CN114785495A - Key derivation method, data encryption method, server, electronic device, and storage medium - Google Patents

Publication number
CN114785495A
Authority
CN
China
Prior art keywords
key
bit string
key derivation
algorithm
data bit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210339817.6A
Other languages
Chinese (zh)
Inventor
黄良强
罗春枫
徐辰福
明宏
刘光前
余秦勇
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Application filed by Antiy Technology Group Co Ltd
Priority to CN202210339817.6A
Publication of CN114785495A

Classifications

    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • G06F21/602 Providing cryptographic facilities or services
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

The embodiments of the invention disclose a key derivation method, a data encryption method, a server, an electronic device, and a storage medium, and relate to the technical field of data security. The method comprises: acquiring a master password input by a user and unique identification information of a user authentication device; and performing a key derivation operation according to a first key derivation algorithm, based on the master password and the unique identification information of the user authentication device, to obtain a key for encrypting data. The key is thus derived from multiple factors, which can improve data encryption security to a certain extent and suits scenarios that protect encrypted data.

Description

Key derivation method, data encryption method, server, electronic device, and storage medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a key derivation method, a data encryption method, a server, an electronic device, and a storage medium.
Background
With the rapid development and popularization of information technology, electronic accounts and passwords are required in more and more internet access scenarios, for example browser login accounts, email accounts, and login names for various application software. The corresponding passwords are numerous and easy to forget. To solve this problem, password management tools have been developed that manage accounts and passwords centrally.
A password management tool helps the user create a different password for each account without worrying about forgetting any of them. With such a tool, the user stores all passwords in a password file locked by a master password, so only one master password needs to be memorized, and that master password protects a large number of online application passwords by encryption. This means, however, that protecting the master password becomes a serious issue.
The key used in encryption and decryption operations is generally not the master password set by the user used directly; rather, it is generated from the master password by a key derivation function (KDF). Key derivation algorithms differ in their principles and in the parameters that take part in derivation. At present, in addition to the master password set by the user, most KDF algorithms improve the security of the derived key by adding parameters such as a salt and an iteration count (rounds).
However, in the process of realizing the invention, the inventors found the following: the password file header stores the salt and iteration count used when the password file was saved. Although the parameter values differ on each save, the salt and the iteration count can be read from the file header when the file is opened, so the only input that cannot be obtained is the master password set by the user. With the current key derivation methods based on the single master-password factor, once the master password is leaked, all account password records in the whole password file are exposed without reservation.
Disclosure of Invention
In view of this, embodiments of the present invention provide a key derivation method, a file encryption method, a server, an electronic device, and a storage medium, which can improve data encryption security to a certain extent.
In order to achieve the purpose of the invention, the following technical scheme is adopted:
In a first aspect, an embodiment of the present invention provides a key derivation method, including: acquiring a master password input by a user and unique identification information of a user authentication device;
and performing a key derivation operation according to a first key derivation algorithm, based on the master password and the unique identification information of the user authentication device, to obtain a key for encrypting data.
Optionally, the user authentication device is a bluetooth device, and the unique identification information is bluetooth address information or a machine code.
Optionally, after acquiring the master password input by the user, the method further comprises: verifying whether the master password is correct;
if so, performing hash calculation on the master password according to a cryptographic hash algorithm to obtain a first hash value of the master password.
Optionally, the unique identification information is bluetooth address information;
after obtaining the unique identification information of the user authentication device, the method further includes:
and performing hash calculation on the Bluetooth address information of the user authentication device according to a cryptographic hash algorithm to obtain a corresponding second hash value.
Optionally, the first key derivation algorithm comprises: a cryptographic hash algorithm and a multi-factor key derivation algorithm;
the obtaining a key for encrypting data by performing key derivation operation according to a first key derivation algorithm based on the master password and the unique identification information of the user authentication device includes:
splicing the first hash value of the master password with a second hash value corresponding to the Bluetooth address information;
calculating a third hash value of the concatenation according to a cryptographic hash algorithm; the third hash value is the bit string parameter passed into the multi-factor key derivation algorithm;
and receiving the passed-in bit string parameter, and performing iterative operations with the multi-factor key derivation algorithm to obtain a key for encrypting data.
Optionally, the multi-factor key derivation algorithm is a cryptographic hash algorithm;
the receiving the incoming bit string parameters, and performing iterative operation by using a multi-factor key derivation algorithm to obtain a key for encrypting data includes:
assigning the acquired salt value to the intermediate sequence code variable as an initial intermediate sequence code variable value;
initializing a key data bit string into a bit string with a predetermined byte length;
performing a first iterative operation on the passed-in bit string parameter and the initial value of the intermediate sequence code variable by using the cryptographic hash algorithm to obtain a first intermediate sequence code variable value;
performing XOR operation on the initialized key data bit string and the first intermediate sequence code variable value to obtain a first intermediate key data bit string; the first intermediate key data bit string is the same length as the initialization key data bit string;
substituting the first intermediate key data bit string and the first intermediate sequence code variable value into the cryptographic hash algorithm, and executing second iterative operation to obtain a second intermediate sequence code variable value;
performing XOR operation on the first intermediate key data bit string and the second intermediate sequence code variable value to obtain a second intermediate key data bit string; the second intermediate key data bit string is the same length as the initialization key data bit string;
substituting the ith intermediate key data bit string obtained by the ith iterative operation and the ith intermediate sequence code variable value into the cryptographic hash algorithm, and executing the (i+1)th iterative operation to obtain the (i+1)th intermediate sequence code variable value;
performing XOR operation on the ith intermediate key data bit string and the (i+1)th intermediate sequence code variable value to obtain a final key data bit string; wherein i is the iteration count variable of the key derivation operation, and i is greater than or equal to 0;
storing the final key data bit string as a key for encrypting data.
In a second aspect, an embodiment of the present invention further provides a data encryption method, including: generating a key for encrypting data according to the key derivation method of any one of the first aspect;
and encrypting the data according to a preset encryption algorithm based on the secret key.
In a third aspect, an embodiment of the present invention provides a server, including a host, where a password management application is installed on the host, and the password management application is at least configured to respond to a request of a user and execute the key derivation method according to any one of the first aspects.
In a fourth aspect, an embodiment of the present invention provides an electronic device, including: one or more processors; a memory; the memory stores one or more executable programs, and the one or more processors read the executable program codes stored in the memory and run a password management application corresponding to the executable program codes, so as to execute the key derivation method according to any one of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the key derivation method described in any one of the first aspects.
According to the key derivation method, the data encryption method, the server, the electronic device and the storage medium provided by the embodiment of the invention, the master password input by the user and the unique identification information of the user authentication device are obtained; compared with the prior single-factor key derivation mode, the key for encrypting data obtained by performing key derivation operation by adopting double-factor parameters can improve the data encryption security.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the descriptions of the embodiments or the prior art are briefly described below. The drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart illustrating a key derivation method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a key derivation method according to another embodiment of the present invention;
FIG. 3 is a flowchart of an embodiment of a data encryption method according to the present invention;
FIG. 4 is a schematic block diagram of a server according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an embodiment of an electronic device of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The key derivation method and the data encryption method provided by the embodiments of the invention can be applied to a password management tool and suit scenarios that protect encrypted data. By using a user authentication device, for example one based on Bluetooth technology, together with the user's master password for key derivation, a two-factor key derivation method is realized, which makes the key harder to crack and thereby protects the encrypted file.
It should be noted that the method can be solidified in a certain manufactured physical product in the form of software, and when a user uses the product, the method flow of the application can be reproduced.
FIG. 1 is a flowchart illustrating a key derivation method according to an embodiment of the present invention. Referring to FIG. 1, the key derivation method may include the following steps:
S110, acquiring a master password input by a user and unique identification information of a user authentication device.
The master password may consist of Arabic numerals, English letters, and/or other special characters. To protect the master password, in some embodiments, after the master password input by the user is obtained, it may be hashed with a cryptographic hash algorithm, for example the national cryptographic hash algorithm SM3, which outputs a 256-bit master password hash value that takes part in the subsequent derivation of the key used for encrypting data, so as to improve the security of the key.
Referring to FIG. 2, specifically, after acquiring the master password input by the user, the method further includes: verifying whether the master password is correct.
Specifically, a master password input box and a master password confirmation box are provided on the settings interface of the password management tool, where the master password confirmation box holds the correct master password defined by the user; whether the master password was input correctly is confirmed by comparing whether the contents of the two boxes are consistent.
If so, hash calculation is performed on the master password according to a cryptographic hash algorithm to obtain a first hash value of the master password. That is, after the master password is confirmed to have been input correctly, its hash value is calculated according to a preset cryptographic hash algorithm, such as the SM3 algorithm. This raises the complexity of cracking the encrypted file's key and improves the protection of the key.
With continued reference to fig. 2, in some embodiments, the user authentication device is a bluetooth device, and the unique identification information is bluetooth address information or machine code.
The unique identification information of the user authentication device may be obtained, for example, as follows: a Bluetooth device scanning function is provided on the settings interface of the password management tool; it scans for Bluetooth devices paired with the device running the password management tool, reads their Bluetooth names and Bluetooth addresses, and forms a Bluetooth device list from which the user selects the Bluetooth device used for encrypting and decrypting the password file. The address of the Bluetooth device authenticated by the user is then hashed according to a cryptographic hash algorithm, such as the SM3 algorithm, and the resulting hash value is used as a parameter in the subsequent key derivation calculation.
In this embodiment, the address information of the Bluetooth device serves as the unique identifier and takes part in key derivation together with the master password input by the user, which can improve the security of the derived key.
Since the machine code can also uniquely identify the Bluetooth device, the unique identification information may instead be the machine code, which then takes part in the key derivation operation together with the master password.
When the unique identification information is Bluetooth address information, after obtaining the unique identification information of the user authentication device, the method further includes:
performing hash calculation on the Bluetooth address information of the user authentication device according to a cryptographic hash algorithm to obtain a corresponding second hash value.
And S120, performing key derivation operation according to a first key derivation algorithm based on the master password and the unique identification information of the user authentication equipment to obtain a key for encrypting data.
Referring to FIG. 2, in detail, the first key derivation algorithm may include a cryptographic hash algorithm and a multi-factor key derivation algorithm. Performing the key derivation operation according to the first key derivation algorithm, based on the master password and the unique identification information of the user authentication device, to obtain a key for encrypting data includes: concatenating the first hash value of the master password with the second hash value corresponding to the Bluetooth address information; calculating a third hash value of the concatenation according to a cryptographic hash algorithm, the third hash value being the bit string parameter passed into the multi-factor key derivation algorithm; and receiving the passed-in bit string parameter and performing iterative operations with the multi-factor key derivation algorithm to obtain a key for encrypting data.
In this embodiment, the hash value of the master password and the hash value of the Bluetooth address are concatenated, and the SM3 hash of the result is calculated to obtain the parameter bit string P passed into the multi-factor-KDF algorithm.
Wherein, the symbol "|" in fig. 2 represents the splicing operation.
Specifically, the multi-factor key derivation algorithm may also be the cryptographic hash algorithm SM3;
receiving the passed-in bit string parameter and performing iterative operations with the multi-factor key derivation algorithm to obtain a key for encrypting data includes:
assigning the acquired salt value to the intermediate sequence code variable as its initial value; initializing the key data bit string as a bit string of a predetermined byte length;
performing a first iterative operation on the passed-in bit string parameter and the initial value of the intermediate sequence code variable by using the cryptographic hash algorithm to obtain a first intermediate sequence code variable value;
performing XOR operation on the initialized key data bit string and the first intermediate sequence code variable value to obtain a first intermediate key data bit string; the first intermediate key data bit string is the same length as the initialized key data bit string;
substituting the first intermediate key data bit string and the first intermediate sequence code variable value into the cryptographic hash algorithm, and executing a second iterative operation to obtain a second intermediate sequence code variable value;
performing XOR operation on the first intermediate key data bit string and the second intermediate sequence code variable value to obtain a second intermediate key data bit string; the second intermediate key data bit string is the same length as the initialized key data bit string;
substituting the ith intermediate key data bit string obtained by the ith iterative operation and the ith intermediate sequence code variable value into the cryptographic hash algorithm, and executing the (i+1)th iterative operation to obtain the (i+1)th intermediate sequence code variable value;
performing XOR operation on the ith intermediate key data bit string and the (i+1)th intermediate sequence code variable value to obtain a final key data bit string; wherein i is the iteration count variable of the key derivation operation, and i is greater than or equal to 0; and storing the final key data bit string as a key for encrypting data.
As an example, let the third hash value calculated in the foregoing embodiment be the bit string P, let the selected salt be S, and let the number of iterations of the key derivation operation be R. These three values are passed as input parameters into the cryptographic hash algorithm SM3 for iterative operation.
The initial intermediate sequence code variable value is U_1 = S. Every bit of K is initialized to 0, and K is 256 bits long. For the iteration variable i from 1 to R, the following steps are performed: compute U_(i+1) = HMAC-SM3(P, U_i); then set K = K ^ U_(i+1). After the predetermined number of iterations R, a key data bit string K of 256 bits in length is output. The value K is used as the encryption key for the password file data blocks.
Here, HMAC-SM3 denotes the HMAC algorithm with its hash function replaced by the national cryptographic hash algorithm SM3, and the symbol ^ denotes an exclusive-or operation. The salt S may be arbitrarily designated or may be a randomly generated sequence, such as the random sequence 35sd6; it is stored in the password file header, from which it can be read when the password file data blocks are decrypted. The default value of the iteration count R can be 3000; the user can also change it on the settings interface of the password management tool, and it is stored in the password file header.
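The worked example above (P from the two SM3 hashes, U_1 = S, U_(i+1) = HMAC-SM3(P, U_i), K = K ^ U_(i+1)) as an added Python illustration; it is not code from the patent or from the applicant. The pure-Python SM3, the function names, the UTF-8 password encoding, the uppercase text form of the Bluetooth address and the sample address are assumptions made here; the salt 35sd6 and R = 3000 come from the text.

```python
import struct

MASK = 0xFFFFFFFF
IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits (n taken mod 32)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def _p0(x):
    return x ^ _rotl(x, 9) ^ _rotl(x, 17)


def _p1(x):
    return x ^ _rotl(x, 15) ^ _rotl(x, 23)


def _compress(v, block):
    """SM3 compression function over one 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        w.append(_p1(w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15))
                 ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        t = 0x79CC4519 if j < 16 else 0x7A879D8A
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        if j < 16:
            ff, gg = a ^ b ^ c, e ^ f ^ g
        else:
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | (~e & MASK & g)
        tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & MASK
        tt2 = (gg + h + ss1 + w[j]) & MASK
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = _p0(tt2), e, _rotl(f, 19), g
    return tuple(x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h)))


def sm3(data: bytes) -> bytes:
    """SM3 digest (256 bits) of data."""
    padded = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
              + struct.pack(">Q", 8 * len(data)))
    v = IV
    for off in range(0, len(padded), 64):
        v = _compress(v, padded[off:off + 64])
    return struct.pack(">8I", *v)


def hmac_sm3(key: bytes, msg: bytes) -> bytes:
    """HMAC with SM3 as the underlying hash (block size 64 bytes)."""
    if len(key) > 64:
        key = sm3(key)
    key = key.ljust(64, b"\x00")
    inner = sm3(bytes(k ^ 0x36 for k in key) + msg)
    return sm3(bytes(k ^ 0x5C for k in key) + inner)


def derive_p(master_password: str, bt_addr: str) -> bytes:
    """P = SM3(SM3(master password) | SM3(Bluetooth address)).

    Assumption: the password is UTF-8 text and the address is hashed in
    its uppercase colon-separated text form; the page fixes neither.
    """
    h1 = sm3(master_password.encode("utf-8"))
    h2 = sm3(bt_addr.upper().encode("ascii"))
    return sm3(h1 + h2)


def df_kdf(p: bytes, salt: bytes, rounds: int = 3000) -> bytes:
    """U_1 = S; for i = 1..R: U_(i+1) = HMAC-SM3(P, U_i), K = K ^ U_(i+1)."""
    u = salt
    k = bytes(32)  # 256-bit key, every bit initialised to 0
    for _ in range(rounds):
        u = hmac_sm3(p, u)
        k = bytes(x ^ y for x, y in zip(k, u))
    return k


if __name__ == "__main__":
    # Constructed sample inputs; the salt value is the one quoted in the text.
    p = derive_p("correct horse battery", "00:11:22:33:44:55")
    print(df_kdf(p, b"35sd6", rounds=3000).hex())
```

Both factors must be presented in exactly the form used when the file was saved, because any change to P produces an unrelated key. A Bluetooth address is a 48-bit identifier that a device discloses to the peers it connects to, so it adds far less secrecy than a strong master password.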
In the embodiment of the invention, in addition to the master password set by the user and the unique identification information of the user authentication device, parameters such as a salt and an iteration count (rounds) are added, as in most KDF algorithms, to improve the security of the derived key.
In addition, as shown in fig. 3, an embodiment of the present invention further provides a data encryption method, wherein a key for encrypting data is generated according to any one of the key derivation methods of the present invention (S210 and S220); and S230, encrypting the data according to a preset encryption algorithm based on the secret key.
The preset encryption algorithm may be: a symmetric encryption algorithm or an asymmetric encryption algorithm. Common symmetric encryption algorithms mainly comprise DES, 3DES, AES and other algorithms, common asymmetric algorithms mainly comprise RSA, DSA and other algorithms, and it should be noted that the English capital letters are terms in the technical field and have exact meanings.
In the invention, the key derived based on the multi-factor key derivation algorithm is used for the encryption key of the data, so that the problem that all account passwords stored in the password file are exposed without reservation due to single factor leakage can be prevented, and the data encryption security can be improved to a certain extent.
As described above, the embodiments of the invention draw on Bluetooth and the national commercial cryptographic algorithms, take the Bluetooth address and the master password as the factors of the key derivation algorithm, and derive the key with a two-factor key derivation algorithm. This prevents the leakage of a single factor from exposing all account passwords stored in the password file without reservation, and improves the security of the encrypted file.
In addition, existing KDF algorithms basically adopt the international SHA-series hash algorithms, or message authentication code (HMAC) algorithms based on them, in their computation, so hackers can easily launch attacks by exploiting vulnerabilities in the international KDF algorithms; security is hard to control, and localized, autonomous control is difficult to achieve.
In the invention, a brand-new multi-factor key derivation algorithm, DF-KDF, is independently proposed on the basis of a national cryptographic algorithm such as the SM3 algorithm. Taking advantage of the autonomous controllability of the national cryptographic algorithm, it prevents hackers from launching attacks that exploit possible vulnerabilities of the international KDF algorithms, thereby improving the security of the key. Further, because the key derivation is multi-factor, the leakage of a single factor no longer exposes all account passwords stored in the password file, so data encryption security can be improved to a certain extent.
Example two
Fig. 4 is a schematic block diagram of an architecture of an embodiment of a Web application server according to the present invention, and referring to fig. 4, an embodiment of the present invention provides a server, which includes a host, where a password management application is installed on the host, and the password management application is at least configured to, in response to a request of a user, execute a key derivation method according to any one of the first aspects.
The server of this embodiment may be used to execute the technical solution of the method embodiment shown in FIG. 1. Its implementation principle and technical effect are similar to those of the method embodiment and are not described again here; the embodiments may be referred to one another.
Example three
A further embodiment of the present invention provides an electronic device, including one or more processors; a memory; the memory stores one or more executable programs, and the one or more processors read the executable program codes stored in the memory to run programs corresponding to the executable program codes so as to execute the method of any one of the embodiments.
Fig. 5 is a schematic structural diagram of an embodiment of the electronic device of the present invention, which may implement the method according to any one of the embodiments of the present invention. As shown in Fig. 5, in an alternative embodiment the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45. The circuit board 44 is arranged inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44. The power supply circuit 45 supplies power to each circuit or component of the electronic device; the memory 43 stores executable program code; and the processor 42 reads the executable program code stored in the memory 43 and runs the corresponding password management application, so as to execute the key derivation method and the file encryption method described in the first embodiment.
For the specific way in which the processor 42 executes the above steps, and for the further steps the processor 42 executes by running the executable program code, refer to the description of the key derivation method and the file encryption method in the first embodiment of the present invention; they are not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capabilities and primarily provide voice and data communication. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra-mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as the iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content. This type of device includes audio and video players (such as the iPod), handheld game consoles, e-book readers, smart toys and portable car navigation devices.
(4) Servers: devices that provide computing services, comprising a processor, a hard disk, a memory, a system bus and the like. A server is similar in architecture to a general-purpose computer, but because it must provide highly reliable service it has higher requirements for processing capacity, stability, reliability, security, scalability, manageability and the like.
(5) Other electronic devices with data interaction functions.
A further embodiment of the present invention provides a computer-readable storage medium, which stores one or more programs, where the one or more programs are executable by one or more processors to implement the key derivation method and the data encryption method described in any one of the foregoing embodiments.
In summary, the descriptions of the above embodiments show that the key derivation method and the data encryption method disclosed in this embodiment are based on a multi-factor key derivation algorithm and can prevent the leakage of a single factor from fully exposing all account passwords stored in a password file, so that data encryption security can be improved to a certain extent.
In addition, based on the same technical concept, the password file management tool provided here and installed on the server is used to execute the key derivation method of the embodiments of the present invention, and a brand-new multi-factor key derivation algorithm, DF-KDF, is independently proposed on the basis of a national cryptographic algorithm such as the SM3 algorithm.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program, which may be stored in a computer readable storage medium and executed by a computer to implement the processes of the embodiments of the methods described above. The storage medium may also be a magnetic disk, an optical disk, a Read-only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method of key derivation, the method comprising the steps of:
acquiring a master password input by a user and unique identification information of user authentication equipment;
and performing key derivation operation according to a first key derivation algorithm based on the master password and the unique identification information of the user authentication device to obtain a key for encrypting data.
2. The key derivation method according to claim 1, wherein the user authentication device is a bluetooth device, and the unique identification information is bluetooth address information or a machine code.
3. The key derivation method according to claim 1, wherein after acquiring the master password input by the user, the method further comprises: verifying whether the master password is correct;
if so, performing hash calculation on the master password according to a cryptographic hash algorithm to obtain a first hash value of the master password.
4. The key derivation method of claim 3, wherein the unique identification information is Bluetooth address information;
after obtaining the unique identification information of the user authentication device, the method further includes:
and performing hash calculation on the Bluetooth address information of the user authentication device according to a cryptographic hash algorithm to obtain a corresponding second hash value.
5. The key derivation method of claim 4, wherein the first key derivation algorithm comprises: a cryptographic hash algorithm and a multi-factor key derivation algorithm;
the obtaining a key for encrypting data by performing key derivation operation according to a first key derivation algorithm based on the master password and the unique identification information of the user authentication device includes:
splicing the first hash value of the master password with a second hash value corresponding to the Bluetooth address information;
calculating, according to a cryptographic hash algorithm, a third hash value of the spliced result; the third hash value is the bit string parameter passed into the multi-factor key derivation algorithm;
and receiving the transmitted bit string parameters, and performing iterative operation by using a multi-factor key derivation algorithm to obtain a key for encrypting data.
6. A key derivation method according to claim 1 or claim 1, wherein the multi-factor key derivation algorithm is a cryptographic hash algorithm;
the receiving the incoming bit string parameters, and performing iterative operation by using a multi-factor key derivation algorithm to obtain a key for encrypting data includes:
assigning the acquired salt value to the intermediate sequence code variable to serve as an initial intermediate sequence code variable value;
initializing a key data bit string into a bit string with a predetermined byte length;
performing a first iterative operation on the transmitted bit string parameters and the initial value of the intermediate sequence code variable by using the cryptographic hash algorithm to obtain a first intermediate sequence code variable value;
performing XOR operation on the initialized key data bit string and the first intermediate sequence code variable value to obtain a first intermediate key data bit string; the first intermediate key data bit string is the same length as the initialization key data bit string;
substituting the first intermediate key data bit string and the first intermediate sequence code variable value into the cryptographic hash algorithm, and executing second iterative operation to obtain a second intermediate sequence code variable value;
performing XOR operation on the first intermediate key data bit string and the second intermediate sequence code variable value to obtain a second intermediate key data bit string; the second intermediate key data bit string is the same length as the initialization key data bit string;
substituting the ith intermediate key data bit string obtained by the ith iterative operation and the ith intermediate sequence code variable value into the cryptographic hash algorithm, and executing the (i +1) th iterative operation to obtain the (i +1) th intermediate sequence code variable value;
performing XOR operation on the ith intermediate key data bit string and the (i +1) th intermediate sequence code variable value to obtain a final key data bit string; wherein i is a variable of iteration times of key derivation operation, and i is more than or equal to 0;
storing the final key data bit string as a key for encrypting data.
7. A data encryption method, wherein a key for encrypting data is generated according to the key derivation method of any one of claims 1 to 6;
and encrypting the data according to a preset encryption algorithm based on the secret key.
8. A server, comprising a host having installed thereon a password management application for performing the key derivation method of any one of claims 1 to 6, at least in response to a request from a user.
9. An electronic device, comprising: one or more processors; a memory; the memory has one or more executable programs stored therein, and the one or more processors read the executable program code stored in the memory and execute a password management application corresponding to the executable program code for performing the key derivation method of any one of claims 1 to 6.
10. A computer readable storage medium, characterized in that it stores one or more programs, which are executable by one or more processors, to implement the method of any of the preceding claims 1 to 6.
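The derivation laid out in claims 3 to 6 can be followed step by step in code. The sketch below is an added example, not code from the patent: the concatenation order inside each hash call, the all-zero 32-byte initial key string, the Bluetooth address canonicalisation, the salt and the iteration count are assumptions, and SHA-256 stands in for SM3 where the local OpenSSL build does not provide it.

```python
import hashlib

try:
    hashlib.new("sm3")            # SM3 exists only if the linked OpenSSL provides it
    HASH_NAME = "sm3"
except ValueError:
    HASH_NAME = "sha256"          # stand-in (assumption): same 32-byte digest length

KEY_LEN = 32                      # assumed "predetermined byte length" = digest size


def H(data: bytes) -> bytes:
    return hashlib.new(HASH_NAME, data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def canonical_bt_addr(addr: str) -> bytes:
    """Assumed canonical form: the 6 raw address bytes, so 'aa:bb..' == 'AA-BB..'."""
    raw = bytes.fromhex(addr.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("Bluetooth address must be 48 bits")
    return raw


def bit_string_parameter(master_password: str, bt_addr: str) -> bytes:
    h1 = H(master_password.encode("utf-8"))   # first hash value (claim 3)
    h2 = H(canonical_bt_addr(bt_addr))        # second hash value (claim 4)
    return H(h1 + h2)                         # third hash value of the splice (claim 5)


def df_kdf(z: bytes, salt: bytes, iterations: int) -> bytes:
    """Iterate V <- H(input || V), K <- K xor V as laid out in claim 6."""
    if iterations < 1:
        raise ValueError("at least one iteration is required")
    v = salt                                  # initial intermediate sequence code variable
    k = bytes(KEY_LEN)                        # initialised key data bit string (zeros: assumption)
    v = H(z + v)                              # first iteration uses the passed-in bit string
    k = xor(k, v)
    for _ in range(iterations - 1):           # later iterations feed the key string back in
        v = H(k + v)
        k = xor(k, v)
    return k


def derive_key(master_password, bt_addr, salt, iterations=1000):
    return df_kdf(bit_string_parameter(master_password, bt_addr), salt, iterations)


if __name__ == "__main__":
    salt = bytes(range(16))                   # constructed sample salt
    print(HASH_NAME, derive_key("correct horse", "AA:BB:CC:DD:EE:FF", salt).hex())
```

Canonicalising the address before hashing matters in practice: the same device reported as `aa-bb-cc-dd-ee-ff` and `AA:BB:CC:DD:EE:FF` would otherwise yield two different keys and an undecryptable password file.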

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210339817.6A CN114785495A (en) 2022-04-01 2022-04-01 Key derivation method, data encryption method, server, electronic device, and storage medium

Publications (1)

Publication Number Publication Date
CN114785495A (en) 2022-07-22

Family

ID=82428055

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination