Data desensitization in a Spring Boot project

1. What is data desensitization

Data desensitization (data masking) is a data protection technique that hides or replaces sensitive data to protect its privacy and security, while preserving the usability and format of the data as far as possible.

The purpose of data desensitization is to protect sensitive data while it is used and shared, and to prevent sensitive information from being leaked, misused or accessed without authorization. Common sensitive data include personal ID number, name, mobile phone number, bank account number, social security number, etc.

Example:

Type        Raw data            Desensitized data
Cell phone  13248765917         132****5917
ID card     530321199204074611  530321**********11
Bank card   9988002866797031    998800********31

Data desensitization can be achieved by:

Replacement: Replace sensitive data with forged data that conforms to the specified format, such as replacing real names with randomly generated names, replacing mobile phone numbers with randomly generated mobile phone numbers, etc.

Shielding: Shield sensitive data and only display part of the information, such as hiding part of the ID card number, hiding the last few digits of the bank account number, etc.

Encryption: Encrypt sensitive data, and only users with corresponding permissions can decrypt and view real data.

2. The main purpose and benefits of data desensitization

  • Data protection: Through desensitization technology, ensure that sensitive data is effectively protected during data processing, storage and transmission, and reduce the risk of data leakage and abuse.

  • Compliance requirements: Many industries and regulations have strict requirements for the protection of sensitive data, such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), etc. Data masking can help organizations comply with relevant regulations and compliance requirements.

  • Sharing and analysis: Data desensitization allows for less exposure of sensitive information and protection of user privacy when sharing data or performing data analysis, while still enabling effective data processing and analysis.

  • Testing and development: During testing and development, using desensitized data can reduce reliance on real sensitive data, protect data security, and still enable system function and performance testing.

3. Implementing data desensitization

1) Commonly used third-party Java packages for data desensitization

  1. Apache Commons Text:
    Apache Commons Text is a project of the Apache Software Foundation that provides a variety of text processing tools. The RandomStringUtils class can be used to generate random strings to replace sensitive data and realize data desensitization.

  2. Jasypt (Java Simplified Encryption):
    Jasypt is a Java encryption library that provides the function of data desensitization. It supports encryption, decryption, and desensitization of sensitive data, including operations such as replacement, masking, and encryption.

  3. DataMasking:
    DataMasking is an open source Java library that focuses on data masking. It provides a series of annotations and tool classes that can be used to replace, mask, encrypt, etc. sensitive data.

  4. MaskFormatter (javax.swing.text.MaskFormatter):
    MaskFormatter is a class in the Java standard library for formatting text. It can desensitize sensitive data by specifying a format, such as by replacing some or all of the sensitive data with placeholders or specific characters.

2) Desensitization tools

Hutool provides the DesensitizedUtil desensitization utility class, which supports desensitization of user ID, Chinese name, ID card, landline number, mobile phone number, address, email, password, license plate, and bank card number.
It is used as follows (the result of each call is shown in the trailing comment):

DesensitizedUtil.desensitized("100", DesensitizedUtil.DesensitizedType.USER_ID); // "0"
DesensitizedUtil.desensitized("段正淳", DesensitizedUtil.DesensitizedType.CHINESE_NAME); // "段**"
DesensitizedUtil.desensitized("51343620000320711X", DesensitizedUtil.DesensitizedType.ID_CARD); // "5***************1X"
DesensitizedUtil.desensitized("09157518479", DesensitizedUtil.DesensitizedType.FIXED_PHONE); // "0915*****79"
DesensitizedUtil.desensitized("18049531999", DesensitizedUtil.DesensitizedType.MOBILE_PHONE); // "180****1999"
DesensitizedUtil.desensitized("北京市海淀区马连洼街道289号", DesensitizedUtil.DesensitizedType.ADDRESS); // "北京市海淀区马********"
DesensitizedUtil.desensitized("[email protected]", DesensitizedUtil.DesensitizedType.EMAIL); // "d*************@gmail.com.cn"
DesensitizedUtil.desensitized("1234567890", DesensitizedUtil.DesensitizedType.PASSWORD); // "**********"
DesensitizedUtil.desensitized("苏D40000", DesensitizedUtil.DesensitizedType.CAR_LICENSE); // "苏D4***0"
DesensitizedUtil.desensitized("11011111222233333256", DesensitizedUtil.DesensitizedType.BANK_CARD); // "1101 **** **** **** 3256"
DesensitizedUtil.desensitized("192.168.1.1", DesensitizedUtil.DesensitizedType.IPV4); // "192.*.*.*"

3) Implementing custom desensitization

  • Create a custom desensitization enumeration class:
    Define an enumeration of sensitive fields here, and set the desensitization strategy for each field.
import java.util.function.Function;

public enum SensitiveEnum {

    /**
     * User name
     */
    USERNAME(s -> s.replaceAll("\\S*(\\S)", "***$1")),
    /**
     * ID card
     */
    ID_CARD(s -> s.replaceAll("(\\d{4})\\d{10}(\\w{4})", "$1****$2")),
    /**
     * Mobile phone number
     */
    PHONE(s -> s.replaceAll("(\\d{3})\\d{4}(\\d{4})", "$1****$2")),
    /**
     * Address
     */
    ADDRESS(s -> s.replaceAll("(\\S{3})\\S{2}(\\S*)\\S{2}", "$1****$2****"));

    // Masking function applied to the raw field value
    private final Function<String, String> desensitizer;

    SensitiveEnum(Function<String, String> desensitizer) {
        this.desensitizer = desensitizer;
    }

    public Function<String, String> desensitizer() {
        return desensitizer;
    }
}
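  • Create a serialization class, SensitiveSerializer:
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.BeanProperty;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.ContextualSerializer;

import java.io.IOException;
import java.util.Objects;

public class SensitiveSerializer extends JsonSerializer<String> implements ContextualSerializer {

   // Strategy read from the @SensitiveData annotation on the field being serialized
   private SensitiveEnum sensitiveEnum;

   @Override
   public void serialize(String value, JsonGenerator gen, SerializerProvider serializers) throws IOException {
       // Write the masked value instead of the raw one
       gen.writeString(sensitiveEnum.desensitizer().apply(value));
   }

   @Override
   public JsonSerializer<?> createContextual(SerializerProvider prov, BeanProperty property) throws JsonMappingException {
       SensitiveData annotation = property.getAnnotation(SensitiveData.class);
       // Only annotated String fields are masked
       if (Objects.nonNull(annotation) && Objects.equals(String.class, property.getType().getRawClass())) {
           this.sensitiveEnum = annotation.strategy();
           return this;
       }

       // Anything else falls back to the default serializer
       return prov.findValueSerializer(property.getType(), property);
   }
}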

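  • Define the SensitiveData annotation
import com.fasterxml.jackson.annotation.JacksonAnnotationsInside;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@JacksonAnnotationsInside
@JsonSerialize(using = SensitiveSerializer.class)
public @interface SensitiveData {
    // Desensitization strategy to apply to the annotated field
    SensitiveEnum strategy();
}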
  • Define the returned result entity class
    Create an entity class containing sensitive data fields, and add @SensitiveData annotations on the fields that need to be desensitized.
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;

@Data
@NoArgsConstructor
@AllArgsConstructor
public class UserVO {

    private Integer id;

    @SensitiveData(strategy = SensitiveEnum.USERNAME)
    private String username;

    @SensitiveData(strategy = SensitiveEnum.PHONE)
    private String tel;

    // Not annotated, so it is serialized unmasked
    private String email;

}

Create a controller to test the returned result

    @GetMapping("test")
    public Object getTest() {
        UserVO u = new UserVO();
        u.setId(1);
        u.setUsername("张老三");
        u.setTel("13555551111");
        u.setEmail("[email protected]");
        // The annotated fields are masked when Jackson serializes the returned object
        return u;
    }

Through the above steps, you can implement data desensitization in Spring Boot.
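
The regex strategies in the enum above return the input unchanged when the pattern does not match, so a value in an unexpected format is serialized unmasked. The following added example (not code from the original post; the `strict` helper, the class name and the sample values are assumptions made for illustration) compares the post's PHONE strategy with a fail-closed variant that never returns the raw input:

```java
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FailClosedMaskDemo {

    // The PHONE strategy exactly as written in the post's enum.
    static final Function<String, String> PAGE_PHONE =
            s -> s.replaceAll("(\\d{3})\\d{4}(\\d{4})", "$1****$2");

    // Hypothetical helper (not part of the post): apply the replacement only when the
    // whole value has the expected shape; otherwise return a fixed mask, never the input.
    static Function<String, String> strict(String regex, String replacement) {
        // \A ... \z anchor the pattern to the entire string; (?:...) keeps $1/$2 numbering.
        Pattern pattern = Pattern.compile("\\A(?:" + regex + ")\\z");
        return s -> {
            if (s == null) {
                return null;
            }
            Matcher m = pattern.matcher(s);
            return m.matches() ? m.replaceFirst(replacement) : "******";
        };
    }

    static final Function<String, String> STRICT_PHONE =
            strict("(\\d{3})\\d{4}(\\d{4})", "$1****$2");

    public static void main(String[] args) {
        // Constructed sample values: the first has the expected 11-digit form, the others
        // are formats a free-text "tel" field can contain.
        String[] samples = {"13555551111", "135-5555-1111", "+86 135 5555 1111", "1355555111"};
        for (String raw : samples) {
            System.out.printf("%-18s enum: %-18s strict: %s%n",
                    raw, PAGE_PHONE.apply(raw), STRICT_PHONE.apply(raw));
        }
    }
}
```

A function built with `strict` can be passed to an enum constant in place of the lambda, since both are `Function<String, String>`.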

Origin blog.csdn.net/weixin_44727769/article/details/131102469