CN116155489A - Key replacement method and device and electronic equipment - Google Patents

Key replacement method and device and electronic equipment Download PDF

Info

Publication number
CN116155489A
CN116155489A CN202211657498.XA CN202211657498A CN116155489A CN 116155489 A CN116155489 A CN 116155489A CN 202211657498 A CN202211657498 A CN 202211657498A CN 116155489 A CN116155489 A CN 116155489A
Authority
CN
China
Prior art keywords
initial
key data
data
buried point
image file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211657498.XA
Other languages
Chinese (zh)
Inventor
贺宇航
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Eswin Computing Technology Co Ltd
Original Assignee
Beijing Eswin Computing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Eswin Computing Technology Co Ltd filed Critical Beijing Eswin Computing Technology Co Ltd
Priority to CN202211657498.XA priority Critical patent/CN116155489A/en
Publication of CN116155489A publication Critical patent/CN116155489A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1095Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to the field of computer technologies, and in particular, to a method and an apparatus for replacing a key, and an electronic device, so as to improve security performance of a secure operating system. The method is applied to the compiling server, and comprises the following steps: acquiring a key data structure corresponding to the initial key data, and marking the key data structure based on at least one initial buried point data; compiling and generating an image file containing at least one initial buried point data and initial key data based on the marking result; and feeding back the image file to the client. The method applied to the client comprises the following steps: obtaining an image file; acquiring reference buried point data, and respectively matching the reference buried point data with at least one initial buried point data; and according to the matching result, determining a first position of the initial key data in the image file, and replacing the initial key data with the target key data based on the first position. The client side directly replaces the secret key in the mirror image file, so that the safety performance of the safety operation system is improved.

Description

Key replacement method and device and electronic equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method and an apparatus for replacing a key, and an electronic device.
Background
With the rapid development of computer technology, network information is easy to be tampered by a third party in the transmission process, data risks exist, and corresponding security technical measures are adopted, so that the provision of proper security services is important. A hardware-based trusted execution environment (Trusted Execution Environment, TEE) may be used to protect the data being processed, creating a flexible and secure environment by ensuring the integrity and confidentiality of the data and the integrity of the code.
In the related art, in order to ensure that a complete trust chain is established, a trusted execution environment needs to add a digital signature to an executable file of a secure application, and complete signature verification in a starting stage of the secure application. Signature verification requires the use of a key that is hard-coded and packaged into the image file of the secure operating system to which the secure application corresponds.
When a key replacement is desired, it is necessary to reconstruct the image file of the secure operating system from the source code phase. However, the developer does not want to release the source code to the customer. It is necessary for the client to master the key, which requires the developer to release the source code to the client, but is not beneficial to guaranteeing the security performance of the secure operating system.
Therefore, how to eliminate the contradiction between the fact that the developer does not release the source code and the fact that the client must master the secret key, and improve the safety performance of the safety operation system, is a problem to be solved urgently.
Disclosure of Invention
The method, the device and the electronic equipment for replacing the secret key are used for improving the safety performance of a safety operation system.
The method for replacing the secret key, provided by the embodiment of the application, is applied to a compiling server and comprises the following steps:
acquiring a key data structure corresponding to initial key data, and marking the key data structure based on at least one initial buried point data;
compiling and generating an image file containing the at least one initial buried point data and the initial key data based on the marking result;
and feeding the image file back to the client so that the client locates the initial key data in the image file based on a matching result of the reference embedded point data and the at least one initial embedded point data and replaces the initial key data with target key data.
Optionally, the marking the key data structure based on at least one initial buried point data includes:
Based on preset identification information and attribute information of the initial key data, combining and generating at least one initial buried point data; wherein the attribute information includes at least one of a key data type and a key data length;
a target key segment is declared and the key data structure is marked in the target key segment based on the at least one initial buried point data.
Optionally, the method further comprises:
in the initial key data, a field generated based on a target key rule is inserted.
Optionally, the obtaining the key data structure corresponding to the initial key data includes:
respectively abstracting attribute information of the initial key data and the initial key data into at least one variable;
and determining the key data structure based on the obtained variables so as to compile by calling the corresponding variables in the compiling process of the image file.
Optionally, the compiling generates an image file containing the at least one initial buried point data and the initial key data, and further includes:
the initial key data in the image file is scrambled by the following method:
performing reversible encryption operation on the initial key data to obtain encrypted initial key data, and generating at least one piece of pseudo key data aiming at the initial key data;
Each key data is placed into the image file through a target key segment, wherein the key data is encrypted initial key data or pseudo key data; a preset byte offset interval is provided between each target key segment.
The method for replacing the secret key, provided by the embodiment of the application, is applied to the client and comprises the following steps:
acquiring an image file compiled in advance by a compiling server, wherein the image file contains at least one initial buried point data and initial key data; the initial buried point data is a key data structure for marking the corresponding initial key data;
acquiring reference buried point data, and respectively matching the reference buried point data with the at least one initial buried point data;
and according to a matching result, determining a first position of the initial key data in the image file, and replacing the initial key data in the image file with target key data based on the first position.
Optionally, the acquiring the reference buried point data includes:
obtaining locally stored reference buried point data, wherein the reference buried point data is prestored to the local in a hard coding mode; or (b)
And linking the storage servers, and acquiring reference buried point data from the storage servers, wherein the reference buried point data is shared by the compiling servers to the storage servers.
Optionally, the method further comprises:
determining a second position of the initial buried data in the image file according to the matching result;
and replacing the initial buried point data in the image file with target buried point data based on the second position.
Optionally, the initial buried data is generated based on a combination of preset identification information and attribute information of the initial key data; wherein the attribute information includes at least one of a key data type and a key data length.
The device for replacing the secret key is applied to a compiling server and comprises:
the marking unit is used for acquiring a key data structure corresponding to the initial key data and marking the key data structure based on at least one initial buried point data;
a compiling unit for compiling and generating an image file containing the at least one initial buried point data and the initial key data based on the marking result;
and the feedback unit is used for feeding back the image file to the client so that the client locates the initial key data in the image file based on a matching result of the reference embedded point data and the at least one initial embedded point data and replaces the initial key data with the target key data.
Optionally, the marking unit is further configured to:
based on preset identification information and attribute information of the initial key data, combining and generating at least one initial buried point data; wherein the attribute information includes at least one of a key data type and a key data length;
a target key segment is declared and the key data structure is marked in the target key segment based on the at least one initial buried point data.
Optionally, the apparatus further includes:
and the inserting unit is used for inserting a field generated based on the target key rule into the initial key data.
Optionally, the marking unit is further configured to:
respectively abstracting attribute information of the initial key data and the initial key data into at least one variable;
and determining the key data structure based on the obtained variables so as to compile by calling the corresponding variables in the compiling process of the image file.
Optionally, the compiling unit is further configured to:
the initial key data in the image file is scrambled by the following method:
performing reversible encryption operation on the initial key data to obtain encrypted initial key data, and generating at least one piece of pseudo key data aiming at the initial key data;
Each key data is placed into the image file through a target key segment, wherein the key data is encrypted initial key data or pseudo key data; a preset byte offset interval is provided between each target key segment.
The device for replacing the secret key, provided by the embodiment of the application, is applied to a client and comprises:
the system comprises an acquisition unit, a compiling server and a storage unit, wherein the acquisition unit is used for acquiring an image file pre-compiled by the compiling server, and the image file contains at least one initial buried point data and initial key data; the initial buried point data is a key data structure for marking the corresponding initial key data;
the matching unit is used for acquiring reference buried point data and respectively matching the reference buried point data with the at least one initial buried point data;
and the first replacing unit is used for determining a first position of the initial key data in the image file according to the matching result and replacing the initial key data in the image file with target key data based on the first position.
Optionally, the matching unit is further configured to:
obtaining locally stored reference buried point data, wherein the reference buried point data is prestored to the local in a hard coding mode; or (b)
And linking the storage servers, and acquiring reference buried point data from the storage servers, wherein the reference buried point data is shared by the compiling servers to the storage servers.
Optionally, the apparatus further includes:
a second replacing unit, configured to determine a second position of the initial embedded data in the image file according to a matching result;
and replacing the initial buried point data in the image file with target buried point data based on the second position.
Optionally, the initial buried data is generated based on a combination of preset identification information and attribute information of the initial key data; wherein the attribute information includes at least one of a key data type and a key data length.
An electronic device provided in an embodiment of the present application includes a processor and a memory, where the memory stores a computer program that, when executed by the processor, causes the processor to perform the steps of any one of the above-described methods for key replacement.
The embodiment of the application provides a computer readable storage medium, which comprises a computer program, wherein when the computer program runs on an electronic device, the computer program is used for enabling the electronic device to execute the steps of any one of the key replacement methods.
A computer program product provided by an embodiment of the present application includes a computer program stored in a computer readable storage medium; when the processor of the electronic device reads the computer program from the computer readable storage medium, the processor executes the computer program, causing the electronic device to perform the steps of any one of the above-described methods of key replacement.
The beneficial effects of the application are as follows:
the embodiment of the application provides a method, a device and electronic equipment for replacing a key. In the method, a key data structure is marked based on initial buried point data, and then an image file containing the initial buried point data and the initial key data is compiled and generated, so that a client can directly match the initial buried point data through reference buried point data in the acquired image file, locate the position of the initial key data in the image file, and according to the located position, the client can directly perform key replacement in the image file without recompilation from a source code stage to generate the image file; in addition, in the mode, the source code is not required to be released to the client, and the replacement key is directly realized in the binary file obtained by compiling, so that the contradiction between the fact that the source code is not released by a developer and the client must master the key is solved, and the safety performance of the safety operation system is improved.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application.
Fig. 1 is a schematic view of an application scenario in an embodiment of the present application;
FIG. 2 is a flowchart of an implementation of a method for replacing a key in an embodiment of the present application applied to a compiling server;
FIG. 3 is a schematic diagram of a key data structure in an embodiment of the present application;
FIG. 4A is a schematic diagram of a target key segment in an embodiment of the present application;
FIG. 4B is a schematic diagram of another target key segment in an embodiment of the present application;
FIG. 5 is a flowchart of an implementation of a method for key replacement in an embodiment of the present application applied to a client;
FIG. 6 is a schematic flow chart of interaction between a compiling server and a client according to an embodiment of the application;
FIG. 7 is a flowchart of a specific implementation of a client replacing initial key data according to an embodiment of the present application;
fig. 8 is a schematic diagram of the composition and structure of a device 800 for replacing a key in the embodiment of the present application;
fig. 9 is a schematic diagram of the composition and structure of a device 900 for replacing a key in the embodiment of the present application;
fig. 10 is a schematic diagram of a composition structure of an electronic device in an embodiment of the present application;
fig. 11 is a schematic diagram of a hardware composition of a computing device to which embodiments of the present application are applied.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the technical solutions of the present application, but not all embodiments. All other embodiments, which can be made by a person of ordinary skill in the art without any inventive effort, based on the embodiments described in the present application are within the scope of the technical solution of the present application.
Some of the concepts involved in the embodiments of the present application are described below.
TEE: is a secure area located in the host processor. Loading the running code and data in the TEE may be protected for privacy and integrity. The TEE may run in parallel with the user-oriented operating system, but with better privacy and security than the latter.
Buried point and buried point data: the buried point is to add a section of code in front of or behind the data to be monitored for marking the monitored data; the specific content of the code is buried point data. The embodiment of the application relates to initial buried point data and reference buried point data. Wherein the initial buried data is used to mark the key data structure; the reference buried data is stored in a local or storage server for matching with the initial buried data to locate the initial key data.
Key data: refers to the cryptographic data used in the encryption and decryption process, including private key data (abbreviated as private key data) and public key data (abbreviated as public key data). In the embodiment of the present application, the initial key data and the target key data are referred to, and for the purpose of simple distinction, different limitation manners listed above are adopted in the present application. Wherein, the initial key data refers to public key data packed into an image file of a secure operating system in a hard coding mode; the target key data refers to public key data for replacing the initial key data.
Target key segment: the characterization is that the program segment stated is stored in the mirror image file of the safe operating system. In this embodiment of the present application, the target key segment includes at least one initial buried point data and initial key data.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are for illustration and explanation only, and are not intended to limit the present application, and embodiments and features of embodiments of the present application may be combined with each other without conflict.
Fig. 1 is a schematic view of an application scenario in an embodiment of the present application. The application scenario diagram includes a client 110 and a compiling server 120.
It should be noted that the method of key replacement in the embodiments of the present application may be performed by the client 110, which is installed on the terminal device.
In the embodiment of the application, the terminal equipment comprises, but is not limited to, mobile phones, tablet computers, notebook computers, desktop computers and other equipment; the terminal device may be provided with a client related to key replacement, and the client may be software, a webpage, an applet, or the like. A storage server may also be included in the scenario for storing data required by the client. The storage server and the compiling server can be independent physical servers, can also be a server cluster or a distributed system formed by a plurality of physical servers, and can also be cloud servers for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDNs), basic cloud computing services such as big data and artificial intelligent platforms and the like.
In an alternative embodiment, the communication between the terminal device and the server may be via a communication network.
In an alternative embodiment, the communication network is a wired network or a wireless network.
It should be noted that, the number of terminal devices, storage servers and compiling servers shown in fig. 1 is merely illustrative, and the number of terminal devices, storage servers and compiling servers is not limited in practice, and is not particularly limited in the embodiments of the present application.
The method of key replacement provided by the exemplary embodiments of the present application will be described below with reference to the accompanying drawings in conjunction with the application scenario described above, and it should be noted that the application scenario described above is merely shown for the convenience of understanding the spirit and principles of the present application, and the embodiments of the present application are not limited in any way in this respect.
Referring to fig. 2, a flowchart of an implementation of a method for replacing a key in an embodiment of the present application applied to a compiling server is shown, where the compiling server is used as an execution body, and a specific implementation flow of the method includes steps S201 to S203 as follows:
s201: and acquiring a key data structure corresponding to the initial key data, and marking the key data structure based on at least one initial buried point data.
The initial key data refers to public key data used in the decryption process, and the public key data can be packaged into an image file of the secure operating system in a hard coding mode.
Initial buried data refers to a piece of code for marking a key data structure, which may be placed in front of or behind the key data structure.
The key data structure refers to a key data structure formed by respectively abstracting the type of the initial key data, the length of the initial key data, and other optional data into variables based on the obtained variables.
An alternative implementation manner is to obtain a key data structure corresponding to the initial key data by the following manner:
firstly, respectively abstracting attribute information of initial key data and the initial key data into at least one variable;
then, a key data structure is determined based on the obtained variables, so that the corresponding variables are called for compiling in the compiling process of the image file.
Specifically, the initial key data represents public key data in a safe operating system image file, and consists of an e value and a modulus value; the e value in the initial key data is abstracted to be a variable e, and the modulus value in the initial key data is abstracted to be a variable N. The attribute information of the initial key data includes: the type of the initial key data and the length of the initial key data; the type of the initial key data is abstracted to be a variable key type, and the length of the initial key data is abstracted to be a variable key size.
Referring to fig. 3, a schematic diagram of a key data structure in an embodiment of the present application is shown. In this figure, header information in the key data structure may be composed of a variable key type and a variable key size, and public key data in the key data structure may be composed of a variable N and a variable e. In addition, other optional data structures may be included in the key data structure, such as a magic number and a salt, where the magic number refers to a fixed value that may be written directly in the code, such as a company name, a company established date. salt refers to the insertion of a specific string in the original key data, a process called salifying to prevent rainbow table attacks. For example, some hackers can calculate hash values to make a table, and can reverse out the original text content by looking up the existing hash values in the table, so that the problem can be effectively avoided by adding salt.
In addition, the key data structure requires a large enough space to be declared in order to be compatible with longer specification key data. In the practice of the present application, the declared space may be compatible with 2048 bits of key data length.
Based on the above mode, the key data structure corresponding to the initial key data can be obtained, and the operation is ensured not to be tampered.
Before compiling and generating an image file, the key data structure needs to be marked with buried points, so that the position of the initial key data can be accurately positioned through the initial buried point data, and the replacement of the initial key data is completed.
In marking the key data structure in conjunction with the initial buried point data, an alternative embodiment is as follows:
firstly, generating at least one initial buried point data based on preset identification information and attribute information of initial key data in a combined mode;
further, a target key segment is declared and the key data structure is marked in the target key segment based on the at least one initial buried point data.
The preset identification information may be a character string set at will, for example abcd0001, or a character string set according to a magic number, for example, an ASCII code (an information exchange standard code) of a company name.
In the present application, the attribute information of the key data includes: at least one of a key data type and a key data length. The key data types include two types, namely a symmetric key and an asymmetric key, wherein the symmetric key refers to the same key used in the encryption/decryption process, and the asymmetric key refers to different keys used in the encryption/decryption process. For example, the key data type is an asymmetric key in this application, and is set correspondingly to asymmetrickeys. The key data length includes the following: 126 bits, 512 bits, 1024 bits, and 2048 bits.
Based on the above, an initial buried point data, such as abcd00011024, can be generated by combining the preset identification information and the initial key data length. Or, the initial embedded point data, such as abcd0001asymmetrickeys, can be generated by combining the preset identification information and the initial key data type; alternatively, the preset identification information, the initial key data type and the initial key data length may be combined to generate an initial buried point data, such as abcd0001asymmetrickey 1024.
It should be noted that the preset identification information, the key data type, the key data length and the initial embedded data listed above are only simple examples, and are not limited in particular herein.
In the above manner, by declaring the target key segment in which the key data structure is marked based on the initial buried point data, the client can be quickly located to the position of the initial key data.
In the embodiment of the present application, under the condition that the scrambling operation is not performed on the initial key data in the image file, the target key segment is placed in a read-only data (rodata) segment in the image file, and includes at least one initial buried point data and a key data structure, and referring to fig. 4A, a schematic diagram of one target key segment in the embodiment of the present application is shown. In this figure, the target key segment contains an initial buried point data by which the key data structure is marked.
Further, a field generated based on the target key rule may be inserted in the initial key data.
Specifically, the target key rule characterizes that one key algorithm in the key algorithm library is modified, and some fields can be inserted into the initial key data through the modified key algorithm. For example, the initial key data is 0110, and the initial key data after inserting the field is 00111100 through the modified key algorithm.
It should be noted that the above-mentioned initial key data and the initial key data after the field is inserted are only simple examples, and are not limited in detail herein.
Based on the mode, the real initial key data can be hidden, and the safety of the initial key data is ensured.
S202: compiling and generating an image file containing at least one initial buried point data and initial key data based on the marking result;
an alternative embodiment is to scramble the initial key data in the image file by:
performing reversible encryption operation on the initial key data to obtain encrypted initial key data, and generating at least one piece of pseudo key data aiming at the initial key data; and then, each key data is respectively put into the image file through one target key segment.
The key data is encrypted initial key data or pseudo key data; a preset byte offset interval is provided between each target key segment.
For example, if the initial key data is 1234, and the initial key data is subjected to reversible encryption operation, the encrypted initial key data is abcd. For example, for the initial key data 1234, the dummy key data may be aacd, abbd, abcc or the like.
Based on this, four key data structures can be obtained, wherein the key data in one key data structure is abcd, and the key data in the other three key data structures are aacd, abbd, abcc respectively. Four target key segments are thus available, of which only the target key segment containing the initial key data is placed in the read-only data (rodata) segment in the image file, and other target key segments containing the pseudo-key data may be placed in the rodata segment in the image file, or in other segments in the image file. Each target key segment is placed in the image file at a preset byte offset interval, for example, 200 bytes.
The above-mentioned initial key data, encrypted initial key data, pseudo key data, and the like are merely examples, and are not particularly limited herein.
In the mode, the initial key data is scrambled, and a plurality of target key segments are regularly arranged in the image file, so that the initial key data can be hidden, and the safety of the initial key data is ensured.
Furthermore, the initial key data in the image file may be null, i.e., the initial key data is not specified in the image file.
S203: and feeding back the image file to the client so that the client locates initial key data in the image file based on the matching result of the reference buried point data and at least one initial buried point data and replaces the initial key data with target key data.
Specifically, the reference buried data is used to match the initial buried data, and if the reference buried data is identical to the initial buried data, the initial key data in the target key segment can be located, so that the initial key data can be replaced by the target key data.
Based on the mode, the key data structure is marked by the initial buried point data, and the image file containing the initial buried point data and the key data structure is compiled and generated, so that the client can be quickly positioned at the position of the initial key data.
Referring to fig. 5, a flowchart of an implementation of a key replacement method applied to a client according to an embodiment of the present application is shown, and a terminal device is taken as an execution body, where a specific implementation flow of the method includes steps S501-S503 as follows:
S501: acquiring an image file compiled in advance by a compiling server, wherein the image file contains at least one initial buried point data and initial key data; the initial buried point data is a key data structure for marking the correspondence of the initial key data.
The initial buried point data is generated based on the combination of preset identification information and attribute information of initial key data; wherein the attribute information includes at least one of a key data type and a key data length.
Specifically, the image file is fed back to the client by the compiling server. The at least one initial buried point data is characterized in that the initial buried point data can be placed in front of the key data structure, and the initial buried point data can also be placed in front of and behind the key data structure. Referring to fig. 4B, a schematic diagram of another target key segment in an embodiment of the present application is shown. In this figure, the target key segment contains two initial buried point data, and the key data structure is marked by the two initial buried point data.
If the initial key data in the key data structure in the obtained image file is null, that is, the initial key data is not specified in the image file, an initial key data can be generated by the client.
If the initial key data is specified in the key data structure in the obtained image file, the client can judge the validity of the initial key data.
If the initial key data is illegal, whether the client can regenerate the initial key data can be judged according to the type of the initial key data.
If the client is compatible with the initial key data type, the client can regenerate initial key data; if the client cannot be compatible with the initial key data type, the client can report a wrong exit from the key replacement process.
S502: and acquiring reference buried point data, and respectively matching the reference buried point data with at least one initial buried point data.
In embodiments of the present application, reference buried data may be obtained by:
in the first mode, locally stored reference buried point data is obtained, and the reference buried point data is prestored locally in a hard coding mode.
The characteristic value of the reference buried point data is included in the characteristic value of at least one initial buried point data, for example, the initial key data in the image file is not scrambled, the image file only contains one initial key data, and if the initial buried point data corresponding to the initial key data is abc2048, the reference buried point data is abc2048; after the initial key data is scrambled, initial buried point data corresponding to the initial key data is abc2048, initial buried point data corresponding to the pseudo key data is 110126, 100512, abc1024, and at this time, reference buried point data is abc2048.
And the second mode is to link the storage server, acquire reference buried point data from the storage server, and share the reference buried point data with the storage server for the compiling server.
For example, the reference embedded point data is abc2048, and the compiling server stores the characteristic value of the reference embedded point data, and shares the characteristic value to the storage server, so that the client can obtain the characteristic value from the storage server when networking.
Specifically, without networking, reference buried point data may be obtained locally; in the case of networking, the reference point data may be obtained locally or by linking a storage server.
Based on the above manner, the reference buried point data can be obtained, and then the reference buried point data is matched with at least one initial buried point data in the image file, and the initial buried point data which is the same as the reference buried point data is matched.
S503: and determining a first position of the initial key data in the image file according to the matching result, and replacing the initial key data in the image file with the target key data based on the first position.
Specifically, if the initial buried data identical to the reference buried data is matched, the initial key data can be located at the position of the initial key data, so that the initial key data in the image file is replaced by the target key data.
In addition, the initial buried data can be replaced, specifically as follows:
(1) determining a second position of the initial buried point data in the mirror image file according to the matching result;
(2) and replacing the initial buried point data in the image file with target buried point data based on the second position.
The target embedded point data can be generated by combining preset identification information and attribute information of target key data, wherein the attribute information of the target key data comprises at least one of a target key data type and a target key data length. For example, if the preset identification information is aabb and the target key data length is 2048, the target buried data generated by combining is aabb2048.
In the mode, the initial embedded point data is replaced, so that the position rule of the embedded point data in the image file can be prevented from being found out from the image files before and after replacement, and the safety is improved.
Referring to fig. 6, a schematic flow chart of interaction between a compiling server and a client in an embodiment of the application is shown, and a specific interaction flow is as follows:
step S601: the compiling server obtains a key data structure corresponding to the initial key data, and marks the key data structure based on at least one initial buried point data;
Step S602: the compiling server compiles and generates an image file containing at least one initial buried point data and initial key data based on the marking result;
step S603: the compiling server feeds back the image file to the client;
step S604: the client acquires an image file compiled in advance by a compiling server;
step S605: the client acquires reference buried point data and respectively matches the reference buried point data with at least one initial buried point data;
step S606: the client determines a first position of initial key data in the image file according to the matching result, and replaces the initial key data in the image file with target key data based on the first position;
in the embodiment of the application, based on the steps, the client can replace the key data in the image file through the interaction between the compiling server and the client.
Referring to fig. 7, a schematic flowchart of an implementation process of replacing initial key data by a client in the embodiment of the present application is shown, where the implementation process is as follows:
step S701: the initial key data is not specified in the image file, namely the initial key data in the image file is empty;
Step S702: the client generates initial key data;
step S703: matching initial buried point data in the mirror image file;
step S704: according to the matching result, positioning the position of the initial key data, and replacing the initial key data with the target key data;
step S705: the image file is assigned with initial key data;
step S706: judging whether the designated initial key data is legal or not; if the designated initial key data is legal, steps S703 and S704 are executed;
step S707: if the designated initial key data is illegal, judging whether the initial key data can be regenerated; if the initial key data can not be regenerated, the process of replacing the initial key data is exited;
step S708: if the initial key data can be regenerated, the initial key data is regenerated, and then steps S703 and S704 are performed.
Based on the same inventive concept, the embodiment of the application also provides a device for replacing the key. Referring to fig. 8, a schematic diagram of a key replacement apparatus 800, which may be applied to a compiling server, may include:
a marking unit 801, configured to obtain a key data structure corresponding to the initial key data, and mark the key data structure based on at least one initial buried point data;
A compiling unit 802, configured to compile and generate an image file containing at least one initial buried point data and initial key data based on the marking result;
and a feedback unit 803, configured to feed back the image file to the client, so that the client locates the initial key data in the image file based on the matching result of the reference buried point data and the at least one initial buried point data, and replaces the initial key data with the target key data.
Optionally, the marking unit 801 is further configured to:
based on the preset identification information and the attribute information of the initial key data, combining and generating at least one initial buried point data; wherein the attribute information includes at least one of a key data type and a key data length;
the target key segment is declared and the key data structure is marked in the target key segment based on at least one initial buried point data.
Optionally, the apparatus further comprises:
an inserting unit 804 is configured to insert, in the initial key data, a field generated based on the target key rule.
Wherein the insertion unit 804 is represented by a dashed box, which characterizes the unit as a newly added unit in performing the above-described corresponding optional steps. This is merely a simple example, and the new way may be adopted, or other ways may be adopted, which are not specifically limited herein.
Optionally, the marking unit 801 is further configured to:
respectively abstracting attribute information of the initial key data and the initial key data into at least one variable;
and determining a key data structure based on the obtained variables so as to compile by calling the corresponding variables in the compiling process of the image file.
Optionally, the compiling unit 802 is further configured to:
the initial key data in the image file is scrambled by:
performing reversible encryption operation on the initial key data to obtain encrypted initial key data, and generating at least one piece of pseudo key data aiming at the initial key data;
each key data is placed into an image file through a target key segment, wherein the key data is encrypted initial key data or pseudo key data; a preset byte offset interval is provided between each target key segment.
Referring to fig. 9, which is a schematic diagram illustrating a composition structure of a key replacement device 900, the key replacement device may be applied to a client, and may include:
an obtaining unit 901, configured to obtain an image file pre-compiled by a compiling server, where the image file contains at least one initial buried point data and initial key data; the initial buried point data is a key data structure corresponding to the initial key data for marking;
A matching unit 902, configured to obtain reference buried point data, and match the reference buried point data with at least one initial buried point data respectively;
the first replacing unit 903 is configured to determine a first location of the initial key data in the image file according to the matching result, and replace the initial key data in the image file with the target key data based on the first location.
Optionally, the matching unit 902 is further configured to:
acquiring locally stored reference buried point data, wherein the reference buried point data is stored locally in advance in a hard coding mode; or (b)
And linking the storage servers, and acquiring reference embedded point data from the storage servers, wherein the reference embedded point data is shared by the compiling servers to the storage servers.
Optionally, the apparatus further comprises:
a second replacing unit 904, configured to determine a second position of the initial buried point data in the image file according to the matching result;
and replacing the initial buried point data in the image file with target buried point data based on the second position.
Wherein the second replacement unit 904 is represented by a dashed box, which characterizes the unit as a newly added unit in performing the corresponding optional steps described above. This is merely a simple example, and the new way may be adopted, or other ways may be adopted, which are not specifically limited herein.
Optionally, the initial buried data is generated based on a combination of preset identification information and attribute information of the initial key data; wherein the attribute information includes at least one of a key data type and a key data length.
For convenience of description, the above parts are described as being functionally divided into modules (or units) respectively. Of course, the functions of each module (or unit) may be implemented in the same piece or pieces of software or hardware when implementing the present application.
Having described the method and apparatus for key replacement according to an exemplary embodiment of the present application, next, an electronic device according to another exemplary embodiment of the present application is described.
Those skilled in the art will appreciate that the various aspects of the present application may be implemented as a system, method, or program product. Accordingly, aspects of the present application may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects may be referred to herein as a "circuit," module "or" system.
The embodiment of the application also provides electronic equipment based on the same inventive concept as the embodiment of the method. In one embodiment, the electronic device may be a server. In this embodiment, the electronic device may be configured as shown in fig. 10, including a memory 1001, a communication module 1003, and one or more processors 1002.
Memory 1001 for storing computer programs for execution by processor 1002. The memory 1001 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, a program required for running an instant communication function, and the like; the storage data area can store various instant messaging information, operation instruction sets and the like.
The memory 1001 may be a volatile memory (RAM) such as a random-access memory (RAM); the memory 1001 may also be a nonvolatile memory (non-volatile memory), such as a read-only memory (rom), a flash memory (flash memory), a hard disk (HDD) or a Solid State Drive (SSD); or memory 1001 is any other medium that can be used to carry or store a desired computer program in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. Memory 1001 may be a combination of the above.
The processor 1002 may include one or more central processing units (central processing unit, CPU) or digital processing units, or the like. A processor 1002 for implementing the above-described key replacement method when calling a computer program stored in the memory 1001.
The communication module 1003 is used for communicating with a terminal device and other servers.
The specific connection medium between the memory 1001, the communication module 1003, and the processor 1002 is not limited in the embodiments of the present application. In the embodiment of the present application, the memory 1001 and the processor 1002 are connected by the bus 1004 in fig. 10, and the bus 1004 is depicted by a thick line in fig. 10, and the connection manner between other components is only schematically illustrated, and is not limited to the illustration. The bus 1004 may be divided into an address bus, a data bus, a control bus, and the like. For ease of description, only one thick line is depicted in fig. 10, but only one bus or one type of bus is not depicted.
The memory 1001 has stored therein a computer storage medium having stored therein computer executable instructions for implementing the method of key replacement of the embodiments of the present application. The processor 1002 is configured to perform the method of key replacement described above, as shown in fig. 5.
A computing device 1100 according to such an embodiment of the present application is described below with reference to fig. 11. The computing device 1100 of fig. 11 is merely an example and should not be taken as limiting the functionality and scope of use of embodiments of the present application.
As shown in fig. 11, computing device 1100 is in the form of a general purpose computing device. Components of computing device 1100 may include, but are not limited to: the at least one processing unit 1101, the at least one memory unit 1102, a bus 1103 that connects the different system components (including the memory unit 1102 and the processing unit 1101).
The bus 1103 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, and a local bus using any of a variety of bus architectures.
The storage unit 1102 may include a readable medium in the form of volatile memory, such as Random Access Memory (RAM) 1121 and/or cache memory 1122, and may further include Read Only Memory (ROM) 1123.
Storage unit 1102 may also include a program/utility 1125 having a set (at least one) of program modules 1124, such program modules 1124 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The computing device 1100 may also communicate with one or more external devices 1104 (e.g., keyboard, pointing device, etc.), one or more devices that enable a user to interact with the computing device 1100, and/or any devices (e.g., routers, modems, etc.) that enable the computing device 1100 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1105. Moreover, computing device 1100 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter 1106. As shown in fig. 11, network adapter 1106 communicates with other modules for computing device 1100 over bus 1103. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with computing device 1100, including, but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
In some possible embodiments, aspects of the method of key replacement provided herein may also be implemented in the form of a program product comprising a computer program for causing an electronic device to perform the steps of the method of key replacement according to various exemplary embodiments of the present application described herein above when the program product is run on the electronic device, e.g. the electronic device may perform the steps as shown in fig. 5.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product of embodiments of the present application may employ a portable compact disc read only memory (CD-ROM) and comprise a computer program and may run on a computing device. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with a command execution system, apparatus, or device.
The readable signal medium may comprise a data signal propagated in baseband or as part of a carrier wave in which a readable computer program is embodied. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with a command execution system, apparatus, or device.
A computer program embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer programs for performing the operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer program may execute entirely on the user's computing device, partly on the user's equipment, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, the features and functions of two or more of the elements described above may be embodied in one element in accordance with embodiments of the present application. Conversely, the features and functions of one unit described above may be further divided into a plurality of units to be embodied.
Furthermore, although the operations of the methods of the present application are depicted in the drawings in a particular order, this is not required to or suggested that these operations must be performed in this particular order or that all of the illustrated operations must be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (12)

1. A key replacement method, applied to a client, the method comprising:
acquiring an image file compiled in advance by a compiling server, wherein the image file contains at least one initial buried point data and initial key data; the initial buried point data is a key data structure for marking the corresponding initial key data;
acquiring reference buried point data, and respectively matching the reference buried point data with the at least one initial buried point data;
and according to a matching result, determining a first position of the initial key data in the image file, and replacing the initial key data in the image file with target key data based on the first position.
2. The method of claim 1, wherein the acquiring reference buried point data comprises:
obtaining locally stored reference buried point data, wherein the reference buried point data is prestored to the local in a hard coding mode; or (b)
And linking the storage servers, and acquiring reference buried point data from the storage servers, wherein the reference buried point data is shared by the compiling servers to the storage servers.
3. The method of claim 1, wherein the method further comprises:
Determining a second position of the initial buried data in the image file according to the matching result;
and replacing the initial buried point data in the image file with target buried point data based on the second position.
4. A method according to any one of claims 1 to 3, wherein the initial buried data is generated based on a combination of preset identification information and attribute information of the initial key data; wherein the attribute information includes at least one of a key data type and a key data length.
5. A key replacement method, applied to a compiling server, comprising:
acquiring a key data structure corresponding to initial key data, and marking the key data structure based on at least one initial buried point data;
compiling and generating an image file containing the at least one initial buried point data and the initial key data based on the marking result;
and feeding the image file back to the client so that the client locates the initial key data in the image file based on a matching result of the reference embedded point data and the at least one initial embedded point data and replaces the initial key data with target key data.
6. The method of claim 5, wherein the marking the key data structure based on at least one initial buried point data comprises:
based on preset identification information and attribute information of the initial key data, combining and generating at least one initial buried point data; wherein the attribute information includes at least one of a key data type and a key data length;
a target key segment is declared and the key data structure is marked in the target key segment based on the at least one initial buried point data.
7. The method of claim 5 or 6, wherein the method further comprises:
in the initial key data, a field generated based on a target key rule is inserted.
8. The method as claimed in claim 5 or 6, wherein the obtaining the key data structure corresponding to the initial key data comprises:
respectively abstracting attribute information of the initial key data and the initial key data into at least one variable;
and determining the key data structure based on the obtained variables so as to compile by calling the corresponding variables in the compiling process of the image file.
9. The method of claim 5 or 6, wherein the compiling generates an image file containing the at least one initial buried point data and the initial key data, further comprising:
the initial key data in the image file is scrambled by the following method:
performing reversible encryption operation on the initial key data to obtain encrypted initial key data, and generating at least one piece of pseudo key data aiming at the initial key data;
each key data is placed into the image file through a target key segment, wherein the key data is encrypted initial key data or pseudo key data; a preset byte offset interval is provided between each target key segment.
10. A key replacement device for application to a client, the device comprising:
the system comprises an acquisition unit, a compiling server and a storage unit, wherein the acquisition unit is used for acquiring an image file pre-compiled by the compiling server, and the image file contains at least one initial buried point data and initial key data; the initial buried point data is a key data structure for marking the corresponding initial key data;
the matching unit is used for acquiring reference buried point data and respectively matching the reference buried point data with the at least one initial buried point data;
And the first replacing unit is used for determining a first position of the initial key data in the image file according to the matching result and replacing the initial key data in the image file with target key data based on the first position.
11. A key replacement device, for use with a compiling server, the device comprising:
the marking unit is used for acquiring a key data structure corresponding to the initial key data and marking the key data structure based on at least one initial buried point data;
a compiling unit for compiling and generating an image file containing the at least one initial buried point data and the initial key data based on the marking result;
and the feedback unit is used for feeding back the image file to the client so that the client locates the initial key data in the image file based on a matching result of the reference embedded point data and the at least one initial embedded point data and replaces the initial key data with the target key data.
12. An electronic device comprising a processor and a memory, wherein the memory stores a computer program which, when executed by the processor, causes the processor to perform the steps of the method of any of claims 1 to 9.
CN202211657498.XA 2022-12-22 2022-12-22 Key replacement method and device and electronic equipment Pending CN116155489A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211657498.XA CN116155489A (en) 2022-12-22 2022-12-22 Key replacement method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211657498.XA CN116155489A (en) 2022-12-22 2022-12-22 Key replacement method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN116155489A true CN116155489A (en) 2023-05-23

Family

ID=86372772

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211657498.XA Pending CN116155489A (en) 2022-12-22 2022-12-22 Key replacement method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN116155489A (en)

Similar Documents

Publication Publication Date Title
EP1942431B1 (en) Software or other information integrity verification using variable block length and selection
US20160094347A1 (en) Method and system for secure management of computer applications
US9798677B2 (en) Hybrid cryptographic key derivation
CN105637800A (en) Keying infrastructure
CN107077540B (en) Method and system for providing cloud-based application security services
Sookhak et al. Towards dynamic remote data auditing in computational clouds
US10572635B2 (en) Automatic correction of cryptographic application program interfaces
KR20150045790A (en) Method and Apparatus for authenticating and managing an application using trusted platform module
CN115248919A (en) Method and device for calling function interface, electronic equipment and storage medium
CN111228819B (en) Method, device and equipment for protecting Shader
CN114942729A (en) Data safety storage and reading method for computer system
CN110737725A (en) Electronic information inspection method, device, equipment, medium and system
WO2017197869A1 (en) Version file checking method and apparatus, encryption method and apparatus, and storage medium
CN107315945A (en) The disk decryption method and device of a kind of electronic equipment
CN111045856A (en) Method, apparatus and computer program product for managing application systems
CN117313046A (en) Code reinforcement method, code loading method, device and medium
CN111400771A (en) Target partition checking method and device, storage medium and computer equipment
CN110135131B (en) Encryption method of application program, storage medium and terminal equipment
CN116155489A (en) Key replacement method and device and electronic equipment
CN111831978A (en) Method and device for protecting configuration file
CN115589316A (en) Data encryption transmission method and device, electronic equipment and storage medium
US20220138050A1 (en) Method for storage management, electronic device, and computer program product
CN111949738A (en) Block chain-based data storage deduplication method, terminal device and storage medium
Lekshmi et al. Data auditing in cloud storage using smart contract
US20200183675A1 (en) Image file packaging method and image file packaging system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination