CN109474423B - Data encryption and decryption method, server and storage medium - Google Patents

Data encryption and decryption method, server and storage medium Download PDF

Info

Publication number
CN109474423B
CN109474423B CN201811503032.8A CN201811503032A CN109474423B CN 109474423 B CN109474423 B CN 109474423B CN 201811503032 A CN201811503032 A CN 201811503032A CN 109474423 B CN109474423 B CN 109474423B
Authority
CN
China
Prior art keywords
key
ciphertext
encryption
decryption
version
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811503032.8A
Other languages
Chinese (zh)
Other versions
CN109474423A (en
Inventor
梁炳春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN201811503032.8A priority Critical patent/CN109474423B/en
Publication of CN109474423A publication Critical patent/CN109474423A/en
Application granted granted Critical
Publication of CN109474423B publication Critical patent/CN109474423B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a cryptographic technology, and provides a data encryption and decryption method, a server and a storage medium. The method comprises the following steps: setting an updating period of the key, and generating and storing a multi-version key; receiving a data encryption request which is sent by a user and comprises authentication information and data to be encrypted; distributing a key number to the data encryption request, and carrying out primary symmetric encryption on the data to be encrypted by using a current version key corresponding to the key number to obtain a first ciphertext; performing secondary symmetric encryption on the key number, the key version number of the current version key and the first ciphertext by using a key generated by the identity authentication information to obtain a second ciphertext; and receiving a data decryption request sent by the user, and performing reverse decryption operation on the second ciphertext to obtain a decryption result. The invention can realize the regular updating of the key and enhance the security of the key.

Description

Data encryption and decryption method, server and storage medium
Technical Field
The present invention relates to the field of cryptographic technologies, and in particular, to a data encryption and decryption method, a server, and a storage medium.
Background
With the development of computer technology and network technology, people have entered into the big data era, and in the face of massive data information of a large number of users, how to ensure the security of important data has become a key focus of attention in the technical field of information security.
On the one hand, the server generally has higher requirements in terms of stability and security, compared to a general PC. In actual work, in order to strengthen information security management, a client needs to be prevented from storing important data locally for a long time sometimes. On the other hand, in the conventional technology, an encryption and decryption algorithm can be used for processing data content to prevent an unauthorized user from acquiring the data content, while a currently used cryptosystem is composed of an algorithm and a key, the algorithm is mostly public, and the security of the cryptosystem mainly depends on the security of the key. In order to strengthen data security and information protection, the key needs to be strictly protected and needs to be replaced with a certain frequency, however, the existing cryptographic system with the function of dynamically updating the key usually has high system complexity.
However, most key management products only provide fixed long-term key management, so that there is a high risk of deciphering the key used in the network for a long time, which results in leakage of personal private information and immeasurable loss of personal safety, property safety and other aspects.
Disclosure of Invention
In view of the above, the present invention provides a data encryption and decryption method, a server, and a storage medium, and aims to improve security of a personal key, ensure security of personal information in a network, and improve security of data by changing a key without affecting use of a file operated by an old version key.
In order to achieve the above object, the present invention provides a data encryption and decryption method, including:
a key generation step: setting an updating period of the secret key, and randomly generating a new version secret key when the system time of the server reaches the updating period;
and a key storage step: encrypting the randomly generated key of each version by using a predetermined asymmetric encryption algorithm, and storing a key ciphertext obtained by encryption into a key storage table of a first database, wherein the key storage table comprises a key number field, a key version number field and a key ciphertext field, and each key number corresponds to at least one key version number and the key ciphertext;
a receiving step: receiving a data encryption request sent by a user, wherein the data encryption request comprises authentication information and data to be encrypted;
a first encryption step: distributing a key number to the data encryption request, decrypting by using a current version key ciphertext corresponding to the key number to obtain a key plaintext, and primarily encrypting the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext;
a second encryption step: secondly encrypting the distributed key number, the key version number corresponding to the current version key ciphertext and the first ciphertext by using a key generated by the identity verification information and a second symmetric encryption algorithm to obtain a second ciphertext; and
and (3) decryption: and when a decryption operation request of the user for the second ciphertext is received, performing reverse decryption operation on the second ciphertext twice to obtain a decryption result.
Preferably, the method comprises:
setting a capacity threshold of the key storage table;
and when the space size occupied by the key storage table is larger than the capacity threshold, deleting the old version keys stored in advance in sequence according to the sequence of storing the keys of each version until the ratio of the space size occupied by the key storage table to the capacity threshold is smaller than a preset percentage.
Optionally, the method may further include:
a ciphertext storage step: and storing the second ciphertext into a second database.
Optionally, the method may further include:
a sending step: and sending the second ciphertext to the user.
In addition, the present invention also provides a server, which includes a memory and a processor, wherein the memory includes a data encryption/decryption program, and the data encryption/decryption program implements the following steps when executed by the processor:
a key generation step: setting an updating period of the secret key, and randomly generating a new version secret key when the system time of the server reaches the updating period;
and a key storage step: encrypting the randomly generated key of each version by using a predetermined asymmetric encryption algorithm, and storing a key ciphertext obtained by encryption into a key storage table of a first database, wherein the key storage table comprises a key number field, a key version number field and a key ciphertext field, and each key number corresponds to at least one key version number and the key ciphertext;
a receiving step: receiving a data encryption request sent by a user, wherein the data encryption request comprises identity authentication information and data to be encrypted;
a first encryption step: distributing a key number to the data encryption request, decrypting by using a current version key ciphertext corresponding to the key number to obtain a key plaintext, and primarily encrypting the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext;
a second encryption step: secondly encrypting the distributed key number, the key version number corresponding to the current version key ciphertext and the first ciphertext by using a key generated by the identity verification information and a second symmetric encryption algorithm to obtain a second ciphertext; and
and (3) decryption: and when a decryption operation request of the user for the second ciphertext is received, performing reverse decryption operation on the second ciphertext twice to obtain a decryption result.
In addition, to achieve the above object, the present invention further provides a computer-readable storage medium including a data encryption and decryption program, which when executed by a processor implements any of the steps of the data encryption and decryption method described above.
In the invention, the generation and storage processes of all keys and the encryption and decryption processes using the keys are finished by the server, a user can perform data interaction with the server at a client, the data to be encrypted is stored in the server in a ciphertext mode, or the second ciphertext returned by the server is stored in a local client, when the data to be encrypted is needed, the second ciphertext is sent to the server for decryption, then the data to be encrypted returned by the server is received, the situation that the plaintext of the data to be encrypted is stored locally by the client for a long time is avoided, and the data security of the data to be encrypted is ensured. In addition, by adopting a key dynamic updating mechanism and combining a symmetric cryptosystem and an asymmetric cryptosystem, an illegal invader can be effectively prevented from carrying out destructive operation on large-scale data in the server in a key cracking mode, and the data security is further improved.
Drawings
FIG. 1 is a diagram of a server according to a preferred embodiment of the present invention;
FIG. 2 is a block diagram of a preferred embodiment of the data encryption/decryption process of FIG. 1;
FIG. 3 is a flowchart illustrating a data encryption/decryption method according to a first preferred embodiment of the present invention;
FIG. 4 is a flowchart illustrating a data encryption/decryption method according to a second preferred embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
The invention provides a server. The server can be one or more of a rack server, a blade server, a tower server or a cabinet server. Fig. 1 is a schematic diagram of a server 1 according to a preferred embodiment of the present invention. In an embodiment, the server 1 comprises a memory 11, a processor 12 and a network interface 13.
Wherein the memory 11 includes at least one type of readable storage medium. The at least one type of readable storage medium may be a non-volatile storage medium such as a flash memory, a hard disk, a multimedia card, a card-type memory, and the like. In some embodiments, the readable storage medium may be an internal storage unit of the server 1, such as a hard disk of the server 1. In other embodiments, the readable storage medium may also be an external memory 11 of the server 1, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like, provided on the server 1.
In this embodiment, the readable storage medium of the memory 11 is used for storing the data encryption and decryption program 10 and data generated in the encryption and decryption process, such as data to be encrypted, key numbers, user authentication information, and the like. The memory 11 may also be used for temporarily storing data that has been output or is to be output.
The processor 12 may be a Central Processing Unit (CPU), microprocessor or other data Processing chip in some embodiments, and is used for executing program codes stored in the memory 11 or Processing data, such as executing the data encryption/decryption program 10.
The network interface 13 may include a standard wired interface, a wireless interface (e.g., WI-FI interface). Typically for establishing a communication connection between the server 1 and other electronic devices.
Fig. 1 shows only the server 1 with components 11-13 and the data encryption/decryption program 10, but it should be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
In one embodiment, the processor 12 executes the data encryption/decryption program 10 stored in the memory 11 to implement the following steps:
a key generation step: setting an updating period of the secret key, and randomly generating a new version secret key when the system time of the server reaches the updating period;
and a key storage step: encrypting the randomly generated key of each version by using a predetermined asymmetric encryption algorithm, and storing a key ciphertext obtained by encryption into a key storage table of a first database, wherein the key storage table comprises a key number field, a key version number field and a key ciphertext field, and each key number corresponds to at least one key version number and the key ciphertext;
a receiving step: receiving a data encryption request sent by a user, wherein the data encryption request comprises authentication information and data to be encrypted;
a first encryption step: distributing a key number to the data encryption request, decrypting by using a current version key ciphertext corresponding to the key number to obtain a key plaintext, and primarily encrypting the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext;
a second encryption step: secondly encrypting the distributed key number, the key version number corresponding to the current version key ciphertext and the first ciphertext by using a key generated by the identity verification information and a second symmetric encryption algorithm to obtain a second ciphertext; and
and (3) decryption: and when a decryption operation request of the user for the second ciphertext is received, performing reverse decryption operation on the second ciphertext twice to obtain a decryption result.
The detailed principle is described with reference to the following block diagram of fig. 2 related to the data encryption/decryption program 10, and the flowcharts of fig. 3 and fig. 4 related to the data encryption/decryption method.
Referring to fig. 2, a block diagram of the data encryption/decryption program 10 of fig. 1 is shown. The data encryption/decryption program 10 is divided into a plurality of modules, which are stored in the memory 12 and executed by the processor 13, to accomplish the present invention. The modules referred to herein are referred to as a series of computer program instruction segments capable of performing specified functions.
The data encryption and decryption program 10 may be divided into: a generating module 110, a storing module 120, a receiving module 130, an encrypting module 140 and a decrypting module 150.
The generating module 110 is configured to set an update period of the key, and when the system time of the server reaches the update period, randomly generate a new version key. The new version key may be generated using a random string generator or a preset random number generation algorithm. For example, assuming that the period of server key update is set to 24 hours, the system randomly generates a new version of the key every 24 hours. There are many ways to generate the key, and the random string generator method and the random number algorithm generation method are commonly used. When the random character string generator is used for generating the key, keys of different versions can be randomly generated in an online mode of a webpage; when the key is generated using a preset random number algorithm, different keys are randomly generated by the rules of the algorithm. There are many ways of key generation, which will not be described herein.
The storage module 120 is configured to encrypt the randomly generated key of each version by using a predetermined asymmetric encryption algorithm, and store an encrypted key ciphertext into a key storage table of the first database, where the key storage table includes a key number field, a key version number field, and a key ciphertext field, and each key number corresponds to at least one key version number and the key ciphertext, where the asymmetric encryption algorithm is an Elliptic cryptograph (ECC).
ECC is a public key cryptosystem originally proposed by both Koblitz and Miller in 1985, and is based on the difficulty of computing discrete logarithms of ellipses on Abel additive groups using rational points on elliptic curves. Public key cryptosystems are generally classified into three categories according to the underlying problem: large integer decomposition problem class, discrete logarithm problem class, elliptic curve class. Elliptic curve classes are also sometimes classified as discrete logarithm classes. The elliptic encryption algorithm has the advantages that: firstly, the security is high, and studies show that the security of the 160-bit elliptic key is the same as that of the 1024-bit RSA key. And secondly, the processing speed is high, and the ECC algorithm is higher than RSA and DSA speeds in the encryption and decryption speed of the private key. And thirdly, the occupied storage space is small, and the bandwidth requirement is lower. For example, one of the generated keys is encrypted by an elliptic encryption algorithm to obtain a key ciphertext ENC _ DK, and the ENC _ DK is stored in a key storage table. Each key number in the key storage table has a corresponding key version number and a corresponding key ciphertext corresponding to the key number, and a one-to-many relationship exists. The version number of the key corresponding to the ciphertext ENC _ DK is version, and the number of the corresponding key is keyID. In addition, an RSA asymmetric encryption algorithm can be adopted, and one of the characteristics is that the mathematical principle is simple, the implementation is easy in engineering application, but the unit security intensity is relatively low. The mathematical theory of the ECC algorithm is very esoteric and complex, and is difficult to realize in engineering application, but the unit safety intensity of the ECC algorithm is relatively high. If the above-mentioned key is encrypted using the RSA algorithm, the security is lower than that using the ECC algorithm. The ECC encryption algorithm is small in calculation amount and fast in processing speed. Under certain same computing resource conditions, although the public key processing speed, namely the encryption and signature verification speed, can be increased in RSA to make it comparable to ECC in the encryption and signature verification speed, ECC is much faster than RSA in the processing speed (decryption and signature) of the private key. Meanwhile, the key generation speed of the ECC system is more than one hundred times faster than that of RSA, compared with an RSA encryption algorithm with 1024 bits, the signature time of the ECC encryption algorithm is 3.0ms, the key pair generation time is 3.8ms, but the RSA encryption algorithms respectively reach 228.4ms and 4708.3ms, so that the ECC encryption algorithm has higher encryption performance under the same condition. The main technical effect of the invention is to improve the security of data encryption, so the invention adopts the ECC algorithm for encryption better.
The first database may be a relational database, such as Oracle, DB2, microsoft SQL Server, microsoft Access, mySQL, or the like, and is configured to store data of a key storage table, where the key storage table includes a key number field, a key version number field, and a key ciphertext field.
In an embodiment, the key storage table has a corresponding capacity threshold, and when the size of the space occupied by the key storage table is greater than the capacity threshold, the old version keys stored in advance are sequentially deleted according to the storage sequence of the versions of the keys until the ratio of the size of the space occupied by the key storage table to the capacity threshold is smaller than a preset percentage. For example, the storage capacity threshold may be set to 20M, i.e., 20M of storage capacity is allocated in the storage capacity of the computer system for storing the key. The computer system may record the storage time of the key at the same time as the key is stored. Assume that the first stored key has a requirement of 0.7M for storage capacity and the second first stored key has a requirement of 0.5M for storage capacity. The key that has been currently stored occupies a storage capacity of 19M. And when the requirement of the updated key on the storage capacity is 0.5M, deleting the key stored firstly, and storing the updated key together with the rest of the old key after deleting the key stored firstly. And when the requirement of the updated key on the storage capacity is 1M, deleting the key stored firstly and the key stored secondly, and storing the updated key together with the key which is deleted firstly and the key which is remained after the key stored secondly is deleted in the old key. Due to the fact that the storage capacity threshold value is set, the storage capacity occupied by the updated key and the old key is limited to a reasonable level.
The receiving module 130 is configured to receive a data encryption request sent by a user, where the data encryption request includes authentication information and data to be encrypted. For example, the received key number is keyID. The identity authentication information is a unique identifier representing the identity of the user, such as an account and a password of the user, and the identity information of the user is authenticated through the account and the password of the user.
The encryption module 140 is configured to allocate a key number to the data encryption request, decrypt the key ciphertext of the current version corresponding to the key number to obtain a key plaintext, and primarily encrypt the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext; and secondly, carrying out secondary encryption on the distributed key number, the key version number corresponding to the current version key ciphertext and the first ciphertext by using a key generated by the identity authentication information and a second symmetric encryption algorithm to obtain a second ciphertext. For example, the key plaintext and the AES encryption algorithm are used to encrypt data to be encrypted for the first time to obtain a first ciphertext ENC _ DK, and then the key generated by the identity verification information and the AES encryption algorithm are used to encrypt the received key number keyID, the key version number version corresponding to the current version of the key ciphertext, and the first ciphertext ENC _ DK for the second time to obtain a second ciphertext. The second ciphertext may be stored in the first database, or may be stored in a second database independent of the first database, so as to improve the security of data storage. Of course, the first database and the second database may be of the same type or different types. For example, it may be any one or two of Oracle, DB2, microsoft SQL Server, microsoft Access, mySQL.
The first symmetric encryption algorithm may be any one of symmetric encryption algorithms such as DES, 3DES, IDEA, FEAL, BLOWFISH, AES, and the like. The 3DES is to encrypt a piece of data for three times by three different keys, the intensity is higher, the length of the key which can be encrypted is 112 bits or 168 bits, and the 3DES is characterized by low operation speed, moderate safety and high resource consumption; the AES is an advanced encryption standard, is an encryption algorithm standard of the next generation, is high in speed and security level, has the encryption key length of 128 bits, 192 bits and 256 bits, and is characterized by high operation speed, high security and low resource consumption. According to the comparison result of the two encryption algorithms, the AES algorithm has better performance, so the invention adopts the AES algorithm for encryption. The second encryption algorithm may be the same as or different from the first encryption algorithm.
In another embodiment, the second ciphertext of the encrypting step may further comprise: and performing secondary encryption on the distributed key number, the key version number corresponding to the current version key ciphertext, the first ciphertext and the salt value ciphertext by using a key generated by the identity verification information and a second symmetric encryption algorithm to obtain a second ciphertext. In this embodiment, the data format of the twice-encrypted object may be keyID & ENC _ DK & version & salt value. Wherein, keyID represents a key number, ENC _ DK represents a first ciphertext, version represents a key version number corresponding to the key used for the primary encryption, and the salt value is a random number generated by the server or a random character string stored by the server and input by the user. The salt value has the function of increasing the difficulty of the key to be cracked, so that the security of data encryption is improved. For example, if the server randomly generates 369, the key number of the receiving user is keyID, the first ciphertext is ENC _ DK, and the key version number is version, the format of the encrypted object of the secondary encryption is keyID & ENC _ DK & version &369, the randomness of the salt value is used to increase the difficulty of password cracking, and the security of the data is improved.
The decryption module 150 is configured to, when a decryption operation request of the user for the second ciphertext is received, perform reverse decryption operation on the second ciphertext twice to obtain a decryption result. Specifically, the second ciphertext is decrypted for the first time by using the key generated by the authentication information to obtain the corresponding key number, the key version number and the first ciphertext, the key of the corresponding version is obtained according to the key number and the key version number, and the first ciphertext is decrypted by using the key to obtain the data to be encrypted. For example, the second ciphertext is primarily decrypted by using the key generated by the authentication information to obtain a corresponding key number keyID, key version number version and first ciphertext ENC _ DK, the corresponding key is obtained according to the key number keyID and the key version number version, and the first ciphertext ENC _ DK is decrypted by using the key to obtain a decryption result.
Fig. 3 is a flowchart illustrating a data encryption and decryption method according to a first preferred embodiment of the present invention. When the processor 13 of the server 1 executes the data encryption and decryption program 10 stored in the memory 12, the following steps of the data encryption and decryption method are implemented:
and step S300, setting an updating period of the secret key, and randomly generating a new version secret key when the system time of the server reaches the updating period. The server can set a timer for the periodic update of the secret key, when the timer reaches the time of the secret key update, the timer is started, the data encryption and decryption program can execute the generation module, the task of updating the secret key is started, and the secret key of the new version is randomly generated.
Step S310, encrypting the randomly generated key of each version by using a predetermined asymmetric encryption algorithm, and storing the encrypted key ciphertext into a key storage table of the first database, wherein the key storage table comprises a key number field, a key version number field and a key ciphertext field, and each key number corresponds to at least one key version number and the key ciphertext. For example, the ECC asymmetric algorithm is adopted to encrypt the key of the new version, so that the calculation amount is small, the processing speed is high, and the storage efficiency of storing the key ciphertext into the key storage table is improved. And encrypting the randomly generated key by using an ECC asymmetric algorithm to obtain a key ciphertext, and storing the key ciphertext into a key storage table of a first database (for example, mySQL).
Step S320, receiving a data encryption request sent by a user, where the data encryption request includes authentication information and data to be encrypted. At this time, the data encryption and decryption program executes a receiving module, for example, to receive the data to be encrypted and the account and password of the user, and verify the identity information of the user.
Step S330, distributing a key number to the data encryption request, decrypting the key ciphertext of the current version corresponding to the key number to obtain a key plaintext, and primarily encrypting the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext. The first symmetric Encryption Algorithm may be any one of Data Encryption Standard (DES), triple Data Encryption Algorithm (3 DES), international Data Encryption Algorithm (IDEA), FEAL (Fast Data Encryption Algorithm), advanced Encryption Standard (AES), BLOWFISH, and other symmetric Encryption algorithms. For example, an AES encryption algorithm can be adopted, the length of the encryption key of the algorithm can be 128, 192, 256 bits, and the method has the characteristics of high operation speed, high security and low resource consumption, thereby improving the efficiency and security of data encryption and decryption.
Step S340, performing secondary encryption on the distributed key number, the key version number corresponding to the current version key ciphertext, and the first ciphertext by using the key generated by the authentication information and a second symmetric encryption algorithm to obtain a second ciphertext. The encryption process is to encrypt the distributed key number, the key version number corresponding to the current version key ciphertext and the first ciphertext respectively by using a key generated by the identity authentication information and a second symmetric encryption algorithm, and integrate the encrypted result into a whole to obtain a second ciphertext. In an embodiment, the second symmetric encryption algorithm may adopt an IDEA encryption algorithm, which uses a 128-bit key to provide very strong security, and when the key number keyID, the corresponding key version number version, and the first ciphertext ENC _ DK are encrypted for the second time, the security is very strong and the efficiency is high, thereby reducing the risk of being cracked and ensuring the security of data encryption.
And step S350, when a decryption operation request of the user for the second ciphertext is received, performing reverse decryption operation on the second ciphertext twice to obtain a decryption result. Specifically, the second ciphertext is decrypted for the first time by using the key generated by the authentication information to obtain a corresponding key number, a key version number and the first ciphertext, a key of a corresponding version is obtained according to the key number and the key version number, and the first ciphertext is decrypted by using the key to obtain a decryption result. For example, the second ciphertext is primarily decrypted by using the key generated by the authentication information to obtain a corresponding key number keyID, key version number version and first ciphertext ENC _ DK, the corresponding key is obtained according to the key number keyID and the key version number version, and the first ciphertext ENC _ DK is decrypted by using the key to obtain a decryption result.
Fig. 4 is a flowchart illustrating a data encryption/decryption method according to a second preferred embodiment of the present invention. When the processor 13 of the server 1 executes the data encryption/decryption program 10 stored in the memory 12, the following steps of the data encryption/decryption method are implemented:
step S400, setting the updating period of the secret key, and randomly generating a new version secret key when the system time of the server reaches the updating period. The server can set a timer for the periodic update of the key, and when the timer reaches the time for updating the key, the timer is started, the data encryption and decryption program can execute the generation module, start the task of updating the key, and randomly generate a new version of the key.
Step S410, encrypting each version of the randomly generated key by using a predetermined asymmetric encryption algorithm, and storing the encrypted key ciphertext into a key storage table of the first database, where the key storage table includes a key number field, a key version number field, and a key ciphertext field, and each key number corresponds to at least one key version number and the key ciphertext. For example, the ECC asymmetric algorithm is adopted to encrypt the key of the new version, so that the calculation amount is small, the processing speed is high, and the storage efficiency of storing the key ciphertext into the key storage table is improved. And encrypting the randomly generated key by using an ECC asymmetric algorithm to obtain a key ciphertext, and storing the key ciphertext into a key storage table of a first database (for example, mySQL).
Step S420, receiving a data encryption request sent by a user, where the data encryption request includes authentication information and data to be encrypted. At this time, the data encryption and decryption program executes a receiving module, for example, to receive the data to be encrypted and the account and password of the user, and verify the identity information of the user.
And step S430, distributing a key number for the data encryption request, decrypting by using the current version key ciphertext corresponding to the key number to obtain a key plaintext, and primarily encrypting the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext. The first symmetric encryption algorithm can be any one of DES, 3DES, IDEA, FEAL, BLOWFSH, AES and other symmetric encryption algorithms. For example, an AES encryption algorithm can be adopted, the length of the encryption key of the algorithm can be 128, 192, 256 bits, and the method has the characteristics of high operation speed, high security and low resource consumption, thereby improving the encryption and decryption efficiency and security of the data encryption and decryption of the invention.
And step S440, performing secondary encryption on the distributed key number, the key version number corresponding to the current version key ciphertext, the first ciphertext and the salt value ciphertext by using the key generated by the identity verification information and a second symmetric encryption algorithm to obtain a second ciphertext. The salt value ciphertext is obtained by encrypting a salt value by using a key generated by the identity authentication information and the second symmetric encryption algorithm, wherein the salt value is a random number generated by the server or a random character string stored by the server and input by the user. In an embodiment, the data format of the twice-encrypted object may be keyID & ENC _ DK & version & salt value. Wherein, keyID represents a key number, ENC _ DK represents a first ciphertext, and version represents a key version number corresponding to the key used for the primary encryption. In this embodiment, the second symmetric encryption algorithm may adopt an IDEA encryption algorithm, which uses a 128-bit key to provide very strong security, and when the key number keyID, the corresponding key version number version, and the first ciphertext ENC _ DK are encrypted for the second time, the security is very strong and the efficiency is high, thereby greatly reducing the risk of being cracked, and ensuring the security of data encryption.
The salt value ciphertext aims to increase the difficulty of cracking by an attacker, and the salt value ciphertext needs to pay attention to the following points when being encrypted, otherwise, the meaning of the salt value ciphertext is not too great.
1. The salt number cannot be too short; an attacker can simply exhaust all possible salt values if the salt value has only a few two to three or even one to two bits.
2. The salt value cannot be fixed; if the system uses a fixed salt value, the same effect as without the salt value is achieved, and an attacker can prepare the cracking method in advance by using the fixed salt value.
3. No use of a value predictable in advance as a salt value; if the salt value can be known or deduced in advance, an attacker can completely prepare a cracking method in advance, so that the cracking difficulty is not increased.
And step S450, when a decryption operation request of the user for the second ciphertext is received, performing reverse decryption operation on the second ciphertext twice to obtain a decryption result. Specifically, the second ciphertext is decrypted for the first time by using the key generated by the authentication information to obtain the corresponding key number, the key version number and the first ciphertext, the key of the corresponding version is obtained according to the key number and the key version number, and the first ciphertext is decrypted by using the key to obtain a decryption result.
Furthermore, the embodiment of the present invention also provides a computer-readable storage medium, which may be any one or any combination of a hard disk, a multimedia card, an SD card, a flash memory card, an SMC, a Read Only Memory (ROM), an Erasable Programmable Read Only Memory (EPROM), a portable compact disc read only memory (CD-ROM), a USB memory, and the like. The computer readable storage medium includes a data encryption and decryption program 10, and the functions implemented by the data encryption and decryption program 10 when executed by a processor perform the following steps:
a key generation step: setting an updating period of the secret key, and randomly generating a new version secret key when the system time reaches the updating period;
and a key storage step: encrypting the randomly generated key of each version by using a predetermined asymmetric encryption algorithm, and storing a key ciphertext obtained by encryption into a key storage table of a first database, wherein the key storage table comprises a key number field, a key version number field and a key ciphertext field, and each key number corresponds to at least one key version number and the key ciphertext;
a receiving step: receiving a data encryption request of a user, wherein the data encryption request comprises data to be encrypted, a key number and identity authentication information;
a first encryption step: decrypting the current version key ciphertext corresponding to the received key number to obtain a key plaintext, and primarily encrypting the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext;
a second encryption step: performing secondary encryption on the received key number, the key version number corresponding to the current version key ciphertext and the first ciphertext by using the key generated by the identity verification information and a second symmetric encryption algorithm to obtain a second ciphertext; and
and (3) decryption: and when a decryption operation request of the user for the second ciphertext is received, performing reverse decryption operation on the second ciphertext twice to obtain a decryption result.
In the encryption process, a client only needs to provide data to be encrypted, identity verification information and a key number to the server to obtain a second ciphertext returned by the server; in the decryption process, the client only needs to provide the server with the data to be decrypted and the original data corresponding to the data to be decrypted, wherein the original data can be obtained by the authentication information.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A data encryption and decryption method is applied to a server, and is characterized by comprising the following steps:
a key generation step: setting an updating period of the secret key, and randomly generating a new version secret key when the system time of the server reaches the updating period;
and a key storage step: encrypting the randomly generated key of each version by using a predetermined asymmetric encryption algorithm, and storing a key ciphertext obtained by encryption into a key storage table of a first database, wherein the key storage table comprises a key number field, a key version number field and a key ciphertext field, each key number corresponds to at least one key version number and the key ciphertext, and the first database is a relational database;
a receiving step: receiving a data encryption request sent by a user, wherein the data encryption request comprises authentication information and data to be encrypted, and the authentication information is a unique identifier representing the identity of the user;
a first encryption step: distributing a key number to the data encryption request, decrypting by using a current version key ciphertext corresponding to the key number to obtain a key plaintext, and primarily encrypting the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext;
a second encryption step: secondly encrypting the distributed key number, the key version number corresponding to the current version key ciphertext and the first ciphertext by using a key generated by the identity verification information and a second symmetric encryption algorithm to obtain a second ciphertext; and
and a decryption step: and when a decryption operation request of the user for the second ciphertext is received, performing reverse decryption operation on the second ciphertext twice to obtain a decryption result.
2. The data encryption and decryption method of claim 1 wherein the first symmetric encryption algorithm and the second symmetric encryption algorithm are one or two of DES, 3DES, IDEA, FEAL, BLOWFISH, AES symmetric encryption algorithms.
3. The data encryption and decryption method according to claim 1, wherein the second ciphertext further comprises a salt ciphertext obtained by encrypting a salt using a key generated by the authentication information and the second symmetric encryption algorithm, and the salt is a random number generated by the server or a random string input by the user.
4. The data encryption and decryption method according to claim 3, wherein the data format of the secondary encrypted object is key ID & ENC _ DK & version & salt value, where key ID represents a key number, ENC _ DK represents a first ciphertext, and version represents a key version number corresponding to a key used for the primary encryption.
5. The data encryption and decryption method of claim 1, wherein in the decryption step, the second ciphertext is first decrypted by using a key generated by the authentication information to obtain a corresponding key number, a key version number and the first ciphertext, and then the first ciphertext is decrypted by using the key to obtain a decryption result.
6. The data encryption and decryption method of claim 1, wherein the method further comprises:
and setting a capacity threshold of the key storage table, and when the space size occupied by the key storage table is larger than the capacity threshold, sequentially deleting the old version keys stored firstly according to the storage sequence of the version keys until the ratio of the space size occupied by the key storage table to the capacity threshold is smaller than a preset percentage.
7. The data encryption and decryption method of claim 1, wherein the method further comprises:
and ciphertext storage: and storing the second ciphertext into a second database.
8. The data encryption and decryption method of claim 1, wherein the method further comprises:
a sending step: and sending the second ciphertext to the user.
9. A server comprising a memory and a processor, wherein the memory includes a data encryption/decryption program, and the data encryption/decryption program when executed by the processor implements the steps of:
a key generation step: setting an updating period of the secret key, and randomly generating a new version secret key when the system time of the server reaches the updating period;
and a key storage step: encrypting the randomly generated key of each version by using a predetermined asymmetric encryption algorithm, and storing a key ciphertext obtained by encryption into a key storage table of a first database, wherein the key storage table comprises a key number field, a key version number field and a key ciphertext field, each key number corresponds to at least one key version number and the key ciphertext, and the first database is a relational database;
a receiving step: receiving a data encryption request sent by a user, wherein the data encryption request comprises authentication information and data to be encrypted, and the authentication information is a unique identifier representing the identity of the user;
a first encryption step: distributing a key number to the data encryption request, decrypting by using a current version key ciphertext corresponding to the key number to obtain a key plaintext, and primarily encrypting the data to be encrypted by using the key plaintext and a first symmetric encryption algorithm to obtain a first ciphertext;
a second encryption step: secondly encrypting the distributed key number, the key version number corresponding to the current version key ciphertext and the first ciphertext by using a key generated by the identity verification information and a second symmetric encryption algorithm to obtain a second ciphertext; and
and (3) decryption: and when a decryption operation request of the user for the second ciphertext is received, performing reverse decryption operation on the second ciphertext twice to obtain a decryption result.
10. A computer-readable storage medium, wherein a data encryption and decryption program is stored in the computer-readable storage medium, and when the data encryption and decryption program is called by a processor, the steps of the data encryption and decryption method according to any one of claims 1 to 8 are implemented.
CN201811503032.8A 2018-12-10 2018-12-10 Data encryption and decryption method, server and storage medium Active CN109474423B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811503032.8A CN109474423B (en) 2018-12-10 2018-12-10 Data encryption and decryption method, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811503032.8A CN109474423B (en) 2018-12-10 2018-12-10 Data encryption and decryption method, server and storage medium

Publications (2)

Publication Number Publication Date
CN109474423A CN109474423A (en) 2019-03-15
CN109474423B true CN109474423B (en) 2022-10-21

Family

ID=65674972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811503032.8A Active CN109474423B (en) 2018-12-10 2018-12-10 Data encryption and decryption method, server and storage medium

Country Status (1)

Country Link
CN (1) CN109474423B (en)

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111756675B (en) * 2019-03-28 2023-04-07 钉钉控股(开曼)有限公司 Data processing method, device, equipment and system
CN110084051A (en) * 2019-04-29 2019-08-02 京工博创(北京)科技有限公司 A kind of data ciphering method and system
CN110598440B (en) * 2019-08-08 2023-05-09 中腾信金融信息服务(上海)有限公司 Distributed automatic encryption and decryption system
CN110636503B (en) * 2019-09-24 2023-03-24 中国联合网络通信集团有限公司 Data encryption method, device, equipment and computer readable storage medium
CN110995433A (en) * 2019-10-28 2020-04-10 北京三快在线科技有限公司 Data encryption method and device, electronic equipment and computer readable storage medium
CN111131278B (en) * 2019-12-27 2022-09-06 京东科技控股股份有限公司 Data processing method and device, computer storage medium and electronic equipment
CN111274611A (en) * 2020-02-04 2020-06-12 北京同邦卓益科技有限公司 Data desensitization method, device and computer readable storage medium
CN111404943B (en) * 2020-03-18 2021-10-26 腾讯科技(深圳)有限公司 Data processing method and device, electronic equipment and computer readable storage medium
CN111881474B (en) * 2020-07-24 2023-09-15 杭州弦冰科技有限公司 Private key management method and device based on trusted computing environment
CN112115491B (en) * 2020-08-20 2024-03-22 恒安嘉新(北京)科技股份公司 Symmetric encryption key protection method, device, equipment and storage medium
CN111935181B (en) * 2020-09-25 2021-01-26 北京天御云安科技有限公司 Method for realizing uninterrupted service of key switching under full-secret condition
CN112492352A (en) * 2020-11-17 2021-03-12 北京慕华信息科技有限公司 Video encryption and decryption method and device, electronic equipment and storage medium
CN113761551A (en) * 2020-11-18 2021-12-07 北京沃东天骏信息技术有限公司 Key generation method, encryption method, decryption method and device
CN112769559B (en) * 2020-12-31 2022-04-22 无锡艾立德智能科技有限公司 Symmetric key synchronization method based on multiple keys
CN112769565B (en) * 2021-01-15 2022-12-23 中国工商银行股份有限公司 Method, device, computing equipment and medium for upgrading cryptographic algorithm
CN112887087B (en) * 2021-01-20 2023-04-18 成都质数斯达克科技有限公司 Data management method and device, electronic equipment and readable storage medium
CN112668032B (en) * 2021-03-16 2021-06-04 四川微巨芯科技有限公司 Method and system for encrypting and decrypting computer, server and mobile equipment
CN113162763A (en) * 2021-04-20 2021-07-23 平安消费金融有限公司 Data encryption and storage method and device, electronic equipment and storage medium
CN113517981B (en) * 2021-04-28 2023-05-23 河南中烟工业有限责任公司 Key management method, code version management method and device
CN113392428B (en) * 2021-06-28 2023-11-10 西藏联萨智能科技有限公司 Data protection method, device, equipment and medium
CN113556735B (en) * 2021-07-09 2024-05-03 深圳市高德信通信股份有限公司 Data encryption method
CN113676318B (en) * 2021-07-15 2024-02-27 北京思特奇信息技术股份有限公司 Method for key rotation without affecting original cipher encryption and decryption
CN113346999B (en) * 2021-08-09 2021-10-26 国网浙江省电力有限公司杭州供电公司 Splitting encryption-based brain central system
CN113591138A (en) * 2021-09-30 2021-11-02 连连(杭州)信息技术有限公司 Service data processing method, device, equipment and medium
CN114024724B (en) * 2021-10-25 2023-06-13 四川启睿克科技有限公司 Symmetric key dynamic generation method based on Internet of things
CN113709188B (en) * 2021-10-27 2022-03-11 北京蓝莓时节科技有限公司 Session control information processing method, device, system and storage medium
CN114244508B (en) * 2021-12-15 2023-07-28 平安科技(深圳)有限公司 Data encryption method, device, equipment and storage medium
CN116032514B (en) * 2022-03-08 2024-05-24 海南伍尔索普电子商务有限公司 Distributed high concurrency data security encryption and decryption method
CN116089967B (en) * 2022-05-12 2024-03-26 荣耀终端有限公司 Data rollback prevention method and electronic equipment
CN115174136B (en) * 2022-05-23 2024-02-02 北京旷视科技有限公司 Data acquisition and data transmission method, terminal, server and storage medium
CN115174236A (en) * 2022-07-08 2022-10-11 上海百家云科技有限公司 Authentication method, authentication device, electronic equipment and storage medium
CN117857078B (en) * 2023-11-23 2024-06-11 烟台新韦达智慧科技有限公司 Variable-length hybrid dynamic transmission encryption and decryption method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104573551A (en) * 2014-12-25 2015-04-29 广东欧珀移动通信有限公司 File processing method and mobile terminal
CN106888183A (en) * 2015-12-15 2017-06-23 阿里巴巴集团控股有限公司 Data encryption, decryption, the method and apparatus and system of key request treatment
CN108234112A (en) * 2016-12-14 2018-06-29 ***通信集团安徽有限公司 Data encryption and decryption method and system
WO2018165835A1 (en) * 2017-03-14 2018-09-20 深圳大学 Cloud ciphertext access control method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9076004B1 (en) * 2014-05-07 2015-07-07 Symantec Corporation Systems and methods for secure hybrid third-party data storage
CN108880806A (en) * 2018-08-01 2018-11-23 深圳三角形科技有限公司 Encryption and decryption method, chip and readable storage medium storing program for executing

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104573551A (en) * 2014-12-25 2015-04-29 广东欧珀移动通信有限公司 File processing method and mobile terminal
CN106888183A (en) * 2015-12-15 2017-06-23 阿里巴巴集团控股有限公司 Data encryption, decryption, the method and apparatus and system of key request treatment
CN108234112A (en) * 2016-12-14 2018-06-29 ***通信集团安徽有限公司 Data encryption and decryption method and system
WO2018165835A1 (en) * 2017-03-14 2018-09-20 深圳大学 Cloud ciphertext access control method and system

Also Published As

Publication number Publication date
CN109474423A (en) 2019-03-15

Similar Documents

Publication Publication Date Title
CN109474423B (en) Data encryption and decryption method, server and storage medium
CN105260668B (en) A kind of file encrypting method and electronic equipment
CN107959567B (en) Data storage method, data acquisition method, device and system
US10635835B2 (en) Decentralized token table generation
WO2018112948A1 (en) Block generation method and device, and blockchain network
Teng et al. A Modified Advanced Encryption Standard for Data Security.
CN108259171B (en) Shader file protection method and device
CN110661748B (en) Log encryption method, log decryption method and log encryption device
CN103095452A (en) Random encryption method needing to adopt exhaustion method for deciphering
CN105721156A (en) General Encoding Functions For Modular Exponentiation Encryption Schemes
CN113067816A (en) Data encryption method and device
CN112804133A (en) Encrypted group chat method and system based on block chain technology
CN116488814A (en) FPGA-based data encryption secure computing method
CN115865448A (en) Data self-encryption device and method
CN117240625A (en) Tamper-resistant data processing method and device and electronic equipment
CN113422832B (en) File transmission method, device, equipment and storage medium
CN106919348A (en) Distributed memory system and storage method that anti-violence is cracked
CN109412788B (en) Anti-quantum computing agent cloud storage security control method and system based on public key pool
CN103593592A (en) User data encryption and decryption method
CN111798236A (en) Transaction data encryption and decryption method, device and equipment
CN107437998A (en) Safety elliptic curve scalar multiplication is calculated using dangerous and security context
US11533167B2 (en) Methods and devices for optimal information-theoretically secure encryption key management
Nagendran et al. Hyper Elliptic Curve Cryptography (HECC) to ensure data security in the cloud
CN103746798A (en) Data access control method and data access control system
Tian et al. A trusted control model of cloud storage

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant