CN101309278B - Method and system for storing encrypted data on a client - Google Patents


Publication number
CN101309278B
Authority
CN
China
Prior art keywords
client
password
data
encrypted
server
Application number
CN2008101275538A
Other languages
Chinese (zh)
Other versions
CN101309278A (en)
Inventor
傅建兵
陈启祥
陈定佳
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司
Priority to CN2008101275538A
Publication of CN101309278A
Application granted
Publication of CN101309278B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN

Abstract

The invention discloses a method of storing encrypted data on a client. The client sends its login password to the server and receives from the server an encryption object that includes the current time; the client hashes the login password at least once to produce hash data, encrypts the encryption object with that hash data to produce encrypted data, and stores the encrypted data. The invention also discloses a system for storing encrypted data on a client. The method and system improve the security of the encrypted data stored on the client.

Description

A method and system for storing encrypted data on a client

TECHNICAL FIELD

[0001] The present invention relates to the field of communication networks, and in particular to a method and system for storing encrypted data on a client.

[0002] BACKGROUND OF THE INVENTION

[0003] In general, when a user on a client uses software or an application provided by a server that requires authorization, the user is asked to enter a login account and a login password so that unauthorized users are kept out. To make logging in more convenient, the client offers a "Remember Password" function for the login account. When the user logs in for the first time with "Remember Password" enabled, a remember-password ticket corresponding to the login account and login password is stored on the client. When the user logs in again on the same client, only the login account need be entered; the client reads out the remember-password ticket for that account and logs the account in.

[0004] Figure 1 is a flowchart of the prior-art method of storing encrypted data on a client. The method comprises the following steps:

[0005] Step 101: on the login screen of a client the user enters a login account and a login password and selects the "Remember Password" function;

[0006] Step 102: from the login account and login password entered by the user, the client takes either the plaintext of the login password, or a password hash obtained by hashing that plaintext, as the remember-password ticket, and stores it.

[0007] When the user next logs in on that client, the user enters the login account; the client looks up the remember-password ticket for that account and sends it to the server;

[0008] The server checks whether the received remember-password ticket matches the login-password information it holds. If so, the login password is deemed correct and the user is logged in directly; if not, a password-error message is returned and the client prompts the user to re-enter the login password.

[0009] The login-password information held by the server may be the plaintext of the login password or the password hash corresponding to that plaintext. If the server holds the plaintext, it first computes the password hash from it and then compares the computed hash with the received one; if the server holds the password hash, it compares the stored hash with the received one directly.

[0010] The method above stores the remember-password ticket on the local client as the login password plaintext or the bare password hash.

[0011] Clearly this is very unsafe. If a user enables "Remember Password" on a client in a public place and forgets to turn it off, the generated remember-password ticket stays on that client, where others can easily obtain it. When the ticket is the plaintext password, the login password is stolen outright; when the ticket is the password hash, anyone who knows how the hash is computed can look it up in a database of precomputed hashes (a reverse lookup) to recover the plaintext, and the login password is stolen just the same.

[0012] SUMMARY OF THE INVENTION

[0013] The technical problem solved by the present invention is to provide a method and system for storing encrypted data on a client that strengthen the security of the encrypted data stored on the client.

[0014] To solve the above technical problem, the present invention provides a method of storing encrypted data on a client. The method comprises: the client sends the login password to the server and receives from the server an encryption object (the data to be encrypted) that includes the current time, where the current time is the time at which the user first saved the login password on that client, or the renewal time; the client hashes the login password at least once to produce hash data and uses the hash data to encrypt the encryption object, producing encrypted data; the client stores the encrypted data.

[0015] Encrypting the encryption object with the hash data specifically means: obfuscation data is added to the hash data, and the hash data with the obfuscation data added is used to encrypt the encryption object.

[0016] After the encryption object has been encrypted with the hash data, the method further comprises: encrypting the encrypted object a second time using information local to the client.

[0017] The client-local information is the physical (MAC) address of the client's network card, the client's hard-disk serial number, and/or data randomly generated by the client.

[0018] The method further comprises: the client sends an automatic-login request containing the encrypted data to the server; the server decrypts the encrypted data, determines that the current time in the encryption object does not exceed a preset maximum allowed interval, and returns an allow-automatic-login message to the client.

[0019] After the client sends the login password to the server, the method further comprises: setting a validity period for the saved password.

[0020] The method further comprises: the client sends a password-save renewal request containing the encrypted data to the server; the server decrypts the encrypted data, updates the encryption object obtained by decryption, encrypts the updated encryption object again, and returns the updated encrypted data to the client; the server extends the validity period of the saved password.

[0021] Before the server extends the validity period of the saved password, the method further comprises: the server determines that the number of password-save renewal requests received has not exceeded a preset maximum allowed number of renewals.

[0022] Before the server extends the validity period of the saved password, the method further comprises: the server determines that the time at which the password-save renewal request was received does not exceed a preset maximum allowed interval.

[0023] Updating the encryption object obtained by decryption comprises: the server adds to the encryption object the time at which the password-save renewal request was received.

[0024] The time at which the password-save renewal request was received is the time of the most recently received password-save renewal request.

[0025] Updating the encryption object obtained by decryption comprises: the server adds to the encryption object the number of password-save renewal requests received.

[0026] Updating the encryption object obtained by decryption comprises: the server adds a format version number and obfuscation data to the encryption object.

[0027] The present invention also provides a system for storing encrypted data on a client, comprising a client and a server. The client comprises: an encryption-object receiving module, for sending the login password to the server and receiving from the server an encryption object that includes the current time, where the current time is the time at which the user first saved the login password on that client, or the renewal time; a login-password hashing module, for hashing the login password at least once to produce hash data; a hash-data encryption module, for encrypting the encryption object with the hash data to produce encrypted data; and a storage module, for storing the encrypted data sent by the hash-data encryption module.

[0028] The client further comprises: a local-information encryption module, for encrypting the encrypted data output by the hash-data encryption module with client-local information; the storage module then stores the encrypted data sent by the local-information encryption module.

[0029] Compared with the prior art, the present invention has the following advantages:

[0030] With the method of the embodiments of the present invention, the encrypted data stored on the client is produced by encrypting the encryption object returned by the server, which includes the current time, using as the key the hash data obtained by hashing the login password. If the encrypted data is obtained by someone else, then even if the encryption algorithm is known, it is hard to learn anything about the encrypted object, so the chance of recovering from the encrypted data alone the login-password-related hash data that served as the key is very small, and the stored encrypted data is protected. Compared with the prior art, which uses the bare password hash as the remember-password ticket, this greatly strengthens the security of the encrypted data stored on the client.

[0031] Further, in the method of the embodiments of the present invention, the encryption object returned by the server includes the current time, which is the time at which the password was first saved on that client. Even if someone else manages to log in with the encrypted data stored on the client, the server compares the first-save time in the encryption object with the time of the current login; when the interval between them is too large, the server tells the client to refuse automatic login for that account and prompts the user to re-enter the login password. So even if someone else can log in with the encrypted data stored on the client, they cannot use the account for long: within a set period the account's automatic login is cancelled automatically.

BRIEF DESCRIPTION OF THE DRAWINGS

[0032] Figure 1 is a flowchart of the prior-art method of storing encrypted data on a client;

[0033] Figure 2 is a flowchart of the method of storing encrypted data on a client according to an embodiment of the present invention;

[0034] Figure 3 is a flowchart of the method of storing encrypted data on a client according to the first embodiment of the present invention;

[0035] Figure 4 is a flowchart of automatic login using the method of the first embodiment;

[0036] Figure 5 is a flowchart of the method of storing encrypted data on a client according to the second embodiment of the present invention;

[0037] Figure 6 is a flowchart of automatic login using the method of the second embodiment;

[0038] Figure 7 is a diagram of the system for storing encrypted data on a client according to the first embodiment;

[0039] Figure 8 is a diagram of the system for storing encrypted data on a client according to the second embodiment.

DETAILED DESCRIPTION

[0040] To make the above objects, features and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.

[0041] Figure 2 is a flowchart of the method of storing encrypted data on a client according to an embodiment of the present invention.

[0042] Step 1111: the client sends the login password to the server and receives from the server an encryption object that includes the current time;

[0043] Step 1112: the client hashes the login password at least once to produce hash data corresponding to the login password, and uses that hash data as the key to encrypt the encryption object that includes the current time, producing encrypted data;

[0044] Step 1113: the client stores the encrypted data.

[0045] Figure 3 is a flowchart of the method of storing encrypted data on a client according to the first embodiment of the present invention.

[0046] Step 201: on the client's login screen the user enters a login account and a login password and selects the "Remember Password" function;

[0047] Step 202: the client sends a login request containing the user's login account and login password to the server, and receives from the server an encryption object containing current-time information;

[0048] The current time is the time at which the user first saved that login password on this client. For a given client this time is unique.

[0049] Step 203: the client selects a hash algorithm and hashes the login password entered by the user at least once, obtaining hash data corresponding to the login password, which serves as the key;

[0050] The hash algorithm is a one-way function: it takes the plaintext of the password, the character string that expresses it, and converts it into hash data from which the original plaintext cannot be reconstructed, i.e. the password hash.

[0051] In the method of the embodiments of the present invention, the login password entered by the user may be hashed directly to produce the password hash, which is used as the key.

[0052] To strengthen the security of the saved login password, the invention may also apply a preset function f to the password hash, obtaining hash data related to the password hash, which is used as the key.

[0053] hash data related to the password hash = f(password hash)

[0054] f is a preset function and can be defined as required. f may hash the password hash a further N times (N an integer not less than 1, usually 2, 3 or 4) to obtain the hash data used as the key; or it may first hash the password hash N times and then add obfuscation data to the resulting hash data according to a preset rule, obtaining new hash data used as the key; or it may first add obfuscation data to the password hash according to a preset rule and then hash N times, obtaining new hash data used as the key.

[0055] Within f, to strengthen security further, each of the N hashing rounds may use the same hash algorithm or a different one, increasing the complexity of the hash data used as the key and making it harder to break.

[0056] Step 204: the client uses a preset encryption algorithm, with the hash data as the key, to encrypt the encryption object, and stores the resulting encrypted data on the client as the remember-password ticket.

[0057] The encryption algorithm is a set of specific formulas and rules that define the transformation between plaintext and ciphertext. The widely used Data Encryption Standard (DES) is taken as an example to illustrate encryption with such an algorithm.

[0058] DES is an algorithm for encrypting binary data and takes three parameters: a key (Key), plaintext data (Data) and a mode selection (Mode). Key is 8 bytes, 64 bits in total (of which 56 bits are the effective key; the remaining 8 are parity bits), and is the working key of the DES algorithm; Data is also 8 bytes, 64 bits, and is the plaintext data to be encrypted or decrypted; Mode is the DES mode of operation, encryption or decryption.

[0059] When Mode is encryption, Data is encrypted with Key: the plaintext data to be encrypted goes through 16 rounds of iteration, product transformation, compression transformation and other coding steps to produce the encrypted form of Data (64 bits) as the DES output. In decryption, the same Key is used to decrypt the cipher data and reproduce the plaintext data in the clear.

[0060] In the method of the embodiments of the present invention, the encryption object is the Data to be encrypted, the hash data is the Key, and Mode is encryption. The DES algorithm is applied to the encryption object, and the encrypted data produced is stored on the client as the remember-password ticket.

[0061] With the method of the embodiments of the present invention, the remember-password ticket stored on the client, i.e. the encrypted data, is produced by encrypting the encryption object returned by the server, which includes the current time, using as the key the hash data obtained by hashing the login password. If the ticket is obtained by someone else, then even if the encryption algorithm is known, it is hard to learn anything about the encrypted object, so the chance of recovering from the ticket alone the login-password-related hash data that served as the key is very small, and the ticket stored on the client is protected. Compared with the prior art, which uses the bare password hash as the ticket, this greatly strengthens the security of the remember-password ticket stored on the client.

[0062] In the method of the embodiments of the present invention, the hash data used as the key may be computed from the password hash by the preset function f. Even if the remember-password ticket is broken and the encryption object recovered, the exact definition of f is not known, so it remains hard to recover the plaintext password by reverse lookup of the hash data.

[0063] In the embodiments of the present invention the client may be client software, a web application launched from a web page, a wireless application on a mobile terminal, and so on. The method of the embodiments applies to instant messaging, e-mail, games and similar fields.

[0064] Figure 4 is a flowchart of automatic login using the method of storing encrypted data on a client according to the first embodiment.

[0065] Step 301: the user logs in on the client again; from the login account entered by the user, the client retrieves the corresponding remember-password ticket, i.e. the encrypted data, from local storage, and sends an automatic-login request containing the ticket and the login account to the server;

[0066] Step 302: the server receives the automatic-login request and retrieves from its database the password hash data corresponding to the login account, to serve as the decryption key;

[0067] If in step 203 the key was hash data computed from the password hash by the function f, then correspondingly in step 302 the server applies the same preset function f to the password hash to produce the hash data that serves as the decryption key;

[0068] Step 303: the server decrypts the remember-password ticket received from the client with the hash data. If decryption succeeds, the client's password is shown to be correct and the encryption object is obtained; proceed to step 304. If decryption fails, proceed to step 306;

[0069] The server decrypts the ticket with the same encryption algorithm used in step 204.

[0070] Step 304: the server examines the decrypted encryption object to determine whether the remember-password ticket is valid; if it is, proceed to step 305; otherwise proceed to step 306;

[0071] The encryption object is the time at which the user's login-password information was first saved on that client, called the password-save time for short.

[0072] Determining whether the ticket is valid comprises the following steps.

[0073] Step 304a: determine whether the password-save time is later than the server's current time; if so, the ticket is invalid, proceed to step 306; otherwise proceed to step 304b;

[0074] Step 304b: determine whether the interval between the password-save time and the server's current time exceeds a preset maximum allowed interval; if so, the ticket has been sitting on the local client for a long time without a login and has expired, proceed to step 306; otherwise proceed to step 305;

[0075] The length of the maximum allowed interval can be set as required; typically it is one month.

[0076] Step 305: the server tells the client to let the user log in automatically; the automatic-login flow ends.

[0077] Step 306: the server tells the client to prompt the user to enter the password again; the automatic-login flow ends.

[0078] As the automatic-login flow shows, the method of the embodiments of the present invention uses the password-save time as the encryption object. Even if someone else decrypts the ticket or logs in successfully with the encrypted data stored on the client, the server compares the password-save time in the encryption object with its current time; when the interval is too large, the ticket has been on the client for a long time without a login, and the server tells the client to refuse automatic login for that account and prompts the user to re-enter the login password. So even if someone else can decrypt the ticket or log in with the stored encrypted data, they cannot use the account for long: within a set period the account's automatic login is cancelled automatically.
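The client-side ticket construction of steps 203 and 204 and the server-side check of steps 302 through 304, as one added example in Go (not code from the patent or from 腾讯; the patent names no language or library). It follows the patent where the patent is specific: the key is f applied to the bare password hash, with obfuscation data mixed into each of N hashing rounds, and the encryption object is a single 8-byte DES block (Key, Data and Mode as in [0058]) holding a format version, the first-save time and a renewal count. Everything else is an assumption of this example: SHA-256 as the hash, N = 3, the obfuscation string, the packed object layout, and an HMAC-SHA256 tag over the DES block that the patent does not have. The tag is what makes "decryption failed" in step 303 a reliable result; bare DES gives no such signal, since any key turns any 8-byte ciphertext into some plaintext.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Parameters assumed for this example; the patent leaves them to the implementer.
const (
	hashRounds    = 3                     // N: extra hashing rounds inside f
	obfuscation   = "example-obfuscation" // obfuscation data mixed into f
	formatVersion = byte(1)               // version byte in the encryption object
	maxInterval   = 30 * 24 * time.Hour   // step 304b limit, "typically one month"
)

// encryptionObject is the server-issued plaintext, packed into one 8-byte DES block as
// version || first-save unix time (uint32) || renewal count (uint16) || zero byte.
type encryptionObject struct {
	FirstSaved time.Time
	Renewals   uint16
}

// passwordHash is computed by the client in step 203 and held by the server per
// account; it is unsalted because both sides must arrive at the same value.
func passwordHash(password string) []byte {
	h := sha256.Sum256([]byte(password))
	return h[:]
}

// deriveKeys is the patent's function f: mix in obfuscation data and re-hash N times.
// The 32-byte result is split into the 8-byte DES key and a 24-byte HMAC key; the
// HMAC is this example's addition, not part of the patent.
func deriveKeys(pwHash []byte) (encKey, macKey []byte) {
	data := pwHash
	for i := 0; i < hashRounds; i++ {
		h := sha256.New()
		h.Write([]byte(obfuscation))
		h.Write(data)
		data = h.Sum(nil)
	}
	return data[:8], data[8:]
}

// makeTicket is step 204 on the client: ticket = DES(Key=f(H(pw)), Data=object) || tag.
func makeTicket(password string, obj encryptionObject) []byte {
	encKey, macKey := deriveKeys(passwordHash(password))
	data := make([]byte, des.BlockSize)
	data[0] = formatVersion
	binary.BigEndian.PutUint32(data[1:], uint32(obj.FirstSaved.Unix()))
	binary.BigEndian.PutUint16(data[5:], obj.Renewals)
	block, _ := des.NewCipher(encKey) // 8-byte key, cannot fail
	ticket := make([]byte, des.BlockSize)
	block.Encrypt(ticket, data)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ticket)
	return mac.Sum(ticket)
}

// openTicket is step 303 on the server: rebuild the keys from the stored password hash,
// verify the tag, then decrypt. A bad tag means a wrong password or a tampered ticket.
func openTicket(storedPwHash, ticket []byte) (encryptionObject, error) {
	if len(ticket) != des.BlockSize+sha256.Size {
		return encryptionObject{}, errors.New("malformed ticket")
	}
	encKey, macKey := deriveKeys(storedPwHash)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ticket[:des.BlockSize])
	if !hmac.Equal(mac.Sum(nil), ticket[des.BlockSize:]) {
		return encryptionObject{}, errors.New("decryption failed: wrong password or tampered ticket")
	}
	block, _ := des.NewCipher(encKey)
	data := make([]byte, des.BlockSize)
	block.Decrypt(data, ticket[:des.BlockSize])
	if data[0] != formatVersion || data[7] != 0 {
		return encryptionObject{}, errors.New("malformed encryption object")
	}
	saved := time.Unix(int64(binary.BigEndian.Uint32(data[1:])), 0).UTC()
	return encryptionObject{FirstSaved: saved, Renewals: binary.BigEndian.Uint16(data[5:])}, nil
}

// validateTicket is step 304: reject a save time in the future (304a) or one older
// than the maximum allowed interval (304b).
func validateTicket(storedPwHash, ticket []byte, now time.Time) (encryptionObject, error) {
	obj, err := openTicket(storedPwHash, ticket)
	if err != nil {
		return obj, err
	}
	if obj.FirstSaved.After(now) {
		return obj, errors.New("ticket invalid: save time is in the future")
	}
	if now.Sub(obj.FirstSaved) > maxInterval {
		return obj, errors.New("ticket expired: no login within the allowed interval")
	}
	return obj, nil
}
```

The client calls makeTicket once, at the first login, with the server-issued time; on every automatic login the server calls validateTicket with the account's stored password hash and its own clock, and a ticket created under one password fails the tag check under any other. Two caveats a deployment should weigh. The obfuscation data and the definition of f have to ship inside every client, so they defeat the reverse lookup of [0011] only as long as nobody has pulled them out of the client; and because the plaintext block has a fixed version byte, a zero byte and a plausible timestamp, anyone holding the ticket can test candidate passwords against it offline, without the server. The ticket also remains a bearer credential until the maximum interval of [0075] runs out, which is exactly why the patent bounds that interval. DES, with 56 effective key bits, appears here only because the patent uses it as its example; a new design would use an authenticated cipher such as AES-GCM and a per-user salted, slow password hash on the server.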

[0079] To strengthen the security of the saved password further, in the first embodiment the encryption object may also include the time at which the server received a password-save renewal request and the number of such requests the server has received, called the renewal time and the renewal count for short.

[0080] In step 201, when the user selects "Remember Password", the method further comprises: setting a validity period for the "Remember Password" function.

[0081] A password is usually saved on the client for a limited time, its validity period, such as a week, a month, four months or a year. When the user selects "Remember Password", the client prompts the user to choose the validity period or generates a default one automatically. That period is the validity period of the current remember-password ticket.

[0082] Within the ticket's validity period, when the user logs in on the local client the client automatically renews the "Remember Password" function: it sends a password-save renewal request containing the current ticket to the server; after the server successfully decrypts the ticket and obtains the encryption object, it updates the renewal time in the object to the current time, increments the renewal count by 1, encrypts the newly generated encryption object, and returns a new ticket to the client; the client stores the new ticket and sets a new validity period for it.

[0083] Usually, when the user logs in on the client within the last three days or the last week before the ticket's validity period expires, the client automatically renews the "Remember Password" function for that user. If the user does not log in on the client during that time, the ticket lapses once the validity period has passed and the client no longer keeps the user's ticket. The next time the user logs in, the login account and login password must be entered again.

[0084] When the user selects "Remember Password" on the client for the first time, the renewal time is 0 and the renewal count is also 0. On each renewal the server updates the renewal time in the encryption object to the time of that renewal and increments the renewal count by 1.

[0085] For example: a user logging in to an MSN account on some client at 13:33:45 on 1 January 2008 chooses "Remember Password"; assuming the default ticket validity period is one month, the encryption object at this point is: generation time = 2008/01/01 13:33:45; renewal time = 0; renewal count = 0. Assuming renewal takes place within the week before expiry, then at some time after 24 January 2008, say 14:34:36 on 25 January 2008, the user logs in on the client and the client renews automatically, updating the encryption object to: generation time = 2008/01/01 13:33:45; renewal time = 2008/01/25 14:34:36; renewal count = 1. If the user does not log in on the client before 13:33:45 on 1 February 2008, then from 13:33:45 on 1 February 2008 the client no longer keeps the user's ticket.

[0086] When the encrypted object consists of the password save time, the renewal time and the renewal count, the check in step 304 that decides whether the remember-password ticket is valid during automatic login comprises the following steps.

[0087] Step 304A: determine whether the password save time is later than the server's current time. If so, the ticket is invalid; go to step 306. Otherwise go to step 304B.

[0088] Step 304B: determine whether the interval between the password save time and the server's current time exceeds the preset maximum allowed interval. If so, the ticket has been kept on the local client for a long time without a login; go to step 304C. Otherwise go to step 305. [0089] The maximum allowed interval can be set as required; it is typically one month.

[0090] Step 304C: if the renewal time is 0, or the interval between the renewal time and the current time is within the preset maximum allowed interval, notify the client to perform a renewal; otherwise refuse the renewal, treat the ticket as invalid and go to step 306.

[0091] Step 305: the server notifies the client that the user may log in automatically; the automatic login flow ends.

[0092] Step 306: the server notifies the client to prompt the user for the password again; the automatic login flow ends.

[0093] When the server notifies the client to renew in step 304C, the client sends a password-save renewal request containing the current ticket to the server. Once the server has successfully decrypted the ticket and recovered the encrypted object, it sets the renewal time in the object to the current time, increments the renewal count by one, encrypts the updated object and returns a new ticket, which the client stores. Consequently the renewal time differs from one updated ticket to the next: it is always the time of the most recent renewal.

[0094] In step 304C, before the server notifies the client to renew, it may additionally check whether the renewal count has already exceeded the preset maximum allowed number of renewals. If so, no renewal is performed and the server directly notifies the client to prompt the user for the password again.

[0095] In step 304C the server may also check the interval between the renewal time and the generation time; if that interval exceeds the preset maximum allowed interval, no renewal is performed and the server directly notifies the client to prompt the user for the password again.
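The server-side decision of steps 304A to 304C, the optional checks of [0094] and [0095], the renewal update of [0082]/[0093] and the client-side expiry rule of [0083], as an added example in Python; it is not code from the patent. The patent fixes no concrete values, so the maximum interval (30 days for "one month"), the maximum renewal count, the separate lifetime bound used for the [0095] check and the one-week renewal window are all assumptions, and the walk-through function replays the dates of the [0085] example.

```python
"""Remember-password ticket: server-side validity check and renewal update.
Added example; constants are assumptions, the patent does not fix them."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

MAX_INTERVAL = timedelta(days=30)   # "typically one month" ([0089]); assumed 30 days
MAX_RENEWALS = 12                   # maximum renewal count of [0094]; assumed
MAX_LIFETIME = timedelta(days=180)  # bound on renewal_time - save_time ([0095]); assumed
RENEW_WINDOW = timedelta(days=7)    # client renews within a week of expiry ([0083])


@dataclass(frozen=True)
class EncryptedObject:
    """Plaintext fields the ticket seals. renewal_time None plays the role
    of the page's 'renewal time = 0' for a never-renewed ticket."""
    save_time: datetime
    renewal_time: Optional[datetime] = None
    renewal_count: int = 0


def check_ticket(obj: EncryptedObject, now: datetime) -> str:
    """Returns 'allow' (step 305), 'renew' (step 304C tells the client to
    renew) or 'reject' (step 306). `now` is the server clock; nothing the
    client reports about time is trusted."""
    # 304A: a save time in the future can only come from a forged ticket
    # or a clock the server does not control.
    if obj.save_time > now:
        return "reject"
    # 304B: saved recently enough -> automatic login without renewal.
    if now - obj.save_time <= MAX_INTERVAL:
        return "allow"
    # [0094]: renewal budget exhausted -> no renewal.
    if obj.renewal_count >= MAX_RENEWALS:
        return "reject"
    # [0095]: kept alive too long since generation -> no renewal.
    if obj.renewal_time is not None and obj.renewal_time - obj.save_time > MAX_LIFETIME:
        return "reject"
    # 304C: never renewed, or last renewal recent enough -> let the client renew.
    if obj.renewal_time is None or now - obj.renewal_time <= MAX_INTERVAL:
        return "renew"
    return "reject"


def renew(obj: EncryptedObject, now: datetime) -> EncryptedObject:
    """Server side of a password-save renewal ([0082], [0093]): the renewal
    time becomes the time of this renewal and the count grows by one; the
    save time is kept so the [0095] lifetime bound still bites."""
    return replace(obj, renewal_time=now, renewal_count=obj.renewal_count + 1)


def client_action(valid_until: datetime, now: datetime) -> str:
    """Client-side rule of [0083]: 'expired' once the validity period has
    passed (the local ticket is deleted), 'renew' when logging in within
    RENEW_WINDOW of expiry, otherwise 'keep'."""
    if now >= valid_until:
        return "expired"
    if valid_until - now <= RENEW_WINDOW:
        return "renew"
    return "keep"


def example_0085() -> dict:
    """Timeline of [0085] plus the failure cases, returned as a dict so the
    outcomes can be inspected without a live clock."""
    saved = datetime(2008, 1, 1, 13, 33, 45)
    valid_until = datetime(2008, 2, 1, 13, 33, 45)   # default "one month"
    login = datetime(2008, 1, 25, 14, 34, 36)
    fresh = EncryptedObject(save_time=saved)
    renewed = renew(fresh, login)
    return {
        "client_on_jan10": client_action(valid_until, datetime(2008, 1, 10)),
        "client_on_jan25": client_action(valid_until, login),
        "client_on_feb1": client_action(valid_until, valid_until),
        "server_on_jan25": check_ticket(fresh, login),
        "renewal_count": renewed.renewal_count,
        "renewal_time": renewed.renewal_time.isoformat(sep=" "),
        "fresh_on_feb15": check_ticket(fresh, datetime(2008, 2, 15)),
        "renewed_on_feb15": check_ticket(renewed, datetime(2008, 2, 15)),
        "renewed_on_apr15": check_ticket(renewed, datetime(2008, 4, 15)),
        "future_save_time": check_ticket(fresh, datetime(2007, 12, 31)),
        "budget_exhausted": check_ticket(
            replace(renewed, renewal_count=MAX_RENEWALS), datetime(2008, 2, 15)),
    }
```

Every field that matters is checked against the server's own clock; the client-side validity period only governs when the local file is deleted and when a renewal request is sent, so a stolen ticket that never gets renewed stops working once the server's maximum interval has passed, which is the point made in [0096].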

[0096] The automatic login flow above shows that using the password save time, the renewal time and the renewal count as the encrypted object strengthens the server's verification and thus the protection of the password. In practice, even if a remember-password ticket is broken and used to log in, it cannot be used for long unless it is renewed, which limits the damage from a stolen password.

[0097] To make the stored encrypted data more robust, the server information may further include a format version number, obfuscation data and other data, which increases the complexity of the encrypted object and the protection of the stored encrypted data.

[0098] In the methods of the embodiments, the encrypted object can be configured flexibly as required. When the server verifies the ticket to decide whether it is valid, it rejects automatic login and has the client prompt the user for the password again as soon as any one item in the encrypted object fails its verification condition. This considerably improves the reliability and flexibility of server-side verification and the security of the encrypted data kept on the client.

[0099] The second embodiment differs from the first in that, after the encrypted object has been encrypted with the hash data, the resulting encrypted data is encrypted a second time with client-local information; the result is the remember-password ticket stored on the client. This makes the ticket more complex and the encrypted data stored on the client more secure.

[0100] FIG. 5 is a flowchart of the method of storing encrypted data on the client according to the second embodiment.

[0101] Step 401: the user enters the account name and password on the client's login screen and selects the "remember password" function.

[0102] Step 402: the client sends a login request containing the account name and password to the server and receives the encrypted object, which includes the current time, returned by the server. [0103] Step 403: the client selects a hash algorithm, hashes the password supplied by the user, and uses the resulting hash data, which corresponds to the password, as the key.

[0104] Step 404: using a preset encryption algorithm with the hash data as key, the client encrypts the encrypted object once, yielding the first-level encrypted data; it then uses client-local information as key to encrypt the first-level data a second time, yielding the second-level encrypted data, which is stored on the client as the remember-password ticket.

[0105] The client-local information may be machine information inherent to the local client, local network information, or locally generated random data.

[0106] Machine information inherent to the client may be the physical (MAC) address of the client's network card, the serial number of the client's first hard disk, and so on. Local network information may be the client's IP address, gateway address, subnet mask, and so on. Locally generated random data is data generated at random on the local client and combined, according to a preset rule, with the inherent machine information or the local network information; it serves as obfuscation, increasing the complexity of the key and making it harder to recover.

[0107] Client-local information is used as key so that the key is harder to recover. As required, the client picks some of this information at random and composes the key from it according to a fixed rule, then encrypts the encrypted object with it. Since an outsider cannot easily obtain this key by technical means, the encrypted object, and with it the password, remains hard to recover even if the encryption algorithm becomes known.

[0108] Inherent machine information is the usual choice of client-local information, because it is fixed and can be locked down by an administrator so that outsiders cannot learn it, which further protects the saved password. Local network information, by contrast, may be fixed or may change arbitrarily; for example, if the local network assigns IP addresses automatically, the client's IP address may differ every time. This too can further protect the saved password (although a ticket encrypted under a value that has since changed can no longer be decrypted locally, so the user must enter the password again).

[0109] In the methods of the embodiments, the same encryption algorithm may be used for both the first and the second encryption, or different algorithms may be used for the two, to further protect the saved password.

[0110] In the method of storing encrypted data on the client according to the second embodiment, client-local information is used as key to encrypt the encrypted object a second time, and the resulting encrypted data is stored on the client as the remember-password ticket.

[0111] In this method the client-local information serving as the second-level key can be composed freely, according to a preset rule and the client's needs, from inherent machine information, local network information and locally generated random data. This keeps the key confidential: even if someone learns the encryption algorithm, they cannot learn which components make up the key or how it is defined, so the key, and with it the password, is hard to recover. The method therefore stores encrypted data on the client with a high degree of security.

[0112] FIG. 6 is a flowchart of automatic login using the method of storing encrypted data on the client according to the second embodiment.

[0113] Step 501: the user logs in again on the client. Based on the account name supplied by the user, the client retrieves the corresponding remember-password ticket from local storage, decrypts it with the client-local information to obtain the first-level encrypted data, and sends an automatic login request containing the first-level encrypted data and the account name to the server.

[0114] The client decrypts the ticket with the decryption algorithm corresponding to the second-level encryption algorithm of step 404.

[0115] Step 502: on receiving the automatic login request, the server retrieves the password hash data corresponding to the account name from the database, for use as the key.

[0116] If in step 403 the key was hash data derived from the password hash by the preset function f, then correspondingly in step 502 the server applies the same function f to the password hash data to produce the hash data used as the decryption key.

[0117] Step 503: the server decrypts the first-level encrypted data received from the client with the hash data. If decryption succeeds, the client's password is proven correct and the encrypted object is obtained; go to step 504. If decryption fails, go to step 506.

[0118] The server decrypts with the decryption algorithm corresponding to the first-level encryption algorithm of step 404.

[0119] Step 504: the server inspects the decrypted encrypted object to determine whether the remember-password ticket is valid. If the ticket is valid, go to step 505; otherwise go to step 506.

[0120] Here the encrypted object is the time at which the user's login password was first saved on the client, the password save time for short.

[0121] The procedure for determining whether the ticket is valid is the same as step 304 of the first embodiment.

[0122] Step 505: the server notifies the client that the user may log in automatically; the automatic login flow ends.

[0123] Step 506: the server notifies the client to prompt the user for the password again; the automatic login flow ends.
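The exchange of steps 401 to 404 and 501 to 506, as an added example in Python; it is not code from the patent. The patent names no hash algorithm, no "preset encryption algorithm" and no "function f", so those are assumptions here: SHA-256 for the password hash, a keyed SHA-256 for f, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag standing in for the cipher. The tag is deliberate: step 503 treats "decryption failed" as proof that the password was wrong, and an unauthenticated cipher cannot fail, it only produces garbage, so some authenticator or recognisable structure in the encrypted object is what makes that step meaningful. The machine information and the local random value are constructed sample data.

```python
"""Two-layer remember-password ticket of the second embodiment.
Added example; every primitive is an assumption, the patent fixes none."""
import hashlib
import hmac
import json
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used only so the example runs on the
    standard library; stands in for the page's unspecified cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys split from `key`; output nonce||body||tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong or the blob was altered;
    the caller cannot tell the two apart, exactly as step 503 assumes."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def password_hash(password: str) -> bytes:
    """Step 403 hash; the server keeps the same value in its database (step 502)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def ticket_key(pw_hash: bytes) -> bytes:
    """The page's 'preset function f' over the password hash ([0116]); assumed."""
    return hashlib.sha256(b"ticket-key-v1" + pw_hash).digest()


def local_key(machine_info: dict, local_random: bytes) -> bytes:
    """Second-level key from client-local information ([0105]-[0107]):
    inherent machine data plus a locally generated random value, combined
    under a fixed rule (sorted key=value pairs here)."""
    material = "|".join(f"{k}={machine_info[k]}" for k in sorted(machine_info))
    return hashlib.sha256(local_random + material.encode("utf-8")).digest()


# client side ---------------------------------------------------------------

def client_make_ticket(password: str, encrypted_object: dict, lkey: bytes) -> bytes:
    """Step 404: first encryption under the password-derived key, second
    encryption under the client-local key; the result is stored locally."""
    first = seal(ticket_key(password_hash(password)), json.dumps(encrypted_object).encode())
    return seal(lkey, first)


def client_auto_login(ticket: bytes, lkey: bytes) -> Optional[bytes]:
    """Step 501: strip the local layer; only the first-level data travels
    to the server, which therefore never sees the machine information."""
    return unseal(lkey, ticket)


# server side ---------------------------------------------------------------

def server_auto_login(first_level: bytes, stored_pw_hash: bytes) -> Optional[dict]:
    """Steps 502-503: derive the key from the stored hash and decrypt.
    None means 'prompt for the password again' (step 506); the recovered
    fields then go through the step 504 validity check."""
    plain = unseal(ticket_key(stored_pw_hash), first_level)
    return None if plain is None else json.loads(plain)
```

Two properties of the scheme show up directly in this code. The server can verify the ticket with nothing but the password hash it already stores, so no per-client key material lives on the server. Conversely, whoever obtains the first-level data (for instance by reading it off the wire, or by also knowing the machine information) holds a value that a password guess can be tested against offline at the speed of the hash, so the second layer under client-local information is the only thing standing between a copied ticket and an offline guessing attack on the password.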

[0124] To make the saved password more robust, in the second embodiment the encrypted object may also include the renewal time and the renewal count; the server verifies the renewal time and the renewal count in the same way as in the first embodiment.

[0125] To make the stored encrypted data more robust, the server information may further include a format version number, obfuscation data and other data, which increases the complexity of generating the remember-password ticket.

[0126] Based on the above methods of storing encrypted data on the client, a system for storing encrypted data on the client is also provided.

[0127] FIG. 7 is a diagram of the system for storing encrypted data on the client according to the first embodiment.

[0128] The system comprises a client 61 and a server 62; the client 61 comprises:

[0129] an encrypted-object receiving module 610, for receiving the encrypted object, which includes the current time, returned by the server;

[0130] a password hashing module 611, for hashing the login password at least once to produce hash data;

[0131] a hash-data encryption module 612, for encrypting, with a preset encryption algorithm and the hash data produced by the password hashing module 611 as key, the encrypted object received by the encrypted-object receiving module 610, and sending the resulting encrypted data to the storage module 613 as the remember-password ticket;

[0132] a storage module 613, for storing the remember-password ticket, i.e. the encrypted data, sent by the hash-data encryption module 612.

[0133] To make the saved password more robust, the password hashing module 611 may either hash the user's login password directly and use the password hash as the key, or compute a preset function f over the password hash and use the resulting hash data, which is related to the password hash, as the key. Even if someone learns the hash algorithm, they cannot learn how f is defined, so the key needed to recover the password is hard to obtain.

[0134] With this system, the remember-password ticket stored by the storage module 613, i.e. the encrypted data, is obtained by encrypting the encrypted object returned by the server, which contains the current time, with hash data derived from the login password as key. If the ticket is captured, then even when the encryption algorithm is known it is difficult to obtain any information about the encrypted object, so the likelihood of recovering the password-related hash data used as key from the ticket alone is very small, and the saved password remains protected. Compared with the prior art, which simply uses the password hash as the remember-password ticket, this greatly improves the security of encrypted data stored on the client.

[0135] FIG. 8 is a diagram of the system for storing encrypted data on the client according to the second embodiment.

[0136] The system of the second embodiment differs from that of the first embodiment in that the client further comprises a local-information encryption module 614.

[0137] The local-information encryption module 614 encrypts, with a preset encryption algorithm and client-local information as key, the encrypted data output by the hash-data encryption module 612, producing the remember-password ticket, which it sends to the storage module 613.

[0138] Correspondingly, the storage module 613 stores the remember-password ticket sent by the local-information encryption module 614.

[0139] The client-local information may be machine information inherent to the local client, local network information, or locally generated random data.

[0140] In this system the local-information encryption module 614 uses client-local information as key, and that information can be composed freely, according to a preset rule and the client's needs, from inherent machine information, local network information and locally generated random data. This keeps the key confidential: even if someone learns the encryption algorithm, they cannot learn which components make up the key or how it is defined, so the key, and with it the password, is hard to recover. The system therefore stores encrypted data on the client with a high degree of security.

[0141] The method and system for storing encrypted data on a client provided by the present invention have been described in detail above. Specific examples have been used to explain the principles and embodiments of the invention; the description of the embodiments serves only to help understand the method and its core idea. Those of ordinary skill in the art may, following the idea of the invention, make changes to the specific embodiments and the scope of application. In summary, the contents of this specification are not to be construed as limiting the invention.


Claims (15)

1. A method of storing encrypted data on a client, characterized in that the method comprises: the client sends the login password to a server and receives from the server an encrypted object that includes the current time, the current time being the time at which the user first saved the login password on the client or the renewal time; the client hashes the login password at least once to produce hash data, and encrypts the encrypted object with the hash data to produce encrypted data; and the client stores the encrypted data.
2. The method according to claim 1, characterized in that encrypting the encrypted object with the hash data specifically comprises: adding obfuscation data to the hash data, and encrypting the encrypted object with the hash data to which the obfuscation data has been added.
3. The method according to claim 1, characterized in that, after encrypting the encrypted object with the hash data, the method further comprises: encrypting the encrypted object a second time with client-local information.
4. The method according to claim 3, characterized in that the client-local information is the physical address of the client's network card, the client's hard disk serial number, and/or data randomly generated by the client.
5. The method according to claim 1, characterized in that it further comprises: the client sends an automatic login request containing the encrypted data to the server; the server decrypts the encrypted data, determines that the current time in the encrypted object has not exceeded a preset maximum allowed interval, and returns information permitting automatic login to the client.
6. The method according to claim 1, characterized in that, after the client sends the login password to the server, the method further comprises: setting a validity period for the saved password.
7. The method according to claim 6, characterized in that it further comprises: the client sends a password-save renewal request containing the encrypted data to the server; the server decrypts the encrypted data, updates the decrypted encrypted object, encrypts the updated encrypted object again and returns the updated encrypted data to the client; and the server extends the validity period of the saved password.
8. The method according to claim 7, characterized in that, before the server extends the validity period of the saved password, the method further comprises: the server determines that the number of password-save renewal requests received has not exceeded a preset maximum allowed number of renewals.
9. The method according to claim 7, characterized in that, before the server extends the validity period of the saved password, the method further comprises: the server determines that the time of the received password-save renewal request has not exceeded a preset maximum allowed interval.
10. The method according to claim 7, characterized in that updating the decrypted encrypted object comprises: the server adds to the encrypted object the time at which the password-save renewal request was received.
11. The method according to claim 10, characterized in that the time at which the password-save renewal request was received is the time of the most recently received password-save renewal request.
12. The method according to claim 7, characterized in that updating the decrypted encrypted object comprises: the server adds to the encrypted object the number of password-save renewal requests received.
13. The method according to claim 12, characterized in that updating the decrypted encrypted object comprises: the server adds a format version number and obfuscation data to the encrypted object.
14. A system for storing encrypted data on a client, comprising a client and a server, characterized in that the client comprises: an encrypted-object receiving module, for sending the login password to the server and receiving from the server an encrypted object that includes the current time, the current time being the time at which the user first saved the login password on the client or the renewal time; a password hashing module, for hashing the login password at least once to produce hash data; a hash-data encryption module, for encrypting the encrypted object with the hash data to produce encrypted data; and a storage module, for storing the encrypted data sent by the hash-data encryption module.
15. The system according to claim 14, characterized in that the client further comprises: a local-information encryption module, for encrypting with client-local information the encrypted data output by the hash-data encryption module; and the storage module stores the encrypted data sent by the local-information encryption module.
CN2008101275538A 2008-06-27 2008-06-27 Method and system for storing encrypt data on customer CN101309278B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008101275538A CN101309278B (en) 2008-06-27 2008-06-27 Method and system for storing encrypt data on customer

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008101275538A CN101309278B (en) 2008-06-27 2008-06-27 Method and system for storing encrypt data on customer
PCT/CN2009/071883 WO2009155813A1 (en) 2008-06-27 2009-05-20 Method for storing encrypted data in client and system thereof

Publications (2)

Publication Number Publication Date
CN101309278A CN101309278A (en) 2008-11-19
CN101309278B true CN101309278B (en) 2011-07-06

Family

ID=40125497

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008101275538A CN101309278B (en) 2008-06-27 2008-06-27 Method and system for storing encrypt data on customer

Country Status (2)

Country Link
CN (1) CN101309278B (en)
WO (1) WO2009155813A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105491030A (en) * 2015-11-27 2016-04-13 韦昱灵 Website user password encryption and verification method

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101309278B (en) * 2008-06-27 2011-07-06 腾讯科技(深圳)有限公司 Method and system for storing encrypt data on customer
CN102055722B (en) * 2009-10-28 2014-01-15 中标软件有限公司 Implementation method for ensuring secure storage of electronic mails
US10102242B2 (en) * 2010-12-21 2018-10-16 Sybase, Inc. Bulk initial download of mobile databases
CN102045170B (en) * 2010-12-28 2013-02-20 北京深思洛克软件技术股份有限公司 Method and system for protecting safety of password
CN102629925B (en) * 2012-03-31 2014-10-15 苏州阔地网络科技有限公司 A method of preventing illegal connections and system
CN102752285B (en) * 2012-06-07 2015-03-18 广东电网公司茂名供电局 Pre-authentification computer system login method based on high collision probability hash function
CN102739404B (en) * 2012-06-29 2016-01-06 浪潮(北京)电子信息产业有限公司 A cryptographic method and system management
CN103713915A (en) * 2012-09-29 2014-04-09 联想(北京)有限公司 System starting method and electronic equipment
CN103873442B (en) * 2012-12-13 2017-12-12 腾讯科技(深圳)有限公司 The treating method and apparatus of log-on message
CN103188271A (en) * 2013-04-19 2013-07-03 国家电网公司 Secure mail client local data storage and identification methods and devices
CN104135364A (en) * 2013-04-30 2014-11-05 鸿富锦精密工业(深圳)有限公司 Account encryption and decryption system and method
CN104601532B (en) * 2013-10-31 2019-03-15 腾讯科技(深圳)有限公司 A kind of method and device of logon account
CN104883341B (en) * 2014-02-28 2019-01-25 宇龙计算机通信科技(深圳)有限公司 Application management device, terminal and application management method
CN103888457A (en) * 2014-03-19 2014-06-25 深信服网络科技(深圳)有限公司 Method and system for improving login security
CN105812329B (en) * 2014-12-31 2018-07-20 中国科学院沈阳自动化研究所 For the mobile security encryption method in complicated production management system
CN105376261A (en) * 2015-12-21 2016-03-02 Tcl集团股份有限公司 Encryption method and system for instant communication message
CN105610811B (en) * 2015-12-24 2019-06-25 中国建设银行股份有限公司 Authentication method and its relevant equipment and system
CN106127061A (en) * 2016-06-22 2016-11-16 杨越 Computer password safety guarantee calculation method
CN106650351B (en) * 2016-10-31 2018-12-04 维沃移动通信有限公司 A kind of operation method and mobile terminal of application program

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505309A (en) 2002-11-20 2004-06-16 微软公司 Securely processing client credentials used for web-based access to resources
CN1567294A (en) 2003-06-14 2005-01-19 华为技术有限公司 User certification method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7475252B2 (en) * 2004-08-12 2009-01-06 International Business Machines Corporation System, method and program to filter out login attempts by unauthorized entities
CN101309278B (en) * 2008-06-27 2011-07-06 腾讯科技(深圳)有限公司 Method and system for storing encrypt data on customer

Also Published As

Publication number Publication date
CN101309278A (en) 2008-11-19
WO2009155813A1 (en) 2009-12-30

Similar Documents

Publication Publication Date Title
EP1927211B1 (en) Authentication method and apparatus utilizing proof-of-authentication module
US8989390B2 (en) Certify and split system and method for replacing cryptographic keys
JP4222834B2 (en) Method and apparatus for storing a cryptographic key that authenticates a key server by obtaining and securely distributing the stored key
US6826686B1 (en) Method and apparatus for secure password transmission and password changes
US7571471B2 (en) Secure login using a multifactor split asymmetric crypto-key with persistent key security
JP5058600B2 (en) System and method for providing contactless authentication
US7243226B2 (en) Method and system for enabling content security in a distributed system
US6539479B1 (en) System and method for securely logging onto a remotely located computer
JP4226665B2 (en) Logon certificate
US6834112B1 (en) Secure distribution of private keys to multiple clients
US8074078B2 (en) System and method for remote reset of password and encryption key
US8769637B2 (en) Iterated password hash systems and methods for preserving password entropy
EP1473869B1 (en) Universal secure messaging for cryptographic modules
US6292896B1 (en) Method and apparatus for entity authentication and session key generation
JP4680596B2 (en) Method and system for securely escrowing private keys within public key infrastructure
JP4938673B2 (en) One-time password
Lin et al. A password authentication scheme with secure password updating
DE60314060T2 (en) Method and device for key management for secure data transmission
JP4746333B2 (en) Efficient and secure authentication of computing systems
EP1659475B1 (en) Password protection
KR100990320B1 (en) Method and system for providing client privacy when requesting content from a public server
CN100561916C (en) Method and system for updating certification key
US20040193891A1 (en) Integrity check value for WLAN pseudonym
CN101019369B (en) Method of delivering direct proof private keys to devices using an on-line service
CA2465270C (en) Secure communication with a keyboard or related device

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted