CN112953707A - Key encryption method, decryption method, data encryption method and decryption method - Google Patents
Key encryption method, decryption method, data encryption method and decryption method Download PDFInfo
- Publication number
- CN112953707A CN112953707A CN201911266698.0A CN201911266698A CN112953707A CN 112953707 A CN112953707 A CN 112953707A CN 201911266698 A CN201911266698 A CN 201911266698A CN 112953707 A CN112953707 A CN 112953707A
- Authority
- CN
- China
- Prior art keywords
- key
- data
- identification information
- encryption
- acquiring
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses a secret key encryption method, a decryption method, a data encryption method and a data decryption method. The key encryption method comprises the steps of obtaining a first key and equipment identification information of the electronic equipment, generating a second key according to the equipment identification information, and encrypting the first key by using the second key to generate an encryption key. In the embodiment of the application, the first key is encrypted by using the equipment identification information, so that the safety of the first key can be effectively ensured, and the safety of data encryption is improved; meanwhile, the first secret key is encrypted by using the equipment identification information, and the encryption safety of the first secret key is greatly improved based on the uniqueness of the equipment identification information.
Description
Technical Field
The present application relates to the field of encryption technologies, and in particular, to a key encryption method, a key decryption method, a data encryption method, and a data decryption method.
Background
With the rapid development of the internet and mobile networks, various network security problems occur, and network security becomes one of the focuses of people. The network security development has a mature framework and theory so far, and related scenes and methods are very many, such as cryptography, infrastructure security, access control, authentication management, transmission security, sensitive data protection and the like. If important data related to identity information, confidential information, privacy of individuals, etc. is revealed, it will pose a great threat to the user's assets and security, etc. For the protection of these important data, it is common to encrypt these data with a key. However, in the existing encryption method, since the key is mostly managed by the user, once the key is leaked, an attacker may easily decrypt important data, and thus the security of the existing encryption method still needs to be improved.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
On the one hand, the embodiment of the application provides a secret key encryption method, a decryption method, a data encryption method and a data decryption method, and the security of data encryption can be improved.
On the other hand, an embodiment of the present application further provides a key encryption method, which is applied to an electronic device, and includes:
acquiring a first secret key;
acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
and encrypting the first key by using the second key to generate an encryption key.
On the other hand, an embodiment of the present application further provides a key decryption method, applied to an electronic device, including:
acquiring an encryption key;
acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
and decrypting the encryption key by using the second key to obtain a first key.
On the other hand, an embodiment of the present application provides a data encryption method, which is applied to an electronic device, and includes:
acquiring original data;
acquiring a first key, and encrypting the original data by using the first key to generate encrypted data;
acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
and encrypting the first key by using the second key to generate an encryption key.
On the other hand, an embodiment of the present application further provides a data decryption method, which is applied to an electronic device, and includes:
acquiring encrypted data and an encryption key;
acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
decrypting the encryption key by using the second key to obtain a first key;
and decrypting the encrypted data by using the first key to obtain original data.
On the other hand, the embodiment of the present application further provides an electronic device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the computer program is executed, the computer program executes the above-mentioned key encryption method, or executes the above-mentioned key decryption method, or executes the above-mentioned data encryption method, or executes the above-mentioned data decryption method.
In still another aspect, an embodiment of the present application further provides a computer-readable storage medium, which stores computer-executable instructions for performing the key encryption method, or performing the key decryption method, or performing the data encryption method, or performing the data decryption method.
The embodiment of the application comprises the following steps: the method comprises the steps of obtaining a first secret key and equipment identification information of electronic equipment, generating a second secret key according to the equipment identification information, and encrypting the first secret key by using the second secret key to generate an encryption secret key. Based on the technical scheme of the embodiment of the application, the first key is encrypted by using the equipment identification information, so that the safety of the first key can be effectively ensured, and the safety of data encryption is improved; meanwhile, the first secret key is encrypted by using the equipment identification information, and the encryption safety of the first secret key is greatly improved based on the uniqueness of the equipment identification information.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the claimed subject matter and are incorporated in and constitute a part of this specification, illustrate embodiments of the subject matter and together with the description serve to explain the principles of the subject matter and not to limit the subject matter.
Fig. 1 is a block diagram of a data encryption system according to an embodiment of the present application;
fig. 2 is a flowchart of a key encryption method provided in an embodiment of the present application;
fig. 3 is a flowchart of a key decryption method provided in an embodiment of the present application;
fig. 4 is a flowchart of a data encryption method provided in an embodiment of the present application;
fig. 5 is a flowchart of generating a second key according to the device identification information in a data encryption method provided in an embodiment of the present application;
fig. 6 is a flowchart illustrating that, in a data encryption method provided in an embodiment of the present application, the second key is generated through one or more iterations according to the third key;
fig. 7 is a flowchart of performing one-way hash processing on raw data in a data encryption method according to an embodiment of the present application;
fig. 8 is a flowchart of a data decryption method provided in an embodiment of the present application;
fig. 9 is a flowchart illustrating hash checking on raw data obtained by decryption in a data decryption method according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
It should be understood that in the description of the embodiments of the present application, a plurality (or a plurality) means two or more, and more than, less than, more than, etc. are understood as excluding the present number, and more than, less than, etc. are understood as including the present number. If the description of "first", "second", etc. is used for the purpose of distinguishing technical features, it is not intended to indicate or imply relative importance or to implicitly indicate the number of indicated technical features or to implicitly indicate the precedence of the indicated technical features.
With the rapid development of the internet and mobile networks, various network security problems occur, and network security becomes one of the focuses of people. The network security development has a mature framework and theory so far, and the related scenes and methods are very many, such as cryptography, infrastructure security, access control, authentication management, transmission security, sensitive data protection and the like. If important data related to identity information, confidential information, privacy of individuals, etc. is revealed, it will pose a great threat to the user's assets and security, etc. For the protection of these important data, it is common to encrypt these data with a key. However, in the existing encryption method, since the key is mostly managed by the user, once the key is leaked, an attacker may easily decrypt important data, and thus the security of the existing encryption method still needs to be improved.
The embodiment of the application provides a data encryption method, a data decryption method, a key encryption method and a key decryption method. The data encryption method, the data decryption method, the key encryption method and the key decryption method are applied to electronic equipment.
The electronic device is a device capable of installing various communication applications or having a communication function. For example, a smart phone, a tablet Computer, a PC (Personal Computer), various wearable devices (headphones, a watch, and the like), an in-vehicle device, a television set-top box, a wireless base station device, a virtualized data device, and the like.
The data encryption system executing the data encryption method, the data decryption method, the key encryption method and the key decryption method provided by the embodiment of the application is installed in the electronic equipment. Referring to fig. 1, a block diagram of a data encryption system in an embodiment of the present application is shown. Wherein:
the first key obtaining module 111 is configured to generate a first key;
the data encryption module 112 is configured to encrypt the original data with a first key;
the third key generation module 113 is configured to generate a third key according to the device identification information;
the second key generation module 114 is configured to generate a second key according to the third key;
the key encryption module 115 is configured to encrypt the first key with the second key and generate a random number;
the key decryption module 116 is configured to decrypt the first key using the second key;
the data decryption module 117 is configured to decrypt the original data with the first key;
the storage module 118 is used for storing encrypted data, encryption keys, random numbers and the like; the memory module 118 may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device, flash memory device, or other volatile solid-state storage device, or a secure storage area within some chip.
It should be understood that the structure of the data encryption system shown in fig. 1 does not constitute a limitation on the data encryption system, and the data encryption system provided by the embodiments of the present application may include more or less modules than those shown, or some modules may be combined, or a different arrangement of modules.
Fig. 2 is a flowchart of a key encryption method according to an embodiment of the present application. As shown in fig. 2, the method is applied to an electronic device, and includes, but is not limited to, the following steps:
step 101: acquiring a first secret key;
step 102: acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
step 103: and encrypting the first key by using the second key to generate an encryption key.
The first key is used to encrypt the original data, and the first key may be stored in advance through a storage medium, where the storage medium may be a hard disk, a usb disk, an optical disk, or the like.
Specifically, the device identification information is used to identify a specific device, and has uniqueness. The device identification information may include software device identification information and hardware device identification information. The software device identification information may be one or more combinations of host names, IP addresses, etc., for example, in a lan device group, each individual host has a corresponding host name and IP address, and a host can be quickly determined by the host name or IP address. The hardware device identification information may be one or more combinations of a CPU (Central Processing Unit) serial number, a single-board bar code, a Media Access Control (MAC) address, and the like, where each CPU has a unique CPU serial number, and the CPU serial number is placed into the CPU by a manufacturer in the manufacturing process of the CPU, is invariable throughout the life, and can be read by software; the single board strip-shaped code comprises single board basic information such as BOM (Byte Order Mark) codes, factory information, single board versions, single board names, single board characteristic codes and the like, can be read through software, and each single board is unique; the ethernet port MAC address, i.e. the physical address, is used to uniquely identify a network card in the network, and the ethernet port MAC address of each device is also unique and can be read by software. Specifically, the obtaining of the hardware device identification information in step 102 may be implemented by reading the hardware running information of the electronic device, and the software for reading the hardware running information of the electronic device is the prior art and is not described herein again. It is understood that the hardware device identification information is not limited to the CPU serial number, the board barcode and the ethernet port MAC address in the present embodiment, and those skilled in the art can select other similar hardware device identification information based on understanding the present application.
And after the hardware equipment identification information of the electronic equipment is acquired, generating a second key according to the hardware equipment identification information. Because the hardware device identification information corresponds to each electronic device and has uniqueness, the second secret key generated by each device has correspondence and uniqueness, so that the encryption security of the first secret key is greatly improved. The first key is encrypted by using the second key, and the Encryption can be realized by adopting an AES-CCM (Advanced Encryption Standard-Counter with Cipher Block Encryption-Message Authentication Code) algorithm in the prior art. The present embodiment is not limited to encrypting the first key by using the AES-CCM algorithm, and those skilled in the art may also use other similar algorithms in the prior art.
In the embodiment, the first key is encrypted by using the device identification information, so that the safety of the first key can be effectively ensured, and the safety of data encryption is improved; meanwhile, the first secret key is encrypted by using the equipment identification information, and the encryption safety of the first secret key is greatly improved based on the uniqueness of the equipment identification information.
Corresponding to the key encryption method in the foregoing embodiment, referring to fig. 3, an embodiment of the present application further provides a key decryption method, where the method includes, but is not limited to, the following steps:
step 201: acquiring an encryption key;
step 202: acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
step 203: and decrypting the encryption key by using the second key to obtain a first key.
The encryption key may be stored in advance through a storage medium, which may be a hard disk, a usb disk, an optical disk, or the like.
Step 202 and step 102 are the same operations, and are not described herein again.
In step 203, the encryption key is decrypted by using the second key, and the decryption is implemented by using the same algorithm as that in the key encryption method embodiment, that is, the AES-CCM algorithm. If another algorithm is used for encrypting the first key, the same algorithm as used for encrypting is used for decrypting the encryption key.
Based on the key encryption method in the above embodiment, the embodiment of the present application further provides a data encryption method. As shown in fig. 4, the method includes, but is not limited to, the following steps:
step 301: acquiring original data;
step 302: acquiring a first key, and encrypting the original data by using the first key to generate encrypted data;
step 303: acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
step 304: and encrypting the first key by using the second key to generate an encryption key.
The original data is data that the user needs to encrypt, and may relate to identity information, confidential information, personal privacy, and the like. For example, if the electronic device is a wireless base station device, the original data may be a digital certificate private key, an account number and a password for communication between the base station and a network manager, and the like; if the electronic equipment is a mobile phone or a PC, the original data can be photos, various account passwords, confidential documents and the like of the user; if the electronic device is a set-top box, the original data may be a viewing record, an account password, etc. of the user.
Specifically, the raw data may be obtained based on the encryption request. The encryption request may be generated by an application program run by the electronic device, where the application program may be a conventional application program that needs to be installed for use, or may be an applet that can be used without being downloaded and installed. When newly generating original data, the application program can identify whether the newly generated original data needs to be encrypted according to the preset encryption rule, and if so, generates an encryption request to acquire the original data. In addition, the application program can also identify the original data needing to be encrypted according to the preset encryption rule, and generate an encryption request to acquire the original data. Or, the application program receives the instruction of the user and requests to encrypt the original data, and generates an encryption request to acquire the original data.
In an embodiment of the present application, to further explain the foregoing embodiment, in the step 102, the obtaining a first key specifically includes: and generating a random character string, wherein the random character string is used as a first secret key. Wherein, the combination of the character strings can be numbers, letters or the combination of the numbers and the letters; the random character string is generated by adopting a random number algorithm in the prior art, and meanwhile, the generated random character string can be compared with each generated random character string before, if the random character string is repeated, the generated random character string can be discarded, and the random character string is generated again. In this way, uniqueness can be given to the random string that is generated and retained.
After the random string is generated, the original data may be encrypted by an encryption algorithm in the prior art, such as an AES-CCM algorithm. The AES-CCM algorithm is a well-known encryption algorithm to those skilled in the art, and is not described herein. It is understood that, in this embodiment, the encryption of the original data is not limited to the AES-CCM algorithm, and after the random character string is obtained, a person skilled in the art may also use other encryption algorithms in the prior art to encrypt the original data.
In an embodiment, in the step 302, obtaining the first key may further include: and acquiring a character string configured by a user, and taking the character string configured by the user as a first key. Specifically, the user configured character string is a character string set by the user through the input device. The user can freely set the first key according to own hobbies or requirements. Likewise, the combination of character strings may be a number, a letter, or a combination of a number and a letter, and after the random character string is acquired, the original data may be encrypted by the AES-CCM algorithm.
In an embodiment, in the step 302, obtaining the first key may further include: and connecting the server, acquiring the character string dynamically generated by the server, and taking the character string dynamically generated by the server as a first key. The server dynamically generates the character string, which may adopt one or more combination modes such as a Dynamic password card, a Dynamic password token, a mobile phone Dynamic password, or a DHCP (Dynamic Host Configuration Protocol) Protocol. Likewise, the combination of character strings may be a number, a letter, or a combination of a number and a letter, and after the random character string is acquired, the original data may be encrypted by the AES-CCM algorithm.
It is to be understood that the manner in which the above-described embodiments obtain the first key is equally applicable to the embodiments of the key encryption method and the key decryption method.
The device identification information in this embodiment is consistent with the device identification information in the key encryption method embodiment, and is used to identify a specific device, and may include software device identification information and hardware device identification information, and has uniqueness. In this embodiment, the device identification information is hardware device identification information, and may be one or a combination of multiple types of CPU serial number, board barcode, ethernet port MAC address, and the like, where the CPU serial number, the board barcode, and the ethernet port MAC address have been described in detail in the above embodiment of the key encryption method, and are not described herein again.
Specifically, referring to fig. 5, generating the second key according to the device identification information includes, but is not limited to, the following steps:
step 401: generating a third key through one or more iterations according to the equipment identification information;
step 402: and generating the second key through one or more iterations according to the third key.
For example, the SHA-256(Secure Hash Algorithm-256) Algorithm in the prior art may be used to generate both the second key and the third key, where the SHA-256 Algorithm is well known to those skilled in the art, and may convert a message of any length into a shorter message digest of a fixed length, which is not described herein again. It is to be understood that the embodiment is not limited to the SHA-256 algorithm for generating the second key or the third key, and those skilled in the art can also use other similar algorithms in the prior art. For example, when the device identification information includes a plurality of types, the device identification information may be processed in one or more ways, such as simple combination, exclusive or operation, and the like, and then used as an input of the SHA-256 algorithm. Firstly, a third key is generated according to the equipment identification information, and then a second key is generated by using the third key, so that the complexity of the second key is improved, and the encryption security of the first key is improved; and the third key and the second key are generated through multiple iterations, so that the effects of improving the complexity of the second key and improving the security of the encryption of the first key can be achieved.
It is understood that the specific steps of generating the second key according to the device identification information in the present embodiment can be applied to the embodiments of the key encryption method and the key decryption method described above.
Based on the foregoing embodiment, referring to fig. 6, in an embodiment, when the second key is generated through one or more iterations according to the third key, a random number is further introduced, which specifically includes, but is not limited to, the following steps:
step 501: acquiring a random number;
step 502: and generating the second key through one or more iterations according to the third key and the random number.
Specifically, in step 501, a random number algorithm in the prior art may be adopted for obtaining the random number, and details are not described here. In step 502, the second key is generated through one or more iterations according to the third key and the random number, that is, the third key and the random number are simultaneously used as inputs of the SHA-256 algorithm, and the third key and the random number may be processed before being input through one or more manners such as simple combination, exclusive-or operation, and the like. By introducing the random number, the effects of improving the complexity of the second secret key and improving the security of the encryption of the first secret key can be achieved. After the random number is obtained, the random number can be stored by a storage medium, which can be a hard disk, a U disk, an optical disk and the like, so as to be convenient for use in the subsequent decryption process.
It is understood that the specific steps of generating the second key by introducing the random number in this embodiment may also be applied to the embodiments of the key encryption method and the key decryption method described above.
Referring to fig. 7, in an embodiment, a data encryption method provided by the present application may further include the following steps:
step 601: performing one-way hash processing on the original data to generate corresponding first hash message check data;
step 602: and encrypting the first hash message verification data by using the first key to generate encrypted hash message verification data.
The one-way hash processing may be implemented by using a SHA-256 algorithm in the prior art, and the first hash message check data is encrypted by using the first key, which may be implemented by using an AES-CCM algorithm in the prior art. In this embodiment, the original data is subjected to one-way hash processing to generate corresponding first hash message verification data, so as to facilitate verification of the decrypted original data in a decryption process, verify whether the original data is tampered, and improve security.
Fig. 8 is a flowchart of a data decryption method in an embodiment of the present application. As shown in fig. 8, the data encryption method corresponding to the above embodiment includes, but is not limited to, the following steps:
step 701: acquiring encrypted data and an encryption key;
step 702: acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
step 703: decrypting the encryption key by using the second key to obtain a first key;
step 704: and decrypting the encrypted data by using the first key to obtain original data.
The encrypted data is obtained by encrypting the original data by the data encryption method, and the encryption key is obtained by encrypting the first key by the data encryption method in the embodiment. The encrypted data and the encryption key may be stored in advance by a storage medium, such as a hard disk, a usb disk, an optical disk, etc.
In step 702, the device identification information of the electronic device is consistent with the key encryption method in the above embodiment, and is not described herein again.
In this embodiment, the hardware device identification information may be read by software, which is suitable for decrypting the original data on the original electronic device; or, the hardware device identification information may be input by the user, and the user may pre-memorize the hardware device identification information of the original electronic device, and at this time, the user may decrypt the original data on another electronic device, as long as an interface is provided for the user to input the hardware device identification information of the original electronic device, and the method is suitable for decrypting the original data on other electronic devices.
Likewise, the first key is used for encrypting original data, and a random character string can be generated and used as the first key; or acquiring a character string configured by a user, and taking the character string configured by the user as a first key; or connecting with the server to obtain the character string dynamically generated by the server, and taking the character string dynamically generated by the server as the first key.
And decrypting the encryption key by using the second key and decrypting the encrypted data by using the first key by using an algorithm corresponding to the data encryption method embodiment, namely, an AES-CCM algorithm. Similarly, if another algorithm is used for the original data encryption or the first key encryption, the same algorithm as used for the encryption is used for the encrypted data decryption or the encryption key decryption.
In an embodiment, the second key is generated according to the device identification information, and a third key may be generated through one or more iterations according to the device identification information; and generating the second key through one or more iterations according to the third key. Corresponding to the above data encryption method embodiment, both the second key and the third key may be generated by using the SHA-256 algorithm in the prior art. If another algorithm is used to generate the third key and the second key when the original data is encrypted, the same algorithm as that used in encryption is used to generate the third key and the second key when the encrypted data is decrypted.
In the above embodiment of the data encryption method, if a random number is introduced to generate the second key, in an embodiment, when the second key is generated, the corresponding random number needs to be acquired first. Specifically, there may be the following cases: when the original data is encrypted, the random number is stored locally, and when the original data is decrypted, the random number is obtained locally; or, when the original data is encrypted, the random number is stored in a removable storage medium (such as a usb disk), and when the original data is decrypted, the removable storage medium is read first, and then the random number is obtained from the removable storage medium; or, when encrypting the original data, the user records the random number in another way, and when decrypting the original data, the user firstly provides an input interface for inputting, and then obtains the random number. And after the random number is obtained, generating the second key through one or more iterations according to the third key and the random number. Likewise, the SHA-256 algorithm in the prior art can be used for implementation.
Referring to fig. 9, in the embodiment of the data encryption method, if the original data is subjected to the one-way hash processing, in an embodiment, when the encrypted data is decrypted, the method may further include the following steps:
step 801: acquiring encrypted hash message verification data;
step 802: decrypting the encrypted hash message verification data by using the first key to obtain first hash message verification data;
step 803: performing one-way hash processing on the decrypted original data to generate corresponding second hash message check data;
step 804: and verifying the first hash message verification data and the second hash message verification data, and judging the integrity of the original data obtained after decryption.
The encrypted hash message verification data may be stored in advance in a storage medium, where the storage medium may be a hard disk, a usb disk, an optical disk, or the like.
In step 802, the encrypted hash message verification data is decrypted by using the first key, which may be implemented by using an AES-CCM algorithm in the prior art, corresponding to the above-described data encryption method embodiment.
In step 803, the original data obtained after decryption is subjected to one-way hash processing, which corresponds to the above data encryption method embodiment, and is consistent with the algorithm used for generating the first hash message verification data, and can be implemented by using the SHA-256 algorithm in the prior art.
In step 804, after the first hash message verification data and the second hash message verification data are verified, if it is determined that the decrypted original data is tampered, the original data may be discarded, or an alarm may be given to the user; if the original data obtained by decryption is judged, the decrypted original data can be submitted to a user for use, and therefore safety is improved. The verification method of the first hash message verification data and the second hash message verification data is the prior art, and is not described herein again.
The following is a practical example to illustrate the data encryption method of the present application.
The application scene is a plurality of base stations, each base station is provided with a corresponding wireless base station management computer, each management computer stores the account number and the password of the communication between the base station and the network management, and once the management password is cracked, the account number and the password of the communication between the base station and the network management are leaked; even in some cases, for convenience of management, the management keys of the base stations in the batch are all set to be the same, so once the management key of one of the base stations is leaked, all the accounts and passwords of the communication between the base stations in the batch and the network manager are leaked, and the security is not high.
Aiming at the problems, the data encryption method can greatly improve the safety. Firstly, a first secret key is used for encrypting an account number and a password of communication between a base station and a network manager, then a corresponding third secret key is generated according to one or more of a CPU serial number, a single-board bar code or an Ethernet port MAC address of a management computer, a second secret key is generated according to the third secret key, and the first secret key is encrypted by the second secret key. Therefore, even if the first key is leaked, the first key is in the state of being encrypted by the second key, and an attacker needs to decrypt the first key; meanwhile, the second key is generated by managing the hardware equipment identification information of the computer, so that the second key has uniqueness and high cracking cost, and even if cracked, other base stations cannot be influenced based on the uniqueness of the second key, thereby greatly improving the safety of data encryption.
When decrypting, the same algorithm adopted during encryption is used for generating a second secret key, the second secret key is used for decrypting a first secret key by adopting the same algorithm during encryption, and then the first secret key is used for decrypting an account and a password of the communication between the base station and the network management by adopting the same algorithm during encryption.
Based on the above example, according to the data encryption method, after the original data is encrypted by using the first key, the first key is encrypted by using the device identification information, so that the security of the first key can be effectively ensured, and the security of data encryption is improved; meanwhile, the first secret key is encrypted by using the equipment identification information, and one-station one-secret key can be realized based on the uniqueness of the equipment identification information, so that the encryption security of the first secret key is greatly improved.
It should also be appreciated that the various implementations of the methods provided in the embodiments of the present application can be combined arbitrarily to achieve different technical effects.
Fig. 10 shows an electronic device 100 provided in an embodiment of the present application. The electronic apparatus 100 includes: a memory 102, a processor 101 and a computer program stored in the memory 102 and executable on the processor 101, the computer program being operable to perform the key encryption method described above, or perform the key decryption method described above, or perform the data encryption method described above, or perform the data decryption method described above.
The processor 101 and the memory 102 may be connected by a bus or other means.
The memory 102, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs and non-transitory computer executable programs, such as a key encryption method, a key decryption method, a data encryption method, or a data decryption method, as described in the embodiments of the present application. The processor 101 implements the key encryption method, the key decryption method, the data encryption method, or the data decryption method described above by executing the non-transitory software program and the instructions stored in the memory 102.
The memory 102 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store a key encryption method, a key decryption method, a data encryption method, or a data decryption method, which is performed as described above. Further, the memory 102 may include a high speed random access memory 102, and may also include a non-transitory memory 102, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 102 may optionally include memory 102 located remotely from processor 101, and such remote memory 102 may be connected to the electronic device 100 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Non-transitory software programs and instructions needed to implement the above-described key encryption method, key decryption method, data encryption method or data decryption method are stored in the memory 102 and, when executed by the one or more processors 101, perform the above-described key encryption method, key decryption method, data encryption method or data decryption method, e.g., perform the method steps 101 to 103 described in fig. 2, the method steps 201 to 203 described in fig. 3, the method steps 301 to 304 described in fig. 4, the method steps 401 to 402 described in fig. 5, the method steps 501 to 502 described in fig. 6, the method steps 601 to 602 described in fig. 7, the method steps 701 to 704 described in fig. 8, the method steps 801 to 804 described in fig. 9.
Embodiments of the present application further provide a computer-readable storage medium, which stores computer-executable instructions for executing the key encryption method, the key decryption method, the data encryption method, or the data decryption method.
In an embodiment, the computer-readable storage medium stores computer-executable instructions that are executed by one or more control processors 101, for example, by one processor 101 in the electronic device 100, and may cause the one or more processors 101 to perform the key encryption method, the key decryption method, the data encryption method, or the data decryption method described above, for example, to perform method steps 101 to 103 described in fig. 2, method steps 201 to 203 described in fig. 3, method steps 301 to 304 described in fig. 4, method steps 401 to 402 described in fig. 5, method steps 501 to 502 described in fig. 6, method steps 601 to 602 described in fig. 7, method steps 701 to 704 described in fig. 8, and method steps 801 to 804 described in fig. 9.
The above-described embodiments of the apparatus are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may also be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
One of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor 101, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as integrated circuits, such as application specific integrated circuits. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
While the preferred embodiments of the present invention have been described, the present invention is not limited to the above embodiments, and those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present invention, and such equivalent modifications or substitutions are included in the scope of the present invention defined by the claims.
Claims (18)
1. A key encryption method is applied to electronic equipment and is characterized by comprising the following steps:
acquiring a first secret key;
acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
and encrypting the first key by using the second key to generate an encryption key.
2. The key encryption method according to claim 1, wherein the device identification information includes hardware device identification information, and the acquiring device identification information of the electronic device includes:
and reading the hardware running information of the electronic equipment to acquire the hardware equipment identification information.
3. The key encryption method of claim 2, wherein the hardware device identification information comprises at least one of:
CPU serial number;
a single-board bar code;
the ethernet port MAC address is MAC address controlled.
4. The key encryption method of claim 1, wherein the obtaining the first key comprises one of:
generating a random character string, and taking the random character string as a first secret key;
acquiring a character string configured by a user, wherein the character string configured by the user is used as a first key;
and connecting the server, acquiring the character string dynamically generated by the server, and taking the character string dynamically generated by the server as a first key.
5. The key encryption method according to any one of claims 1 to 4, wherein the generating a second key according to the device identification information specifically includes the following steps:
generating a third key through one or more iterations according to the equipment identification information;
and generating the second key through one or more iterations according to the third key.
6. The key encryption method according to claim 5, wherein the generating the second key from the third key through one or more iterations comprises the following steps:
acquiring a random number;
and generating the second key through one or more iterations according to the third key and the random number.
7. A key decryption method is applied to electronic equipment, and is characterized by comprising the following steps:
acquiring an encryption key;
acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
and decrypting the encryption key by using the second key to obtain a first key.
8. The key decryption method according to claim 7, wherein the device identification information includes hardware device identification information, and the acquiring device identification information of the electronic device includes:
and reading the hardware running information of the electronic equipment to acquire the hardware equipment identification information.
9. The key decryption method of claim 8, wherein the hardware device identification information comprises at least one of:
CPU serial number;
a single-board bar code;
the ethernet port MAC address is MAC address controlled.
10. The key decryption method of claim 9, wherein the first key is obtained by one of the following steps:
generating a random character string, and taking the random character string as a first secret key;
acquiring a character string configured by a user, wherein the character string configured by the user is used as a first key;
and connecting the server, acquiring the character string dynamically generated by the server, and taking the character string dynamically generated by the server as a first key.
11. The key decryption method according to any one of claims 7 to 10, wherein the generating of the second key according to the device identification information specifically includes the steps of:
generating a third key through one or more iterations according to the equipment identification information;
and generating the second key through one or more iterations according to the third key.
12. The key decryption method according to claim 11, wherein the generating the second key from the third key through one or more iterations comprises the following steps:
acquiring a random number;
and generating the second key through one or more iterations according to the third key and the random number.
13. A data encryption method is applied to electronic equipment and is characterized by comprising the following steps:
acquiring original data;
acquiring a first key, and encrypting the original data by using the first key to generate encrypted data;
acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
and encrypting the first key by using the second key to generate an encryption key.
14. The data encryption method of claim 13, further comprising:
performing one-way hash processing on the original data to generate corresponding first hash message check data;
and encrypting the first hash message verification data by using the first key to generate encrypted hash message verification data.
15. A data decryption method applied to electronic equipment is characterized by comprising the following steps:
acquiring encrypted data and an encryption key;
acquiring equipment identification information of the electronic equipment, and generating a second key according to the equipment identification information;
decrypting the encryption key by using the second key to obtain a first key;
and decrypting the encrypted data by using the first key to obtain original data.
16. The data decryption method of claim 15, further comprising:
acquiring encrypted hash message verification data;
decrypting the encrypted hash message verification data by using the first key to obtain first hash message verification data;
performing one-way hash processing on the decrypted original data to generate corresponding second hash message check data;
and verifying the first hash message verification data and the second hash message verification data, and judging the integrity of the original data obtained after decryption.
17. An electronic device, comprising: memory, processor and computer program stored on the memory and executable on the processor, which computer program when executed performs the key encryption method according to any one of claims 1 to 6, or performs the key decryption method according to claims 7 to 12, or performs the data encryption method according to claim 13 or 14, or performs the data decryption method according to claim 15 or 16.
18. A computer-readable storage medium storing computer-executable instructions for performing the key encryption method of any one of claims 1 to 6, or performing the key decryption method of claims 7-12, or performing the data encryption method of claim 13 or 14, or performing the data decryption method of claim 15 or 16.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911266698.0A CN112953707A (en) | 2019-12-11 | 2019-12-11 | Key encryption method, decryption method, data encryption method and decryption method |
PCT/CN2020/122961 WO2021114891A1 (en) | 2019-12-11 | 2020-10-22 | Key encryption method and decryption method, and, data encryption method and decryption method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911266698.0A CN112953707A (en) | 2019-12-11 | 2019-12-11 | Key encryption method, decryption method, data encryption method and decryption method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112953707A true CN112953707A (en) | 2021-06-11 |
Family
ID=76226489
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911266698.0A Pending CN112953707A (en) | 2019-12-11 | 2019-12-11 | Key encryption method, decryption method, data encryption method and decryption method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN112953707A (en) |
WO (1) | WO2021114891A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113794706A (en) * | 2021-09-06 | 2021-12-14 | 北京百度网讯科技有限公司 | Data processing method and device, electronic equipment and readable storage medium |
CN113992445A (en) * | 2021-12-28 | 2022-01-28 | 广东曜芯科技有限公司 | Authentication apparatus and method |
CN114745112A (en) * | 2022-04-15 | 2022-07-12 | 北京凝思软件股份有限公司 | Root key derivation method and device, electronic equipment and storage medium |
CN115174073A (en) * | 2022-07-18 | 2022-10-11 | 重庆长安汽车股份有限公司 | Key storage method, device, equipment and storage medium |
CN115361168A (en) * | 2022-07-15 | 2022-11-18 | 北京海泰方圆科技股份有限公司 | Data encryption method, device, equipment and medium |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113950049B (en) * | 2021-09-28 | 2023-10-03 | 天翼物联科技有限公司 | Quantum security method, system, device and medium of Internet of things based on SIM card |
CN114124502B (en) * | 2021-11-15 | 2023-07-28 | 兰州乐智教育科技有限责任公司 | Message transmission method, device, equipment and medium |
CN114205643A (en) * | 2021-11-15 | 2022-03-18 | 杭州当虹科技股份有限公司 | Advertisement insertion identification method and device based on IP live stream |
CN114189860A (en) * | 2021-12-21 | 2022-03-15 | 四川安迪科技实业有限公司 | Fixed format data encryption and decryption method and verification method for satellite network equipment |
CN114598466B (en) * | 2022-03-08 | 2024-05-28 | 山东云海国创云计算装备产业创新中心有限公司 | Production data processing method and device, computer equipment and storage medium |
CN114594912A (en) * | 2022-03-14 | 2022-06-07 | 中国第一汽车股份有限公司 | Information protection method, device, equipment and medium for vehicle instrument system |
CN114928756B (en) * | 2022-05-27 | 2023-03-17 | 浙江大华技术股份有限公司 | Video data protection, encryption and verification method, system and equipment |
CN115242485A (en) * | 2022-07-19 | 2022-10-25 | 核工业四一六医院 | Data encryption or decryption method, system, electronic equipment and storage medium |
CN117609965B (en) * | 2024-01-19 | 2024-06-25 | 深圳前海深蕾半导体有限公司 | Upgrade data packet acquisition method of intelligent device, intelligent device and storage medium |
CN118214557B (en) * | 2024-05-21 | 2024-07-19 | 北京炼石网络技术有限公司 | Secure backup key, method and system for recovering key |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103795547A (en) * | 2014-02-26 | 2014-05-14 | 北京金山网络科技有限公司 | User data encryption method and device |
WO2018148244A1 (en) * | 2017-02-08 | 2018-08-16 | Pcms Holdings, Inc. | Key provisioning and identity privacy for lpwan |
US11522685B2 (en) * | 2017-04-14 | 2022-12-06 | Mitsubishi Electric Corporation | Key management system, communication device and key sharing method |
CN108810022A (en) * | 2018-07-18 | 2018-11-13 | 郑州云海信息技术有限公司 | A kind of encryption method, decryption method and device |
-
2019
- 2019-12-11 CN CN201911266698.0A patent/CN112953707A/en active Pending
-
2020
- 2020-10-22 WO PCT/CN2020/122961 patent/WO2021114891A1/en active Application Filing
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113794706A (en) * | 2021-09-06 | 2021-12-14 | 北京百度网讯科技有限公司 | Data processing method and device, electronic equipment and readable storage medium |
CN113794706B (en) * | 2021-09-06 | 2023-08-15 | 北京百度网讯科技有限公司 | Data processing method and device, electronic equipment and readable storage medium |
CN113992445A (en) * | 2021-12-28 | 2022-01-28 | 广东曜芯科技有限公司 | Authentication apparatus and method |
CN113992445B (en) * | 2021-12-28 | 2022-04-19 | 广东曜芯科技有限公司 | Authentication apparatus and method |
CN114745112A (en) * | 2022-04-15 | 2022-07-12 | 北京凝思软件股份有限公司 | Root key derivation method and device, electronic equipment and storage medium |
CN115361168A (en) * | 2022-07-15 | 2022-11-18 | 北京海泰方圆科技股份有限公司 | Data encryption method, device, equipment and medium |
CN115174073A (en) * | 2022-07-18 | 2022-10-11 | 重庆长安汽车股份有限公司 | Key storage method, device, equipment and storage medium |
CN115174073B (en) * | 2022-07-18 | 2024-09-24 | 重庆长安汽车股份有限公司 | Key storage method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
WO2021114891A1 (en) | 2021-06-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112953707A (en) | Key encryption method, decryption method, data encryption method and decryption method | |
CN110324143B (en) | Data transmission method, electronic device and storage medium | |
CN110798315B (en) | Data processing method and device based on block chain and terminal | |
US9867051B2 (en) | System and method of verifying integrity of software | |
US8462955B2 (en) | Key protectors based on online keys | |
US9219722B2 (en) | Unclonable ID based chip-to-chip communication | |
US8995653B2 (en) | Generating a secret key from an asymmetric private key | |
US20170118015A1 (en) | Method for managing smart home environment, method for joining smart home environment and method for connecting communication session with smart device | |
US9165148B2 (en) | Generating secure device secret key | |
CN112615834B (en) | Security authentication method and system | |
CN107920052B (en) | Encryption method and intelligent device | |
CN113557689B (en) | Initializing a data storage device with a manager device | |
US11128455B2 (en) | Data encryption method and system using device authentication key | |
US7076062B1 (en) | Methods and arrangements for using a signature generating device for encryption-based authentication | |
CN111740995B (en) | Authorization authentication method and related device | |
CN111510288B (en) | Key management method, electronic device and storage medium | |
KR100668446B1 (en) | Safe --method for transferring digital certificate | |
CN112995144A (en) | File processing method and system, readable storage medium and electronic device | |
CN115473655B (en) | Terminal authentication method, device and storage medium for access network | |
CN115859267A (en) | Method for safely starting application program, storage control chip and electronic equipment | |
CN114793184A (en) | Security chip communication method and device based on third-party key management node | |
US20060053288A1 (en) | Interface method and device for the on-line exchange of content data in a secure manner | |
CN109302442B (en) | Data storage proving method and related equipment | |
CN111949996B (en) | Method, system, equipment and medium for generating and encrypting security private key | |
KR101912403B1 (en) | Method for security authentication between equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |