CN112000967B - Secret parameter generation method and device - Google Patents

Secret parameter generation method and device Download PDF

Info

Publication number
CN112000967B
CN112000967B CN202010794564.2A CN202010794564A CN112000967B CN 112000967 B CN112000967 B CN 112000967B CN 202010794564 A CN202010794564 A CN 202010794564A CN 112000967 B CN112000967 B CN 112000967B
Authority
CN
China
Prior art keywords
data
encrypted
generating
target
key derivation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010794564.2A
Other languages
Chinese (zh)
Other versions
CN112000967A (en
Inventor
胡润宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Ethernet Education Technology Co ltd
Original Assignee
Guangzhou Ethernet Education Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Ethernet Education Technology Co ltd filed Critical Guangzhou Ethernet Education Technology Co ltd
Priority to CN202010794564.2A priority Critical patent/CN112000967B/en
Publication of CN112000967A publication Critical patent/CN112000967A/en
Priority to PCT/CN2021/111536 priority patent/WO2022033433A1/en
Application granted granted Critical
Publication of CN112000967B publication Critical patent/CN112000967B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for generating secret parameters, wherein the method comprises the following steps: acquiring first data and second data corresponding to any data to be encrypted; generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data; and generating corresponding target secret parameters according to the salt value, the first data and a key derivation algorithm, wherein the target secret parameters are used for encrypting the data to be encrypted. Therefore, the method and the device can generate the salt values corresponding to the key derivation algorithm based on a plurality of data corresponding to the data to be encrypted, and the salt values generated by different data are different, so that the complexity of the generated confidential parameters is improved, the encryption safety or the use safety is improved, different salt values do not need to be stored aiming at different data to be encrypted in advance, only the salt values required by the key derivation algorithm need to be generated when the data to be encrypted is encrypted, the encryption safety is improved, and the storage cost can be reduced.

Description

Secret parameter generation method and device
Technical Field
The invention relates to the technical field of data encryption, in particular to a method and a device for generating secret parameters.
Background
Currently, for important data, such as data related to user privacy or related data of a customer group maintained by an enterprise, the data generally needs to be encrypted, and when the data needs to be viewed or used, the encrypted data needs to be further decrypted to enhance the security of the data.
In practical applications, one of the most common encryption algorithms is a symmetric encryption algorithm, which requires selecting a key with a specified length, and the simplest key generation method is to convert simple data (such as a user password) into a hash digest with a fixed length as a required key through a cryptographically secure hash algorithm. However, under this algorithm, an attacker can compile a common password into a pre-computed data table, so that it is not necessary to dynamically compute a hash digest at each break, and time complexity is exchanged for space complexity. In order to solve the problem, a salted cryptographically secure hash algorithm is used during encryption, different examples use different salt values, and thus for the same simple data (such as a user password), in different examples, due to different salt values, generated keys are also different, and in addition, the salt values are longer in length, a universal table cannot be calculated, so that the universal table can be mutually available among different examples, wherein the PBKDF2 algorithm is a key derivation algorithm, and through multiple rounds of iterations of the selected HMAC mode hash algorithm, under the condition that a key space is smaller, the cracking difficulty of an attacker is increased, namely, the speed of normal user use is slowed down by N times, and the speed of the attacker in each attempt is slowed down by N times. Meanwhile, due to the existence of the salt value parameters in the algorithm, the algorithm can further resist the attack mode of a pre-calculation table, different salt values can generate different keys by using the same original key and the same round number, and the structure of the algorithm is as follows:
the generated key is PBKDF2(HMAC mode cryptographic secure hash algorithm, HMAC mode key, salt, iteration round, output key length).
In practice, the following problems exist in the generation of keys using the PBKDF2 algorithm:
1. if the same salt value is used, an attacker can accelerate the cracking of the violent password by pre-calculating the hash table, and the safety is low;
2. if different salt values are used, the corresponding salt values need to be stored for each different encrypted object, when the method is used in a large scale, the data volume needing to be stored safely is large, more salt values need to be stored, the stored salt values have the risk of leakage, and the safety is low;
3. if the same global key is used together with other parameters to generate the hash value used by the PBKDF2 algorithm through block cipher, the problem of potential attack on the relevant key can be suffered, and the security is low.
It can be seen that the current way of generating keys by PBKDF2 algorithm has a problem of low security.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for generating secret parameters, which can improve the security of encryption.
In order to solve the above technical problem, a first aspect of the present invention discloses a method for generating secret parameters, where the method includes:
acquiring first data and second data corresponding to any data to be encrypted;
generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data;
generating a target secret parameter corresponding to the data to be encrypted according to the salt value, the first data and the key derivation algorithm;
the target secret parameter is used for encrypting the data to be encrypted.
Optionally, in the first aspect of the present invention, the generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data includes:
executing preset operation on the first data and the second data to obtain an operation result;
inputting the operation result into a predetermined Hash algorithm of the cryptography to obtain a Hash value;
and inputting the predetermined symmetric encryption algorithm by taking the first data as a key parameter and the hash value as a parameter to be encrypted to obtain a salt value corresponding to the predetermined key derivation algorithm.
Optionally, in the first aspect of the present invention, the preset operation includes one of a character concatenation operation, a logic comparison operation, an identical character extraction operation, and a different character extraction operation;
and the character concatenation operation comprises one of a character integral concatenation operation, a character cross concatenation operation and a character partial concatenation operation.
Optionally, in the first aspect of the present invention, the generating, according to the salt value, the first data, and the key derivation algorithm, a target secret parameter corresponding to the data to be encrypted includes:
and performing iteration for preset times on the salt value and the first data according to the key derivation algorithm to obtain a target secret parameter corresponding to the data to be encrypted.
Optionally, in the first aspect of the present invention, after acquiring the first data and the second data corresponding to any data to be encrypted, the method further includes:
determining a key strength of target data, the target data comprising the first data and/or the second data;
detecting whether the key strength of the target data meets a predetermined key strength condition;
and when the key strength of the target data is detected to meet the key strength condition, triggering and executing the operation of generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data.
Optionally, in the first aspect of the present invention, the method further includes:
counting a first data volume of attacked data in all encrypted data within a certain time period;
counting a second data volume of successfully cracked data in the attacked data;
calculating a ratio of the second data amount to the first data amount;
judging whether the ratio exceeds a preset ratio threshold value or not, and executing adjustment operation aiming at the confidential parameter generation process when the ratio exceeds the ratio threshold value;
wherein the adjustment operation comprises one or more of a combination of a data source adjustment operation, a salt generation mode adjustment operation and a key derivation algorithm adjustment operation.
The second aspect of the present invention discloses a device for generating secret parameters, the device comprising:
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring first data and second data corresponding to any data to be encrypted;
the first generation module is used for generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data;
the second generation module is used for generating a target secret parameter corresponding to the data to be encrypted according to the salt value, the first data and the key derivation algorithm;
the target secret parameter is used for encrypting the data to be encrypted.
Optionally, in the second aspect of the present invention, the first generating module includes:
the pre-operation unit is used for executing preset operation on the first data and the second data to obtain an operation result;
the determining unit is used for inputting the operation result into a predetermined Hash algorithm of the password security to obtain a Hash value; and inputting the predetermined symmetric encryption algorithm by taking the first data as a key parameter and the hash value as a parameter to be encrypted to obtain a salt value corresponding to the predetermined key derivation algorithm.
Optionally, in the second aspect of the present invention, the preset operation includes one of a character concatenation operation, a logic comparison operation, an identical character extraction operation, and a different character extraction operation;
and the character concatenation operation comprises one of a character integral concatenation operation, a character cross concatenation operation and a character partial concatenation operation.
Optionally, in the second aspect of the present invention, a specific manner of generating, by the second generation module, the target secret parameter corresponding to the data to be encrypted according to the salt value, the first data, and the key derivation algorithm is as follows:
and performing iteration for preset times on the salt value and the first data according to the key derivation algorithm to obtain a target secret parameter corresponding to the data to be encrypted.
Optionally, in the second aspect of the present invention, the apparatus further includes:
a determining module, configured to determine key strength of target data after the obtaining module obtains the first data and the second data, where the target data includes the first data and/or the second data;
and the detection module is used for detecting whether the key strength of the target data meets a predetermined key strength condition, and when the key strength of the target data meets the key strength condition, triggering the first generation module to execute the operation of generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data.
Optionally, in the second aspect of the present invention, the apparatus further includes:
the statistical module is used for counting a first data volume of attacked data in all encrypted data within a certain time period and counting a second data volume of successfully cracked data in the attacked data;
the calculating module is used for calculating the ratio of the second data volume to the first data volume;
the judging module is used for judging whether the ratio exceeds a preset ratio threshold value;
the adjusting module is used for executing the adjusting operation aiming at the confidential parameter generating process when the judging module judges that the ratio exceeds the ratio threshold;
wherein the adjustment operation comprises one or more of a combination of a data source adjustment operation, a salt generation mode adjustment operation and a key derivation algorithm adjustment operation.
The third aspect of the present invention discloses another secret parameter generation apparatus, which includes a processor, wherein:
the processor calls the executable program code stored in the memory to execute the method for generating the confidential parameter disclosed by the first aspect of the present invention.
In a fourth aspect, the present invention discloses a computer-readable storage medium storing computer instructions for executing the method for generating confidential parameters disclosed in the first aspect of the present invention when the computer instructions are called.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
in the embodiment of the invention, first data and second data corresponding to any data to be encrypted are obtained; generating a salt value corresponding to a predetermined key derivation algorithm based on the acquired first data and second data; and generating a target secret parameter corresponding to the data to be encrypted according to the generated salt value, the acquired first data and a key derivation algorithm, wherein the target secret parameter is used for encrypting the data to be encrypted. Therefore, the method and the device can generate the salt values corresponding to the key derivation algorithm based on a plurality of data corresponding to the data to be encrypted, and the salt values generated by different data are different, so that the complexity of the generated confidential parameters is improved, the encryption safety or the use safety is improved, different salt values do not need to be stored aiming at different data to be encrypted in advance, only the salt values required by the key derivation algorithm need to be generated when the data to be encrypted is encrypted, the encryption safety is improved, and the storage cost can be reduced.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic flow chart of a method for generating secret parameters according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating another method for generating secret parameters according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a secret parameter generating apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of another apparatus for generating confidential parameters according to the embodiment of the present invention;
fig. 5 is a schematic structural diagram of another apparatus for generating secret parameters according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," and the like in the description and claims of the present invention and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, apparatus, article, or article that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or article.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The invention discloses a secret parameter generation method and device, which can generate salt values corresponding to a key derivation algorithm based on a plurality of data corresponding to data to be encrypted, and different data generate different salt values, so that the complexity of generated secret parameters is improved, the encryption safety or the use safety is further improved, different salt values do not need to be stored aiming at different data to be encrypted in advance, only the salt values required by the key derivation algorithm need to be generated when the data to be encrypted is encrypted, and the storage cost can be reduced while the encryption safety is improved. The following are detailed below.
EXAMPLE I (method side embodiment)
Referring to fig. 1, fig. 1 is a schematic flow chart illustrating a method for generating secret parameters according to an embodiment of the present invention. The method described in fig. 1 may be applied to a secret parameter generating device, such as a server, where the server may be a local server or a cloud server, and the embodiment of the present invention is not limited thereto. As shown in fig. 1, the method for generating the confidential parameter may include the following operations:
101. the secret parameter generation device acquires first data and second data corresponding to any data to be encrypted.
In this embodiment of the present invention, the first data may include a single data or may include a group of data, and the second data may include a single data or may include a group of data, which is not limited in this embodiment of the present invention. Further, the first data may include related data of the corresponding object of the data to be encrypted, such as one or more combinations of a password or a key of the corresponding object, user information of the corresponding object, and random data generated for the corresponding object; the second data may include a global password or a global key, which is not limited in the embodiment of the present invention.
As an alternative implementation, the obtaining, by the secret parameter generating apparatus, the first data and the second data corresponding to any data to be encrypted may include:
the confidential parameter generating device determines parameter information corresponding to any data to be encrypted;
the confidential parameter generating device determines a data source for generating data of a salt value according to the parameter information corresponding to the data to be encrypted;
and the confidential parameter generating device acquires the first data and the second data corresponding to the data to be encrypted according to the data source.
Optionally, the parameter information corresponding to the data to be encrypted may include one or a combination of multiple types, such as a data type of the data to be encrypted, a data amount of the data to be encrypted, and a security level of the data to be encrypted.
It can be seen that this alternative embodiment provides a personalized data source for generating data of a salt value for different data to be encrypted, and further provides a personalized secret parameter generation mode for different data to be encrypted.
102. The secret parameter generation device generates a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data.
In the embodiment of the present invention, it should be noted that, for different data to be encrypted, the obtained data are different, so that the salt values generated in real time are different, the security of the generated salt values is improved, and the security of the generated confidential parameters is further improved. Further, for different data to be encrypted, the generation modes or generation algorithms of the corresponding salt values may also be different. It should be further noted that, for different data to be encrypted, the difference in the obtained data means that at least one of the first data and the second data is different, and preferably, the two obtained data are different.
In this embodiment of the present invention, optionally, the predetermined key derivation algorithm may be a PBKDF2 algorithm.
103. The secret parameter generating device generates a target secret parameter corresponding to the data to be encrypted according to the salt value, the first data and the key derivation algorithm.
The target secret parameter is used to encrypt the data to be encrypted, or the target secret parameter may be used as a Nonce value.
In an optional embodiment, after the step 101 is performed, the method for generating the secret parameter may further include the following operations:
when the data source of any one of the first data and the second data is a predetermined data generation mode, the confidential parameter generation device judges whether the data generated according to the data generation mode meets a predetermined data condition;
when the judgment result is yes, the secret parameter generating means executes the above step 102.
Optionally, the preset data condition may include a data length condition and/or a data content condition, for example, whether the data length of the data generated according to the data generation manner is greater than or equal to a preset length threshold, and for example, whether the data content of the data generated according to the data generation manner is different from the data content generated in the history, and the like, which is not limited in the embodiment of the present invention.
Therefore, the optional embodiment can intelligently judge whether the data generated according to the data generation mode meets the data condition before generating the salt value, and generate the corresponding salt value under the condition of meeting the data condition, so that the effectiveness of the salt value generated in real time is improved, and the generation efficiency of the secret parameter used for encryption is improved.
In an optional embodiment, after the step 101 is performed, the method for generating the secret parameter may further include the following operations:
the secret parameter generating device determines the key intensity of the target data, wherein the target data comprises the first data and/or the second data;
the secret parameter generation device detects whether the key strength of the target data meets a predetermined key strength condition;
when the key strength of the target data is detected to satisfy the key strength condition, the secret parameter generation device triggers and executes the operation of generating the salt value corresponding to the predetermined key derivation algorithm based on the first data and the second data.
In this optional embodiment, it should be noted that, the secret parameter generation apparatus detects whether the key strength of the target data meets a predetermined key strength condition, which may also be directly understood as determining whether the obtained target data meets the predetermined data condition, and the condition that the key strength of the target data meets the key strength condition may specifically be that the key strength of at least one kind of data in the target data is greater than or equal to a predetermined key strength threshold corresponding to the data, which is favorable for improving the validity of the salt value generated in real time, and further favorable for improving the generation efficiency of the secret parameter.
Therefore, the method described in the embodiment of the invention can generate the salt values corresponding to the key derivation algorithm based on the plurality of data corresponding to the data to be encrypted, and the salt values generated by different data are different, so that the complexity of the generated secret parameters is improved, the encryption safety or the use safety is further improved, different salt values do not need to be stored aiming at different data to be encrypted in advance, only the salt values required by the key derivation algorithm need to be generated when the data to be encrypted is encrypted, and the storage cost can be reduced while the encryption safety is improved.
EXAMPLE two (method side example)
Referring to fig. 2, fig. 2 is a flow chart illustrating another method for generating confidential parameters according to an embodiment of the present invention. The method described in fig. 2 may be applied to the secret parameter generating device, for example, a server, where the server may be a local server or a cloud server, and the embodiment of the present invention is not limited thereto. As shown in fig. 2, the method for generating the confidential parameter may include the following operations:
201. the secret parameter generation device acquires first data and second data corresponding to any data to be encrypted.
202. The secret parameter generating device executes preset operation on the first data and the second data to obtain an operation result.
In the embodiment of the present invention, optionally, the preset operation includes one of a character concatenation operation, a logic comparison operation, an identical character extraction operation, and a different character extraction operation. The character parallel connection operation refers to parallel connection of characters included in the first data and the second data, the logic comparison operation refers to logic comparison operation of the characters of the first data and the second data according to sequence, the same character extraction operation refers to extraction of the same characters of the first data and the second data, and the different character extraction operation refers to extraction of different characters of the first data and the second data.
Further optionally, the character join operation may include one of a character full join operation, a character cross join operation, and a character partial join operation.
Still further optionally, the secret parameter generating device may perform a preset operation on the first data and the second data to obtain an operation result, and the operation result may include:
the secret parameter generating device selects matched preset operations from a preset operation set comprising a plurality of preset operations according to at least one of the data to be encrypted, the first data and the second data;
the confidential parameter generating device executes the matched preset operation of the selected first data and the second data to obtain an operation result.
Therefore, the embodiment of the invention can select different preset operations for different data to be encrypted to generate corresponding salt values, further improve the difference of the salt values corresponding to the different data to be encrypted, and is favorable for improving the safety of the generated salt values.
