CN116132041A - Key processing method and device, storage medium and electronic equipment - Google Patents

Key processing method and device, storage medium and electronic equipment Download PDF

Info

Publication number
CN116132041A
CN116132041A CN202310160927.0A CN202310160927A CN116132041A CN 116132041 A CN116132041 A CN 116132041A CN 202310160927 A CN202310160927 A CN 202310160927A CN 116132041 A CN116132041 A CN 116132041A
Authority
CN
China
Prior art keywords
key
decryption
encryption
encrypted file
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310160927.0A
Other languages
Chinese (zh)
Inventor
吴帆
刘阳成
陈李平
王杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Netease Hangzhou Network Co Ltd
Original Assignee
Netease Hangzhou Network Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Netease Hangzhou Network Co Ltd filed Critical Netease Hangzhou Network Co Ltd
Priority to CN202310160927.0A priority Critical patent/CN116132041A/en
Publication of CN116132041A publication Critical patent/CN116132041A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the disclosure relates to a key processing method, a key processing device, a storage medium and electronic equipment, and relates to the technical field of information security. The encryption method comprises the following steps: the key provider receives a key use request sent by a key demand side; generating a plaintext key based on the key use request; obtaining an encryption key according to a fixed key and a dynamic key, encrypting the plaintext key by adopting the encryption key to obtain a ciphertext key, and obtaining a target encryption file according to the ciphertext key and the dynamic key so as to send the target encryption file to the key requiring party; the fixed key is agreed in advance by the key requiring party and the key providing party, the dynamic key is generated in a preset mode, and the dynamic key is stored in the target encrypted file in a plaintext form. The security of key text information is improved.

Description

Key processing method and device, storage medium and electronic equipment
Technical Field
Embodiments of the present disclosure relate to the field of information security technology, and more particularly, to an encryption method, a decryption method, an encryption apparatus, a decryption apparatus, a computer-readable storage medium, and an electronic device.
Background
This section is intended to provide a background or context for the embodiments of the disclosure recited in the claims, which description herein is not admitted to be prior art by inclusion in this section.
When a client initiates a request to a server, the request data is generally encrypted. The key that requested the encryption of the data is stored at the client.
In the related art, a key is mostly stored in a client file or a client code.
Disclosure of Invention
However, in most of the existing encryption methods, the plaintext key is stored in the client file or the client code, so that the plaintext key can be cracked by decompilation, reverse splicing or tools, and the security of the key cannot be well ensured.
For this reason, an improved key processing method is highly required to improve the security of the plaintext key.
In this context, embodiments of the present disclosure desirably provide a key processing method, a key processing apparatus, a computer-readable storage medium, and an electronic device.
According to a first aspect of the present disclosure, there is provided a key processing method applied to a key provider, including:
the key provider receives a key use request sent by a key demand side;
Generating a plaintext key based on the key use request;
obtaining an encryption key according to a fixed key and a dynamic key, encrypting the plaintext key by adopting the encryption key to obtain a ciphertext key, and obtaining a target encryption file according to the ciphertext key and the dynamic key so as to send the target encryption file to the key requiring party;
the fixed key is agreed in advance by the key requiring party and the key providing party, the dynamic key is generated in a preset mode, and the dynamic key is stored in the target encrypted file in a plaintext form.
In one embodiment, the method further comprises: generating a decryption tool library based on a predetermined decryption algorithm, the fixed key, and the signature of the key requiring party; wherein the predetermined decryption algorithm corresponds to the predetermined encryption algorithm; and sending the decryption tool library to the key requiring party so that the key requiring party adopts the decryption tool library to decrypt the ciphertext key in the target encrypted file to obtain the plaintext key.
In one embodiment, the obtaining the encryption key from the fixed key and the dynamic key includes: obtaining a pre-configured target encryption file generation tool, wherein the target encryption file generation tool comprises the fixed key and a preset encryption algorithm; encrypting the fixed key and the dynamic key generated randomly by adopting the preset encryption algorithm to obtain the encryption key; obtaining the target encrypted file according to the ciphertext key and the dynamic key, wherein the method comprises the following steps: and combining the ciphertext key and the dynamic key to obtain the target encrypted file.
In one embodiment, the target encrypted file generation tool is configured by: the target encrypted file generation tool is generated based on the predetermined encryption algorithm and the fixed key.
In one embodiment, the obtaining a pre-configured target encrypted file generation tool includes: acquiring a latest version of a target encrypted file generation tool; the latest version of the target encrypted file generation tool comprises a fixed key after the latest update.
In one embodiment, the target encrypted file is a binary file.
In one embodiment, the file content of the target encrypted file includes: magic number, check code, version number, binary pattern, reserved space, cipher text key length, the cipher text key, dynamic key length and the dynamic key.
In one embodiment, the sending the target encrypted file to the key requester includes: and carrying out content confusion processing on the target encrypted file and then sending the target encrypted file to the key requiring party.
According to a second aspect of the present disclosure, there is provided a key processing method applied to a key provider, including:
The key demand side receives a target encryption file and a decryption tool library sent by the key provider; the decryption tool library comprises a fixed key and a preset decryption algorithm;
checking the key requiring party and/or the target encrypted file to obtain a checking result;
generating a decryption key based on a dynamic key in the target encryption file, a fixed key in the decryption tool library and a preset decryption algorithm in the decryption tool library under the condition that the verification result is that verification is passed, and decrypting a ciphertext key in the target encryption file by adopting the decryption key to obtain a plaintext key; the fixed key is agreed in advance for the key requiring party and the key provider.
In one embodiment, the verifying the key requiring party and/or the target encrypted file to obtain a verification result includes: checking the target encrypted file; if the verification of the target encrypted file is passed, verifying the key requiring party; and if the verification of the key requiring party is passed, determining that the verification result is passed.
In one embodiment, the verifying the target encrypted file includes: verifying the magic number in the target encrypted file; under the condition that the magic number passes the verification, verifying the verification code of the target encrypted file; and if the verification code of the target encrypted file passes the verification, determining that the verification of the target encrypted file passes.
In one embodiment, the verifying the verification code of the target encrypted file includes: carrying out hash operation on preset field content in the target encrypted file to obtain a hash value of the target encrypted file; and comparing the hash value with the check code in the target encrypted file, and if the hash value is consistent with the check code, determining that the check code passes the check.
In one embodiment, the verifying the key requiring party includes: checking whether the signature of the key requiring party is consistent with the signature in the decryption tool library, and if so, determining that the verification of the key requiring party is passed; the decryption tool library includes a signature of the key requiring party.
In one embodiment, the decryption tool library is configured by: the decryption tool library is generated based on the predetermined decryption algorithm, the fixed key, and the signature of the key requiring party.
In one embodiment, the generating a decryption key based on the dynamic key in the target encrypted file, the fixed key in the decryption tool library, and a predetermined decryption algorithm in the decryption tool library includes: obtaining a pre-configured decryption tool library; and processing the fixed key and the dynamic key in the target encrypted file by adopting the preset decryption algorithm to obtain the decryption key.
In one embodiment, the obtaining a pre-configured decryption tool library includes: and acquiring the decryption tool library consistent with the version number of the target encrypted file.
According to a third aspect of the present disclosure, there is provided a key processing apparatus comprising:
a request receiving module configured to receive a key use request sent by a key requiring party by a key provider;
a plaintext key generation module configured to generate a plaintext key based on the key use request;
the encryption file generation module is configured to obtain an encryption key according to a fixed key and a dynamic key, encrypt the plaintext key by adopting the encryption key to obtain a ciphertext key, and obtain a target encryption file according to the ciphertext key and the dynamic key so as to send the target encryption file to the key requiring party;
the fixed key is agreed in advance by the key requiring party and the key providing party, the dynamic key is generated in a preset mode, and the dynamic key is stored in the target encrypted file in a plaintext form.
In one embodiment, the apparatus further comprises a decryption tool library receiving module configured to: generating a decryption tool library based on a predetermined decryption algorithm, the fixed key, and the signature of the key requiring party; wherein the predetermined decryption algorithm corresponds to the predetermined encryption algorithm; and sending the decryption tool library to the key requiring party so that the key requiring party adopts the decryption tool library to decrypt the ciphertext key in the target encrypted file to obtain the plaintext key.
In one embodiment, the encrypted file generation module is configured to: obtaining a pre-configured target encryption file generation tool, wherein the target encryption file generation tool comprises the fixed key and a preset encryption algorithm; encrypting the fixed key and the dynamic key generated randomly by adopting the preset encryption algorithm to obtain the encryption key; is also configured to: and combining the ciphertext key and the dynamic key to obtain the target encrypted file.
In one embodiment, the target encrypted file generation tool is configured by: the target encrypted file generation tool is generated based on the predetermined encryption algorithm and the fixed key.
In one embodiment, the encrypted file generation module is configured to: acquiring a latest version of a target encrypted file generation tool; the latest version of the target encrypted file generation tool comprises a fixed key after the latest update.
In one embodiment, the target encrypted file is a binary file.
In one embodiment, the file content of the target encrypted file includes: magic number, check code, version number, binary pattern, reserved space, cipher text key length, the cipher text key, dynamic key length and the dynamic key.
In one embodiment, the encrypted file generation module is configured to: and carrying out content confusion processing on the target encrypted file and then sending the target encrypted file to the key requiring party.
According to a fourth aspect of the present disclosure, there is provided a key processing apparatus comprising:
the encryption file receiving module is configured to receive a target encryption file and a decryption tool library sent by a key provider by a key requiring party; the decryption tool library comprises a fixed key and a preset decryption algorithm;
the verification module is configured to verify the key requiring party and/or the target encrypted file to obtain a verification result;
the decryption module is configured to generate a decryption key based on a dynamic key in the target encryption file, a fixed key in the decryption tool library and a preset decryption algorithm in the decryption tool library when the verification result is that verification is passed, and decrypt a ciphertext key in the target encryption file by adopting the decryption key to obtain a plaintext key; the fixed key is agreed in advance for the key requiring party and the key provider.
In one embodiment, the verification module is configured to: checking the target encrypted file; if the verification of the target encrypted file is passed, verifying the key requiring party; and if the verification of the key requiring party is passed, determining that the verification result is passed.
In one embodiment, the verification module is configured to: verifying the magic number in the target encrypted file; under the condition that the magic number passes the verification, verifying the verification code of the target encrypted file; and if the verification code of the target encrypted file passes the verification, determining that the verification of the target encrypted file passes.
In one embodiment, the verification module is configured to: carrying out hash operation on preset field content in the target encrypted file to obtain a hash value of the target encrypted file; and comparing the hash value with the check code in the target encrypted file, and if the hash value is consistent with the check code, determining that the check code passes the check.
In one embodiment, the verification module is configured to: checking whether the signature of the key requiring party is consistent with the signature in the decryption tool library, and if so, determining that the verification of the key requiring party is passed; the decryption tool library includes a signature of the key requiring party.
In one embodiment, the decryption tool library is configured by: the decryption tool library is generated based on the predetermined decryption algorithm, the fixed key, and the signature of the key requiring party.
In one embodiment, the decryption module is configured to: obtaining a pre-configured decryption tool library; and processing the fixed key and the dynamic key in the target encrypted file by adopting the preset decryption algorithm to obtain the decryption key.
In one embodiment, the decryption module is configured to: and acquiring the decryption tool library consistent with the version number of the target encrypted file.
According to a fifth aspect of embodiments of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements any of the methods described above.
According to a sixth aspect of embodiments of the present disclosure, there is provided an electronic device, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform any of the methods described above via execution of the executable instructions.
According to the key processing method, the key processing device, the computer readable storage medium and the electronic equipment of the embodiment of the disclosure, a key provider (such as a server) generates a target encrypted file comprising a ciphertext key according to a key use request sent by a key demand (such as a client), the target encrypted file is sent to the key demand for storage, and the key demand decrypts the ciphertext key in the target encrypted file by adopting a decryption tool library sent by the key provider to obtain a plaintext key required by the key demand. Therefore, the plaintext key is stored in the target encrypted file in the form of the ciphertext key at the client, and even if the target encrypted file is decrypted, the ciphertext key is obtained instead of the plaintext key, so that the safety of the plaintext key is improved.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which:
FIG. 1 illustrates a key processing flow architecture diagram in an embodiment of the present disclosure;
FIG. 2 illustrates a flow chart of a key processing method in an embodiment of the present disclosure;
FIG. 3 illustrates a flow chart for generating an encryption key in an embodiment of the present disclosure;
FIG. 4 illustrates a flow chart of a generation target encrypted file generation tool in an embodiment of the present disclosure;
FIG. 5 illustrates a schematic diagram of a generation target encrypted file generation tool in an embodiment of the present disclosure;
FIG. 6 shows a flow chart of a key processing method in an embodiment of the present disclosure;
FIG. 7 illustrates a flow chart of a verification method in an embodiment of the present disclosure;
FIG. 8 illustrates a flow chart of a verification method in an embodiment of the present disclosure;
FIG. 9 illustrates a flow chart for verifying a check code in an embodiment of the present disclosure;
FIG. 10 illustrates a flow chart for generating a decryption key in an embodiment of the present disclosure;
FIG. 11 illustrates a schematic diagram of generating a decryption tool library in an embodiment of the present disclosure;
FIG. 12 shows a flow chart of a key processing method in an embodiment of the present disclosure;
fig. 13 is a schematic diagram showing a configuration of a key processing apparatus in the embodiment of the present disclosure;
fig. 14 is a schematic diagram showing a configuration of a key processing apparatus in the embodiment of the present disclosure;
fig. 15 shows a schematic structural diagram of an electronic device in an embodiment of the disclosure.
In the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
The principles and spirit of the present disclosure will be described below with reference to several exemplary embodiments. It should be understood that these embodiments are presented merely to enable one skilled in the art to better understand and practice the present disclosure and are not intended to limit the scope of the present disclosure in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the present disclosure may be implemented as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the following forms, namely: complete hardware, complete software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to an embodiment of the present disclosure, there are provided a key processing method, a key processing apparatus, a computer-readable storage medium, and an electronic device.
Any number of elements in the figures are for illustration and not limitation, and any naming is used for distinction only, and not for any limiting sense.
The principles and spirit of the present disclosure are described in detail below with reference to several representative embodiments thereof.
Summary of The Invention
When a client initiates a request to a server, the request data is generally encrypted. The key that requested the encryption of the data is stored at the client.
In the related art, there are mainly the following four preservation methods:
(1) Storing the plaintext in a client file;
(2) Storing the key code in the code of the client;
(3) After segmenting the secret key, part of the secret key is stored in a client file, and the other part of the secret key is stored in a client code;
(4) After encrypting the key, the key is stored in a client configuration file, and encryption and decryption logic is stored in a client code.
The inventor discovers that the (1) preservation mode, namely, the plaintext is preserved in the client file, has the unsafe problem; regarding the preservation mode (2), namely, the key code is preserved in the code of the client, the method has the problems of decompilation and unsafe; for the preservation mode (3), namely after the secret key is segmented, part of the secret key is preserved in the client file, and part of the secret key is preserved in the client code, so that the secret key is reversely spliced and unsafe; and (4) the storage mode is that after the secret key is encrypted, the secret key is stored in a client configuration file, and encryption and decryption logic is stored in a client code, so that the decompilation threshold is improved to a certain extent, but the secret key can be cracked by a tool.
In view of the foregoing, the present disclosure provides a key processing method applied to a key provider, a key processing method applied to a key requester, a key processing apparatus applied to a key provider, a computer-readable storage medium, and an electronic device, the key provider (e.g., a server, a client) generates a target encrypted file including a ciphertext key according to a key usage request sent by the key requester (e.g., a client), and a decryption tool library including a predetermined decryption algorithm, a fixed key, a signature of the key requester, and sends the target encrypted file and the decryption tool library to the key requester, so that the key requester decrypts the ciphertext key in the target encrypted file using the decryption tool library to obtain a plaintext key. Therefore, (1) since the plaintext key is stored in the target encrypted file in the form of the ciphertext key at the client, even if the target encrypted file is decrypted, the obtained ciphertext key is not the plaintext key, so that the safety of the plaintext key is improved; (2) The key using mechanism of the black box is provided, even if an attacker takes the ciphertext key by cracking the target encryption file, the attacker does not know how to restore the plaintext key by using the target encryption file and the ciphertext key, so that the key requiring party does not need to consider too much the security problem of storing the key in the client, and the whole process is not used and depends on any encryption library (such as OpenSSL) with external open source, so that the method is more closed and safer.
Having described the basic principles of the present disclosure, various non-limiting embodiments of the present disclosure are specifically described below.
Application scene overview
It should be noted that the following application scenarios are only shown for facilitating understanding of the spirit and principles of the present disclosure, and embodiments of the present disclosure are not limited in this respect. Rather, embodiments of the present disclosure may be applied to any scenario where applicable.
The present disclosure may be applied to any scenario where a client needs to use a key, such as: the client A is accessed to the third party client B, and a server of the client B generates a target encryption file comprising a ciphertext key and a dynamic key according to a key use request sent by the client A and sends the target encryption file to the client A; further, the client B generates a decryption tool library comprising a preset decryption algorithm and a fixed key, and sends the decryption tool library to the client A; the client A adopts a preset decryption algorithm in a decryption tool library to process the fixed key and the dynamic key in the target encrypted file to obtain a decryption key; further, the ciphertext key in the target encrypted file is decrypted by adopting the decryption key, so that a plaintext key required by the client A is obtained; in this way, the client a can use the function in the client B corresponding to the plaintext key.
When the client needs to decrypt the file, the target encrypted file is sent to the server, the server decrypts the ciphertext to obtain plaintext, the plaintext is sent to the client, and the client decrypts the file by using the plaintext.
Exemplary method
The system architecture and application scenario of the operating environment of the present exemplary embodiment are described below in conjunction with fig. 1.
Fig. 1 shows a schematic diagram of a system architecture, which system architecture 100 may include a key requester 110 and a key provider 120. The key requiring party 110 may be a terminal, for example, a smart phone, a tablet computer, a personal computer, etc., and the key requiring party 110 may receive a key use request input by a user and transmit the key use request to the key provider 120. The key provider 120 may refer generally to a background system (such as a key service system) that provides a service related to key processing, where the key provider 120 may send a ciphertext key to the key requester 110 in the form of a binary file for storage, or may send a decryption tool library including a predetermined decryption algorithm and a fixed key to the key requester 110 to improve the security of a plaintext key; the key provider 120 may be a client or a server; in the case where the key provider 120 is a server, the key provider 120 may be a server or a cluster of servers. The key requirer 110 and the key provider 120 may form a connection for data interaction via a wired or wireless communication link.
Exemplary embodiments of the present disclosure first provide a key processing method applied to a key provider, which may include:
the key provider receives a key use request sent by a key demand side;
generating a plaintext key based on the key use request;
obtaining an encryption key according to the fixed key and the dynamic key, encrypting the plaintext key by adopting the encryption key to obtain a ciphertext key, obtaining a target encryption file according to the ciphertext key and the dynamic key, and sending the target encryption file to a key requiring party;
the fixed key is agreed in advance by the key demand party and the key provider, the dynamic key is generated in a preset mode, and the dynamic key is stored in a target encrypted file in a plaintext form.
Fig. 2 shows an exemplary flow of the key processing method applied to the key provider, and each step in fig. 2 is specifically described below.
Referring to fig. 2, in step S210, a key provider receives a key use request transmitted from a key demander.
The key provider is used for distributing a plaintext key for the key requiring party; here, the key provider may be a server or a client; in the case where the key provider is a server, the key provider may be one server or may be a cluster formed by a plurality of servers.
The key requiring party is the party needing the plaintext key; here, the key requiring party may be a client.
With continued reference to fig. 2, in step S220, a plaintext key is generated based on the key use request.
Wherein the plaintext key may be unencrypted key text information.
With continued reference to fig. 2, in step S230, an encryption key is obtained according to the fixed key and the dynamic key, the plaintext key is encrypted by using the encryption key to obtain a ciphertext key, and a target encrypted file is obtained according to the ciphertext key and the dynamic key, so as to send the target encrypted file to the key requester.
The fixed key is agreed in advance by the key demand party and the key provider, the dynamic key is generated in a preset mode, and the dynamic key is stored in a target encrypted file in a plaintext form.
The dynamic key may be generated at the key provider by a random algorithm. When the key provider and the key demander agree on a fixed key, the encryption algorithm may be agreed at the same time.
The encryption key is obtained by processing the dynamic key and the fixed key through an encryption algorithm. In one embodiment, the encryption key may be derived from a fixed key and a dynamic key reorganization; for example, the fixed key and the dynamic key may be subjected to string splicing to obtain an encryption key, or the fixed key and the dynamic key may be subjected to string splicing and then encrypted to obtain an encryption key; algorithms used for encryption herein may include, but are not limited to: a one-way hash encryption algorithm, a symmetric encryption algorithm, an asymmetric encryption algorithm, or the like; among them, the one-way hash encryption Algorithm may employ a Message Digest Algorithm (MD 5Message-Digest Algorithm, MD 5), a secure hash Algorithm1 (Secure Hash Algorithm, SHA-1), a secure hash Algorithm 256 (Secure Hash Algorithm, SHA-256), and the like; the symmetric encryption algorithm may employ a data encryption standard (Data Encryption Standard, DES) algorithm, a Triple data encryption algorithm (Triple DES,3 DES), an advanced encryption standard (Advanced Encryption Standard, AES), or the like; the asymmetric encryption algorithm may employ an RSA algorithm, an elliptic encryption algorithm (Elliptic curve cryptography, ECC), or the like.
The target encrypted file includes a ciphertext key and a dynamic key, and in one embodiment, the target encrypted file may be obtained by:
and combining the ciphertext key and the dynamic key to obtain the target encrypted file.
Because the target encrypted file comprises the ciphertext key and is sent to the key requiring party by the key provider and stored in the key requiring party (such as a client), even if the target encrypted file is cracked, the ciphertext key is obtained instead of the plaintext key, and the safety of the plaintext key is improved.
In one embodiment, to further improve the security of the target encrypted file, "send the target encrypted file to the key requester" in step S230 may further include the steps of:
and the target encrypted file is subjected to content confusion processing and then is sent to a key requiring party.
The obfuscation processing can make the target encrypted file after the obfuscation processing difficult to read and analyze by means of variable replacement, character string array, control flow flattening, polymorphic variation, zombie function, debugging protection and the like, so that the aim of further improving the safety of the binary target encrypted file is fulfilled.
When the target encrypted file is subjected to content confusion processing and then sent to the key requiring party, the decryption tool library comprises a confusion algorithm, so that the key requiring party restores the target encrypted file subjected to content confusion processing based on the confusion algorithm to read the target encrypted file.
In one embodiment, the key provider further generates a decryption tool library and sends the decryption tool library to the key demander, and specifically referring to fig. 3, the above-mentioned key processing method may further include the following steps S310 and S320:
step S310, a decryption tool library is generated based on a predetermined decryption algorithm, a fixed key and a signature of a key requester.
Wherein the predetermined decryption algorithm corresponds to the predetermined encryption algorithm.
The predetermined decryption algorithm, the predetermined encryption algorithm and the fixed key are agreed in advance by the key provider and the key requester.
The signature of the key requester may be obtained from an enterprise certificate management system or may be sent to the key provider by the key requester, which is not limited herein.
In one embodiment, the predetermined encryption algorithm, the fixed key, and the signature of the key requester may all be kept by an issuing administrator of the key provider.
And step 320, the decryption tool library is sent to the key requiring party, so that the key requiring party adopts the decryption tool library to decrypt the ciphertext key in the target encrypted file to obtain the plaintext key.
Because the decryption tool library comprises a preset decryption algorithm and a fixed key, the key requiring party processes the fixed key and the dynamic key read from the target encrypted file through the preset decryption algorithm to obtain a decryption key, and further, the decryption key is adopted to decrypt the ciphertext key in the target encrypted file to obtain the key required by the key requiring party.
In one embodiment, the target encrypted file may be generated by the target encrypted file generating tool, and specifically, referring to fig. 4, the "obtaining the encrypted key according to the fixed key and the dynamic key" in step S230 may further include the following steps S410 and S420:
step S410, a preconfigured target encrypted file generation tool is obtained.
Wherein the target encrypted file generation tool comprises a fixed key and a predetermined encryption algorithm.
The target encryption file generation tool is used for generating a target encryption file; the functions of the target encrypted file generation tool may be integrated by a server of the key provider, and further, may be integrated by one server of the key provider, or may be integrated by a cluster formed by a plurality of servers.
In one embodiment, the target encrypted file generation tool may be configured by:
generating a target encrypted file generation tool based on a predetermined encryption algorithm and the fixed key.
The predetermined encryption algorithm, the predetermined decryption algorithm and the fixed key are all agreed in advance by the key provider and the key requiring party, wherein the predetermined encryption algorithm can be a one-way hash encryption algorithm, a symmetric encryption algorithm or an asymmetric encryption algorithm, and is not limited herein. After the target encrypted file generating tool is generated, the target encrypted file generating tool is stored in a database so as to be directly called from the database to generate the target encrypted file when the target encrypted file needs to be generated. Both the predetermined encryption algorithm and the fixed key may be maintained and managed by an issuing administrator of the key provider.
In the process of generating the target encrypted file by the target encrypted file generating tool, a preset encryption algorithm is used for processing the fixed key and the dynamic key to obtain an encryption key, so that the encryption key is adopted to encrypt the plaintext key to obtain the ciphertext key; further, the ciphertext key and the dynamic key are stored in the target encrypted file. The dynamic key may be generated by the key provider through a random algorithm.
After the target encrypted file generating tool is generated, the target encrypted file generating tool can be stored in a database so as to be directly called from the database to generate the target encrypted file when the target encrypted file needs to be generated.
In one embodiment, to facilitate machine identification, the target encrypted file is a binary file, and the file content of the target encrypted file includes:
magic numbers, check codes, version numbers, binary patterns, reserved spaces, ciphertext lengths, ciphertext, dynamic key lengths and dynamic keys.
The magic numbers are used for judging the validity of the binary target encrypted file.
The check code is used for checking the integrity of contents except magic numbers in the target encrypted file.
The version number is used to represent the version number of the target encrypted file generation tool.
The binary pattern is used to represent the pattern in which the target encrypted file is located.
The reserved space is used to represent reserved bytes to facilitate subsequent expansion of new functions.
Ciphertext length represents the bytes of ciphertext.
The ciphertext is data after encrypting a key requested by a key requiring party.
The dynamic key length represents bytes of the dynamic key.
A dynamic key is a key used to generate an encryption key or a decryption key.
In one embodiment, as shown in table 1, the description of the contents included in the target encrypted file is specifically as follows:
Figure SMS_1
TABLE 1
In one embodiment, step S410 may further include the steps of:
and acquiring the latest version of the target encrypted file generation tool.
The latest version of the target encryption file generation tool comprises a fixed key updated last time.
The updating of the fixed key can be periodically or irregularly updated, so that the updated fixed key is used for encryption, and the safety and the reliability of encryption can be improved.
Step S420, encrypting the fixed key and the randomly generated dynamic key by adopting a preset encryption algorithm to obtain an encryption key.
The preset encryption algorithm and the fixed key are carried by a preset target encryption file generation tool, and in actual implementation, the target encryption file generation tool is required to acquire a randomly generated dynamic key, and then the fixed key and the dynamic key are processed based on the preset encryption algorithm to generate the encryption key.
In one embodiment, as shown in FIG. 5, the target encrypted file generation tool may be obtained by:
step S510, the issuing administrator inputs the obtained preset encryption algorithm and the fixed key into an issuing script;
Wherein the issuing administrator is used to maintain and keep the fixed keys.
The predetermined encryption algorithm is negotiated by the key requester and the key provider.
Step S520, the issuing script generates a target encryption file generation tool based on a preset encryption algorithm and a fixed key;
the issuing script can generate the target encryption tool according to a preset encryption algorithm by running the issuing script.
And step S530, the issuing script uploads the target encrypted file generating tool to an intranet resource warehouse for storage.
The intranet resource repository may be understood as a database of key providers.
The "obtaining the target encrypted file from the ciphertext key and the dynamic key" in step S230 may further include the steps of:
and combining the ciphertext key and the dynamic key to obtain the target encrypted file.
The ciphertext key and the dynamic key can be combined in a mode of splicing character strings or placing the ciphertext key and the dynamic key in a two-dimensional table and the like, so that the integrity of the ciphertext key and the dynamic key in the target encrypted file can be ensured, and a decryption key for decrypting the ciphertext can be obtained based on the complete dynamic key during decryption.
The key processing procedure applied to the key provider was described above, and the key processing procedure applied to the key demander is described below:
Exemplary embodiments of the present disclosure first provide a key processing method applied to a key demander, which may include:
the key demand side receives a target encryption file and a decryption tool library sent by the key provider; the decryption tool library comprises a fixed key and a preset decryption algorithm;
checking the key requiring party and/or the target encrypted file to obtain a checking result;
under the condition that the verification result is that verification is passed, generating a decryption key based on a dynamic key in the target encryption file, a fixed key in a decryption tool library and a preset decryption algorithm in the decryption tool library, and decrypting a ciphertext key in the target encryption file by adopting the decryption key to obtain a plaintext key; wherein the fixed key is agreed in advance for the key requiring party and the key providing party.
Fig. 6 shows an exemplary flow of the key processing method applied to the key provider, and each step in fig. 6 is specifically described below.
Referring to fig. 6, in step S610, a key requiring party receives a target encrypted file and a decryption tool library transmitted from a key provider.
Wherein the decryption tool library comprises a fixed key and a predetermined decryption algorithm.
The key provider is used for distributing a target encrypted file comprising a ciphertext key for the key requiring party; here, the key provider may be a server or a client; in the case where the key provider is a server, the key provider may be one server or may be a cluster formed by a plurality of servers.
The key requiring party is the party needing the plaintext key; here, the key requiring party may be a client.
The target encrypted file includes a ciphertext key and a dynamic key.
The fixed key is agreed in advance for the key requiring party and the key providing party.
The predetermined decryption algorithm corresponds to the predetermined encryption algorithm. The predetermined decryption algorithm, the predetermined encryption algorithm and the fixed key are the same and are agreed in advance by the key provider and the key requester.
With continued reference to fig. 6, in step S620, the key demander and/or the target encrypted file is checked to obtain a check result.
The purpose of the verification is to determine whether the target encrypted file is legal, complete, tampered, and adapted to the decryption tool library, so that the verification on the target encrypted file may be performed on an item included in the target encrypted file, or on the key requester and the item included in the target encrypted file.
In one embodiment, the verification performed on the key requiring party and/or the target encrypted file has a sequence, specifically, referring to fig. 7, step S620 may further include the following steps S710 to S730:
Step S710, checking the target encrypted file.
The verification of the target encrypted file is to verify the items included in the target encrypted file; such as: and verifying the magic numbers, check codes, version numbers and the like in the target encrypted file.
And step S720, if the verification of the target encrypted file is passed, verifying the key requiring party.
The target encrypted file is checked first, and then the key demand party is checked under the condition that the target encrypted file passes the check, so that the key demand party is checked under the condition that the target encrypted file is ensured not to be tampered, and the check cost can be saved.
In one embodiment, to ensure that the decryption tool library matches the key requester, the target encrypted file stored on the key requester can be decrypted, and the decryption tool library and the key requester are verified; specifically, step S620 may further include the steps of:
and checking whether the signature of the key requiring party is consistent with the signature in the decryption tool library, and if so, determining that the verification of the key requiring party is passed.
Wherein the decryption tool library comprises a signature of the key requiring party.
The signature of the key requiring party in the decryption tool library is written in the process of generating the decryption tool library; in one embodiment, the decryption tool library may be generated from a predetermined decryption algorithm, a fixed key, and a signature of the key requester. The signature of the key requiring party is consistent with the signature in the decryption tool library, and the fact that the target encrypted file stored in the key requiring party is not tampered is indicated; the signature of the key requiring party is inconsistent with the signature in the decryption tool library, which indicates that the target encrypted file stored in the key requiring party is tampered with.
Step S730, if the verification of the key requiring party is passed, determining that the verification result is passed.
The verification of the key requiring party is also passed, which indicates that the key requiring party has no tampering or leakage, and further, the key requiring party can decrypt the ciphertext key in the target encrypted file by adopting a preset decryption algorithm in the decryption tool library, the fixed key and the dynamic key in the target encrypted file, so as to obtain the plaintext key required by the key requiring party.
The verification of the target encrypted file is to verify the items included in the target encrypted file, and in one embodiment, referring to fig. 8, step S710 may further include the following steps S810 to S830:
and step 810, checking the magic numbers in the target encrypted file.
The verification of the magic number is used for judging the validity of the target encrypted file.
Step S820, checking the check code of the target encrypted file under the condition that the magic number passes the check.
And checking the check code is used for judging the integrity of the residual content in the target encrypted file.
Step S830, if the verification code of the target encrypted file passes the verification, determining that the verification of the target encrypted file passes.
The verification processes of steps S810 to S830 are shown in the above description of the fields in table 1, and will not be repeated here.
In one embodiment, referring to fig. 9, the "check the check code of the target encrypted file" in step S820 may further include the following steps S910 and S920:
step S910, performing a hash operation on the preset field content in the target encrypted file to obtain a hash value of the target encrypted file.
Wherein the hash value is a value calculated using a hash function (hash function). The hash function calculates a corresponding 'digest' according to the content of the file, so that the data size is reduced, and the file can be distinguished from other files according to the digest.
The preset field content comprises file content after a check code in the target encrypted file, and specifically comprises the following steps: version number, binary pattern, reserved space, ciphertext length, ciphertext, dynamic key length, and dynamic key.
And step S920, comparing the hash value with the check code in the target encrypted file, and if the hash value is consistent with the check code, determining that the check code passes.
The hash value is consistent with the check code, and the target encrypted file is complete; the hash value is inconsistent with the check code, which indicates that the target encrypted file is incomplete.
With continued reference to fig. 6, in step S630, if the verification result is that the verification passes, a decryption key is generated based on the dynamic key in the target encrypted file, the fixed key in the decryption tool library, and the predetermined decryption algorithm in the decryption tool library, and the ciphertext key in the target encrypted file is decrypted by using the decryption key to obtain the plaintext key.
Wherein the fixed key is agreed in advance for the key requiring party and the key providing party.
The ciphertext key is encrypted key text information.
The plaintext key is unencrypted key text information.
In one embodiment, referring to fig. 10, the "generating a decryption key based on a dynamic key in a target encrypted file, a fixed key in a decryption tool library, and a predetermined decryption algorithm in a decryption tool library" in step S630 may further include the following steps S1010 and S1020:
step S1010, obtaining a pre-configured decryption tool library.
Wherein the decryption tool library comprises a predetermined decryption algorithm, a fixed key and a signature of the key requiring party. The functionality of the decryption tool library may be integrated by the client of the key requiring party.
In one embodiment, as shown in FIG. 11, the decryption tool library may be obtained by the following process:
Step S1110, the issuing administrator inputs the obtained signature of the preset decryption algorithm, the fixed key and the key requiring party into an issuing script;
wherein the predetermined decryption algorithm corresponds to the predetermined encryption algorithm.
The signature of the key requiring party is written during the process of generating the target encrypted file by the target encrypted file generating tool.
Step S1120, the issuing script injects the initial decryption tool based on a preset decryption algorithm, a fixed key and a signature of a demander to generate a decryption tool;
wherein the issuing script is capable of generating the initial decryption tool in accordance with a predetermined decryption algorithm.
Step 1130, the issuing script uploads the decryption tool to the intranet resource repository for storage.
In one embodiment, the pre-configured decryption tool library is consistent with the version number of the target encrypted file, so that the whole encryption process and decryption process can be performed smoothly, and step S1110 includes the following steps:
and obtaining a decryption tool library consistent with the version number of the target encrypted file.
The version numbers of the target encryption file and the decryption tool library are stored in the target encryption file and the decryption tool library, and the version numbers are directly read from the target encryption file and the decryption tool library.
And step 1020, adopting a preset decryption algorithm to process the fixed key and the dynamic key in the target encrypted file to obtain a decryption key.
Wherein the predetermined decryption algorithm is determined according to the predetermined encryption algorithm; for example, in the case where the predetermined encryption algorithm employs a symmetric encryption algorithm, the key requiring party and the key providing party encrypt and decrypt data with the same key; in the case where the predetermined encryption algorithm employs asymmetric key encryption, the key requiring party and the key provider perform encryption and decryption operations with different keys, respectively, the key requiring party encrypts data with the public key of the key provider, and the key provider decrypts with its own private key.
Processing the fixed key and the dynamic key read from the target encrypted file by adopting a preset decryption algorithm in a decryption tool library to obtain a decryption key; and further, decrypting the ciphertext key in the target encrypted file by adopting the decryption key to obtain a plaintext key required by the key requiring party.
In addition, in the process of executing the key processing method applied to the key provider and the key processing method applied to the key demander, the key demander does not need to consider the security problem of how the key is stored in the client, and the whole process does not use and rely on any encryption library (such as OpenSSL) with an external open source, so that the key processing method is more closed and safer, and can be understood as providing a set of key using mechanism of a black box.
In one embodiment, as shown in FIG. 12, the verification and decryption process is as follows:
step S1201, reading a target encrypted file;
step S1202, checking Magic numbers (Magic numbers);
if the verification passes, step S1203 is performed; otherwise, ending the whole flow;
step S1203, calculating hash value from all contents from the beginning of Version field to the end of the target encrypted file;
step S1204, determining whether the check code is consistent with the hash value;
if the check code is consistent with the hash value, step S1205 is performed; otherwise, ending the whole flow;
step S1205, determining whether the version number of the target encrypted file is consistent with the version number of the decryption tool library;
if the version number of the target encrypted file is identical to the version number of the decryption tool library, step S1206 is performed; otherwise, ending the whole flow;
step S1206, checking whether the signature of the key requiring party is consistent with the signature in the decryption tool library;
in the case where the signature of the key requiring party is identical to the signature in the decryption tool library, step S1207 is performed; otherwise, ending the whole flow;
step S1207, reading the dynamic key in the target encrypted file;
step S1208, combining the dynamic key with the fixed key in the decryption tool library to obtain a decryption key;
Step S1209, decrypting the ciphertext key in the target encrypted file by using the decryption key to obtain a plaintext key;
step S1210, a plaintext key is transmitted to the key requiring party.
The decryption tool library comprises a fixed key M which is injected in advance by a tool issuing administrator, the fixed key M and a dynamic key N read from a target encryption file are used for generating a decryption key MN through a preset decryption algorithm corresponding to the preset encryption algorithm, and the decryption key MN is used for decrypting a ciphertext key in the target encryption file to obtain a plaintext key required by a key requiring party. Here, the basic formula of the predetermined decryption algorithm may be: decryption key mn=f (fixed key m+dynamic key N). In this embodiment, even if an attacker takes the ciphertext key by cracking the target encrypted file, the attacker does not know the decryption key mn=f (the fixed key m+the dynamic key N), and does not know that the plaintext key can be obtained after further decrypting the ciphertext key in the target encrypted file by using the decryption key, so that the whole key usage mechanism is a black box for the attacker, and the security of storing the plaintext key at the client is greatly improved.
Exemplary apparatus
Having described the key processing method of the exemplary embodiment of the present disclosure, next, an encryption apparatus and a decryption apparatus of the exemplary embodiment of the present disclosure will be described with reference to fig. 13 and 14.
Referring to fig. 13, a key processing apparatus 1300 includes:
a request receiving module 1310 configured to receive a key usage request sent by a key requester by a key provider;
a plaintext key generation module 1320 configured to generate a plaintext key based on a key use request;
the encryption file generation module 1330 is configured to obtain an encryption key according to the fixed key and the dynamic key, encrypt the plaintext key by using the encryption key to obtain a ciphertext key, and obtain a target encryption file according to the ciphertext key and the dynamic key, so as to send the target encryption file to the key requiring party;
the fixed key is agreed in advance by the key demand party and the key provider, the dynamic key is generated in a preset mode, and the dynamic key is stored in a target encrypted file in a plaintext form.
In one embodiment, the apparatus further comprises a decryption tool library receiving module configured to: generating a decryption tool library based on a predetermined decryption algorithm, a fixed key, and a signature of a key requiring party; wherein the predetermined decryption algorithm corresponds to the predetermined encryption algorithm; and sending the decryption tool library to a key requiring party so that the key requiring party adopts the decryption tool library to decrypt the ciphertext key in the target encrypted file to obtain the plaintext key.
In one embodiment, the encrypted file generation module 1330 is configured to: acquiring a pre-configured target encryption file generation tool, wherein the target encryption file generation tool comprises a fixed key and a preset encryption algorithm; encrypting the fixed key and the randomly generated dynamic key by adopting a preset encryption algorithm to obtain an encryption key; is also configured to: and combining the ciphertext key and the dynamic key to obtain the target encrypted file.
In one embodiment, the target encrypted file generation tool is configured by: a target encrypted file generation tool is generated based on a predetermined encryption algorithm and a fixed key.
In one embodiment, the encrypted file generation module 1330 is configured to: acquiring a latest version of a target encrypted file generation tool; the latest version of the target encrypted file generation tool includes the last updated fixed key.
In one embodiment, the target encrypted file is a binary file.
In one embodiment, the file content of the target encrypted file includes: magic numbers, check codes, version numbers, binary patterns, reserved spaces, ciphertext key lengths, ciphertext keys, dynamic key lengths, and dynamic keys.
In one embodiment, the encrypted file generation module 1330 is configured to: and the target encrypted file is subjected to content confusion processing and then is sent to a key requiring party.
Referring to fig. 14, the key processing apparatus 1400 includes:
an encrypted file receiving module 1410 configured to receive a target encrypted file and a decryption tool library sent by a key provider by a key requester; the decryption tool library comprises a fixed key and a preset decryption algorithm;
a verification module 1420 configured to verify the key requiring party and/or the target encrypted file to obtain a verification result;
the decryption module 1430 is configured to generate a decryption key based on the dynamic key in the target encryption file, the fixed key in the decryption tool library and a predetermined decryption algorithm in the decryption tool library, and decrypt the ciphertext key in the target encryption file by using the decryption key to obtain a plaintext key if the verification result is that the verification result passes; wherein the fixed key is agreed in advance for the key requiring party and the key providing party.
In one implementation, the verification module 1420 is configured to: verifying the target encrypted file; if the verification of the target encrypted file is passed, verifying the key requiring party; and if the verification of the key requiring party is passed, determining that the verification result is the verification pass.
In one implementation, the verification module 1420 is configured to: verifying the magic number in the target encrypted file; under the condition that the magic number passes the verification, verifying the verification code of the target encrypted file; and if the verification code of the target encrypted file passes the verification, determining that the verification of the target encrypted file passes.
In one implementation, the verification module 1420 is configured to: carrying out hash operation on preset field content in the target encrypted file to obtain a hash value of the target encrypted file; and comparing the hash value with the check code in the target encrypted file, and if the hash value is consistent with the check code, determining that the check code passes the check.
In one implementation, the verification module 1420 is configured to: checking whether the signature of the key requiring party is consistent with the signature in the decryption tool library, and if so, determining that the verification of the key requiring party is passed; the decryption tool library includes a signature of the key requiring party.
In one embodiment, the decryption tool library is configured by: a decryption tool library is generated based on a predetermined decryption algorithm, a fixed key, and a signature of the key requiring party.
In one embodiment, decryption module 1430 is configured to: obtaining a pre-configured decryption tool library; and processing the fixed key and the dynamic key in the target encrypted file by adopting a preset decryption algorithm to obtain a decryption key.
In one embodiment, decryption module 1430 is configured to: and obtaining a decryption tool library consistent with the version number of the target encrypted file.
Exemplary storage Medium
A storage medium according to an exemplary embodiment of the present disclosure is described below.
In the present exemplary embodiment, the above-described method may be implemented by a program product, such as a portable compact disc read only memory (CD-ROM) and including program code, and may be run on a device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RE, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Exemplary electronic device
An electronic device of an exemplary embodiment of the present disclosure is described with reference to fig. 15.
The electronic device 1500 shown in fig. 15 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 15, the electronic device 1500 is embodied in the form of a general purpose computing device. The components of electronic device 1500 may include, but are not limited to: at least one processing unit 1510, at least one storage unit 1520, a bus 1530 connecting the different system components (including the storage unit 1520 and the processing unit 1510), a display unit 1540.
Wherein the storage unit stores program code that is executable by the processing unit 1510 such that the processing unit 1510 performs steps according to various exemplary embodiments of the present disclosure described in the above section of the "exemplary method" of the present specification. For example, the processing unit 1510 may perform method steps, etc., as shown in fig. 1.
The storage unit 1520 may include volatile storage units such as a random access memory unit (RAM) 1521 and/or a cache memory unit 1522, and may further include a read only memory unit (ROM) 1523.
The storage unit 1520 may also include a program/utility 1524 having a set (at least one) of program modules 1525, such program modules 1525 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 1530 may include a data bus, an address bus, and a control bus.
The electronic device 1500 may also communicate with one or more external devices 2000 (e.g., keyboard, pointing device, bluetooth device, etc.) via an input/output (I/O) interface 1550. The electronic device 1500 also includes a display unit 1540 connected to an input/output (I/O) interface 1550 for displaying. Also, the electronic device 1500 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, for example, the Internet, through a network adapter 1560. As shown, the network adapter 1560 communicates with other modules of the electronic device 1500 over the bus 1530. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 1500, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
It should be noted that while several modules or sub-modules of the apparatus are mentioned in the detailed description above, such partitioning is merely exemplary and not mandatory. Indeed, the features and functionality of two or more units/modules described above may be embodied in one unit/module in accordance with embodiments of the present disclosure. Conversely, the features and functions of one unit/module described above may be further divided into ones that are embodied by a plurality of units/modules.
Furthermore, although the operations of the methods of the present disclosure are depicted in the drawings in a particular order, this is not required to or suggested that these operations must be performed in this particular order or that all of the illustrated operations must be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
While the spirit and principles of the present disclosure have been described with reference to several particular embodiments, it is to be understood that this disclosure is not limited to the particular embodiments disclosed nor does it imply that features in these aspects are not to be combined to benefit from this division, which is done for convenience of description only. The disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (10)

1. A key processing method applied to a key provider, comprising:
the key provider receives a key use request sent by a key demand side;
generating a plaintext key based on the key use request;
obtaining an encryption key according to a fixed key and a dynamic key, encrypting the plaintext key by adopting the encryption key to obtain a ciphertext key, and obtaining a target encryption file according to the ciphertext key and the dynamic key so as to send the target encryption file to the key requiring party;
The fixed key is agreed in advance by the key requiring party and the key providing party, the dynamic key is generated in a preset mode, and the dynamic key is stored in the target encrypted file in a plaintext form.
2. The key processing method according to claim 1, characterized in that the method further comprises:
generating a decryption tool library based on a predetermined decryption algorithm, the fixed key, and the signature of the key requiring party; wherein the predetermined decryption algorithm corresponds to a predetermined encryption algorithm;
and sending the decryption tool library to the key requiring party so that the key requiring party adopts the decryption tool library to decrypt the ciphertext key in the target encrypted file to obtain the plaintext key.
3. The key processing method according to claim 1, wherein the obtaining the encryption key from the fixed key and the dynamic key includes:
obtaining a pre-configured target encryption file generation tool, wherein the target encryption file generation tool comprises the fixed key and a preset encryption algorithm;
encrypting the fixed key and the dynamic key generated randomly by adopting the preset encryption algorithm to obtain the encryption key;
Obtaining the target encrypted file according to the ciphertext key and the dynamic key, wherein the method comprises the following steps:
and combining the ciphertext key and the dynamic key to obtain the target encrypted file.
4. The key processing method according to claim 1, wherein the target encrypted file generation tool is configured by:
generating the target encrypted file generation based on the predetermined encryption algorithm and the fixed key
A tool.
5. A key processing method applied to a key requiring party, comprising:
the key demand side receives a target encryption file and a decryption tool library sent by the key provider; the decryption tool library comprises a fixed key and a preset decryption algorithm;
checking the key requiring party and/or the target encrypted file to obtain a checking result;
generating a decryption key based on a dynamic key in the target encryption file, a fixed key in the decryption tool library and a preset decryption algorithm in the decryption tool library under the condition that the verification result is that verification is passed, and decrypting a ciphertext key in the target encryption file by adopting the decryption key to obtain a plaintext key; the fixed key is agreed in advance for the key requiring party and the key provider.
6. The key processing method according to claim 5, wherein the verifying the key requiring party and/or the target encrypted file to obtain a verification result includes:
checking the target encrypted file;
if the verification of the target encrypted file is passed, verifying the key requiring party;
and if the verification of the key requiring party is passed, determining that the verification result is passed.
7. A key processing apparatus, comprising:
a request receiving module configured to receive a key use request sent by a key requiring party by a key provider;
a plaintext key generation module configured to generate a plaintext key based on the key use request;
the encryption file generation module is configured to obtain an encryption key according to a fixed key and a dynamic key, encrypt the plaintext key by adopting the encryption key to obtain a ciphertext key, and obtain a target encryption file according to the ciphertext key and the dynamic key so as to send the target encryption file to the key requiring party;
the fixed key is agreed in advance by the key requiring party and the key providing party, the dynamic key is generated in a preset mode, and the dynamic key is stored in the target encrypted file in a plaintext form.
8. A key processing apparatus, comprising:
the encryption file receiving module is configured to receive a target encryption file and a decryption tool library sent by a key provider by a key requiring party; the decryption tool library comprises a fixed key and a preset decryption algorithm;
the verification module is configured to verify the key requiring party and/or the target encrypted file to obtain a verification result;
the decryption module is configured to generate a decryption key based on a dynamic key in the target encryption file, a fixed key in the decryption tool library and a preset decryption algorithm in the decryption tool library when the verification result is that verification is passed, and decrypt a ciphertext key in the target encryption file by adopting the decryption key to obtain a plaintext key; the fixed key is agreed in advance for the key requiring party and the key provider.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any one of claims 1-6.
10. An electronic device, comprising:
A processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any one of claims 1-6 via execution of the executable instructions.
CN202310160927.0A 2023-02-22 2023-02-22 Key processing method and device, storage medium and electronic equipment Pending CN116132041A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310160927.0A CN116132041A (en) 2023-02-22 2023-02-22 Key processing method and device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310160927.0A CN116132041A (en) 2023-02-22 2023-02-22 Key processing method and device, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN116132041A true CN116132041A (en) 2023-05-16

Family

ID=86311726

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310160927.0A Pending CN116132041A (en) 2023-02-22 2023-02-22 Key processing method and device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN116132041A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318686A (en) * 2023-05-17 2023-06-23 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318686A (en) * 2023-05-17 2023-06-23 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium
CN116318686B (en) * 2023-05-17 2023-09-05 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US8694467B2 (en) Random number based data integrity verification method and system for distributed cloud storage
CN110798315B (en) Data processing method and device based on block chain and terminal
CN109583217B (en) Internet e-commerce platform user privacy data encryption and decryption method
CN113378236B (en) Evidence data online security notarization platform and security method
US20040175000A1 (en) Method and apparatus for a transaction-based secure storage file system
CN109067814B (en) Media data encryption method, system, device and storage medium
US11831753B2 (en) Secure distributed key management system
KR101103403B1 (en) Control method of data management system with emproved security
CN110084599B (en) Key processing method, device, equipment and storage medium
CN111131278A (en) Data processing method and device, computer storage medium and electronic equipment
CN110061968A (en) A kind of file encryption-decryption method based on block chain, system and storage medium
US8392723B2 (en) Information processing apparatus and computer readable medium for preventing unauthorized operation of a program
US20200089867A1 (en) System and method for authentication
CN107528689B (en) Password modification method based on Ukey
WO2020123926A1 (en) Decentralized computing systems and methods for performing actions using stored private data
CN116132041A (en) Key processing method and device, storage medium and electronic equipment
JP4684714B2 (en) File management system and program
CN114154181A (en) Privacy calculation method based on distributed storage
CN113722741A (en) Data encryption method and device and data decryption method and device
US8862893B2 (en) Techniques for performing symmetric cryptography
CN113886793A (en) Device login method, device, electronic device, system and storage medium
CN112528309A (en) Data storage encryption and decryption method and device
US20220216999A1 (en) Blockchain system for supporting change of plain text data included in transaction
CN113672955B (en) Data processing method, system and device
CN114553557B (en) Key calling method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination