CN101309278B - Method and system for storing encrypt data on customer - Google Patents
Method and system for storing encrypt data on customer Download PDFInfo
- Publication number
- CN101309278B CN101309278B CN2008101275538A CN200810127553A CN101309278B CN 101309278 B CN101309278 B CN 101309278B CN 2008101275538 A CN2008101275538 A CN 2008101275538A CN 200810127553 A CN200810127553 A CN 200810127553A CN 101309278 B CN101309278 B CN 101309278B
- Authority
- CN
- China
- Prior art keywords
- client
- password
- data
- server
- hash
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention concretely discloses a method of storing the encrypted data in the client; the method includes that the client sends the login password to the server and receives the returned encrypted object with the current time from the server; the client processes at least once hash towards the login password to generate the hash data; the encrypted object is encrypted through the hash data to generate the encrypted data; the client stores the encrypted data. The invention also discloses a system which stores the encrypted data in the client. The method and the system which store the encrypted data in the client improve the security of the encrypted data stored in the client.
Description
Technical field
The present invention relates to communication network areas, particularly relate to a kind of method and system in the client storage enciphered data.
Background technology
Generally speaking, the user can require the user to import corresponding login account number and login password when client having of using that server provides software that authority requires or application program usually, uses to prevent the disabled user.Login for the convenience of the user, client provides " remembeing password " function of login account number.The user uses " remembeing password " function when logining for the first time, with the login account number with login password is corresponding remembers that the password bill is kept at client.When the user when same client is logined once more, only need provide the login account number, this client will directly be read according to this login account and be remembered password bill, login account accordingly.
Referring to Fig. 1, in the prior art at the method flow diagram of client storage enciphered data.Said method comprising the steps of:
Step 101: the user is at certain client login interface input login account number and login password, and selection " remembeing password " function;
Step 102: login account number and login password that client provides according to the user, the cryptographic hash that obtains with the plaintext of described login password or by the plaintext hash of described login password be as remembeing the password bill, and preserve.
As user during once more in the login of described client, input login account number, client be according to the login account number that the user provides, and what extract this login account correspondence remembers the password bill, passes to server;
Whether the password bill of remembeing that the server verification receives conforms to the login password information of self preserving, if, think that login password is correct, allow the user directly to login; If not, return the login password error message, the Client-Prompt user re-enters login password.
The login password information that server is preserved can be the plaintext of login password, also can be and the corresponding cryptographic hash of login password plaintext.If server is preserved be login password expressly, then at first expressly calculate corresponding cryptographic hash according to login password, whether the cryptographic hash that calculates of verification identical with the cryptographic hash that receives again; If what server was preserved is cryptographic hash, then directly whether the cryptographic hash of verification self preservation is identical with the cryptographic hash that receives.
Above-mentionedly remember the method for password bill in client storage, directly with login password expressly or cryptographic hash as remembeing that the password bill is kept at local client.
Obviously, this way is very unsafe.If forget the described function of cancellation after using " remembeing password " function on user's client in public, the password bill of remembeing of generation will be kept at client, be easy to be obtained by other people.Remember that when described the password bill is a login password expressly the time, directly causes login password stolen; When remembeing that the password bill is cryptographic hash,, just can cause login password stolen when described according to cryptographic hash by the counter plaintext of finding login password of hash result database as long as know the computational methods of cryptographic hash.
Summary of the invention
Technical problem to be solved by this invention provides a kind of method and system in the client storage enciphered data, to strengthen the fail safe in the client storage enciphered data.
For solving the problems of the technologies described above, the invention provides a kind of method in the client storage enciphered data, described method comprises: client sends login password to server, receives the cryptographic object that comprises the current time that described server returns; The described current time, be meant that the user preserves the time or the time of renewing of login password for the first time in described client; Described client generates hash data at least hash of described login password, utilizes described hash data that described cryptographic object is encrypted, and generates enciphered data; Described client storage enciphered data.
Wherein, utilize described hash data that described cryptographic object is encrypted and be specially: add in described hash data and obscure data, the hash data that the utilization adding is obscured after the data is encrypted described cryptographic object.
Wherein, further comprise after utilizing described hash data that described cryptographic object is encrypted: utilize client terminal local information described cryptographic object superencipher.
Wherein, described client terminal local information is the data that client NIC physical address, client hard disk sequence number and/or client generate at random.
Wherein, further comprise: client sends and contains the automatic logging request of enciphered data to described server; Described server is deciphered described enciphered data, determines that the current time in the described cryptographic object surpasses the default maximum permission time interval, returns to allow auto login information to give described client.
Wherein, client sends login password to after the server, further comprises: the preservation term of validity that password is set.
Wherein, further comprise: client sends the password preservation that contains enciphered data and renews request to described server; Described server is deciphered described enciphered data, upgrades the cryptographic object that obtains after the deciphering, the cryptographic object after upgrading is encrypted again, and returns renewal back enciphered data and gives described client; Described server prolongs password and preserves the term of validity.
Wherein, described server prolongation password is preserved before the term of validity, further comprises: described server determines that the preservation of reception password renews request number of times and allows to renew number of times above default maximum.
Wherein, described server prolongs password to be preserved before the term of validity, further comprises: the preservation of the definite reception of described server password renews request time and surpasses the default maximum permission time interval.
Wherein, upgrading the cryptographic object that obtains after the deciphering comprises: server adds the preservation of reception password and renews request time in described cryptographic object.
Wherein, receive the password preservation and renew request time for receiving the time that password is preserved the request that renews recently.
Wherein, upgrading the cryptographic object that obtains after the deciphering comprises: server adds the preservation of reception password and renews request number of times in described cryptographic object.
Wherein, upgrading the cryptographic object that obtains after the deciphering comprises: server adds format version number and obscures data in described cryptographic object.
The present invention also provides a kind of system in the client storage enciphered data, comprise client and server, described client comprises: the cryptographic object receiver module, be used to send login password to server, and receive the cryptographic object that comprises the current time that described server returns; The described current time, be meant that the user preserves the time or the time of renewing of login password for the first time in described client; The login password Hash module is used for hash of described login password at least, generates hash data; The hash data encrypting module is used to utilize described hash data that described cryptographic object is encrypted, and generates enciphered data; Memory module is used to preserve the enciphered data that described hash data encrypting module sends.
Wherein, described client further comprises: the local information encrypting module is used to utilize client terminal local information that the enciphered data of described hash data encrypting module output is encrypted; Described memory module is used to preserve the enciphered data that described local information encrypting module sends.
Compared with prior art, the present invention has the following advantages:
Adopting the described method of the embodiment of the invention, be kept at the enciphered data of client, is to adopt the hash data that the login password hash is obtained as key, and the cryptographic object encryption that comprises the current time that server is returned obtains.When described enciphered data is acquired, even know the cryptographic algorithm of employing, owing to be difficult to the information of acquisition about encrypted object, therefore, only obtain as the possibility of the hash data relevant of key very for a short time, ensure the fail safe of storing encrypt data with login password according to described enciphered data.In prior art, only access to your password hash as remembeing to have strengthened fail safe greatly by the password bill in the client storage enciphered data.
Simultaneously, in the described method of the embodiment of the invention, the cryptographic object that comprises the current time that described server returns, the described current time is in described client carries out the time that password is preserved first.Even other people can login successfully according to the enciphered data that is kept at client, server can compare time of carrying out the password preservation first in the cryptographic object and this login time, when carrying out time that password preserves and the interval between this login time first when excessive, server can notify the client refusal that described account number is logined automatically, and the prompting user re-enters login password.Therefore, even other people can login successfully according to the enciphered data that is kept at client, also can't use described account number for a long time, in certain time limit, the Auto Login feature of described account number will be cancelled automatically.
Description of drawings
Fig. 1 is at the method flow diagram of client storage enciphered data in the prior art;
Fig. 2 is the described method flow diagram in the client storage enciphered data of the embodiment of the invention;
Fig. 3 is the described method flow diagram in the client storage enciphered data of first embodiment of the invention;
Fig. 4 is for adopting the automatic login process figure of the described method in the client storage enciphered data of first embodiment of the invention;
Fig. 5 is the described method flow diagram in the client storage enciphered data of second embodiment of the invention;
Fig. 6 is for adopting the automatic login process figure of the described method in the client storage enciphered data of second embodiment of the invention;
Fig. 7 is the described system diagram in the client storage enciphered data of first embodiment of the invention;
Fig. 8 is the described system diagram in the client storage enciphered data of second embodiment of the invention.
Embodiment
For above-mentioned purpose of the present invention, feature and advantage can be become apparent more, the present invention is further detailed explanation below in conjunction with the drawings and specific embodiments.
Referring to Fig. 2, be the described method flow diagram of the embodiment of the invention in the client storage enciphered data.
Step 1111: client sends login password to server, receives the cryptographic object that comprises the current time that described server returns;
Step 1112: described client is carried out hash at least one time to described login password, generates the hash data corresponding with login password, as key, the described cryptographic object of current time that comprises is encrypted, and generates enciphered data;
Step 1113: described client storage enciphered data.
Referring to Fig. 3, be the described method flow diagram of first embodiment of the invention in the client storage enciphered data.
Step 201: the user is at client login interface input login account number and login password, and selection " remembeing password " function;
Step 202: client sends and to comprise logging request that the user logins account number and login password to server, the cryptographic object that contains current time information that reception server returns;
The described current time, be the user preserves described user login code for the first time in described client time.To same client, the described time is unique.
Step 203: client is selected hashing algorithm, and the login password that the user is provided carries out hash at least one time, obtains the hash data corresponding with login password, as key;
Described hashing algorithm is an one-way function, receives the plaintext of password, with statement password character string expressly, converts one section hash data that can't be used for rebuilding original plaintext, i.e. cryptographic hash to.
In the described method of the embodiment of the invention, the login password that can directly provide the user carries out hash, generates cryptographic hash, as key.
In order to strengthen the fail safe that login password is preserved, the present invention can also adopt predefined operation function f that cryptographic hash is calculated, and obtains the hash data relevant with cryptographic hash, as key.
Described hash data=the f relevant (cryptographic hash) with cryptographic hash
F is predefined operation function, can specifically set as required.F carries out the inferior hash of N (N is not less than 1 integer) again to described cryptographic hash, and generally selecting N is 2,3 or 4, obtains hash data, as key; Also can be earlier described cryptographic hash to be carried out N time hash again, in the hash data that obtains, obscure data accordingly then, obtain new hash data, as key by the preset rule adding; Also can be in described cryptographic hash, to obscure data accordingly earlier, carry out N time hash again, obtain new hash data, as key by the preset rule adding.
In function f, for further tightening security property, to N hash, each hash can adopt identical hashing algorithm, also can adopt different hashing algorithms, to strengthen the complexity as the hash data of key, strengthens the difficulty that is decrypted.
Step 204: the predefined cryptographic algorithm of customer end adopted,, as key described cryptographic object is encrypted with described hash data, generate enciphered data, as remembeing the password bill, be kept at client.
Described cryptographic algorithm is some specific formula and rules, is used for the transform method between regulation plaintext and the ciphertext.With data encryption standard DEA (DES:Data Encryption Standard) commonly used be that example illustrates that the employing cryptographic algorithm carries out encrypted process.
Described DES is a kind of algorithm that binary data is encrypted, and comprises three parameters: key (Key), expressly (Data) and model selection (Mode) of data.Wherein said Key is totally 64 of 8 bytes, is the working key of DES algorithm; Data also is 64 of 8 bytes, is the data plaintext of wanting encrypted or decrypted; The mode of operation of Mode position DES comprises and encrypting or deciphering.
When described Mode when encrypting, with Key Data is encrypted, ciphered data expressly through 16 take turns iterate, cataloged procedures such as product of transformation, compressed transform, the enciphered data (64) of generation Data is as the output result of DES.In decrypting process, adopt same Key that code data is decrypted, reproduce the data plaintext of plain code form.
In the described method of the embodiment of the invention, described cryptographic object is the Data that will encrypt, and as Key, Mode is for encrypting with described hash data.Adopt the DES algorithm that described cryptographic object is carried out cryptographic calculation, the enciphered data of generation is as remembeing that the password bill is kept at client.
Adopt the described method of the embodiment of the invention, what be kept at client remembers the password bill, and promptly enciphered data is to adopt the hash data that the login password hash is obtained as key, and the cryptographic object that comprises the current time that server is returned is encrypted and obtained.Remember that when described the password bill is acquired, even know the cryptographic algorithm of employing, owing to be difficult to the information of acquisition about encrypted object, therefore, only to remember that the password bill obtains as the possibility of the hash data information relevant with login password of key very little according to described, ensures the fail safe of remembeing the password bill in client storage.In prior art, only access to your password hash, strengthened greatly in client storage and remembered the password document security as remembeing the password bill.
In the described method of the embodiment of the invention, described hash data as key can calculate cryptographic hash by predefined function f, even describedly remember that the password bill is decrypted, obtain cryptographic object, but, also be difficult to obtain password expressly by the anti-hash data of looking into owing to can't learn the concrete definition mode of function f.
Client described in the embodiment of the invention can be the software of client, the web application that World Wide Web (WWW) (web) triggers, the wireless application of portable terminal class etc.The described method of the embodiment of the invention is applicable to fields such as instant messaging, mail and recreation.
Referring to Fig. 4, for adopting the described flow chart of logining automatically in the method for client storage enciphered data of first embodiment of the invention.
Step 301: the user is once more in described client login, the login account number that client provides according to the user, extract the corresponding password bill of remembeing from this locality, i.e. enciphered data sends to contain and describedly remembers that the automatic logging request of password bill and login account number is to server;
Step 302: server receives described automatic landing request information, extracts the cryptographic hash data corresponding with described login account number from database, as the key of deciphering;
If be as key in the step 202 by the cryptographic hash hash data that computing obtains according to function f, then corresponding, in the step 302, described cryptographic hash is carried out computing according to predefined operation function f described in the step 202, generate hash data, as the key of deciphering;
Step 303: server is decrypted the password bill of remembeing that is received from client with described hash data, if successful decryption proves that the client password is correct, obtains cryptographic object, enters step 304; If the deciphering failure enters step 306;
Server adopt with step 204 in identical cryptographic algorithm remember that to described the password bill is decrypted.
Step 304: server to deciphering after the described cryptographic object that obtains check judge describedly remember whether the password bill effective, if describedly remember that the password bill is effective, enter step 305; Otherwise, enter step 306;
Described cryptographic object abbreviates the password holding time as for preserve the time of described user login code relevant information for the first time in described client.
Described judgement remembers whether the password bill effectively specifically may further comprise the steps.
Step 304a: judge whether the described password holding time be later than the server current time, if, illustrate and describedly remember that the password bill is invalid, enter step 306; Otherwise, enter step 304b;
Step 304b: judge whether the described password holding time and the described time interval of server between the current time surpass default maximum and allow the time interval, if, illustrate and describedly remember that the password bill preserved for a long time not login at local client, describedly remember that the password bill lost efficacy, enter step 306, otherwise enter step 305;
The described maximum length in the time interval that allows can specifically be set as required, is generally one month.
Step 305: the described client of server notification allows the user to login automatically, and login process finishes automatically.
Step 306: the described Client-Prompt user of server notification inputs password once more, and login process finishes automatically.
By above-mentioned automatic login process as can be known, the described method of the embodiment of the invention in the client storage enciphered data, adopt the described password holding time as cryptographic object, even other people can successful decryptions or login successfully according to the enciphered data that is kept at client, server can compare password holding time in the cryptographic object and server current time, when the time interval between the current time is excessive when password holding time and server, illustrate described remember the password bill in client storage not login for a long time, server can notify the client refusal that described account number is logined automatically, and the prompting user re-enters login password.Therefore, even other people can successful decryptions or login successfully according to the enciphered data that is kept at client, also can't use described account number for a long time, in certain time limit, the Auto Login feature of described account number will be cancelled automatically.
In order further to strengthen the fail safe that password is preserved, cryptographic object described in the first embodiment of the invention can further include server and receives password and preserve and renew request time and server and receive password and preserve and renew request number of times, abbreviates the time of renewing respectively as and renews number of times.
In step 201, when the user selects " remembeing password " function, further comprise: the term of validity that " remembeing password " function is set.
General is regular in the time of client storage password, i.e. the term of validity was such as a week, one month, four months or 1 year.When the user selected " remembeing password " function, the Client-Prompt user selected the term of validity of " remembeing password " or generates the term of validity of acquiescence automatically.The described term of validity is the current term of validity of remembeing the password bill.
In the described term of validity of remembeing the password bill, when the user when local client is logined, client can be carried out " remembeing password " function automatically and be renewed operation, client is sent and is contained the current password of remembeing the password bill and preserve the request of renewing and give described server, server to described remember that password bill successful decryption obtains described cryptographic object after, the time that renews that can upgrade in the described cryptographic object automatically is the current time, and the described number of times that renews added 1, then newly-generated cryptographic object is encrypted, return a new password bill of remembeing and give described client, client storage is new remembers the password bill, and the new term of validity is set for the described new password bill of remembeing.
Generally speaking, remember to expire the password bill term of validity login be during described client in first three day or a week that described client is understood carry out the operation that renews of " remembeing password " function for described user automatically as the client.If during this period, the user is never in described client login, after surpassing the described term of validity, describedly remembers that the password bill lost efficacy, and what client was no longer preserved described user remembers the password bill.During user's login next time, need input login account number and login password once more.
When the user when described client is selected " remembeing password " for the first time, it is described that to renew the time be 0, the described number of times that renews also is 0.When each described client renewed operation, the time that renews in the described cryptographic object of server update renewed the time for this, and the described number of times that renews is added 1.
For example: certain user is when on January 1st, 2008,13:33:45 was in certain client login MSN account number, select to use " remembeing password " function, suppose that the term of validity of remembeing the password bill is defaulted as one month, then this moment, described cryptographic object is: rise time=2008/01/01 13:33:45; Renew time=0; Renew number of times=0.Suppose to renew in advance the time for expiring the last week, certain time after 24 days January in 2008 then, be assumed to be 14:34:36 on January 25th, 2008, the user logins in described client, client renews operation for the user automatically, upgrades described cryptographic object to be: rise time=2008/01/01 13:33:45; Renew time=2008/01/25 14:34:36; Renew number of times=1.If not in described client login, then on February 1st, 2008,13:33:45 rose the user before on February 1st, 2008 13:33:45, what described client was no longer preserved described user remembers the password bill.
For adopting password holding time, the time of renewing and renewing the method in client storage enciphered data of number of times as cryptographic object, when the user when client is logined automatically, in the described step 304, described judgement remembers whether the password bill effectively specifically may further comprise the steps.
Step 304A: judge whether the described password holding time be later than the server current time, if, illustrate and describedly remember that the password bill is invalid, enter step 306; Otherwise, enter step 304B;
Step 304B: judge whether the described password holding time and the described time interval of server between the current time surpass default maximum and allow the time interval, if, illustrate and describedly remember that the password bill preserved for a long time not login at local client, enter step 304C, otherwise enter step 305;
The described maximum length in the time interval that allows can specifically be set as required, is generally one month.
Step 304C: to renew the time be 0 or describedly renew time interval between time and current time in default maximum allows the time interval when described, and the notice client renews operation; Otherwise, do not allow to renew operation, think described and remember that the password bill lost efficacy, and entered step 306;
Step 305: the described client of server notification allows the user to login automatically, and login process finishes automatically.
Step 306: the described Client-Prompt user of server notification inputs password once more, and login process finishes automatically.
When the client of server notification described in the step 304C renews operation, client sends and to contain the current password of remembeing the password bill and preserve and renew request to described server, server to described remember that password bill successful decryption obtains described cryptographic object after, the time that renews that can upgrade in the described cryptographic object automatically is current time information, and the described number of times that renews added 1, then newly-generated cryptographic object is encrypted, return a new password bill of remembeing and give described client, described client is preserved the described new password bill of remembeing.Therefore, remember the password bill for described after each renewal, it renews the time is inequality, is the time that the last time renews operation
In step 304C, before described server notification client renews operation, can also judge further whether the described number of times that renews allows to renew number of times above default maximum, if, no longer renew operation, server directly notifies the Client-Prompt user to input password once more.
In step 304C, server can also further be judged the described time interval that renews between time and described rise time, allow the time interval if the described time interval surpasses default maximum, no longer renew operation, server directly notifies the Client-Prompt user to input password once more.
By above-mentioned automatic login process as can be known,, will further strengthen the intensity that server is verified, strengthen the fail safe of password when described cryptographic object is password holding time, the time of renewing and when renewing number of times.In practice, even describedly remember that the password bill has been decrypted, and realized login, if do not renew, can not use the long time, reduced the stolen loss of password.
In order to strengthen the reliability that enciphered data is preserved, described server info can further include: format version number, obscure data and other data, with the complexity of further increase cryptographic object, strengthen the fail safe that enciphered data is preserved.
In the described method of the embodiment of the invention, the setting of cryptographic object can be provided with flexibly according to concrete needs.When server is verified remembeing the password bill, judge described when remembeing that the password bill whether effectively, as long as each does not satisfy verification condition in the described cryptographic object, server all can notify the client refusing user's to login automatically, and the prompting user imports login password once more.By described method, strengthen the reliability and the flexibility of server authentication greatly, strengthen the fail safe of client storage enciphered data.
The difference of the second embodiment of the invention and first embodiment is: after with described hash data cryptographic object being encrypted, with client terminal local information the code data that obtains after encrypting is for the first time carried out superencipher again, remember the password bill thereby generate, be kept at client, further increase the complexity of remembeing the password bill, improve fail safe in the client storage enciphered data.
With reference to Fig. 5, be the described method flow diagram of second embodiment of the invention in the client storage enciphered data.
Step 401: the user is at client login interface input login account number and login password, and selection " remembeing password " function;
Step 402: client sends and to contain logging request that the user logins account number and login password to server, the cryptographic object that comprises the current time that reception server returns;
Step 403: client is selected hashing algorithm, and the login password that the user is provided carries out hash, obtains the hash data corresponding with login password, as key;
Step 404: the predefined cryptographic algorithm of customer end adopted, with described hash data as key, described cryptographic object is once encrypted, obtain enciphered data one time, adopt client terminal local information as key again, a described enciphered data is carried out superencipher, obtain the superencipher data, as remembeing the password bill, be kept at client.
Described client terminal local information can be the intrinsic machine information of local client self, also can be that local network relevant information or this locality generate data etc. at random.
The intrinsic machine information of described client self can be physics (MAC) address of client NIC, the sequence number of the first hard disk of client etc.The IP address that described local network relevant information can be a client, gateway address, subnet mask etc.It can be the data that generate at random at local client that described this locality generates data at random, according to preset rule, use with machine information or local network relevant information that client self is intrinsic, play and obscure effect, in order to strengthen the complexity of key, strengthen the difficulty that is decrypted.
Adopting described client terminal local information is in order to strengthen the difficulty that key is decrypted as key.As required, client is selected these relevant informations at random, forms key according to certain rule, cryptographic object is encrypted, and others is difficult to obtain above-mentioned key by technological means, therefore, even cryptographic algorithm is known, still be difficult to decoding and obtain cryptographic object, stealing passwords.
The general intrinsic machine information of client self that adopts because this part information is changeless, and can the stranger can't be known as client terminal local information by keeper's locking more, further strengthens the fail safe that password is preserved.Accordingly, described local network relevant information may be changeless, also may be arbitrarily change, and for example local network adopts and obtains the mode of IP address automatically, and then the IP address of described client may be all inequality at every turn.Can further strengthen the fail safe that password is preserved like this.
In the described method of the embodiment of the invention, can adopt identical cryptographic algorithm that described cryptographic object is once encrypted and superencipher, also can adopt different cryptographic algorithm respectively, with the fail safe of further enhancing password preservation twice encryption.
The described method in the client storage enciphered data of second embodiment of the invention adopts client terminal local information as key, and cryptographic object is carried out superencipher, will generate enciphered data as remembeing the password bill, is kept at client.
In the described method of the embodiment of the invention, described client terminal local information as the superencipher key can generate data at random by the intrinsic machine information of local client self, local network relevant information and this locality according to the needs of client and generate according to the preset rule arbitrary combination, strengthened the confidentiality of key, even someone has known cryptographic algorithm, but owing to can't learn the part and the definition mode of key, be difficult to obtain key to break a code, therefore, described method in the client storage enciphered data has very high fail safe.
Referring to Fig. 6, for adopting the described flow chart of logining automatically in the method for client storage enciphered data of second embodiment of the invention.
Step 501: the user is once more in described client login, the login account number that client provides according to the user, extract the corresponding password bill of remembeing from this locality, remember that to described the password bill is decrypted according to client terminal local information, obtain a described enciphered data, the automatic landing request information that will contain a described enciphered data and login account number passes to server;
Superencipher algorithm respective algorithms remembers that to described the password bill is decrypted in server employing and the step 404.
Step 502: server receives described automatic landing request information, extracts the cryptographic hash data corresponding with described login account number from database, as key;
If be as key in the step 402 by the cryptographic hash hash data that computing obtains according to function f, then corresponding, in the step 502, described cryptographic hash data are carried out computing according to predefined operation function f described in the step 402, generate hash data, as the key of deciphering;
Step 503: server is decrypted an enciphered data that is received from client with described hash data, if successful decryption proves that the client password is correct, obtains cryptographic object, enters step 504; If the deciphering failure enters step 506;
A cryptographic algorithm respective algorithms remembers that to described the password bill is decrypted in server employing and the step 404.
Step 504: server to deciphering after the described cryptographic object that obtains check judge describedly remember whether the password bill effective, if describedly remember that the password bill is effective, enter step 505; Otherwise, enter step 506;
Described cryptographic object abbreviates the password holding time as for preserve the time of described user login code for the first time in described client.
The password bill is remembered in described judgement, and whether effectively detailed process is identical with the embodiment of the invention one described step 304.
Step 505: the described client of server notification allows the user to login automatically, and login process finishes automatically.
Step 506: the described Client-Prompt user of server notification inputs password once more, and login process finishes automatically.
In order to strengthen the reliability that password is preserved, cryptographic object described in the second embodiment of the invention also may further include the time of renewing and renews number of times, and described server is identical with the described proof procedure of first embodiment with the proof procedure that renews number of times to renewing the time.
In order to strengthen the reliability that enciphered data is preserved, described server info can further include: format version number, obscure data and other data, generate the complexity of remembeing the password bill to increase.
Based on above-mentioned method in the client storage enciphered data, the present invention also provides a kind of system in the client storage enciphered data.
Referring to Fig. 7, be the described system diagram of first embodiment of the invention in the client storage enciphered data.
Described system comprises client 61 and server 62, and wherein, client 61 comprises:
Cryptographic object receiver module 610 is used to receive the cryptographic object that comprises the current time that described server returns.
Login password Hash module 611 is used for hash of described login password at least, generates hash data.
Hash data encrypting module 612, be used for according to predefined cryptographic algorithm, the hash data that utilizes described login password Hash module 611 generations is as key, the cryptographic object that described cryptographic object generation module 610 generates is encrypted, with the enciphered data that generates as remembeing that the password bill sends to memory module 613.
In order to strengthen the reliability that password is preserved, the described login password Hash module 611 of the embodiment of the invention, the login password that can directly provide the user carries out hash, generate cryptographic hash, as key, also can adopt predefined operation function f that cryptographic hash is calculated, obtain the hash data relevant, as key with cryptographic hash.Even someone has known hashing algorithm, but, be difficult to obtain key to break a code owing to can't learn the definition mode of function f.
Adopt the described system of the embodiment of the invention, memory module 613 is preserved remembers the password bill, and promptly enciphered data is to adopt the hash data that the login password hash is obtained as key, and the cryptographic object that contains the current time that server is returned is encrypted and obtained.Remember that when described the password bill is acquired, even know the cryptographic algorithm of employing, owing to be difficult to the information of acquisition about encrypted object, therefore, only to remember that the password bill obtains as the possibility of the hash data information relevant with login password of key very little according to described, ensures the fail safe of preserving password.In prior art, only access to your password hash as remembeing to have strengthened fail safe greatly by the password bill in the client storage enciphered data.
Referring to Fig. 8, be the described system diagram of second embodiment of the invention in the client storage enciphered data.
The difference of the described system in the client storage enciphered data of the first embodiment of the invention and second embodiment is: the described client of second embodiment further comprises local information encrypting module 614.
Described local information encrypting module 614 is used to adopt predefined cryptographic algorithm, utilizes client terminal local information as key, and the enciphered data of described hash data encrypting module 612 outputs is encrypted, and generates and remembers the password bill, sends to memory module 613.
Accordingly, described memory module 613 is used to preserve that described local information encrypting module sends remembers the password bill.
Described client terminal local information can be the intrinsic machine information of local client self, also can be that local network relevant information or this locality generate data etc. at random.
In the described system of the embodiment of the invention, described client terminal local information encryption module 614 adopts client terminal local information as key, described client terminal local information can be according to the needs of client by the intrinsic machine information of local client self, local network relevant information and this locality generate data at random and generate according to the preset rule arbitrary combination, strengthened the confidentiality of key, even someone has known cryptographic algorithm, but owing to can't learn the part and the definition mode of key, be difficult to obtain key to break a code, therefore, described system in the client storage enciphered data has very high fail safe.
More than to a kind of method and system provided by the present invention in the client storage enciphered data, be described in detail, used specific case herein principle of the present invention and execution mode are set forth, the explanation of above embodiment just is used for helping to understand method of the present invention and core concept thereof; Simultaneously, for one of ordinary skill in the art, according to thought of the present invention, the part that all can change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.
Claims (15)
1. the method in the client storage enciphered data is characterized in that, described method comprises:
Client sends login password to server, receives the cryptographic object that comprises the current time that described server returns; The described current time, be meant that the user preserves the time or the time of renewing of login password for the first time in described client;
Described client generates hash data at least hash of described login password, utilizes described hash data that described cryptographic object is encrypted, and generates enciphered data;
Described client storage enciphered data.
2. method according to claim 1 is characterized in that, utilizes described hash data that described cryptographic object is encrypted and is specially:
Add in described hash data and obscure data, the hash data that the utilization adding is obscured after the data is encrypted described cryptographic object.
3. method according to claim 1 is characterized in that, further comprises after utilizing described hash data that described cryptographic object is encrypted:
Utilize client terminal local information to described cryptographic object superencipher.
4. method according to claim 3 is characterized in that, described client terminal local information is the data that client NIC physical address, client hard disk sequence number and/or client generate at random.
5. method according to claim 1 is characterized in that, further comprises:
Client sends and contains the automatic logging request of enciphered data to described server;
Described server is deciphered described enciphered data, determines that the current time in the described cryptographic object surpasses the default maximum permission time interval, returns to allow auto login information to give described client.
6. method according to claim 1 is characterized in that, client sends login password to after the server, further comprises: the preservation term of validity that password is set.
7. method according to claim 6 is characterized in that, further comprises:
Client sends the password preservation that contains enciphered data and renews request to described server;
Described server is deciphered described enciphered data, upgrades the cryptographic object that obtains after the deciphering, the cryptographic object after upgrading is encrypted again, and returns renewal back enciphered data and gives described client;
Described server prolongs password and preserves the term of validity.
8. method according to claim 7 is characterized in that, described server prolongs password to be preserved before the term of validity, further comprises:
Described server determines that the preservation of reception password renews request number of times and allows to renew number of times above default maximum.
9. method according to claim 7 is characterized in that, described server prolongs password to be preserved before the term of validity, further comprises:
Described server determines that the preservation of reception password renews request time and allows the time interval above default maximum.
10. method according to claim 7 is characterized in that, upgrades the cryptographic object that obtains after the deciphering and comprises:
Server adds the preservation of reception password and renews request time in described cryptographic object.
11. method according to claim 10 is characterized in that, receives the password preservation and renews request time for receiving the time that password is preserved the request that renews recently.
12. method according to claim 7 is characterized in that, upgrades the cryptographic object that obtains after the deciphering and comprises:
Server adds the preservation of reception password and renews request number of times in described cryptographic object.
13. method according to claim 12 is characterized in that, upgrades the cryptographic object that obtains after the deciphering and comprises:
Server adds format version number and obscures data in described cryptographic object.
14. the system in the client storage enciphered data comprises client and server, it is characterized in that, described client comprises:
The cryptographic object receiver module is used to send login password to server, receives the cryptographic object that comprises the current time that described server returns; The described current time, be meant that the user preserves the time or the time of renewing of login password for the first time in described client;
The login password Hash module is used for hash of described login password at least, generates hash data;
The hash data encrypting module is used to utilize described hash data that described cryptographic object is encrypted, and generates enciphered data;
Memory module is used to preserve the enciphered data that described hash data encrypting module sends.
15. system according to claim 14 is characterized in that, described client further comprises:
The local information encrypting module is used to utilize client terminal local information that the enciphered data of described hash data encrypting module output is encrypted;
Described memory module is used to preserve the enciphered data that described local information encrypting module sends.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008101275538A CN101309278B (en) | 2008-06-27 | 2008-06-27 | Method and system for storing encrypt data on customer |
PCT/CN2009/071883 WO2009155813A1 (en) | 2008-06-27 | 2009-05-20 | Method for storing encrypted data in client and system thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008101275538A CN101309278B (en) | 2008-06-27 | 2008-06-27 | Method and system for storing encrypt data on customer |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101309278A CN101309278A (en) | 2008-11-19 |
CN101309278B true CN101309278B (en) | 2011-07-06 |
Family
ID=40125497
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2008101275538A Active CN101309278B (en) | 2008-06-27 | 2008-06-27 | Method and system for storing encrypt data on customer |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101309278B (en) |
WO (1) | WO2009155813A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105491030A (en) * | 2015-11-27 | 2016-04-13 | 韦昱灵 | Website user password encryption and verification method |
Families Citing this family (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101309278B (en) * | 2008-06-27 | 2011-07-06 | 腾讯科技(深圳)有限公司 | Method and system for storing encrypt data on customer |
CN102055722B (en) * | 2009-10-28 | 2014-01-15 | 中标软件有限公司 | Implementation method for ensuring secure storage of electronic mails |
US10102242B2 (en) * | 2010-12-21 | 2018-10-16 | Sybase, Inc. | Bulk initial download of mobile databases |
CN102045170B (en) * | 2010-12-28 | 2013-02-20 | 北京深思洛克软件技术股份有限公司 | Method and system for protecting safety of password |
CN102629925B (en) * | 2012-03-31 | 2014-10-15 | 苏州阔地网络科技有限公司 | Method and system for preventing illegal connection |
CN102752285B (en) * | 2012-06-07 | 2015-03-18 | 广东电网公司茂名供电局 | Pre-authentification computer system login method based on high collision probability hash function |
CN102739404B (en) * | 2012-06-29 | 2016-01-06 | 浪潮(北京)电子信息产业有限公司 | A kind of cipher management method and system |
CN103713915A (en) * | 2012-09-29 | 2014-04-09 | 联想(北京)有限公司 | System starting method and electronic equipment |
CN103873442B (en) * | 2012-12-13 | 2017-12-12 | 腾讯科技(深圳)有限公司 | The treating method and apparatus of log-on message |
CN103188271A (en) * | 2013-04-19 | 2013-07-03 | 国家电网公司 | Secure mail client local data storage and identification methods and devices |
CN104135364A (en) * | 2013-04-30 | 2014-11-05 | 鸿富锦精密工业(深圳)有限公司 | Account encryption and decryption system and method |
CN104601532B (en) * | 2013-10-31 | 2019-03-15 | 腾讯科技(深圳)有限公司 | A kind of method and device of logon account |
CN104883341B (en) * | 2014-02-28 | 2019-01-25 | 宇龙计算机通信科技(深圳)有限公司 | Application management device, terminal and application management method |
CN103888457A (en) * | 2014-03-19 | 2014-06-25 | 深信服网络科技(深圳)有限公司 | Method and system for improving login security |
CN105812329B (en) * | 2014-12-31 | 2018-07-20 | 中国科学院沈阳自动化研究所 | For the mobile security encryption method in complicated production management system |
CN105376261B (en) * | 2015-12-21 | 2020-01-14 | Tcl集团股份有限公司 | Encryption method and system for instant messaging message |
CN105610811B (en) * | 2015-12-24 | 2019-06-25 | 中国建设银行股份有限公司 | Authentication method and its relevant equipment and system |
CN106127061A (en) * | 2016-06-22 | 2016-11-16 | 杨越 | Computer Cryptography Security ensures computational methods |
CN106650351B (en) * | 2016-10-31 | 2018-12-04 | 维沃移动通信有限公司 | A kind of operation method and mobile terminal of application program |
CN108259165A (en) * | 2016-12-29 | 2018-07-06 | 航天信息股份有限公司 | Inventory's grain cognizance code encryption and decryption approaches and device |
CN108234458A (en) * | 2017-12-21 | 2018-06-29 | 广东汇泰龙科技有限公司 | Method, the system of encryption storage and the decryption extraction of a kind of cloud lock cipher |
CN109787760B (en) * | 2019-01-23 | 2021-10-08 | 哈尔滨工业大学 | Optimized secret key security enhancement method and device based on H1 type hash function family |
CN112543241B (en) * | 2020-10-22 | 2023-05-30 | 重庆恢恢信息技术有限公司 | Construction site safety image data mining method by using block chain |
CN112506647A (en) * | 2020-11-19 | 2021-03-16 | 杭州电魂网络科技股份有限公司 | Method, system, device and storage medium for load balancing of stateful servers |
CN113542256B (en) * | 2021-07-12 | 2023-08-22 | 苏州达家迎信息技术有限公司 | Method, device, equipment and storage medium for updating login credentials in client |
CN113872979B (en) * | 2021-09-29 | 2023-11-24 | 北京高途云集教育科技有限公司 | Login authentication method, login authentication device, electronic equipment and computer readable storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1505309A (en) * | 2002-11-20 | 2004-06-16 | Securely processing client credentials used for web-based access to resources | |
CN1567294A (en) * | 2003-06-14 | 2005-01-19 | 华为技术有限公司 | User certification method |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7475252B2 (en) * | 2004-08-12 | 2009-01-06 | International Business Machines Corporation | System, method and program to filter out login attempts by unauthorized entities |
CN101309278B (en) * | 2008-06-27 | 2011-07-06 | 腾讯科技(深圳)有限公司 | Method and system for storing encrypt data on customer |
-
2008
- 2008-06-27 CN CN2008101275538A patent/CN101309278B/en active Active
-
2009
- 2009-05-20 WO PCT/CN2009/071883 patent/WO2009155813A1/en active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1505309A (en) * | 2002-11-20 | 2004-06-16 | Securely processing client credentials used for web-based access to resources | |
CN1567294A (en) * | 2003-06-14 | 2005-01-19 | 华为技术有限公司 | User certification method |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105491030A (en) * | 2015-11-27 | 2016-04-13 | 韦昱灵 | Website user password encryption and verification method |
Also Published As
Publication number | Publication date |
---|---|
WO2009155813A1 (en) | 2009-12-30 |
CN101309278A (en) | 2008-11-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101309278B (en) | Method and system for storing encrypt data on customer | |
US6959394B1 (en) | Splitting knowledge of a password | |
KR101508360B1 (en) | Apparatus and method for transmitting data, and recording medium storing program for executing method of the same in computer | |
US6950523B1 (en) | Secure storage of private keys | |
US8526606B2 (en) | On-demand secure key generation in a vehicle-to-vehicle communication network | |
KR101753859B1 (en) | Server and method for managing smart home environment thereby, method for joining smart home environment and method for connecting communication session with smart device | |
CN106534092A (en) | Message-based and key-dependent privacy data encryption method | |
KR20080020621A (en) | Implementation of an integrity-protected secure storage | |
JP2009529832A (en) | Undiscoverable, ie secure data communication using black data | |
CN105099690A (en) | OTP and user behavior-based certification and authorization method in mobile cloud computing environment | |
CN106982186A (en) | A kind of online safe key guard method and system | |
CN101359991A (en) | Public key cipher system private key escrowing system based on identification | |
CN107920052B (en) | Encryption method and intelligent device | |
CN1977559B (en) | Method and system for protecting information exchanged during communication between users | |
CN101990201B (en) | Method, system and device for generating general bootstrapping architecture (GBA) secret key | |
CN110138548B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol | |
CN105025019A (en) | Data safety sharing method | |
Dua et al. | Replay attack prevention in Kerberos authentication protocol using triple password | |
CN113886771A (en) | Software authorization authentication method | |
CN115396121A (en) | Security authentication method for security chip OTA data packet and security chip device | |
CN112559991A (en) | System secure login method, device, equipment and storage medium | |
Feiri et al. | Efficient and secure storage of private keys for pseudonymous vehicular communication | |
CN110098925B (en) | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and random number | |
KR101358375B1 (en) | Prevention security system and method for smishing | |
WO2016177843A1 (en) | A security approach for storing credentials for offline use and copy-protected vault content in devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |