CN117176325A - Encryption processing method, decryption processing method and related devices - Google Patents
Encryption processing method, decryption processing method and related devices Download PDFInfo
- Publication number
- CN117176325A CN117176325A CN202210582666.7A CN202210582666A CN117176325A CN 117176325 A CN117176325 A CN 117176325A CN 202210582666 A CN202210582666 A CN 202210582666A CN 117176325 A CN117176325 A CN 117176325A
- Authority
- CN
- China
- Prior art keywords
- data
- encryption
- key
- encrypted
- decryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 41
- 238000012545 processing Methods 0.000 claims abstract description 188
- 238000007499 fusion processing Methods 0.000 claims abstract description 45
- 238000000034 method Methods 0.000 claims description 157
- 238000004422 calculation algorithm Methods 0.000 claims description 145
- 238000006243 chemical reaction Methods 0.000 claims description 51
- 238000004590 computer program Methods 0.000 claims description 23
- 238000005516 engineering process Methods 0.000 abstract description 6
- 238000013473 artificial intelligence Methods 0.000 abstract description 2
- 238000010586 diagram Methods 0.000 description 18
- 230000006870 function Effects 0.000 description 13
- 238000013500 data storage Methods 0.000 description 8
- 230000000694 effects Effects 0.000 description 8
- 238000007781 pre-processing Methods 0.000 description 6
- 230000002441 reversible effect Effects 0.000 description 6
- 230000005540 biological transmission Effects 0.000 description 5
- 238000004891 communication Methods 0.000 description 5
- 230000001010 compromised effect Effects 0.000 description 5
- 230000009286 beneficial effect Effects 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 238000013478 data encryption standard Methods 0.000 description 3
- 230000001419 dependent effect Effects 0.000 description 3
- 238000009795 derivation Methods 0.000 description 3
- 230000000295 complement effect Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000012804 iterative process Methods 0.000 description 2
- 230000001960 triggered effect Effects 0.000 description 2
- 238000005336 cracking Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012805 post-processing Methods 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Abstract
The embodiment of the application discloses an encryption processing method, a decryption processing method and a related device, wherein the encryption processing method can comprise the following steps: acquiring plaintext data in target equipment and an encryption key associated with the target equipment; carrying out fusion processing on the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data; and encrypting the data source to be encrypted by adopting the encryption key, and carrying out encryption enhancement processing on the encrypted data to obtain ciphertext data of the plaintext data. The embodiment of the application can be applied to various scenes such as cloud technology, artificial intelligence, intelligent traffic, auxiliary driving and the like, and the safety of data in various fields can be improved by adopting the embodiment of the application.
Description
Technical Field
The present application relates to the field of computer technology, and in particular, to the field of cryptography, and more particularly, to an encryption processing method, a decryption processing method, an encryption processing apparatus, a decryption processing apparatus, an electronic device, a computer-readable storage medium, and a computer program product.
Background
The data encryption and decryption means that encryption algorithm is adopted to encrypt the plaintext data which can be read and understood, so that the plaintext data is the ciphertext data which is not easy to read and understood; decrypting the ciphertext data based on the corresponding decryption algorithm when the plaintext data is required to be read, so that the ciphertext data is restored to plaintext data; the specific content of the data can be protected from being stolen easily by encrypting and decrypting the data, and the safety of the data is ensured.
The existing encryption and decryption algorithm depends on the design of the algorithm itself to ensure the security of data. For example, the symmetric encryption and decryption algorithm is dependent on the security of key preservation to ensure the security of data; if the key is not compromised, the ciphertext data may not be compromised, and if the key is compromised, the ciphertext data may be compromised. Therefore, how to perfect the encryption algorithm to improve the security of data is a research hot topic.
Disclosure of Invention
The embodiment of the application provides an encryption processing method, a decryption processing method and a related device, which can improve the security of data.
In one aspect, an embodiment of the present application provides an encryption processing method, where the method includes:
acquiring plaintext data in target equipment and an encryption key associated with the target equipment; the encryption key is generated based on a device characteristic value of the target device;
Carrying out fusion processing on the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data;
and encrypting the data source to be encrypted by adopting the encryption key, and carrying out encryption enhancement processing on the encrypted data to obtain ciphertext data of the plaintext data.
In the embodiment of the application, when the need for encrypting the plaintext data in the target equipment exists, an encryption key generated based on the equipment characteristic value of the target equipment can be obtained, and the encryption key and the plaintext data are subjected to fusion processing to obtain the data source to be encrypted, so that the preprocessing before the encryption processing of the plaintext data is realized, the data source which is input into an encryption algorithm for encryption processing is not the plaintext data, the complexity of the encryption algorithm is improved to a certain extent, and the security of data encryption is further improved; then, the data source to be encrypted is encrypted based on the encryption key and the encryption algorithm, and the encrypted data is encrypted and enhanced, so that the complexity of the finally generated ciphertext data is high, the encryption effect is improved, and the data security is improved. In addition, the encryption key used for encrypting the data source to be encrypted is obtained based on the device characteristic value derivation of the target device, so that the plaintext of the key is hidden, and the risk of key leakage is reduced; and, the device characteristic value of the target device is used for uniquely identifying the target device, namely, the ciphertext data encrypted on the target device can only be decrypted on the target device, which further improves the security of the data.
In another aspect, an embodiment of the present application provides a decryption processing method, where the method includes:
obtaining ciphertext data in target equipment, wherein the ciphertext data is obtained by processing a data source to be encrypted generated by plaintext data in the target equipment by adopting an encryption key;
obtaining a decryption key associated with the target device, the decryption key generated based on a device characteristic value of the target device;
performing fusion processing on the decryption key and the ciphertext data to generate a data source to be decrypted corresponding to the ciphertext data;
and carrying out decryption processing on the data source to be decrypted by adopting the decryption key, and carrying out decryption enhancement processing on the decrypted data to obtain decrypted data of the ciphertext data.
In the embodiment of the application, when the ciphertext data is required to be decrypted, the device characteristic value of the target device can be obtained, the decryption key is obtained according to the device characteristic value, and the ciphertext data is decrypted based on the decryption key to obtain the decrypted data. In the scheme, the decryption key for decrypting the ciphertext data is obtained based on the device characteristic value of the target device, compared with the traditional method for storing the decryption key in the configuration file, the decryption key is hidden in the plaintext, the risk of disclosure of the decryption key is reduced, and therefore the security of the ciphertext data is improved. And the device characteristic value of the target device is used for uniquely identifying the target device, so that the data is encrypted and decrypted on the same device, and the data security is further improved.
In another aspect, an embodiment of the present application provides an encryption processing apparatus, including:
an acquisition unit configured to acquire plaintext data in a target device and an encryption key associated with the target device; the encryption key is generated based on a device characteristic value of the target device;
the processing unit is used for carrying out fusion processing on the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data;
the processing unit is further used for encrypting the data source to be encrypted by adopting the encryption key, and performing encryption enhancement processing on the encrypted data to obtain ciphertext data of the plaintext data.
In one implementation manner, the obtaining manner of the device characteristic value of the target device includes:
acquiring the equipment identifier of the target equipment; wherein the device identification includes one or more of: a system universal identifier, a system serial number, a processor identifier and a motherboard serial number;
and selecting part or all of the equipment identifiers, and generating the equipment characteristic value of the target equipment by adopting the selected equipment identifiers.
In one implementation, the processing unit is specifically configured to, when used for generating the device characteristic value of the target device using the selected device identifier:
When the selected device identifier is one, the selected device identifier is used as the device characteristic value of the target device;
when the selected equipment identifiers comprise a plurality of equipment identifiers, splicing the selected equipment identifiers to obtain spliced identifiers, and taking the spliced identifiers as the equipment characteristic values of the target equipment.
In one implementation, the means for generating the encryption key based on the device characteristic value of the target device includes:
performing format conversion processing on the equipment characteristic values according to a key generation rule to obtain binary sequences corresponding to the equipment characteristic values;
performing data conversion processing on the binary sequence to generate a confusion factor of the binary sequence; wherein the obfuscation factor is used as an encryption key associated with the target device, the data conversion process including one or more of a hash operation and a shift operation.
In one implementation manner, when the processing unit is configured to perform format conversion processing on the device feature value according to the key generation rule to obtain a binary sequence corresponding to the device feature value, the processing unit is specifically configured to:
acquiring a data conversion format supported by the key generation rule;
And carrying out format conversion processing on the equipment characteristic values by adopting a data conversion format supported by the key generation rule to obtain binary sequences corresponding to the equipment characteristic values.
In one implementation, the processing unit is specifically configured to, when configured to perform the data conversion processing on the binary sequence to generate an aliasing factor of the binary sequence:
obtaining a hash algorithm and a shift algorithm included in the key generation rule;
performing shifting operation on the binary sequence according to the shifting algorithm;
and carrying out hash operation on the data subjected to the shift operation by adopting the hash algorithm, and generating a confusion factor of the binary sequence.
In one implementation manner, when the processing unit is configured to perform fusion processing on the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data, the processing unit is specifically configured to:
performing one or more exclusive-or operations on the encryption key and the plaintext data;
and taking the data subjected to the one or more exclusive OR operations as a data source to be encrypted corresponding to the plaintext data.
In one implementation manner, the data generated by the fusion process is iterated for a plurality of rounds in combination with an encryption key, and a data source to be encrypted corresponding to the plaintext data is generated, wherein the current round of iteration process includes:
Acquiring a reference data source generated in the previous round of the current round and a reference key adopted in the process of generating the reference data source in the previous round;
performing a shift operation on the reference key;
and performing exclusive OR operation on the reference data source by using the reference key after the shift operation to obtain the reference data source of the current round.
In one implementation manner, when the processing unit is configured to perform encryption enhancement processing on the encrypted data to obtain ciphertext data of the plaintext data, the processing unit is specifically configured to:
performing encryption enhancement processing on the encryption key and the encrypted data to obtain ciphertext data of the plaintext data;
wherein the encryption enhancement processing includes one or more of a hash operation and a shift operation.
In the embodiment of the application, when the need for encrypting the plaintext data in the target device exists, the acquisition unit can acquire the encryption key generated based on the device characteristic value of the target device, and the processing unit performs fusion processing on the encryption key and the plaintext data to obtain the data source to be encrypted, so that the preprocessing before the encryption processing of the plaintext data is realized, the data source input into the encryption algorithm for encryption processing is not the plaintext data, the complexity of the encryption algorithm is improved to a certain extent, and the security of data encryption is further improved; then, the data source to be encrypted is encrypted based on the encryption key and the encryption algorithm, and the encrypted data is encrypted and enhanced, so that the complexity of the finally generated ciphertext data is high, the encryption effect is improved, and the data security is improved. In addition, the encryption key used for encrypting the data source to be encrypted is obtained based on the device characteristic value derivation of the target device, so that the plaintext of the key is hidden, and the risk of key leakage is reduced; and, the device characteristic value of the target device is used for uniquely identifying the target device, namely, the ciphertext data encrypted on the target device can only be decrypted on the target device, which further improves the security of the data.
In another aspect, an embodiment of the present application provides a decryption processing apparatus, including:
the acquisition unit is used for acquiring ciphertext data in the target equipment, wherein the ciphertext data is obtained by processing a data source to be encrypted generated by plaintext data in the target equipment by adopting an encryption key;
the obtaining unit is further configured to obtain a decryption key associated with the target device, where the decryption key is generated based on a device feature value of the target device;
the processing unit is used for carrying out fusion processing on the decryption key and the ciphertext data to generate a data source to be decrypted corresponding to the ciphertext data;
and the processing unit is also used for decrypting the data source to be decrypted by adopting the decryption key, and performing decryption enhancement processing on the decrypted data to obtain decrypted data of the ciphertext data.
In the embodiment of the application, when the ciphertext data is required to be decrypted, the acquisition unit can acquire the equipment characteristic value of the target equipment, the processing unit derives the decryption key according to the equipment characteristic value, and then the ciphertext data is decrypted based on the decryption key to obtain the decrypted data. In the scheme, the decryption key for decrypting the ciphertext data is obtained based on the device characteristic value of the target device, compared with the traditional method for storing the decryption key in the configuration file, the decryption key is hidden in the plaintext, the risk of disclosure of the decryption key is reduced, and therefore the security of the ciphertext data is improved. And the device characteristic value of the target device is used for uniquely identifying the target device, so that the data is encrypted and decrypted on the same device, and the data security is further improved.
In another aspect, the present application provides an electronic device comprising:
a processor for loading and executing the computer program;
a computer-readable storage medium having a computer program stored therein, which when executed by a processor, implements the encryption processing method or the decryption processing method described above.
In another aspect, the present application provides a computer readable storage medium storing a computer program adapted to be loaded by a processor and to perform the above encryption processing method or decryption processing method.
In another aspect, the present application provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions so that the electronic device performs the encryption processing method or the decryption processing method described above.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1a illustrates a schematic diagram of an asymmetric encryption provided by an exemplary embodiment of the present application;
FIG. 1b illustrates a schematic diagram of a symmetric encryption provided by an exemplary embodiment of the present application;
FIG. 1c is a schematic diagram of a data encryption scenario in which a data encryptor and a data decryptor are the same object according to an exemplary embodiment of the present application;
FIG. 2 is a flow chart of an encryption processing method according to an exemplary embodiment of the present application;
FIG. 3a is a schematic diagram of acquiring plaintext data according to an exemplary embodiment of the present application;
FIG. 3b is a schematic diagram of acquiring plaintext data according to an exemplary embodiment of the present application;
FIG. 3c is a schematic diagram of acquiring plaintext data according to an exemplary embodiment of the present application;
FIG. 4a illustrates a schematic diagram of generating device feature values provided by an exemplary embodiment of the present application;
FIG. 4b illustrates a schematic diagram of generating device feature values provided by an exemplary embodiment of the present application;
FIG. 5 is a diagram of a fusion process during an encryption process provided by an exemplary embodiment of the present application;
FIG. 6a is a schematic diagram illustrating encryption processing based on CBC packet mode according to an exemplary embodiment of the present application;
FIG. 6b is a diagram illustrating an encryption process based on a CBC packet mode, according to an exemplary embodiment of the present application;
FIG. 7 is a flow chart of a decryption processing method according to an exemplary embodiment of the present application;
FIG. 8 is a diagram illustrating a fusion process during a decryption process provided by an exemplary embodiment of the present application;
FIG. 9 is a flow chart illustrating a decryption process based on a CBC packet mode according to an exemplary embodiment of the present application;
FIG. 10 is a diagram illustrating a decryption enhancement process during a decryption process provided by an exemplary embodiment of the present application;
fig. 11 is a schematic diagram showing a configuration of an encryption processing apparatus according to an exemplary embodiment of the present application;
fig. 12 is a schematic diagram showing a configuration of a decryption processing apparatus according to an exemplary embodiment of the present application;
fig. 13 is a schematic structural view of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The embodiment of the application relates to an encryption and decryption algorithm, wherein the encryption and decryption algorithm can comprise an encryption algorithm and a decryption algorithm; the encryption algorithm is an algorithm for encrypting a section of plaintext data (or simply referred to as plaintext) which can be read and understood (or simply referred to as readable) to be converted into ciphertext data (or simply referred to as ciphertext) which cannot be read and understood (or simply referred to as unreadable); the decryption algorithm is an algorithm for decrypting a section of encrypted ciphertext data that cannot be read and understood, so as to restore the encrypted ciphertext data to plaintext data that can be read and understood. In the scene of data transmission or storage, the encryption and decryption algorithm is adopted to encrypt the data, so that the confidentiality of the data can be realized, the data is prevented from being changed, the integrity of the data is ensured, and the safety of the data is improved. It should be noted that, considering that the encryption process of the encryption algorithm on the plaintext data and the decryption process of the decryption algorithm on the ciphertext data are reversible, after the ciphertext data are encrypted by the encryption algorithm to obtain the ciphertext data, the ciphertext data may be decrypted by the same encryption algorithm to restore to obtain the plaintext data, so that the encryption algorithm and the decryption algorithm are the same algorithm; therefore, in the following embodiments of the present application, when no specific description is provided, the encryption and decryption algorithm is simply referred to as an encryption algorithm, which is specifically described herein.
Further, the encryption and decryption algorithm encrypts and decrypts the data by using a set of keys, wherein the keys comprise keys existing in pairs; according to whether the paired secret keys included in the secret key are the same, the encryption and decryption algorithm is divided into two main categories, including: symmetric encryption algorithms and asymmetric encryption algorithms. Wherein:
1) The asymmetric encryption algorithm is an encryption algorithm for encrypting and decrypting data by adopting different keys; in other words, the keys used in encrypting and decrypting data by the asymmetric encryption algorithm are different. In this implementation, the pair-wise existing key included in the key may be referred to as: public keys (public keys) and private keys (private keys); the public key is extracted from the private key, and can be disclosed to any one or more objects to be stored, and only one object is stored. Asymmetric encryption algorithms may include, but are not limited to: RAS (RSA algorithm), ECC (Elliptic curve cryptography, elliptic encryption algorithm) or SM2 (elliptic curve public key cryptography algorithm).
An exemplary process of encrypting plaintext data using an asymmetric encryption algorithm may be seen in fig. 1a; as shown in fig. 1a, assume that an object a holds a private key, and shares a public key that exists in pairs with the private key to an object B; then, when the object B has a need to encrypt and share plaintext data (such as any data to be encrypted) to the object a, the object B may encrypt the plaintext data using the public key and the encryption algorithm to obtain encrypted ciphertext data, and send the ciphertext data to the object a; after receiving the ciphertext data sent by the object B, the object A can use the private key and a decryption algorithm to decrypt the ciphertext data so as to restore and obtain plaintext data. In the above process, the object B for encrypting plaintext data may be referred to as a data encryptor, and the object a for decrypting ciphertext data may be referred to as a data decryptor. Of course, the above only provides an exemplary asymmetric encryption process, for example, the object B may also use the private key to encrypt the plaintext data, and share the obtained ciphertext data with the object a, so that the object a uses the public key to decrypt the ciphertext data, and restore the ciphertext data to obtain the plaintext data; the embodiment of the application does not limit whether the data encryption party is specifically an object holding a private key or an object holding a public key.
2) The symmetric encryption algorithm is an encryption algorithm for encrypting and decrypting data by adopting the same key; in other words, the key used in encrypting and decrypting data by the symmetric encryption algorithm is the same. In this implementation, the pairwise keys included in the key are identical. Symmetric encryption algorithms may include, but are not limited to: DES (Data Encryption Standard ), AES (Advanced Encryption Standard, advanced encryption standard), SM4 (packet data algorithm of wireless local area network standard). An exemplary process of encrypting plaintext data using a symmetric encryption algorithm may be seen in fig. 1b; as shown in fig. 1b, the symmetric encryption algorithm adopts single-key encryption, wherein the single-key encryption means that the key adopted for encryption is the same as the key adopted for decryption; in the data encryption process, the data encryption party can encrypt plaintext data by using a secret key and an encryption algorithm to generate encrypted ciphertext data, and the ciphertext data is sent to the data decryption party; after receiving the ciphertext data sent by the data encrypting party, the data decrypting party can decrypt the ciphertext data by using the same key as the data encrypting party so as to restore the ciphertext data.
Further, the symmetric encryption algorithm can be largely divided into two modes, namely block cipher (block cipher) and Stream cipher (Stream cipher), according to the encryption mode. Block encryption is a type of cryptographic algorithm that processes only a block of data of a specific length at a time, where a "block" is called a block; the number of bits of one packet is called a packet length (block length), and the packet length of the DES encryption algorithm as mentioned above is 64 bits. Considering that packet encryption can only encrypt a fixed-length packet at a time, but the length of plaintext data to be encrypted may exceed the packet length specified by the packet encryption, then the packet encryption needs to be iterated to encrypt a long piece of plaintext data entirely; whereas the iterative method is called a mode (mode) of block encryption; the pattern of packet encryption can be divided into: ECB (Electronic Code Book ), CBC (Cipher Block Chaining, ciphertext block chaining), CFB (Cipher Feedback), OFB (Output Feedback), and the like. Stream encryption is a type of cryptographic algorithm that uses the same pseudo-random encryption data stream (pseudo-random stream) as a key for both encryption and decryption, and plaintext data is sequentially and correspondingly encrypted with the key data stream each time, so as to obtain a ciphertext data stream.
In the process of introducing the encryption and decryption algorithm, the data encryption scene in which the data encryption party and the data decryption party are different objects is taken as an example for description. It will be appreciated that the data encryptor and the data decryptor may also be the same object; under the data encryption scene that the data encryption party and the data decryption party are the same object, the data encryption party can encrypt plaintext data in target equipment used by the data encryption party and store encrypted ciphertext data, and when the plaintext data is required to be checked or used subsequently, the target equipment can decrypt the ciphertext data and restore the ciphertext data to obtain the plaintext data; this ensures the security of the data stored in the target device even if the target device is attacked. The embodiment of the application does not limit the specific use scene of the encryption and decryption algorithm. A schematic diagram of a data encryption scenario in which a data encryptor and a data decryptor are the same object can be seen in fig. 1c; as shown in fig. 1c, assuming that the object encrypts the plaintext data using a symmetric encryption algorithm, the plaintext data may be encrypted using a key and the encryption algorithm to obtain ciphertext data; when the plaintext data is required to be checked, the cipher text data can be decrypted by using the key and the decryption algorithm so as to restore the plaintext data.
Based on the above description of the encryption and decryption algorithm, during the process of encrypting and decrypting (i.e. encrypting and decrypting) the data based on the encryption and decryption algorithm, the encryption and decryption algorithm mainly relies on secure transmission and storage of the secret key to ensure the security of the data. For example, in a scenario where the data encryptor and the data decryptor are different objects and the symmetric encryption algorithm is used to encrypt and decrypt the data, the key is usually transmitted to the other party in a physical manner (e.g., online notification) after being negotiated by the data encryptor and the data decryptor, or transmitted to the other party by using a third party platform (e.g., a third party communication application); then, once the key leakage occurs in the process of transferring the key, the malicious person may intercept the ciphertext in combination with the corresponding algorithm, and decrypt the encrypted transmission content by adopting the leaked key. For another example, in a scenario where the data encryptor and the data decryptor are the same object and the data is encrypted and decrypted using a symmetric encryption algorithm, if a key in a configuration file stored in the target device is compromised, ciphertext data may be decrypted, thereby resulting in plaintext data being stolen.
In order to avoid threat to data security caused by key disclosure, the embodiment of the application provides an encryption processing scheme and a corresponding decryption processing scheme (or collectively referred to as encryption and decryption schemes); the main flow of the encryption processing scheme may include: when the encryption processing is required for the plaintext data in the target equipment, an encryption key (or called a confusion factor) associated with the target equipment can be generated based on the equipment characteristic value of the target equipment, and the encryption key and the plaintext data are adopted to carry out fusion processing to obtain a data source to be encrypted, so that the data source which is input into a symmetric encryption algorithm for encryption processing is not the plaintext data, the complexity of the encryption algorithm is improved to a certain extent, and the security of data encryption is further improved; then, the data source to be encrypted is encrypted based on the encryption key and the encryption algorithm, and the encrypted data is encrypted and enhanced, so that the complexity of the finally generated ciphertext data is high, the encryption effect is improved, and the data security is improved. As described above, the encryption process and the decryption process are reversible, and the processing flow of the decryption processing scheme according to the embodiment of the present application will not be described in detail, and the flow may be summarized as follows: and generating a decryption key associated with the target device based on the device characteristic value of the target device, and decrypting the ciphertext data based on the decryption key to restore the plaintext data.
In other words, the embodiment of the present application introduces a device characteristic value (or referred to as a hardware characteristic value) capable of uniquely identifying the target device as a confusion factor in a conventional encryption algorithm, and encrypts and decrypts data using the confusion factor as a key. Considering that the aliasing factor is generated by deriving from the device characteristic value of the target device, so that the device characteristic value of the target device is relied on when encrypting plaintext data on the target device, the device characteristic value of the target device must also be relied on when decrypting; in other words, the encryption keys used for encryption and decryption are the same, i.e. the encryption algorithm provided by the embodiment of the application is a symmetric encryption algorithm, and the embodiment of the application is a cipher algorithm for encrypting and decrypting by introducing a confusion factor into a traditional symmetric encryption algorithm. For convenience of explanation, the encryption processing scheme proposed in the embodiment of the present application will be described by taking the introduction of a aliasing factor into the CBC packet mode of the SM4 encryption algorithm as an example.
The scheme mainly has the following beneficial effects: on the one hand, the confusion factor used as the decryption key to decrypt the ciphertext data in the embodiment of the application is derived based on the device characteristic value of the target device; the device characteristic value only appears in the memory of the target device when encryption and decryption operations are performed, and does not appear in the configuration file in a plaintext manner, so that if the decryption key is required to be decrypted, the memory is required to be analyzed on the target device, or the encryption key or the decryption key generation method is required to be decrypted, and the device characteristic value is read on the target device, so that the decryption difficulty is increased, the hiding of the plaintext of the key is realized, and the key leakage risk is reduced. On the other hand, the scheme relies on the device characteristic value of the target device for encryption and decryption of data, and the device characteristic value of the target device is used for uniquely identifying the target device; i.e. ciphertext data encrypted at the target device, can only be decrypted at the target device, which further improves the security of the data. On the other hand, the data source to be encrypted, which is used as a symmetric encryption algorithm in the embodiment of the application, is obtained based on the fusion processing of the encryption key and the plaintext data, and compared with the direct encryption processing of the plaintext data, the data complexity is increased, and the data encryption security is further improved; similarly, the data which is encrypted by the data source to be encrypted based on the encryption key and the symmetric encryption algorithm is subjected to encryption enhancement processing, so that the complexity of the finally generated ciphertext data is high, the encryption effect can be improved, and the data security is improved.
As described above, the present scheme is all dependent on the device characteristic value of the target device to encrypt and decrypt data, and the device characteristic value of the target device is the same, so the present scheme is applicable to the data encryption scenario in which the aforementioned data encryptor and data decryptor are the same object. In a specific implementation, the encryption algorithm and the decryption algorithm provided by the embodiment of the application can be integrated into one encryption and decryption tool or module, and the encryption and decryption tool can be configured into a target application program (which can be simply called an application, such as any application) or a system of target equipment. Taking the configuration of the encryption and decryption tool to the target application program as an example, when a target object (such as any object) has the requirement of encrypting plaintext data or decrypting ciphertext data, the target application program can be opened and used for realizing the encryption and decryption of the data. For example, the target object can encrypt sensitive information to be stored by using an encryption and decryption tool, so that data is prevented from being leaked, and the safety of data storage is improved; among other sensitive information, may include, but is not limited to: data stored in a local storage space of the target device; or data in any application running in the target device; etc.; the data may include, but is not limited to: files, pictures, audio-video, links, or icons. For another example, if the target device is used as a blockchain node device in the blockchain network, if the target device holds a private key, an encryption and decryption tool can be used to encrypt the private key held by the target device, so as to ensure that the private key is not revealed, improve the security of data encrypted by the private key, and further improve the security of data stored in the blockchain network; the Blockchain is the basis of the Blockchain technology, and is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. It should be noted that the specific type of the data encrypted in the data encryption scenario is not limited in the embodiments of the present application, and is described herein.
It should be noted that, when the embodiment of the present application is applied to a specific product or technology, for example, when the target object encrypts the plaintext data, if necessary, permission or agreement of the object that generates the plaintext data needs to be obtained; and the collection, use and processing of the relevant data is required to comply with relevant laws and regulations of the relevant country and region, such as the type of plaintext data that is acquired is required to comply with relevant laws and regulations of the relevant country and region.
Based on the above simple introduction of the encryption processing scheme and the decryption processing scheme provided by the embodiments of the present application, the embodiments of the present application provide a more detailed encryption processing method and decryption processing scheme, where the encryption and decryption methods may be performed by the aforementioned target device, specifically by an encryption and decryption tool deployed in the target terminal, and the relevant content of the encryption and decryption tool may be referred to the foregoing relevant description and will not be described herein. The target device may refer to any electronic device, which may include, but is not limited to: smart phones (such as Android phones, iOS phones, etc.), tablet computers, portable personal computers, mobile internet devices (Mobile Internet Devices, abbreviated as MID), smart televisions, vehicle-mounted devices, head-mounted devices, smart voice interaction devices, and aircraft; the embodiment of the application can be applied to various application scenes, including but not limited to cloud technology, artificial intelligence, intelligent transportation and auxiliary driving. The electronic device may also include a server or cloud server or the like for providing computing and application support for terminals used by the data encryptor or the data decryptor; the server may include, but is not limited to: data processing servers, web servers, application servers, and the like, have complex computing capabilities. The server may be a separate physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers. The server and the terminal may be directly or indirectly connected in communication through a wired or wireless manner, which is not limited by the embodiment of the present application. Further, in the blockchain scenario, the electronic device may also be any blockchain link point device in the blockchain network; the embodiment of the application does not limit the specific electronic equipment of the target equipment. The encryption processing method and the decryption processing scheme provided by the embodiment of the application are respectively described in detail below with reference to the accompanying drawings.
Fig. 2 shows a flow chart of an encryption processing method provided by an exemplary embodiment of the present application, which may be performed by the above-mentioned target device, and may include, but is not limited to, steps S201-S205:
s201, plaintext data in the target device is acquired.
The plaintext data is data to be encrypted in the target device; the source and specific content of the plaintext data are different according to the encryption requirements of the data encryptor. Alternatively, the plaintext data may be data stored in a local storage space of the target device, such as a file stored in the local storage space, an image stored in the album space, a link or character string stored in a memo, or the like. Alternatively, the plaintext data may be data in any application program running in the target device, such as a social application program (e.g., an instant messaging application or a map client with a social function, etc.) running in the target device, and then the plaintext data may include data in the social application program, such as a file, an audio/video, an image, etc. transmitted in the social application program. Optionally, in the case that the target device is a blockchain node device in a blockchain network, the plaintext data may also be a private key plaintext (or simply referred to as a private key) or a public key plaintext (or simply referred to as a public key) held by the blockchain node device; as can be seen from the foregoing description, the encryption algorithm is dependent on the secure storage and transmission of the private key and the public key to ensure the security of the data, so that when the plaintext data is the plaintext of the private key (or simply referred to as the private key) or the plaintext of the public key (or simply referred to as the public key), the private key or the public key is encrypted by the encryption and decryption tool, so that the private key or the public key is better prevented from being revealed, and the security of the data encrypted by the private key or the public key is further improved.
In a specific implementation, when the data encryption party has a data encryption requirement, the data encryption party can open and use an encryption and decryption tool deployed in the target device so as to encrypt plaintext data by adopting the encryption and decryption tool to generate unreadable ciphertext data. As described above, the encryption and decryption tool may be integrated into the target application, in which case the data encryptor may start the encryption and decryption tool by opening the target application; alternatively, the encryption and decryption tool may be deployed directly in the system of the target device, in which case the data encryptor may start the encryption and decryption tool in the target device. Further, after the encryption and decryption tool is successfully started, plaintext data to be encrypted can be obtained from the target device through the encryption and decryption tool, so that encryption processing can be conveniently carried out on the obtained plaintext data.
An exemplary implementation process of the encryption and decryption tool to obtain plaintext data to be encrypted from a target device may include: after the encryption and decryption tool is opened, the target device can display a data acquisition interface, wherein the data acquisition interface is used for acquiring plaintext data to be encrypted; and responding to the data uploading operation executed by the data encryptor in the data acquisition interface, and acquiring the plaintext data to be encrypted. According to different interface elements contained in the data acquisition interface, the data uploading operation executed by the data encryptor in the data acquisition interface may be different; several exemplary data upload operations that exist in the data acquisition interface are set forth below, wherein:
In one implementation, the data acquisition interface includes an interface element "data acquisition portal", such as the data acquisition interface 301 shown in fig. 3a includes a data acquisition portal 302, where the data uploading operation performed in the data acquisition interface may include: triggering operation of the data acquisition entrance and selecting operation of the data encryption party on the plaintext data in the data storage interface. Specifically, when the data encryptor performs a trigger operation on the data acquisition portal in the data acquisition interface, which indicates that the data encryptor wants to upload plaintext data, a data storage interface may be displayed, where the data storage interface includes: an application portal that allows encrypted plaintext data and a target application (e.g., any application); when the plaintext data directly displayed by the data storage interface is selected, determining the selected plaintext data as plaintext data to be encrypted; similarly, when the application portal of the target application program in the data storage interface is triggered, the data encryptor wants to select plaintext data from the target application program, and jumps to a service interface provided by the target application program, and selects plaintext data to be encrypted from the service interface, where the service interface may be any interface of the target application program, a main interface, or a recently closed interface, and the like. It should be noted that the data acquisition interface, the data acquisition portal, and the data storage interface patterns shown in fig. 3a are all exemplary.
In another implementation, the data acquisition interface includes an interface element "data drag area", and the data acquisition interface 301 shown in fig. 3b includes a data drag area 303 and a data display area 304; the data display area 304 includes one or more candidate data to be selected, where the data uploading operation in the data acquisition interface may include: and a drag operation of dragging the plain text data from the data display area to the data drag area. For example, if the data encryptor wants to encrypt the target file in the service interface provided by the target application program during the process of using the target application program, the data encryptor can open the data acquisition interface of the encryption and decryption tool, drag the selected plaintext data in the data display area in the data acquisition interface from the data display area to the data drag area in the data acquisition interface; when the encryption and decryption tool detects that a file exists in the data dragging area and the dragging operation is released, the plaintext data to be encrypted is determined to be acquired.
In other implementations, the data acquisition interface includes an interface element "data input box", such as the data acquisition interface 301 shown in fig. 3c includes a data input box 305, where the data upload operation performed in the data acquisition interface may include: and inputting operation of the inputted plaintext data in the data input box. For example, the data encryptor may input the plaintext data to be encrypted in the data input box through a virtual keyboard or a physical keyboard, or the data encryptor may paste the plaintext data to be encrypted in the data input box (such as pasting a private key to be encrypted in a blockchain network) using a mouse, or the data encryptor may directly write the plaintext data to be encrypted in the data input box using an electronic pen, or the like.
It can be understood that the above is only given three exemplary implementation processes for obtaining the plaintext data to be encrypted, and the embodiment of the present application is not limited to a specific implementation process for obtaining the plaintext data to be encrypted through an encryption and decryption tool. For example: the data acquisition interface can simultaneously comprise a data acquisition inlet and a data dragging area, so that the data encryptor can randomly select an implementation mode for uploading plaintext data according to own habit and demand, the demand that the data encryptor uploads plaintext data in various modes is met, and the use experience of the data encryptor is further improved; and the following steps: in the case that the target device is a server, the manner in which the target device obtains the plaintext data may include: receiving plaintext data sent by a terminal used by a data encryption party; the manner in which the terminal used by the data encryptor obtains the plaintext data can be seen in the several exemplary processes set forth above.
S202, an encryption key associated with the target device is acquired.
Wherein the encryption key is generated based on the device characteristic value of the target device; considering that the encryption key is derived from the device characteristic value of the target device, it may be determined that the encryption key is associated with the target device; such as a unique encryption key associated with the target device based on the target device characteristic value (e.g., any device characteristic value) of the target device. The implementation of specifically obtaining an encryption key associated with a target device may include steps s11-s12, wherein:
And s11, acquiring the device characteristic value of the target device.
The device characteristic value (or called hardware characteristic value) of the target device can be used for uniquely identifying the target device, and the device characteristic values corresponding to different devices are different; in other words, only one device can be found according to any device characteristic value. Specifically, the device characteristic value of the target device may be composed of part or all of the device identification (or referred to as characteristic value) of the target device. The device identification of the target device may include: an identification for uniquely identifying a system deployed in the target device, or an identification for uniquely identifying hardware in the target device; for example: the device identification in the target device may include one or more of the following: the system universal identification, the system serial number, the processor identification and the mainboard serial number. The system universal identifier may refer to a system UUID (Universally Unique Identifier, universal unique identifier), which is a software building standard, and may be used to enable each element in a distributed system (such as a system formed by multiple computer devices) to have unique identification information. A Serial Number (S/N, such as the system Serial Number and the motherboard Serial Number mentioned above) may be referred to as a machine code, and may refer to a globally unique identification code provided for an item (such as a motherboard, an operating system, or a device, etc.) for uniquely identifying the item. The processor identification may include an ID of the CPU (central processing unit, central processor) in the target device, which is used to uniquely identify one CPU.
In a specific implementation, a program code for accessing a device identifier in a memory of a target device is written in the encryption and decryption tool, and the target device responds to an identifier acquisition event, specifically, the encryption and decryption tool responds to the identifier acquisition event, and the program code can be operated to acquire the device identifier of the target device from the memory of the target device. Wherein identifying the acquisition event may include, but is not limited to: the encryption and decryption tool obtains an event generated when plaintext data to be encrypted is obtained in step S201, or an event generated when an identifier obtaining option provided by the encryption and decryption tool to a data encryptor is triggered, and so on; the generation mode of the identifier acquisition event for triggering the acquisition of the device identifier in the embodiment of the application is not limited. Further, after the device identifier of the target device is obtained from the target device, part or all of the device identifiers can be selected according to the characteristic value generation rule, and the device characteristic value of the target device can be generated by adopting the selected device identifier. It should be noted that, the characteristic value generation rule may be set by a developer of the encryption and decryption tool, or may be set by the data encryptor in a self-defined manner according to the encryption requirement, which can realize that the characteristic value generation rules set by different data encryptors are different to a certain extent, thereby improving the encryption complexity and the security of the data.
Several exemplary feature value generation rules are set forth below, and a specific implementation procedure for generating a device feature value is described in conjunction with the feature value generation rules, where:
(1) The feature value generation rule includes: selecting one device identifier from a plurality of device identifiers, and taking the selected one device identifier as a device characteristic value of target equipment; compared with the mode of selecting a fixed one from a plurality of equipment identifiers or directly acquiring the fixed one from target equipment, the method can increase the randomness of the selected equipment identifier, increase the difficulty of revealing the selected equipment identifier and further better protect the safety of data. For example, as shown in fig. 4a, assume that plaintext data 1 and plaintext data 2 need to be encrypted separately, and the obtained device identification of the target device includes: device id 1, device id 2, device id 3, and device id 4; then in the process of encrypting the plaintext data 1, assuming that the device identifier 3 is randomly selected, taking the device identifier 3 as a device characteristic value adopted when encrypting the plaintext data 1; in the process of encrypting the plaintext data, assuming that the device identifier 1 is randomly selected, the device identifier 1 is used as a device characteristic value adopted when encrypting the plaintext data 2. Therefore, even if the same target device is adopted to encrypt different plaintext data, the adopted device characteristic values can be different, and further the encryption keys used for encrypting different plaintext data are also different, so that the safety of the plaintext data is improved.
(2) The feature value generation rule includes: and selecting a plurality of equipment identifiers from the plurality of equipment identifiers, combining the plurality of selected equipment identifiers to obtain a combined identifier after the combination processing, and taking the combined identifier as an equipment characteristic value of the target equipment. The combination processing performed on the selected plurality of device identifiers may include a splicing processing, etc., which is described below as an example for convenience of explanation. Specifically, when the selected device identifier includes a plurality of device identifiers, performing splicing processing on the plurality of selected device identifiers to obtain a spliced identifier, and taking the spliced identifier as a target set device characteristic value.
As shown in fig. 4b, it is assumed that the acquired device identification of the target device includes: device identification 1"XX12X3", device identification 2"876X54" and device identification 3"09X2X8", then the three selected device identifications are subjected to a stitching process, and the available stitching identifications include: splice identification 1 "device identification 2 device identification 3" (i.e., "XX12X3876X5409X2X 8"), splice identification 2 "device identification 1 device identification 3 device identification 2" (i.e., "XX12X309X2X8876X 54"), splice identification 3 "device identification 2 device identification 1 device identification 3" (i.e., "876X54 XX12X309X2X8"), splice identification 4 "device identification 2 device identification 3 device identification 1" (i.e., "876X5409X2X8XX12X 3"), splice identification 5 "device identification 3 device identification 1 device identification" (i.e., "09X2X8XX12X3876X 54"), splice identification 6 "device identification 3 device identification 2 device identification 1" (i.e., "09X2X8876X54 XX12X3"); then, a splicing identifier can be randomly selected from the 6 splicing identifiers as a device characteristic value of the target device, or a part of splicing identifiers are selected from the 6 splicing identifiers to continue splicing processing, and the splicing identifier after splicing processing is used as a device identifier of the target device, so that the complexity of the splicing identifier is increased, and the like.
It can be understood that the number of times of the splicing process is not limited in the embodiment of the present application, the more the number of times of the splicing process is, the more complex the obtained splicing identifier (i.e. the device feature value) is, the more complex the data obtained by encrypting the plaintext data by using the splicing identifier later, thereby improving the security of the plaintext data. In addition, a splicing processing mode, such as a splicing processing mode for configuring and generating the splicing identifier 3, can be directly configured in the encryption and decryption algorithm provided by the embodiment of the application, so that the encryption and decryption tool does not need to perform various splicing processing on a plurality of selected device identifiers, and can obtain the device characteristic value of the target device only after performing splicing processing according to the configured splicing processing mode, and the processing efficiency of the encryption and decryption tool can be improved to a certain extent.
It should be noted that, in the implementation manners of determining the device feature value, both the implementation manners relate to related content selected randomly, for example, one device identifier is selected randomly from a plurality of device identifiers as the device feature value, or one splice identifier is selected randomly from a plurality of splice identifiers as the device feature value. The device characteristic value adopted for encrypting the plaintext data can be known when decrypting the ciphertext data, and the device characteristic value is composed according to one or more randomly selected device identifiers; the embodiment of the application supports numbering of each equipment identifier, and adds the number of the adopted equipment identifier before encrypting ciphertext data obtained when encrypting plaintext data, so that the corresponding equipment identifier can be determined as an equipment characteristic value according to the number when decrypting the ciphertext data, and the ciphertext data can be decrypted to obtain plaintext data.
For example: in a scenario where the number of device identifiers constituting the device feature value is 1, for example, in the process of encrypting the plaintext data 1 shown in fig. 4a, the device identifier 3 is used as the device feature value to encrypt the plaintext data 1, and then the number of the device identifier 3 may be added in front of the ciphertext data 1 obtained by encrypting the plaintext data 1. Correspondingly, when the ciphertext data 1 needs to be decrypted, the device identifier 3 can be determined according to the number in front of the ciphertext data 1, and the device identifier 3 is used as a device characteristic value to decrypt the ciphertext data so as to restore and obtain the plaintext data 1.
And the following steps: in a scenario where the number of device identifiers constituting the device feature values is two or more, the device feature values as shown in fig. 4b are randomly selected from 6 splice identifiers; in order to facilitate knowing which splicing identifier is randomly selected when decrypting ciphertext data, the embodiment of the application supports adding the number corresponding to the selected splicing identifier to the front of the ciphertext data, so that the splicing identifier can be determined according to the number when decrypting the ciphertext data, and the splicing identifier is used as a device characteristic value for decrypting the ciphertext data. The number corresponding to the splicing mark can be composed of the numbers of the equipment marks composing the splicing mark; continuing with the illustration of FIG. 4b, assuming that the selected splice mark is "09X2X8876X54XX12X3", i.e., the splice mark is made up of device ID 3→device ID 2→device ID 1 in order, then in the case of device ID 3 numbered 3, device ID 2 numbered 2, and device ID 1 numbered 1, the splice mark number may comprise "321".
And s12, performing data conversion processing on the device characteristic value of the target device according to the key generation rule, and generating an encryption key associated with the target device.
The key generation rule (or referred to as a key generation method) specifies a rule that a series of processes are performed on the device feature value to obtain an encryption key; according to different encryption requirements, the key generation rule can be defined as different rules, and the specific content contained in the key generation rule is not limited in the embodiment of the application. For convenience of explanation, an exemplary key generation rule is taken as an example, and an encryption key associated with a generation target device is described in connection with the exemplary key generation rule. The encryption key associated with the target device generated according to the key generation rule may be referred to as a confusion factor, and is a key used for encrypting the plaintext data; the obfuscation factor may be considered to be associated with the target device, i.e., the encryption key is associated with the target device, considering that the obfuscation factor is derived based on the device characteristic value of the target device.
In the specific implementation, firstly, after the encryption and decryption tool obtains the device characteristic value of the target device, format conversion processing can be carried out on the device characteristic value according to the key generation rule to obtain a binary sequence corresponding to the device characteristic value; the format conversion process performed on the device feature value may be simply referred to as Serialization or Serialization (Serialization), which refers to a process of converting the device feature value into a form that can be recognized, stored, or transmitted by the target device. Specifically, before performing format conversion processing on the device feature value, a data conversion format supported by the key generation rule needs to be acquired, where the data conversion format supported by the key generation rule is also a data conversion format that can be identified by the target device, and at this time, the data conversion format supported by the key generation rule may be used to perform format conversion processing on the device feature value, so as to obtain a binary sequence corresponding to the device feature value. For example, the data conversion formats supported by the key generation rule may include json format or C format, and the like, and then the format conversion processing may be performed on the device feature value according to the serialization implementation corresponding to the corresponding data conversion format, so as to generate a binary sequence.
Then, carrying out data conversion processing on the binary sequence obtained by serialization to generate a confusion factor of the binary sequence; the obfuscation factor is used as an encryption key associated with the target device, i.e., the device characteristic value of the target device may be derived to obtain the encryption key associated with the target device. Where the operation is guaranteed to be reversible, the data conversion process performed on the binary sequence may include, but is not limited to: one or more of hash operations and shift operations. The Hash operation may include a process of performing a Hash calculation on the binary using a Hash Algorithm (Hash algorism); the hash algorithm supports mapping binary plaintext with any length into shorter binary strings, and different plaintext are difficult to map into the same hash value, so that the uniqueness of the binary strings is ensured; the hashing algorithm may include, but is not limited to: SHA256, SM3, and MD5. The shift operation (alternatively referred to as a shift operation) may include a process of shifting all bits of the binary sequence by 1 bit in an operator specified manner or by a register specified number of times (0 to 255); the shift operation may include an arithmetic shift operation, a logical shift operation, etc., taking the example that the shift operation includes a logical shift operation, assuming that the binary sequence is 10101110, then logically shifting the binary sequence by 1 bit to the right results in a aliasing factor of 01010111.
Based on the above description of the hash operation and the shift operation, the data conversion process performed on the binary sequence can be summarized as one or more of the following: calling a hash algorithm to perform one or more hash calculations on the binary sequence; or, calling different hash algorithms to perform hash calculation on the binary sequence for a plurality of times; alternatively, the binary sequence is subjected to one or more shift operations. For example, assuming that the data conversion process performed on the binary sequence includes a hash operation and a shift operation, the procedure of the data conversion process may include: the hash algorithm and the shift algorithm included in the key generation rule are acquired, the specific hash algorithm and the shift algorithm included in the key generation rule can be customized by service personnel according to requirements, the hash algorithm and/or the shift algorithm included in different key generation rules can be different, the difficulty of cracking to generate the encryption key and the decryption key is increased to a certain extent, and the security of data encryption is improved; then, carrying out shift operation on the binary sequence according to a shift algorithm to obtain data after the shift operation; and finally, carrying out hash operation on the data after the shift operation by adopting a hash algorithm to generate a confusion factor of the binary sequence, wherein the confusion factor is used as an encryption key. It should be noted that, the purpose of the data conversion process is to increase the complexity of the confusion factor (i.e. the encryption key), which is beneficial to the subsequent enhancement of the protection of the plaintext data, and the specific method of which one or more data conversion processes are adopted, which is not limited by the embodiments of the present application.
S203, the encryption key and the plaintext data are fused, and a data source to be encrypted corresponding to the plaintext data is generated.
The fusion process herein may refer to: before encryption processing is carried out on plaintext data by adopting a symmetric encryption algorithm, carrying out data preprocessing on the plaintext data; the fusion process may include, but is not limited to: one or more of an exclusive-or operation and a shift operation. The relevant content of the shift operation may refer to the relevant description of the implementation process shown in the foregoing step S202, which is not described herein in detail; the exclusive-or operation may be referred to as a half-add operation, abbreviated as XOR or EOR, and corresponds to binary addition without carry. In binary, with 1 representing true and 0 representing false, the exclusive-or algorithm may include: 0 xo0=0, 1 xo0=1, 0 xo1=1, 1 xo1=0; that is, the two values of the exclusive or are the same, the exclusive or result is 0, the two values of the exclusive or are different, and the exclusive or result is 1. Therefore, the embodiment of the application does not limit the specific implementation process of the fusion process; several exemplary implementations of the fusion process provided by embodiments of the present application are set forth below.
In one implementation, one or more shifting operations are supported on an encryption key; and then, performing one or more exclusive OR operations on the encryption key subjected to one or more shift operations and the plaintext data to obtain a data source to be encrypted corresponding to the plaintext data. In another implementation, an exclusive-or operation is supported on the encryption key and plaintext data two or more times. In another implementation, after one or more exclusive-or operations are carried out on the encryption key and the plaintext data, the data after one or more exclusive-or operations is used as a data source to be encrypted corresponding to the plaintext data. In another implementation manner, one or more exclusive-OR operations are supported on the encryption key and the plaintext data, and then one or more shift operations are carried out on the data after the one or more exclusive-OR operations, so that a data source to be encrypted corresponding to the plaintext data is generated; etc. It can be understood that, under the condition of ensuring that the operation is reversible, more operations can be performed on the encryption key and the plaintext data, and the embodiment of the application is not limited to the specific operations performed.
The following procedure in the fusion process includes: the encryption key performs multiple shifting operations, and performs exclusive-or operation with the plaintext data after each shifting operation, that is, the data generated by fusion processing is taken as an example, and the process of performing fusion processing on the encryption key and the plaintext data is introduced by taking the data to be encrypted corresponding to the plaintext data generated by combining the encryption key in multiple iterations. Referring to fig. 5, in the first iterative operation process, a shift operation is performed on the encryption key to obtain the encryption key after the first shift operation; then, performing exclusive-or operation on the encryption key after the first shift operation and the plaintext data to obtain a first exclusive-or result; then, in the second iterative operation process, performing a shifting operation again on the encryption key after the first shifting operation to obtain the encryption key after the second shifting operation; performing exclusive-or operation on the encryption key after the second shift operation and a first exclusive-or result obtained by the first round of iteration to obtain a second exclusive-or result; and the same is repeated until the iteration times are larger than the time threshold value, and the exclusive or result obtained by the last round of iterative operation is used as a data source to be encrypted corresponding to the plaintext data. Based on this, in the process of generating the data source to be encrypted corresponding to the plaintext data in the above-mentioned iterative multiple rounds, the current round of iterative process may include: acquiring a reference data source generated in the previous round of the current round and a reference key adopted in the process of generating the reference data source in the previous round; when the current round is the first round, the reference data source generated in the previous round and the reference key adopted in the previous round of generation of the reference data source are both encryption keys. And then, performing shift operation on the reference key, and performing exclusive-or operation on the reference data source by adopting the reference key after the shift operation to obtain the reference data source of the current round.
S204, encrypting the data source to be encrypted by adopting the encryption key to obtain the encrypted data.
Specifically, after obtaining the data source to be encrypted corresponding to the plaintext data based on step S203, determining that the symmetric encryption input of the symmetric encryption algorithm is obtained, then performing encryption processing (such as symmetric encryption operation) on the data source to be encrypted based on the encryption key and the symmetric encryption algorithm, so as to obtain encrypted data, where the encrypted data may be referred to as symmetric encryption output.
For convenience of explanation, the embodiment of the application takes a CBC grouping mode under a symmetric encryption algorithm including an SM4 algorithm as an example, and describes a specific implementation process of encrypting a data source to be encrypted by an encryption and decryption tool based on an encryption key and the symmetric encryption algorithm. The process of encrypting a data source to be encrypted by CBC packet mode can be seen in fig. 6a; as shown in fig. 6a, before the data source to be encrypted is encrypted in CBC packet mode, the data source to be encrypted is divided into a plurality of data packets (or called plaintext packets) according to a packet length (e.g., 8 bytes), such as data packet 1 and data packet 2 and …, and when the last data packet includes a length less than the packet length, data padding is further required for the last data packet, so that the length of the padded data packet is the same as the packet length. Correspondingly, after each data packet is encrypted, a corresponding encrypted packet (or called ciphertext packet) is obtained, and the encrypted packet 1 corresponding to the data packet 1 and the encrypted packet 2 … corresponding to the data packet 2; the encrypted packets are then combined in the order of the corresponding data packets to obtain the encrypted data.
In a specific implementation, in a process of encrypting a data source to be encrypted by adopting a CBC packet mode to obtain encrypted data, a current data packet (such as any data packet) needs to be subjected to exclusive OR operation (or called exclusive OR operation XOR) with an encrypted packet obtained by encrypting a previous data packet, and then the encrypted data source is subjected to encryption to obtain an encrypted packet corresponding to the current data packet, so that each encrypted packet depends on all data packets before the packet block. With continued reference to the CBC packet mode shown in fig. 6a, when encrypting the first data packet, since there is no "previous encrypted packet", it is necessary to prepare in advance a bit sequence of one packet length instead of "previous encrypted packet", this bit sequence being called an initialization vector (initialization vector, IV); generally, each encryption process randomly generates a different bit sequence as an initialization vector, so that each encrypted packet can be kept unique. In the embodiment of the application, an encryption key derived based on the device characteristic value of the target device is taken as an initialization vector, which is specifically described herein.
It can be seen that, the encryption processing is performed on the data source to be encrypted by adopting the CBC packet mode, and the encryption flow for generating the encrypted data can be summarized as follows:
first, the data source to be encrypted is divided into: data packet 1, data packet 2, data packet 3 …; then, the encryption key is taken as an initialization vector IV, and the data packet 1 and the encryption key are subjected to exclusive-or operation, so that an exclusive-or result 1 is obtained. Next, the exclusive-or result 1 is used as input data of the SM4 encryption algorithm, specifically, the exclusive-or result 1 is encrypted based on the encryption key (or the aliasing factor) and the SM4 encryption algorithm, and an encrypted packet 1 is generated. Then, carrying out exclusive OR operation on the encrypted packet 1 and the data packet 2 to obtain an exclusive OR result 2; and then taking the exclusive OR result 2 as input data of the SM4 encryption algorithm to generate an encryption packet 2, and the like to obtain an encryption packet corresponding to each data packet. And finally, sequentially connecting the plurality of encrypted packets according to the connection sequence among the plurality of data packets, wherein the sequential connection result is the encrypted data. By the encryption process, the encryption processing of the data source to be encrypted based on the encryption key and the symmetric encryption algorithm can be realized, so that the data after the encryption processing is generated. Of course, when different symmetric encryption algorithms or different packet modes are adopted, the specific implementation process of the encryption processing of the data source to be encrypted is different from that shown in fig. 6a, and the embodiment of the present application uses the encryption process shown in fig. 6a as an example, and the embodiment of the present application is not limited thereto.
In summary, the embodiment of the application supports symmetric encryption input of the data source to be encrypted as a symmetric encryption algorithm, and performs encryption processing on the data source to be encrypted based on the encryption key and the symmetric encryption algorithm to obtain encrypted data. In one implementation, the encrypted data obtained by encrypting the data source to be encrypted by the symmetric encryption algorithm can be used as ciphertext data of plaintext data, i.e. the ciphertext data can be directly output at the moment. In other implementations, after the encrypted data is obtained, the encrypted data may be further subjected to encryption enhancement processing, so as to improve the complexity of the final ciphertext data, and further improve the data security. The specific implementation process of the encryption enhancement processing on the encrypted data may refer to step S205.
S205, carrying out encryption enhancement processing on the encrypted data to obtain ciphertext data of plaintext data.
In a specific implementation, after the encrypted data output by the symmetric encryption algorithm is obtained, the embodiment of the application also supports encryption enhancement processing on the encryption key and the encrypted data to obtain ciphertext data of plaintext data. The encryption enhancement process may refer to: after the symmetrical encryption output (namely the data after the encryption processing mentioned above) output by the symmetrical encryption algorithm is obtained, the post-processing of encrypting the symmetrical encryption output is continued, so that the complexity of the ciphertext data can be further improved; the encryption enhancement processing may include one or more of hash operations and shift operations. It should be noted that the implementation of the encryption enhancement process herein may be the same as or different from the implementation of the fusion process mentioned above; the encryption enhancement processing is used for further improving the complexity of the data so as to improve the security of the ciphertext data, and the embodiment of the application does not limit the specific implementation process of the encryption enhancement processing.
The encryption enhancement processing to be performed on the encryption key and the encrypted data includes: the encryption key performs multiple shifting operations, and performs exclusive-or operation with the data after encryption processing after each shifting operation, for example, the data after encryption processing is to be combined with the encryption key to perform iterative multiple rounds to generate ciphertext data of plaintext data, and the encryption enhancement processing process of the encryption key and the data after encryption processing is introduced. Wherein the current round (e.g., any round) iterative process may include: acquiring reference ciphertext data generated in the previous round of the current round and a reference key adopted in the process of generating the reference ciphertext data in the previous round; when the current round is the first round, the reference ciphertext data generated in the previous round and the reference secret key adopted in the previous round of generation of the reference ciphertext data are both encryption secret keys. And then, performing shift operation on the reference key, and performing exclusive-or operation on the reference ciphertext data by adopting the reference key after the shift operation to obtain the reference ciphertext data of the current round. And the like, until the iteration times are larger than the time threshold, taking the data obtained in the last iteration as ciphertext data of plaintext data.
In summary, according to the specific implementation process shown in steps S201 to S205, the encryption key and the plaintext data are fused to obtain the data source to be encrypted, then the data source to be encrypted is encrypted to obtain the encrypted data, and the encryption enhancement process is performed on the encrypted data to generate the ciphertext data, as shown in fig. 6b, when there is a need for encrypting the plaintext data in the target device, the device feature value of the target device may be obtained, the encryption key associated with the target device is generated by combining the key generation rule with the device feature value, and then the data source to be encrypted is obtained by fusing the plaintext data based on the encryption key, so as to increase the complexity of the data. Further, encrypting the data source to be encrypted based on the encryption key and the symmetric encryption algorithm to generate encrypted data; furthermore, the encrypted data can be subjected to encryption enhancement processing, and the data generated by the encryption enhancement processing can be used as ciphertext data of plaintext data.
In the embodiment of the application, when the need for encrypting the plaintext data in the target equipment exists, an encryption key generated based on the equipment characteristic value of the target equipment can be obtained, and the encryption key and the plaintext data are subjected to fusion processing to obtain the data source to be encrypted, so that the preprocessing before the encryption processing of the plaintext data is realized, the data source which is input into an encryption algorithm for encryption processing is not the plaintext data, the complexity of the encryption algorithm is improved to a certain extent, and the security of data encryption is further improved; then, the data source to be encrypted is encrypted based on the encryption key and the encryption algorithm, and the encrypted data is encrypted and enhanced, so that the complexity of the finally generated ciphertext data is high, the encryption effect is improved, and the data security is improved. In addition, the encryption key used for encrypting the data source to be encrypted is obtained based on the device characteristic value derivation of the target device, so that the plaintext of the key is hidden, and the risk of key leakage is reduced; and, the device characteristic value of the target device is used for uniquely identifying the target device, namely, the ciphertext data encrypted on the target device can only be decrypted on the target device, which further improves the security of the data.
The embodiment shown in fig. 2 mainly describes a specific implementation process of encrypting plaintext data to generate ciphertext data, and a specific implementation process of decrypting ciphertext data to obtain decrypted data according to an embodiment of the present application is described below with reference to fig. 7. Fig. 7 shows a decryption processing method provided by an exemplary embodiment of the present application, which may be performed by the above-mentioned target device, and may include, but is not limited to, steps S701-S705:
s701, ciphertext data in the target device is acquired.
The ciphertext data is obtained by processing a data source to be decrypted, which is generated by plaintext data in the target device, by adopting an encryption key; when the data decryption party has a need to decrypt the ciphertext data, the ciphertext data can be obtained from the storage space of the target device. Specifically, when there is a need to encrypt plaintext data in a target device, an encryption key associated with the target device may be obtained, and then the encryption key and the plaintext data to be encrypted are subjected to fusion processing to obtain a data source to be encrypted; encrypting the data source to be encrypted based on the encryption key, and carrying out encryption enhancement on the encrypted data to obtain ciphertext data of plaintext data; the ciphertext data may then be stored in a memory space of the target device. It should be noted that, for the specific implementation process of encrypting the plaintext data to obtain the ciphertext data, reference may be made to the description of the specific implementation process in the embodiment shown in fig. 2, which is not repeated herein.
S702, acquiring a decryption key associated with the target device.
As described above, the encryption algorithm adopted in the embodiment of the present application is a symmetric encryption algorithm, so that the decryption key used when decrypting ciphertext data is the same as the encryption key used when encrypting plaintext data; that is, the decryption key in the embodiment of the present application is an encryption key, that is, the decryption key is also generated based on the device characteristic value of the target device. The specific implementation process of obtaining the device characteristic value of the target device and generating the decryption key associated with the target device according to the device characteristic value is the same as the specific implementation process of obtaining the device characteristic value of the target device and generating the encryption key associated with the target device according to the device characteristic value shown in fig. 2; the embodiment of the present application will not be described herein in detail for the specific implementation process of generating the decryption key.
S703, carrying out fusion processing on the decryption key and the ciphertext data to generate a data source to be decrypted corresponding to the ciphertext data.
The fusion process herein may refer to: and (3) preprocessing the data of the ciphertext data before adopting a symmetric decryption algorithm to decrypt the ciphertext data. As described above, the encryption process and the decryption process are in a reversible relationship, and the implementation of the fusion process here is the same as the implementation of the encryption enhancement process in the encryption process shown in fig. 2.
For example, as shown in fig. 8, it is assumed that in encrypting plaintext data, the encryption enhancement processing for the encrypted data includes: performing three exclusive OR operations on the encryption key and the data after encryption processing; the method specifically comprises the following steps: performing first exclusive-or operation on the encryption key and the encrypted data to obtain a first exclusive-or result, performing second exclusive-or operation on the first exclusive-or result and the encryption key to obtain a second exclusive-or result, performing third exclusive-or operation on the second exclusive-or result and the encryption key, and taking the third exclusive-or result as ciphertext data. In this way, in the process of decrypting the ciphertext data, the process of performing the fusion processing on the decryption key and the ciphertext data includes: performing three exclusive OR operations on the decryption key and the ciphertext data; the method specifically comprises the following steps: performing first exclusive-or operation on the decryption key and the ciphertext data to obtain a first exclusive-or result, performing second exclusive-or operation on the first exclusive-or result and the decryption key to obtain a second exclusive-or result, performing third exclusive-or operation on the second exclusive-or result and the decryption key, and taking the third exclusive-or result as a data source to be decrypted.
It should be understood that the above is merely a specific implementation of the fusion process in an exemplary decryption process. In practical application, according to different implementation processes of encryption enhancement processing performed on the encryption key and the encrypted data in the encryption process, different implementation processes of fusion processing performed on the decryption key and the encrypted data in the decryption process are also different, and the implementation process of the embodiment of the application is not limited.
S704, decrypting the data source to be decrypted by adopting the decryption key.
As can be seen from the foregoing description, the process of encrypting the plaintext data by using the encryption algorithm is similar to the process of decrypting the ciphertext data by using the decryption algorithm; then, according to the encryption process shown in fig. 2 described above, the available decryption process may include: when the encryption and decryption tool detects a triggering operation for decrypting the ciphertext data, if the triggering operation is a key or a button provided by the encryption and decryption tool for a data decryption party, the device characteristic value of the target device can be obtained, and a decryption key of the ciphertext data is generated by adopting the device characteristic value, wherein the decryption key is associated with the target device; and then, acquiring a decryption rule, and decrypting the ciphertext data by adopting a decryption key according to the decryption rule to obtain decrypted data of the ciphertext data.
In the encryption process shown in fig. 2, taking a CBC packet mode under a symmetric encryption algorithm including an SM4 encryption algorithm as an example, an implementation process of performing encryption processing on plaintext data is described; correspondingly, the implementation process of decrypting ciphertext data by adopting the CBC grouping mode is briefly described below. As shown in fig. 9, a process of decrypting a data source to be decrypted using a CBC packet mode, corresponding to the encryption process shown in fig. 6a or 6b, may generally include: taking the last encrypted packet (or called ciphertext packet) as input data of an SM4 decryption algorithm, and performing exclusive OR operation on the decryption result 1 and the previous encrypted packet to generate a last data packet (or called plaintext data) corresponding to the last encrypted packet; and so on, obtaining the data packet corresponding to each encrypted packet; and sequentially connecting the plurality of data packets to obtain decrypted data. The decryption process may be described in detail with reference to fig. 6a, and will not be described herein.
And S705, performing decryption enhancement processing on the decrypted data to obtain decrypted data of the ciphertext data.
The decryption enhancement process may refer to: further decrypting the decrypted data; as described above, the encryption process and the decryption process are in a reversible relationship, and the implementation of the decryption enhancement process herein is the same as the implementation of the fusion process in the encryption process shown in fig. 2.
For example, as shown in fig. 10, it is assumed that in encrypting plaintext data, the process of fusion processing of an encryption key and plaintext data includes: performing exclusive OR operation on the encryption key and the plaintext data twice; the method specifically comprises the following steps: performing first exclusive-or operation on the encryption key and the plaintext data to obtain a first exclusive-or result, performing second exclusive-or operation on the first exclusive-or result and the encryption key to obtain a second exclusive-or result, and taking the second exclusive-or result as a data source to be encrypted. In this way, in the process of decrypting the ciphertext data, the process of performing decryption enhancement processing on the decryption key and the decrypted data includes: performing exclusive OR operation on the decryption key and the decrypted data twice; the method specifically comprises the following steps: performing first exclusive-or operation on the decryption key and the decrypted data to obtain a first exclusive-or result, performing second exclusive-or operation on the first exclusive-or result and the decryption key, and taking the second exclusive-or result as decryption data.
It should be noted that (1) the above is only a specific implementation of the decryption enhancement process in the exemplary decryption process. In practical application, according to different implementation processes of fusion processing performed on an encryption key and plaintext data in an encryption process, different implementation processes of decryption enhancement processing performed on the data after decryption key and decryption processing in a decryption process are also different. (2) If the last divided data packet is subjected to bit filling operation in the process of grouping the data source to be encrypted based on the CBC grouping mode, that is, the length of the last data packet is smaller than the length of the packet, the bit filling operation is performed, and after the decrypted data obtained through the decryption process, the decrypted data also comprises bit filling; in this implementation manner, after obtaining the decrypted data of the ciphertext data, the corresponding complementary bit needs to be deleted (or removed), and then the decryption enhancement processing described above is performed on the decryption key and the decrypted data after the complementary bit is deleted, so that the plaintext data before the encryption processing can be obtained.
In the embodiment of the application, when the ciphertext data is required to be decrypted, the device characteristic value of the target device can be obtained, the decryption key is obtained according to the device characteristic value, and the ciphertext data is decrypted based on the decryption key to obtain the decrypted data. In the scheme, the decryption key for decrypting the ciphertext data is obtained based on the device characteristic value of the target device, compared with the traditional method for storing the decryption key in the configuration file, the decryption key is hidden in the plaintext, the risk of disclosure of the decryption key is reduced, and therefore the security of the ciphertext data is improved. And the device characteristic value of the target device is used for uniquely identifying the target device, so that the data is encrypted and decrypted on the same device, and the data security is further improved.
The foregoing details of the method of the present application and, in order to facilitate better practice of the method of the present application, a device of the present application is provided below.
Fig. 11 is a schematic diagram showing a configuration of an encryption processing apparatus according to an exemplary embodiment of the present application, which may be a computer program (including program code) running in a target device; the encryption processing means may be adapted to perform some or all of the steps of the method embodiment shown in fig. 4; the device comprises the following units:
An obtaining unit 1101, configured to obtain plaintext data in a target device and an encryption key associated with the target device; the encryption key is generated based on a device characteristic value of the target device;
the processing unit 1102 is configured to perform fusion processing on the encryption key and the plaintext data, and generate a data source to be encrypted corresponding to the plaintext data;
the processing unit 1102 is further configured to encrypt the data source to be encrypted with the encryption key, and encrypt the encrypted data to obtain ciphertext data of the plaintext data.
In one implementation manner, the obtaining manner of the device characteristic value of the target device includes:
acquiring the equipment identifier of the target equipment; wherein the device identification includes one or more of: a system universal identifier, a system serial number, a processor identifier and a motherboard serial number;
and selecting part or all of the equipment identifiers, and generating the equipment characteristic value of the target equipment by adopting the selected equipment identifiers.
In one implementation, the processing unit 1102 is specifically configured to, when used in the generating the device characteristic value of the target device using the selected device identifier:
When the selected device identifier is one, the selected device identifier is used as the device characteristic value of the target device;
when the selected equipment identifiers comprise a plurality of equipment identifiers, splicing the selected equipment identifiers to obtain spliced identifiers, and taking the spliced identifiers as the equipment characteristic values of the target equipment.
In one implementation, the means for generating the encryption key based on the device characteristic value of the target device includes:
performing format conversion processing on the equipment characteristic values according to a key generation rule to obtain binary sequences corresponding to the equipment characteristic values;
performing data conversion processing on the binary sequence to generate a confusion factor of the binary sequence; wherein the obfuscation factor is used as an encryption key associated with the target device, the data conversion process including one or more of a hash operation and a shift operation.
In one implementation manner, when the processing unit 1102 is configured to perform format conversion processing on the device feature value according to the key generation rule to obtain a binary sequence corresponding to the device feature value, the processing unit is specifically configured to:
acquiring a data conversion format supported by the key generation rule;
And carrying out format conversion processing on the equipment characteristic values by adopting a data conversion format supported by the key generation rule to obtain binary sequences corresponding to the equipment characteristic values.
In one implementation manner, the processing unit 1102 is specifically configured to, when configured to perform the data conversion processing on the binary sequence to generate an aliasing factor of the binary sequence:
obtaining a hash algorithm and a shift algorithm included in the key generation rule;
performing shifting operation on the binary sequence according to the shifting algorithm;
and carrying out hash operation on the data subjected to the shift operation by adopting the hash algorithm, and generating a confusion factor of the binary sequence.
In one implementation manner, when the processing unit 1102 is configured to perform fusion processing on the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data, the processing unit is specifically configured to:
performing one or more exclusive-or operations on the encryption key and the plaintext data;
and taking the data subjected to the one or more exclusive OR operations as a data source to be encrypted corresponding to the plaintext data.
In one implementation manner, the data generated by the fusion process is iterated for a plurality of rounds in combination with an encryption key, and a data source to be encrypted corresponding to the plaintext data is generated, wherein the current round of iteration process includes:
Acquiring a reference data source generated in the previous round of the current round and a reference key adopted in the process of generating the reference data source in the previous round;
performing a shift operation on the reference key;
and performing exclusive OR operation on the reference data source by using the reference key after the shift operation to obtain the reference data source of the current round.
In one implementation manner, when the processing unit 1102 is configured to perform encryption enhancement processing on the encrypted data to obtain ciphertext data of the plaintext data, the processing unit is specifically configured to:
performing encryption enhancement processing on the encryption key and the encrypted data to obtain ciphertext data of the plaintext data;
wherein the encryption enhancement processing includes one or more of a hash operation and a shift operation.
According to an embodiment of the present application, each unit in the encryption processing apparatus shown in fig. 11 may be separately or completely combined into one or several other units, or some unit(s) thereof may be further split into a plurality of units having smaller functions, which may achieve the same operation without affecting the achievement of the technical effects of the embodiment of the present application. The above units are divided based on logic functions, and in practical applications, the functions of one unit may be implemented by a plurality of units, or the functions of a plurality of units may be implemented by one unit. In other embodiments of the present application, the encryption processing apparatus may also include other units, and in practical applications, these functions may also be implemented with assistance from other units, and may be implemented by cooperation of a plurality of units. According to another embodiment of the present application, an encryption processing apparatus as shown in fig. 11 may be constructed by running a computer program (including program code) capable of executing the steps involved in the respective methods as shown in fig. 4 on a general-purpose computing device such as a computer including a processing element such as a Central Processing Unit (CPU), a random access storage medium (RAM), a read only storage medium (ROM), and the like, and a storage element, and implementing the encryption processing method of the embodiment of the present application. The computer program may be recorded on, for example, a computer-readable recording medium, and loaded into and run in the above-described computing device through the computer-readable recording medium.
In the embodiment of the present application, when there is a need to encrypt plaintext data in a target device, the obtaining unit 1101 may obtain an encryption key generated based on a device feature value of the target device, and the processing unit 1102 may perform fusion processing on the encryption key and the plaintext data to obtain a data source to be encrypted, so as to implement preprocessing before encrypting the plaintext data, so that the data source input into the symmetric encryption algorithm for encryption processing is not plaintext data, thereby improving complexity of the encryption algorithm to a certain extent, and further improving security of data encryption; then, the data source to be encrypted is encrypted based on the encryption key and the encryption algorithm, and the encrypted data is encrypted and enhanced, so that the complexity of the finally generated ciphertext data is high, the encryption effect is improved, and the data security is improved. In addition, the encryption key used for encrypting the plaintext data is obtained by deduction based on the device characteristic value of the target device, so that the plaintext of the key is hidden, and the risk of key leakage is reduced; and, the device characteristic value of the target device is used for uniquely identifying the target device, namely, the ciphertext data encrypted on the target device can only be decrypted on the target device, which further improves the security of the data.
Fig. 12 is a schematic diagram showing a configuration of a decryption processing apparatus according to an exemplary embodiment of the present application, which may be a computer program (including program code) running in a target device; the encryption processing means may be adapted to perform some or all of the steps of the method embodiment shown in fig. 7; the device comprises the following units:
an obtaining unit 1201, configured to obtain ciphertext data in a target device, where the ciphertext data is obtained by processing a data source to be encrypted generated by plaintext data in the target device using an encryption key;
the obtaining unit 1201 is further configured to obtain a decryption key associated with the target device, where the decryption key is generated based on a device characteristic value of the target device;
the processing unit 1202 is configured to perform fusion processing on the decryption key and the ciphertext data, and generate a data source to be decrypted corresponding to the ciphertext data;
the processing unit 1202 is further configured to perform decryption processing on the data source to be decrypted by using the decryption key, and perform decryption enhancement processing on the decrypted data to obtain decrypted data of the ciphertext data.
According to an embodiment of the present application, each unit in the decryption processing apparatus shown in fig. 12 may be separately or completely combined into one or several other units, or some unit(s) thereof may be further split into a plurality of units having smaller functions, which may achieve the same operation without affecting the achievement of the technical effects of the embodiment of the present application. The above units are divided based on logic functions, and in practical applications, the functions of one unit may be implemented by a plurality of units, or the functions of a plurality of units may be implemented by one unit. In other embodiments of the application, the decryption processing means may also comprise other units, and in practical applications, these functions may also be assisted by other units and may be realized by cooperation of a plurality of units. According to another embodiment of the present application, a decryption processing apparatus as shown in fig. 12 may be constructed by running a computer program (including program code) capable of executing the steps involved in the respective methods as shown in fig. 7 on a general-purpose computing device such as a computer including a processing element such as a Central Processing Unit (CPU), a random access storage medium (RAM), a read only storage medium (ROM), and the like, and a storage element, and implementing the decryption processing method of the embodiment of the present application. The computer program may be recorded on, for example, a computer-readable recording medium, and loaded into and run in the above-described computing device through the computer-readable recording medium.
In the embodiment of the present application, when the ciphertext data information needs to be decrypted, the acquiring unit 1201 may acquire the device feature value of the target device; the processing unit 1202 may derive a decryption key according to the device feature value, and decrypt the ciphertext data based on the decryption key to obtain decrypted data. In the scheme, the decryption key for decrypting the ciphertext data is obtained based on the device characteristic value of the target device, compared with the traditional method for storing the decryption key in the configuration file, the decryption key is hidden in the plaintext, the risk of disclosure of the decryption key is reduced, and therefore the security of the ciphertext data is improved. And the device characteristic value of the target device is used for uniquely identifying the target device, so that the data is encrypted and decrypted on the same device, and the data security is further improved.
Fig. 13 is a schematic structural view of an electronic device according to an exemplary embodiment of the present application. Referring to fig. 13, the electronic device includes a processor 1301, a communication interface 1302, and a computer-readable storage medium 1303; the electronic device may refer to the aforementioned target device. Wherein the processor 1301, the communication interface 1302, and the computer readable storage medium 1303 may be connected by a bus or other means. Wherein the communication interface 1302 is for receiving and transmitting data. The computer readable storage medium 1303 may be stored in a memory of the electronic device, the computer readable storage medium 1303 storing a computer program including program instructions, and the processor 1301 executing the program instructions stored in the computer readable storage medium 1303. Processor 1301 (or CPU (Central Processing Unit, central processing unit)) is a computing core as well as a control core of an electronic device, which is adapted to implement one or more instructions, in particular to load and execute one or more instructions to implement a corresponding method flow or a corresponding function.
The embodiment of the application also provides a computer readable storage medium (Memory), which is a Memory device in the electronic device and is used for storing programs and data. It is understood that the computer readable storage medium herein may include both built-in storage media in an electronic device and extended storage media supported by the electronic device. The computer readable storage medium provides a memory space that stores a processing system of the electronic device. Also stored in this memory space are one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by processor 1301. Note that the computer readable storage medium can be either a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory; alternatively, it may be at least one computer-readable storage medium located remotely from the aforementioned processor.
In one embodiment, the computer-readable storage medium has one or more instructions stored therein; loading and executing, by the processor 1301, one or more instructions stored in a computer-readable storage medium to implement the corresponding steps in the encryption processing method embodiments described above; in particular implementations, one or more instructions in a computer-readable storage medium are loaded by processor 1301 and perform the steps of:
Acquiring plaintext data in target equipment and an encryption key associated with the target equipment; the encryption key is generated based on a device characteristic value of the target device;
carrying out fusion processing on the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data;
and encrypting the data source to be encrypted by adopting the encryption key, and carrying out encryption enhancement processing on the encrypted data to obtain ciphertext data of the plaintext data.
In one implementation manner, the obtaining manner of the device characteristic value of the target device includes:
acquiring the equipment identifier of the target equipment; wherein the device identification includes one or more of: a system universal identifier, a system serial number, a processor identifier and a motherboard serial number;
and selecting part or all of the equipment identifiers, and generating the equipment characteristic value of the target equipment by adopting the selected equipment identifiers.
In one implementation, one or more instructions in the computer-readable storage medium are loaded by the processor 1301 and when executed perform the generating the device characteristic value of the target device using the selected device identification, specifically perform the following steps:
When the selected device identifier is one, the selected device identifier is used as the device characteristic value of the target device;
when the selected equipment identifiers comprise a plurality of equipment identifiers, splicing the selected equipment identifiers to obtain spliced identifiers, and taking the spliced identifiers as the equipment characteristic values of the target equipment.
In one implementation, the means for generating the encryption key based on the device characteristic value of the target device includes:
performing format conversion processing on the equipment characteristic values according to a key generation rule to obtain binary sequences corresponding to the equipment characteristic values;
performing data conversion processing on the binary sequence to generate a confusion factor of the binary sequence; wherein the obfuscation factor is used as an encryption key associated with the target device, the data conversion process including one or more of a hash operation and a shift operation.
In one implementation, one or more instructions in the computer readable storage medium are loaded by the processor 1301 and when executing the format conversion processing on the device feature value according to the key generation rule, the following steps are specifically executed to obtain a binary sequence corresponding to the device feature value:
Acquiring a data conversion format supported by the key generation rule;
and carrying out format conversion processing on the equipment characteristic values by adopting a data conversion format supported by the key generation rule to obtain binary sequences corresponding to the equipment characteristic values.
In one implementation, one or more instructions in the computer readable storage medium are loaded by the processor 1301 and when executing the data conversion process on the binary sequence, the following steps are specifically executed to generate an obfuscation factor of the binary sequence:
obtaining a hash algorithm and a shift algorithm included in the key generation rule;
performing shifting operation on the binary sequence according to the shifting algorithm;
and carrying out hash operation on the data subjected to the shift operation by adopting the hash algorithm, and generating a confusion factor of the binary sequence.
In one implementation, one or more instructions in the computer readable storage medium are loaded by the processor 1301, and when the fusing processing is performed on the encryption key and the plaintext data, the following steps are specifically executed to generate a data source to be encrypted corresponding to the plaintext data:
performing one or more exclusive-or operations on the encryption key and the plaintext data;
And taking the data subjected to the one or more exclusive OR operations as a data source to be encrypted corresponding to the plaintext data.
In one implementation manner, the data generated by the fusion process is iterated for a plurality of rounds in combination with an encryption key, and a data source to be encrypted corresponding to the plaintext data is generated, wherein the current round of iteration process includes:
acquiring a reference data source generated in the previous round of the current round and a reference key adopted in the process of generating the reference data source in the previous round;
performing a shift operation on the reference key;
and performing exclusive OR operation on the reference data source by using the reference key after the shift operation to obtain the reference data source of the current round.
In one implementation, one or more instructions in the computer readable storage medium are loaded by the processor 1301 and when the encrypting enhancement processing is performed on the encrypted data, the following steps are specifically performed to obtain ciphertext data of the plaintext data:
performing encryption enhancement processing on the encryption key and the encrypted data to obtain ciphertext data of the plaintext data;
wherein the encryption enhancement processing includes one or more of a hash operation and a shift operation.
In another embodiment, the electronic device may be a target device; the computer-readable storage medium having one or more instructions stored therein; loading and executing, by processor 1301, one or more instructions stored in a computer-readable storage medium to implement the corresponding steps in the decryption processing method embodiments described above; in particular implementations, one or more instructions in a computer-readable storage medium are loaded by processor 1301 and perform the steps of:
obtaining ciphertext data in target equipment, wherein the ciphertext data is obtained by processing a data source to be encrypted generated by plaintext data in the target equipment by adopting an encryption key;
obtaining a decryption key associated with the target device, the decryption key generated based on a device characteristic value of the target device;
performing fusion processing on the decryption key and the ciphertext data to generate a data source to be decrypted corresponding to the ciphertext data;
and carrying out decryption processing on the data source to be decrypted by adopting the decryption key, and carrying out decryption enhancement processing on the decrypted data to obtain decrypted data of the ciphertext data.
Based on the same inventive concept, the principle and beneficial effects of the electronic device provided in the embodiment of the present application for solving the problem are similar to those of the encryption processing method and the decryption processing method in the embodiment of the present application, and may refer to the principle and beneficial effects of the implementation of the method, which are not described herein for brevity.
Embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions so that the electronic device performs the encryption processing method or the decryption processing method described above.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable devices. The computer instructions may be stored in or transmitted across a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by a wired (e.g., coaxial cable, fiber optic, digital line (DSL)), or wireless (e.g., infrared, wireless, microwave, etc.). Computer readable storage media can be any available media that can be accessed by a computer or data processing device, such as a server, data center, or the like, that contains an integration of one or more of the available media. The usable medium may be a magnetic medium (e.g., a floppy Disk, a hard Disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily appreciate variations or alternatives within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (15)
1. An encryption processing method, comprising:
acquiring plaintext data in target equipment and an encryption key associated with the target equipment; the encryption key is generated based on a device characteristic value of the target device;
carrying out fusion processing on the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data;
and encrypting the data source to be encrypted by adopting the encryption key, and carrying out encryption enhancement processing on the encrypted data to obtain ciphertext data of the plaintext data.
2. The method of claim 1, wherein the obtaining the device characteristic value of the target device includes:
acquiring the equipment identifier of the target equipment; wherein the device identification includes one or more of: a system universal identifier, a system serial number, a processor identifier and a motherboard serial number;
And selecting part or all of the equipment identifiers, and generating the equipment characteristic value of the target equipment by adopting the selected equipment identifiers.
3. The method of claim 2, wherein generating the device characteristic value for the target device using the selected device identification comprises:
when the selected device identifier is one, the selected device identifier is used as the device characteristic value of the target device;
when the selected equipment identifiers comprise a plurality of equipment identifiers, splicing the selected equipment identifiers to obtain spliced identifiers, and taking the spliced identifiers as the equipment characteristic values of the target equipment.
4. The method of claim 1, wherein generating the encryption key based on the device characteristic value of the target device comprises:
performing format conversion processing on the equipment characteristic values according to a key generation rule to obtain binary sequences corresponding to the equipment characteristic values;
performing data conversion processing on the binary sequence to generate a confusion factor of the binary sequence; wherein the obfuscation factor is used as an encryption key associated with the target device, the data conversion process including one or more of a hash operation and a shift operation.
5. The method of claim 4, wherein the performing format conversion processing on the device feature value according to the key generation rule to obtain the binary sequence corresponding to the device feature value includes:
acquiring a data conversion format supported by the key generation rule;
and carrying out format conversion processing on the equipment characteristic values by adopting a data conversion format supported by the key generation rule to obtain binary sequences corresponding to the equipment characteristic values.
6. The method of claim 4, wherein the performing data conversion processing on the binary sequence to generate the aliasing factor for the binary sequence comprises:
obtaining a hash algorithm and a shift algorithm included in the key generation rule;
performing shifting operation on the binary sequence according to the shifting algorithm;
and carrying out hash operation on the data subjected to the shift operation by adopting the hash algorithm, and generating a confusion factor of the binary sequence.
7. The method of claim 1, wherein the fusing the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data comprises:
Performing one or more exclusive-or operations on the encryption key and the plaintext data;
and taking the data subjected to the one or more exclusive OR operations as a data source to be encrypted corresponding to the plaintext data.
8. The method of claim 1, wherein the data generated by the fusion process is to be iterated for a plurality of rounds in combination with an encryption key to generate a data source to be encrypted corresponding to the plaintext data, and wherein the current round of iteration process comprises:
acquiring a reference data source generated in the previous round of the current round and a reference key adopted in the process of generating the reference data source in the previous round;
performing a shift operation on the reference key;
and performing exclusive OR operation on the reference data source by using the reference key after the shift operation to obtain the reference data source of the current round.
9. The method of claim 1, wherein the encrypting the encrypted data to obtain ciphertext data of the plaintext data comprises:
performing encryption enhancement processing on the encryption key and the encrypted data to obtain ciphertext data of the plaintext data;
wherein the encryption enhancement processing includes one or more of a hash operation and a shift operation.
10. A decryption processing method, comprising:
obtaining ciphertext data in target equipment, wherein the ciphertext data is obtained by processing a data source to be encrypted generated by plaintext data in the target equipment by adopting an encryption key;
obtaining a decryption key associated with the target device, the decryption key generated based on a device characteristic value of the target device;
performing fusion processing on the decryption key and the ciphertext data to generate a data source to be decrypted corresponding to the ciphertext data;
and carrying out decryption processing on the data source to be decrypted by adopting the decryption key, and carrying out decryption enhancement processing on the decrypted data to obtain decrypted data of the ciphertext data.
11. An encryption processing apparatus, comprising:
an acquisition unit configured to acquire plaintext data in a target device and an encryption key associated with the target device; the encryption key is generated based on a device characteristic value of the target device;
the processing unit is used for carrying out fusion processing on the encryption key and the plaintext data to generate a data source to be encrypted corresponding to the plaintext data;
The processing unit is further used for encrypting the data source to be encrypted by adopting the encryption key, and performing encryption enhancement processing on the encrypted data to obtain ciphertext data of the plaintext data.
12. A decryption processing apparatus, comprising:
the acquisition unit is used for acquiring ciphertext data in the target equipment, wherein the ciphertext data is obtained by processing a data source to be encrypted generated by plaintext data in the target equipment by adopting an encryption key;
the obtaining unit is further configured to obtain a decryption key associated with the target device, where the decryption key is generated based on a device feature value of the target device;
the processing unit is used for carrying out fusion processing on the decryption key and the ciphertext data to generate a data source to be decrypted corresponding to the ciphertext data;
and the processing unit is also used for decrypting the data source to be decrypted by adopting the decryption key, and performing decryption enhancement processing on the decrypted data to obtain decrypted data of the ciphertext data.
13. An electronic device, comprising:
a processor adapted to execute a computer program;
A computer-readable storage medium having stored therein a computer program which, when executed by the processor, implements the encryption processing method according to any one of claims 1 to 9 or implements the decryption processing method according to claim 10.
14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program adapted to be loaded by a processor and to perform the encryption processing method according to any one of claims 1-9 or to implement the decryption processing method according to claim 10.
15. A computer program product comprising computer instructions which, when executed by a processor, implement the encryption processing method of any one of claims 1 to 9 or the decryption processing method of claim 10.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210582666.7A CN117176325A (en) | 2022-05-26 | 2022-05-26 | Encryption processing method, decryption processing method and related devices |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210582666.7A CN117176325A (en) | 2022-05-26 | 2022-05-26 | Encryption processing method, decryption processing method and related devices |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117176325A true CN117176325A (en) | 2023-12-05 |
Family
ID=88928580
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210582666.7A Pending CN117176325A (en) | 2022-05-26 | 2022-05-26 | Encryption processing method, decryption processing method and related devices |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117176325A (en) |
-
2022
- 2022-05-26 CN CN202210582666.7A patent/CN117176325A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103563290B (en) | The method and system of combination key control information in the service of public encryption architecture | |
| CN106599723B (en) | File encryption method and device and file decryption method and device | |
| JP6363032B2 (en) | Key change direction control system and key change direction control method | |
| CN108475237A (en) | Storage operation is encrypted | |
| US20130136256A1 (en) | Block encryption | |
| CN102567688B (en) | File confidentiality keeping system and file confidentiality keeping method on Android operating system | |
| CN109672521B (en) | Security storage system and method based on national encryption engine | |
| EP3035585B1 (en) | S-box selection in white-box cryptographic implementation | |
| CN110061840A (en) | Data ciphering method, device, computer equipment and storage medium | |
| CN107453880B (en) | Cloud data secure storage method and system | |
| CN111385084A (en) | Key management method and device for digital assets and computer readable storage medium | |
| CN109274644A (en) | A kind of data processing method, terminal and watermark server | |
| WO2020123926A1 (en) | Decentralized computing systems and methods for performing actions using stored private data | |
| CN108199847A (en) | Security processing method, computer equipment and storage medium | |
| CA3056814A1 (en) | Symmetric cryptographic method and system and applications thereof | |
| JP6172866B2 (en) | Agent for providing security cloud service and security key device for security cloud service | |
| CN114285551A (en) | Quantum key distribution method and device, readable storage medium and electronic equipment | |
| CN113722741A (en) | Data encryption method and device and data decryption method and device | |
| CN106341384A (en) | Methods for facilitating secure communication | |
| US11720693B2 (en) | System and method for securely transferring data | |
| CN117176325A (en) | Encryption processing method, decryption processing method and related devices | |
| CN114629633A (en) | Key block enhanced encapsulation | |
| CN111130788B (en) | Data processing method and system, data reading method and iSCSI server | |
| JP5945525B2 (en) | KEY EXCHANGE SYSTEM, KEY EXCHANGE DEVICE, ITS METHOD, AND PROGRAM | |
| Sri et al. | Concealing the Data using Cryptography |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |