CN106506159A - Encryption method and equipment for key safety - Google Patents


Info

Publication number: CN106506159A
Authority: CN (China)
Prior art keywords: encryption, key, data key, MAC address, user
Prior art date
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN201611033864.9A
Other languages: Chinese (zh)
Inventors: 赵伟, 郑丽兰, 李梦雅
Current assignee: Shanghai Axiomtek Cloud Computing Ltd (as listed by Google Patents)
Original assignee: Shanghai Axiomtek Cloud Computing Ltd
Priority date
Filing date
Publication date
Events: application filed by Shanghai Axiomtek Cloud Computing Ltd; priority to CN201611033864.9A; publication of CN106506159A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using a fixed encryption transformation
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Abstract

The purpose of this application is to provide an encryption method and equipment for key security. A unique identification string for a mobile application is obtained from a server device and used to generate the data key of that mobile application. The data key is then statically encrypted according to an encryption algorithm and macro definitions, and dynamically encrypted according to a preset hash function together with the MAC address of the acquired user device and the user password. Static encryption of the mobile application's data key ensures that the data key can only be obtained by an application that contains the macro-defined encryption process, which binds the data key to the application. Dynamic encryption of the mobile application's data key binds it to the user device: even if the MAC address of a user device is tampered with so that two user devices appear identical, the user passwords still differ, so the data key cannot be cracked and the business data in the mobile application cannot be obtained; in this way the data key becomes user-aware.

Description

Encryption method and equipment for key safety
Technical field
This application relates to the field of computing, and in particular to an encryption technique for key security.
Background technology
Attack models against keys on mobile terminals fall into three kinds: malware, which requests every available system privilege, such as sending SMS messages, making phone calls, reading contacts and obtaining private information such as geographic location; jailbreak attacks, which obtain the highest device privilege, scan the file system and obtain sensitive system data; and root-level monitoring attacks, which monitor the user's keyboard input to obtain what is typed.
At present, keys on mobile terminals are mainly protected in the following ways. First, ARM TrustZone technology: through the design of the system bus, the processor and other components, the embedded device is divided into two independent running environments, where the Normal World runs Android OS (the Android system) and the Secure World processes sensitive processes and data. Unauthorized programs cannot obtain data stored in Secure World hardware. The Android system provides the Android KeyStore Service process, which runs in the Normal World, and a mobile application can call this process to obtain sensitive data such as passwords stored in Secure World hardware. Such a password is used to encrypt and decrypt the key files stored under the system private directory data/misc/keystore/. Because the password in the Secure World is hard to obtain, ARM TrustZone technology strengthens the security of the key store file encrypted with that password. In ARM TrustZone technology the key store file is named UID_USRPKEY_KeyAlias, where UID is the user account the system assigns to the application, UID_USRPKEY is a fixed string and KeyAlias is the key alias. Once the mobile terminal has been rooted, malware can copy this key store file and rename it, changing the UID to the malware's own UID, and then call the Android KeyStore Service process, which reads the Secure World password, decrypts the key store file and yields the key. The defect of ARM TrustZone technology is therefore that, after the mobile terminal is jailbroken, the key can be obtained by other applications installed on the same terminal.
Second, the mobile application private space mode. The mobile operating system allocates a private storage space to each application, and the password for the encrypted key store is stored directly under that private directory. Because other unauthorized applications cannot access this private space, the security of the key store file encrypted with that password is strengthened. Under the private directory, however, the key store password is stored in a file or database in the file system, so once the mobile terminal has been rooted, malware can scan the whole file system and obtain the key store password. The defect of storing the key store in the application's private space is that the key can be obtained by other applications on the same terminal and can also be copied to another terminal and used there.
Third, manual user input. The key store password is not stored on the mobile terminal; when the mobile application starts, the user is required to enter the password, which is used to encrypt the key store file, and after the mobile application process is closed the password data is cleared from memory. Because malware cannot obtain the password directly by scanning the file system, the security of the key store file encrypted with that password is strengthened. The defect of this method is that the password entered by the user has low security strength and is easily brute-forced, and once the mobile terminal has been rooted, keyboard input can be monitored. So the key can still be obtained by applications on the same terminal and can also be copied to another terminal and used there.
Content of the invention
The purpose of this application is to provide an encryption method and equipment for key security, to solve the problem of key security on the user device side.
According to one aspect of the application, an encryption method for key security is provided. The method includes:
generating the data key of a mobile application based on a unique identification string for that mobile application obtained from a server device;
performing static encryption of the data key according to an encryption algorithm and macro definitions, and performing dynamic encryption of the data key according to a preset hash function together with the MAC address of the acquired user device and the user password.
Optionally, obtaining the unique identification string of the mobile application from the server device includes: judging, when the mobile application starts, whether a key exists locally; if not, obtaining the unique identification string of the mobile application from the server device through an encrypted transport protocol interface; if so, decrypting the encrypted key of the mobile application stored in the user device to obtain the unique identification string of the mobile application.
Optionally, generating the data key of the mobile application based on the unique identification string obtained from the server device includes: performing a hash operation, according to the preset hash function, on the unique identification string of the mobile application obtained from the server device, to generate the data key of the mobile application.
Optionally, performing static encryption of the data key according to an encryption algorithm and macro definitions includes: applying macro definitions respectively to the data key, the encryption key function and the corresponding decryption function, and obtaining the statically encrypted data key based on those macro definitions.
Optionally, applying macro definitions respectively to the data key, the encryption key function and the corresponding decryption function, and obtaining the statically encrypted data key based on those macro definitions, includes:
applying macro definitions respectively to the data key, the encryption key function and the corresponding decryption function to obtain the characters of the macro-defined constants;
pushing the characters of each macro-defined constant into consecutive addresses on the function execution stack to obtain a character string;
extracting the character string at the first address of those consecutive addresses and passing it as a parameter to the corresponding function;
calling the function corresponding to that parameter to obtain the statically encrypted data key.
Optionally, the method further includes storing the statically encrypted data key under the private directory of the user device's local file system.
Optionally, the MAC address of the user device includes the wireless network MAC address and the Bluetooth MAC address of the user device.
Optionally, performing dynamic encryption of the data key according to the preset hash function together with the MAC address of the acquired user device and the user password includes:
obtaining the wireless network MAC address, the Bluetooth MAC address and the user password from the user device, and splicing them into a string;
performing a hash calculation on the spliced string according to the preset hash function to obtain the corresponding hash value;
using that hash value as the dynamic encryption password of the data key to obtain the dynamically encrypted data key, and storing the dynamic encryption password in the user device.
Optionally, the method further includes storing the dynamic encryption password and the dynamically encrypted data key under the private directory of the user device's local file system.
Optionally, obtaining the wireless network MAC address, the Bluetooth MAC address and the user password from the user device to obtain the spliced string includes:
obtaining the wireless network MAC address and the Bluetooth MAC address from the user device by calling the corresponding application programming interfaces;
obtaining the user password corresponding to the mobile application;
extracting a number of bytes from each of the wireless network MAC address, the Bluetooth MAC address and the user password, and splicing them to obtain the spliced string.
Optionally, after the data key has been dynamically encrypted according to the preset hash function together with the MAC address of the acquired user device and the user password, the method includes:
obtaining the currently entered user password from the start operation of the mobile application, and obtaining the MAC address of the user device on which the mobile application is currently running;
performing a hash calculation on that MAC address and the currently entered user password according to the preset hash function to obtain a result to be verified;
matching the result to be verified against the dynamic encryption password stored in the user device: if they do not match, decryption of the data key's dynamic encryption password fails; if they match, the dynamic encryption password of the data key is successfully decrypted.
According to another aspect of the application, encryption equipment for key security is also provided. The equipment includes:
a generating device, for generating the data key of a mobile application based on a unique identification string for that mobile application obtained from a server device;
an encryption device, for performing static encryption of the data key according to an encryption algorithm and macro definitions, and performing dynamic encryption of the data key according to a preset hash function together with the MAC address of the acquired user device and the user password.
Optionally, the generating device is configured to: judge, when the mobile application starts, whether a key exists locally; if not, obtain the unique identification string of the mobile application from the server device through an encrypted transport protocol interface; if so, decrypt the encrypted key of the mobile application stored in the user device to obtain the unique identification string of the mobile application.
Optionally, the generating device is configured to perform a hash operation, according to the preset hash function, on the unique identification string of the mobile application obtained from the server device, generating the data key of the mobile application.
Optionally, the encryption device is configured to apply macro definitions respectively to the data key, the encryption key function and the corresponding decryption function, and to obtain the statically encrypted data key based on those macro definitions.
Optionally, the encryption device is configured to:
apply macro definitions respectively to the data key, the encryption key function and the corresponding decryption function to obtain the characters of the macro-defined constants;
push the characters of each macro-defined constant into consecutive addresses on the function execution stack to obtain a character string;
extract the character string at the first address of those consecutive addresses and pass it as a parameter to the corresponding function;
call the function corresponding to that parameter to obtain the statically encrypted data key.
Optionally, the equipment further includes a storage device for storing the statically encrypted data key under the private directory of the user device's local file system.
Optionally, the MAC address of the user device includes the wireless network MAC address and the Bluetooth MAC address of the user device.
Optionally, the encryption device is configured to:
obtain the wireless network MAC address, the Bluetooth MAC address and the user password from the user device, and splice them into a string;
perform a hash calculation on the spliced string according to the preset hash function to obtain the corresponding hash value;
use that hash value as the dynamic encryption password of the data key to obtain the dynamically encrypted data key, and store the dynamic encryption password in the user device.
Optionally, the equipment further includes a storage device for storing the dynamic encryption password and the dynamically encrypted data key under the private directory of the user device's local file system.
Optionally, the encryption device is configured to:
obtain the wireless network MAC address and the Bluetooth MAC address from the user device by calling the corresponding application programming interfaces;
obtain the user password corresponding to the mobile application;
extract a number of bytes from each of the wireless network MAC address, the Bluetooth MAC address and the user password, and splice them to obtain the spliced string.
Optionally, the equipment further includes:
an acquisition device, for obtaining the currently entered user password from the start operation of the mobile application, and obtaining the MAC address of the user device on which the mobile application is currently running;
a computing device, for performing a hash calculation on that MAC address and the currently entered user password according to the preset hash function, to obtain a result to be verified;
a matching device, for matching the result to be verified against the dynamic encryption password stored in the user device: if they do not match, decryption of the data key's dynamic encryption password fails; if they match, the dynamic encryption password of the data key is successfully decrypted.
Compared with the prior art, this application generates the data key of a mobile application based on the unique identification string for that mobile application obtained from the server device, then statically encrypts the data key according to an encryption algorithm and macro definitions, and dynamically encrypts it according to a preset hash function together with the MAC address of the acquired user device and the user password. Static encryption of the mobile application's data key ensures that the data key can only be obtained by the application containing the macro-defined encryption process, achieving application binding of the data key. Dynamic encryption of the mobile application's data key further achieves binding of the data key to the user device and user consent: even if the MAC address of a user device is tampered with so that two user devices appear identical, the user passwords differ, so the data key cannot be cracked and the business data in the mobile application cannot be obtained, achieving user awareness of the data key.
Description of the drawings
Other features, objects and advantages of the application will become more apparent by reading the following detailed description of non-limiting embodiments made with reference to the drawings:
Fig. 1 shows a flow chart of an encryption method for key security according to one aspect of the application;
Fig. 2 shows a schematic diagram of the key generation and security protection process in one embodiment of the application;
Fig. 3 shows a flow chart of the key security protection method in one embodiment of the application;
Fig. 4 shows a schematic structural diagram of encryption equipment for key security according to another aspect of the application.
In the drawings, the same or similar reference signs denote the same or similar parts.
Specific embodiment
The application is described in further detail below with reference to the drawings.
Fig. 1 shows a flow chart of an encryption method for key security according to one aspect of the application; the method includes step S11 and step S12.
In step S11, the data key of a mobile application is generated based on the unique identification string for that mobile application obtained from the server device. Here, the server device randomly generates the unique string of the mobile application; after the user device obtains this unique identification string from the server device, it performs a hash operation on it to obtain a fixed-length unique value, and that fixed-length unique value is used as the data key of the mobile application. The user device is preferably a mobile terminal.
In step S12, the data key is statically encrypted according to an encryption algorithm and macro definitions, and dynamically encrypted according to a preset hash function together with the MAC address of the acquired user device and the user password PWD. Here, when the mobile application is used without a network connection, the user still needs to browse ciphertext data, so the data key for that ciphertext data needs security protection. In this embodiment, static encryption of the data key according to the encryption algorithm and macro definitions ensures that the data key of the mobile application can only be obtained by the application containing the macro-defined encryption process, which binds the key to the application; the encryption algorithm may include the Chinese national standard SM4 algorithm. In one embodiment, the statically encrypted data key is stored directly on user device A. If user device A is jailbroken and the business data and the data key of the mobile application are migrated together to the same mobile application (APP) installed on user device B, then user device B and user device A both have the macro-defined functions, so the business data copied from user device A can be decrypted successfully. Processing the data key with static encryption alone therefore does not meet the requirement of binding the data key to the device, and dynamic encryption is also needed. Dynamic encryption hashes the MAC address of the user device and the user password PWD with a hash algorithm to obtain the dynamic encryption password. Note that static encryption and dynamic encryption are independent of each other, and their order does not affect the final protection of the data key.
Through the static and dynamic encryption of the data key described above, the data key can only be accessed by one specific application and cannot be accessed by other applications or terminals, which satisfies the requirements of application binding and device binding and achieves key protection on the user device side.
Preferably, in step S11, when the mobile application starts it is judged whether a key exists locally; if not, the unique identification string of the mobile application is obtained from the server device through an encrypted transport protocol interface; if so, the encrypted key of the mobile application stored in the user device is decrypted to obtain the unique identification string of the mobile application. Here, the server device can assign a unique string to each mobile application as its unique identifier. When the user side starts a mobile application it must judge whether a key exists locally; if not, it obtains from the encrypted transport protocol interface (HTTPS interface) the unique identification string the server device assigned to the mobile application; if so, the unique identification string is obtained by decrypting the encrypted key stored on the user side, and key generation is performed with the unique identification string of the mobile application so obtained.
Then, in step S11, a hash operation is performed according to the preset hash function on the unique identification string of the mobile application obtained from the server device, generating the data key of the mobile application. After the unique identification string of the mobile application is obtained, it is hashed with the preset hash function. The preset hash function may, for example, be a modified SM3 algorithm, for instance with the iteration condition in the algorithm changed to a different number of rounds and with particular characters subjected to obfuscating iterations, so that the string produced by the hash algorithm becomes a data key with a certain level of security.
Preferably, in step S12, macro definitions are applied respectively to the data key, the encryption key function and the corresponding decryption function, and the statically encrypted data key is obtained based on those macro definitions. Function-like macro definitions can be embedded in program code without an explicit entry point, which increases the difficulty of static analysis. Specifically, in step S12, macro definitions are applied respectively to the data key, the encryption key function and the corresponding decryption function to obtain the characters of the macro-defined constants; the characters of each macro-defined constant are pushed into consecutive addresses on the function execution stack to obtain a character string; the character string at the first address of those consecutive addresses is extracted and passed as a parameter to the corresponding function; and the function corresponding to that parameter is called to obtain the statically encrypted data key. Here, the Chinese national standard SM4 algorithm is used to statically encrypt the data key of the business data in the mobile application. Static encryption means that the password used to encrypt the data key is the same across devices; the static encryption password (StaticKey for short) is in fact defined in the code in the form of a ciphertext string and must be decrypted when used. StaticKey and the function that decrypts StaticKey use macro definitions. For example, the data key is: 0x26,0x67,0x3b,0x31,0x3f,0x66,0x30,0x57,0x2f,0x3d,0x52,0x38,0x36,0x66,0x40,0x2a; static encryption of this data key is shown in the following program code:
#include <stdint.h>
#include "sm4.h"  /* header of the SM4 implementation in use (name assumed); provides sm4_context, sm4_setkey_dec, sm4_crypt_ecb */

/* PRIMARYKEY: the 16-byte SM4 key that decrypts the static key. As a macro constant it is
   rebuilt in instructions at each use rather than stored in the data section. */
#define PRIMARYKEY ((uint8_t[]){'a','b','c','d','e','f','g','h','1','2','3','4','5','6','7','8'})

/* SECRETKEY: the StaticKey ciphertext, i.e. the data key after SM4 encryption. */
#define SECRETKEY ((uint8_t[]){0x48,0x5d,0xcc,0xfd,0x68,0x34,0x0b,0xbb,0x59,0x26,0xe7,0xb2,0xf4,0x39,0x4f,0xeb})

/* GETSECRET(originKey): decrypt SECRETKEY with PRIMARYKEY into the caller's 17-byte buffer
   (16 key bytes plus a terminating '\0'), so the plaintext key lives only on the calling
   function's stack; mode 0 selects decryption in sm4_crypt_ecb. Evaluates to originKey. */
#define GETSECRET(originKey) \
({ \
    sm4_context ctx; \
    sm4_setkey_dec(&ctx, PRIMARYKEY); \
    sm4_crypt_ecb(&ctx, 0, 16, SECRETKEY, (originKey)); \
    (originKey)[16] = '\0'; \
    (originKey); \
})

/* Usage in the calling function: unsigned char originKey[17]; GETSECRET(originKey); */
In the above code, SECRETKEY is the encrypted StaticKey, PRIMARYKEY is the encryption key, and GETSECRET is the decryption function, which returns the decrypted StaticKey. Disassembly shows that PRIMARYKEY and SECRETKEY are not stored directly in the data section; they are broken up across multiple instructions and become part of the instructions, which increases the difficulty of static analysis. Each character of the above macro-defined constants is pushed one by one into consecutive addresses on the function execution stack and assembled into a string; a register then takes the first address of those consecutive addresses and passes it as a parameter to the corresponding function, so that the address of the string passed in differs on every call. After the function finishes executing, its execution stack is cleared and the raw PRIMARYKEY and SECRETKEY information is removed from the stack with it. The important information is thus never memory-resident: it enters memory only when used and is cleared immediately afterwards, which effectively prevents memory scanning and achieves application binding, so that the data key is accessed only by one specific mobile application and cannot be accessed by other mobile applications.
Preferably, the MAC address of the user device includes the wireless network MAC address and the Bluetooth MAC address of the user device. In one embodiment of the application, step S12 includes: obtaining the wireless network MAC address, the Bluetooth MAC address and the user password PWD from the user device to obtain a spliced string; performing a hash calculation on the spliced string according to the preset hash function to obtain the corresponding hash value; using that hash value as the dynamic encryption password of the data key to obtain the dynamically encrypted data key, and storing the dynamic encryption password in the user device. Here, the difference between dynamic and static encryption is that the dynamic encryption password is not written into the code; instead, the MAC address of the user device and the user password PWD are spliced into a string, the string is hashed, and the resulting hash value is stored on the user device as the dynamic encryption password. Since the dynamic encryption password is obtained by hashing the string spliced from the user device's MAC address and the user password PWD, a different user device means a different MAC address, so the data key cannot be cracked and the business data of the mobile application cannot be obtained; an incorrectly entered user password PWD means the user has not given consent, and likewise the data key cannot be cracked. Therefore, dynamic encryption of the data key achieves the key security requirements of device binding and user consent.
Preferably, in step S12, the wireless network MAC address and the Bluetooth MAC address are obtained from the user device by calling the corresponding application programming interfaces; the user password PWD corresponding to the mobile application is obtained; and a number of bytes are extracted from each of the wireless network MAC address, the Bluetooth MAC address and the user password PWD and spliced to obtain the spliced string. In one embodiment of the application, the string spliced as "6-byte wireless network MAC address + 6-byte Bluetooth MAC address + 4-byte user password PWD" is hashed with SM3, and the hash value is stored on the user device as the dynamic encryption password, the MAC addresses being obtained by calling system APIs. Note that the "6-byte wireless network MAC address + 6-byte Bluetooth MAC address + 4-byte user password PWD" string used in dynamic encryption is only an example; when the MAC address of the user device is not 6 bytes, a string corresponding to the actual byte length of the MAC address can be used instead.
Preferably, the method further includes: obtaining the currently entered user password PWD from the start operation of the mobile application, and obtaining the MAC address of the user device on which the mobile application is currently running; performing a hash calculation on that MAC address and the currently entered user password PWD according to the preset hash function to obtain a result to be verified; and matching the result to be verified against the dynamic encryption password stored in the user device: if they do not match, decryption of the data key's dynamic encryption password fails; if they match, the dynamic encryption password of the data key is successfully decrypted.
Here, after the data key has been dynamically encrypted with the MAC address of the user equipment and the user password PWD, the user is required to enter the user password PWD every time the mobile application is started, and the system API is called to obtain the MAC address of the user equipment, including the wireless-network MAC address and the Bluetooth MAC address. The obtained MAC address of the user equipment and the PWD entered by the user are concatenated and hashed with the preset hash function, such as SM3, to obtain the result to be verified, which is compared with the hash value previously stored on the user equipment: if they do not match, decryption of the data key with the dynamic encryption password fails; if they match, it succeeds. On the same user equipment, dynamic encryption satisfies the user-consent security requirement: the obtained MAC address of the user equipment and the PWD entered by the user form the hash input, so verifying the hash result amounts to verifying whether the PWD was entered correctly. A correct entry indicates that the user consents; an incorrect entry indicates that the user does not consent, and the data key remains protected. It should be noted that the PWD is not stored locally on the user equipment; it exists only in memory, and once the mobile application process is killed the PWD is destroyed automatically and leaves no trace. If the business data of user equipment A are migrated together with the business key to user equipment B, then because the key was protected by dynamic encryption on user equipment A, the result of the final hash operation differs from the earlier dynamic encryption password even when the user enters the correct PWD, since the MAC addresses of user equipment A and user equipment B differ; the business data copied from user equipment A therefore still cannot be recovered, so dynamic encryption also achieves the key-security requirement of device binding. In summary, when the business data and the business data key file are moved from user equipment A to user equipment B, the device MAC addresses differ, the key file cannot be decrypted, and device binding of the key is achieved. Even if the MAC addresses are tampered with so that the two devices appear identical, the PWD differs, the key file cannot be decrypted, and user awareness of the key is achieved.
Preferably, the method further includes step S13: storing the statically encrypted data key under the private directory of the local file system of the user equipment; in step S13, the dynamic encryption password and the dynamically encrypted data key are also stored under the private directory of the local file system of the user equipment. In the embodiment of the application, the hash value produced by the SM3 hash operation of the dynamic encryption process is stored, together with the statically encrypted data key and the dynamically encrypted data key, under the private directory of the local system of the user equipment. Here, the operating system of each user equipment allocates a private storage space to each mobile application, and the twice-encrypted data key is stored under a directory in that allocated private storage space, that is, under the private directory of the local system of the user equipment. Because other, unauthorized applications cannot access this application's private-space data, the security of the data key that has undergone static and dynamic encryption is further strengthened.
Fig. 2 illustrates the key generation and security protection process in one embodiment of the application. The server is the service equipment and the client is the user equipment, preferably a mobile terminal. The service equipment generates a unique string (str) for the mobile application. When the corresponding mobile application on the mobile terminal starts, it checks whether a key already exists locally; if not, it obtains str over the https interface, and if so, it obtains str by decrypting the encrypted key saved on the mobile terminal. A modified sm3 algorithm hashes str to obtain the data key (KEY), completing key generation. The key is then encrypted for storage by static encryption and dynamic encryption. Static encryption uses macro definitions, namely #define PRIMARYKEY, #define SECRETKEY and #define GETSECRET, where SECRETKEY is the encrypted static encryption password, PRIMARYKEY is the encryption key and GETSECRET is the decryption function; the static key is obtained through these macro definitions. The national-standard sm4 algorithm is applied with the static key, giving the statically encrypted data key sm4str1 and achieving application binding (app binding). The user password PWD is obtained from user input, the MAC address of the user equipment is obtained, and the concatenated string "MAC address + PWD" is hashed with sm3 to serve as the dynamic key; the sm4 algorithm is then applied with this dynamic key, giving the dynamically encrypted data key sm4str2 and achieving device binding and user consent. Finally, sm4str2 and the hash value from the hash operation are written (fwrite) to the key database file, which is stored under the private directory of the local file system of the mobile terminal. The concrete method flow of the key security protection process of Fig. 2 is shown in Fig. 3. Through the static and dynamic encryption of the data key shown in Fig. 3, the business data key of the mobile application can only be obtained by the application that contains the macro-defined encryption process, achieving application binding of the key; when the business data and the business data key file are moved from mobile terminal A to mobile terminal B, the device MAC addresses differ, the key file cannot be decrypted, and device binding of the key is achieved; and even if the MAC addresses are tampered with so that the two devices appear identical, the PWD differs, the key file cannot be decrypted, and user awareness of the key is achieved.
Fig. 4 is a schematic structural diagram of an encryption device for key security according to another aspect of the application. The equipment 1 includes a generating means 11 and an encrypting means 12. The generating means 11 generates the data key of the mobile application based on the unique identification string of the mobile application obtained from the service equipment; the encrypting means 12 statically encrypts the data key according to an encryption algorithm and macro definitions, and dynamically encrypts the data key according to a preset hash function, the obtained MAC address of the user equipment and the user password PWD.
Here, the equipment 1 includes, without limitation, any mobile electronic product capable of human-machine interaction with the user through a touch pad, such as a smartphone or a PDA, and the mobile electronic product may run any operating system, such as the Android operating system or the iOS operating system. Preferably, the equipment 1 may also be a script program running on the user equipment, or a device formed by integrating the user equipment or touch terminal with a network device over a network. Of course, those skilled in the art will understand that the above user equipment 1 is only an example, and that other existing or future equipment 1 applicable to the application also falls within the scope of protection of the application and is incorporated herein by reference.
The above means operate continuously. Here, those skilled in the art will understand that "continuously" means that each of the above means operates in real time, or according to a set or real-time-adjusted mode of operation.
Specifically, the generating means 11 is configured to generate the data key of the mobile application based on the unique identification string of the mobile application obtained from the service equipment. Here, the service equipment randomly generates the unique string of the mobile application; after the user equipment obtains the unique identification string from the service equipment, it hashes it into a unique value of fixed length, and this fixed-length unique value serves as the data key of the mobile application. The user equipment is preferably a mobile terminal.
Specifically, the encrypting means 12 is configured to statically encrypt the data key according to an encryption algorithm and macro definitions, and to dynamically encrypt the data key according to a preset hash function, the obtained MAC address of the user equipment and the user password PWD. Here, a user of a mobile application still needs to browse encrypted data when no network is available, so the data key of the encrypted data must be protected. In the embodiment of the application, the data key is statically encrypted according to an encryption algorithm and macro definitions, ensuring that the data key of the mobile application can only be obtained by the application containing the macro-defined encryption process, thereby achieving application binding of the key; the encryption algorithm may include the national-standard SM4 algorithm. In one embodiment of the application, the statically encrypted data key is stored directly on user equipment A. If user equipment A is jailbroken and the business data of the mobile application and the data key of the mobile application are migrated together to the same mobile application (APP) installed on user equipment B, then user equipment B has the same macro-defined functions as user equipment A and can successfully decrypt the business data copied from user equipment A. Processing the data key with static encryption alone therefore cannot meet the device-binding requirement of the data key, so dynamic encryption is also required. The dynamic encryption process hashes the MAC address of the user equipment and the user password PWD with a hashing algorithm to obtain the dynamic encryption password. It should be noted that the static encryption process and the dynamic encryption process are independent of each other, and their order does not affect the final security protection of the data key.
Through the above static and dynamic encryption of the data key described in this application, the data key can only be accessed by one specific application and cannot be accessed by other applications or terminals; this satisfies the requirements of application binding and device binding and achieves key protection on the user equipment.
Preferably, the generating means 11 is configured to determine, when the mobile application starts, whether a key exists locally; if not, it obtains the unique identification string of the mobile application from the service equipment through an encrypted transport protocol interface, and if so, it decrypts the encrypted key of the mobile application stored on the user equipment to obtain the unique identification string of the mobile application. Here, the service equipment can assign a unique string to each mobile application to identify it uniquely. When a mobile application is started on the user side, it must be determined whether a key already exists locally: if not, the unique identification string assigned by the service equipment to the mobile application is obtained from the encrypted transport protocol interface (https interface); if so, it is obtained by decrypting the encrypted key stored on the user side. The key is then generated from the obtained unique identification string of the mobile application.
Then, the generating means 11 is configured to hash the unique identification string of the mobile application obtained from the service equipment with the preset hash function, generating the data key of the mobile application. After the unique identification string of the mobile application is obtained, it is hashed with the preset hash function. The preset hash function is, for example, a modified sm3 algorithm, in which the iteration condition is changed to satisfy a certain number of rounds, certain characters are confused and iterated, and so on, so that the string produced by the hashing algorithm becomes a data key with a certain level of security.
Preferably, the encrypting means 12 is configured to apply macro definitions to the data key, the encryption key function and the corresponding decryption function respectively, and to obtain the statically encrypted data key based on the macro definitions. Function-style macro definitions can be embedded in program code without an explicit entry point, increasing the difficulty of static analysis. Specifically, the encrypting means 12 is configured to: apply macro definitions to the data key, the encryption key function and the corresponding decryption function respectively, obtaining the characters of the macro-defined constants; push the characters of each macro-defined constant into contiguous addresses of the function execution stack, obtaining a string; extract the string corresponding to the first address of the contiguous addresses and pass it to the corresponding function as a parameter; and call the function corresponding to the parameter, obtaining the statically encrypted data key. Here, the national-standard SM4 algorithm is used to statically encrypt the data key of the business data in the mobile application. Static encryption means that the password used to encrypt the data key is the same on different devices; the static encryption password (StaticKey for short) is actually defined in the code in the form of a ciphertext string and must be decrypted before use. StaticKey and the function that decrypts StaticKey are implemented as macro definitions. For example, the data key is: 0x26,0x67,0x3b,0x31,0x3f,0x66,0x30,0x57,0x2f,0x3d,0x52,0x38,0x36,0x66,0x40,0x2a; the data key is statically encrypted as in the following program code:
#include <stdint.h>
#include "sm4.h"   /* header of the SM4 implementation providing sm4_context, sm4_setkey_dec and sm4_crypt_ecb (assumed name) */

/* encryption key under which the StaticKey is kept in the binary */
#define PRIMARYKEY \
    ((uint8_t[]){'a','b','c','d','e','f','g','h','1','2','3','4','5','6','7','8'})

/* StaticKey in encrypted form: one 16-byte SM4 block under PRIMARYKEY */
#define SECRETKEY \
    ((uint8_t[]){0x48,0x5d,0xcc,0xfd,0x68,0x34,0x0b,0xbb,0x59,0x26,0xe7,0xb2,0xf4,0x39,0x4f,0xeb})

/* decryption function: recovers the StaticKey into a stack buffer and yields it as a NUL-terminated buffer */
#define GETSECRET \
    ({ \
        unsigned char originKey[17];                        /* 16 key bytes plus the terminating NUL */ \
        sm4_context ctx; \
        sm4_setkey_dec(&ctx, PRIMARYKEY);                   /* decryption key schedule from PRIMARYKEY */ \
        sm4_crypt_ecb(&ctx, 0, 16, SECRETKEY, originKey);   /* mode 0 = decrypt one 16-byte ECB block */ \
        originKey[16] = '\0'; \
        originKey; \
    })
In the above code, SECRETKEY is the encrypted StaticKey, PRIMARYKEY is the encryption key, and GETSECRET is the decryption function that returns the decrypted StaticKey. Disassembly shows that PRIMARYKEY and SECRETKEY are not stored directly in the data section; they are broken up across multiple instructions and become part of the instruction stream, increasing the difficulty of static analysis. Each character of the above macro-defined constants is pushed one by one into contiguous addresses of the function execution stack, where the characters are assembled into a string; a register then takes the first address of those contiguous addresses and passes it to the corresponding function as a parameter, so the address of the string passed in differs on every call. After the function finishes executing, its execution stack is cleared and the raw PRIMARYKEY and SECRETKEY information is removed from the stack with it. Important information is never resident in memory: it enters memory only when used and is removed immediately after use, which effectively prevents memory scanning and achieves application binding, so that the data key is accessed only by one specific mobile application and cannot be accessed by other mobile applications.
Preferably, the MAC address of the user equipment includes the wireless-network MAC address and the Bluetooth MAC address of the user equipment. In one embodiment of the application, the encrypting means 12 is configured to: obtain the wireless-network MAC address, the Bluetooth MAC address and the user password PWD from the user equipment and concatenate them into a string; hash the concatenated string with the preset hash function to obtain the corresponding hash value; use that hash value as the dynamic encryption password of the data key, obtaining the dynamically encrypted data key; and store the dynamic encryption password on the user equipment. Here, dynamic encryption differs from static encryption in that the dynamic encryption password is not hard-coded in the program: the MAC address of the user equipment and the user password PWD are concatenated into a string, the string is hashed, and the resulting hash value is stored on the user equipment and serves as the dynamic encryption password. Because the dynamic encryption password is obtained by hashing the concatenation of the device MAC address and the user password PWD, a different user equipment has a different MAC address, so the data key cannot be recovered and the business data of the mobile application cannot be obtained; likewise, an incorrectly entered user password PWD indicates that the user has not consented, and again the data key cannot be recovered. Therefore, applying dynamic encryption to the data key achieves the key-security requirements of device binding and user consent.
Preferably, the encrypting means 12 is configured to obtain the wireless-network MAC address and the Bluetooth MAC address from the user equipment by calling the corresponding application programming interface; to obtain the user password PWD corresponding to the mobile application; and to extract several bytes from each of the wireless-network MAC address, the Bluetooth MAC address and the user password PWD and concatenate them to obtain the concatenated string. In one embodiment of the application, the string formed as "6-byte wireless-network MAC address + 6-byte Bluetooth MAC address + 4-byte user password PWD" is hashed with SM3 and the resulting hash value is stored on the user equipment as the dynamic encryption password, the MAC addresses being obtained by calling the system API. It should be noted that the string "6-byte wireless-network MAC address + 6-byte Bluetooth MAC address + 4-byte user password PWD" used in dynamic encryption is only an example; when the MAC address of the user equipment is not 6 bytes long, a string matching the actual byte length of the MAC address may be used instead.
Preferably, the equipment 1 further includes: an acquiring means 14 (not shown) for obtaining the currently entered user password PWD in response to a start-up operation of the mobile application, and for obtaining the MAC address of the user equipment on which the mobile application currently resides; a computing means 15 (not shown) for hashing the MAC address and the currently entered user password PWD with the preset hash function to obtain a result to be verified; and a matching means 16 (not shown) for comparing the result to be verified with the dynamic encryption password stored on the user equipment, where a mismatch means that decryption of the data key with the dynamic encryption password fails, and a match means that it succeeds.
Here, after the data key has been dynamically encrypted with the MAC address of the user equipment and the user password PWD, the user is required to enter the user password PWD every time the mobile application is started, and the system API is called to obtain the MAC address of the user equipment, including the wireless-network MAC address and the Bluetooth MAC address. The obtained MAC address of the user equipment and the PWD entered by the user are concatenated and hashed with the preset hash function, such as SM3, to obtain the result to be verified, which is compared with the hash value previously stored on the user equipment: if they do not match, decryption of the data key with the dynamic encryption password fails; if they match, it succeeds. On the same user equipment, dynamic encryption satisfies the user-consent security requirement: the obtained MAC address of the user equipment and the PWD entered by the user form the hash input, so verifying the hash result amounts to verifying whether the PWD was entered correctly. A correct entry indicates that the user consents; an incorrect entry indicates that the user does not consent, and the data key remains protected. It should be noted that the PWD is not stored locally on the user equipment; it exists only in memory, and once the mobile application process is killed the PWD is destroyed automatically and leaves no trace. If the business data of user equipment A are migrated together with the business key to user equipment B, then because the key was protected by dynamic encryption on user equipment A, the result of the final hash operation differs from the earlier dynamic encryption password even when the user enters the correct PWD, since the MAC addresses of user equipment A and user equipment B differ; the business data copied from user equipment A therefore still cannot be recovered, so dynamic encryption also achieves the key-security requirement of device binding. In summary, when the business data and the business data key file are moved from user equipment A to user equipment B, the device MAC addresses differ, the key file cannot be decrypted, and device binding of the key is achieved. Even if the MAC addresses are tampered with so that the two devices appear identical, the PWD differs, the key file cannot be decrypted, and user awareness of the key is achieved.
Preferably, the equipment 1 further includes a storage means 13 (not shown) for storing the statically encrypted data key under the private directory of the local file system of the user equipment; the storage means 13 is further configured to store the dynamic encryption password and the dynamically encrypted data key under the private directory of the local file system of the user equipment. In the embodiment of the application, the hash value produced by the SM3 hash operation of the dynamic encryption process is stored, together with the statically encrypted data key and the dynamically encrypted data key, under the private directory of the local system of the user equipment. Here, the operating system of each user equipment allocates a private storage space to each mobile application, and the twice-encrypted data key is stored under a directory in that allocated private storage space, that is, under the private directory of the local system of the user equipment. Because other, unauthorized applications cannot access this application's private-space data, the security of the data key that has undergone static and dynamic encryption is further strengthened.
Fig. 2 is a schematic diagram of the key generation and security protection process in one embodiment of the application. The server is the service equipment and the client is the user equipment, preferably a mobile terminal. The service equipment generates a unique string (str) for the mobile application. When the corresponding mobile application on the mobile terminal starts, it checks whether a key already exists locally; if not, it obtains str over the https interface, and if so, it obtains str by decrypting the encrypted key saved on the mobile terminal. A modified sm3 algorithm hashes str to obtain the data key (KEY), completing key generation. The key is then encrypted for storage by static encryption and dynamic encryption. Static encryption uses macro definitions, namely #define PRIMARYKEY, #define SECRETKEY and #define GETSECRET, where SECRETKEY is the encrypted static encryption password, PRIMARYKEY is the encryption key and GETSECRET is the decryption function; the static key is obtained through these macro definitions. The national-standard sm4 algorithm is applied with the static key, giving the statically encrypted data key sm4str1 and achieving application binding (app binding). The user password PWD is obtained from user input, the MAC address of the user equipment is obtained, and the concatenated string "MAC address + PWD" is hashed with sm3 to serve as the dynamic key; the sm4 algorithm is then applied with this dynamic key, giving the dynamically encrypted data key sm4str2 and achieving device binding and user consent. Finally, sm4str2 and the hash value from the hash operation are written (fwrite) to the key database file, which is stored under the private directory of the local file system of the mobile terminal. The concrete method flow of the key security protection process of Fig. 2 is shown in Fig. 3. Through the static and dynamic encryption of the data key shown in Fig. 3, the business data key of the mobile application can only be obtained by the application that contains the macro-defined encryption process, achieving application binding of the key; when the business data and the business data key file are moved from mobile terminal A to mobile terminal B, the device MAC addresses differ, the key file cannot be decrypted, and device binding of the key is achieved; and even if the MAC addresses are tampered with so that the two devices appear identical, the PWD differs, the key file cannot be decrypted, and user awareness of the key is achieved.
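The Fig. 2 flow described above (key generation from str, static encryption, dynamic encryption from the two MAC addresses and the PWD, and the start-up check that refuses a copied key file or a wrong PWD) as an added, runnable model in Python. This is an example written for this page, not code from the patent or its assignee. The Python standard library has neither SM3 nor SM4, so SHA-256 stands in for SM3 and a keyed XOR pad over one 16-byte block stands in for SM4-ECB; the device MAC addresses, the PWD and the embedded StaticKey are constructed sample values, and the assumption that the first 128 bits of the hash serve as the SM4 key for sm4str2 is the example's own.

```python
"""Added example (not from the patent): a model of the Fig. 2 key-protection flow.
SHA-256 stands in for SM3 and an HMAC-derived XOR pad stands in for SM4-ECB on one block,
because the standard library has neither; all device and password values are constructed."""
import hashlib
import hmac

# Constructed sample values (assumptions, not from the patent): two handsets, each with a
# 6-byte wireless-network MAC and a 6-byte Bluetooth MAC, and the app's 16-byte StaticKey.
DEVICE_A = {"wifi_mac": bytes.fromhex("0242ac110002"), "bt_mac": bytes.fromhex("0242ac110003")}
DEVICE_B = {"wifi_mac": bytes.fromhex("0242ac110004"), "bt_mac": bytes.fromhex("0242ac110005")}
STATIC_KEY = b"app-static-key16"   # plays the role of the macro-protected StaticKey


def sm3_standin(data: bytes) -> bytes:
    """Stand-in for SM3: SHA-256, also a 256-bit digest."""
    return hashlib.sha256(data).digest()


def sm4_block_standin(key16: bytes, block16: bytes) -> bytes:
    """Stand-in for SM4-ECB on a single 16-byte block: XOR with a key-derived pad.
    XOR is its own inverse, so the same call both encrypts and decrypts."""
    pad = hmac.new(key16, b"sm4-standin-pad", hashlib.sha256).digest()[:16]
    return bytes(a ^ b for a, b in zip(block16, pad))


def derive_data_key(unique_str: bytes) -> bytes:
    """Key generation: hash the server-issued unique string (str) to a fixed-length 16-byte key."""
    return sm3_standin(unique_str)[:16]


def dynamic_password(wifi_mac: bytes, bt_mac: bytes, pwd: bytes) -> bytes:
    """Hash of '6-byte wifi MAC + 6-byte BT MAC + 4-byte PWD': the dynamic encryption password."""
    if len(wifi_mac) != 6 or len(bt_mac) != 6 or len(pwd) != 4:
        raise ValueError("expected 6-byte MAC addresses and a 4-byte PWD")
    return sm3_standin(wifi_mac + bt_mac + pwd)


def protect_data_key(data_key: bytes, device: dict, pwd: bytes) -> dict:
    """Static encryption (app binding), then dynamic encryption (device binding + user consent).
    Returns the record the app would fwrite to its private directory: sm4str2 and the hash."""
    sm4str1 = sm4_block_standin(STATIC_KEY, data_key)
    dyn = dynamic_password(device["wifi_mac"], device["bt_mac"], pwd)
    sm4str2 = sm4_block_standin(dyn[:16], sm4str1)   # assumption: first 128 bits of the hash as key
    return {"sm4str2": sm4str2, "dyn_hash": dyn}


def open_data_key(record: dict, device: dict, pwd_entered: bytes):
    """Start-up check: recompute the hash from the current device's MACs and the PWD typed now.
    Only on a match is the dynamic layer, then the static layer, removed.
    Returns the data key, or None when the device or the PWD differs."""
    candidate = dynamic_password(device["wifi_mac"], device["bt_mac"], pwd_entered)
    if not hmac.compare_digest(candidate, record["dyn_hash"]):
        return None                                   # wrong device or wrong PWD: key stays sealed
    sm4str1 = sm4_block_standin(candidate[:16], record["sm4str2"])
    return sm4_block_standin(STATIC_KEY, sm4str1)


def demo() -> dict:
    """Walks the three scenarios the text describes and returns their outcomes."""
    data_key = derive_data_key(b"unique-string-from-server")   # constructed str value
    record = protect_data_key(data_key, DEVICE_A, b"1234")       # constructed PWD
    return {
        "same_device_right_pwd": open_data_key(record, DEVICE_A, b"1234") == data_key,
        "copied_to_device_b": open_data_key(record, DEVICE_B, b"1234") is None,
        "wrong_pwd_on_device_a": open_data_key(record, DEVICE_A, b"0000") is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points a practitioner would check against this scheme: the stored hash is a verifier over identifiers that other software on the handset can read plus a 4-byte PWD, so a deployment would want a salted, slow key-derivation function in place of a plain hash and, where the platform offers one, a hardware-backed keystore holding the wrapping key; and a stand-in cipher is used here only because the standard library lacks SM4, so a real implementation keeps the SM3/SM4 calls the patent specifies.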
It should be noted that the application may be implemented in software and/or in a combination of software and hardware, for example using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the application may be executed by a processor to implement the steps or functions described above. Similarly, the software program of the application (including related data structures) may be stored in a computer-readable recording medium, for example RAM, a magnetic or optical drive, a floppy disk or a similar device. In addition, some steps or functions of the application may be implemented in hardware, for example as circuits that cooperate with a processor to perform the individual steps or functions.
In addition, part of the application may be applied as a computer program product, such as computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution of the application through the operation of that computer. The program instructions that invoke the method of the application may be stored in a fixed or removable recording medium, transmitted as a data stream over broadcast or other signal-bearing media, and/or stored in the working memory of a computer device that runs according to the program instructions. Here, one embodiment of the application includes a device comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to run the method and/or technical solution of the multiple embodiments of the application described above.
It is obvious to those skilled in the art that the application is not limited to the details of the above exemplary embodiments, and that the application may be realized in other specific forms without departing from its spirit or essential features. Therefore, the embodiments are to be regarded in all respects as illustrative and not restrictive; the scope of the application is defined by the appended claims rather than by the above description, and all changes falling within the meaning and range of equivalency of the claims are intended to be embraced by the application. No reference sign in a claim should be construed as limiting the claim concerned. Moreover, the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. Several units or means recited in a device claim may also be implemented by one unit or means through software or hardware. Words such as first and second are used to denote names and do not indicate any particular order.

Claims (22)

1. a kind of for key safety encryption method, wherein, methods described includes:
Based on the unique mark character string that Mobile solution is obtained from service equipment, generate the data key of the Mobile solution;
performing static encryption on the data key according to AES and macro definitions, and performing dynamic encryption on the data key according to a preset hash function and the obtained MAC address and user password of the user device.
2. The method according to claim 1, wherein obtaining the unique identifier string of the mobile application from the service device comprises:
determining, when the mobile application starts, whether a key already exists locally; if not, obtaining the unique identifier string of the mobile application from the service device through an encrypted transmission protocol interface;
if so, decrypting the encrypted key of the mobile application stored on the user device to obtain the unique identifier string of the mobile application.
3. The method according to claim 1 or 2, wherein generating the data key of the mobile application based on the unique identifier string obtained from the service device comprises:
performing a hash operation on the unique identifier string of the mobile application obtained from the service device according to the preset hash function to generate the data key of the mobile application.
4. The method according to claim 1, wherein performing static encryption on the data key according to AES and macro definitions comprises:
applying macro definitions to the data key, the encryption key function and the corresponding decryption function respectively, and obtaining the statically encrypted data key based on the macro definitions.
5. The method according to claim 4, wherein applying macro definitions to the data key, the encryption key function and the corresponding decryption function respectively, and obtaining the statically encrypted data key based on the macro definitions, comprises:
applying macro definitions to the data key, the encryption key function and the corresponding decryption function respectively to obtain the characters of the macro-defined constants;
inserting the characters of each macro-defined constant into consecutive addresses of the function execution stack to obtain a character string;
extracting the character string at the first address of the consecutive addresses and passing it as a parameter to the corresponding function;
calling the function corresponding to the parameter to obtain the statically encrypted data key.
6. The method according to claim 5, wherein the method further comprises:
storing the statically encrypted data key in a private directory of the local file system of the user device.
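The following is an added illustration of claims 4 to 6 in C; it is example code written for this page, not code from the patent or its applicant. The data key, the encryption routine and its inverse are all macro constants, so no plaintext key string literal is emitted into the binary's read-only data; the key's characters are placed one by one in consecutive bytes of the calling function's stack frame, and the address of the first byte is passed as the parameter of the encryption function. The key value, the mask and the repeating-XOR routine that stands in for the claimed encryption algorithm are assumptions made for this example.

```c
/* Added example (not from the patent): "static encryption by macro
 * definition" as claims 4-6 describe it, rendered in C. */
#include <stddef.h>
#include <string.h>

/* Hypothetical macro constants (assumed values, not from the patent).  The
 * key is spelled as separate character constants rather than one string
 * literal, so the compiler emits per-byte stores onto the stack instead of
 * placing a recognisable string in .rodata. */
#define DATA_KEY_CHARS  'd','3','m','0','-','k','3','y','-','1','2','3','4'
#define DATA_KEY_LEN    13
#define MASK_CHARS      'S','t','a','t','i','c','!'
#define MASK_LEN        7
#define STATIC_ENCRYPT  xor_with_mask   /* macro-defined encryption function   */
#define STATIC_DECRYPT  xor_with_mask   /* corresponding decryption function   */

/* Stand-in for the claimed encryption algorithm: a repeating XOR mask.  It is
 * a placeholder chosen so the round trip is short and checkable; XOR is its
 * own inverse, which is why both macros above expand to the same routine. */
static void xor_with_mask(const unsigned char *in, size_t len,
                          const unsigned char *mask, size_t mask_len,
                          unsigned char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ mask[i % mask_len];
}

/* Claim 5: the macro constants' characters land in consecutive addresses of
 * this function's stack frame; the address of the first character is the
 * parameter handed to the encryption function; its output is the statically
 * encrypted data key.  Returns the number of bytes written, 0 on error. */
size_t build_static_encrypted_key(unsigned char *out, size_t out_len)
{
    unsigned char key[]  = { DATA_KEY_CHARS };   /* consecutive stack bytes */
    unsigned char mask[] = { MASK_CHARS };
    if (out_len < DATA_KEY_LEN) return 0;
    STATIC_ENCRYPT(key, DATA_KEY_LEN, mask, MASK_LEN, out);
    /* Scrub the plaintext copy; the volatile write keeps the compiler from
     * treating it as a dead store (memset_s/explicit_bzero where available). */
    volatile unsigned char *vk = key;
    for (size_t i = 0; i < sizeof key; i++) vk[i] = 0;
    return DATA_KEY_LEN;
}

/* Claim 4's "corresponding decryption function", used at run time to recover
 * the plaintext key into a caller-supplied buffer. */
size_t recover_data_key(const unsigned char *enc, size_t enc_len,
                        unsigned char *out, size_t out_len)
{
    unsigned char mask[] = { MASK_CHARS };
    if (out_len < enc_len) return 0;
    STATIC_DECRYPT(enc, enc_len, mask, MASK_LEN, out);
    return enc_len;
}

/* Check: does a buffer still contain the plaintext key anywhere? */
int contains_plaintext_key(const unsigned char *buf, size_t len)
{
    const unsigned char key[] = { DATA_KEY_CHARS };
    if (len < DATA_KEY_LEN) return 0;
    for (size_t i = 0; i + DATA_KEY_LEN <= len; i++)
        if (memcmp(buf + i, key, DATA_KEY_LEN) == 0) return 1;
    return 0;
}

/* Self-check: the stored form must not contain the key, and decryption must
 * give the original back.  Returns 1 on success. */
int static_encryption_self_test(void)
{
    unsigned char enc[DATA_KEY_LEN], dec[DATA_KEY_LEN];
    const unsigned char expect[] = { DATA_KEY_CHARS };
    if (build_static_encrypted_key(enc, sizeof enc) != DATA_KEY_LEN) return 0;
    if (contains_plaintext_key(enc, sizeof enc)) return 0;
    if (recover_data_key(enc, sizeof enc, dec, sizeof dec) != DATA_KEY_LEN) return 0;
    return memcmp(dec, expect, DATA_KEY_LEN) == 0;
}
```

Two points a reviewer would raise about this pattern: it hides the key from a static string search, but the mask and the XOR routine ship in the same binary, so the key is recoverable by anyone who can run or disassemble the application; and the plaintext key still exists on the stack during the call, which is why the scrub after `STATIC_ENCRYPT` matters. It is an obfuscation layer, not a substitute for a hardware-backed keystore.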
7. The method according to claim 1, wherein the MAC address of the user device includes the wireless network MAC address and the Bluetooth MAC address of the user device.
8. The method according to claim 1 or 7, wherein performing dynamic encryption on the data key according to the preset hash function and the obtained MAC address and user password of the user device comprises:
obtaining the wireless network MAC address, the Bluetooth MAC address and the user password from the user device to obtain a spliced character string;
performing a hash calculation on the spliced character string according to the preset hash function to obtain a corresponding hash value;
using the corresponding hash value as the dynamic encryption password of the data key to obtain the dynamically encrypted data key, and storing the dynamic encryption password on the user device.
9. The method according to claim 8, wherein the method further comprises:
storing the dynamic encryption password and the dynamically encrypted data key in a private directory of the local file system of the user device.
10. The method according to claim 8, wherein obtaining the wireless network MAC address, the Bluetooth MAC address and the user password from the user device to obtain the spliced character string comprises:
obtaining the wireless network MAC address and the Bluetooth MAC address from the user device by calling the corresponding application programming interfaces;
obtaining the user password corresponding to the mobile application;
extracting several bytes from each of the wireless network MAC address, the Bluetooth MAC address and the user password and splicing them to obtain the spliced character string.
11. The method according to claim 8, wherein after performing dynamic encryption on the data key according to the preset hash function and the obtained MAC address and user password of the user device, the method comprises:
obtaining the currently entered user password upon the start-up operation of the mobile application, and obtaining the MAC address of the user device on which the mobile application is currently running;
performing a hash calculation on the MAC address and the currently entered user password according to the preset hash function to obtain a result to be verified;
matching the result to be verified against the dynamic encryption password stored on the user device; if they do not match, the dynamic encryption password of the data key is not successfully decrypted; if they match, the dynamic encryption password of the data key is successfully decrypted.
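The following is an added C example covering claims 3, 8, 10 and 11 together; it is written for this page and is not the patent's or the applicant's code. It derives the data key from the application's unique identifier string, builds the spliced string from selected bytes of the Wi-Fi MAC, the Bluetooth MAC and the user password, hashes it into the dynamic encryption password, encrypts the data key under it, and at start-up recomputes the hash from the current inputs and compares it with the stored value. The hash (64-bit FNV-1a), the byte selection (last three bytes of each MAC plus the whole password), the XOR used as the encryption step and all sample inputs are assumptions made for the example, not values from the patent.

```c
/* Added example (not from the patent): dynamic encryption and start-up
 * verification of the data key as claims 3, 8, 10 and 11 describe it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN 8   /* one 64-bit hash output = one data key, for the example */

/* 64-bit FNV-1a: a stand-in for the "preset hash function" (assumption).
 * It is not a cryptographic hash; see the note after the block. */
static uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

static void u64_to_bytes(uint64_t v, unsigned char out[KEY_LEN])
{
    for (int i = 0; i < KEY_LEN; i++) out[i] = (unsigned char)(v >> (8 * i));
}

/* Claim 3: data key = hash(unique identifier string from the service device). */
void derive_data_key(const char *unique_id, unsigned char key[KEY_LEN])
{
    u64_to_bytes(fnv1a64((const unsigned char *)unique_id, strlen(unique_id)), key);
}

/* Claim 10: take several bytes from each source and splice them.  Which
 * bytes (last 3 of each MAC, whole password) is this example's choice.
 * Returns the spliced length, 0 if the output buffer is too small. */
size_t build_splice(const unsigned char wifi_mac[6], const unsigned char bt_mac[6],
                    const char *password, unsigned char *out, size_t out_len)
{
    size_t pw = strlen(password);
    if (out_len < 6 + pw) return 0;
    memcpy(out,     wifi_mac + 3, 3);
    memcpy(out + 3, bt_mac + 3,   3);
    memcpy(out + 6, password,     pw);
    return 6 + pw;
}

/* Claim 8: dynamic password = hash(splice); the data key is encrypted under
 * it (XOR here, a placeholder for the encryption step).  Returns 1 on success. */
int dynamic_encrypt(const unsigned char wifi_mac[6], const unsigned char bt_mac[6],
                    const char *password, const unsigned char key[KEY_LEN],
                    unsigned char dyn_pw[KEY_LEN], unsigned char enc_key[KEY_LEN])
{
    unsigned char splice[64];
    size_t n = build_splice(wifi_mac, bt_mac, password, splice, sizeof splice);
    if (n == 0) return 0;
    u64_to_bytes(fnv1a64(splice, n), dyn_pw);
    for (int i = 0; i < KEY_LEN; i++) enc_key[i] = key[i] ^ dyn_pw[i];
    return 1;
}

/* Claim 11: at start-up, recompute from the current MACs and the typed
 * password and match against the stored dynamic password.  The comparison is
 * constant-time so the first differing byte does not leak through timing.
 * Returns 1 and fills key_out on a match, 0 (no decryption) otherwise. */
int verify_and_decrypt(const unsigned char wifi_mac[6], const unsigned char bt_mac[6],
                       const char *typed_password, const unsigned char stored_dyn_pw[KEY_LEN],
                       const unsigned char enc_key[KEY_LEN], unsigned char key_out[KEY_LEN])
{
    unsigned char splice[64], candidate[KEY_LEN], diff = 0;
    size_t n = build_splice(wifi_mac, bt_mac, typed_password, splice, sizeof splice);
    if (n == 0) return 0;
    u64_to_bytes(fnv1a64(splice, n), candidate);
    for (int i = 0; i < KEY_LEN; i++) diff |= (unsigned char)(candidate[i] ^ stored_dyn_pw[i]);
    if (diff != 0) return 0;
    for (int i = 0; i < KEY_LEN; i++) key_out[i] = enc_key[i] ^ candidate[i];
    return 1;
}

/* Constructed sample inputs (not from the patent) and a self-check: the
 * right device and password round-trip; a wrong password or a different
 * Bluetooth MAC is rejected.  Returns 1 on success. */
int dynamic_encryption_self_test(void)
{
    const unsigned char wifi[6]     = {0x02,0x00,0x5e,0x10,0x20,0x30};
    const unsigned char bt[6]       = {0x02,0x00,0x5e,0x40,0x50,0x60};
    const unsigned char other_bt[6] = {0x02,0x00,0x5e,0x40,0x50,0x61};
    unsigned char key[KEY_LEN], dyn_pw[KEY_LEN], enc[KEY_LEN], out[KEY_LEN];
    derive_data_key("app-uid-constructed-0001", key);
    if (!dynamic_encrypt(wifi, bt, "hunter2", key, dyn_pw, enc)) return 0;
    if (memcmp(enc, key, KEY_LEN) == 0) return 0;                 /* not stored in clear */
    if (!verify_and_decrypt(wifi, bt, "hunter2", dyn_pw, enc, out)) return 0;
    if (memcmp(out, key, KEY_LEN) != 0) return 0;                 /* round trip */
    if (verify_and_decrypt(wifi, bt, "hunter3", dyn_pw, enc, out)) return 0;   /* wrong password */
    if (verify_and_decrypt(wifi, other_bt, "hunter2", dyn_pw, enc, out)) return 0; /* other device */
    return 1;
}
```

Caveats a practitioner would weigh before building on this scheme: claim 9 stores the dynamic encryption password in the same private directory as the encrypted key, so the stored value acts only as a verifier and anything that can read that directory can undo the encryption; a deployment should derive the verifier and the key-encryption key separately, through a salted password hash (Argon2, scrypt or PBKDF2) rather than a plain hash of the splice. The device binding is also weaker than it looks on current platforms: Android 6.0 and later return the constant 02:00:00:00:00:00 from the public Wi-Fi and Bluetooth MAC APIs, and iOS does not expose either address to applications, so on those systems the MAC bytes add no entropy and the password is the only secret input.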
12. A device for key-security encryption, wherein the device comprises:
a generating means for generating the data key of the mobile application based on the unique identifier string of the mobile application obtained from the service device;
an encryption means for performing static encryption on the data key according to AES and macro definitions, and performing dynamic encryption on the data key according to a preset hash function and the obtained MAC address and user password of the user device.
13. The device according to claim 12, wherein the generating means is configured to:
determine, when the mobile application starts, whether a key already exists locally; if not, obtain the unique identifier string of the mobile application from the service device through an encrypted transmission protocol interface;
if so, decrypt the encrypted key of the mobile application stored on the user device to obtain the unique identifier string of the mobile application.
14. The device according to claim 12 or 13, wherein the generating means is configured to:
perform a hash operation on the unique identifier string of the mobile application obtained from the service device according to the preset hash function to generate the data key of the mobile application.
15. The device according to claim 12, wherein the encryption means is configured to:
apply macro definitions to the data key, the encryption key function and the corresponding decryption function respectively, and obtain the statically encrypted data key based on the macro definitions.
16. The device according to claim 15, wherein the encryption means is configured to:
apply macro definitions to the data key, the encryption key function and the corresponding decryption function respectively to obtain the characters of the macro-defined constants;
insert the characters of each macro-defined constant into consecutive addresses of the function execution stack to obtain a character string;
extract the character string at the first address of the consecutive addresses and pass it as a parameter to the corresponding function;
call the function corresponding to the parameter to obtain the statically encrypted data key.
17. The device according to claim 16, wherein the device further comprises:
a storage means for storing the statically encrypted data key in a private directory of the local file system of the user device.
18. The device according to claim 12, wherein the MAC address of the user device includes the wireless network MAC address and the Bluetooth MAC address of the user device.
19. The device according to claim 12 or 18, wherein the encryption means is configured to:
obtain the wireless network MAC address, the Bluetooth MAC address and the user password from the user device to obtain a spliced character string;
perform a hash calculation on the spliced character string according to the preset hash function to obtain a corresponding hash value;
use the corresponding hash value as the dynamic encryption password of the data key to obtain the dynamically encrypted data key, and store the dynamic encryption password on the user device.
20. The device according to claim 19, wherein the device further comprises:
a storage means for storing the dynamic encryption password and the dynamically encrypted data key in a private directory of the local file system of the user device.
21. The device according to claim 19, wherein the encryption means is configured to:
obtain the wireless network MAC address and the Bluetooth MAC address from the user device by calling the corresponding application programming interfaces;
obtain the user password corresponding to the mobile application;
extract several bytes from each of the wireless network MAC address, the Bluetooth MAC address and the user password and splice them to obtain the spliced character string.
22. The device according to claim 19, wherein the device further comprises:
an acquisition means for obtaining the currently entered user password upon the start-up operation of the mobile application, and obtaining the MAC address of the user device on which the mobile application is currently running;
a computing means for performing a hash calculation on the MAC address and the currently entered user password according to the preset hash function to obtain a result to be verified;
a matching means for matching the result to be verified against the dynamic encryption password stored on the user device; if they do not match, the dynamic encryption password of the data key is not successfully decrypted; if they match, the dynamic encryption password of the data key is successfully decrypted.
CN201611033864.9A 2016-11-18 2016-11-18 Encryption method and equipment for key safety Pending CN106506159A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611033864.9A CN106506159A (en) 2016-11-18 2016-11-18 Encryption method and equipment for key safety

Publications (1)

Publication Number Publication Date
CN106506159A true CN106506159A (en) 2017-03-15

Family

ID=58328346

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611033864.9A Pending CN106506159A (en) 2016-11-18 2016-11-18 Encryption method and equipment for key safety

Country Status (1)

Country Link
CN (1) CN106506159A (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107527084A (en) * 2017-07-26 2017-12-29 中国联合网络通信集团有限公司 Electronic card processing method and processing device
CN108880812A (en) * 2017-05-09 2018-11-23 北京京东尚科信息技术有限公司 The method and system of data encryption
CN108959978A (en) * 2018-06-28 2018-12-07 北京海泰方圆科技股份有限公司 The generation of key and acquisition methods and device in equipment
CN109150499A (en) * 2018-08-29 2019-01-04 深圳市迷你玩科技有限公司 Method, apparatus, computer equipment and the storage medium of dynamic encryption data
CN109284622A (en) * 2017-07-20 2019-01-29 腾讯科技(深圳)有限公司 Contact person information processing method, device and storage medium
CN109284603A (en) * 2017-07-20 2019-01-29 腾讯科技(深圳)有限公司 A kind of configuration data processing method, device and storage medium
CN109299617A (en) * 2018-09-19 2019-02-01 中国农业银行股份有限公司贵州省分行 A kind of file encryption and decryption system
CN109448182A (en) * 2018-10-23 2019-03-08 广州创想云科技有限公司 Wireless method for unlocking based on encryption
CN109788000A (en) * 2019-03-05 2019-05-21 广州车行易科技股份有限公司 A kind of Encryption Algorithm based on Http transmitted data on network
CN110071799A (en) * 2019-04-09 2019-07-30 山东超越数控电子股份有限公司 A kind of generation guard method of encryption storage key, system, terminating machine and readable storage medium storing program for executing
CN110398027A (en) * 2019-08-01 2019-11-01 格力电器(武汉)有限公司 Air-conditioning internal machine encryption method and system
CN111064559A (en) * 2018-10-17 2020-04-24 中兴通讯股份有限公司 Method and device for protecting secret key
WO2021013245A1 (en) * 2019-07-25 2021-01-28 江苏芯盛智能科技有限公司 Data key protection method and system, electronic device and storage medium
CN112287371A (en) * 2020-11-06 2021-01-29 北京航天数据股份有限公司 Method and device for storing industrial data and computer equipment
CN112699394A (en) * 2021-01-13 2021-04-23 北卡科技有限公司 SM9 algorithm-based key application method
CN112929172A (en) * 2021-02-08 2021-06-08 中国工商银行股份有限公司 System, method and device for dynamically encrypting data based on key bank
CN114531236A (en) * 2022-03-02 2022-05-24 杭州华澜微电子股份有限公司 Key processing method and device and electronic equipment
CN114745112A (en) * 2022-04-15 2022-07-12 北京凝思软件股份有限公司 Root key derivation method and device, electronic equipment and storage medium
WO2023072206A1 (en) * 2021-10-29 2023-05-04 华为技术有限公司 Key migration method and related device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103235906A (en) * 2013-03-27 2013-08-07 广东欧珀移动通信有限公司 Method and device for encrypting and decrypting application program
CN103795954A (en) * 2012-10-26 2014-05-14 索尼公司 Information processing apparatus, information processing system, and information processing method
US8875247B2 (en) * 2013-03-14 2014-10-28 Facebook, Inc. Instant personalization security
CN104283853A (en) * 2013-07-08 2015-01-14 华为技术有限公司 Method, terminal device and network device for improving information safety
CN105812140A (en) * 2014-12-31 2016-07-27 上海庆科信息技术有限公司 Authorization access method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
COOPER'S BLOG: "如何防止客户端被破解" (How to prevent the client from being cracked), HTTP://TANQISEN.GITHUB.IO/BLOG/2014/06/06/HOW-TO-PREVENT-APP-CRACK/ *

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108880812A (en) * 2017-05-09 2018-11-23 北京京东尚科信息技术有限公司 The method and system of data encryption
CN108880812B (en) * 2017-05-09 2022-08-09 北京京东尚科信息技术有限公司 Method and system for data encryption
CN109284622A (en) * 2017-07-20 2019-01-29 腾讯科技(深圳)有限公司 Contact person information processing method, device and storage medium
CN109284603A (en) * 2017-07-20 2019-01-29 腾讯科技(深圳)有限公司 A kind of configuration data processing method, device and storage medium
CN109284603B (en) * 2017-07-20 2022-07-01 腾讯科技(深圳)有限公司 Configuration data processing method and device and storage medium
CN109284622B (en) * 2017-07-20 2022-05-17 腾讯科技(深圳)有限公司 Contact information processing method and device and storage medium
CN107527084A (en) * 2017-07-26 2017-12-29 中国联合网络通信集团有限公司 Electronic card processing method and processing device
CN108959978A (en) * 2018-06-28 2018-12-07 北京海泰方圆科技股份有限公司 The generation of key and acquisition methods and device in equipment
CN109150499A (en) * 2018-08-29 2019-01-04 深圳市迷你玩科技有限公司 Method, apparatus, computer equipment and the storage medium of dynamic encryption data
CN109150499B (en) * 2018-08-29 2021-06-08 深圳市迷你玩科技有限公司 Method and device for dynamically encrypting data, computer equipment and storage medium
CN109299617A (en) * 2018-09-19 2019-02-01 中国农业银行股份有限公司贵州省分行 A kind of file encryption and decryption system
CN111064559B (en) * 2018-10-17 2023-09-29 中兴通讯股份有限公司 Key protection method and device
CN111064559A (en) * 2018-10-17 2020-04-24 中兴通讯股份有限公司 Method and device for protecting secret key
CN109448182A (en) * 2018-10-23 2019-03-08 广州创想云科技有限公司 Wireless method for unlocking based on encryption
CN109788000A (en) * 2019-03-05 2019-05-21 广州车行易科技股份有限公司 A kind of Encryption Algorithm based on Http transmitted data on network
CN110071799A (en) * 2019-04-09 2019-07-30 山东超越数控电子股份有限公司 A kind of generation guard method of encryption storage key, system, terminating machine and readable storage medium storing program for executing
WO2021013245A1 (en) * 2019-07-25 2021-01-28 江苏芯盛智能科技有限公司 Data key protection method and system, electronic device and storage medium
CN110398027A (en) * 2019-08-01 2019-11-01 格力电器(武汉)有限公司 Air-conditioning internal machine encryption method and system
CN110398027B (en) * 2019-08-01 2021-09-14 格力电器(武汉)有限公司 Air conditioner indoor unit encryption method and system
CN112287371A (en) * 2020-11-06 2021-01-29 北京航天数据股份有限公司 Method and device for storing industrial data and computer equipment
CN112287371B (en) * 2020-11-06 2022-10-25 北京航天数据股份有限公司 Method and device for storing industrial data and computer equipment
CN112699394A (en) * 2021-01-13 2021-04-23 北卡科技有限公司 SM9 algorithm-based key application method
CN112699394B (en) * 2021-01-13 2022-11-25 北卡科技有限公司 SM9 algorithm-based key application method
CN112929172A (en) * 2021-02-08 2021-06-08 中国工商银行股份有限公司 System, method and device for dynamically encrypting data based on key bank
WO2023072206A1 (en) * 2021-10-29 2023-05-04 华为技术有限公司 Key migration method and related device
CN114531236A (en) * 2022-03-02 2022-05-24 杭州华澜微电子股份有限公司 Key processing method and device and electronic equipment
CN114531236B (en) * 2022-03-02 2023-10-31 杭州华澜微电子股份有限公司 Key processing method and device and electronic equipment
CN114745112A (en) * 2022-04-15 2022-07-12 北京凝思软件股份有限公司 Root key derivation method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
CN106506159A (en) Encryption method and equipment for key safety
EP2267628B1 (en) Token passing technique for media playback devices
CN108389059A (en) Digital copyrighted work protection, transaction and distributing method based on ownership and system
CN101145911B (en) Identity authentication method with privacy protection and password retrieval function
CN105681039A (en) Method and device for secret key generation and corresponding decryption
CN106888080A (en) Protection whitepack feistel network implementations are in case fault analysis
US20170099144A1 (en) Embedded encryption platform comprising an algorithmically flexible multiple parameter encryption system
CN104834840B (en) Cipher code protection method based on mapping drift technology
CN105740725A (en) File protection method and system
CN109510702B (en) Key storage and use method based on computer feature codes
CN107040520A (en) A kind of cloud computing data-sharing systems and method
CN106209346B (en) White-box cryptography interleaving lookup table
Belenko et al. “Secure Password Managers” and “Military-Grade Encryption” on Smartphones: Oh, Really?
CN112800392A (en) Authorization method and device based on soft certificate and storage medium
CN105978680A (en) Implementing padding in a white-box implementation
CN108768938B (en) A kind of web data encryption and decryption method and device
Huang et al. Smart contract watermarking based on code obfuscation
CN112199730A (en) Method and device for processing application data on terminal and electronic equipment
US20090044284A1 (en) System and Method of Generating and Providing a Set of Randomly Selected Substitute Characters in Place of a User Entered Key Phrase
WO2011058629A1 (en) Information management system
KR100877593B1 (en) The Security Method for Authentication which using of Random Password
CN102855419A (en) Copyright protection method for data files of intelligent terminals
CN104009851A (en) One-time pad bidirectional authentication safe logging technology for internet bank
TWI640928B (en) System for generating and decrypting two-dimensional codes and method thereof
US20210143978A1 (en) Method to secure a software code performing accesses to look-up tables

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20170315