CN111917680A - Encryption system, method, server and storage medium - Google Patents


Publication number
CN111917680A
Authority
CN
China
Prior art keywords
mobile payment
payment application
file
installation package
encryption
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910374545.1A
Other languages
Chinese (zh)
Inventor
李海滨
赵波锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Henan Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3827 Use of message hashing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Signal Processing (AREA)
  • Finance (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The embodiment of the invention discloses an encryption system, an encryption method and a server, which aim to solve the prior-art problem of ensuring the security of the code that implements the business logic of a mobile payment application. The encryption system includes: an application installation package encryption unit, which encrypts a data file of the mobile payment application based on a block encryption method to obtain an encrypted data file, where the data file comprises the business logic code; a storage unit, which stores the specified file and the installation package of the mobile payment application, where the specified file comprises at least the encrypted data file obtained by the application installation package encryption unit and the installation package comprises the files of the mobile payment application other than the specified file; and a providing unit, which provides the installation package stored by the storage unit to a mobile terminal in response to a mobile payment application download request sent by the mobile terminal, and provides the specified file stored in the storage unit to the mobile terminal in response to a file download request sent by the mobile terminal when the mobile payment application is running.

Description

Encryption system, method, server and storage medium
Technical Field
The present invention relates to the field of mobile internet technologies, and in particular, to an encryption system, method, server, and computer-readable storage medium.
Background
Mobile payment refers to a commercial transaction in which both parties use mobile terminals as the carrier and pay for goods or services over a mobile communication network. The mobile terminal used for mobile payment may be a mobile phone, a Personal Digital Assistant (PDA, also called a palmtop), a mobile Personal Computer (PC), and the like.
The mobile payment service is a mobile value-added data service application that is jointly promoted by a mobile operator, a Mobile Application Service Provider (MASP) and a financial institution and is built on a mobile operation support system. A typical system architecture supporting mobile payment services is shown in Fig. 1. It includes at least: MASP servers, financial institution servers, mobile terminals and a mobile payment system, where the mobile payment system mainly comprises a mobile payment application (APP) installed on the mobile terminal and a mobile payment system server.
Based on this system architecture, the mobile payment system establishes, for each mobile user, a payment account associated with the user's mobile phone number. The payment account functions as an electronic wallet and gives mobile users a way to make transaction payments and authenticate their identity through a mobile phone. The user accesses the mobile payment system by dialing a telephone number, sending a short message or using a Wireless Application Protocol (WAP) function; the mobile payment system transmits the transaction request to the MASP; the MASP determines the transaction amount and informs the user through the mobile payment system; and after the user confirms, payment can be made in various ways, such as a direct transfer to a bank, a charge to the user's telephone bill, or a real-time debit from a dedicated prepaid account.
Because the mobile payment service involves the "pay" operation, which has extremely high data security requirements, the security of the mobile payment service as a whole urgently needs to be ensured. In particular, the security of the code that implements the business logic of the mobile payment application must be ensured, to avoid the security risk caused by theft of that code.
Disclosure of Invention
An embodiment of the invention provides an encryption system that aims to solve the prior-art problem of how to ensure the security of the code implementing the business logic of a mobile payment application.
Embodiments of the invention also provide an encryption method, a server and a computer-readable storage medium.
To solve the above technical problem, the embodiments of the present invention are implemented as follows:
In a first aspect, an encryption system provided in an embodiment of the present invention is applied to a mobile payment system server, and the encryption system includes:
an application installation package encryption unit, used to encrypt the data file of the mobile payment application based on a preset block encryption method to obtain an encrypted data file, where the data file comprises code implementing the business logic of the mobile payment application;
a storage unit, used to store the specified file of the mobile payment application and the installation package of the mobile payment application, where the specified file comprises at least the encrypted data file obtained by the application installation package encryption unit, and the installation package comprises the files of the mobile payment application other than the specified file;
a providing unit, used to provide the installation package stored in the storage unit to a mobile terminal in response to a mobile payment application download request sent by the mobile terminal, and to provide the specified file stored in the storage unit to the mobile terminal in response to a file download request sent by the mobile terminal when the mobile payment application is running.
In a second aspect, an encryption method provided in an embodiment of the present invention is used for a mobile payment system server, and the encryption method includes:
encrypting a data file of the mobile payment application based on a preset block encryption method to obtain an encrypted data file, where the data file comprises code implementing the business logic of the mobile payment application;
storing a specified file of the mobile payment application and an installation package of the mobile payment application, where the specified file comprises at least the encrypted data file obtained by the application installation package encryption unit, and the installation package comprises the files of the mobile payment application other than the specified file;
providing the installation package stored in the storage unit to a mobile terminal in response to a mobile payment application download request sent by the mobile terminal, and providing the specified file stored in the storage unit to the mobile terminal in response to a file download request sent by the mobile terminal when the mobile payment application is running.
In a third aspect, an embodiment of the present invention provides a server, including a processor, a memory, and a computer program stored on the memory and executable on the processor, where the computer program, when executed by the processor, implements the steps of the encryption method provided in the foregoing embodiment.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements the steps of the encryption method provided in the foregoing embodiment.
With at least one of the technical schemes provided by the embodiments of the invention, on the one hand, the data file of the mobile payment application can be encrypted, so that a hacker who steals the data file cannot obtain its contents directly by decompilation, which ensures that the code implementing the business logic in the data file is not leaked. On the other hand, the encrypted data file is stored on the mobile payment system server and is provided to the mobile payment application when the mobile terminal runs the application, which avoids the risk of code leakage that arises when a data file stored on the mobile terminal is easily stolen because of a vulnerability in the mobile terminal operating system (such as the Android operating system).
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a typical architecture of a system supporting mobile payment service in the prior art;
Fig. 2 is a schematic structural diagram of an encryption system according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the architecture of the installation package of the mobile payment application when stored and the architecture when running in the embodiment of the present invention;
Fig. 4 is a flowchart illustrating an implementation of specific functions of the authentication management unit according to an embodiment of the present invention;
Fig. 5 is a flowchart illustrating an implementation of specific functions of an authentication unit according to an embodiment of the present invention;
Fig. 6 is a diagram illustrating an authentication process combining a dynamic password and a static password according to an embodiment of the present invention;
Fig. 7 is a schematic flow chart illustrating a process in which the mobile payment application encrypts data and then transmits the encrypted data to the encryption system for decryption;
Fig. 8 is a schematic flowchart of an encryption method applied to a mobile payment system server according to embodiment 7 of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the technical solution in the embodiment of the present invention will be clearly and completely described below with reference to the drawings in the embodiment of the present invention, and it is obvious that the described embodiment is only a part of the embodiment of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
To solve the prior-art problem of how to ensure the security of the code that implements the business logic of a mobile payment application, embodiment 1 of the present invention provides an encryption system 20 applied to a mobile payment system server. A schematic diagram of its structure is shown in Fig. 2, and the encryption system includes the following functional units:
An application installation package encryption unit 21, configured to encrypt a data file of the mobile payment application based on a preset block (bit) encryption method to obtain an encrypted data file. The data file contains code implementing the business logic of the mobile payment application; the mobile payment application may include, but is not limited to, a mobile payment application that can run on the Android operating system.
A storage unit 22, configured to store the specified file of the mobile payment application and the installation package of the mobile payment application. The specified file includes at least the encrypted data file obtained by the application installation package encryption unit 21; the installation package comprises the files of the mobile payment application other than the specified file. If the mobile payment application can run on the Android operating system, the installation package may specifically be an APK (Android Package), that is, an Android installation package.
A providing unit 23, configured to provide the installation package stored in the storage unit 22 to the mobile terminal in response to a mobile payment application download request sent by the mobile terminal, and to provide the specified file stored by the storage unit 22 to the mobile terminal in response to a file download request sent by the mobile terminal when the mobile payment application is running.
A block encryption method is an encryption method that encrypts one block of plaintext at a time. Common block encryption methods include, for example, the International Data Encryption Algorithm (IDEA), encryption methods based on the Data Encryption Standard (DES), encryption methods based on the Advanced Encryption Standard (AES), and the like.
It should be noted that, in software system architecture, software is generally divided into three layers: a presentation layer, a business logic layer and a data access layer. The presentation layer is responsible for interfaces and interaction. The business logic layer is responsible for defining business logic (rules, workflow, data integrity and the like); it receives a data request from the presentation layer, submits the request to the data access layer after logical judgment, and passes back the data access result. The business logic layer is in effect middleware that links the layers above and below it. The data access layer is responsible for reading data.
In the embodiment of the present invention, the "code for implementing the business logic of the mobile payment application" is the software code belonging to the business logic layer of the mobile payment application; when this code is executed, the functions of the mobile payment application are implemented.
With the system provided by the embodiment of the invention, on the one hand, the data file of the mobile payment application can be encrypted, so that a hacker who steals the data file cannot obtain its contents directly by decompilation, which ensures that the code implementing the business logic in the data file is not leaked. On the other hand, the encrypted data file is stored on the mobile payment system server and is provided to the mobile payment application when the mobile terminal runs the application, which avoids the risk of code leakage that arises when a data file stored on the mobile terminal is easily stolen because of a vulnerability in the mobile terminal operating system (such as the Android operating system).
In an embodiment of the present invention, to further enhance the security of the mobile payment application, some other files of the mobile payment application may be included among the specified files in addition to the encrypted data file. These files are stored in the storage unit 22, and the providing unit 23 provides them to the mobile terminal after receiving the file download request.
When the mobile payment application is one that can run on the Android operating system, these files may include at least one of a shared object (so) file and an interaction description file.
The so file is a program function library under Linux and contains compiled code and data that can be used by other programs; the interaction description file is a description file that describes a business process of the mobile payment application.
The so file in the embodiment of the present invention may be compiled using the Native Development Kit (NDK).
To avoid the security risk of the so file being called arbitrarily by applications other than the mobile payment application, in the embodiment of the present invention the encryption system 20 may further include a detection logic setting unit, used to set, in the so file, detection logic that prevents the so file from being called by other applications. The functions of the detection logic include, but are not limited to: after receiving a request to call the so file, judging from the identifier of the application that wants to call the so file whether the caller is the mobile payment application; if so, allowing the application to call the so file; otherwise, refusing the call.
In the embodiment of the invention, the so file and/or the interaction description file are stored on the mobile payment system server and are provided to the mobile terminal after a file download request, sent by the mobile terminal when the mobile payment application is running, is received. This avoids the risk of file leakage that arises when a so file and/or interaction description file stored on the mobile terminal is easily stolen because of a vulnerability in the mobile terminal operating system (such as the Android operating system).
To further ensure the security of the mobile payment application, the application installation package encryption unit 21 in the embodiment of the present invention may be further configured to:
perform obfuscation encryption on the program code in the installation package of the mobile payment application to obtain an obfuscated and encrypted installation package; pseudo-encrypt the obfuscated and encrypted installation package to obtain a pseudo-encrypted installation package; and store the pseudo-encrypted installation package in the storage unit 22.
Pseudo-encryption here means that the installation package, which is in a compressed file format, is encrypted by Java code. The encryption rule may be, for example, to modify the 5th byte located after the byte flag "PK 0102", specifically, for example, to change that 5th byte to an odd number.
Given this function of the application installation package encryption unit 21, the installation package stored by the storage unit 22 that the providing unit 23 subsequently provides to the mobile terminal, in response to the mobile payment application download request sent by the mobile terminal, is the pseudo-encrypted installation package.
A mobile terminal that receives the pseudo-encrypted installation package can first apply a preset decryption rule that is the inverse of the pseudo-encryption to obtain the obfuscated and encrypted installation package, and then decrypt that package with a preset decryption rule that is the inverse of the obfuscation encryption. The decrypted installation package can be installed normally on the mobile terminal.
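In ZIP terms, the 5th byte after the central directory signature "PK\x01\x02" is the low byte of the general purpose bit flag, whose bit 0 marks an entry as encrypted; the rule changes that flag and leaves the stored file data as it was. The following added example (not code from the patent) detects and reverses the marking on a constructed in-memory archive; the function names and sample file contents are assumptions, and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

CD_SIG = b"PK\x01\x02"     # central directory header, the page's "PK 0102"
LOCAL_SIG = b"PK\x03\x04"  # local file header
EOCD_SIG = b"PK\x05\x06"   # end of central directory record
FLAG_OFFSET = 8            # 5th byte after the 4-byte signature (flag low byte)


def central_entries(data):
    """Yield (name, cd_pos, cd_flags, local_flags) for every archive entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # total entries (2 bytes), directory size (4), directory offset (4)
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory")
        cd_flags = struct.unpack_from("<H", data, pos + FLAG_OFFSET)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_pos = struct.unpack_from("<I", data, pos + 42)[0]
        if data[local_pos:local_pos + 4] != LOCAL_SIG:
            raise ValueError("central directory points at a bad local header")
        local_flags = struct.unpack_from("<H", data, local_pos + 6)[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, pos, cd_flags, local_flags
        pos += 46 + name_len + extra_len + comment_len


def find_pseudo_encrypted(data):
    """Entries marked encrypted in the central directory but not in the local header."""
    return [name for name, _pos, cd, local in central_entries(data)
            if cd & 1 and not local & 1]


def mark_pseudo_encrypted(data):
    """Apply the page's rule to a sample: make the flag low byte odd in each entry."""
    out = bytearray(data)
    for _name, pos, _cd, _local in central_entries(data):
        out[pos + FLAG_OFFSET] |= 0x01
    return bytes(out)


def clear_pseudo_encryption(data):
    """Inverse rule: clear bit 0 only where the local header shows no encryption."""
    out = bytearray(data)
    for _name, pos, cd, local in central_entries(data):
        if cd & 1 and not local & 1:
            out[pos + FLAG_OFFSET] &= 0xFE
    return bytes(out)


def build_sample_package():
    """Constructed stand-in for an installation package (not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.pay'/>")
        zf.writestr("classes.dex", b"constructed placeholder bytes" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    package = build_sample_package()
    marked = mark_pseudo_encrypted(package)
    print("flagged entries:", find_pseudo_encrypted(marked))
    print("restored equals original:", clear_pseudo_encryption(marked) == package)
```

Because only the flag byte differs, comparing the central directory flag with the local header flag is enough to tell this marking apart from an archive whose entries are really encrypted.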
Further, when the mobile terminal receives an instruction to run the mobile payment application, it may, in response to the instruction, obtain locally the signature information stored in the installation package of the mobile payment application (for example, a digital signature based on a private key) and then verify the signature information (for example, using the public key) to determine whether the mobile payment application is legitimate. If the signature information fails verification, the mobile payment application is judged not to be legitimate, and the mobile terminal directly prompts that the mobile payment application is pirated and cancels its running; if the signature information passes verification, the mobile payment application may be run.
For mobile payment applications, the data may be stored according to the storage scheme shown in table 1 below.
Table 1: (presented as an image in the original publication; not reproduced)
To summarize the encryption system 20 provided by the embodiment of the present invention, the objects handled on the client framework, the processing scheme for each, and the corresponding technical effect of each scheme are shown in Table 2 below.
Table 2: (presented as an image in the original publication; not reproduced)
Accordingly, the architecture of the installation package of the mobile payment application when stored and its architecture at runtime are shown in Fig. 3.
In the storage-time architecture shown in Fig. 3, the files that can be stored on the mobile payment system server include the so file, the encrypted data file and the interaction description file. These are the specified files described above, and the mobile payment system server can provide them to the mobile terminal when the mobile payment application is running. Other files of the mobile payment application, such as the Android file shown in Fig. 3, can be provided to the mobile terminal for saving when it downloads the installation package of the mobile payment application from the mobile payment system server.
The processing schemes and corresponding technical effects of the respective files shown in fig. 3 are shown in table 3 below.
Table 3: (presented as an image in the original publication; not reproduced)
Example 2
Compared with the specific structure of the encryption system 20 provided in embodiment 1, the encryption system 20 provided in embodiment 2 may further include, in addition to the application installation package encryption unit 21, the storage unit 22, and the providing unit 23:
a digital certificate management unit, used for issuing, updating and revoking digital certificates, where the digital certificates comprise at least one of the following:
a digital certificate for authenticating the identity of the MASP server;
a digital certificate for authenticating the identity of the mobile payment system server;
a digital certificate (such as a USB key digital certificate) for authenticating the identity of a user of a mobile payment application.
The role of a digital certificate for authenticating the identity of a server (both the certificate for the MASP server and the certificate for the mobile payment system server) includes the following: when the mobile payment application is a web client and the web client accesses the MASP server (or the mobile payment system server) by initiating an HTTP request, the MASP server (or the mobile payment system server) may return to the web client a digital certificate for authenticating its identity, so that the web client verifies the identity of the MASP server (or the mobile payment system server) based on the digital certificate.
The role of the digital certificate for authenticating the identity of the MASP server may further include bidirectional identity authentication between different MASP servers.
The role of the digital certificate for authenticating the identity of the mobile payment system server may further include bidirectional identity authentication between the MASP server and the mobile payment system server.
Specifically, the identity authentication between MASP servers, or between a MASP server and a mobile payment system server, may be performed based on the Secure Sockets Layer (SSL) protocol.
Example 3
Compared with the specific structure of the encryption system 20 provided in embodiment 1, the encryption system 20 provided in embodiment 3 may further include, in addition to the application installation package encryption unit 21, the storage unit 22, and the providing unit 23: an authentication management unit and an authentication unit.
The specific functions of the authentication management unit follow the flow shown in Fig. 4, which includes:
generating a first random number in response to a received password update request, where the password update request comprises a user password (the new password shown in Fig. 4) and a user identifier;
applying a hash algorithm to the first random number (the random salt value shown in Fig. 4) and the user password to obtain a corresponding first hash value (the hash value shown in Fig. 4), and storing the user identifier, the first random number and the first hash value in association with one another;
and sending the first random number to the mobile terminal that sent the password update request.
The specific functions of the authentication unit follow the flow shown in Fig. 5, which includes:
receiving a user identity authentication request, where the user identity authentication request includes the user identifier and the user password (the input password shown in Fig. 5) of the user to be authenticated;
looking up, among the stored user identifiers and first random numbers (the salt value shown in Fig. 5), the first random number corresponding to the user identifier of the user to be authenticated;
applying the hash algorithm to the first random number found and the user password to obtain a corresponding second hash value;
looking up, among the user identifiers and first hash values stored by the authentication management unit, the first hash value corresponding to the user identifier of the user to be authenticated;
and determining the identity authentication result of the user to be authenticated according to whether the second hash value matches the first hash value found. Specifically, if they match, the identity authentication result of the user to be authenticated is that authentication passes; otherwise, the identity authentication result is that authentication fails.
Table 4 describes the parameters that may be used for the above process in the embodiment of the present invention.
Table 4:
Parameter | Description
Hash algorithm | SHA1
Length of salt | 4 characters
Hash length | >16 characters
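The password update and identity authentication flows above, as an added Python example that is not part of the patent text: the `hardened=False` store follows Table 4 (SHA1, 4-character salt), and the `hardened=True` store shows the same flow with a 16-byte salt and PBKDF2-HMAC-SHA256. The class name, the salt-then-password concatenation order, the hardened parameters and the sample account are assumptions.

```python
import hashlib
import hmac
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits


class PasswordStore:
    """Keeps user id -> (salt, hash), as the authentication management unit does.

    hardened=False follows Table 4 (SHA1, 4-character salt).
    hardened=True is an assumed replacement: 16-byte salt, PBKDF2-HMAC-SHA256.
    """

    def __init__(self, hardened: bool, iterations: int = 600_000):
        self.hardened = hardened
        self.iterations = iterations
        self.records = {}

    def _new_salt(self) -> bytes:
        if self.hardened:
            return secrets.token_bytes(16)
        return "".join(secrets.choice(SALT_ALPHABET) for _ in range(4)).encode()

    def _digest(self, salt: bytes, password: str) -> str:
        pw = password.encode("utf-8")
        if self.hardened:
            return hashlib.pbkdf2_hmac("sha256", pw, salt, self.iterations).hex()
        # Order salt || password is an assumption; the patent only says the
        # hash is computed over the first random number and the password.
        return hashlib.sha1(salt + pw).hexdigest()

    def update_password(self, user_id: str, new_password: str) -> bytes:
        """Password updating request: new salt, new hash, stored together."""
        salt = self._new_salt()
        self.records[user_id] = (salt, self._digest(salt, new_password))
        return salt  # the first random number is sent back to the terminal

    def authenticate(self, user_id: str, password: str) -> bool:
        """Identity authentication request: recompute the hash and compare."""
        record = self.records.get(user_id)
        if record is None:
            # Do the same hashing work for unknown users so that response
            # time does not reveal which identifiers exist.
            self._digest(b"\x00" * 16, password)
            return False
        salt, first_hash = record
        second_hash = self._digest(salt, password)
        # Constant-time comparison of the second and first hash values.
        return hmac.compare_digest(second_hash, first_hash)


def demo() -> dict:
    # Constructed sample account, not data from the patent.
    results = {}
    stores = (("table4", PasswordStore(False)), ("hardened", PasswordStore(True)))
    for name, store in stores:
        salt = store.update_password("user-001", "correct horse battery")
        results[name] = {
            "salt_bytes": len(salt),
            "hash_chars": len(store.records["user-001"][1]),
            "good": store.authenticate("user-001", "correct horse battery"),
            "bad": store.authenticate("user-001", "correct horse batterx"),
        }
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Both stores expose the same two operations, so the stronger parameters can replace the Table 4 values without changing the flow of fig. 4 and fig. 5.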
Example 4
Compared with the specific structure of the encryption system 20 provided in embodiment 1, the encryption system 20 provided in embodiment 4 may further include at least one of the first authentication unit and the second authentication unit in addition to the application installation package encryption unit 21, the storage unit 22, and the providing unit 23.
The first authentication unit may specifically be configured to:
receiving a first authentication request of a client; the client side first authentication request comprises a second random number and an identifier of a mobile payment application to be authenticated;
generating a first Message Authentication Code (MAC) according to the second random number and a symmetric key which is agreed in advance and corresponds to the identifier of the mobile payment application to be authenticated, and sending the MAC to the mobile payment application to be authenticated; and the first MAC is used for the mobile payment application to be authenticated to authenticate the identity of the mobile payment system server.
The second authentication unit may specifically be configured to:
receiving a second authentication request of the client; the second authentication request of the client comprises a second MAC and an identifier of the mobile payment application to be authenticated;
and verifying the second MAC according to a preset symmetric key corresponding to the identifier of the mobile payment application to be authenticated so as to obtain an authentication result of the mobile payment application to be authenticated.
When the encryption system comprises the first authentication unit, the identity authentication of the mobile payment system server by the mobile payment application to be authenticated can be realized;
when the encryption system comprises the second authentication unit, the identity authentication of the mobile payment application to be authenticated can be realized by the mobile payment system server;
when the encryption system comprises the first authentication unit and the second authentication unit, bidirectional identity authentication of the mobile payment application and the mobile payment system server can be realized.
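The two authentication units above, with both sides' messages, as an added Python example that is not part of the patent text. The patent does not name the MAC algorithm or say what the second MAC covers, so HMAC-SHA256, the direction labels, the server-issued single-use challenge, and all class, function and key names are assumptions.

```python
import hashlib
import hmac
import secrets

TO_APP = b"server-to-app"      # label for the first MAC (server proves itself)
TO_SERVER = b"app-to-server"   # label for the second MAC (app proves itself)

# Constructed sample key table, not values from the patent.
SAMPLE_KEYS = {"pay-app-01": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}


def compute_mac(key: bytes, direction: bytes, app_id: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over direction, application identifier and nonce.

    Each field is length-prefixed so that field boundaries are unambiguous.
    The direction label keeps a MAC made for one direction from being
    accepted in the other.
    """
    fields = (direction, app_id.encode("utf-8"), nonce)
    message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, message, hashlib.sha256).digest()


class PaymentServer:
    def __init__(self, keys_by_app_id: dict):
        self._keys = dict(keys_by_app_id)   # pre-agreed symmetric keys
        self._challenges = {}               # app_id -> outstanding server nonce

    def first_authentication(self, app_id: str, second_random_number: bytes):
        """First authentication unit: answer the app's nonce with the first MAC."""
        key = self._keys.get(app_id)
        if key is None:
            return None
        return compute_mac(key, TO_APP, app_id, second_random_number)

    def issue_challenge(self, app_id: str) -> bytes:
        """Assumed step: a fresh server nonce for the second MAC to cover."""
        nonce = secrets.token_bytes(16)
        self._challenges[app_id] = nonce
        return nonce

    def second_authentication(self, app_id: str, second_mac: bytes) -> bool:
        """Second authentication unit: verify the app's MAC."""
        key = self._keys.get(app_id)
        nonce = self._challenges.pop(app_id, None)   # each challenge is single use
        if key is None or nonce is None:
            return False
        expected = compute_mac(key, TO_SERVER, app_id, nonce)
        return hmac.compare_digest(expected, second_mac)


class PaymentApp:
    def __init__(self, app_id: str, key: bytes):
        self.app_id = app_id
        self._key = key
        self._nonce = None

    def first_request(self):
        self._nonce = secrets.token_bytes(16)        # the second random number
        return self.app_id, self._nonce

    def verify_server(self, first_mac) -> bool:
        if first_mac is None or self._nonce is None:
            return False
        expected = compute_mac(self._key, TO_APP, self.app_id, self._nonce)
        self._nonce = None                           # never accept it twice
        return hmac.compare_digest(expected, first_mac)

    def second_request(self, server_nonce: bytes):
        mac = compute_mac(self._key, TO_SERVER, self.app_id, server_nonce)
        return self.app_id, mac


def mutual_authentication(server: PaymentServer, app: PaymentApp):
    """Run both directions; returns (server_verified_by_app, app_verified_by_server)."""
    app_id, nonce = app.first_request()
    server_ok = app.verify_server(server.first_authentication(app_id, nonce))
    challenge = server.issue_challenge(app_id)
    app_id, second_mac = app.second_request(challenge)
    app_ok = server.second_authentication(app_id, second_mac)
    return server_ok, app_ok


if __name__ == "__main__":
    srv = PaymentServer(SAMPLE_KEYS)
    print(mutual_authentication(srv, PaymentApp("pay-app-01", SAMPLE_KEYS["pay-app-01"])))
    print(mutual_authentication(srv, PaymentApp("pay-app-01", b"\x01" * 32)))
```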
Example 5
Compared with the specific structure of the encryption system 20 provided in embodiment 1, the encryption system 20 provided in embodiment 5 may further include a static password verification unit, a dynamic password generation unit, and a dynamic password verification unit in addition to the application installation package encryption unit 21, the storage unit 22, and the providing unit 23.
The static password authentication unit is configured to:
receiving a mobile payment system server login request, wherein the mobile payment system server login request comprises a user identifier, a static password and a mobile phone number;
and responding to the mobile payment system server login request, and verifying whether the mapping relation between the user identification and the static password is correct or not to obtain a verification result.
The dynamic password generation unit is configured to:
after the static password verification unit verifies the mapping relation between the user identification and the static password, a first dynamic password is randomly generated;
correspondingly storing the user identification and the first dynamic password;
and sending the first dynamic password to the mobile phone number.
The dynamic password authentication unit is configured to:
receiving a dynamic password verification request, wherein the dynamic password verification request comprises a user identifier and a second dynamic password;
inquiring each user identification and a first dynamic password which are correspondingly stored according to the user identification contained in the dynamic password verification request;
and determining whether the second dynamic password passes the verification according to whether the second dynamic password matches the retrieved first dynamic password. Specifically, if they match, the second dynamic password is determined to pass the verification; otherwise, the second dynamic password is determined to fail the verification.
In the embodiment of the invention, a 'two-factor' verification mode is formed by combining the static password verification mode and the dynamic password verification mode, and the reliability of the verification result is ensured.
The authentication process of the combination of the dynamic password and the static password can be seen in the flow shown in fig. 6. The specific steps of the process are similar to the process of realizing the two-factor authentication by combining the static password authentication unit, the dynamic password generation unit and the dynamic password authentication unit, and are not repeated here. It should be noted that, the first server in fig. 6 may be a mobile payment system server, and the second server may be a short message service server; alternatively, the first server and the second server in fig. 1 may be regarded as two sub-servers of the mobile payment system server.
Table 5 describes the parameters of the above process that may be used in the embodiment of the present invention.
Table 5:
(Table 5 is reproduced as an image in the original publication; its contents are not available in this text.)
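The static-then-dynamic password flow of embodiment 5, as an added Python example that is not part of the patent text. Because the Table 5 parameters are not available here, the 6-digit length, the 120-second validity, the three-attempt limit and the check of the requested phone number against a number on file are all assumptions, as are the class name and the constructed sample data.

```python
import hmac
import secrets
import time


class TwoFactorLogin:
    """Static password check, then a one-time dynamic password sent by SMS."""

    def __init__(self, check_static, send_sms, registered_phone, digits=6,
                 ttl_seconds=120, max_attempts=3, clock=time.monotonic):
        self._check_static = check_static   # callable(user_id, password) -> bool
        self._send_sms = send_sms           # callable(phone_number, text)
        self._registered = registered_phone # user_id -> phone number on file
        self._digits = digits
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock
        self._pending = {}                  # user_id -> [otp, expires_at, attempts_left]

    def login(self, user_id, static_password, phone_number) -> bool:
        """Static password verification, then dynamic password generation."""
        if not self._check_static(user_id, static_password):
            return False
        # Assumed check: only send to the number bound to this account.
        if self._registered.get(user_id) != phone_number:
            return False
        otp = f"{secrets.randbelow(10 ** self._digits):0{self._digits}d}"
        # Storing a new value replaces any earlier dynamic password.
        self._pending[user_id] = [otp, self._clock() + self._ttl, self._max_attempts]
        self._send_sms(phone_number, otp)
        return True

    def verify_dynamic(self, user_id, second_dynamic_password) -> bool:
        """Dynamic password verification: compare against the stored value."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        first_dynamic_password, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user_id]
            return False
        entry[2] = attempts_left - 1
        supplied = str(second_dynamic_password).encode("utf-8")
        if hmac.compare_digest(first_dynamic_password.encode("utf-8"), supplied):
            del self._pending[user_id]      # a dynamic password is accepted once
            return True
        if entry[2] == 0:
            del self._pending[user_id]      # limit reached: a new login is required
        return False


def demo() -> list:
    outbox = []   # constructed SMS gateway: records messages instead of sending
    service = TwoFactorLogin(
        # Constructed stub standing in for the static password verification unit.
        check_static=lambda uid, pw: uid == "user-001" and pw == "static-pass",
        send_sms=lambda phone, text: outbox.append((phone, text)),
        registered_phone={"user-001": "13800000000"},
    )
    results = [service.login("user-001", "wrong-pass", "13800000000")]
    results.append(service.login("user-001", "static-pass", "13800000000"))
    otp = outbox[-1][1]
    wrong = "000000" if otp != "000000" else "111111"
    results.append(service.verify_dynamic("user-001", wrong))
    results.append(service.verify_dynamic("user-001", otp))
    results.append(service.verify_dynamic("user-001", otp))   # reuse is refused
    return results


if __name__ == "__main__":
    print(demo())
```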
Example 6
In order to ensure the security of data during transmission, in embodiment 6, when the mobile payment system communicates with the mobile payment application, the data to be transmitted is encrypted by using a secret key. The key that encrypts the data is itself encrypted.
Specifically, compared with the specific structure of the encryption system 20 provided in embodiment 1, the encryption system 20 provided in embodiment 6 may further include at least one of a data encryption unit and a data decryption unit in addition to the application installation package encryption unit 21, the storage unit 22, and the providing unit 23.
The data encryption unit is configured to:
based on a predetermined target key generation formula, carrying out encryption operation on the private key and the public key to obtain a target key;
encrypting the data to be transmitted based on the target secret key to obtain encrypted transmission data;
and sending the private key and the encrypted transmission data to a mobile payment application.
The data decryption unit is configured to:
receiving a private key and encrypted transmission data;
based on a predetermined target key generation formula, carrying out encryption operation on the public key and the received private key to obtain a target key;
decrypting the encrypted transmission data based on the calculated target key.
In the scheme provided in embodiment 6 of the present application, generating a key requires two elements: one is the key encryption source code, and the other is the key generation formula. The key encryption source code is composed of two parts: one part is a public key known to both communicating parties, and the other part is a private key carried in the data packet during data transmission. After both parts are received, the actual decryption key is generated from them through the key generation formula, and the data can be decrypted with that key.
In an implementation manner, when the encryption system provided in embodiment 6 of the present invention includes a data decryption unit, the flow in which the mobile payment application encrypts data and then transmits the encrypted data to the encryption system for decryption is shown in fig. 7. Since the specific steps of the process are similar to the functions implemented by the data encryption unit and the data decryption unit, they are not described herein again.
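The target key scheme of embodiment 6, as an added Python example that is not part of the patent text: `public_part` is the value the patent calls the public key (known to both parties in advance) and `private_part` is the value it calls the private key (sent inside each packet). The patent does not give the target key generation formula or the cipher, so HMAC-SHA256 as the formula, the SHAKE-256 keystream with an HMAC tag (a standard-library stand-in for a vetted authenticated cipher such as AES-GCM), the added tag itself and all names are assumptions.

```python
import hashlib
import hmac
import secrets


def generate_target_key(public_part: bytes, private_part: bytes) -> bytes:
    """Assumed target key generation formula: HMAC-SHA256 keyed with the
    pre-shared part, computed over the per-packet part."""
    return hmac.new(public_part, b"target-key" + private_part, hashlib.sha256).digest()


def _subkeys(target_key: bytes):
    # Separate keys for encryption and for the integrity tag.
    enc_key = hmac.new(target_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(target_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _xor_keystream(enc_key: bytes, data: bytes) -> bytes:
    keystream = hashlib.shake_256(enc_key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def encrypt_for_transmission(public_part: bytes, data: bytes) -> dict:
    """Data encryption unit: derive the target key, encrypt, send private part + data."""
    private_part = secrets.token_bytes(16)   # fresh per packet, so keys never repeat
    enc_key, mac_key = _subkeys(generate_target_key(public_part, private_part))
    ciphertext = _xor_keystream(enc_key, data)
    tag = hmac.new(mac_key, private_part + ciphertext, hashlib.sha256).digest()
    return {"private_part": private_part, "ciphertext": ciphertext, "tag": tag}


def decrypt_received(public_part: bytes, packet: dict) -> bytes:
    """Data decryption unit: recompute the target key from the received private part."""
    enc_key, mac_key = _subkeys(generate_target_key(public_part, packet["private_part"]))
    expected = hmac.new(mac_key, packet["private_part"] + packet["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["tag"]):
        raise ValueError("packet rejected: wrong shared part or modified contents")
    return _xor_keystream(enc_key, packet["ciphertext"])


def demo() -> bytes:
    # Constructed sample values, not data from the patent.
    shared = bytes(range(32))
    packet = encrypt_for_transmission(shared, b"order=constructed-0001;amount=100")
    return decrypt_received(shared, packet)


if __name__ == "__main__":
    print(demo())
```

Because the per-packet part travels in the clear next to the ciphertext, the confidentiality of the target key rests entirely on the part that both sides hold in advance.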
Example 7
In order to solve the problem of how to ensure the security of codes used for implementing business logic by a mobile payment application in the prior art, embodiment 7 of the present invention provides an encryption method applied to a mobile payment system server, where a specific flow diagram of the encryption method is shown in fig. 8, and the encryption method includes the following steps:
step 81, encrypting a data file of the mobile payment application based on a preset block encryption method to obtain an encrypted data file;
step 82, storing the specified file of the mobile payment application and the installation package of the mobile payment application; wherein the specified file at least comprises the encrypted data file obtained by the application installation package unit; the installation package comprises: files of the mobile payment application other than the designated file;
step 83, responding to a mobile payment application downloading request sent by a mobile terminal, and providing the installation package stored in the storage unit for the mobile terminal;
and step 84, responding to a file downloading request sent by the mobile terminal when the mobile payment application is operated, and providing the specified file stored in the storage unit for the mobile terminal.
By adopting the method provided by the embodiment of the invention, on one hand, the data file of the mobile payment application can be encrypted, so that the specific content in the data file cannot be directly obtained in a decompilation mode after the data file is stolen by a hacker, and the code for realizing the business logic in the data file is ensured not to be leaked; on the other hand, the encrypted data file is stored in the mobile payment system server, and the encrypted data file is provided for the mobile payment application when the mobile terminal runs the mobile payment application, so that the risk of code leakage caused by the fact that the data file stored in the mobile terminal is easy to steal due to the fact that a mobile terminal operating system (such as an Android operating system) has a bug is avoided.
Optionally, the method provided in the embodiment of the present invention may further include method logics implemented by the units in embodiments 1 to 7 described above, and for specific method logics, reference may be made to detailed descriptions of functions of the units in embodiments 1 to 7, which are not described herein again.
Example 8
In order to solve the problem of how to ensure the security of a code used by a mobile payment application to implement business logic in the prior art, embodiment 8 of the present invention provides a server of a mobile payment system. The server may specifically include a processor, a memory, and a computer program stored in the memory and capable of running on the processor, where the computer program, when executed by the processor, implements each process of the encryption method embodiment described in embodiment 7, and can achieve the same technical effect, and is not described herein again to avoid repetition.
Embodiment 8 of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program implements each process of the encryption method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
By adopting the scheme provided by the embodiment of the invention, on one hand, the data file of the mobile payment application can be encrypted, so that the specific content in the data file cannot be directly obtained in a decompilation mode after the data file is stolen by a hacker, and the code for realizing the business logic in the data file is ensured not to be leaked; on the other hand, the encrypted data file is stored in the mobile payment system server, and the encrypted data file is provided for the mobile payment application when the mobile terminal runs the mobile payment application, so that the risk of code leakage caused by the fact that the data file stored in the mobile terminal is easy to steal due to the fact that a mobile terminal operating system (such as an Android operating system) has a bug is avoided.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media do not include transitory computer readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present invention, and is not intended to limit the present invention. Various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.

Claims (10)

1. An encryption system applied to a mobile payment system server, the encryption system comprising:
the application installation package encryption unit is used for encrypting the data file of the mobile payment application based on a preset block bit encryption method to obtain an encrypted data file; the data file comprises codes for realizing the business logic of the mobile payment application;
the storage unit is used for storing the specified file of the mobile payment application and the installation package of the mobile payment application; the specified file at least comprises the encrypted data file obtained by the application installation package unit; the installation package comprises: files of the mobile payment application other than the designated file;
the providing unit is used for responding to a mobile payment application downloading request sent by a mobile terminal and providing the installation package stored in the storage unit for the mobile terminal; and responding to a file downloading request sent by the mobile terminal when the mobile payment application is operated, and providing the specified file stored in the storage unit for the mobile terminal.
2. The encryption system according to claim 1, wherein the specified file further includes at least one of a shared object (so) file and an interaction description file.
3. The encryption system according to claim 1, wherein the installation package stored by the storage unit specifically includes a pseudo-encrypted installation package;
the application installation package encryption unit is further configured to:
performing obfuscation encryption on program codes in the installation package of the mobile payment application to obtain an obfuscated and encrypted installation package; pseudo-encrypting the obfuscated and encrypted installation package to obtain a pseudo-encrypted installation package; and storing the pseudo-encrypted installation package to the storage unit.
4. The encryption system of claim 1, further comprising:
the digital certificate management unit is used for issuing, updating and canceling the digital certificate; the digital certificate comprises at least one of the following digital certificates:
a digital certificate for authenticating the identity of a Mobile Application Service Provider (MASP) server;
a digital certificate for authenticating the identity of the mobile payment system server;
a digital certificate for authenticating the identity of a user of a mobile payment application.
5. The encryption system of claim 1, further comprising:
the authentication management unit is used for responding to a received password updating request and generating a first random number, wherein the password updating request comprises a user password and a user identifier; performing a hash algorithm on the first random number and the user password to obtain a corresponding first hash value; correspondingly storing the user identification, the first random number and the first hash value; sending the first random number to a mobile terminal which sends the password updating request;
the authentication unit is used for receiving a user identity authentication request, wherein the user identity authentication request comprises a user identifier and a user password of a user to be authenticated; inquiring a user identifier and a first random number which are correspondingly stored according to the user identifier of the user to be authenticated; executing a hash algorithm on the user password and the searched first random number to obtain a corresponding second hash value; searching a first hash value corresponding to the user identifier of the user to be authenticated from the user identifiers and the first hash values stored correspondingly by the authentication management unit; and determining the identity authentication result of the user to be authenticated according to whether the second hash value is matched and consistent with the searched first hash value.
6. The encryption system according to claim 1, further comprising at least one of a first authentication unit and a second authentication unit, wherein:
the first authentication unit is used for receiving a first authentication request of a client; the first authentication request of the client comprises a second random number and an identifier of a mobile payment application to be authenticated; generating a first message verification code (MAC) according to the second random number and a symmetric key which is agreed in advance and corresponds to the identifier of the mobile payment application to be authenticated, and sending the first MAC to the mobile payment application to be authenticated; the first MAC is used for the mobile payment application to be authenticated to authenticate the identity of the mobile payment system server;
the second authentication unit is used for receiving a second authentication request of the client; the second authentication request of the client comprises a second MAC and an identifier of the mobile payment application to be authenticated; and verifying the second MAC according to a preset symmetric key corresponding to the identifier of the mobile payment application to be authenticated so as to obtain an authentication result of the mobile payment application to be authenticated.
7. The encryption system according to claim 1, further comprising at least one of a data encryption unit and a data decryption unit, wherein:
the data encryption unit is used for carrying out encryption operation on the private key and the public key based on a predetermined target key generation formula to obtain a target key; encrypting the data to be transmitted based on the target secret key to obtain encrypted transmission data; sending the private key and the encrypted transmission data to a mobile payment application;
the data decryption unit is used for receiving the private key and the encrypted transmission data; based on a predetermined target key generation formula, carrying out encryption operation on the public key and the received private key to obtain a target key; decrypting the encrypted transmission data based on the calculated target key.
8. An encryption method applied to a mobile payment system server, the encryption method comprising:
encrypting a data file of the mobile payment application based on a preset block bit encryption method to obtain an encrypted data file; the data file comprises codes for realizing the business logic of the mobile payment application;
storing a designated file of the mobile payment application and an installation package of the mobile payment application; wherein the specified file at least comprises the encrypted data file obtained by the application installation package unit; the installation package comprises: files of the mobile payment application other than the designated file;
responding to a mobile payment application downloading request sent by a mobile terminal, and providing the installation package stored in the storage unit for the mobile terminal; and responding to a file downloading request sent by the mobile terminal when the mobile payment application is operated, and providing the specified file stored in the storage unit for the mobile terminal.
9. A server comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the encryption method of claim 8.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the encryption method according to claim 8.
CN201910374545.1A 2019-05-07 2019-05-07 Encryption system, method, server and storage medium Pending CN111917680A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910374545.1A CN111917680A (en) 2019-05-07 2019-05-07 Encryption system, method, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910374545.1A CN111917680A (en) 2019-05-07 2019-05-07 Encryption system, method, server and storage medium

Publications (1)

Publication Number Publication Date
CN111917680A true CN111917680A (en) 2020-11-10

Family

ID=73241884

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910374545.1A Pending CN111917680A (en) 2019-05-07 2019-05-07 Encryption system, method, server and storage medium

Country Status (1)

Country Link
CN (1) CN111917680A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination