TW202113646A - Private key generation and use method, apparatus and device in asymmetric key - Google Patents

Publication number
TW202113646A
TW202113646A TW109116537A TW109116537A TW202113646A TW 202113646 A TW202113646 A TW 202113646A TW 109116537 A TW109116537 A TW 109116537A TW 109116537 A TW109116537 A TW 109116537A TW 202113646 A TW202113646 A TW 202113646A
Authority
TW
Taiwan
Prior art keywords
private key
user private
user
key
component
Prior art date
Application number
TW109116537A
Other languages
Chinese (zh)
Other versions
TWI736271B (en)
Inventor
潘無窮
Original Assignee
大陸商支付寶(杭州)信息技術有限公司
Application filed by 大陸商支付寶(杭州)信息技術有限公司
Publication of TW202113646A
Application granted
Publication of TWI736271B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Abstract

The embodiment of the invention discloses a private key generation and use method, apparatus and device in an asymmetric key. The private key generation and use method comprises the following steps: acquiring an asymmetric key generation request; generating a user private key according to the asymmetric key generation request, the user private key comprising a plurality of user private key components; encrypting the plurality of user private key components by adopting a predetermined encryption method to obtain a plurality of corresponding user private key component ciphertexts, at least two of the plurality of user private key components being encrypted by adopting different predetermined encryption methods; and storing the plurality of user private key component ciphertexts in the same device.

Description

Method, apparatus and device for generating and using a private key in an asymmetric key

This application relates to the technical field of data security, and in particular to a method, apparatus and device for generating and using a private key in an asymmetric key.

Keys occupy an extremely important position in a cryptographic system. In an encryption system, only a user who holds a legitimate key can perform decryption; in a signature system, only a user who holds a legitimate key can produce a valid signature. The cryptosystems in use today consist of an algorithm and a key, and given that the algorithm is public, the security of the cryptosystem depends entirely on the security of the key. Digital signature and encryption/decryption technologies based on public-key cryptography are now widely used in identity authentication, e-commerce and other fields and have become important tools for ensuring information security; the security of the key (the private key) is the foundation of the security of these applications.
A hardware cryptographic module and/or a software cryptographic module can usually be used to protect a key. Generally speaking, hardware cryptographic modules are suited to protecting the critical parts of important systems, and software cryptographic modules are better suited to everything else. Software cryptographic modules have a wider range of application. Cryptographic application scenarios are now extremely broad, and a large number of them are not suited to hardware cryptographic modules: for example, mobile terminals cannot deploy a hardware cryptographic module because of size limits, and Internet data centers cannot deploy hardware cryptographic modules everywhere because products must be deployed rapidly. Compared with traditional hardware cryptographic modules, software cryptographic modules have the advantages of low cost and easy deployment.
To improve the security of key protection, prior-art software cryptographic modules can protect keys by distributed means. Specifically, the key is divided into several components that are stored on multiple different physical devices, and every cryptographic operation can only be completed with these devices cooperating. The limitation of these methods is that spreading the key over multiple other devices communicatively connected to the client entails a high system construction cost, and when key components stored on different devices are used, the interaction between the storage devices is complex, the number of communications is large, and the communication cost is high.

In view of this, the embodiments of this application provide a method, apparatus and device for generating and using a private key in an asymmetric key, which, while ensuring the security of private key storage, reduce the communication between servers when the private key is used, lower the communication cost and reduce communication delay.
To solve the above technical problem, the embodiments of this specification are implemented as follows:
A method for generating a private key in an asymmetric key provided by an embodiment of this specification includes: obtaining an asymmetric key generation request; generating a user private key according to the asymmetric key generation request, the user private key comprising a plurality of user private key components; encrypting the plurality of user private key components using predetermined encryption methods to obtain a corresponding plurality of user private key component ciphertexts, where at least two of the plurality of user private key components are encrypted using different predetermined encryption methods; and storing the plurality of user private key component ciphertexts on the same device.
A method for using a private key in an asymmetric key provided by an embodiment of this specification includes: obtaining more than a predetermined number of user private key component ciphertexts from the same device, where the user private key component ciphertexts are obtained according to the asymmetric key generation method described above; decrypting the more than a predetermined number of user private key component ciphertexts using predetermined decryption methods to obtain the corresponding more than a predetermined number of user private key component plaintexts, where each predetermined decryption method corresponds to the encryption method used when the component ciphertext to be decrypted was encrypted; and performing a target operation using the corresponding more than a predetermined number of user private key component plaintexts, where the predetermined number represents the minimum number of user private key components, among the plurality of user private key components, required to perform the target operation.
An apparatus for generating a private key in an asymmetric key provided by an embodiment of this specification includes: a request obtaining module, configured to obtain an asymmetric key generation request; a generation module, configured to generate a user private key according to the asymmetric key generation request, the user private key comprising a plurality of user private key components; an encryption module, configured to encrypt the plurality of user private key components using predetermined encryption methods to obtain a corresponding plurality of user private key component ciphertexts, where at least two of the plurality of user private key components are encrypted using different predetermined encryption methods; and a storage module, configured to store the plurality of user private key component ciphertexts on the same device.
An apparatus for using a private key in an asymmetric key provided by an embodiment of this specification includes: a key obtaining module, configured to obtain more than a predetermined number of user private key component ciphertexts from the same device, the user private key component ciphertexts being obtained according to the asymmetric key generation method described above; a decryption module, configured to decrypt the more than a predetermined number of user private key component ciphertexts using a predetermined decryption algorithm to obtain the corresponding more than a predetermined number of user private key component plaintexts, where the predetermined decryption method corresponds to the predetermined encryption method used when the component ciphertext to be decrypted was encrypted; and an operation module, configured to perform a target operation using the corresponding more than a predetermined number of user private key component plaintexts, where the predetermined number represents the number of user private key components, among the plurality of user private key components, required to perform the target operation.
A device for generating a private key in an asymmetric key provided by an embodiment of this specification includes: at least one processor; and a memory communicatively connected to the at least one processor; where the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can: obtain an asymmetric key generation request; generate a user private key according to the asymmetric key generation request, the user private key comprising a plurality of user private key components; encrypt the plurality of user private key components using predetermined encryption methods to obtain a corresponding plurality of user private key component ciphertexts, where at least two of the plurality of user private key components are encrypted using different predetermined encryption methods; and store the plurality of user private key component ciphertexts on the same device.
A device for using a private key in an asymmetric key provided by an embodiment of this specification includes: at least one processor; and a memory communicatively connected to the at least one processor; where the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can: obtain more than a predetermined number of user private key component ciphertexts from the same device, where the user private key component ciphertexts are obtained according to the asymmetric key generation method described above; decrypt the more than a predetermined number of user private key component ciphertexts using predetermined decryption methods to obtain the corresponding more than a predetermined number of user private key component plaintexts, where each predetermined decryption method corresponds to the encryption method used when the component ciphertext to be decrypted was encrypted; and perform a target operation using the corresponding more than a predetermined number of user private key component plaintexts, where the predetermined number represents the minimum number of user private key components, among the plurality of user private key components, required to perform the target operation.
At least one of the above technical solutions adopted by the embodiments of this specification can achieve the following beneficial effects:
A method for generating a private key in an asymmetric key is provided. Specifically, a plurality of user private key components are generated according to the obtained asymmetric key generation request, the components are then encrypted using different predetermined encryption algorithms to obtain a plurality of user private key component ciphertexts, and the component ciphertexts are stored on the same device. After generating the dispersed user private key components, the method does not store the components on multiple separate devices; instead it protects the components by encrypting them again. Specifically, different encryption methods are used to encrypt the user private key components, so that different components have to be decrypted by different decryption methods, which is similar to storing the components separately on different devices and achieves the purpose of risk dispersion. Because multiple physical devices are not needed to store the private key components, the construction cost of the private key protection system is reduced. And when the private key needs to be used, there is no need to communicate among multiple physical devices storing the components; the components are obtained on the same device, so that, with the security of the user private key components ensured, the communication overhead of using the private key is reduced, the communication cost is lowered and communication delay is reduced.

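To make the purpose, technical solutions and advantages of this application clearer, the technical solutions of this application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in this application, without creative effort, fall within the scope of protection of this application.
To make the technical solutions mentioned in the embodiments easier to understand, several technical terms used in this application are first explained briefly.
Software cryptographic module: a cryptographic module is a software or hardware module with security functions such as key protection and cryptographic computation. A module that protects keys in software is usually called a software cryptographic module. Because software cryptographic modules have a wider range of application than traditional hardware cryptographic modules, and have the advantages of low cost and easy deployment, there is currently strong demand for software key protection. At the same time, protecting keys with a software cryptographic module is very difficult. Specifically, software has no independent execution environment: once the operating system hosting the software is compromised, an attacker can obtain the data the software stores on disk, its runtime memory and so on, and sensitive information such as keys can generally be recovered from these. Commonly used key protection methods today include threshold cryptographic algorithms and white-box cryptographic algorithms.
Threshold cryptographic algorithm: threshold cryptographic algorithms evolved from secret sharing algorithms. In (t,n) secret sharing, a secret is split into n shares held by n parties, and at least t+1 participants are needed to recover the secret. Keeping a key with secret sharing guarantees its security in storage, but in use the key must still be recovered before it can be computed with, and the recovered plaintext key may still be intercepted by an attacker. Threshold cryptographic algorithms mitigate this problem. The biggest difference from secret sharing is that with a threshold cryptographic algorithm the key is still used in the form of key components, and the complete key does not need to be recovered. Specifically, in a (t,n) threshold cryptographic algorithm a private key is split into n shares held by n parties; at least t+1 participants are needed to perform a cryptographic operation based on the private key, any t participants cannot obtain any information about the above result, and no information about the private key or the private key components is leaked during the cryptographic operation. In addition, the threshold cryptographic algorithms normally used are one way of implementing a standard cryptographic algorithm and are equivalent to the standard cryptographic algorithm.
White-box cryptographic algorithm: a white-box cryptographic algorithm is a cryptographic algorithm that can keep the key secure in a white-box attack environment, that is, an environment in which the execution of the program is completely visible to the attacker. White-box cryptographic algorithms are generally used together with code obfuscation to further prevent an attacker from recovering the key from the algorithm. A white-box cryptographic algorithm white-boxes the original key to obtain a white-box key, which can exist in the form of lookup tables. Suppose the original key is 16 bytes; after white-boxing it becomes, for example, a 300 kB lookup table, which amounts to dispersing the 16-byte key across 300 kB of data so as to hide it. Generally speaking, white-box cryptographic algorithms support only symmetric cryptographic algorithms, because symmetric and asymmetric cryptographic algorithms are implemented on different principles and there are technical obstacles to white-boxing an asymmetric algorithm. For a clearer understanding of the principle of white-box cryptographic algorithms, see the SM4-based white-box examples shown in the paper “白盒密碼及SM4算法的白盒實現” (White-box cryptography and a white-box implementation of the SM4 algorithm) by 肖雅瑩 et al. at the 2009 annual conference of the Chinese Association for Cryptologic Research, and in the master's thesis “SM4算法的白盒密碼算法設計與實現” (Design and implementation of a white-box cryptographic algorithm for SM4) by 尚培 of the University of Electronic Science and Technology of China. The white-box cryptographic algorithm in the embodiments of this application can, however, be implemented in many ways and is not limited to SM4; it may for example be based on AES, DES, 3DES or various other symmetric cryptographic algorithms, and this application places no specific limit on this.
The technical solutions provided by the embodiments of this application are described in detail below with reference to the drawings.
Figure 1 is a flowchart of the method for generating a private key in an asymmetric key provided by an embodiment of this specification. From a program perspective, the flow may be executed by a program running on an application server or by an application client.
As shown in Figure 1, the method for generating a private key in an asymmetric key according to the embodiment includes the following steps:
S110: Obtain an asymmetric key generation request.
The basic process of data encryption is to process a file or data that was originally plaintext with some algorithm so that it becomes a set of characters or bits that cannot be understood without decryption, usually called "ciphertext"; in this way the data is protected from being stolen or read by unauthorized persons. The inverse of encryption is decryption, the process of converting the encoded information back into the original data. Encryption algorithms are divided into symmetric and asymmetric encryption algorithms: in a symmetric encryption algorithm the encryption and decryption keys are the same, while in an asymmetric encryption algorithm they are different.
An asymmetric encryption algorithm is also called a public-key encryption algorithm. It requires two keys, called an asymmetric key: one is the public key and the other is the private key. If data is encrypted with the public key, it can only be decrypted with the corresponding private key. If data is encrypted with the private key, it can only be decrypted with the corresponding public key. For example, party A generates a key pair and discloses one of the keys to others as the public key; party B, having obtained the public key, uses it to encrypt confidential information and sends the result to party A; party A then decrypts the encrypted information with the other, private key that it has kept.
According to the embodiment, obtaining an asymmetric key generation request means obtaining a request to generate a private key and a public key. According to the embodiment, obtaining an asymmetric key generation request may refer to obtaining a request that instructs generation of a private key and the corresponding public key.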
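S120: Generate a user private key according to the asymmetric key generation request, the user private key comprising a plurality of user private key components.
Optionally, (t,n) secret sharing or a (t,n) threshold cryptographic algorithm may be used to generate the plurality of user private key components. For example, with (t,n) secret sharing, the plaintext user private key is generated first and then split into n shares, at least t+1 of which are needed to recover the original plaintext user private key. With a (t,n) threshold cryptographic algorithm, n user private key components are generated directly as the user private key, and the participation of at least t+1 of them enables cryptographic operations based on the user private key; in this process no plaintext user private key is generated and none needs to be recovered in use, that is, the user private key never appears as a complete plaintext from beginning to end but exists in the form of key components. Clearly, generating the user private key with a (t,n) threshold cryptographic algorithm is more secure; in this application, preferably, a (t,n) threshold cryptographic algorithm is used to generate the user private key components directly as the user private key.
According to the embodiment, generating a user private key according to the asymmetric key generation request specifically includes: generating the user private key with an asymmetric threshold cryptographic algorithm according to the asymmetric key generation request.
According to the embodiment, generating the user private key with an asymmetric threshold cryptographic algorithm may specifically include: generating the user private key according to a threshold cryptographic algorithm based on a standard asymmetric cryptographic algorithm. The standard asymmetric cryptographic algorithm may be the SM2 algorithm, an ECC (Elliptic Curves Cryptography) algorithm, the RSA algorithm or DSA (Digital Signature Algorithm), but is not limited to these.
Optionally, the user private key may be generated according to an SM2-based (t,n) threshold cryptographic algorithm; the user private key may comprise n user private key components, any t+1 of which can directly perform the function of the user private key. Specifically, when the user private key is used, t+1 components can be used directly to perform the cryptographic operation based on the private key; that is, the plaintext user private key does not need to be recovered in this process, and the cryptographic operation is performed in the form of private key components. As a result, only private key components actually appear while the user private key is in use, and no complete user private key is passed around and used in memory. This solves the problem of the complete user private key being present in memory and makes it harder for an attacker to obtain the plaintext user private key.
S130: Encrypt the plurality of user private key components using predetermined encryption methods to obtain a corresponding plurality of user private key component ciphertexts, where at least two of the plurality of user private key components are encrypted using different predetermined encryption methods.
Specifically, the predetermined encryption algorithm may be any known standard symmetric encryption algorithm or an improved version of one, for example the SM4 algorithm, the AES (Advanced Encryption Standard) algorithm, the DES (Data Encryption Standard) algorithm, the 3DES (Triple DES) algorithm or improved versions of them, but is not limited to these. The key used in the encryption process of the predetermined encryption method may include a fixed string, a random string, user terminal device information or a combination of these, or a white-box key may be used, but it is not limited to these.
Specifically, "at least two of the plurality of user private key components are encrypted using different predetermined encryption methods" means that the components are not all encrypted in exactly the same way. The advantage of this scheme is that an attacker who wants to recover plaintext user private key components from the component ciphertexts cannot break all of the ciphertexts with a single method, which makes it harder for the attacker to obtain the required number of plaintext components.
S140: Store the plurality of user private key component ciphertexts on the same device.
In traditional multi-component key protection schemes, at least some of the key components are spread across different servers, and cryptographic equipment such as cipher machines or USB keys can be used to protect the components on each server. In the scheme of this application, the user private key component ciphertexts are stored on the same device. The advantage of this arrangement is that when the user private key components are needed for a cryptographic operation, the required number of component ciphertexts only has to be obtained and decrypted on the same device, with no communication between servers, which reduces the system's communication overhead and avoids the communication delay it would cause.
Specifically, the same device may be the device that generates the user private key components, or a device different from the one that generates them. For example, if the user private key components are generated on a server, the device that stores the component ciphertexts may be a user terminal device communicatively connected to that server. If the user private key components are generated on a user terminal, the device that stores the component ciphertexts may be that user terminal.
According to the embodiment, storing the plurality of user private key component ciphertexts on the same device may specifically include: storing the plurality of user private key component ciphertexts on a device that needs to use the user private key.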
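Specifically, the device that needs to use the user private key may be a user terminal, for example a terminal device such as a payment terminal, an IoT (Internet of Things) device or a mobile phone. In the prior art, although the user private key can be split into several parts stored on different storage devices, additional servers have to be introduced, which is inconvenient for system deployment and for the user. In particular, some user terminal devices cannot conveniently connect directly to the physical devices acting as servers, and if they connect through the cloud, using the private key incurs substantial data communication overhead and communication delay. This application stores all of the user private key components directly on the user terminal, which on the one hand reduces the communication overhead between servers when the private key is used, and on the other hand reduces the communication overhead between the user terminal and cloud servers incurred in fetching the private key from the cloud, reducing communication delay.
According to the embodiment, the user private key component ciphertexts may be stored in different storage areas of the user terminal's memory, and each storage area may store at least one component ciphertext. Storing the component ciphertexts dispersed in this way makes it somewhat harder for an attacker to obtain the predetermined number of component ciphertexts and thereby decrypt the predetermined number of plaintext components.
In the prior art, the private key is divided into multiple private key components stored on multiple servers communicatively connected to the client; when the user terminal needs to use the private key, multiple rounds of communication are required between the user terminal and the servers and among the servers storing the components, so the communication overhead is high and delays are likely. This application provides a method for generating a private key in an asymmetric key. Specifically, a plurality of user private key components are generated according to the obtained asymmetric key generation request, the components are then encrypted using different predetermined encryption algorithms to obtain a plurality of user private key component ciphertexts, and the component ciphertexts are stored on the same device. After generating the dispersed user private key components, the method does not store the components on multiple separate devices; instead it protects the components by encrypting them again. Specifically, different encryption methods are used to encrypt the user private key components, so that different components have to be decrypted by different decryption methods, which is similar to storing the components separately on different devices and achieves the purpose of risk dispersion. Because multiple physical devices are not needed to store the private key components, the construction cost of the private key protection system is reduced. And when the private key needs to be used, there is no need to communicate among multiple physical devices storing the components; the components are obtained on the same device through different decryption methods, so that, with the security of the user private key components ensured, the communication overhead of using the private key is reduced, the communication cost is lowered and communication delay is reduced.
The embodiments of this specification also provide some specific implementations of the above method for generating a private key in an asymmetric key, described below.
Typically, a threshold cryptographic algorithm can ensure that the key always exists as components during generation and use, generally divided into 3 to 5 key components, so that an attacker cannot obtain the complete key in one place. The weakness of threshold cryptographic algorithms, however, is that the number of pieces the key is dispersed into is limited: once an attacker obtains more than the predetermined number of key components, the key can be recovered. By comparison, the key of a white-box cryptographic algorithm is completely dispersed throughout the algorithm's implementation, to a far greater degree than with a threshold cryptographic algorithm. For some white-box cryptographic algorithms, an attacker cannot recover the key even after obtaining all of the dispersed key information.
According to an embodiment of this application, in S130, encrypting the plurality of user private key components using predetermined encryption methods may specifically include: encrypting the plurality of user private key components using white-box encryption algorithms.
White-box cryptographic algorithms may include a white-box encryption algorithm for encryption and a corresponding white-box decryption algorithm for decryption. Their purpose is to protect the key in a white-box attack environment and prevent an attacker from extracting key information while the cryptographic software executes. A white-box cryptographic algorithm may be a new algorithm able to resist attacks in a white-box attack environment, or simply a white-box design built on an existing cryptographic algorithm. Specifically, a white-box encryption algorithm based on a standard symmetric encryption algorithm is designed from the existing standard algorithm using white-box cryptographic techniques, exploiting certain properties of the algorithm to hide the key, so that in a white-box attack environment the function of the original algorithm is unchanged, security in that environment is achieved, and the security of the original algorithm is not undermined. The white-box cryptographic algorithms normally used are one way of implementing a standard cryptographic algorithm and are equivalent to it; that is, for the same plaintext, the ciphertext produced by the standard symmetric encryption algorithm and by the corresponding white-box encryption algorithm is the same.
Optionally, encrypting the plurality of user private key components using white-box encryption algorithms may specifically include: encrypting the components using a white-box encryption algorithm based on a standard symmetric encryption algorithm. The standard symmetric encryption algorithm may be the SM4, AES, DES or 3DES algorithm, but is not limited to these.
If the different key components of a user key are all protected in the same way, an attacker can break all of the components in the same way. In view of this, different white-box encryption algorithms can be used to protect different key components, strengthening the protection of the components and greatly increasing the difficulty for an attacker of breaking multiple threshold key components.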
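According to an embodiment of this application, encrypting at least two of the plurality of user private key components with different predetermined encryption methods may specifically include: for any user private key component of a user private key, encrypting it with a white-box encryption algorithm different from that used for the other components of that user private key. In other words, if the user private key comprises n user private key components, n different white-box encryption algorithms may be used to encrypt the n components respectively, one white-box encryption algorithm per component, with different components using different white-box encryption algorithms.
Optionally, the different white-box encryption algorithms may be white-box encryption algorithms built with different white-boxing methods. Specifically, different white-box design methods can be used, for example lookup tables, insertion of perturbation terms, or multivariate cryptography. The main idea of the lookup-table approach is: for a cryptographic algorithm, once a specific key is given, the mapping from plaintext to ciphertext is determined; that mapping is then scrambled and encoded, and the encoded mapping is represented in the form of lookup tables, so that executing the cryptographic algorithm is ultimately done by table lookups.
Optionally, the different white-box encryption algorithms may be white-box encryption algorithms built on different standard symmetric encryption algorithms. Specifically, an SM4 white-box encryption algorithm, an AES white-box encryption algorithm, a DES white-box encryption algorithm and so on may be used. For example, the SM4 white-box encryption algorithm may be a white-box design based on the original SM4 algorithm, where SM4 has a block length of 128 bits and a key length of 128 bits and uses a 32-round nonlinear iterative structure; decryption has a similar structure to encryption, but the round keys are used in reverse order. Specifically, the key information of the SM4 white-box encryption algorithm is hidden in the lookup tables, and the security of the algorithm rests on the difficulty of analysing the key information out of the lookup tables or of recovering the input/output encodings.
Optionally, the different white-box encryption algorithms may be based on the same standard encryption algorithm but use different design parameters. For example, they may all be based on the SM4 white-box encryption algorithm, but the white-box implementations may use different numbers of lookup tables, different system parameters and/or fixed parameters, and/or different white-box keys. The key obtained by dispersing the original key used for encryption and decryption within a standard cryptographic algorithm is called a white-box key. A white-box key is a key used for encryption or decryption in a white-box environment; it carries the information of the original key and performs encryption and decryption in place of the original key, while the original key cannot be obtained even if the white-box key is analysed. White-box key generation must be carried out in a secure environment to ensure the security of the white-box key and the original key. According to the embodiment, in this application the white-box key may be generated on a server and then packaged with the algorithm program and transferred to the terminal device, where it is used to encrypt the user private key components; that is, the environment in which the white-box key is generated differs from the environment in which it is used, to ensure the security of the original key from which the white-box key is generated.
The original design intent of threshold cryptographic algorithms is that each threshold key component has a different custodian, which achieves risk dispersion. By analogy, in the embodiments of this application, although every threshold component is stored at one communication endpoint (for example, the client) in order to reduce communication, each threshold key component can be protected with a different white-box cryptographic algorithm and/or white-box key, achieving risk dispersion to a certain degree.
According to the embodiment, the above method for generating a private key in an asymmetric key may further include: obtaining another asymmetric key generation request; generating another user private key according to the other asymmetric key generation request, the other user private key comprising a plurality of user private key components; and, for any user private key component of the other user private key, encrypting it with the same white-box encryption algorithm as that used for one user private key component of the first user private key, with each component of the other user private key using a different white-box encryption algorithm. The number of user private key components in the other user private key is the same as the number in the first user private key.
Specifically, there may be m user private keys, each comprising n user private key components, and the (m,n)-th user private key component may be used to denote the n-th component of the m-th user private key. The p-th of n different white-box encryption algorithms may be used to encrypt the (1,p)-th through (m,p)-th user private key components, where m and n are positive integers and p is a positive integer not greater than n; the above encryption is performed for every value of p from 1 to n.
In other words, when there are m user private keys, each split into n components, n different white-box encryption algorithms can be used to encrypt the components of all of the user private keys, giving n groups of user private key component ciphertexts; the m component ciphertexts in each group correspond to one private key component of each user private key.
Figure 2 is a schematic diagram of the principle of the user private key generation method provided by an embodiment of this specification.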
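Referring to Figure 2, suppose for example that m user private keys need to be protected, each of which can be split into n components. Private key component m-n in Figure 2 is the (m,n)-th user private key component above, denoting the n-th component of the m-th user private key. For example, the 2nd private key component of user private key 1 can be denoted private key component 1-2. Names such as private key component 1-1, private key component 1-2 and private key component 1-3 in private key 1 serve only to distinguish the components, to show that private key 1 has several different components; they are not intended to limit the components, and the naming is not limited to this.
Specifically, n different white-box encryption algorithms may be used to encrypt all of the user private key components; for example, the n white-box encryption algorithms may be based on the same standard symmetric encryption algorithm but use different white-box keys. For example, the different components may all be encrypted based on the SM4 standard encryption algorithm but with different original keys, that is, with different white-box keys. Figure 2 shows the case where different white-box keys are used to encrypt the private key components of a user private key. Specifically, for example, as many white-box keys as there are private key components in each user private key may be used to encrypt the corresponding components, so that all of the components of that user private key use different white-box keys from one another.
As an example, suppose m=1 and n=3 in Figure 2, that is, 1 user private key (private key 1) needs to be encrypted and it comprises 3 private key components; 3 white-box encryption algorithms can be used to encrypt the 3 components, and p can take the values 1, 2 and 3. Specifically, p=1 means that the 1st of the 3 white-box encryption algorithms is used to encrypt private key component 1-1 of private key 1; p=2 means that the 2nd of the 3 white-box encryption algorithms is used to encrypt private key component 1-2 of private key 1; p=3 means that the 3rd of the 3 white-box encryption algorithms is used to encrypt private key component 1-3 of private key 1.
As an example, suppose m=4 and n=3 in Figure 2, that is, 4 user private keys (private key 1, private key 2, private key 3 and private key 4) need to be encrypted and each can comprise 3 private key components; 3 white-box encryption algorithms can be used to encrypt the 3 components, and p can take the values 1, 2 and 3. Specifically, p=1 means that the 1st of the 3 white-box encryption algorithms is used to encrypt private key component 1-1 of private key 1, private key component 2-1 of private key 2, private key component 3-1 of private key 3 and private key component 4-1 of private key 4; p=2 means that the 2nd of the 3 white-box encryption algorithms is used to encrypt private key component 1-2 of private key 1, private key component 2-2 of private key 2, private key component 3-2 of private key 3 and private key component 4-2 of private key 4; p=3 means that the 3rd of the 3 white-box encryption algorithms is used to encrypt private key component 1-3 of private key 1, private key component 2-3 of private key 2, private key component 3-3 of private key 3 and private key component 4-3 of private key 4.
In traditional use of white-box keys, the white-box key is usually used as the business key that encrypts business data, that is, the business key is bound to the white-box implementation, which makes the business key hard to update. Specifically, when the business key needs to be updated, the white-box key must be updated. In addition, if different business data are each protected with a different white-box key, as many white-box keys are needed as there are items of business data, and because white-box key files are usually large this takes up a lot of storage space. For example, if 100 pieces of communication data need to be protected and the corresponding 100 business keys all have to be implemented as white-box keys, the key management system has to store 100 white-box keys, which takes up a lot of storage space; and when a business key needs to be updated, the corresponding white-box key has to be updated.
In this application, the white-box key is used to encrypt and protect the user key components rather than to protect user data directly, which is a significant difference between how white-box keys are used in this application and in the prior art. Specifically, in this application the user key is used to encrypt business data, and the white-box key is used to encrypt and protect the components of the user key. On the one hand, when the business key needs to be updated, the white-box key does not need to be updated, which avoids the difficulty of key update in traditional white-box key use. On the other hand, this application uses white-box keys to encrypt key components, so few white-box keys are used and little storage space is taken up. Specifically: if, for example, a user key has 3 key components and each component is encrypted with a different white-box key, the key management system only needs to store 3 white-box keys; supposing 100 items of business data need to be encrypted with 100 corresponding user keys, each comprising 3 key components, the three components of every user key are encrypted with those same 3 white-box keys respectively. In addition, by combining a white-box cryptographic algorithm with a threshold cryptographic algorithm, this application proposes a new method of protecting asymmetric keys, that is, it applies white-box encryption technology to private key protection.
This application combines a threshold cryptographic algorithm with a white-box cryptographic algorithm, exploiting both the flexible key update of threshold cryptographic algorithms and the high degree of key dispersion of white-box cryptographic algorithms, to design a completely new key protection technique. Compared with traditional threshold cryptography schemes, the invention uses white-box cryptographic algorithms to strengthen the security of the key in storage, and by using different white-box keys/algorithms it achieves risk dispersion to a certain degree. By combining a threshold cryptographic algorithm with a white-box cryptographic algorithm, the invention proposes a new way of protecting keys in software that overcomes the weak protection of key components in threshold cryptographic algorithms and the inconvenience of key update and large-scale use in white-box cryptography, improving both security and convenience.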
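The generation steps S110 to S140 above and the use steps from the summary (fetch enough component ciphertexts from one store, decrypt each with its own method, operate on the components) are shown below as an added Python example; it is not code from the patent. Assumptions: a toy ElGamal group (p = 2039) stands in for SM2, a dealer-style Shamir split stands in for threshold key generation, three hash-based stream constructions with per-component keys stand in for the white-box ciphers, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): p = 2q + 1 with q prime, g of order q.
P, Q, G = 2039, 1019, 4

# Three different keystream constructions stand in for the "different predetermined
# encryption methods"; white-box ciphers are not available in the standard library.
KEYSTREAMS = {
    "sha256-ctr": lambda k, nonce, n: b"".join(
        hashlib.sha256(k + nonce + bytes([i])).digest() for i in range(-(-n // 32)))[:n],
    "shake256": lambda k, nonce, n: hashlib.shake_256(k + nonce).digest(n),
    "blake2b": lambda k, nonce, n: hashlib.blake2b(nonce, key=k, digest_size=n).digest(),
}

def _mac(key, method, nonce, ct):
    mac_key = hashlib.sha256(b"mac" + key).digest()      # separate subkey for integrity
    return hmac.new(mac_key, method.encode() + nonce + ct, hashlib.sha256).digest()

def wrap(method, key, component):
    """S130: encrypt one private key component under its own method and key."""
    nonce = secrets.token_bytes(16)
    pad = KEYSTREAMS[method](key, nonce, 8)
    ct = bytes(a ^ b for a, b in zip(component.to_bytes(8, "big"), pad))
    return {"method": method, "nonce": nonce, "ct": ct, "tag": _mac(key, method, nonce, ct)}

def unwrap(blob, key):
    """S220: decrypt with the method recorded for this component; reject a wrong key or tampering."""
    expected = _mac(key, blob["method"], blob["nonce"], blob["ct"])
    if not hmac.compare_digest(blob["tag"], expected):
        raise ValueError("component ciphertext failed integrity check")
    pad = KEYSTREAMS[blob["method"]](key, blob["nonce"], 8)
    return int.from_bytes(bytes(a ^ b for a, b in zip(blob["ct"], pad)), "big")

def generate(t, n):
    """S110-S140 for t >= 1: n components (any t + 1 suffice), each wrapped differently, one store."""
    # Degree-t polynomial over Z_q; constant term is the private key x, leading term non-zero.
    coeffs = ([secrets.randbelow(Q - 1) + 1]
              + [secrets.randbelow(Q) for _ in range(t - 1)]
              + [secrets.randbelow(Q - 1) + 1])
    components = {i: sum(c * pow(i, e, Q) for e, c in enumerate(coeffs)) % Q
                  for i in range(1, n + 1)}
    public_key = pow(G, coeffs[0], P)     # dealer-style simplification: x exists only here
    methods = list(KEYSTREAMS)
    keys = {i: secrets.token_bytes(32) for i in components}   # one wrapping key per component
    store = {i: wrap(methods[(i - 1) % len(methods)], keys[i], x)
             for i, x in components.items()}                  # all ciphertexts on the same device
    return public_key, store, keys

def encrypt(public_key, m):
    """ElGamal encryption under the user public key (m must be in 1..P-1)."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(public_key, k, P) % P

def use_key(store, keys, ids, ciphertext):
    """S210-S230: unwrap the chosen components and decrypt without ever assembling x."""
    c1, c2 = ciphertext
    shared = 1
    for i in ids:
        x_i = unwrap(store[i], keys[i])
        lam = 1
        for j in ids:
            if j != i:                                    # Lagrange coefficient at 0, mod q
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        shared = shared * pow(c1, x_i * lam % Q, P) % P   # partial result c1^(lambda_i * x_i)
    return c2 * pow(shared, -1, P) % P

if __name__ == "__main__":
    pk, store, keys = generate(t=1, n=3)
    ct = encrypt(pk, 1234)
    print(use_key(store, keys, [1, 3], ct))   # any t + 1 = 2 components recover the plaintext
```

In this stand-in the wrapping keys sit beside the ciphertexts in ordinary memory; in the scheme described on this page that role is played by white-box keys embedded in the white-box implementations.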
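According to the embodiments of this application, the key is first dispersed by the threshold algorithm and then encrypted by the white box. According to the embodiments of this application, the scheme includes at least two kinds of key, user keys and white-box keys: the user key protects user data in the form of threshold components, and the white-box key encrypts and protects the user key components. This application does not use the white-box key to protect user data directly, which is also where we differ from previous ways of using white-box keys. Moreover, protecting different threshold components with different white-box keys/algorithms gives the protection of the threshold components diversity and achieves risk dispersion to a certain degree.
Based on the same idea, the embodiments of this specification also provide an asymmetric key use method corresponding to the method for generating a private key in an asymmetric key. Figure 3 is a flowchart of the method for using a private key in an asymmetric key provided by an embodiment of this specification. From a program perspective, the flow may be executed by a program running on an application server or by an application client.
As shown in Figure 3, after S140 of the method for generating a private key in an asymmetric key, the asymmetric key use method according to the embodiment may include the following steps:
S210: Obtain more than a predetermined number of user private key component ciphertexts from the same device, the user private key component ciphertexts being obtained according to the foregoing method for generating a private key in a user asymmetric key.
According to the embodiment, the user asymmetric key use method and the generation method may be executed by the same entity or by different entities. For example, the user private key may be generated on a server and used for cryptographic operations on the client. As another example, the user private key may be generated on the client and used for cryptographic operations on the client.
According to the embodiment, obtaining more than a predetermined number of user private key component ciphertexts from the same device may mean obtaining the component ciphertexts from a device different from the terminal that uses the user private key, or obtaining them from the local storage of the terminal that uses the user private key.
S220: Decrypt the more than a predetermined number of user private key component ciphertexts using predetermined decryption methods to obtain the corresponding more than a predetermined number of user private key component plaintexts, where each predetermined decryption method corresponds to the predetermined encryption method used when the component ciphertext to be decrypted was encrypted.
According to the embodiment, the predetermined decryption method may be a white-box decryption algorithm, specifically the white-box decryption algorithm corresponding to the white-box encryption algorithm used when the user key component was encrypted. More specifically, when the white-box encryption algorithm is an SM4-based white-box encryption algorithm, the corresponding SM4-based white-box decryption algorithm is used for decryption. More specifically, the white-box encryption key used for encryption may be obtained by dispersing the original key within the implementation of the SM4 encryption algorithm, and the white-box decryption key used for decryption may be obtained by dispersing the original key within the implementation of the SM4 decryption algorithm, where the original key used for encryption and decryption is the same and the SM4 encryption algorithm corresponds to the SM4 decryption algorithm.
S230: Perform a target operation using the corresponding more than a predetermined number of user private key component plaintexts.
Here the predetermined number represents the minimum number of user private key components, among the plurality of user private key components, required to perform the target operation. Specifically, for example, for a (t,n) threshold encryption algorithm, if the key is divided into n shares, t+1 of them can be used to perform the cryptographic operation.
According to the embodiment, in the asymmetric key use method the target operation is performed using the corresponding more than a predetermined number of user private key component plaintexts. It should be noted that the complete user private key is not generated from the component plaintexts here; the cryptographic operation, for example digital signing or information decryption, is performed directly with the multiple component plaintexts. The advantage of this scheme is that throughout the use of the private key it exists only in the form of key components and the complete plaintext user private key never appears in memory; that is, the user private key is always protected in the form of user private key components, so an attacker cannot obtain the user private key directly by breaking into the process of using it, which improves the security of the user private key in use.
According to the embodiment, in the foregoing asymmetric key generation method, after the user private key is generated with an asymmetric threshold cryptographic algorithm, the method further includes: generating a user public key based on the plurality of user private key components; and broadcasting the user public key.
Figure 4 is a schematic diagram of the principle of the asymmetric key generation method provided by an embodiment of this specification. The asymmetric key comprises a corresponding private key and public key. After the user private key has been split into multiple components, each component is encrypted with a white-box encryption algorithm to obtain a user private key component ciphertext, which is then stored.
According to an optional embodiment, in the foregoing asymmetric key use method, performing the target operation using the corresponding more than a predetermined number of user private key component plaintexts may specifically include: signing with the more than a predetermined number of user private key component plaintexts to obtain a signature result.
Figure 5 is a schematic diagram of the principle of the method for digital signing with a private key provided by an embodiment of this specification. Specifically, when the private key is needed for a digital signature, more than a predetermined number of private key component ciphertexts are obtained from where the data is stored, the component ciphertexts are decrypted with the corresponding white-box decryption algorithms to obtain the corresponding private key component plaintexts, and the component plaintexts are then used directly for digital signing to obtain the signature result.
To explain more clearly the process of digital signing with the private key and signature verification with the corresponding public key, Figure 6 and the related description are provided.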
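Figure 6 is a sequence diagram of the digital signature verification process using an asymmetric key provided by an embodiment of this specification. As an example, Figure 7 shows a method in which the private key is generated and used at the first communication party, for example generated and used on a user terminal. The scheme of this application is not limited to this: the private key and public key may also be generated on a server, after which the private key is encrypted and stored on the user terminal and used on the user terminal for cryptographic operations.
Referring to Figure 6, the process of digital signature verification using an asymmetric key may specifically include: the first communication party generates the user private key components and the user public key, and encrypts the user private key components to obtain the user private key component ciphertexts; when the private key is needed for signing, the first communication party decrypts more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, and then uses those component plaintexts to produce a digital signature.
The above process further includes: the first communication party broadcasts the public key, and correspondingly the second communication party can obtain the public key; when the second communication party receives the signature result sent by the first communication party, the second communication party verifies the signature result using the user public key broadcast by the first communication party. The steps in which the first communication party broadcasts the public key and the second communication party receives it may take place at any stage after the first communication party has generated the public key and before the second communication party uses it, and are not limited to the sequence shown in the figure.
According to an optional embodiment, in the foregoing asymmetric key use method, performing the target operation using the corresponding more than a predetermined number of user private key component plaintexts may specifically include: decrypting the information to be decrypted with the more than a predetermined number of user private key component plaintexts to obtain a decryption result, where the information to be decrypted is information obtained by encryption with the user public key corresponding to the user private key.
Figure 7 is a schematic diagram of the principle of the method for decrypting information with a private key provided by an embodiment of this specification. Specifically, when the private key is needed to decrypt information encrypted with the corresponding public key, more than a predetermined number of private key component ciphertexts are obtained from where the data is stored, the component ciphertexts are decrypted with the corresponding white-box decryption algorithms to obtain the corresponding private key component plaintexts, and the component plaintexts are then used directly to decrypt the information and obtain the decryption result.
To describe more clearly the process of encrypting information with the public key and decrypting it with the corresponding private key, Figure 8 and the related description are provided.
Figure 8 is a sequence diagram of the information encryption and decryption process using an asymmetric key provided by an embodiment of this specification. As an example, Figure 8 shows a method in which the private key is generated and used at the first communication party, for example generated and used on a user terminal. The scheme of this application is not limited to this: the private key and public key may also be generated on a server, after which the private key is encrypted and stored on the user terminal and used on the user terminal for cryptographic operations.
Referring to Figure 8, the process of encrypting and decrypting information using an asymmetric key specifically includes: the first communication party generates the user private key components and the user public key, and encrypts the user private key components to obtain the user private key component ciphertexts; and the first communication party broadcasts the public key.
The above process further includes: the second communication party receives the public key broadcast by the first communication party; when the second communication party needs to send encrypted information to the first communication party, it can encrypt the information with the public key received from the first communication party, and it sends the encrypted information to the first communication party.
The above process further includes: when the first communication party receives the encrypted information sent by the second communication party, it decrypts more than a predetermined number of the stored user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, and uses those component plaintexts to decrypt the encrypted information.
The above examples show only some specific implementations of the method of using the private key in this application, and the method of using the private key is not limited to these. For example, it can also be used for key exchange and so on. No specific limit is placed on this here.
According to the asymmetric key generation and use method of this application, a threshold cryptographic algorithm is used to generate the asymmetric key, and the private key is used for operations such as signing and decryption. Specifically, when the private key is generated, a threshold cryptographic algorithm is first used to generate multiple private key components, and each threshold private key component is then encrypted with a white-box cryptographic algorithm and stored. When the private key is needed for an operation, the white-box key is first used to decrypt the threshold private key components, and the threshold cryptographic algorithm is then used to perform private key operations such as signing and decryption.
Usually, because stored files are easier for an attacker to obtain, and key data in memory is normally erased as soon as it has been used and so exists only briefly, the security requirement for a key in storage (that is, on disk) is higher than at run time (that is, in memory). In view of this, the scheme of this application provides stronger security precisely when the key is stored, which matches the security requirement very well. Specifically, when the key is stored it is protected by two layers, the threshold cryptographic algorithm and the white-box cryptographic algorithm; when the key is in use (in memory) it is protected by the threshold cryptographic algorithm.
Based on the same idea, the embodiments of this specification also provide an apparatus corresponding to the above asymmetric key generation method. Figure 9 is a schematic structural diagram of an apparatus for generating a private key in an asymmetric key, corresponding to Figure 1, provided by an embodiment of this specification.
As shown in Figure 9, the asymmetric key generation apparatus may include:
a request obtaining module 310, configured to obtain an asymmetric key generation request;
a generation module 320, configured to generate a user private key according to the asymmetric key generation request, the user private key comprising a plurality of user private key components;
an encryption module 330, configured to encrypt the plurality of user private key components using predetermined encryption methods to obtain a corresponding plurality of user private key component ciphertexts, where at least two of the plurality of user private key components are encrypted using different predetermined encryption methods;
a storage module 340, configured to store the plurality of user private key component ciphertexts on the same device.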
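Optionally, the generation module 320 is specifically configured to: generate the user private key according to the asymmetric key generation request using an asymmetric threshold cryptographic algorithm.

Optionally, the encryption module 330 is specifically configured to: encrypt the multiple user private key components with different white-box encryption algorithms.

Optionally, the encryption module 330 is specifically configured to: for any user private key component of a user private key, encrypt it with a white-box encryption algorithm different from those of the other user private key components of that user private key.

Optionally, the encryption module 330 is specifically configured such that: there are m user private keys, each including n user private key components, and the (m, n)th user private key component denotes the nth user private key component of the mth user private key; n different white-box encryption algorithms are used to encrypt all the user private key components; the pth of the n different white-box encryption algorithms is used to encrypt the (1, p)th through (m, p)th user private key components; where m and n are positive integers and p is a positive integer not greater than n.

Optionally, the storage module 340 is specifically configured to: store the multiple user private key component ciphertexts in a device that needs to use the user private key. That is, the storage module 340 may be a storage module in the user terminal.

Optionally, the request obtaining module 310, the generation module 320, the encryption module 330, and the storage module 340 may all be located in the user terminal. That is, the multiple user private key components may be generated on the user terminal and then encrypted and stored.

Based on the same idea, the embodiments of this specification also provide an apparatus corresponding to the above asymmetric key use method. Fig. 10 is a schematic structural diagram of an apparatus for using a private key in an asymmetric key, corresponding to Fig. 3, provided by an embodiment of this specification.

As shown in Fig. 10, the asymmetric key use apparatus may include:

a key obtaining module 410, configured to obtain more than a predetermined number of user private key component ciphertexts from the same device, the user private key component ciphertexts being generated according to the above method for generating a private key in an asymmetric key;

a decryption module 420, configured to use a predetermined decryption algorithm to decrypt the more than a predetermined number of user private key component ciphertexts, obtaining the corresponding more than a predetermined number of user private key component plaintexts, where the predetermined decryption method corresponds to the predetermined decryption method used when the user private key component ciphertext to be decrypted was encrypted;

an operation module 430, configured to use the corresponding more than a predetermined number of user private key component plaintexts to perform the target operation,

where the predetermined number denotes the number of user private key components, among the multiple user private key components, required to perform the target operation.

Optionally, the operation module 430 is specifically configured to: sign with the more than a predetermined number of user private key component plaintexts to obtain a signature result.

Optionally, the operation module 430 is specifically configured to: decrypt the information to be decrypted with the more than a predetermined number of user private key component plaintexts to obtain a decryption result, where the information to be decrypted is information obtained by encrypting with the user public key corresponding to the user private key.

Based on the same idea, the embodiments of this specification also provide a device corresponding to the above methods for generating and using a private key in an asymmetric key.

Fig. 11 is a schematic structural diagram of a device for generating and/or using a private key in an asymmetric key provided by an embodiment of this specification. As shown in Fig. 11, the device 500 may include:

at least one processor 510; and

a memory 530 communicatively connected to the at least one processor; where

the memory 530 stores instructions 520 executable by the at least one processor 510, the instructions being executed by the at least one processor 510 to enable the at least one processor 510 to:

obtain an asymmetric key generation request;

generate a user private key according to the asymmetric key generation request, the user private key including multiple user private key components;

use a predetermined encryption method to encrypt the multiple user private key components to obtain the corresponding multiple user private key component ciphertexts, where at least two of the multiple user private key components are encrypted with different predetermined encryption methods;

store the multiple user private key component ciphertexts in the same device.

According to an embodiment, the device 500 may include:

at least one processor 510; and

a memory 530 communicatively connected to the at least one processor; where

the memory 530 stores instructions 520 executable by the at least one processor 510, the instructions being executed by the at least one processor 510 to enable the at least one processor to:

obtain more than a predetermined number of user private key component ciphertexts from the same device, where the user private key component ciphertexts are obtained according to the aforementioned method for generating a private key in a user asymmetric key;

use a predetermined decryption method to decrypt the more than a predetermined number of user private key component ciphertexts, obtaining the corresponding more than a predetermined number of user private key component plaintexts, where the predetermined decryption method corresponds to the encryption method used when the user private key component ciphertext to be decrypted was encrypted;

use the corresponding more than a predetermined number of user private key component plaintexts to perform the target operation,

where the predetermined number denotes the minimum number of user private key components, among the multiple user private key components, required to perform the target operation.

It will be understood that although the terms "first", "second", "third", etc., and "1-1/(1, 1)th", "1-2/(1, 2)th", "1-3/(1, 3)th", etc. are used herein to describe various parts, these parts should not be limited by these terms. These terms are used only to distinguish one part from another. Therefore, without departing from the teachings herein, a "first ..." discussed here could also be called a "second ..."; a "1-1/(1,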
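1)th ..." could also be called a "1-2/(1, 2)th ...".

Specific embodiments of this specification have been described above. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the drawings do not necessarily require the particular order shown, or sequential order, to achieve the desired results. In some implementations, multitasking and parallel processing are also possible or may be advantageous.

The embodiments in this specification are described in a progressive manner; for parts that are the same or similar across embodiments, reference may be made between them, and each embodiment focuses on its differences from the others. In particular, the apparatus and device embodiments are described relatively briefly because they are basically similar to the method embodiments; for relevant details, refer to the corresponding parts of the description of the method embodiments.

The apparatus and device provided by the embodiments of this specification correspond to the method, and therefore also have beneficial technical effects similar to those of the corresponding method. Since the beneficial technical effects of the method have been described in detail above, those of the corresponding apparatus and device are not repeated here.

In the 1990s, an improvement to a technology could be clearly classified as either a hardware improvement (for example, an improvement to circuit structures such as diodes, transistors, and switches) or a software improvement (an improvement to a method flow). However, with the development of technology, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be implemented with a physical hardware module. For example, a programmable logic device (PLD), such as a field-programmable gate array (FPGA), is such an integrated circuit whose logic function is determined by the user programming the device. Designers program a digital system to be "integrated" on a single PLD themselves, without having to ask a chip manufacturer to design and fabricate a dedicated integrated circuit chip. Moreover, nowadays, instead of making integrated circuit chips by hand, this programming is mostly done with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must also be written in a specific programming language, called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should also understand that a hardware circuit implementing the logical method flow can easily be obtained simply by lightly programming the method flow in one of the above hardware description languages and programming it into an integrated circuit.

The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by that (micro)processor, logic gates, switches, an application-specific integrated circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of a memory. Those skilled in the art also know that, besides implementing the controller purely as computer-readable program code, the method steps can be logically programmed so that the controller performs the same functions in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller can therefore be regarded as a hardware component, and the means included in it for implementing various functions can also be regarded as structures within the hardware component. Or even, the means for implementing various functions can be regarded as both software modules implementing the method and structures within the hardware component.

The systems, apparatuses, modules, or units set out in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer. Specifically, the computer may be, for example, a personal computer, a desktop computer, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an e-mail device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.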
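For convenience of description, the above apparatus is described with its functions divided into various units. Of course, when implementing this case, the functions of the units may be implemented in one or more pieces of software and/or hardware.

Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include non-permanent memory in computer-readable media, random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.

It should also be noted that the terms "include", "comprise", or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity, or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, commodity, or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, commodity, or device that includes the element.

This case may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, and so on that perform particular tasks or implement particular abstract data types. This case may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.

The embodiments in this specification are described in a progressive manner; for parts that are the same or similar across embodiments, reference may be made between them, and each embodiment focuses on its differences from the others. In particular, the system embodiments are described relatively briefly because they are basically similar to the method embodiments; for relevant details, refer to the corresponding parts of the description of the method embodiments.

The above are merely embodiments of this case and are not intended to limit it. For those skilled in the art, this case may have various modifications and changes. Any modification, equivalent replacement, improvement, and the like made within the spirit and principles of this case shall fall within the scope of the claims of this case.

In order to make the purpose, technical solution and advantages of this case clearer, the technical solution of this case will be described clearly and completely below in conjunction with specific embodiments of this case and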
corresponding drawings. Obviously, the described embodiments are only some of the embodiments of this case, rather than all of them. Based on the embodiments in this case, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the scope of protection of this case.

To facilitate understanding of the technical solutions mentioned in the embodiments of this case, several technical terms used in this case are briefly described below.

Software cryptographic module: A cryptographic module is a software/hardware module with security functions such as key protection and cryptographic computation. A module that protects keys in software is usually called a software cryptographic module. Compared with traditional hardware cryptographic modules, software cryptographic modules have a wider range of applications and the advantages of low cost and convenient deployment. There is currently strong demand for protecting keys in software. At the same time, protecting keys with a software cryptographic module is difficult. Specifically, because software has no independent operating environment, once the operating system on which the software runs is compromised, the attacker can obtain the software's data stored on disk, its run-time memory, and so on, from which sensitive information such as keys can generally be recovered. Currently, the commonly used methods for protecting keys include threshold cryptographic algorithms and white-box cryptographic algorithms.

Threshold cryptographic algorithm: The threshold cryptographic algorithm evolved from the secret sharing algorithm. (t, n) secret sharing divides a secret into n parts, held by n individuals respectively, and at least t+1 participants can recover the secret.
If a secret sharing method is used to keep the key, the security of the key during storage can be ensured, but the key still has to be restored before it can be used in a computation, and the restored plaintext key may still be intercepted by an attacker. Threshold cryptographic algorithms can alleviate this problem. The biggest difference from the secret sharing algorithm is that, with a threshold cryptographic algorithm, the key is still used in the form of key components and the complete key never needs to be recovered. Specifically, a (t, n) threshold cryptographic algorithm splits a private key into n parts, which are held by n individuals respectively. At least t+1 participants can perform cryptographic operations based on the private key. Any t participants cannot obtain any information about the results of those operations, and no information about the private key or its components is disclosed during the cryptographic operation. In addition, a commonly used threshold cryptographic algorithm is an implementation of a standard cryptographic algorithm and is equivalent to that standard algorithm.

White-box cryptographic algorithm: A white-box cryptographic algorithm is a cryptographic algorithm that can keep the key secure in a white-box attack environment, that is, an environment in which the execution of the program is completely visible to the attacker. Generally, the white-box cryptographic algorithm is used together with code obfuscation to further prevent attackers from recovering the key from the cryptographic algorithm. A white-box cryptographic algorithm white-boxes the original key to obtain a white-box key, which can exist in the form of a look-up table.
Assuming that the original key is a 16-byte block, after white-boxing it becomes, for example, a 300 kB look-up table, which is equivalent to dispersing the 16-byte key across 300 kB of data in order to hide it. Generally speaking, white-box cryptographic algorithms support only symmetric cryptographic algorithms. This is because symmetric and asymmetric cryptographic algorithms are implemented on different principles, and there are technical obstacles to white-boxing asymmetric cryptographic algorithms.

To understand the principle of the white-box cryptographic algorithm more clearly, see Xiao Yaying's paper "White box cryptography and SM4 algorithm white box realization" at the 2009 Annual Conference of the Chinese Cryptography Society, and the master's thesis of Shang Pei of the University of Electronic Science and Technology of China on the design and implementation of an SM4-based white-box cryptographic algorithm, which show examples of white-box cryptographic algorithms based on SM4. However, the white-box cryptographic algorithm in the embodiments of this case can be implemented in various ways and is not limited to the SM4 algorithm; for example, it can also be based on other symmetric cryptographic algorithms such as the AES, DES, and 3DES algorithms. This case does not specifically limit this.

The technical solutions provided by the embodiments of this case are described in detail below with reference to the drawings.

Fig. 1 is a flowchart of a method for generating a private key in an asymmetric key provided by an embodiment of this specification. From a program perspective, the process may be executed by a program running on an application server or by an application client.

As shown in Fig.
1, the method for generating a private key in an asymmetric key according to an embodiment includes the following steps:

S110: Obtain an asymmetric key generation request.

The basic process of data encryption is to process files or data that were originally plaintext with a certain algorithm so that they become a set of characters or bits that cannot be understood without decryption, usually called "ciphertext", thereby protecting the data from being stolen and read by unauthorized persons. The reverse of encryption is decryption, that is, the process of transforming the encoded information back into the original data. Encryption algorithms are divided into symmetric and asymmetric encryption algorithms. The encryption and decryption keys of a symmetric encryption algorithm are the same, while those of an asymmetric encryption algorithm are different.

An asymmetric encryption algorithm is also known as a public-key encryption algorithm. It requires two keys, together called the asymmetric key: one, the public key, is made public, and the other, the private key, is kept private. Data encrypted with the public key can be decrypted only with the corresponding private key, and data encrypted with the private key can be decrypted only with the corresponding public key. For example, Party A generates a pair of keys and discloses one of them to others as the public key. Party B, having obtained the public key, uses it to encrypt confidential information before sending it to Party A, and Party A uses the other key, the private key it has kept, to decrypt the encrypted information.

According to an embodiment, obtaining the asymmetric key generation request means obtaining a request to generate a private key and a public key.
According to an embodiment, obtaining an asymmetric key generation request may refer to obtaining a request that instructs the generation of a private key and a corresponding public key.

S120: Generate a user private key according to the asymmetric key generation request, where the user private key includes multiple user private key components.

Optionally, (t, n) secret sharing or a (t, n) threshold cryptographic algorithm can be used to generate the multiple user private key components. For example, if (t, n) secret sharing is used, the user private key plaintext is generated first and then split into n parts, at least t+1 of which are required to restore the original user private key plaintext. If instead a (t, n) threshold cryptographic algorithm is used, n user private key components are generated directly as the user private key, and at least t+1 of them can take part in cryptographic operations based on the user private key. In this process, the user private key plaintext is neither generated nor recovered at the time of use; that is, the user private key never appears as complete plaintext from beginning to end, but exists only in the form of key components. Clearly, generating the user private key with the (t, n) threshold cryptographic algorithm is more secure. In this case, it is preferable to use the (t, n) threshold cryptographic algorithm to generate the user private key components directly as the user private key.

According to an embodiment, generating the user private key according to the asymmetric key generation request specifically includes: generating the user private key according to the asymmetric key generation request using an asymmetric threshold cryptographic algorithm.
According to an embodiment, using an asymmetric threshold cryptographic algorithm to generate the user private key may specifically include: generating the user private key with a threshold cryptographic algorithm based on a standard asymmetric cryptographic algorithm. The standard asymmetric cryptographic algorithm may be the SM2 algorithm, an ECC (Elliptic Curve Cryptography) algorithm, the RSA algorithm, or DSA (Digital Signature Algorithm), but is not limited to these.

Optionally, the user private key can be generated with an SM2-based (t, n) threshold cryptographic algorithm. The user private key may then include n user private key components, any t+1 of which can directly perform the function of the user private key. Specifically, when the user private key is used, the t+1 components can be used directly to perform cryptographic operations based on the private key; that is, the plaintext of the user private key does not need to be recovered, and the cryptographic operations are performed in the form of private key components. Therefore, while the user private key is in use, only private key components actually appear; the complete user private key is never transferred or used in memory. This solves the problem of the complete user private key existing in memory and makes it harder for an attacker to obtain the plaintext of the user private key.

S130: Use a predetermined encryption method to encrypt the multiple user private key components to obtain the corresponding multiple user private key component ciphertexts, where at least two of the multiple user private key components are encrypted with different predetermined encryption methods.
Specifically, the predetermined encryption algorithm may be any known standard symmetric encryption algorithm or an improved version of it, for example the SM4 algorithm, the AES (Advanced Encryption Standard) algorithm, the DES (Data Encryption Standard) algorithm, the 3DES (Triple DES, Triple Data Encryption Standard) algorithm, or improved versions of these, but is not limited to these. The key used in the encryption process of the predetermined encryption method may include a fixed string, a random string, user terminal device information, or a combination of these; a white-box key may also be used, but the key is not limited to these.

Specifically, at least two of the multiple user private key components are encrypted using different predetermined encryption methods, which means that all the components among the multiple user private key components are encrypted in different ways. The advantage of this scheme is that an attacker who wants to recover user private key component plaintexts from the user private key component ciphertexts cannot crack all the ciphertexts with a single method, which makes it harder for the attacker to obtain the required number of user private key component plaintexts.

S140: Store the multiple user private key component ciphertexts in the same device.

In the traditional multi-component key protection scheme, at least some of the key components are scattered across different servers, and cryptographic devices such as cryptographic machines and USB keys can be used to protect the components on each server. In the solution of this case, the user private key component ciphertexts are stored on the same device.
The advantage of this arrangement is that, when the user private key components are needed for cryptographic operations, enough user private key component ciphertexts to meet the predetermined number can be obtained and decrypted on that one device, without any communication between servers, which reduces the communication overhead of the system and avoids the communication delays it would cause.

Specifically, the same device may be the device that generates the user private key components, or a device different from the one that generates them. For example, if the user private key components are generated on a server, the device storing the user private key component ciphertexts may be a user terminal device that communicates with the server. If the user private key components are generated on the user terminal, the device storing the private key component ciphertexts may be that user terminal.

According to an embodiment, storing the multiple user private key component ciphertexts in the same device may specifically include: storing the multiple user private key component ciphertexts in a device that needs to use the user private key. Specifically, the device that needs to use the user private key may be a user terminal, such as a payment machine, an IoT (Internet of Things) device, or a mobile phone.
In the prior art, although the user private key can be split into several parts and stored on different storage devices, this requires introducing additional servers, which is inconvenient for system deployment and for users. In particular, it is inconvenient for some user terminal devices to connect directly to a physical device acting as the server, and if the connection goes through the cloud, using the private key generates a large data communication overhead and communication delay. This case stores each user private key component directly on the user terminal. On the one hand, this reduces the communication overhead between servers when the private key is used; on the other hand, it reduces the communication overhead between the user terminal and the cloud server incurred by fetching the private key from the cloud when it is used, and so reduces communication delay.

According to an embodiment, the user private key component ciphertexts can be stored in different storage areas of the user terminal's memory, and each storage area can store at least one user private key component ciphertext. Distributing the stored user private key component ciphertexts in this way makes it harder for an attacker to obtain a predetermined number of user private key component ciphertexts and thus to decrypt a predetermined number of user private key component plaintexts.

In the prior art, the private key is divided into multiple private key components that are stored on multiple servers in communication with the user terminal. When the user terminal needs to use the private key, multiple rounds of communication are needed between the user terminal and the servers and among the servers storing the private key components; the communication overhead is high and communication delays are likely.
This case provides a method for generating a private key in an asymmetric key. Specifically, multiple user private key components are generated according to the obtained asymmetric key generation request, the components are then encrypted with different predetermined encryption algorithms to obtain multiple user private key component ciphertexts, and the ciphertexts are stored in the same device. After generating the dispersed user private key components, the method does not store them on multiple devices but protects them by encrypting them again. Specifically, because the user private key components are encrypted with different encryption methods, different decryption methods are needed to decrypt different components, which is similar to storing the components separately on different devices and achieves the purpose of risk dispersion. Because multiple physical devices are not needed to store the private key components, the construction cost of the private key protection system is reduced. And when the private key needs to be used, no communication is needed between multiple physical devices storing private key components; instead, the components are obtained through different decryption methods on the same device. This ensures the security of the user private key components while reducing the communication overhead, communication cost, and communication delay of using the private key.

The embodiments of this specification also provide some specific implementations of the above method for generating a private key in an asymmetric key, which are described below.
Generally, a threshold cryptographic algorithm can ensure that the key always exists as components during key generation and use. The key is generally divided into 3 to 5 components, so that an attacker cannot obtain the complete key in one place. However, the shortcoming of the threshold cryptographic algorithm is that the number of parts into which the key is dispersed is limited: once an attacker obtains more than a predetermined number of key components, the key can be recovered. In contrast, the key of a white-box cryptographic algorithm is completely dispersed throughout the algorithm's implementation, and the degree of dispersion is much higher than with a threshold cryptographic algorithm. For some white-box cryptographic algorithms, the attacker cannot recover the key even after obtaining all of the dispersed key information.

According to an embodiment of this case, in S130, using a predetermined encryption method to encrypt the multiple user private key components may specifically include: using a white-box encryption algorithm to encrypt the multiple user private key components.

A white-box cryptographic algorithm can include a white-box encryption algorithm for encryption and the corresponding white-box decryption algorithm for decryption. Its purpose is to protect the key in a white-box attack environment and to prevent attackers from extracting key information while the cryptographic software executes. A white-box cryptographic algorithm can be a new algorithm that resists attacks in a white-box attack environment, or a white-box design based purely on an existing cryptographic algorithm.
Specifically, a white-box encryption algorithm based on a standard symmetric encryption algorithm is designed from the existing standard symmetric encryption algorithm using white-box cryptography, and uses certain characteristics of the algorithm to hide the key, so that in a white-box attack environment the function of the original algorithm is unchanged, security in the white-box attack environment is achieved, and the security of the original algorithm is not damaged. A commonly used white-box cryptographic algorithm is an implementation of a standard cryptographic algorithm and is equivalent to it; that is, for the same plaintext, the standard symmetric encryption algorithm and the corresponding white-box encryption algorithm produce the same ciphertext.

Optionally, using a white-box encryption algorithm to encrypt the multiple user private key components may specifically include: encrypting the multiple user private key components with a white-box encryption algorithm based on a standard symmetric encryption algorithm. The standard symmetric encryption algorithm can be the SM4, AES, DES, or 3DES algorithm, but is not limited to these.

If the different key components of a user key are protected in the same way, an attacker can break all of them with the same method. In view of this, different white-box encryption algorithms can be used to protect different key components, which strengthens the protection of the key components and makes it harder to attack multiple threshold key components.
According to an embodiment of this case, encrypting at least two of the multiple user private key components using different predetermined encryption methods may specifically include: for any user private key component of a user private key, encrypting it with a white-box encryption algorithm different from those used for the other user private key components of that user private key. In other words, if the user private key includes n user private key components, n different white-box encryption algorithms can be used to encrypt the n components respectively, with each user private key component encrypted by one white-box encryption algorithm and different user private key components using different white-box encryption algorithms.

Optionally, the different white-box encryption algorithms may be constructed using different white-box methods. Specifically, different white-box cipher design methods can be used, for example the look-up table method, the method of inserting scrambling terms, or the multivariate cipher method. The main idea of the look-up table method is as follows: for a cryptographic algorithm, once a specific key is given, the mapping from plaintext to ciphertext is determined; this mapping is then scrambled, the scrambled mapping is expressed as look-up tables, and finally the cryptographic algorithm is executed by table look-ups.

Optionally, the different white-box encryption algorithms may be constructed from different standard symmetric encryption algorithms. Specifically, an SM4 white-box encryption algorithm, an AES white-box encryption algorithm, a DES white-box encryption algorithm, and so on can be used.
For example, the SM4 white-box encryption algorithm can be a white-box design based on the original SM4 algorithm. The SM4 algorithm has a block length of 128 bits and a key length of 128 bits and uses 32 rounds of nonlinear iteration; the decryption process has a similar structure to the encryption process, but the round keys are used in reverse order. Specifically, the key information of the SM4 white-box encryption algorithm is hidden in the look-up tables. The security of the algorithm rests on the difficulty of extracting the key information from the look-up tables or recovering the input and output encodings.

Optionally, the different white-box encryption algorithms may be based on the same standard encryption algorithm but use different design parameters. For example, they can all be SM4-based white-box encryption algorithms, but the white-box implementations can use different numbers of look-up tables, different system parameters and/or fixed parameters, and/or different white-box keys.

The key obtained by dispersing the original key used for encryption and decryption in the standard cryptographic algorithm is called the white-box key. A white-box key is a key used for encryption or decryption in a white-box environment. It carries the information of the original key and replaces the original key in performing encryption and decryption, while the original key cannot be obtained even by analyzing it. The white-box key needs to be generated in a secure environment to ensure the security of both the white-box key and the original key.
According to an embodiment, in this case the white-box key can be generated on a server, and the white-box key and the algorithm program are then packaged and transmitted to the terminal device for encrypting the user private key components. That is, the environment in which the white-box key is generated is different from the environment in which it is used, which ensures the security of the original key used to generate the white-box key.

The original intention of the threshold cryptographic algorithm is that each threshold key component has a different custodian, so as to disperse risk. Analogously, in the embodiments of this case, although all threshold components are stored in one communication terminal (for example, the user terminal) in order to reduce communication, each threshold key component can be protected with a different white-box cryptographic algorithm and/or white-box key, which achieves a certain degree of risk dispersion.

According to an embodiment, the aforementioned method for generating a private key in an asymmetric key may further include: obtaining another asymmetric key generation request; generating another user private key according to that request, where the other user private key includes multiple user private key components; and, for any user private key component of the other user private key, encrypting it with the same white-box encryption algorithm as a user private key component of the one user private key, with each user private key component of the other user private key using a different white-box encryption algorithm. The number of user private key components in the other user private key is the same as the number in the one user private key.
Specifically, there may be m user private keys, each of which may include n user private key components, and the (m, n)th user private key component denotes the nth user private key component in the mth user private key. The p-th of n different white-box encryption algorithms can be used to encrypt the (1, p)th through (m, p)th user private key components, where m and n are positive integers, p is a positive integer not greater than n, and the encryption is carried out for every value of p from 1 to n. In other words, when there are m user private keys and each is split into n components, n different white-box encryption algorithms can be used to encrypt all the user private key components, yielding n sets of user private key component ciphertexts; the m ciphertexts in each set correspond to one private key component of each user private key.
Figure 2 is a schematic diagram of the principle of a method for generating a user's private key provided by an embodiment of this specification. Referring to Figure 2, suppose, for example, that there are m user private keys to be protected and that each can be split into n components. The private key component m-n in Figure 2 is the (m, n)th user private key component, that is, the nth component of the mth user private key. For example, the second private key component in user private key 1 is private key component 1-2. The names private key component 1-1, private key component 1-2, and private key component 1-3 serve only to distinguish the components, that is, to show that private key 1 contains several different components; they are not intended to restrict the components, and the naming method is not limited to this.
Specifically, n different white-box encryption algorithms can be used to encrypt all user private key components. For example, the n white-box encryption algorithms can be based on the same standard symmetric encryption algorithm but use different white-box keys. For example, the different components can all be encrypted with the SM4 standard encryption algorithm but with different original keys, that is, with different white-box keys. Figure 2 shows a situation where different white-box keys are used to encrypt each private key component of a user private key. Specifically, for example, as many white-box keys as there are private key components in each user private key can be used to encrypt the corresponding private key components, so that the private key components within one user private key are all encrypted with different white-box keys.
As an example, suppose m=1 and n=3 in Figure 2, that is, there is one user private key (private key 1) to be encrypted. The user private key includes 3 private key components, 3 white-box encryption algorithms can be used to encrypt these three components, and p can be 1, 2, and 3. Specifically, for p=1, the first of the three white-box encryption algorithms encrypts private key component 1-1 in private key 1; for p=2, the second white-box encryption algorithm encrypts private key component 1-2 in private key 1; for p=3, the third white-box encryption algorithm encrypts private key component 1-3 in private key 1.
As an example, suppose m=4 and n=3 in Figure 2, that is, there are 4 user private keys (private key 1, private key 2, private key 3, and private key 4) to be encrypted, each of which can include 3 private key components; 3 white-box encryption algorithms can be used to encrypt these components, and p can take the values 1, 2, and 3. Specifically, for p=1, the first of the three white-box encryption algorithms encrypts private key component 1-1 in private key 1, private key component 2-1 in private key 2, private key component 3-1 in private key 3, and private key component 4-1 in private key 4; for p=2, the second white-box encryption algorithm encrypts private key component 1-2 in private key 1, private key component 2-2 in private key 2, private key component 3-2 in private key 3, and private key component 4-2 in private key 4; for p=3, the third white-box encryption algorithm encrypts private key component 1-3 in private key 1, private key component 2-3 in private key 2, private key component 3-3 in private key 3, and private key component 4-3 in private key 4.
In the traditional use of white-box keys, the white-box key usually serves as the service key that encrypts the service data; that is, the service key is bound to the white box, which makes the service key difficult to update. Specifically, when the service key needs to be updated, the white-box key must be updated. In addition, if different white-box keys are used to protect different business data, as many white-box keys as there are items of business data are required, and because a white-box key file is usually large, this takes up more storage space.
For example, if there are 100 pieces of communication data to be protected and the corresponding 100 business keys need to be implemented as white-box keys, the key management system needs to store 100 white-box keys, which occupies more storage space; and when a service key needs to be updated, the corresponding white-box key needs to be updated.
In this case, the white-box key is used to encrypt and protect the user key components, instead of being used to protect the user data directly. This is a significant difference between how the white-box key is used in this case and how it is used in the prior art. Specifically, in this case, the user key is used to encrypt business data, and the white-box key is used to encrypt and protect the components of the user key. On the one hand, when the service key needs to be updated, there is no need to update the white-box key, which avoids the key update difficulty of traditional white-box key use. On the other hand, because this case uses white-box keys to encrypt the key components, few white-box keys are needed and little storage space is occupied. Specifically, if a user key has 3 key components and each component is encrypted using a different white-box key, only 3 white-box keys need to be stored in the key management system; assuming that there are 100 items of business data to be encrypted, 100 user keys are used correspondingly, each user key includes 3 key components, and the three components of each user key are respectively encrypted using the aforementioned 3 white-box keys.
In addition, in this case, by combining the white-box cryptographic algorithm with the threshold cryptographic algorithm, a new method for protecting asymmetric keys is proposed, that is, white-box encryption technology is applied to private key protection.
This case combines the threshold cryptographic algorithm and the white-box cryptographic algorithm, taking advantage of both the flexible key update of the threshold cryptographic algorithm and the high degree of key dispersion of the white-box cryptographic algorithm to design a brand new key protection technology. Compared with the traditional threshold cryptographic scheme, the present invention strengthens the security of key storage through the use of the white-box cryptographic algorithm, and achieves a certain degree of risk dispersion through the use of different white-box keys/algorithms. By combining the two algorithms, the present invention proposes a new software key protection method that overcomes the weak protection of key components in the threshold cryptographic algorithm and the inconvenience of updating and mass use of white-box keys, improving both security and convenience.
According to the embodiment of this case, the key is first dispersed through a threshold algorithm and then encrypted through the white box. According to the embodiment of this case, the solution includes at least two kinds of keys: the user key and the white-box key. The user key is used to protect user data in the form of threshold components, and the white-box key is used to encrypt and protect the user key components. In this case, the white-box key is not used to protect user data directly, which is also the difference from the way white-box keys have been used in the past. In addition, different white-box keys/algorithms are used to protect different threshold components, which diversifies the protection of the threshold components and achieves a certain degree of risk dispersion.
Based on the same thinking, the embodiments of this specification also provide an asymmetric key usage method corresponding to the private key generation method in the asymmetric key. Fig.
3 is a flowchart of a method for using a private key in an asymmetric key provided by an embodiment of this specification. From a program perspective, the execution body of the process can be a program or an application client loaded on an application server. As shown in FIG. 3, after S140 in the method for generating a private key in an asymmetric key, the method for using an asymmetric key according to an embodiment may include the following steps:
S210: Obtain more than a predetermined number of user private key component ciphertexts from the same device, the user private key component ciphertexts being obtained according to the aforementioned method for generating a private key in a user asymmetric key.
According to the embodiment, the execution subject of the asymmetric key usage method and that of the generation method may be the same or different. For example, the user private key can be generated on the server and used on the user side to perform cryptographic operations. For another example, the user private key can be generated on the user side and also used on the user side to perform cryptographic operations. According to an embodiment, the more than a predetermined number of user private key component ciphertexts may be obtained from a device different from the terminal that uses the user private key, or from the local storage of the terminal that uses the user private key.
S220: Use a predetermined decryption method to decrypt the more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, wherein the predetermined decryption method corresponds to the predetermined encryption method used when the user private key component ciphertext to be decrypted was encrypted.
According to an embodiment, the predetermined decryption method may be a white-box decryption algorithm, specifically the white-box decryption algorithm corresponding to the white-box encryption algorithm used when the user key component was encrypted. More specifically, when the white-box encryption algorithm is based on SM4, the corresponding SM4-based white-box decryption algorithm is used for decryption. More specifically, the white-box encryption key used in encryption can be obtained by dispersing the original key in the implementation of the SM4 encryption algorithm, and the white-box decryption key used in decryption can be obtained by dispersing the original key in the implementation of the SM4 decryption algorithm, where the original keys used for encryption and decryption are the same and the SM4 encryption algorithm corresponds to the SM4 decryption algorithm.
S230: Use the corresponding more than a predetermined number of user private key component plaintexts to execute the target operation, wherein the predetermined number represents the minimum number of user private key components, among the plurality of user private key components, required to perform the target operation. Specifically, for example, for the (t, n) threshold encryption algorithm, if the key is divided into n shares, t+1 shares of the key can be used for cryptographic operations.
According to an embodiment, in the asymmetric key usage method, the more than a predetermined number of user private key component plaintexts are used to perform the target operation. It should be noted that the user private key component plaintexts are not used here to generate a complete user private key; instead, the multiple user private key components are used directly to perform cryptographic operations such as digital signature and information decryption. The advantage of this scheme is that throughout its use the private key exists only in the form of key components, and the complete user private key plaintext never appears in memory. Because the user private key is always protected in component form, an attacker cannot directly obtain it by cracking the private key use process, which improves the security of the user private key during use.
According to an embodiment, in the foregoing asymmetric key generation method, after the asymmetric threshold cryptographic algorithm is used to generate the user private key, the method further includes: generating a user public key based on the plurality of user private key components; and broadcasting the user public key.
Fig. 4 is a schematic diagram of the asymmetric key generation method provided by the embodiment of the specification. The asymmetric key includes a corresponding private key and public key. After the user private key is split into multiple components, each component is encrypted using a white-box encryption algorithm to obtain the user private key component ciphertexts, which are then stored.
According to an optional embodiment, in the foregoing asymmetric key use method, using the corresponding more than a predetermined number of user private key component plaintexts to perform the target operation may specifically include: signing with the more than a predetermined number of user private key component plaintexts to obtain a signature result.
Fig. 5 is a schematic diagram of a method for digital signature using a private key provided by an embodiment of the specification.
Specifically, when the private key is needed for a digital signature, more than a predetermined number of private key component ciphertexts are obtained from the data storage location and decrypted with the corresponding white-box decryption algorithm to obtain the corresponding private key component plaintexts, and the obtained private key component plaintexts are then used directly for the digital signature to obtain the signature result.
In order to illustrate more clearly the process of using the private key for digital signature and the corresponding public key for signature verification, Figure 6 and the related description are provided. Fig. 6 is a sequence diagram of a digital signature verification process using an asymmetric key provided by an embodiment of the specification. As an example, FIG. 7 shows a method of generating and using a private key at the first communicating party, for example, at a user terminal. The solution in this case is not limited to this: the private key and public key can also be generated on the server, after which the private key is encrypted and stored in the user terminal and used in the user terminal to perform cryptographic operations.
Referring to FIG. 6, the process of using an asymmetric key for digital signature verification may specifically include: the first communicating party generates the user private key components and a user public key, and encrypts the user private key components to obtain the user private key component ciphertexts; when the private key is needed for signing, the first communicating party decrypts more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, and then performs the digital signature using those plaintexts.
The above process further includes: the first communicating party broadcasts the public key, and accordingly the second communicating party can obtain the public key; after the second communicating party receives the signature result sent by the first communicating party, the second communicating party uses the user public key broadcast by the first communicating party to verify the signature result. Here, the steps in which the first communicating party broadcasts the public key and the second communicating party receives it can take place at any stage after the first communicating party generates the public key and before the second communicating party uses it, and are not limited to the timing shown in the figure.
According to an optional embodiment, in the foregoing asymmetric key use method, using the corresponding more than a predetermined number of user private key component plaintexts to perform the target operation may specifically include: decrypting the information to be decrypted with the more than a predetermined number of user private key component plaintexts to obtain the decryption result, wherein the information to be decrypted is information obtained by encryption with the user public key corresponding to the user private key.
Fig. 7 is a schematic diagram of a method for decrypting information using a private key provided by an embodiment of this specification.
Specifically, when the private key is needed to decrypt information encrypted with the corresponding public key, more than a predetermined number of private key component ciphertexts are obtained from the data storage location and decrypted with the corresponding white-box decryption algorithm to obtain the corresponding private key component plaintexts, and the obtained private key component plaintexts are then used directly to decrypt the information and obtain the decryption result.
In order to describe more clearly the process of using the public key for information encryption and the corresponding private key for information decryption, Figure 8 and the related description are provided. FIG. 8 is a sequence diagram of a process of information encryption and decryption using an asymmetric key provided by an embodiment of this specification. As an example, FIG. 8 shows a method of generating and using a private key at the first communicating party, for example, at a user terminal. The solution in this case is not limited to this: the private key and public key can also be generated on the server, after which the private key is encrypted and stored in the user terminal and used in the user terminal to perform cryptographic operations.
Referring to FIG. 8, the process of using an asymmetric key to encrypt and decrypt information specifically includes: the first communicating party generates the user private key components and a user public key, and encrypts the user private key components to obtain the user private key component ciphertexts; and the first communicating party broadcasts the public key.
The above process also includes: the second communicating party receives the public key broadcast by the first communicating party; when the second communicating party needs to send encrypted information to the first communicating party, it can encrypt the information with the public key received from the first communicating party and send the encrypted information to the first communicating party.
The above process also includes: when the first communicating party receives the encrypted information sent by the second communicating party, it decrypts more than a predetermined number of the stored user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, and uses those plaintexts to decrypt the encrypted information.
The above examples show only some specific ways of using the private key in this case, and the use of the private key is not limited to them. For example, it can also be used for key exchange. There is no specific limitation here.
According to the asymmetric key generation and use method in this case, the threshold cryptographic algorithm is used to generate the asymmetric key and to perform signature, decryption and other private key operations. Specifically, when the private key is generated, a threshold cryptographic algorithm is first used to generate multiple private key components, and each threshold private key component is then encrypted with a white-box cryptographic algorithm and stored. When the private key is needed for an operation, the white-box key is first used to decrypt the threshold private key components, and the threshold cryptographic algorithm is then used to perform private key operations such as signature and decryption.
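The generation and use flow summarised above, as an added example that is not code from the patent or its applicant: each user key is Shamir-split into n = 3 components, component p of every key is wrapped under slot key p, and decryption combines t + 1 unwrapped components through partial results so the full private key is never rebuilt. The toy ElGamal group, the choice of threshold ElGamal, the HMAC-based `wrap`/`unwrap` stand-in for white-box SM4 (it has none of white-box's key-hiding properties), and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for the example and far too small for real use:
# P = 2*Q + 1 with P and Q prime, and G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4
N, T = 3, 1   # n components per user key; any T + 1 of them can operate


def prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def new_slot_keys():
    """One wrapping key per component slot p = 1..n, shared by all user keys."""
    return {p: secrets.token_bytes(16) for p in range(1, N + 1)}


def wrap(slot_key, component):
    """Stand-in for white-box encryption of one component (NOT white-box SM4)."""
    nonce = secrets.token_bytes(16)
    plain = component.to_bytes(2, "big")
    ct = bytes(a ^ b for a, b in zip(plain, prf(slot_key, b"enc", nonce)))
    return nonce + ct + prf(slot_key, b"tag", nonce + ct)[:16]


def unwrap(slot_key, blob):
    """Recover one component; fails if the blob belongs to another slot key."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, prf(slot_key, b"tag", nonce + ct)[:16]):
        raise ValueError("ciphertext was not produced under this slot key")
    plain = bytes(a ^ b for a, b in zip(ct, prf(slot_key, b"enc", nonce)))
    return int.from_bytes(plain, "big")


def split(secret):
    """Shamir-split over Z_Q with a degree-T polynomial: T + 1 shares needed."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(T)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, N + 1)}


def generate(slot_keys):
    """Return (public key, {slot p: ciphertext of component p}) for one user key."""
    x = secrets.randbelow(Q - 1) + 1      # dealer-style split: x exists only here
    return pow(G, x, P), {p: wrap(slot_keys[p], s) for p, s in split(x).items()}


def encrypt(public, m):
    """ElGamal encryption by the other party, for m in 1..P-1."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(public, r, P) % P


def lagrange_at_zero(i, slots):
    num = den = 1
    for j in slots:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q      # modular inverse needs Python 3.8+


def threshold_decrypt(store, slot_keys, slots, ciphertext):
    """Decrypt with the components in `slots`; the private key x is never rebuilt."""
    slots = sorted(set(slots))
    if len(slots) < T + 1:
        raise ValueError("fewer components than the threshold requires")
    c1, c2 = ciphertext
    mask = 1
    for p in slots:
        share = unwrap(slot_keys[p], store[p])        # one component in the clear
        partial = pow(c1, share, P)                   # this component's contribution
        mask = mask * pow(partial, lagrange_at_zero(p, slots), P) % P
    return c2 * pow(mask, -1, P) % P                  # mask equals c1**x mod P


def demo(m_keys=4, message=1234):
    slot_keys = new_slot_keys()                       # n keys, however large m is
    results = []
    for _ in range(m_keys):
        public, store = generate(slot_keys)           # n ciphertexts on one device
        results.append(threshold_decrypt(store, slot_keys, [1, 3],
                                         encrypt(public, message)))
    return results
```

A single leaked slot key opens only one component of each user key, which is below the t + 1 threshold, and replacing a user key means calling `generate` again with the same slot keys.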
Generally, because it is easier for an attacker to obtain stored files, and because key data in memory is usually erased once it has been used and so exists only very briefly, the security requirements for a key in storage (that is, on the hard disk) are more demanding than those at runtime (that is, in memory). In view of this, the solution in this case provides stronger security guarantees precisely during key storage, and so meets the security requirements very well. Specifically, when the key is stored, it is protected by both the threshold cryptographic algorithm and the white-box cryptographic algorithm; when the key is used (in memory), it is protected by the threshold cryptographic algorithm.
Based on the same thinking, the embodiment of this specification also provides a device corresponding to the above-mentioned asymmetric key generation method. FIG. 9 is a schematic structural diagram of a private key generation device in an asymmetric key corresponding to FIG. 1 provided by an embodiment of the specification. As shown in Figure 9, the asymmetric key generation device may include:
The request obtaining module 310 is used to obtain an asymmetric key generation request;
The generation module 320 is configured to generate a user private key according to the asymmetric key generation request, where the user private key includes multiple user private key components;
The encryption module 330 is used to encrypt the multiple user private key components using a predetermined encryption method to obtain corresponding multiple user private key component ciphertexts, wherein at least two of the multiple user private key components are encrypted using different predetermined encryption methods;
The storage module 340 is used to store the ciphertexts of the multiple user private key components in the same device.
Optionally, the generation module 320 is specifically configured to use an asymmetric threshold cryptographic algorithm to generate the user private key according to the asymmetric key generation request.
Optionally, the encryption module 330 is specifically configured to use different white-box encryption algorithms to encrypt the multiple user private key components.
Optionally, the encryption module 330 is specifically configured to: encrypt any user private key component in one user private key using a white-box encryption algorithm different from that used for the other user private key components in the one user private key.
Optionally, the encryption module 330 is specifically configured such that: there are m user private keys, each including n user private key components, and the (m, n)th user private key component denotes the nth user private key component in the mth user private key; n different white-box encryption algorithms are used to encrypt all user private key components; and the p-th of the n different white-box encryption algorithms is used to encrypt the (1, p)th through (m, p)th user private key components, where m and n are positive integers and p is a positive integer not greater than n.
Optionally, the storage module 340 is specifically configured to store the plurality of user private key component ciphertexts in a device that requires the use of the user private key. In other words, the storage module 340 may be a storage module in the user terminal.
Optionally, the request obtaining module 310, the generation module 320, the encryption module 330, and the storage module 340 may all be provided in a user terminal. In other words, multiple user private key components can be generated at the user terminal and then encrypted and stored there.
Based on the same thinking, the embodiment of this specification also provides a device corresponding to the above-mentioned asymmetric key usage method. FIG. 10 is a schematic structural diagram of a private key using device in an asymmetric key corresponding to FIG. 3 provided by an embodiment of this specification. As shown in FIG. 10, the asymmetric key using device may include:
The key acquisition module 410 is configured to acquire more than a predetermined number of user private key component ciphertexts from the same device, the user private key component ciphertexts being generated according to the private key generation method in the aforementioned asymmetric key;
The decryption module 420 is configured to use a predetermined decryption algorithm to decrypt the more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, wherein the predetermined decryption method corresponds to the predetermined encryption method used when the user private key component ciphertext to be decrypted was encrypted;
The calculation module 430 is configured to use the corresponding more than a predetermined number of user private key component plaintexts to perform the target operation,
wherein the predetermined number represents the number of user private key components, among the plurality of user private key components, required to execute the target operation.
Optionally, the calculation module 430 is specifically configured to: sign with the more than a predetermined number of user private key component plaintexts to obtain a signature result.
Optionally, the calculation module 430 is specifically configured to: decrypt the information to be decrypted with the more than a predetermined number of user private key component plaintexts to obtain the decryption result, wherein the information to be decrypted is information obtained by encryption with the user public key corresponding to the user private key.
Based on the same thinking, the embodiment of this specification also provides a device corresponding to the method of generating and using the private key in the above-mentioned asymmetric key. FIG. 11 is a schematic structural diagram of a device for generating and/or using a private key in an asymmetric key according to an embodiment of this specification. As shown in FIG. 11, the device 500 may include:
At least one processor 510; and,
A storage 530 communicatively connected with the at least one processor; wherein,
The storage 530 stores instructions 520 executable by the at least one processor 510, and the instructions are executed by the at least one processor 510, so that the at least one processor 510 can:
Obtain an asymmetric key generation request;
Generate a user private key according to the asymmetric key generation request, where the user private key includes multiple user private key components;
Use a predetermined encryption method to encrypt the multiple user private key components to obtain corresponding multiple user private key component ciphertexts, wherein at least two of the multiple user private key components are encrypted using different predetermined encryption methods;
Store the multiple user private key component ciphertexts in the same device.
According to an embodiment, the device 500 may include:
At least one processor 510; and,
A storage 530 communicatively connected with the at least one processor; wherein,
The storage 530 stores instructions 520 executable by the at least one processor 510, and the instructions are executed by the at least one processor 510, so that the at least one processor can:
Obtain more than a predetermined number of user private key component ciphertexts from the same device, wherein the user private key component ciphertexts are obtained according to the private key generation method in the user asymmetric key;
Use a predetermined decryption method to decrypt the more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, wherein the predetermined decryption method corresponds to the encryption method used when the user private key component ciphertext to be decrypted was encrypted;
Use the corresponding more than a predetermined number of user private key component plaintexts to perform the target operation,
wherein the predetermined number represents the minimum number of user private key components, among the plurality of user private key components, required to perform the target operation.
It will be understood that although the terms "first", "second", "third", etc., and "1-1/(1, 1)th", "1-2/(1, 2)th", "1-3/(1, 3)th", etc., are used herein to describe various parts, these parts should not be limited by these terms. These terms are only used to distinguish one part from another. Therefore, without departing from the teaching of this article, the "first..." discussed here can also be called "second...", and "1-1/(1, 1)th..." can also be called "1-2/(1, 2)th...".
The above describes specific embodiments of this specification.
In some cases, the actions or steps described in the scope of the patent application can be performed in a different order from the embodiments and still achieve desired results. In addition, the processes depicted in the drawings do not necessarily require the specific order or sequential order shown in order to achieve the desired result. In some embodiments, multiplexing and parallel processing are also possible or may be advantageous.
The various embodiments in this specification are described in a progressive manner; the same or similar parts of the various embodiments can be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, because the device and equipment embodiments are basically similar to the method embodiments, their description is relatively brief, and the relevant parts can be found in the description of the method embodiments.
The devices, equipment, and methods provided in the embodiments of this specification correspond to one another. Therefore, the devices and equipment also have beneficial technical effects similar to those of the corresponding methods. Since the beneficial technical effects of the methods have been described in detail above, they are not repeated here for the corresponding devices and equipment.
In the 1990s, an improvement to a technology could be clearly distinguished as either an improvement in hardware (for example, an improvement in the circuit structure of diodes, transistors, switches, etc.) or an improvement in software (an improvement to a method flow). However, with the development of technology, many of today's improvements to method flows can be regarded as direct improvements to the hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit.
Therefore, it cannot be said that the improvement of a method flow cannot be realized by a hardware entity module. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic function is determined by the user programming the device. The designer programs it to "integrate" a digital system on a PLD, without requiring a chip manufacturer to design and manufacture a dedicated integrated circuit chip. Moreover, nowadays, instead of manually making integrated circuit chips, this programming is mostly realized with "logic compiler" software, which is similar to the software compiler used in program development. The original code before compilation must also be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description Language), etc. Currently the most commonly used are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. It should also be clear to those skilled in the art that a hardware circuit implementing the logical method flow can easily be obtained simply by logically programming the method flow in one of the above hardware description languages and programming it into an integrated circuit.

The controller can be implemented in any suitable manner. For example, the controller can take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include but are not limited to the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller can also be implemented as part of the memory control logic. Those skilled in the art also know that, in addition to implementing the controller purely as computer-readable program code, it is entirely possible, by logically programming the method steps, to have the controller realize the same functions in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, such a controller can be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as structures within the hardware component. Or even, the devices for realizing various functions can be regarded both as software modules implementing the method and as structures within a hardware component.

The systems, devices, modules, or units explained in the above embodiments may be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, the computer can be, for example, a personal computer, a desktop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or any combination of these devices.

For convenience of description, the above device is described with its functions divided into various units. Of course, when implementing this case, the functions of the units can be implemented in one or more pieces of software and/or hardware.
Those skilled in the art should understand that the embodiments of the present invention can be provided as a method, a system, or a computer program product. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, equipment (systems), and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be realized by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a dedicated computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for realizing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions can also be stored in a computer-readable storage that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable storage produce an article of manufacture including an instruction device, and the instruction device realizes the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing equipment, so that a series of operating steps are performed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.

In a typical configuration, the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.

Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology. The information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape storage or other magnetic storage devices, or any other non-transmission media that can be used to store information accessible by computing devices. As defined in this document, computer-readable media do not include transitory media, such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity or equipment including a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, commodity, or equipment. Without further restrictions, an element defined by the phrase "including a..." does not exclude the existence of other identical elements in the process, method, commodity, or equipment that includes the element.

This case can be described in the general context of computer-executable instructions executed by a computer, such as a program module. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform specific tasks or implement specific abstract data types. This case can also be implemented in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in both local and remote computer storage media, including storage devices.

The various embodiments in this specification are described in a progressive manner; the same or similar parts of the various embodiments can be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is basically similar to the method embodiment, its description is relatively brief, and for the relevant parts reference can be made to the description of the method embodiment.

The above descriptions are only examples of this case and are not used to limit this case. For those skilled in the art, various modifications and changes to this case are possible.
Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of this case shall be included in the scope of the patent application of this case.

S110: Step
S120: Step
S130: Step
S140: Step
S210: Step
S220: Step
S230: Step
310: Request obtaining module
320: Generating module
330: Encryption module
340: Storage module
410: Key acquisition module
420: Decryption module
430: Computing module
500: Device
510: Processor
520: Instructions
530: Storage

The drawings described here are used to provide a further understanding of this case and constitute a part of this case. The exemplary embodiments of this case and their descriptions are used to explain this case and do not constitute an improper limitation of it. In the drawings:
[Fig. 1] A flowchart of a method for generating a private key in an asymmetric key provided by an embodiment of this specification;
[Fig. 2] A schematic diagram of the principle of the method for generating a user private key provided by an embodiment of this specification;
[Fig. 3] A flowchart of the method for using the private key in an asymmetric key provided by an embodiment of this specification;
[Fig. 4] A schematic diagram of the principle of the asymmetric key generation method provided by an embodiment of this specification;
[Fig. 5] A schematic diagram of the principle of the method for digital signing using a private key provided by an embodiment of this specification;
[Fig. 6] A sequence diagram of the digital signature verification process using an asymmetric key provided by an embodiment of this specification;
[Fig. 7] A schematic diagram of the principle of the method for decrypting information using a private key provided by an embodiment of this specification;
[Fig. 8] A sequence diagram of the information encryption and decryption process using an asymmetric key provided by an embodiment of this specification;
[Fig. 9] A schematic structural diagram of a device for generating a private key in an asymmetric key, corresponding to Fig. 1, provided by an embodiment of this specification;
[Fig. 10] A schematic structural diagram of a device for using a private key in an asymmetric key, corresponding to Fig. 3, provided by an embodiment of this specification;
[Fig. 11] A schematic structural diagram of equipment for generating and using a private key in an asymmetric key provided by an embodiment of this specification.

Claims (16)

1. A method for generating a private key in an asymmetric key, comprising:
obtaining an asymmetric key generation request;
generating a user private key according to the asymmetric key generation request, the user private key comprising multiple user private key components;
encrypting the multiple user private key components using a predetermined encryption method to obtain corresponding multiple user private key component ciphertexts, wherein at least two of the multiple user private key components are encrypted using different predetermined encryption methods;
storing the multiple user private key component ciphertexts in the same device.

2. The method according to claim 1, wherein generating a user private key according to the asymmetric key generation request specifically comprises:
generating the user private key according to the asymmetric key generation request using an asymmetric threshold cryptographic algorithm.

3. The method according to claim 1, wherein encrypting the multiple user private key components using a predetermined encryption method specifically comprises:
encrypting the multiple user private key components using a white-box encryption algorithm.
4. The method according to claim 3, wherein at least two of the multiple user private key components being encrypted using different predetermined encryption methods specifically comprises:
for any user private key component in one user private key, encrypting it using a white-box encryption algorithm different from that used for the other user private key components in the one user private key.

5. The method according to claim 4, further comprising:
obtaining another asymmetric key generation request;
generating another user private key according to the another asymmetric key generation request, the another user private key comprising multiple user private key components;
for any user private key component in the another user private key, encrypting it using the same white-box encryption algorithm as that used for one user private key component in the one user private key, each user private key component in the another user private key using a different white-box encryption algorithm,
wherein the number of user private key components in the another user private key is the same as the number of user private key components in the one user private key.

6. The method according to claim 1, wherein storing the multiple user private key component ciphertexts in the same device specifically comprises:
storing the multiple user private key component ciphertexts in a device that needs to use the user private key.
7. The method according to claim 1, further comprising, after storing the multiple user private key component ciphertexts in the same device:
obtaining more than a predetermined number of user private key component ciphertexts from the same device;
using a predetermined decryption method, decrypting the more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, wherein the predetermined decryption method corresponds to the predetermined encryption method used when the user private key component ciphertext to be decrypted was encrypted;
using the corresponding more than a predetermined number of user private key component plaintexts to perform a target operation,
wherein the predetermined number represents the minimum number of user private key components, among the multiple user private key components, required to perform the target operation.

8. The method according to claim 7, wherein using the corresponding more than a predetermined number of user private key component plaintexts to perform the target operation specifically comprises:
signing using the more than a predetermined number of user private key component plaintexts to obtain a signing result.
9. The method according to claim 7, wherein using the corresponding more than a predetermined number of user private key component plaintexts to perform the target operation specifically comprises:
decrypting information to be decrypted using the more than a predetermined number of user private key component plaintexts to obtain a decryption result,
wherein the information to be decrypted is information obtained by encryption with the user public key corresponding to the user private key.

10. A method for using a private key in an asymmetric key, comprising:
obtaining more than a predetermined number of user private key component ciphertexts from the same device, wherein the user private key component ciphertexts are obtained by the method according to claims 1 to 6;
using a predetermined decryption method, decrypting the more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, wherein the predetermined decryption method corresponds to the encryption method used when the user private key component ciphertext to be decrypted was encrypted;
using the corresponding more than a predetermined number of user private key component plaintexts to perform a target operation,
wherein the predetermined number represents the minimum number of user private key components, among the multiple user private key components, required to perform the target operation.
11. A device for generating a private key in an asymmetric key, comprising:
a request obtaining module, used to obtain an asymmetric key generation request;
a generating module, used to generate a user private key according to the asymmetric key generation request, the user private key comprising multiple user private key components;
an encryption module, used to encrypt the multiple user private key components using a predetermined encryption method to obtain corresponding multiple user private key component ciphertexts, wherein at least two of the multiple user private key components are encrypted using different predetermined encryption methods;
a storage module, used to store the multiple user private key component ciphertexts in the same device.

12. The device according to claim 11, wherein the generating module is specifically used to:
generate the user private key according to the asymmetric key generation request using an asymmetric threshold cryptographic algorithm.

13. The device according to claim 11, wherein the encryption module is specifically used to:
encrypt the multiple user private key components using different white-box encryption algorithms.
14. A device for using a private key in an asymmetric key, comprising:
a key acquisition module, used to obtain more than a predetermined number of user private key component ciphertexts from the same device, the user private key component ciphertexts being obtained by the method according to claims 1 to 6;
a decryption module, used to decrypt, using a predetermined decryption algorithm, the more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, wherein the predetermined decryption method corresponds to the predetermined decryption method used when the user private key component ciphertext to be decrypted was encrypted;
a computing module, used to perform a target operation using the corresponding more than a predetermined number of user private key component plaintexts,
wherein the predetermined number represents the number of user private key components, among the multiple user private key components, required to perform the target operation.
15. Equipment for generating a private key in an asymmetric key, comprising:
at least one processor; and
a storage communicatively connected with the at least one processor; wherein
the storage stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can:
obtain an asymmetric key generation request;
generate a user private key according to the asymmetric key generation request, the user private key comprising multiple user private key components;
encrypt the multiple user private key components using a predetermined encryption method to obtain corresponding multiple user private key component ciphertexts, wherein at least two of the multiple user private key components are encrypted using different predetermined encryption methods;
store the multiple user private key component ciphertexts in the same device.
16. Equipment for using a private key in an asymmetric key, comprising:
at least one processor; and
a storage communicatively connected with the at least one processor; wherein
the storage stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can:
obtain more than a predetermined number of user private key component ciphertexts from the same device, wherein the user private key component ciphertexts are obtained by the method according to claims 1 to 6;
using a predetermined decryption method, decrypt the more than a predetermined number of user private key component ciphertexts to obtain the corresponding more than a predetermined number of user private key component plaintexts, wherein the predetermined decryption method corresponds to the encryption method used when the user private key component ciphertext to be decrypted was encrypted;
use the corresponding more than a predetermined number of user private key component plaintexts to perform a target operation,
wherein the predetermined number represents the minimum number of user private key components, among the multiple user private key components, required to perform the target operation.
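The generation and use flows claimed above, as an added Python illustration that is not code from the patent: a private key is split into threshold components, each component is sealed with a different method, all ciphertexts sit in one store, and decryption runs from any t of them without rebuilding the key. Assumptions: the keyed PRF constructions `wb-A`, `wb-B` and `wb-C` only stand in for distinct white-box ciphers, hashed ElGamal over a toy-size Schnorr group with Shamir sharing stands in for the unspecified asymmetric threshold algorithm, and every function name is hypothetical.

```python
import hashlib, hmac, secrets

Q = 2**127 - 1   # Mersenne prime: subgroup order and share field (toy size, demo only)
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):      # Miller-Rabin with fixed bases; only picks the demo group
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group(q):          # smallest prime p = 2kq + 1 and an element g of order q mod p
    k = 1
    while not is_probable_prime(2 * k * q + 1):
        k += 1
    p = 2 * k * q + 1
    return p, next(g for g in (pow(h, 2 * k, p) for h in range(2, 50)) if g != 1)

P, G = schnorr_group(Q)

# Assumption: three different keyed PRFs stand in for three distinct white-box ciphers.
PRFS = {
    "wb-A": lambda k, n: hmac.new(k, n, hashlib.sha256).digest(),
    "wb-B": lambda k, n: hmac.new(k, n, hashlib.sha512).digest(),
    "wb-C": lambda k, n: hashlib.blake2s(n, key=k).digest(),
}
KEYS = {m: secrets.token_bytes(32) for m in PRFS}  # a white-box build would embed these in code

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal(method, share):       # encrypt-then-MAC one component under the named method
    nonce = secrets.token_bytes(16)
    pad = PRFS[method](KEYS[method], nonce)
    body = _xor(share.to_bytes(16, "big"), pad[:16])
    return nonce + body + hmac.new(pad[16:32], nonce + body, hashlib.sha256).digest()[:16]

def unseal(method, blob):      # the decryption method must match the encryption method
    nonce, body, tag = blob[:16], blob[16:32], blob[32:]
    pad = PRFS[method](KEYS[method], nonce)
    want = hmac.new(pad[16:32], nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("ciphertext was not produced by method " + method)
    return int.from_bytes(_xor(body, pad[:16]), "big")

def generate(n, t):
    """Generation flow: returns (public key, single-device store of n component ciphertexts)."""
    if not 1 < t <= n <= len(PRFS):
        raise ValueError("need 1 < t <= n <= number of distinct methods")
    coeffs = [secrets.randbelow(Q - 1) + 1] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}
    store = {i: (m, seal(m, shares[i])) for i, m in zip(shares, PRFS)}  # one method per component
    return pow(G, coeffs[0], P), store

def shared_secret(store, ids, t, c1):
    """Target operation c1^x mod P from at least t components; x itself is never rebuilt."""
    ids = sorted(set(ids))
    if len(ids) < t:
        raise ValueError("fewer components than the threshold")
    acc = 1
    for i in ids:
        lam = 1                                   # Lagrange coefficient of component i at 0
        for j in ids:
            if j != i:
                lam = lam * (-j) * pow((i - j) % Q, -1, Q) % Q
        acc = acc * pow(c1, unseal(*store[i]) * lam % Q, P) % P
    return acc

def _kdf(elem, n):             # n-byte keystream derived from a group element
    return hashlib.shake_256(elem.to_bytes((P.bit_length() + 7) // 8, "big")).digest(n)

def encrypt(pub, msg):         # hashed ElGamal to the user public key
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), _xor(msg, _kdf(pow(pub, r, P), len(msg)))

def decrypt(store, ids, t, ciphertext):
    c1, body = ciphertext
    return _xor(body, _kdf(shared_secret(store, ids, t, c1), len(body)))

if __name__ == "__main__":
    pub, store = generate(n=3, t=2)
    print(decrypt(store, [1, 3], 2, encrypt(pub, b"constructed sample message")))
```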
TW109116537A 2019-09-24 2020-05-19 Method, device and equipment for generating and using private key in asymmetric key TWI736271B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910902373.0A CN110650010B (en) 2019-09-24 2019-09-24 Method, device and equipment for generating and using private key in asymmetric key
CN201910902373.0 2019-09-24

Publications (2)

Publication Number Publication Date
TW202113646A true TW202113646A (en) 2021-04-01
TWI736271B TWI736271B (en) 2021-08-11

Family

ID=69011105

Family Applications (1)

Application Number Title Priority Date Filing Date
TW109116537A TWI736271B (en) 2019-09-24 2020-05-19 Method, device and equipment for generating and using private key in asymmetric key

Country Status (3)

Country Link
CN (1) CN110650010B (en)
TW (1) TWI736271B (en)
WO (1) WO2021057073A1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6965921B2 (en) * 2016-09-08 2021-11-10 日本電気株式会社 Network function virtualization system and verification method
CN110650010B (en) * 2019-09-24 2022-04-29 支付宝(杭州)信息技术有限公司 Method, device and equipment for generating and using private key in asymmetric key
CN111628863B (en) * 2020-05-29 2021-02-09 北京海泰方圆科技股份有限公司 Data signature method and device, electronic equipment and storage medium
CN111934860B (en) * 2020-08-06 2024-01-05 山东省计算中心(国家超级计算济南中心) Implementation method and system for mobile terminal key storage
CN112418853A (en) * 2020-09-22 2021-02-26 上海哔哩哔哩科技有限公司 Transaction data encryption method and device based on block chain
CN113051623A (en) * 2021-03-11 2021-06-29 华控清交信息科技(北京)有限公司 Data processing method and device and electronic equipment
TWI821824B (en) * 2021-12-16 2023-11-11 上銀科技股份有限公司 Method and system of automatically loading of parameters, and serving-end server and client-end server thereof
TWI796885B (en) * 2021-12-21 2023-03-21 龍華科技大學 Industrial internet of things and safe communication method thereof
CN114268434A (en) * 2021-12-28 2022-04-01 晋商博创(北京)科技有限公司 Asymmetric password authentication method, device and storage medium
TWI800315B (en) * 2022-03-21 2023-04-21 銓安智慧科技股份有限公司 Data file transmission and access rights management system and method
CN117278986B (en) * 2023-11-23 2024-03-15 浙江小遛信息科技有限公司 Data processing method and data processing equipment for sharing travel

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1977552B1 (en) * 2006-01-24 2012-08-01 Stepnexus, Inc. Method and system for personalizing smart cards using asymmetric key cryptography
US8595507B2 (en) * 2011-02-16 2013-11-26 Novell, Inc. Client-based authentication
US9667416B1 (en) * 2014-12-18 2017-05-30 EMC IP Holding Company LLC Protecting master encryption keys in a distributed computing environment
US20170222805A1 (en) * 2016-02-03 2017-08-03 Cocoon Data Holdings Pty Limited Escrow key fragmentation system
CN105933113A (en) * 2016-06-13 2016-09-07 北京三未信安科技发展有限公司 Secret key backup recovering method and system, and related devices
EP3334083A1 (en) * 2016-12-08 2018-06-13 Gemalto SA Method of rsa signature or decryption protected using a homomorphic encryption
MX2019008264A (en) * 2017-01-09 2020-01-27 Arris Entpr Llc Homomorphic white box system and method for using same.
CN106850220B (en) * 2017-02-22 2021-01-01 腾讯科技(深圳)有限公司 Data encryption method, data decryption method and device
CN108494551A (en) * 2018-03-16 2018-09-04 数安时代科技股份有限公司 Processing method, system, computer equipment and storage medium based on collaboration key
CN109560927B (en) * 2018-11-21 2022-05-03 创新先进技术有限公司 Equipment fingerprint implementation method and device
CN110650010B (en) * 2019-09-24 2022-04-29 支付宝(杭州)信息技术有限公司 Method, device and equipment for generating and using private key in asymmetric key

Also Published As

Publication number Publication date
CN110650010A (en) 2020-01-03
TWI736271B (en) 2021-08-11
CN110650010B (en) 2022-04-29
WO2021057073A1 (en) 2021-04-01

Similar Documents

Publication Publication Date Title
TWI736271B (en) Method, device and equipment for generating and using private key in asymmetric key
US10785019B2 (en) Data transmission method and apparatus
EP3091690B1 (en) Rsa decryption using multiplicative secret sharing
US11880831B2 (en) Encryption system, encryption key wallet and method
CN110235409B (en) Method for protected RSA signature or decryption using homomorphic encryption
US8670563B2 (en) System and method for designing secure client-server communication protocols based on certificateless public key infrastructure
US20190245686A1 (en) Secure crypto system attributes
US11063743B2 (en) Method of RSA signature of decryption protected using assymetric multiplicative splitting
CN111448779A (en) System, device and method for hybrid secret sharing
Tayde et al. File encryption, decryption using AES algorithm in android phone
JP2016523391A (en) Method and apparatus for encrypting plaintext data
EP3125462A1 (en) Balanced encoding of intermediate values within a white-box implementation
US11101980B2 (en) System and method for adding and comparing integers encrypted with quasigroup operations in AES counter mode encryption
Gupta et al. A new way to design and implementation of hybrid crypto system for security of the information in public network
Yousif et al. Enhancing approach for information security in hadoop
CN109361506B (en) Information processing method
US11496287B2 (en) Privacy preserving fully homomorphic encryption with circuit verification
WO2021041676A1 (en) Multi-party cryptographic systems and methods
CN107483387A (en) A kind of method of controlling security and device
CN109617876A (en) Data encryption, decryption method and system based on Http agreement
Singh et al. Securing RJSON data between Middleware and Smart phones through Java Script based Cryptographic Algorithms
Vimmadisetti et al. Data security on cloud: A survey, research issues and challenges
Kumar NETWORK SECURITY WITH CRYPTOGRAPHY ANALYSIS TECHNIQUES
Kumar et al. On Cloud Security using Biometric Cryptographic Techniques
JP2022551586A (en) Execution of entity-specific cryptographic code in cryptographic coprocessors