminal, and the data that the first terminal sends to the storage server is encrypted with the second password, so the security of the second password directly determines the security of the data that the first terminal sends to the storage server. Guaranteeing the security of the second password is therefore critical.
From the description above, the process by which the first terminal informs the key server of the first password ensures that the first password is secure and trustworthy. Therefore, the process in which the key server encrypts the second password with the secure and trustworthy first password, obtains the second ciphertext information, and sends the second ciphertext information to the first terminal is likewise secure and trustworthy. In this process, even if the second ciphertext information is intercepted by an attacker while it is transmitted from the key server to the first terminal, the attacker cannot obtain the first password and therefore cannot decrypt the second ciphertext information to obtain the second password. After receiving the second ciphertext information sent by the key server, the first terminal decrypts it with the first password it already holds to obtain the second password. It can be seen that the process of sending the second password from the key server to the second terminal is secure and trustworthy.
In step 609, as shown above, the second password that the first terminal uses to encrypt the data is secure and trustworthy, so the process in which the first terminal encrypts the data with the second password and sends the encrypted data to the storage server is also secure and reliable. Even if the data encrypted with the second password is intercepted by an attacker while it is transmitted from the first terminal to the key server, the attacker cannot obtain the second password and therefore cannot decrypt the data. Implementing the above embodiment thus ensures that the data is secure and trustworthy while the user backs it up to the cloud through the terminal.
The following describes the process in which the second terminal downloads the backed-up encrypted data from the storage server and decrypts it. The process includes but is not limited to the following steps:
701. The key server sends the public key to the second terminal; correspondingly, the second terminal receives the public key sent by the key server.
702. The second terminal generates a first password and encrypts the first password with the public key to obtain first ciphertext information.
703. The second terminal sends the first ciphertext information to the key server; correspondingly, the key server receives the first ciphertext information sent by the second terminal.
704. The key server decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password.
705. The key server generates a second password.
706. The key server encrypts the second password with the first password to obtain second ciphertext information.
707. The key server sends the second ciphertext information to the second terminal; correspondingly, the second terminal receives the second ciphertext information sent by the key server.
708. The second terminal decrypts the second ciphertext information with the first password to obtain the second password.
709. The storage server sends the encrypted data to the second terminal, and the second terminal receives the encrypted data sent by the storage server. The encrypted data may be data that the first terminal encrypted with the second password and sent to the storage server; for example, the encrypted data may be encrypted video data, picture data, text data and so on.
710. The second terminal decrypts the encrypted data with the second password.
步骤701-708是第二终端与秘钥服务器协商得到的用于数据解密的密码的过程,该过程与步骤601-608第一终端与秘钥服务器协商得到用于数据加密的密码的过程类似,为了简洁,这里不再赘述。Steps 701-708 are the process of negotiating the password used for data decryption between the second terminal and the key server, and this process is similar to the process in steps 601-608 that the first terminal negotiated with the key server to obtain the password used for data encryption, For the sake of brevity, details are not repeated here.
下面对步骤709-710进行说明,由于步骤701-708是第二终端与秘钥服务器协商得到的用于数据解密的密码的过程与步骤601-608相似,而结合步骤601-608的描述可知,第二终端对从存储服务器获取的加密数据进行解密所使用的第二密码是安全可信的,而步骤709中第二终端接收存储服务器发送的加密数据是经第二密码加密的、以密文的形式在网络中传输的数据。因此,加密数据在从存储服务器下发至第二终端的过程中即使被黑客拦截,由于黑客不能获取第二密码,因而不能访问加密数据中的内容。而第二终端接收存储服务器发送的加密数据后,在终端内部根据第二密码对加密数据进行解密,获得解密后的数据内容。因而通过实施上述实施例,可以确保用户通过终端从云端下载已备份的数据的过程是安全可靠的。Steps 709-710 will be described below. Since steps 701-708 are the passwords used for data decryption negotiated between the second terminal and the key server, the process is similar to steps 601-608, and it can be seen from the description of steps 601-608 that , the second password used by the second terminal to decrypt the encrypted data obtained from the storage server is safe and reliable, and in step 709, the encrypted data received by the second terminal from the storage server is encrypted by the second password, and the encrypted data is encrypted with the encrypted data. data transmitted over the network in the form of text. Therefore, even if the encrypted data is intercepted by the hacker in the process of delivering the encrypted data from the storage server to the second terminal, the hacker cannot access the content in the encrypted data because the hacker cannot obtain the second password. After receiving the encrypted data sent by the storage server, the second terminal decrypts the encrypted data according to the second password inside the terminal to obtain the decrypted data content. Therefore, by implementing the above embodiments, it can be ensured that the process of downloading the backed up data from the cloud by the user through the terminal is safe and reliable.
In some embodiments, the data involved in the embodiment of FIG. 6 may be the user's personal data; that is, both the data the first terminal sends to the storage server and the data the storage server sends to the second terminal may be the user's personal data. Such data may be the address book, text messages, pictures, videos and the like. Because this data involves user privacy, it requires a higher level of security protection, which implementing the above embodiments of the data security protection method provides.
In the method embodiment of FIG. 6, the first terminal encrypts the data with the password negotiated with the key server and then sends the encrypted data to the storage server; the second terminal downloads the encrypted data from the storage server and decrypts it with the password negotiated with the key server to obtain the decrypted data. Both the password for data encryption that the first terminal negotiates with the key server and the password for data decryption that the second terminal negotiates with the key server are transmitted securely over the network. Implementing the above embodiment improves the security of users' private data in cloud backup.
FIG. 7 shows another data security protection method provided by an embodiment of the present invention. The embodiment of FIG. 7 differs from that of FIG. 6 mainly in two respects. First, an authentication server is added in the cloud: before the key server sends the relevant security data (for example, the public key and the second ciphertext information) to a terminal, the authentication server is responsible for verifying the legitimacy of the terminal's logged-in user. Second, the embodiment of FIG. 7 protects video data, and it allows the video data to be played online while it is protected. The description follows:
First, the process in which the first terminal splits and encrypts the video data to be backed up and sends it to the storage server is described. The process includes, but is not limited to, the following steps:
801. The first terminal sends login information to the authentication server, and correspondingly, the authentication server receives the login information sent by the first terminal.
802. The authentication server sends an access password to the first terminal, and correspondingly, the first terminal receives the access password sent by the authentication server. Specifically, the access password is generated by the authentication server from the login information sent by the first terminal.
In some implementations, the first terminal sends the login information to the authentication server through a radio frequency module to request the access password. Accordingly, the authentication server receives the login information, generates the access password from it, and sends the generated access password to the first terminal. The login information is a user account, which includes a user name and a password and is used to identify the user. A user can log in to the authentication server from different terminals with the same user account to obtain the access password granted by the authentication server. The access password is granted to the first terminal by the authentication server after it verifies that the user account of the first terminal is a legitimate user account, and the first terminal uses it to obtain the relevant security data (for example, the public key and the second ciphertext information described below).
803. The first terminal sends a public key acquisition request to the key server, where the public key acquisition request includes the access password.
804-806. If the key server successfully verifies the access password through the authentication server, the key server sends the public key to the first terminal, and correspondingly, the first terminal receives the public key sent by the key server.
In some implementations, after the key server obtains the access password from the public key acquisition request sent by the first terminal in step 803, it sends the access password to the authentication server to verify whether the user account that sent the public key acquisition request is legitimate. Correspondingly, the authentication server receives the access password, verifies on that basis whether the user account that sent the public key acquisition request is legitimate, and returns the verification result to the input interface of the key server. If the verification result is that the account is legitimate, the key server sends the public key to the first terminal through its output interface, and the first terminal receives the public key through the radio frequency module.
807. The first terminal generates a first password and encrypts the first password with the public key to obtain first ciphertext information. For how the first password is generated, see the description of step 102 in the method embodiment of FIG. 6.
808. The first terminal sends the first ciphertext information and the access password to the key server, and correspondingly, the key server receives the first ciphertext information and the access password sent by the first terminal.
809-811. If the key server successfully verifies the access password through the authentication server, the key server decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password.
In some implementations, the output interface of the key server sends the access password to the authentication server to verify whether the user account that sent the first ciphertext information is legitimate. Correspondingly, the authentication server receives the access password, verifies on that basis whether the user account that sent the first ciphertext information is legitimate, and returns the verification result to the input interface of the key server. If the verification result is that the account is legitimate, the processor of the key server decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password.
812. The key server generates a second password. For how the second password is generated, see the description of step 105 in the method embodiment of FIG. 6.
813. The key server encrypts the second password with the first password to obtain second ciphertext information.
814. The key server sends the second ciphertext information to the first terminal, and correspondingly, the first terminal receives the second ciphertext information sent by the key server.
815. The first terminal decrypts the second ciphertext information with the first password to obtain the second password.
816. The first terminal splits the original video data to obtain multiple pieces of video segment data, and encrypts each piece of video segment data with the second password. The original video data may be video data stored locally on the first terminal: for example, video data captured by the first terminal and stored locally, video data sent to the first terminal by another terminal device, or video data the first terminal downloaded from the network. The present invention does not specifically limit this.
817. The first terminal sends each piece of video segment data encrypted with the second password to the storage server, and correspondingly, the storage server receives each piece of video segment data encrypted with the second password sent by the first terminal.
Steps 816 and 817 are described in more detail below.
Note that if video data is transmitted over the network in plaintext, online playback can be achieved with ordinary streaming media (Streaming Media) technology, that is, the already downloaded video content is played while the download continues. The video data addressed by the present invention is encrypted, that is, it is transmitted over the network as ciphertext, and conventional schemes cannot play encrypted video data online: they must download the encrypted video data in full and decrypt it before the decrypted video data can be played.
Ordinary streaming media technology is an underlying base technology of the operating system, such as the Android operating system (Android) or the Apple operating system (iOS). Improving its code implementation, for example by integrating video encryption and decryption functions into it, would involve a large volume of code changes, complex technology, high development difficulty and a long development cycle. In view of this, the solution proposed by the present invention does not modify the code implementation of the operating system's underlying streaming media technology, yet it enables online playback of encrypted video data; it is efficient and quick to implement and can save substantial development cost. The description follows:
In the embodiment of the present invention, the first terminal splits the original video data to obtain multiple pieces of video segment data, encrypts each piece with the second password, and sends each encrypted piece to the storage server. The storage server therefore stores multiple pieces of video segment data encrypted with the second password rather than the encrypted original video data. When a user downloads the encrypted video data from the storage server through another terminal device, the first terminal only needs to download one of the multiple encrypted pieces of video segment data and decrypt it; the decrypted video segment data can then be played with ordinary streaming media technology, and while it is playing, the subsequent encrypted video segment data continues to be downloaded. This achieves online playback of encrypted video data. Implementing the above embodiment not only achieves online playback of encrypted video data and improves user experience, but is also efficient and quick to implement and can save substantial development cost.
In one implementation, the first terminal splits the original video data according to segmentation rule information from the storage server, where the segmentation rule information is determined by the storage server according to the network bandwidth between the first terminal and the storage server. Specifically, the first terminal sends a video data storage request to the storage server through the radio frequency module; after receiving the request, the storage server determines the segmentation rule information according to the network bandwidth between the first terminal and the storage server. The segmentation rule information includes the size of the video segments obtained by splitting the original video data. For example, if the original video data is 100M in size and the segmentation rule information specifies splitting it into equal 4M segments, splitting yields 25 pieces of video segment data. Note that if the original video data is split into equal parts, the resulting video segments can all be the same size, but the present invention also supports splitting into unequal parts, in which case the video segments can differ in size. Specifically, the video segment size is positively correlated with the network bandwidth: the larger the network bandwidth, the larger the video segment size; for example, the video segment size may be 4M, 8M, 16M, and so on. Video data is usually large. Splitting the original video data according to a segmentation rule determined by the network bandwidth and sending the resulting video segment data to the storage server avoids the network congestion caused by oversized video segment data, and thereby increases the speed at which video segment data is transmitted from the first terminal to the storage server.
In some implementations, after the first terminal splits the original video data and encrypts each resulting piece of video segment data, it can number the encrypted pieces according to their playback order; for example, video segment data that comes earlier in the playback order of the original video data has a smaller number. Correspondingly, the storage server may store the video segment data in order of its numbers.
In some implementations, the first terminal may send the pieces of video segment data encrypted with the second password to the storage server one after another in order of their numbers; for example, video segment data with a smaller number is sent earlier.
In some implementations, steps 816 and 817 may also be implemented as follows: the first terminal splits the original video data to obtain multiple pieces of video segment data, and encrypts at least one piece of video segment data of the original video data with the second password; the first terminal sends the at least one piece of video segment data encrypted with the second password to the storage server, and correspondingly, the storage server receives the at least one piece of video segment data encrypted with the second password sent by the first terminal. In practice, the following application scenario exists: the user wants to back up to the cloud only part of a video captured with the terminal's camera device, such as a camera, and does not want to back up the whole video. Specifically, after the first terminal splits the original video data and obtains multiple pieces of video segment data, it determines at least one piece of video segment data from among them based on the user's input instruction, where the at least one piece of video segment data contains the part of the original video that the user has chosen to back up to the cloud. The first terminal then encrypts the at least one piece of video segment data with the second password and sends the encrypted data to the storage server. Implementing the above embodiment makes it possible to back up only part of the original video data according to the user's needs, which not only improves user experience but also saves storage space on the storage server.
In some implementations, determining at least one piece of video segment data from the multiple pieces based on the user's input instruction can be implemented as follows: the user taps, touches or slides on a touch-sensitive surface (the phone screen), which triggers the corresponding input instruction. Specifically, the input instruction may be triggered by the user sliding the video playback bar on the touch-sensitive surface, and the at least one piece of video segment data is obtained by splitting the video clip corresponding to the range over which the playback bar was slid. Alternatively, the input instruction may be triggered by the user tapping on the touch-sensitive surface to enter a video playback start time and a video playback end time, and the at least one piece of video segment data is obtained by splitting the video clip determined by that start time and end time.
The following describes the process in which the second terminal downloads the backed-up encrypted video data from the storage server, decrypts it and plays it. The process includes, but is not limited to, the following steps:
901. The second terminal sends login information to the authentication server, and correspondingly, the authentication server receives the login information sent by the first terminal, where the login information is the user's account and password.
902. The authentication server sends an access password to the second terminal, and correspondingly, the second terminal receives the access password sent by the authentication server.
903. The second terminal sends a public key acquisition request to the key server, where the public key acquisition request includes the access password.
904-906. If the key server successfully verifies the access password through the authentication server, the key server sends the public key to the second terminal, and correspondingly, the second terminal receives the public key sent by the key server.
907. The second terminal generates a first password and encrypts the first password with the public key to obtain the first ciphertext.
908. The second terminal sends the first ciphertext information and the access password to the key server, and correspondingly, the key server receives the first ciphertext information and the access password sent by the second terminal.
909-911. If the key server successfully verifies the access password through the authentication server, the key server decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password.
912. The key server generates a second password.
913. The key server encrypts the second password with the first password to obtain second ciphertext information.
914. The key server sends the second ciphertext information to the second terminal, and correspondingly, the second terminal receives the second ciphertext information sent by the key server.
915. The second terminal decrypts the second ciphertext information with the first password to obtain the second password.
Steps 901-915 are the process by which the second terminal negotiates with the key server to obtain the password used for video data decryption. This process is similar to steps 801-815, in which the first terminal negotiates with the key server to obtain the password used for video data encryption; for brevity, the details are not repeated here.
916-919. The second terminal sends a request to download video segment data to the storage server; the storage server sends the encrypted video segment data to the second terminal according to the request; the second terminal receives the encrypted video segment data sent by the storage server, decrypts it with the second password, and plays the decrypted video segment data.
In some implementations, the second terminal sends the request to download video segment data to the storage server through a radio frequency module. The request asks to download encrypted video data, where the encrypted video data was obtained by the first terminal encrypting each piece of video segment data of the original video data with the second password. Correspondingly, the storage server receives the request and, in response, sends each piece of video segment data encrypted with the second password to the second terminal. While the second terminal is receiving these pieces through the radio frequency module, each time it has received one of them it decrypts that piece with the second password already held inside the terminal and plays the decrypted video segment data. Implementing the above embodiment lets the user download the complete backed-up original video data from the cloud (that is, the storage server) and play it online while it downloads.
In some implementations, the second terminal sends the request to download video segment data to the storage server through a radio frequency module. The request asks to download encrypted video data, where the encrypted video data was obtained by the first terminal encrypting at least one piece of video segment data of the original video data with the second password. Correspondingly, the storage server receives the request and, in response, sends the at least one piece of video segment data encrypted with the second password to the second terminal. While the second terminal is receiving the at least one piece through the radio frequency module, each time it has received one of them it decrypts that piece with the second password already held inside the second terminal and plays the decrypted video segment data. Implementing the above embodiment lets the user download part of the backed-up original video data from the cloud (that is, the storage server) and play it online while it downloads. In addition, because only part of the video data is downloaded, the amount of video data transmitted is reduced, which saves bandwidth.
To support fast-forward playback, fast-rewind playback, and playback from any point to which the progress bar is dragged for encrypted video data, the present invention also provides the following implementation. The second terminal sends the storage server a request to obtain one piece of encrypted video segment data, where that piece is one of the encrypted pieces of video segment data and is determined by the second terminal based on a user input instruction. The user input instruction may be triggered by the user tapping, touching or sliding on a touch-sensitive surface (the phone screen); specifically, the user slides the video playback bar on the touch-sensitive surface, or taps or touches the buttons for fast-forward or fast-rewind playback, and the processor generates the user input instruction by detecting the sliding, tapping or touching operation through the touch-sensitive surface. Correspondingly, the storage server receives the request to obtain one piece of encrypted video segment data and, in response, sends that piece to the second terminal; the second terminal receives it from the storage server through the radio frequency module. In a specific implementation, because the video data is file data conforming to a video coding format, the start of the video data file stores, for every key frame of the video data, its storage position in the file and its playback time point. Therefore, before playing the video data, the second terminal must always download and decrypt the first piece of video segment data, and then, from the key frame storage positions and playback time points in that first piece, calculate the start position in the video data of the key frame corresponding to the time point to which the user fast-forwards, rewinds, or drags the progress bar. The first terminal then adds the start position of that key frame in the video data to the request to obtain one piece of encrypted video segment data and sends them together to the storage server. The storage server determines the target video segment data, which contains the key frame, from the start position information and sends the target video segment data to the second terminal. After the processor of the second terminal decrypts the target video data, it is played on the display panel of the second terminal (for example, the phone screen). Implementing the above embodiment provides fast-forward playback, fast-rewind playback and playback from any dragged progress-bar position for encrypted video data, thereby improving user experience.
The following example illustrates how the storage server determines the target video segment data from the start position of the key frame in the video data. Suppose the key frame starts at the 41000th byte of the video data, and the pieces of video segment data obtained by the first terminal's splitting are each 4M in size, that is, 4096 bytes. The storage server computes 41000 ÷ 4096 = 10 remainder 40 and thus determines that the key frame lies in the 11th piece of video segment data.
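The segment-wise encryption of steps 816-817 and the seek lookup just described, as an added Python example that is not part of the patent text. It assumes a hypothetical `video_id` and a constructed key in place of the negotiated second password; because the Python standard library has no AES, it uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for an AEAD such as AES-GCM. Binding the segment number into the tag is an addition made here so that a reordered or substituted segment is rejected on decryption.

```python
import hashlib
import hmac
import os
import struct

CHUNK_SIZE = 4096   # segment size in bytes, as in the page's worked example
NONCE_LEN = 16
TAG_LEN = 32        # HMAC-SHA256 output length


def derive_keys(second_password):
    """Split the negotiated second password into separate cipher and MAC keys."""
    enc = hmac.new(second_password, b"segment-enc", hashlib.sha256).digest()
    mac = hmac.new(second_password, b"segment-mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode (stdlib stand-in for an AES-CTR/GCM keystream)."""
    blocks = [
        hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def associated_data(video_id, index):
    """Length-prefixed video id plus segment number, authenticated with each segment."""
    return struct.pack(">H", len(video_id)) + video_id + struct.pack(">Q", index)


def encrypt_segment(second_password, video_id, index, plaintext):
    """Encrypt one segment under a fresh nonce and tag it together with its position."""
    enc_key, mac_key = derive_keys(second_password)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, associated_data(video_id, index) + nonce + body,
                   hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_segment(second_password, video_id, index, blob):
    """Verify the tag for this (video, index) first, then decrypt the segment body."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("segment too short")
    enc_key, mac_key = derive_keys(second_password)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, associated_data(video_id, index) + nonce + body,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("segment failed authentication (tampered or wrong position)")
    return bytes(c ^ k for c, k in zip(body, keystream(enc_key, nonce, len(body))))


def split_and_encrypt(second_password, video_id, video, chunk_size=CHUNK_SIZE):
    """First terminal: split, encrypt each segment, number segments by playback order."""
    return [
        encrypt_segment(second_password, video_id, index, video[start:start + chunk_size])
        for index, start in enumerate(range(0, len(video), chunk_size))
    ]


def segment_for_offset(byte_offset, chunk_size=CHUNK_SIZE):
    """Storage-server lookup: (zero-based segment index, offset inside that segment)."""
    return divmod(byte_offset, chunk_size)


def seek_and_decrypt(stored, second_password, video_id, byte_offset, chunk_size=CHUNK_SIZE):
    """Second terminal: fetch only the segment holding byte_offset and decrypt it."""
    index, inner = segment_for_offset(byte_offset, chunk_size)
    plaintext = decrypt_segment(second_password, video_id, index, stored[index])
    return plaintext[inner:]


# Constructed sample input: 100,000 patterned bytes standing in for a video file.
SAMPLE_VIDEO = bytes(i % 251 for i in range(100_000))
SAMPLE_KEY = bytes(range(32))   # constructed stand-in for the negotiated second password
SAMPLE_ID = b"video-0001"       # hypothetical identifier, not from the page

if __name__ == "__main__":
    stored = split_and_encrypt(SAMPLE_KEY, SAMPLE_ID, SAMPLE_VIDEO)
    print(len(stored), "segments; offset 41000 ->", segment_for_offset(41000))
    print(seek_and_decrypt(stored, SAMPLE_KEY, SAMPLE_ID, 41000)[:8].hex())
```

The zero-based index 10 returned for offset 41000 is the 11th segment of the page's example, and only that one segment has to be downloaded and decrypted to resume playback there.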
在本发明实施例中,第一终端的登录信息和第二终端的登录信息可以相同,但在一些实现中,二者的登录信息也可能设计为不同,但二者都具有对云端(例如秘钥服务器、存储服务器)的访问权限。第一终端和第二终端可以是不相同的终端,也可以是相同的终端。第一终端和第二终端为不同的终端的方案,用于实现如下应用场景:用户通过终端(例如移动手机)的摄像头拍摄视频,并通过用户账号登录到云端,将视频上传至云端进行备份;用户可以在其他终端(例如平板电脑)通过用户账号登录到云端后,对视频进行下载和在线播放。第一终端和第二终端为相同的终端的方案,用于实现如下应用场景:用户通过终端的摄像头拍摄视频,并通过用户账号登录到云端,将视频上传至云端进行备份;由于终端的存储空间有限,用户在将视频上传至云端后,删除了在终端存储的视频,但只要通过用户账号登录到云端,用户仍然可以对视频进行下载和在线播放。In this embodiment of the present invention, the login information of the first terminal and the login information of the second terminal may be the same, but in some implementations, the login information of the two may also be designed to be different, but both have access to the cloud (for example, a secret key server, storage server) access rights. The first terminal and the second terminal may be different terminals, or may be the same terminal. The solution in which the first terminal and the second terminal are different terminals is used to realize the following application scenarios: the user shoots a video through the camera of the terminal (such as a mobile phone), logs in to the cloud through the user account, and uploads the video to the cloud for backup; Users can download and play videos online after logging in to the cloud through a user account on other terminals (such as tablet computers). The solution in which the first terminal and the second terminal are the same terminal is used to realize the following application scenarios: the user shoots a video through the camera of the terminal, logs in to the cloud through the user account, and uploads the video to the cloud for backup; due to the storage space of the terminal Limited. After uploading the video to the cloud, the user deletes the video stored in the terminal, but as long as the user logs in to the cloud with the user account, the user can still download and play the video online.
相比于图6方法实施例,图7方法实施例中,在云端增加了认证服务器,在秘钥服务器将相关安全数据(例如公钥和第二密文信息)发送至终端之前,需要通过认证服务器对终端的登录用户的合法性进行验证;并且,图7实施例的加密数据为加密的视频数据,终端对加密的视频数据进行备份之前进行切分得到多个视频分块数据,从而实现了加密视频的在线播放。通过实施上述实施例,进一步提高了云备份中的用户隐私数据(如视频数据)的安全性,另外解决了常规方案不能对加密的视频数据进行在线播放的难题。Compared with the method embodiment in FIG. 6 , in the method embodiment in FIG. 7 , an authentication server is added to the cloud, and before the key server sends the relevant security data (such as the public key and the second ciphertext information) to the terminal, it needs to pass the authentication. The server verifies the legitimacy of the logged-in user of the terminal; and, the encrypted data in the embodiment of FIG. 7 is encrypted video data, and the terminal divides the encrypted video data before backing up to obtain a plurality of video block data, thereby realizing Online playback of encrypted video. By implementing the above embodiments, the security of user privacy data (such as video data) in cloud backup is further improved, and the problem that conventional solutions cannot perform online playback of encrypted video data is also solved.
上文描述了本发明实施例的相关方法,基于相同的发明构思,下面描述本发明实施例的相关装置。The related methods of the embodiments of the present invention are described above. Based on the same inventive concept, the related apparatuses of the embodiments of the present invention are described below.
参见图8,图8是本发明实施例提供的一种数据安全保护系统以及相关设备的功能模块示意图。Referring to FIG. 8 , FIG. 8 is a schematic diagram of functional modules of a data security protection system and related devices provided by an embodiment of the present invention.
图8示出了本发明实施例提供的第一终端1000、第二终端1100、秘钥服务器1200和存储服务器1300的一种实施例,以及四者构成的通信系统的结构示意图。如图8所示,第一终端1000与秘钥服务器1200、第一终端1000与存储服务器1300、第二终端1100与秘钥服务器1200、第二终端1100与存储服务器1300之间可存在通信连接,例如无线连接,可实现上述设备之间的数据通信。下面展开描述。FIG. 8 shows an embodiment of the first terminal 1000 , the second terminal 1100 , the key server 1200 , and the storage server 1300 provided by an embodiment of the present invention, and a schematic structural diagram of a communication system formed by the four. As shown in FIG. 8, there may be communication connections between the first terminal 1000 and the key server 1200, the first terminal 1000 and the storage server 1300, the second terminal 1100 and the key server 1200, and the second terminal 1100 and the storage server 1300, For example, a wireless connection enables data communication between the above-mentioned devices. The description is expanded below.
As shown in FIG. 8, the first terminal 1000 may include an encryption/decryption module 1002 and a communication module 1003; in a possible embodiment, the first terminal further includes a segmentation module 1001. The encryption/decryption module 1002 may run on the processor 4101 described in the embodiment of FIG. 4 above, the communication unit 1003 may be implemented by the radio frequency module 412 described in FIG. 4, and the segmentation module 1001 may run on the processor 4101 described in the embodiment of FIG. 4, wherein:
The communication module 1003 may be configured to send first ciphertext information to the key server; the first ciphertext information is obtained by the first terminal encrypting a first password with the public key from the key server;
The communication module 1003 may be configured to receive the second ciphertext information sent by the key server; the second ciphertext information is obtained by the key server, after it decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password, by encrypting the key server's second password according to the first password;
The encryption/decryption module 1002 may be configured to decrypt the second ciphertext information according to the first password to obtain the second password;
The communication module 1003 may be configured to send data encrypted with the second password to the storage server.
In a possible embodiment, the data is video data, and the video data encrypted with the second password is delivered through the storage server to the second terminal for decryption and playback.
In a possible embodiment, the segmentation module 1001 may be configured to obtain multiple video block data from the original video data before the communication module 1003 sends the video data encrypted with the second password to the storage server; correspondingly, the communication module 1003 may be configured to send to the storage server the video block data, each encrypted with the second password.
In a possible embodiment, the video data encrypted with the second password is at least one video block data of the original video data.
In a possible embodiment, the segmentation module 1001 may be configured to split the original video data according to blocking rule information from the storage server to obtain the multiple video block data; the blocking rule information is determined according to the network bandwidth between the first terminal and the storage server.
In a possible embodiment, the communication module 1003 may be configured to, before sending the first ciphertext information to the key server, receive an access password sent by the authentication server, the access password being generated by the authentication server according to the login information of the first terminal; send to the key server a request for obtaining the public key, the request including the access password; and, when the key server successfully verifies the access password through the authentication server, receive the public key sent by the key server.
In a possible embodiment, the communication module 1003 may be configured to send the access password to the key server together with the first ciphertext information; correspondingly, the communication module 1003 being configured to receive the second ciphertext information sent by the key server specifically means that the communication module 1003 may be configured to receive the second ciphertext information sent by the key server when the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the login information of the first terminal and the login information of the second terminal are the same.
In a possible embodiment, the first password is a password generated by the encryption/decryption module 1002 from a random number.
As shown in FIG. 8, the second terminal 1100 may include a communication module 1101 and an encryption/decryption module 1102; in a possible embodiment, the first terminal further includes a playback module 1103. The communication unit 1101 may be implemented by the radio frequency module 412 described in FIG. 4, the encryption/decryption module 1102 may run on the processor 4101 described in the embodiment of FIG. 4, and the playback module 1103 may be implemented by the display device 413 described in FIG. 4, wherein:
The communication module 1101 may be configured to send first ciphertext information to the key server; the first ciphertext information is obtained by the second terminal encrypting a first password with the public key from the key server;
The communication module 1101 may be configured to receive the second ciphertext information sent by the key server; the second ciphertext information is obtained by the key server, after it decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password, by encrypting the key server's second password according to the first password;
The encryption/decryption module 1102 may be configured to decrypt the second ciphertext information according to the first password to obtain the second password of the key server;
The encryption/decryption module 1102 decrypts the encrypted data from the storage server according to the second password of the key server.
In a possible embodiment, the encrypted data was encrypted by the first terminal according to the second password of the key server and sent to the storage server.
In a possible embodiment, the encrypted data is video data encrypted by the first terminal according to the second password of the key server; the playback module 1103 may be configured to play the decrypted video data after the encryption/decryption module 1102 decrypts the encrypted data from the storage server according to the second password of the key server.
In a possible embodiment, the encrypted video data is obtained by the first terminal separately encrypting each video block data of the original video data according to the second password.
In a possible embodiment, the encrypted video data is obtained by the first terminal encrypting at least one video block data of the original video data according to the second password.
In a possible embodiment, the communication module 1101 may be configured to, before the encryption/decryption module 1102 decrypts the encrypted data from the storage server according to the second password of the key server, send to the storage server a request for obtaining one encrypted video block data, where the one encrypted video block data is one of the encrypted video block data and the one video block data is determined by the second terminal based on a user input instruction; and receive the one encrypted video block data from the storage server.
In a possible embodiment, the communication module 1101 may be configured to, before the second terminal sends the first ciphertext information to the key server, receive an access password sent by the authentication server, the access password being generated by the authentication server according to the login information of the second terminal; send to the key server a request for obtaining the public key, the request including the access password; and, when the key server successfully verifies the access password through the authentication server, receive the public key sent by the key server.
In a possible embodiment, the communication module 1101 may be configured to send the access password to the key server together with the first ciphertext information; correspondingly, the communication module 1101 being configured to receive the second ciphertext information sent by the key server specifically means that the communication module 1101 may be configured to receive the second ciphertext information sent by the key server when the key server successfully verifies the access password through the authentication server.
In a possible embodiment, the login information of the second terminal is the same as the login information of the first terminal.
As shown in FIG. 8, the key server 1200 may include a communication module 1201 and an encryption/decryption module 1202, wherein:
The communication module 1201 may be configured to receive first ciphertext information sent by a terminal; the first ciphertext information is obtained by the terminal encrypting the terminal's first password with the public key from the key server;
The encryption/decryption module 1202 may be configured to decrypt the first ciphertext information with the private key corresponding to the public key to obtain the first password;
The communication module 1201 may be configured to send second ciphertext information to the terminal; the second ciphertext information is obtained by encrypting, according to the first password, the second password generated by the key server, and the second password is used to protect the security of the terminal's data.
In a possible embodiment, the data is video data, and the second password is used by the terminal to encrypt the video data and send it to a storage server.
In a possible embodiment, the data is video data, and the second password is used by the terminal to decrypt the encrypted video data from the storage server.
In a possible embodiment, the communication module 1201 may be configured to, before receiving the first ciphertext information sent by the terminal, receive a request sent by the terminal for obtaining the public key, the request including an access password that the authentication server generated in advance according to the login information of the terminal and sent to the terminal; and, when the access password is successfully verified through the authentication server, send the public key to the terminal.
In a possible embodiment, the communication module 1201 may be configured to receive the access password together with the first ciphertext information sent by the terminal; correspondingly, the communication module 1201 being configured to send the second ciphertext information to the terminal specifically means that the communication module 1201 may be configured to send the second ciphertext information to the terminal when the access password is successfully verified through the authentication server.
In a possible embodiment, the second password is a password generated by the encryption/decryption module 1202 from a random number.
As shown in FIG. 8, the storage server 1300 may include a communication module 1301 and a storage module 1302, wherein:
The communication module 1301 may be configured to receive data encrypted with the second password and sent by the first terminal;
The communication module 1301 may be configured to send the data encrypted with the second password to the second terminal;
The storage module 1302 may be configured to store, in a database, the data encrypted with the second password and sent by the first terminal.
Note that for content not mentioned in the FIG. 8 embodiment and for the specific implementation of each functional module, refer to the descriptions of the FIG. 6 and FIG. 7 embodiments. For example, in FIG. 6, for the first terminal 1000, the encryption/decryption module 1002 may perform steps 602 and 608, and the communication module 1003 may perform steps 601, 603 and 607; for the second terminal 1100, the communication module 1101 may perform steps 701, 703, 707 and 709, and the encryption/decryption module 1102 may perform steps 702, 708 and 710; for the key server 1200, the communication module 1201 may perform steps 601, 603, 607, 701, 703 and 707, and the encryption/decryption module 1202 may perform steps 604, 605, 606, 704, 705 and 706; for the storage server 1300, the communication module 1301 may perform steps 609 and 709, and the storage module 1302 may store the encrypted data of step 609. For brevity, details are not repeated here.
Taking the FIG. 6 embodiment as an example, the following describes in detail how the modules of the first terminal 1000 cooperate with the modules of the key server 1200, and how the modules of the second terminal 1100 cooperate with the modules of the key server 1200, in the embodiments of the present invention; see FIG. 9 and FIG. 10.
Referring to FIG. 9, the following mainly describes the interaction between the internal modules of the first terminal and the internal components of the key server.
1401. The communication module 1003 sends a public key request to the communication module 1201.
1402. The communication module 1201 sends the public key to the communication module 1003.
1403. The encryption/decryption module 1002 generates the first password and encrypts it with the public key obtained from the communication module 1003 to obtain the first ciphertext information.
1404. The communication module 1003 sends the first ciphertext information to the communication module 1201.
1405. The encryption/decryption module 1202 decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password.
1406. The encryption/decryption module 1202 encrypts the second password according to the first password to obtain the second ciphertext information.
1407. The communication module 1201 sends the second ciphertext information to the communication module 1003.
1408. The encryption/decryption module 1002 decrypts the second ciphertext information according to the first password to obtain the second password.
1409. The encryption/decryption module 1002 sends the second password to the segmentation module 1001 inside the first terminal.
1410. The segmentation module 1001 splits the original video data into multiple video block data and encrypts the multiple video block data according to the second password.
1411. The communication module 1003 sends the video block data encrypted with the second password to the storage server.
1412. The storage server stores the encrypted video block data.
Referring to FIG. 10, the following mainly describes the interaction between the internal modules of the second terminal and the internal components of the key server.
1501. The communication module 1101 sends a public key request to the communication module 1201.
1502. The communication module 1201 sends the public key to the communication module 1101.
1503. The encryption/decryption module 1102 generates the first password and encrypts it with the public key obtained from the communication module 1101 to obtain the first ciphertext information.
1504. The communication module 1101 sends the first ciphertext information to the communication module 1201.
1505. The encryption/decryption module 1202 decrypts the first ciphertext information with the private key corresponding to the public key to obtain the first password.
1506. The encryption/decryption module 1202 encrypts the second password according to the first password to obtain the second ciphertext information.
1507. The communication module 1201 sends the second ciphertext information to the communication module 1101.
1508. The encryption/decryption module 1102 decrypts the second ciphertext information according to the first password to obtain the second password.
1509. The encryption/decryption module 1102 sends the second password to the playback module 1103 inside the second terminal 1100.
1510. The playback module 1103 sends a request to download video block data to the storage server through the communication module.
1511. The storage server sends the encrypted video block data to the communication module 1101.
1512. The playback module 1101 decrypts the encrypted video block data according to the second password.
1513. The playback module 1101 plays the decrypted video block data.
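The following Python sketch is an added example, not code from the patent: it walks through the second-password wrap (steps 1406/1408 and 1506/1508), per-block encryption on upload (steps 1410-1411), and the key-frame seek that fetches and decrypts a single block (steps 1510-1512). The patent names no cipher, key derivation or integrity check, so the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for an AEAD such as AES-GCM, the block-index label is an assumption added so that a substituted block is rejected, and all function names are hypothetical. The public-key transport of the first password (steps 1403-1405) is left out.

```python
import hashlib
import hmac
import secrets

CHUNK_SIZE = 4096  # bytes per block, the size used in the description's worked example
TAG_LEN, NONCE_LEN = 32, 16


def _subkeys(password):
    # Assumption: the page names no KDF; derive separate encryption and MAC keys.
    return (hmac.new(password, b"enc", hashlib.sha256).digest(),
            hmac.new(password, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: standard-library stand-in for a real stream cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key, label, nonce, body):
    # Length-prefix the label so (label, nonce, body) cannot be re-split ambiguously.
    msg = len(label).to_bytes(2, "big") + label + nonce + body
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(password, label, plaintext):
    """Encrypt-then-MAC. `label` binds the ciphertext to its role, e.g. a block index."""
    enc_key, mac_key = _subkeys(password)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + body + _tag(mac_key, label, nonce, body)


def unseal(password, label, blob):
    """Verify the tag first; raise ValueError on any mismatch, then decrypt."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(password)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, label, nonce, body)):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def block_label(index):
    return b"video-block:" + index.to_bytes(8, "big")


def block_index(byte_offset, chunk_size=CHUNK_SIZE):
    """0-based index of the block containing byte_offset (41000 -> 10, the 11th block)."""
    return byte_offset // chunk_size


def wrap_second_password(first_password, second_password):
    """Key server, steps 1406/1506: encrypt the second password under the first."""
    return seal(first_password, b"second-password", second_password)


def unwrap_second_password(first_password, blob):
    """Terminal, steps 1408/1508: recover the second password."""
    return unseal(first_password, b"second-password", blob)


def upload(second_password, video, chunk_size=CHUNK_SIZE):
    """First terminal, steps 1410-1411: split, then encrypt every block independently."""
    store = {}
    for start in range(0, len(video), chunk_size):
        idx = start // chunk_size
        store[idx] = seal(second_password, block_label(idx), video[start:start + chunk_size])
    return store  # what the storage server holds: ciphertext only


def seek(second_password, store, keyframe_offset, chunk_size=CHUNK_SIZE):
    """Second terminal, steps 1510-1512: fetch and decrypt only the key frame's block."""
    idx = block_index(keyframe_offset, chunk_size)
    plain = unseal(second_password, block_label(idx), store[idx])
    return idx, plain[keyframe_offset % chunk_size:]


if __name__ == "__main__":
    first_pw = secrets.token_bytes(32)   # terminal-generated random first password
    second_pw = secrets.token_bytes(32)  # key-server-generated random second password
    recovered = unwrap_second_password(first_pw, wrap_second_password(first_pw, second_pw))
    video = bytes(i % 251 for i in range(50000))  # constructed sample "video"
    store = upload(recovered, video)
    idx, tail = seek(recovered, store, 41000)
    print(idx, tail == video[41000:45056])
    store[10] = store[3]  # storage server substitutes a different block
    try:
        seek(recovered, store, 41000)
    except ValueError as err:
        print("rejected:", err)
```

Because every block is sealed on its own, a seek costs one block download and one decryption regardless of file size, and a block returned under the wrong index fails verification before any plaintext is produced.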
Note that FIG. 9 is only one implementation of the embodiments of the present invention; in practical applications, the first terminal 1000 or the key server 1200 may include more or fewer components, which is not limited here. Likewise, FIG. 10 is only one implementation of the embodiments of the present invention; in practical applications, the second terminal 1100 or the key server 1200 may include more or fewer components, which is not limited here.
The embodiments described above may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions; when the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (for example, coaxial cable, optical fiber, digital subscriber line) or wirelessly (for example, infrared, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk, or magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid-state drive), and so on.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910329967.7A CN110138749B (en) | 2019-04-23 | 2019-04-23 | Data security protection method and related equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910329967.7A CN110138749B (en) | 2019-04-23 | 2019-04-23 | Data security protection method and related equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110138749A (en) | 2019-08-16 |
CN110138749B (en) | 2021-12-21 |
Family
ID=67570885
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910329967.7A Active CN110138749B (en) | Data security protection method and related equipment | 2019-04-23 | 2019-04-23 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110138749B (en) |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110769306A (en) * | 2019-10-12 | 2020-02-07 | 北京达佳互联信息技术有限公司 | Subtitle decryption method and device, client and storage medium |
CN110795745A (en) * | 2019-10-14 | 2020-02-14 | 山东药品食品职业学院 | A server-based information storage and transmission system and method thereof |
CN111193659A (en) * | 2019-12-30 | 2020-05-22 | 广东盈世计算机科技有限公司 | File processing method and device based on instant chat tool |
CN111510745A (en) * | 2020-03-27 | 2020-08-07 | 曹新 | Internet video data encryption transmission method |
CN112235299A (en) * | 2020-10-14 | 2021-01-15 | 杭州海康威视数字技术股份有限公司 | Data encryption and decryption method, device, equipment, system and medium |
CN112447007A (en) * | 2019-08-28 | 2021-03-05 | 富士电机株式会社 | Vending machine and service management method |
CN112528311A (en) * | 2020-12-23 | 2021-03-19 | 杭州海康汽车软件有限公司 | Data management method and device and terminal |
CN112612976A (en) * | 2020-12-18 | 2021-04-06 | 深圳前海微众银行股份有限公司 | Data processing method, device, equipment and storage medium |
CN113091224A (en) * | 2021-04-07 | 2021-07-09 | 青岛海信日立空调系统有限公司 | Air conditioning device and air conditioning control device |
CN113752963A (en) * | 2020-06-02 | 2021-12-07 | 汽车科睿特股份有限责任公司 | Vehicle information processing apparatus and method of operating the same |
CN114244551A (en) * | 2021-09-28 | 2022-03-25 | 自然资源部第三地形测量队 | Data application protection method and device and field painting checking method |
CN114422233A (en) * | 2022-01-17 | 2022-04-29 | 中国科学院软件研究所 | Login method and system for private device |
CN114760500A (en) * | 2022-03-24 | 2022-07-15 | 海南乾唐视联信息技术有限公司 | Audio and video data encryption method and device |
CN115174043A (en) * | 2019-12-31 | 2022-10-11 | 华为技术有限公司 | Method for sharing equipment and electronic equipment |
CN115189953A (en) * | 2022-07-13 | 2022-10-14 | 深圳微言科技有限责任公司 | Two-way communication device based on privacy protection |
WO2023015771A1 (en) * | 2021-08-09 | 2023-02-16 | 北京卓越乐享网络科技有限公司 | Information publication method and apparatus, and electronic device and storage medium |
CN116032504A (en) * | 2021-10-26 | 2023-04-28 | 北京小米移动软件有限公司 | Data decryption method, device and storage medium |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103078841A (en) * | 2012-12-03 | 2013-05-01 | 厦门市美亚柏科信息股份有限公司 | Method and system for preventive electronic data security |
CN103685162A (en) * | 2012-09-05 | 2014-03-26 | 中国移动通信集团公司 | File storing and sharing method |
CN105898376A (en) * | 2015-12-11 | 2016-08-24 | 乐视网信息技术(北京)股份有限公司 | Online video stream play method, device and system |
CN106534092A (en) * | 2016-11-02 | 2017-03-22 | 西安电子科技大学 | Message-based and key-dependent privacy data encryption method |
CN106611128A (en) * | 2016-07-19 | 2017-05-03 | 四川用联信息技术有限公司 | Secondary encryption-based data validation and data recovery algorithm in cloud storage |
US20180183769A1 (en) * | 2016-12-23 | 2018-06-28 | Industrial Technology Research Institute | Control system and control method |
CN108259609A (en) * | 2018-01-20 | 2018-07-06 | 福建省数字福建云计算运营有限公司 | The management method and Cloud Server of a kind of family high in the clouds data |
CN108471404A (en) * | 2018-02-28 | 2018-08-31 | 深圳市达仁基因科技有限公司 | File sharing method, device, computer equipment and storage medium |
CN108737394A (en) * | 2018-05-08 | 2018-11-02 | 腾讯科技(深圳)有限公司 | Off-line verification system, barcode scanning equipment and server |
CN108900869A (en) * | 2018-05-04 | 2018-11-27 | 烽火通信科技股份有限公司 | A kind of communication group information encryption and decryption method and system |
2019-04-23 CN CN201910329967.7A patent/CN110138749B/en Active
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112447007A (en) * | 2019-08-28 | 2021-03-05 | 富士电机株式会社 | Vending machine and service management method |
CN110769306A (en) * | 2019-10-12 | 2020-02-07 | 北京达佳互联信息技术有限公司 | Subtitle decryption method and device, client and storage medium |
CN110769306B (en) * | 2019-10-12 | 2023-05-09 | 北京达佳互联信息技术有限公司 | Subtitle decryption method and device, client and storage medium |
CN110795745A (en) * | 2019-10-14 | 2020-02-14 | 山东药品食品职业学院 | A server-based information storage and transmission system and method thereof |
CN111193659A (en) * | 2019-12-30 | 2020-05-22 | 广东盈世计算机科技有限公司 | File processing method and device based on instant chat tool |
CN115174043A (en) * | 2019-12-31 | 2022-10-11 | 华为技术有限公司 | Method for sharing equipment and electronic equipment |
CN115174043B (en) * | 2019-12-31 | 2024-07-05 | 华为技术有限公司 | Method for sharing equipment and electronic equipment |
CN111510745A (en) * | 2020-03-27 | 2020-08-07 | 曹新 | Internet video data encryption transmission method |
CN111510745B (en) * | 2020-03-27 | 2021-01-19 | 曹新 | Internet video data encryption transmission method |
CN113752963A (en) * | 2020-06-02 | 2021-12-07 | 汽车科睿特股份有限责任公司 | Vehicle information processing apparatus and method of operating the same |
CN112235299A (en) * | 2020-10-14 | 2021-01-15 | 杭州海康威视数字技术股份有限公司 | Data encryption and decryption method, device, equipment, system and medium |
CN112612976A (en) * | 2020-12-18 | 2021-04-06 | 深圳前海微众银行股份有限公司 | Data processing method, device, equipment and storage medium |
CN112528311B (en) * | 2020-12-23 | 2024-02-20 | 杭州海康汽车软件有限公司 | Data management method, device and terminal |
CN112528311A (en) * | 2020-12-23 | 2021-03-19 | 杭州海康汽车软件有限公司 | Data management method and device and terminal |
CN113091224A (en) * | 2021-04-07 | 2021-07-09 | 青岛海信日立空调系统有限公司 | Air conditioning device and air conditioning control device |
WO2023015771A1 (en) * | 2021-08-09 | 2023-02-16 | 北京卓越乐享网络科技有限公司 | Information publication method and apparatus, and electronic device and storage medium |
CN114244551A (en) * | 2021-09-28 | 2022-03-25 | 自然资源部第三地形测量队 | Data application protection method and device and field painting checking method |
CN114244551B (en) * | 2021-09-28 | 2024-01-30 | 自然资源部第三地形测量队 | Data application protection method, equipment and wild external painting verification method |
CN116032504A (en) * | 2021-10-26 | 2023-04-28 | 北京小米移动软件有限公司 | Data decryption method, device and storage medium |
CN114422233B (en) * | 2022-01-17 | 2023-01-13 | 中国科学院软件研究所 | Login method and system of private device |
CN114422233A (en) * | 2022-01-17 | 2022-04-29 | 中国科学院软件研究所 | Login method and system for private device |
CN114760500A (en) * | 2022-03-24 | 2022-07-15 | 海南乾唐视联信息技术有限公司 | Audio and video data encryption method and device |
CN114760500B (en) * | 2022-03-24 | 2024-09-13 | 海南乾唐视联信息技术有限公司 | Audio and video data encryption method and device |
CN115189953A (en) * | 2022-07-13 | 2022-10-14 | 深圳微言科技有限责任公司 | Two-way communication device based on privacy protection |
CN115189953B (en) * | 2022-07-13 | 2024-02-06 | 深圳微言科技有限责任公司 | Two-way communication device based on privacy protection |
Also Published As
Publication number | Publication date |
---|---|
CN110138749B (en) | 2021-12-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110138749B (en) | | Data security protection method and related equipment |
US11509485B2 (en) | | Identity authentication method and system, and computing device |
CN110892672B (en) | | Key authentication assertion generation providing device anonymity |
CN112596802B (en) | | An information processing method and device |
CN111193695B (en) | | Encryption method and device for third party account login and storage medium |
US10104093B2 (en) | | Apparatus and method for securely managing the accessibility to content and applications |
US10469469B1 (en) | | Device-based PIN authentication process to protect encrypted data |
CN110492990B (en) | | Private key management method, device and system in blockchain scenario |
KR101941049B1 (en) | | Method and system for encrypted communications |
US12381728B2 (en) | | Accessory assisted account recovery |
US10601590B1 (en) | | Secure secrets in hardware security module for use by protected function in trusted execution environment |
CN113259301A (en) | | Account data sharing method and electronic equipment |
CN108989848A (en) | | A kind of acquisition methods and management system of video resource file |
KR20210022157A (en) | | Synchronization and verification groups among related devices |
CN113454626B (en) | | Secure offline streaming of content |
US11159329B2 (en) | | Collaborative operating system |
US20160180102A1 (en) | | Computer program, method, and system for secure data management |
JP6756056B2 (en) | | Cryptographic chip by identity verification |
WO2016105917A1 (en) | | Protected media decoding system supporting metadata |
WO2022237379A1 (en) | | Screen projection method and electronic device |
JP6172866B2 (en) | | Agent for providing security cloud service and security key device for security cloud service |
CN112565656B (en) | | Video call method, device, system, electronic equipment and storage medium |
CN105391673A (en) | | Safe access method and device |
KR101701625B1 (en) | | Method and system for reproducing contents by secure acquiring decryption key for encrypted contents |
CN109600631B (en) | | Video file encryption and publishing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | TR01 | Transfer of patent right | Effective date of registration: 20220510; Address after: 523799 Room 101, building 4, No. 15, Huanhu Road, Songshanhu Park, Dongguan City, Guangdong Province; Patentee after: Petal cloud Technology Co.,Ltd.; Address before: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province; Patentee before: HUAWEI DEVICE Co.,Ltd. Effective date of registration: 20220510; Address after: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province; Patentee after: HUAWEI DEVICE Co.,Ltd.; Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen; Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |
TR01 | Transfer of patent right |