203. And the confidential parameter generating device inputs the operation result into a predetermined Hash algorithm of the cryptology to obtain a Hash value.
204. The secret parameter generation device takes the first data as a key parameter and the hash value as a parameter to be encrypted, inputs a predetermined symmetric encryption algorithm, and obtains a salt value corresponding to the predetermined key derivation algorithm.
It should be noted that, in an alternative embodiment, the secret parameter generating device may further perform a sequential scrambling operation on the characters included in the operation result, and determine the result after the sequential scrambling as a salt value corresponding to the predetermined key derivation algorithm.
205. And the secret parameter generating device performs iteration for preset times on the salt value and the first data according to the key derivation algorithm to obtain a target secret parameter corresponding to the data to be encrypted.
The target secret parameter is used to encrypt the data to be encrypted, or may be used as a Nonce value.
In the embodiment of the present invention, one of the ways of generating the target secret parameter is as follows:
Key=PBKDF2(HMAC-SHA256,KC,AES256(KC,SHA256(KC||KG)),i,256);
wherein, Key is the generated target secret parameter,KCfor the first data (e.g. the password or key corresponding to the object of the data to be encrypted), KGFor the second data (such as global key or password), i is the number of iteration rounds of PBKDF2 function, "|" represents the whole character concatenation operation, HMAC-SHA256 represents the used hash function, which is a hash algorithm of cryptographic security, AES256 represents a symmetric encryption algorithm used, and 256 represents the length of the output target secret parameter. Note that, i ═ 1 indicates that iteration is not necessary when generating the target secret parameter, and i may be omitted in this case.
Therefore, the embodiment of the invention can also set the number of iteration rounds, and improves the complexity and the safety of the generated confidential parameters.
In an optional embodiment, the method for generating the secret parameter may further include the following operations:
the confidential parameter generation device inputs the target confidential parameter into a predetermined complexity detection model to obtain a detection result for the target confidential parameter.
The secret parameter generating means determines whether the detection result is used to indicate that the complexity of the target secret parameter is greater than or equal to a predetermined complexity threshold, and when the determination result is yes, performs an encryption operation on the data to be encrypted by using the target secret parameter to obtain encrypted data, or when the determination result is no, the current process may be ended, or step 201 may be re-triggered.
It should be noted that, for the same data to be encrypted, each time step 201 is re-triggered and executed, at least one of the acquired first data and the acquired second data is different from the same kind of data acquired in step 201.
It should be noted that different secret parameters of the data to be encrypted may correspond to the same complexity threshold, or may correspond to different complexity thresholds, preferably the latter.
Therefore, the embodiment of the invention can detect the complexity of the confidential parameters after generating the confidential parameters, and if the complexity is higher, the subsequent operation is carried out, thereby being beneficial to improving the encryption security or the use security.
It should be noted that, in another alternative embodiment, after the step 204 is completed, the above-mentioned operation of performing the encryption operation on the data to be encrypted by using the target secret parameter may also be directly triggered to be performed, so as to obtain the encrypted data, or the operation of using the target secret parameter as the Nonce value may also be performed.
In yet another optional embodiment, the method for generating the confidential parameter may further include the operations of:
the secret parameter generation device counts a first data volume of attacked data in all encrypted data within a certain time period;
the secret parameter generating device counts a second data amount of successfully cracked data in the attacked data;
the secret parameter generation device calculates the ratio of the second data volume to the first data volume;
the secret parameter generation device judges whether the ratio exceeds a preset ratio threshold value, and when the ratio exceeds the ratio threshold value, the secret parameter generation device executes adjustment operation aiming at the secret parameter generation process.
In this optional embodiment, further optionally, the adjusting operation may include a combination of one or more of a data source adjusting operation, a salt generation manner adjusting operation, and a key derivation algorithm adjusting operation.
Therefore, the embodiment of the invention can also carry out self-adaptive adjustment operation on the secret parameter generation process according to the attacked data and the successfully attacked data within a period of time so as to optimize the secret parameter generation mode, further improve the safety of the generated secret parameter and further improve the encryption safety or the use safety.
Therefore, the method described in the embodiment of the invention can generate the salt values corresponding to the key derivation algorithm based on the plurality of data corresponding to the data to be encrypted, and the salt values generated by different data are different, so that the complexity of the generated secret parameters is improved, the encryption safety or the use safety is further improved, different salt values do not need to be stored aiming at different data to be encrypted in advance, only the salt values required by the key derivation algorithm need to be generated when the data to be encrypted is encrypted, and the storage cost can be reduced while the encryption safety is improved. In addition, different preset operations can be selected for different data to be encrypted to generate corresponding salt values, so that the difference of the salt values corresponding to the different data to be encrypted is further improved, and the safety of the generated salt values is improved. In addition, the number of iteration rounds can be set, and the complexity and the safety of the generated confidential parameters are improved. In addition, the complexity of the secret parameters can be detected after the secret parameters are generated, and if the complexity is higher, subsequent encryption operation or use operation is performed, so that the encryption security or use security can be improved. In addition, the secret parameter generation process can be adaptively adjusted according to the attacked data and the successfully attacked data within a period of time, so that the secret parameter generation mode is optimized, the security of the generated secret parameter is further improved, and the encryption security or the use security is further improved.
EXAMPLE three (virtual device side embodiment)
Referring to fig. 3, fig. 3 is a schematic structural diagram of a secret parameter generating device according to an embodiment of the present invention. The secret parameter generating device described in fig. 3 may be applied to a server, which may be a local server or a cloud server, and the embodiment of the present invention is not limited thereto. As shown in fig. 3, the secret parameter generating means may include:
the obtaining module 301 is configured to obtain first data and second data corresponding to any data to be encrypted.
A first generating module 302, configured to generate a predetermined salt value corresponding to the key derivation algorithm based on the first data and the second data.
A second generating module 303, configured to generate a target secret parameter corresponding to the data to be encrypted according to the salt value, the first data, and the key derivation algorithm.
The target secret parameter is used to encrypt the data to be encrypted, or may be used as a Nonce value.
It can be seen that the secret parameter generation device described in the embodiment of the present invention can generate the salt values corresponding to the key derivation algorithm based on a plurality of data corresponding to the data to be encrypted, and the salt values generated by different data are different, which improves the complexity of the generated secret parameter, and further facilitates improving the encryption security or the use security.
In an alternative embodiment, as shown in fig. 4, the first generating module 302 may include:
a pre-operation unit 3021, configured to perform a preset operation on the first data and the second data to obtain an operation result.
A determining unit 3022, configured to input the operation result into a predetermined hash algorithm (such as SHA256 hash function) of the cryptographic security to obtain a hash value; and inputting the first data as a key parameter and the hash value as a parameter to be encrypted into a predetermined symmetric encryption algorithm (such as an AES256 symmetric encryption function) to obtain a salt value corresponding to the predetermined key derivation algorithm.
In an optional embodiment, further optionally, the preset operation may include one of a character concatenation operation, a logic comparison operation, an identical character extraction operation, and a different character extraction operation.
Still further optionally, the character join operation includes one of a character whole join operation, a character cross join operation, and a character partial join operation.
Therefore, the optional embodiment can also improve the difference of the salt values corresponding to different data to be encrypted, and is favorable for improving the safety of the generated salt values.
In another optional embodiment, the specific manner of generating the target secret parameter corresponding to the data to be encrypted by the second generating module 303 according to the salt value, the first data, and the predetermined key derivation algorithm is as follows:
and performing iteration for preset times on the salt value and the first data according to a predetermined key derivation algorithm to obtain a target secret parameter corresponding to the data to be encrypted.
Therefore, the optional embodiment can also set the iteration round number, and the complexity and the safety of the generated confidential parameters are improved.
In yet another alternative embodiment, as shown in fig. 4, the apparatus may further include:
a determining module 304, configured to determine the key strength of the target data after the acquiring module 301 acquires the first data and the second data, where the target data includes the first data and/or the second data.
The detecting module 305 is configured to detect whether the key strength of the target data meets a predetermined key strength condition, and when it is detected that the key strength of the target data meets the key strength condition, trigger the first generating module 302 to perform the above-mentioned operation of generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data.
Therefore, the optional embodiment can also detect the key strength of the data after the data is acquired, and generate the corresponding salt value after the key strength meets the predetermined key strength condition, which is beneficial to improving the reliability and the safety of the generated confidential parameters by ensuring the key strength of the data.
In yet another alternative embodiment, as shown in fig. 4, the apparatus may further include:
the counting module 306 is configured to count a first data amount of attacked data in all encrypted data within a certain time period, and count a second data amount of successfully cracked data in the attacked data.
A calculating module 307, configured to calculate a ratio of the second data amount to the first data amount.
The judging module 308 is configured to judge whether the ratio calculated by the calculating module 307 exceeds a preset ratio threshold.
An adjusting module 309, configured to perform an adjusting operation for the secret parameter generating process when the determining module 308 determines that the ratio calculated by the calculating module 307 exceeds the ratio threshold.
Optionally, the adjusting operation may include one or more of a combination of a data source adjusting operation, a salt generation adjusting operation, and a key derivation algorithm adjusting operation.
Therefore, the optional embodiment can also perform adaptive adjustment operation on the secret parameter generation process according to the attacked data and the successfully attacked data within a period of time, so as to optimize the secret parameter generation mode, further improve the security of the generated secret parameter, and further improve the encryption security or the use security.
EXAMPLE four (solid device side embodiment)
Referring to fig. 5, fig. 5 is a schematic structural diagram of another secret parameter generating device according to an embodiment of the present invention. As shown in fig. 5, the secret parameter generating device may include a processor 402, and further, may further include a memory 401 storing executable program code, wherein:
the memory 401 is coupled with the processor 402;
the processor 402 calls the executable program code stored in the memory 401 to execute the method for generating the secret parameter described in the first embodiment of the present invention or the second embodiment of the present invention.
EXAMPLE five (computer storage media embodiment)
The embodiment of the invention discloses a computer storage medium, which stores computer instructions, and the computer instructions are used for executing the secret parameter generation method described in the first embodiment or the second embodiment of the invention when being called.
EXAMPLE six (computer program product embodiment)
An embodiment of the present invention discloses a computer program product, which includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute the method for generating a confidential parameter described in the first embodiment or the second embodiment.
The above-described embodiments of the apparatus are merely illustrative, and the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above detailed description of the embodiments, those skilled in the art will clearly understand that the embodiments may be implemented by software plus a necessary general hardware platform, and may also be implemented by hardware. Based on such understanding, the above technical solutions may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, where the storage medium includes a Read-Only Memory (ROM), a Random Access Memory (RAM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), a One-time Programmable Read-Only Memory (OTPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc-Read-Only Memory (CD-ROM), or other disk memories, CD-ROMs, or other magnetic disks, A tape memory, or any other medium readable by a computer that can be used to carry or store data.
Finally, it should be noted that: the method and the apparatus for generating secret parameters disclosed in the embodiments of the present invention are only preferred embodiments of the present invention, and are only used for illustrating the technical solutions of the present invention, not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art; the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (14)

1. A method for generating secret parameters, the method comprising:
acquiring first data and second data corresponding to any data to be encrypted, wherein the acquired first data and the acquired second data are different aiming at different data to be encrypted;
generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data;
generating a target secret parameter corresponding to the data to be encrypted according to the salt value, the first data and the key derivation algorithm;
the target secret parameter is used for encrypting the data to be encrypted.
2. The method of generating confidential parameters according to claim 1, wherein generating a predetermined salt value corresponding to a key derivation algorithm based on the first data and the second data comprises:
executing preset operation on the first data and the second data to obtain an operation result;
inputting the operation result into a predetermined Hash algorithm of the cryptography to obtain a Hash value;
and inputting the predetermined symmetric encryption algorithm by taking the first data as a key parameter and the hash value as a parameter to be encrypted to obtain a salt value corresponding to the predetermined key derivation algorithm.
3. The method for generating confidential parameters according to claim 2, wherein the predetermined operation comprises one of a character concatenation operation, a logical comparison operation, an identical character extraction operation, and a different character extraction operation;
and the character concatenation operation comprises one of a character integral concatenation operation, a character cross concatenation operation and a character partial concatenation operation.
4. The method for generating secret parameters according to claim 3, wherein the generating the target secret parameter corresponding to the data to be encrypted according to the salt value, the first data and the key derivation algorithm comprises:
and performing iteration for preset times on the salt value and the first data according to the key derivation algorithm to obtain a target secret parameter corresponding to the data to be encrypted.
5. The method for generating confidential parameters according to any of claims 1 to 4, wherein after the obtaining of the first data and the second data corresponding to any data to be encrypted, the method further comprises:
determining a key strength of target data, the target data comprising the first data and/or the second data;
detecting whether the key strength of the target data meets a predetermined key strength condition;
and when the key strength of the target data is detected to meet the key strength condition, triggering and executing the operation of generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data.
6. The method of generating confidential parameters of claim 5, further comprising:
counting a first data volume of attacked data in all encrypted data within a certain time period;
counting a second data volume of successfully cracked data in the attacked data;
calculating a ratio of the second data amount to the first data amount;
judging whether the ratio exceeds a preset ratio threshold value or not, and executing adjustment operation aiming at the confidential parameter generation process when the ratio exceeds the ratio threshold value;
wherein the adjustment operation comprises one or more of a combination of a data source adjustment operation, a salt generation mode adjustment operation and a key derivation algorithm adjustment operation.
7. An apparatus for generating secret parameters, the apparatus comprising:
the device comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring first data and second data corresponding to any data to be encrypted, and the acquired first data and the acquired second data are different aiming at different data to be encrypted;
the first generation module is used for generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data;
the second generation module is used for generating a target secret parameter corresponding to the data to be encrypted according to the salt value, the first data and the key derivation algorithm;
the target secret parameter is used for encrypting the data to be encrypted.
8. The secret parameter generation apparatus according to claim 7, wherein the first generation module comprises:
the pre-operation unit is used for executing preset operation on the first data and the second data to obtain an operation result;
the determining unit is used for inputting the operation result into a predetermined Hash algorithm of the password security to obtain a Hash value; and inputting the predetermined symmetric encryption algorithm by taking the first data as a key parameter and the hash value as a parameter to be encrypted to obtain a salt value corresponding to the predetermined key derivation algorithm.
9. The apparatus for generating confidential parameters according to claim 8, wherein the predetermined operation comprises one of a character concatenation operation, a logical comparison operation, an identical character extraction operation, and a different character extraction operation;
and the character concatenation operation comprises one of a character integral concatenation operation, a character cross concatenation operation and a character partial concatenation operation.
10. The secret parameter generation apparatus according to claim 9, wherein the second generation module generates the target secret parameter corresponding to the data to be encrypted according to the salt value, the first data, and the key derivation algorithm by:
and performing iteration for preset times on the salt value and the first data according to the key derivation algorithm to obtain a target secret parameter corresponding to the data to be encrypted.
11. The secret parameter generation apparatus according to any one of claims 7 to 10, further comprising:
a determining module, configured to determine key strength of target data after the obtaining module obtains the first data and the second data, where the target data includes the first data and/or the second data;
and the detection module is used for detecting whether the key strength of the target data meets a predetermined key strength condition, and when the key strength of the target data meets the key strength condition, triggering the first generation module to execute the operation of generating a salt value corresponding to a predetermined key derivation algorithm based on the first data and the second data.
12. The apparatus for generating confidential parameters according to claim 11, further comprising:
the statistical module is used for counting a first data volume of attacked data in all encrypted data within a certain time period and counting a second data volume of successfully cracked data in the attacked data;
the calculating module is used for calculating the ratio of the second data volume to the first data volume;
the judging module is used for judging whether the ratio exceeds a preset ratio threshold value;
the adjusting module is used for executing the adjusting operation aiming at the confidential parameter generating process when the judging module judges that the ratio exceeds the ratio threshold;
wherein the adjustment operation comprises one or more of a combination of a data source adjustment operation, a salt generation mode adjustment operation and a key derivation algorithm adjustment operation.
13. An apparatus for generating secret parameters, the apparatus comprising a processor, wherein:
the processor calls the executable program code stored in the memory to execute the method for generating confidential parameters according to any of claims 1 to 6.
14. A computer-storable medium that stores computer instructions that, when invoked, perform a method of generating confidential parameters as defined in any of claims 1-6.
CN202010794564.2A 2020-08-10 2020-08-10 Secret parameter generation method and device Active CN112000967B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010794564.2A CN112000967B (en) 2020-08-10 2020-08-10 Secret parameter generation method and device
PCT/CN2021/111536 WO2022033433A1 (en) 2020-08-10 2021-08-09 Method and apparatus for generating confidential parameter

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010794564.2A CN112000967B (en) 2020-08-10 2020-08-10 Secret parameter generation method and device

Publications (2)

Publication Number Publication Date
CN112000967A CN112000967A (en) 2020-11-27
CN112000967B true CN112000967B (en) 2021-10-22

Family

ID=73464239

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010794564.2A Active CN112000967B (en) 2020-08-10 2020-08-10 Secret parameter generation method and device

Country Status (2)

Country Link
CN (1) CN112000967B (en)
WO (1) WO2022033433A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112000967B (en) * 2020-08-10 2021-10-22 广州以太教育科技有限责任公司 Secret parameter generation method and device
CN115102750B (en) * 2022-06-16 2024-02-02 平安银行股份有限公司 Private data processing method, system, computer terminal and readable storage medium
CN117499023B (en) * 2024-01-02 2024-04-09 深圳市玩视科技股份有限公司 Hardware security method, device and storage medium based on AES algorithm

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012073559A1 (en) * 2010-11-30 2012-06-07 日本電気株式会社 Authorization information verification device and authorization information verification program, and authorization information verification system and authorization information verification method
CN103208151A (en) * 2013-04-03 2013-07-17 天地融科技股份有限公司 Method and system for processing operation requests
CN107135078A (en) * 2017-06-05 2017-09-05 浙江大学 PBKDF2 cryptographic algorithms accelerated method and equipment therefor
CN110460426A (en) * 2019-07-03 2019-11-15 五邑大学 Optimization accelerated method, device, equipment and the storage medium of PBKDF2 cryptographic algorithm
CN111314090A (en) * 2020-03-25 2020-06-19 北京航空航天大学 Secure multi-cloud password management method based on bit level threshold

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160275294A1 (en) * 2015-03-16 2016-09-22 The MaidSafe Foundation Data system and method
CN107689869B (en) * 2016-08-05 2020-06-16 华为技术有限公司 User password management method and server
US10873450B2 (en) * 2017-11-16 2020-12-22 Intuit Inc. Cryptographic key generation for logically sharded data stores
CN110351077B (en) * 2019-05-30 2023-05-02 平安科技(深圳)有限公司 Method, device, computer equipment and storage medium for encrypting data
CN110312054B (en) * 2019-06-28 2021-08-27 浙江大华技术股份有限公司 Image encryption and decryption method, related device and storage medium
CN110516467B (en) * 2019-07-16 2021-09-24 上海数据交易中心有限公司 Data distribution method and device, storage medium and terminal
CN112000967B (en) * 2020-08-10 2021-10-22 广州以太教育科技有限责任公司 Secret parameter generation method and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012073559A1 (en) * 2010-11-30 2012-06-07 日本電気株式会社 Authorization information verification device and authorization information verification program, and authorization information verification system and authorization information verification method
CN103208151A (en) * 2013-04-03 2013-07-17 天地融科技股份有限公司 Method and system for processing operation requests
CN107135078A (en) * 2017-06-05 2017-09-05 浙江大学 PBKDF2 cryptographic algorithms accelerated method and equipment therefor
CN110460426A (en) * 2019-07-03 2019-11-15 五邑大学 Optimization accelerated method, device, equipment and the storage medium of PBKDF2 cryptographic algorithm
CN111314090A (en) * 2020-03-25 2020-06-19 北京航空航天大学 Secure multi-cloud password management method based on bit level threshold

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
口令加密算法安全性分析与对比;祁鑫;《认证及保密》;20161231;1,5,7,11,13,14 *

Also Published As

Publication number Publication date
CN112000967A (en) 2020-11-27
WO2022033433A1 (en) 2022-02-17

Similar Documents

Publication Publication Date Title
CN112000967B (en) Secret parameter generation method and device
Shuai et al. Modelling analysis and auto-detection of cryptographic misuse in android applications
KR101095239B1 (en) Secure communications
US9313026B2 (en) Key negotiation method and apparatus according to SM2 key exchange protocol
US20130212385A1 (en) Utilization of a protected module to prevent offline dictionary attacks
CN110099048B (en) Cloud storage method and equipment
CN109981285B (en) Password protection method, password verification method and system
JP2001313634A (en) Method for communication
CN109688098B (en) Method, device and equipment for secure communication of data and computer readable storage medium
CN108134666A (en) A kind of encrypting and decrypting method and device
CN110149209A (en) Internet of things equipment and its method and apparatus of improve data transfer safety
CN110059458A (en) A kind of user password encryption and authentication method, apparatus and system
CN110110551B (en) Data storage method and device
CN109495270A (en) Digital signature generate in interim random number to message combination
US20220085999A1 (en) System and method to optimize decryption operations in cryptographic applications
US20220085998A1 (en) System and method to generate prime numbers in cryptographic applications
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
US9735963B2 (en) Decryption service providing device, processing device, safety evaluation device, program, and recording medium
CN116938434A (en) Data security detection method and device in privacy calculation
CN113347270B (en) Method and device for preventing horizontal unauthorized network transmission file
CN115086008B (en) Method and device for realizing password security protection, storage medium and electronic equipment
Alattar et al. Anti-continuous collisions user-based unpredictable iterative password salted hash encryption
CN116248258A (en) Password detection method, device, equipment and storage medium
CN115828224A (en) Automatic Go language password misuse detection method and device
Wang et al. Automated proof for authorization protocols of TPM 2.0 in computational model

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 510000 room 103, building 7, scientists' house 66, No. 1190, Tianyuan Road, Tianhe District, Guangzhou, Guangdong Province (office only) (not for plant use)

Patentee after: Guangzhou Ethernet Education Technology Co.,Ltd.

Address before: 510000 room 4026c, 4th floor, No. 82, Taoyu Road, Tianhe District, Guangzhou City, Guangdong Province

Patentee before: Guangzhou Ethernet Education Technology Co.,Ltd.

CP02 Change in the address of a patent holder