CN106789963B

CN106789963B - Asymmetric white-box password encryption method, device and equipment

Info

Publication number: CN106789963B
Application number: CN201611101864.8A
Authority: CN
Inventors: 阚志刚; 彭建芬; 陈彪; 王全洲; 李世杰; 卢佐华
Original assignee: Beijing Bangcle Technology Co ltd
Current assignee: Beijing Bangcle Technology Co ltd
Priority date: 2016-12-02
Filing date: 2016-12-02
Publication date: 2020-12-22
Anticipated expiration: 2036-12-02
Also published as: CN106789963A

Abstract

The application discloses an asymmetric white-box password encryption method, device and equipment. The method comprises the following steps: receiving an encrypted message and an encrypted serial number from a message sending terminal; responding to a request for acquiring message content, sending the encrypted message and the encrypted serial number which are stored correspondingly to an authentication center, so that the authentication center can search a message grouping scheme and an encrypted public key corresponding to the received encrypted serial number after authenticating the identity of the message receiving terminal and passing the authentication, and decrypting the encrypted message according to the message grouping scheme and an encrypted private key corresponding to the encrypted public key corresponding to each group; and receiving the decrypted message content from the authentication center. The method and the device can still realize information security when an attacker can obtain control over the running and storage environments of the encrypted data.

Description

Asymmetric white-box password encryption method, device and equipment

Technical Field

The present disclosure relates generally to the field of computer technologies, and in particular, to the field of information processing security, and in particular, to an asymmetric white-box cryptographic method and apparatus.

Background

In data transmission and storage, data encryption is often required for information security considerations. The current encryption mainly assumes that an attacker of data cannot be in contact with an encryption running environment, cannot control an encryption data storage environment, and cannot be in contact with an algorithm and a secret key during encryption. That is, the encryption process and storage of encrypted data exists as a "black box" that is not known to an attacker.

In fact, however, in some cases, an attacker of the data can be exposed to the environment in which the encryption is running, and can even gain control over the environment in which the data is encrypted, encrypted data storage. Thus, they can easily deduce encryption algorithms and keys, etc. in a reverse-engineering manner by encrypting data, encrypting some intermediate data in the data storage environment, environmental data, etc., and thereby attack the data. Therefore, a need has arisen for how to achieve information security when an attacker can take control over data encryption and an encrypted data storage environment, that is, how to achieve information security when the encrypted process and the storage of encrypted data are regarded as "white boxes".

Disclosure of Invention

In view of the above-mentioned drawbacks and deficiencies of the prior art, it is desirable to provide a scheme for implementing information security when an attacker can take control over the environment for running and storing encrypted data, i.e., a scheme for implementing information security when the running and storing of encrypted data are regarded as "white boxes".

In a first aspect, an embodiment of the present application provides an asymmetric white-box cryptographic encryption method, where the method includes: receiving an encrypted message and an encrypted serial number from a message sending terminal, wherein the encrypted message is obtained by the message sending terminal dividing the message into groups according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group and encrypting the messages by using the encrypted public key corresponding to the group aiming at each group, and the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number; correspondingly storing the received encrypted message and the encrypted serial number; responding to a request for acquiring message content, sending the encrypted message and the encrypted serial number which are stored correspondingly to an authentication center, so that the authentication center can authenticate the identity of a message receiving terminal and return a message grouping scheme, an encrypted public key and a corresponding record of the encrypted serial number to the message sending terminal according to the authentication center after passing the authentication, searching the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number, and decrypting the encrypted message according to the message grouping scheme and an encrypted private key corresponding to the encrypted public key corresponding to each group; and receiving the decrypted message content from the authentication center.

In a second aspect, an embodiment of the present application provides an asymmetric white-box cryptographic encryption method, where the method includes: receiving an encrypted message and an encrypted serial number from a message receiving terminal, wherein the encrypted message is obtained by dividing the message into groups and encrypting the groups by using the encrypted public key corresponding to each group according to a message grouping scheme returned by an authentication center and the encrypted public key corresponding to each group by the message sending terminal and sending the groups to the message receiving terminal, and the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number so that the message receiving terminal sends the encrypted serial number and the encrypted message to the authentication center; authenticating the identity of the message receiving terminal; if the authentication is passed, searching the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number according to the corresponding records of the message grouping scheme, the encrypted public key and the encrypted serial number returned to the message sending terminal; decrypting the encrypted message according to the searched message grouping scheme and the encryption private key corresponding to the encryption public key corresponding to each group; and transmitting the decrypted message content to the message receiving terminal.

In a third aspect, an embodiment of the present application provides an asymmetric white-box cryptographic encryption method, where the method includes: sending a message grouping scheme and an encryption public key request to an authentication center; if the authentication center passes the identity authentication of the message sending terminal, receiving a message grouping scheme from the authentication center, an encrypted public key corresponding to each group and an encrypted serial number; dividing the messages into groups according to a message grouping scheme returned by the authentication center and the encryption public key corresponding to each group, and encrypting the messages by using the encryption public key corresponding to the group aiming at each group to obtain encrypted messages; and sending the encrypted message to the message receiving terminal together with the encrypted serial number.

In a fourth aspect, an embodiment of the present application provides an asymmetric white-box cryptographic encryption apparatus, including: the first receiving unit is configured to receive an encrypted message and an encrypted serial number from a message sending terminal, wherein the encrypted message is obtained by the message sending terminal dividing the message into groups according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group and encrypting the messages by using the encrypted public key corresponding to the group for each group, and the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number; the first storage unit is configured to correspondingly store the received encrypted message and the encrypted serial number; a first sending unit, configured to respond to a request for obtaining message content, send the encrypted message and the encrypted serial number that are stored correspondingly to an authentication center, so that after the authentication center authenticates and passes the identity of the message receiving terminal, the authentication center returns a message grouping scheme, an encrypted public key and a corresponding record of the encrypted serial number to the message sending terminal according to the authentication center, searches for the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number, and decrypts the encrypted message according to the message grouping scheme and an encrypted private key corresponding to the encrypted public key corresponding to each group; and the second receiving unit is configured to receive the decrypted message content from the authentication center.

In a fifth aspect, an embodiment of the present application provides an asymmetric white-box cryptographic encryption apparatus, where the apparatus includes: a third receiving unit, configured to receive an encrypted message and an encrypted serial number from a message receiving terminal, where the encrypted message is obtained by the message sending terminal according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group, grouping the message into groups, encrypting the group with the encrypted public key corresponding to the group for each group, and sending the group to the message receiving terminal, and the authentication center returns the encrypted serial number while returning the message grouping scheme and the encrypted public key to the message sending terminal so that the message receiving terminal sends the encrypted serial number and the encrypted message to the authentication center; the first authentication unit is configured to authenticate the identity of the message receiving terminal; the searching unit is configured to search the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number according to the corresponding records of the message grouping scheme, the encrypted public key and the encrypted serial number returned to the message sending terminal if the authentication is passed; the decryption unit is configured to decrypt the encrypted messages according to the searched message grouping scheme and the encryption private keys corresponding to the encryption public keys corresponding to the groups; and the second sending unit is configured to send the message content obtained by decryption to the message receiving terminal.

In a sixth aspect, an embodiment of the present application provides an asymmetric white-box cryptographic encryption apparatus, including: a fifth sending unit, configured to send the message grouping scheme and the encrypted public key request to the authentication center; a fifth receiving unit, configured to receive the message grouping scheme, the encrypted public key corresponding to each group, and the encrypted serial number from the authentication center if the authentication center passes the identity authentication of the message sending terminal; the encryption unit is configured to divide the messages into groups according to a message grouping scheme returned by the authentication center and the encryption public key corresponding to each group, and encrypt the messages by using the encryption public key corresponding to the group aiming at each group to obtain encrypted messages; and a sixth sending unit configured to send the encrypted message to the message receiving terminal together with the encrypted serial number.

In a seventh aspect, an embodiment of the present application provides an apparatus, including a processor, a memory, and a display; the memory includes instructions executable by the processor to cause the processor to perform: receiving an encrypted message and an encrypted serial number from a message sending terminal, wherein the encrypted message is obtained by the message sending terminal dividing the message into groups according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group and encrypting the messages by using the encrypted public key corresponding to the group aiming at each group, and the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number; correspondingly storing the received encrypted message and the encrypted serial number; responding to a request for acquiring message content, sending the encrypted message and the encrypted serial number which are stored correspondingly to an authentication center, so that the authentication center can authenticate the identity of a message receiving terminal and return a message grouping scheme, an encrypted public key and a corresponding record of the encrypted serial number to the message sending terminal according to the authentication center after passing the authentication, searching the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number, and decrypting the encrypted message according to the message grouping scheme and an encrypted private key corresponding to the encrypted public key corresponding to each group; and receiving the decrypted message content from the authentication center.

In an eighth aspect, an embodiment of the present application provides an apparatus, including a processor, a memory, and a display: the memory includes instructions executable by the processor to cause the processor to perform: receiving an encrypted message and an encrypted serial number from a message receiving terminal, wherein the encrypted message is obtained by dividing the message into groups and encrypting the groups by using the encrypted public key corresponding to each group according to a message grouping scheme returned by an authentication center and the encrypted public key corresponding to each group by the message sending terminal and sending the groups to the message receiving terminal, and the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number so that the message receiving terminal sends the encrypted serial number and the encrypted message to the authentication center; authenticating the identity of the message receiving terminal; if the authentication is passed, searching the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number according to the corresponding records of the message grouping scheme, the encrypted public key and the encrypted serial number returned to the message sending terminal; decrypting the encrypted message according to the searched message grouping scheme and the encryption private key corresponding to the encryption public key corresponding to each group; and transmitting the decrypted message content to the message receiving terminal.

In a ninth aspect, an embodiment of the present application provides an apparatus, including a processor, a memory, and a display; the memory includes instructions executable by the processor to cause the processor to perform: sending a message grouping scheme and an encryption public key request to an authentication center; if the authentication center passes the identity authentication of the message sending terminal, receiving a message grouping scheme from the authentication center, an encrypted public key corresponding to each group and an encrypted serial number; dividing the messages into groups according to a message grouping scheme returned by the authentication center and the encryption public key corresponding to each group, and encrypting the messages by using the encryption public key corresponding to the group aiming at each group to obtain encrypted messages; and sending the encrypted message to the message receiving terminal together with the encrypted serial number.

In the embodiment of the present application, the encryption key of the encrypted message is not held at the message receiving terminal, and even the message receiving terminal does not know the encryption key because decryption is performed by the authentication center. Stored at the message receiving terminal is the received encrypted message and the encrypted serial number. Thus, even if an attacker can take control of the environment in which the encrypted data is executed and stored, the attacker cannot decrypt the encrypted data. In addition, the encrypted message is not encrypted by a single key, but the message sending terminal divides the message into groups according to a message grouping scheme returned by the authentication center and an encrypted public key corresponding to each group and encrypts the message by using the encrypted public key corresponding to the group aiming at each group. And when the message receiving terminal wants to know the content of the message, the decrypted message can be obtained. At this time, the message receiving terminal transmits the encrypted message and the corresponding encrypted serial number to the authentication center. When the authentication center distributes the message grouping scheme and each encryption public key to the message sending terminal, the grouping scheme, each encryption public key (possibly each encryption private key corresponding to the encryption public key) and the encryption serial number are correspondingly recorded. Thus, after the authentication center authenticates and authenticates the identity of the message receiving terminal, the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number can be found according to the corresponding records, the encrypted message is decrypted according to the message grouping scheme and the encrypted private keys corresponding to the encrypted public keys corresponding to the groups, and the decrypted encrypted message is returned to the message receiving terminal. The critical part of the decryption is done in the authentication center. Even if an attacker can obtain control over the running and storage environments of the encrypted data, the attacker cannot reverse engineer the encrypted message by only one encrypted serial number. If the attacker obtains the encrypted serial number, the request of the decrypted data to the authentication center is impossible to succeed because the authentication of the identity of the requester cannot be realized through the authentication center. The message receiving terminal can request the decrypted data because the message receiving terminal can pass the authentication. In this way, even when an attacker can control the encrypted data operation and storage environment, information security can be achieved.

Drawings

Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:

FIG. 1 illustrates an exemplary system architecture in which embodiments of the present application may be applied;

FIG. 2 illustrates an exemplary flow diagram of a method of asymmetric white-box cryptographic encryption at a message receiving terminal side according to one embodiment of the present application;

FIG. 3 illustrates an exemplary flow diagram of an asymmetric white-box cryptographic method at the authentication center side according to one embodiment of the present application;

FIG. 4 illustrates an exemplary flow diagram of an asymmetric white-box cryptographic method at a messaging terminal side according to one embodiment of the present application;

fig. 5 shows an exemplary block diagram of an asymmetric white-box cryptographic apparatus at a message receiving terminal side according to an embodiment of the present application;

fig. 6 shows an exemplary block diagram of an asymmetric white-box cryptographic apparatus at the authentication center side according to an embodiment of the present application;

fig. 7 shows an exemplary structural block diagram of an asymmetric white-box cryptographic apparatus at a message sending terminal side according to an embodiment of the present application;

FIG. 8 illustrates a block diagram of a computer system suitable for use in implementing a message receiving terminal according to embodiments of the present application.

FIG. 9 illustrates a schematic diagram of a computer system suitable for use in implementing a certificate authority according to embodiments of the present application.

FIG. 10 illustrates a schematic block diagram of a computer system suitable for use in implementing a messaging terminal according to embodiments of the present application.

Detailed Description

The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.

It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.

Reference is made to fig. 1, which illustrates an exemplary system architecture to which embodiments of the present application may be applied.

As shown in fig. 1, the system architecture may include a message sending terminal 102, an authentication center 101, and a message receiving terminal 103. The message sending terminal 102 refers to a terminal that sends a message. The message receiving terminal 103 refers to a terminal that receives a message. The terminal may refer to a physical hardware, such as an in-vehicle device, a mobile phone, etc., or may refer to an element inside the hardware, such as an ECU in a vehicle. The authentication center 101 is a center that authenticates the identities of terminals that transmit and receive messages, and distributes a message grouping scheme, an encrypted public key corresponding to each group, an encrypted private key, and an encrypted serial number for encryption of the messages. It may be located on the server side, such as a cloud server, or as part of the hardware, for example in the case of an ECU identity authentication in a vehicle, it may be located on the vehicle as part of the vehicle.

As mentioned in the background, current encryption mainly assumes that an attacker of data cannot be exposed to the environment in which encryption is performed, cannot control the environment in which encrypted data is stored, and cannot be exposed to algorithms and keys used in encryption. That is, the encryption process and storage of encrypted data exists as a "black box" that is not known to an attacker. In fact, however, in some cases, an attacker of the data can be exposed to the environment in which the encryption is running, and can even gain control over the environment in which the data is encrypted, encrypted data storage. Thus, they can easily deduce encryption algorithms and keys, etc. in a reverse-engineering manner by encrypting data, encrypting some intermediate data in the data storage environment, environmental data, etc., and thereby attack the data. Therefore, a need has arisen for how to achieve information security when an attacker can take control over data encryption and an encrypted data storage environment, that is, how to achieve information security when the encrypted process and the storage of encrypted data are regarded as "white boxes".

Referring to fig. 2, an exemplary flow diagram of an asymmetric white-box cryptographic method is shown, according to one embodiment of the present application. The method illustrated in fig. 2 may be performed at message receiving terminal 103 in fig. 1. The concept of "white box" has been described above. "asymmetric" refers to an encryption technique that employs a combination of public and private keys. Typically, the public key and the private key act as a key pair. For example, in the case of encryption with a public key, decryption is performed with a corresponding private key.

As shown in fig. 2, in step 210, an encrypted message and an encrypted serial number are received from a message sending terminal.

The encrypted message is obtained by dividing the message into groups and encrypting the group by using the encrypted public key corresponding to each group according to the message grouping scheme and the encrypted public key corresponding to each group returned by the authentication center, and the authentication center returns the encrypted serial number while returning the message grouping scheme and the encrypted public key to the message sending terminal.

The message sending terminal first sends a message grouping scheme and a request for an encryption public key to the authentication center in order to send a message. The authentication center firstly authenticates the identity of the message sending terminal, and the message grouping scheme and the encrypted public key can be sent to the message sending terminal after the authentication is passed. The identity of the message sending terminal can be authenticated by actively inquiring the identification of the message sending terminal, because if the message sending terminal is allowed to report the identification of the message sending terminal, an unauthorized message sending terminal may know the identification of another authorized message sending terminal and disguise the identification of the another authorized message sending terminal as the identification of the message sending terminal and report the identification of the message sending terminal to the authentication center, and the message sending terminal passes the authentication in a 'mistaking' way. Therefore, the authentication center actively queries the identification of the message sending terminal. Generally, according to the communication protocol between the message sending terminal and the authentication center, when the message sending terminal sends a message to the authentication center, the identification of the message sending terminal is automatically loaded into a specific field of the sent message according to the communication protocol, and the field cannot be manually modified and is dedicated to indicating the identity of the message sender. Thus, the authentication center can acquire the identification of the message sending terminal in a specific field in the message exchanged between the message sending terminal and the authentication center. The identification in this field cannot be tampered with and therefore, in this way, the identification of the messaging terminal is accurately queried. Then, the message sending terminal identification is compared with the authorized terminal identification list. The terminal identities that can be trusted as senders of messages are all registered beforehand in a list of authorized terminal identities in the authentication center. If the message sending terminal identification is in the authorized terminal identification list, the authentication is passed. If the message sending terminal identification is not in the authorized terminal identification list, the authentication fails.

If the authentication center passes the identity authentication of the message sending terminal, the authentication center distributes and sends a message grouping scheme, an encrypted public key corresponding to each group and an encrypted serial number to the message sending terminal. Message grouping schemes are how messages are grouped in order to encrypt them. For example, in message grouping scheme 1, it is specified that messages are divided into three groups: group a1, group B1, group C2. In message grouping scheme 2, it is provided that messages are divided into three groups in a 2:1:1 ratio: group a2, group B2, group C2. The allocation message grouping scheme may take the form of specifying a number of message grouping schemes in advance and then randomly assigning one among them. For example, there are 10 message packet schemes specified in advance: message grouping scheme 1, message grouping scheme 2 … …, message grouping scheme 10. When a message grouping scheme needs to be assigned, a message grouping scheme is randomly assigned therefrom. The encryption public keys corresponding to each group may be a set of encryption public keys that is specified in advance and then randomly assigned one of the public keys. For example, there are 100 public keys in the encrypted public key set (which correspond to 100 private keys). In the above-mentioned message grouping scheme 1 that divides messages equally into group a1, group B1, and group C2, one encrypted public key k1 is randomly allocated among 100 public keys for group a1, one encrypted public key k2 is randomly allocated among 100 public keys for group a2, and one encrypted public key k3 is randomly allocated among 100 public keys for group A3. The encryption serial number is a serial number indicating that this encryption is distinguished from other encryptions. And the authentication center allocates an encrypted serial number to the message sending terminal every time the message grouping scheme and the encrypted public key corresponding to each group are sent to the message sending terminal. Generally, the encrypted serial numbers assigned at each time are different from each other. Therefore, in the subsequent process of searching the message grouping scheme and the encryption public key corresponding to the received encryption serial number according to the corresponding record of the message grouping scheme, the encryption public key and the encryption serial number returned to the message sending terminal by the authentication center, the unique message grouping scheme and the encryption public key can be found.

Then, the message sending terminal divides the message into groups according to the message grouping scheme returned by the authentication center and the encryption public key corresponding to each group, and encrypts each group by using the encryption public key corresponding to the group to obtain the encrypted message. Then, the message transmitting terminal transmits the encrypted message together with the encrypted serial number to the message receiving terminal.

For example, assume that the message grouping scheme returned by the certificate authority is message grouping scheme 1, i.e., the messages are divided into group a1, group B1 and group C2, the encrypted public key corresponding to group 1 is k1, the encrypted public key corresponding to group 2 is k2, and the encrypted public key corresponding to group 3 is k 3. The message sending terminal firstly divides the message into 3 groups, encrypts the messages by k1, k2 and k3 respectively and then sends the encrypted messages to the message receiving terminal.

In step 220, the received encrypted message is stored in association with the encrypted serial number.

In the embodiment of the present application, the encryption key of the encrypted message is not held at the message receiving terminal, and even the message receiving terminal does not know the encryption key because decryption is performed by the authentication center. Stored at the message receiving terminal is the received encrypted message and the encrypted serial number. Thus, even if an attacker can take control of the environment in which the encrypted data is executed and stored, the attacker cannot decrypt the encrypted data. In addition, the encrypted message is not encrypted by a single key, but the message sending terminal divides the message into groups according to a message grouping scheme returned by the authentication center and an encrypted public key corresponding to each group and encrypts the message by using the encrypted public key corresponding to the group aiming at each group.

In step 230, in response to the request for obtaining the message content, the correspondingly stored encrypted message and encrypted serial number are sent to the authentication center, so that after the authentication center authenticates the identity of the message receiving terminal and passes the authentication, the authentication center returns a message grouping scheme, an encrypted public key and a corresponding record of the encrypted serial number to the message sending terminal, searches for the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number, and decrypts the encrypted message according to the message grouping scheme and the encrypted private key corresponding to the encrypted public key corresponding to each group.

As previously mentioned, messages are always stored encrypted at the message receiving terminal for information security. When the message receiving terminal wants to know the content of the message, the message receiving terminal sends the encrypted message and the corresponding encrypted serial number to the authentication center in response to a request for acquiring the content of the message. Then, the authentication center authenticates the identity of the message receiving terminal. The identity of the message receiving terminal can be authenticated by actively inquiring the identifier of the message receiving terminal, because if the message receiving terminal is allowed to report the identifier of the message receiving terminal, an unauthorized message receiving terminal (possibly an attacker) may know the identifier of another authorized message receiving terminal and report the identifier of the another authorized message receiving terminal as the identifier of the unauthorized message receiving terminal to the authentication center, and the authentication is passed through 'mistaking a switch' in this way. Therefore, the authentication center actively queries the identification of the message receiving terminal. Generally, according to the communication protocol between the message receiving terminal and the authentication center, when the message receiving terminal sends a message to the authentication center, the identification of the message receiving terminal is automatically loaded into a specific field of the sent message according to the communication protocol, and the field cannot be artificially modified and is specially used for indicating the identity of a communicator with the authentication center. Thus, the authentication center can acquire the message recipient terminal identification in a specific field in the message exchanged between the message recipient terminal and the authentication center. The identity in this field cannot be tampered with and therefore, in this way, the identity of the message receiving terminal is accurately queried. Then, the message receiving terminal identification is compared with the authorized terminal identification list. The terminal identifications that can be trusted for secure communication are registered in advance in an authorized terminal identification list of the authentication center. If the message receiving terminal identification is in the authorized terminal identification list, the authentication is passed. If the message receiving terminal identification is not in the authorized terminal identification list, the authentication fails.

When distributing and sending the message grouping scheme and each encrypted public key to the message sending terminal, the authentication center correspondingly records the grouping scheme, each encrypted public key (possibly each encrypted private key corresponding to the encrypted public key) and the encrypted serial number. Therefore, after the authentication center authenticates the identity of the message receiving terminal and passes the authentication, the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number can be found according to the corresponding record. Since the encryption public key and the encryption private key are generated in pairs, the corresponding encryption private key is actually generated when the encryption public key is generated. The grouping scheme, each encryption public key, each encryption private key corresponding to each encryption public key, and the encryption serial number may also be recorded correspondingly. The authentication center decrypts the encrypted message according to the message grouping scheme and the encryption private key corresponding to the encryption public key corresponding to each group.

Because the key part of decryption is carried out in the authentication center, even if an attacker can obtain control over the running and storage environments of encrypted data, the attacker cannot crack the encrypted message by reverse engineering by only one encrypted serial number. If the attacker obtains the encrypted serial number, the request of the decrypted data to the authentication center is impossible to succeed because the authentication of the identity of the requester cannot be realized through the authentication center. The message receiving terminal can request the decrypted data because the message receiving terminal can pass the authentication. In this way, even when an attacker can control the encrypted data operation and storage environment, information security can be achieved.

In step 240, the decrypted message content is received from the authentication center.

Referring to fig. 3, an exemplary flow diagram of an asymmetric white-box cryptographic method is shown, according to one embodiment of the present application. The method illustrated in fig. 3 may be performed at the authentication center 101 in fig. 1. The concept of "white box" has been described above. "asymmetric" refers to an encryption technique that employs a combination of public and private keys. Typically, the public key and the private key act as a key pair. For example, in the case of encryption with a public key, decryption is performed with a corresponding private key.

As shown in fig. 3, in step 310, an encrypted message, an encrypted serial number, is received from a message receiving terminal.

The encrypted message is obtained by the message sending terminal according to the message grouping scheme returned by the authentication center and the encrypted public key corresponding to each group by grouping the message into groups and encrypting the group by using the encrypted public key corresponding to the group and sending the group to the message receiving terminal. The authentication center returns the message grouping scheme and the encryption public key to the message sending terminal and also returns the encryption serial number at the same time, so that the message receiving terminal sends the encryption serial number and the encryption message to the authentication center together.

In practice, before step 310, the method further comprises: receiving a message grouping scheme and an encryption public key request from a message sending terminal; authenticating the identity of the message sending terminal; if the authentication is passed, generating a message grouping scheme, an encryption public key corresponding to each group and an encryption serial number; and sending the message grouping scheme, the encrypted public key corresponding to each group and the encrypted serial number to a message sending terminal.

Specifically, a message sending terminal first sends a message grouping scheme and an encryption public key request to a certificate authority in order to send a message. The authentication center firstly authenticates the identity of the message sending terminal, and the message grouping scheme and the encrypted public key can be sent to the message sending terminal after the authentication is passed. The identity of the message sending terminal can be authenticated by actively inquiring the identification of the message sending terminal, because if the message sending terminal is allowed to report the identification of the message sending terminal, an unauthorized message sending terminal may know the identification of another authorized message sending terminal and disguise the identification of the another authorized message sending terminal as the identification of the message sending terminal and report the identification of the message sending terminal to the authentication center, and the message sending terminal passes the authentication in a 'mistaking' way. Therefore, the authentication center actively queries the identification of the message sending terminal. Generally, according to the communication protocol between the message sending terminal and the authentication center, when the message sending terminal sends a message to the authentication center, the identification of the message sending terminal is automatically loaded into a specific field of the sent message according to the communication protocol, and the field cannot be manually modified and is dedicated to indicating the identity of the message sender. Thus, the authentication center can acquire the identification of the message sending terminal in a specific field in the message exchanged between the message sending terminal and the authentication center. The identification in this field cannot be tampered with and therefore, in this way, the identification of the messaging terminal is accurately queried. Then, the message sending terminal identification is compared with the authorized terminal identification list. The terminal identities that can be trusted as senders of messages are all registered beforehand in a list of authorized terminal identities in the authentication center. If the message sending terminal identification is in the authorized terminal identification list, the authentication is passed. If the message sending terminal identification is not in the authorized terminal identification list, the authentication fails. If the authentication center passes the identity authentication of the message sending terminal, the authentication center distributes and sends a message grouping scheme, an encrypted public key corresponding to each group and an encrypted serial number to the message sending terminal. Message grouping schemes are how messages are grouped in order to encrypt them. For example, in message grouping scheme 1, it is specified that messages are divided into three groups: group a1, group B1, group C2. In message grouping scheme 2, it is provided that messages are divided into three groups in a 2:1:1 ratio: group a2, group B2, group C2. The allocation message grouping scheme may take the form of specifying a number of message grouping schemes in advance and then randomly assigning one among them. For example, there are 10 message packet schemes specified in advance: message grouping scheme 1, message grouping scheme 2 … …, message grouping scheme 10. When a message grouping scheme needs to be assigned, a message grouping scheme is randomly assigned therefrom. The encryption public keys corresponding to each group may be a set of encryption public keys that is specified in advance and then randomly assigned one of the public keys. For example, there are 100 public keys in the encrypted public key set (which correspond to 100 private keys). In the above-mentioned message grouping scheme 1 that divides messages equally into group a1, group B1, and group C2, one encrypted public key k1 is randomly allocated among 100 public keys for group a1, one encrypted public key k2 is randomly allocated among 100 public keys for group a2, and one encrypted public key k3 is randomly allocated among 100 public keys for group A3. The encryption serial number is a serial number indicating that this encryption is distinguished from other encryptions. And the authentication center allocates an encrypted serial number to the message sending terminal every time the message grouping scheme and the encrypted public key corresponding to each group are sent to the message sending terminal. Generally, the encrypted serial numbers assigned at each time are different from each other. Therefore, in the subsequent process of searching the message grouping scheme and the encryption public key corresponding to the received encryption serial number according to the corresponding record of the message grouping scheme, the encryption public key and the encryption serial number returned to the message sending terminal by the authentication center, the unique message grouping scheme and the encryption public key can be found.

In one embodiment, the method further comprises, after authenticating the identity of the message sending terminal: generating an encryption private key corresponding to the encryption public key corresponding to each group; and correspondingly storing the generated message grouping scheme, the encryption public key corresponding to each group, the corresponding encryption private key and the encryption serial number.

In the asymmetric encryption technology, since the encryption public key and the encryption private key are generated in pairs, the corresponding encryption private key is actually generated when the encryption public key is generated. The grouping scheme, each encryption public key, each encryption private key corresponding to each encryption public key, and the encryption serial number may also be recorded correspondingly. When the authentication center subsequently decrypts the encrypted message, the encrypted private key is used instead of the encrypted public key, so that the grouping scheme, the encrypted public keys, the encrypted private keys corresponding to the encrypted public keys, and the encrypted serial number are correspondingly recorded, and the authentication center can decrypt the encrypted message according to the message grouping scheme corresponding to the encrypted serial number and the encrypted private keys corresponding to the encrypted public keys corresponding to the groups in the subsequent process.

Then, the message sending terminal divides the message into groups according to the message grouping scheme returned by the authentication center and the encryption public key corresponding to each group, and encrypts each group by using the encryption public key corresponding to the group to obtain the encrypted message. Then, the message transmitting terminal transmits the encrypted message together with the encrypted serial number to the message receiving terminal. And the message receiving terminal correspondingly stores the received encrypted message and the encrypted serial number, and sends the correspondingly stored encrypted message and the encrypted serial number to the authentication center when the message content needs to be acquired.

In step 320, the identity of the message receiving terminal is authenticated.

The identity of the message receiving terminal can be authenticated by actively inquiring the identifier of the message receiving terminal, because if the message receiving terminal is allowed to report the identifier of the message receiving terminal, an unauthorized message receiving terminal (possibly an attacker) may know the identifier of another authorized message receiving terminal and report the identifier of the another authorized message receiving terminal as the identifier of the unauthorized message receiving terminal to the authentication center, and the authentication is passed through 'mistaking a switch' in this way. Therefore, the authentication center actively queries the identification of the message receiving terminal. Generally, according to the communication protocol between the message receiving terminal and the authentication center, when the message receiving terminal sends a message to the authentication center, the identification of the message receiving terminal is automatically loaded into a specific field of the sent message according to the communication protocol, and the field cannot be artificially modified and is specially used for indicating the identity of a communicator with the authentication center. Thus, the authentication center can acquire the message recipient terminal identification in a specific field in the message exchanged between the message recipient terminal and the authentication center. The identity in this field cannot be tampered with and therefore, in this way, the identity of the message receiving terminal is accurately queried. Then, the message receiving terminal identification is compared with the authorized terminal identification list. The terminal identifications that can be trusted for secure communication are registered in advance in an authorized terminal identification list of the authentication center. If the message receiving terminal identification is in the authorized terminal identification list, the authentication is passed. If the message receiving terminal identification is not in the authorized terminal identification list, the authentication fails.

In step 330, if the authentication is passed, the message grouping scheme and the encryption public key corresponding to the received encrypted serial number are searched according to the corresponding record of the message grouping scheme, the encryption public key and the encrypted serial number returned to the message sending terminal.

When distributing and sending the message grouping scheme and each encrypted public key to the message sending terminal, the authentication center correspondingly records the grouping scheme, each encrypted public key (possibly each encrypted private key corresponding to the encrypted public key) and the encrypted serial number. Therefore, after the authentication center authenticates the identity of the message receiving terminal and passes the authentication, the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number can be found according to the corresponding record.

In step 340, the encrypted message is decrypted according to the found message grouping scheme and the encryption private key corresponding to the encryption public key corresponding to each group.

Since the encryption public key and the encryption private key are generated in pairs, the corresponding encryption private key is actually generated when the encryption public key is generated. The grouping scheme, each encryption public key, each encryption private key corresponding to each encryption public key, and the encryption serial number may also be recorded correspondingly. Then, the authentication center decrypts the encrypted message according to the message grouping scheme and the encryption private key corresponding to the encryption public key corresponding to each group.

In another embodiment, a comparison table of the encryption public key and the encryption private key is additionally arranged. The authentication center obtains the corresponding encrypted private key in the comparison table according to the searched encrypted public key, and then decrypts the encrypted message according to the searched message grouping scheme and the encrypted private key corresponding to the encrypted public key corresponding to each group.

In step 350, the decrypted message content is transmitted to the message receiving terminal.

In one embodiment, the method further comprises: and if the authentication fails, sending an authentication failure message to the message receiving terminal.

Referring to fig. 4, an exemplary flow diagram of an asymmetric white-box cryptographic method is shown, according to one embodiment of the present application. The method illustrated in fig. 4 may be performed at messaging terminal 102 in fig. 1. The concept of "white box" has been described above. "asymmetric" refers to an encryption technique that employs a combination of public and private keys. Typically, the public key and the private key act as a key pair. For example, in the case of encryption with a public key, decryption is performed with a corresponding private key.

As shown in fig. 4, a message packet scheme and encrypted public key request is sent to the authentication center in step 410.

That is, a message sending terminal first sends a message grouping scheme and an encryption public key request to a certificate authority in order to send a message.

In step 420, if the authentication center authenticates the identity of the message sending terminal, a message grouping scheme, an encrypted public key corresponding to each group, and an encrypted serial number are received from the authentication center.

After receiving the request, the authentication center firstly authenticates the identity of the message sending terminal, and the message grouping scheme and the encrypted public key can be sent to the message sending terminal after the authentication is passed. The identity of the message sending terminal can be authenticated by actively inquiring the identification of the message sending terminal, because if the message sending terminal is allowed to report the identification of the message sending terminal, an unauthorized message sending terminal may know the identification of another authorized message sending terminal and disguise the identification of the another authorized message sending terminal as the identification of the message sending terminal and report the identification of the message sending terminal to the authentication center, and the message sending terminal passes the authentication in a 'mistaking' way. Therefore, the authentication center actively queries the identification of the message sending terminal. Generally, according to the communication protocol between the message sending terminal and the authentication center, when the message sending terminal sends a message to the authentication center, the identification of the message sending terminal is automatically loaded into a specific field of the sent message according to the communication protocol. This field cannot be modified manually and is dedicated to indicating the identity of the sender of the message. Thus, the authentication center can acquire the identification of the message sending terminal in a specific field in the message exchanged between the message sending terminal and the authentication center. The identification in this field cannot be tampered with and therefore, in this way, the identification of the messaging terminal is accurately queried. Then, the message sending terminal identification is compared with the authorized terminal identification list. The terminal identities that can be trusted as senders of messages are all registered beforehand in a list of authorized terminal identities in the authentication center. If the message sending terminal identification is in the authorized terminal identification list, the authentication is passed. If the message sending terminal identification is not in the authorized terminal identification list, the authentication fails. If the authentication center passes the identity authentication of the message sending terminal, the authentication center distributes and sends a message grouping scheme, an encrypted public key corresponding to each group and an encrypted serial number to the message sending terminal. Message grouping schemes are how messages are grouped in order to encrypt them. The encryption serial number is a serial number indicating that the current encryption is distinguished from the other encryptions. And the authentication center allocates an encrypted serial number to the message sending terminal every time the message grouping scheme and the encrypted public key corresponding to each group are sent to the message sending terminal. Generally, the encrypted serial numbers assigned at each time are different from each other. Therefore, in the subsequent process of searching the message grouping scheme and the encryption public key corresponding to the received encryption serial number according to the corresponding record of the message grouping scheme, the encryption public key and the encryption serial number returned to the message sending terminal by the authentication center, the unique message grouping scheme and the encryption public key can be found.

In step 430, according to the message grouping scheme returned by the authentication center and the encryption public key corresponding to each group, the message is grouped into groups and encrypted by the encryption public key corresponding to the group for each group, so as to obtain an encrypted message.

In step 440, the encrypted message is transmitted to the message receiving terminal along with the encrypted serial number.

The message sending terminal sends the encrypted message to the message receiving terminal together with the encrypted serial number. Then, the message receiving terminal correspondingly stores the received encrypted message and the encrypted serial number, and sends the correspondingly stored encrypted message and the encrypted serial number to the authentication center when the message content needs to be acquired. The authentication center authenticates the identity of the message receiving terminal.

When distributing and sending the message grouping scheme and each encrypted public key to the message sending terminal, the authentication center correspondingly records the grouping scheme, each encrypted public key, each encrypted private key corresponding to each encrypted public key and the encrypted serial number. Thus, after the authentication center authenticates and authenticates the identity of the message receiving terminal, the message grouping scheme corresponding to the received encrypted serial number and the encrypted private key corresponding to the encrypted public key can be found according to the corresponding record, and then the encrypted message is decrypted according to the found message grouping scheme and the encrypted private key corresponding to the encrypted public key corresponding to each group. Then, the authentication center transmits the decrypted message contents to the message receiving terminal.

It should be noted that while the operations of the method of the present invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Rather, the steps depicted in the flowcharts may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.

With further reference to fig. 5, an exemplary block diagram of an asymmetric white-box cryptographic apparatus 500 in accordance with one embodiment of the present application is shown.

As shown in fig. 5, the asymmetric white-box cryptographic apparatus 500 includes: a first receiving unit 510, configured to receive an encrypted message and an encrypted serial number from a message sending terminal, where the encrypted message is obtained by the message sending terminal dividing the message into groups according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group, and encrypting each group with the encrypted public key corresponding to the group, and the authentication center returns the encrypted serial number while returning the message grouping scheme and the encrypted public key to the message sending terminal; a first saving unit 520 configured to save the received encrypted message in correspondence with the encrypted serial number; a first sending unit 530, configured to send, in response to a request for obtaining a message content, an encrypted message and an encrypted serial number that are stored correspondingly to an authentication center, so that after the authentication center authenticates the identity of a message receiving terminal and passes the authentication, the authentication center returns a corresponding record of a message grouping scheme, an encrypted public key and the encrypted serial number to the message sending terminal, searches for the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number, and decrypts the encrypted message according to the message grouping scheme and an encrypted private key corresponding to the encrypted public key corresponding to each group; a second receiving unit 540, configured to receive the decrypted message content from the authentication center.

Optionally, the authenticating the identity of the message receiving terminal by the authentication center is performed by obtaining a message receiving terminal identifier in a specific field in a message exchanged between the message receiving terminal and the authentication center, and comparing the message receiving terminal identifier with the authorized terminal identifier list.

Alternatively, if the message receiving terminal identity is in the list of authorized terminal identities, the authentication is passed.

With further reference to fig. 6, an exemplary block diagram of an asymmetric white-box cryptographic apparatus 600 in accordance with one embodiment of the present application is shown.

As shown in fig. 6, the asymmetric white-box cryptographic apparatus 600 includes: a third receiving unit 610, configured to receive an encrypted message and an encrypted serial number from a message receiving terminal, where the encrypted message is obtained by the message sending terminal according to a message grouping scheme returned by the authentication center and an encrypted public key corresponding to each group, grouping the message into groups, encrypting the group with the encrypted public key corresponding to the group for each group, and sending the group to the message receiving terminal, and the authentication center returns the encrypted serial number while returning the message grouping scheme and the encrypted public key to the message sending terminal, so that the message receiving terminal sends the encrypted serial number and the encrypted message to the authentication center; a first authentication unit 620 configured to authenticate an identity of a message receiving terminal; a searching unit 630 configured to search, if the authentication passes, the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number according to the corresponding record of the message grouping scheme, the encrypted public key and the encrypted serial number returned to the message sending terminal; a decryption unit 640 configured to decrypt the encrypted message according to the searched message grouping scheme and the encryption private key corresponding to the encryption public key corresponding to each group; a second sending unit 650 configured to send the decrypted message content to the message receiving terminal.

Optionally, the apparatus comprises: and the third sending unit is configured to send an authentication failure message to the message receiving terminal if the authentication fails.

Optionally, the apparatus further comprises: a fourth receiving unit configured to receive the message grouping scheme and the encrypted public key request from the message sending terminal; the second authentication unit is configured to authenticate the identity of the message sending terminal; a first generating unit configured to generate a message grouping scheme, an encrypted public key corresponding to each group, and an encrypted serial number if the authentication is passed; and the fourth sending unit is configured to send the message grouping scheme, the encrypted public key corresponding to each group and the encrypted serial number to the message sending terminal.

Optionally, the apparatus further comprises: a second generation unit configured to generate an encryption private key corresponding to the encryption public key corresponding to each group; and a second storing unit configured to store the generated message grouping scheme, the encryption public key corresponding to each group, the corresponding encryption private key, and the encryption serial number in association with each other.

Optionally, the first authentication unit is further configured to: acquiring a message receiving terminal identifier in a specific field in a message exchanged between a message receiving terminal and an authentication center; and comparing the message receiving terminal identification with the authorized terminal identification list.

Optionally, the second authentication unit is further configured to: acquiring a message sending terminal identifier in a specific field in a message exchanged between a message sending terminal and an authentication center; and comparing the message sending terminal identification with the authorized terminal identification list.

With further reference to fig. 7, an exemplary block diagram of an asymmetric white-box cryptographic apparatus 700 in accordance with one embodiment of the present application is shown.

As shown in fig. 7, the asymmetric white-box cryptographic apparatus 700 includes: a fifth sending unit 710 configured to send the message grouping scheme and the encrypted public key request to the certificate authority; a fifth receiving unit 720, configured to receive the message grouping scheme, the encrypted public key corresponding to each group, and the encrypted serial number from the authentication center if the authentication center passes the identity authentication of the message sending terminal; the encryption unit 730 is configured to divide the messages into groups according to the message grouping scheme returned by the authentication center and the encryption public key corresponding to each group, and encrypt each group by using the encryption public key corresponding to the group to obtain an encrypted message; a sixth sending unit 740 configured to send the encrypted message to the message receiving terminal together with the encrypted serial number.

It should be understood that the subsystems or units recited in fig. 5-7 correspond to various steps in the method described with reference to fig. 2-4. Thus, the operations and features described above for the method are equally applicable to fig. 5-7 and the units contained therein and will not be described again here.

Referring now to FIG. 8, shown is a block diagram of a computer system 800 suitable for use in implementing a message receiving terminal according to an embodiment of the present application.

As shown in fig. 8, the computer system 800 includes a Central Processing Unit (CPU)801 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for the operation of the system 800 are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other via a bus 804. An input/output (I/O) interface 805 is also connected to bus 804.

The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output section 807 including a signal such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out therefrom is mounted on the storage section 808 as necessary.

Referring now to FIG. 9, a block diagram of a computer system 900 suitable for implementing a certificate authority of an embodiment of the present application is shown.

As shown in fig. 9, the computer system 900 includes a Central Processing Unit (CPU)901 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)902 or a program loaded from a storage section 908 into a Random Access Memory (RAM) 903. In the RAM 903, various programs and data necessary for the operation of the system 900 are also stored. The CPU 901, ROM 902, and RAM 903 are connected to each other via a bus 904. An input/output (I/O) interface 905 is also connected to bus 904.

The following components are connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse, and the like; an output section 907 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as necessary. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 910 as necessary, so that a computer program read out therefrom is mounted into the storage section 908 as necessary.

Referring now to FIG. 10, a block diagram of a computer system 1000 suitable for use in implementing a message receiving terminal of an embodiment of the present application is shown.

As shown in fig. 10, the computer system 1000 includes a Central Processing Unit (CPU)1001 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)1002 or a program loaded from a storage section 1008 into a Random Access Memory (RAM) 1003. In the RAM 1003, various programs and data necessary for the operation of the system 1000 are also stored. The CPU 1001, ROM 1002, and RAM 1003 are connected to each other via a bus 1004. An input/output (I/O) interface 1005 is also connected to bus 1004.

The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse, and the like; an output section 1007 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card, a modem, or the like. The communication section 1009 performs communication processing via a network such as the internet. The driver 1010 is also connected to the I/O interface 1005 as necessary. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1010 as necessary, so that a computer program read out therefrom is mounted into the storage section 1008 as necessary.

In particular, the processes described above with reference to fig. 2-4 may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the methods of fig. 2-4. In such embodiments, the computer program may be downloaded and installed from a network via

communications sections

809, 909, 1009 and/or installed from

removable media

811, 911, 1011.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The units or modules described in the embodiments of the present application may be implemented by software or hardware. The described units or modules may also be provided in a processor. The names of these units or modules do not in some cases constitute a limitation of the unit or module itself.

As another aspect, the present application also provides a computer-readable storage medium, which may be the computer-readable storage medium included in the apparatus in the above-described embodiments; or it may be a separate computer readable storage medium not incorporated into the device. The computer readable storage medium stores one or more programs for use by one or more processors in performing the formula input methods described herein.

The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by a person skilled in the art that the scope of the invention as referred to in the present application is not limited to the embodiments with a specific combination of the above-mentioned features, but also covers other embodiments with any combination of the above-mentioned features or their equivalents without departing from the inventive concept. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims

1. An asymmetric white-box cryptographic method, the method comprising: receiving an encrypted message and an encrypted serial number from a message sending terminal, wherein the encrypted message is obtained by the message sending terminal according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group, dividing the message into groups and encrypting the groups by the encrypted public key corresponding to the group, the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number at the same time, and the message is a message to be sent by the sending terminal;

correspondingly storing the received encrypted message and the encrypted serial number;

responding to a request for acquiring message content, sending the encrypted message and the encrypted serial number which are stored correspondingly to an authentication center, so that the authentication center can authenticate the identity of a message receiving terminal and return a message grouping scheme, an encrypted public key and a corresponding record of the encrypted serial number to the message sending terminal according to the authentication center after passing the authentication, searching the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number, and decrypting the encrypted message according to the message grouping scheme and an encrypted private key corresponding to the encrypted public key corresponding to each group; the authentication center actively inquires the identification of the message receiving terminal;

receiving the decrypted message content from the authentication center, wherein,

the authentication center authenticates the identity of the message receiving terminal by acquiring the message receiving terminal identification in a specific field in the message exchanged between the message receiving terminal and the authentication center and comparing the message receiving terminal identification with the authorized terminal identification list, if the message receiving terminal identification is in the authorized terminal identification list, the authentication is passed.

2. An asymmetric white-box cryptographic method, the method comprising: receiving an encrypted message and an encrypted serial number from a message receiving terminal, wherein the encrypted message is obtained by the message sending terminal according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group, dividing the message into groups, encrypting the groups by the encrypted public key corresponding to the group for each group and sending the groups to the message receiving terminal, and the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number so that the message receiving terminal sends the encrypted serial number and the encrypted message to the authentication center together, and the message is a message to be sent by the sending terminal;

authenticating the identity of the message receiving terminal; the authentication center actively inquires the identification of the message receiving terminal;

if the authentication is passed, searching the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number according to the corresponding records of the message grouping scheme, the encrypted public key and the encrypted serial number returned to the message sending terminal;

decrypting the encrypted message according to the searched message grouping scheme and the encryption private key corresponding to the encryption public key corresponding to each group;

transmitting the decrypted message content to a message receiving terminal;

the method further comprises the following steps before receiving the encrypted message and the encrypted serial number from the message receiving terminal: receiving a message grouping scheme and an encryption public key request from a message sending terminal;

authenticating the identity of the message sending terminal;

if the authentication is passed, generating a message grouping scheme, an encryption public key corresponding to each group and an encryption serial number;

sending the message grouping scheme, the encrypted public key corresponding to each group and the encrypted serial number to a message sending terminal;

wherein the authenticating the identity of the message receiving end comprises:

acquiring a message receiving terminal identifier in a specific field in a message exchanged between a message receiving terminal and an authentication center;

comparing the message receiving terminal identification with the authorized terminal identification list; the authenticating the identity of the message sending terminal comprises:

acquiring a message sending terminal identifier in a specific field in a message exchanged between a message sending terminal and an authentication center;

and comparing the message sending terminal identification with the authorized terminal identification list, and if the authentication fails, sending an authentication failure message to the message receiving terminal.

3. The method according to claim 2, further comprising, after authenticating the identity of the message sending terminal: generating an encryption private key corresponding to the encryption public key corresponding to each group;

and correspondingly storing the generated message grouping scheme, the encryption public key corresponding to each group, the corresponding encryption private key and the encryption serial number.

4. An asymmetric white-box cryptographic method, the method comprising: sending a message grouping scheme and an encryption public key request to an authentication center;

the authentication center actively inquires the identification of the message sending terminal, and if the authentication center passes the identity authentication of the message sending terminal, the authentication center receives a message grouping scheme, an encrypted public key corresponding to each group and an encrypted serial number from the authentication center;

dividing the messages into groups according to a message grouping scheme returned by the authentication center and the encryption public key corresponding to each group, and encrypting the messages by using the encryption public key corresponding to the group aiming at each group to obtain encrypted messages, wherein the messages are messages to be sent;

sending the encrypted message and the encrypted serial number to a message receiving terminal;

wherein the authenticating the identity of the message sending terminal comprises:

and comparing the message sending terminal identification with the authorized terminal identification list.

5. An asymmetric white-box cryptographic apparatus, the apparatus comprising:

the system comprises a first receiving unit, a second receiving unit and a third receiving unit, wherein the first receiving unit is configured to receive an encrypted message and an encrypted serial number from a message sending terminal, the encrypted message is obtained by the message sending terminal by dividing the message into groups according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group and encrypting the messages by the encrypted public key corresponding to the group aiming at each group, the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number at the same time, and the message is a message to be sent by the sending terminal;

the first storage unit is configured to correspondingly store the received encrypted message and the encrypted serial number;

a first sending unit, configured to respond to a request for obtaining message content, send an encrypted message and an encrypted serial number, which are stored correspondingly, to an authentication center, so that the authentication center authenticates the identity of a message receiving terminal and passes the authentication, and then return a corresponding record of a message grouping scheme, an encrypted public key and the encrypted serial number to the message sending terminal according to the authentication center, search for the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number, decrypt the encrypted message according to the message grouping scheme and a private key corresponding to the encrypted public key corresponding to each group, wherein the authentication center actively queries the identifier of the message receiving terminal; the authentication center authenticates the identity of the message receiving terminal by acquiring the message receiving terminal identification in a specific field in the message exchanged between the message receiving terminal and the authentication center and comparing the message receiving terminal identification with the authorized terminal identification list; if the message receiving terminal identification is in the authorized terminal identification list, the authentication is passed;

and the second receiving unit is configured to receive the decrypted message content from the authentication center.

6. An asymmetric white-box cryptographic apparatus, the apparatus comprising: a third receiving unit, configured to receive an encrypted message and an encrypted serial number from a message receiving terminal, where the encrypted message is obtained by the message sending terminal according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group, grouping the message into groups, encrypting the messages with the encrypted public key corresponding to the group for each group, and sending the encrypted messages to the message receiving terminal, and the authentication center returns the encrypted serial number while returning the message grouping scheme and the encrypted public key to the message sending terminal, so that the message receiving terminal sends the encrypted serial number and the encrypted message to the authentication center together, where the message is a message to be sent by the sending terminal;

the first authentication unit is configured to authenticate the identity of the message receiving terminal; the authentication center actively inquires the identification of the message receiving terminal;

the searching unit is configured to search the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number according to the corresponding records of the message grouping scheme, the encrypted public key and the encrypted serial number returned to the message sending terminal if the authentication is passed;

the decryption unit is configured to decrypt the encrypted messages according to the searched message grouping scheme and the encryption private keys corresponding to the encryption public keys corresponding to the groups;

a second sending unit configured to send the decrypted message content to the message receiving terminal;

the device further comprises: a fourth receiving unit configured to receive the message grouping scheme and the encrypted public key request from the message sending terminal;

the second authentication unit is configured to authenticate the identity of the message sending terminal;

a first generating unit configured to generate a message grouping scheme, an encrypted public key corresponding to each group, and an encrypted serial number if the authentication is passed;

a fourth sending unit, configured to send the message grouping scheme, the encrypted public key corresponding to each group, and the encrypted serial number to a message sending terminal;

the first authentication unit is further configured to:

comparing the message receiving terminal identification with the authorized terminal identification list;

the second authentication unit is further configured to: acquiring a message sending terminal identifier in a specific field in a message exchanged between a message sending terminal and an authentication center;

7. The apparatus of claim 6, wherein the apparatus comprises: third sending bill

And an element configured to send an authentication failure message to the message receiving terminal if the authentication fails.

8. The apparatus of claim 6, further comprising: a second generation unit configured to generate an encryption private key corresponding to the encryption public key corresponding to each group;

and a second storing unit configured to store the generated message grouping scheme, the encryption public key corresponding to each group, the corresponding encryption private key, and the encryption serial number in association with each other.

9. An asymmetric white-box cryptographic apparatus, the apparatus comprising: a fifth sending unit, configured to send the message grouping scheme and the encrypted public key request to the authentication center; the authentication center actively inquires the identification of the message sending terminal;

a fifth receiving unit, configured to receive the message grouping scheme, the encrypted public key corresponding to each group, and the encrypted serial number from the authentication center if the authentication center passes the identity authentication of the message sending terminal;

the encryption unit is configured to divide the messages into groups according to a message grouping scheme returned by the authentication center and an encryption public key corresponding to each group, and encrypt the messages by using the encryption public key corresponding to the group aiming at each group to obtain encrypted messages, wherein the messages are messages to be sent;

a sixth sending unit configured to send the encrypted message together with the encrypted serial number to the message receiving terminal;

acquiring the message sending terminal identification in a specific field in the message exchanged between the message sending terminal and the authentication center.

10. An asymmetric white-box cryptographic apparatus comprising a processor, a memory and a display; the method is characterized in that: the memory includes instructions executable by the processor to cause the processor to perform: receiving an encrypted message and an encrypted serial number from a message sending terminal, wherein the encrypted message is obtained by the message sending terminal according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group, dividing the message into groups and encrypting the groups by the encrypted public key corresponding to the group, the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number at the same time, and the message is a message to be sent by the sending terminal; the authentication center actively inquires the identification of the message receiving terminal;

responding to a request for acquiring message content, sending the encrypted message and the encrypted serial number which are stored correspondingly to an authentication center, so that the authentication center can authenticate the identity of a message receiving terminal and return a message grouping scheme, an encrypted public key and a corresponding record of the encrypted serial number to the message sending terminal according to the authentication center after passing the authentication, searching the message grouping scheme and the encrypted public key corresponding to the received encrypted serial number, and decrypting the encrypted message according to the message grouping scheme and an encrypted private key corresponding to the encrypted public key corresponding to each group;

receiving the decrypted message content from the authentication center,

the authentication center authenticates the identity of the message receiving terminal by acquiring the message receiving terminal identification in a specific field in the message exchanged between the message receiving terminal and the authentication center and comparing the message receiving terminal identification with the authorized terminal identification list.

11. An asymmetric white-box cryptographic apparatus comprising a processor, a memory and a display; the method is characterized in that: the memory includes instructions executable by the processor to cause the processor to perform: receiving an encrypted message and an encrypted serial number from a message receiving terminal, wherein the encrypted message is obtained by the message sending terminal according to a message grouping scheme returned by an authentication center and an encrypted public key corresponding to each group, dividing the message into groups, encrypting the groups by the encrypted public key corresponding to the group for each group and sending the groups to the message receiving terminal, and the authentication center returns the message grouping scheme and the encrypted public key to the message sending terminal and also returns the encrypted serial number so that the message receiving terminal sends the encrypted serial number and the encrypted message to the authentication center together, and the message is a message to be sent by the sending terminal; the authentication center actively inquires the identification of the message sending terminal;

authenticating the identity of the message receiving terminal;

transmitting the decrypted message content to a message receiving terminal;

before receiving the encrypted message and the encrypted serial number from the message receiving terminal, the method further comprises the following steps: receiving a message to be encrypted from a message transmitting terminal;

authenticating the identity of the message sending terminal;

if the authentication is passed, generating a message grouping scheme, an encryption key corresponding to each group, and an encryption serial number; encrypting the message to be encrypted according to the generated message grouping scheme and the encryption key corresponding to each group to obtain an encrypted message; transmitting the encrypted message and the encrypted serial number to the message transmitting terminal,

wherein the authenticating the identity of the message receiving end comprises:

obtaining message reception in a specific field in a message exchanged between a message receiving terminal and an authentication center

A terminal identification;

12. An asymmetric white-box cryptographic apparatus comprising a processor, a memory and a display; the method is characterized in that:

the memory includes instructions executable by the processor to cause the processor to perform: sending a message grouping scheme and an encryption public key request to an authentication center;

if the authentication center passes the identity authentication of the message sending terminal, receiving a message grouping scheme from the authentication center, an encrypted public key corresponding to each group and an encrypted serial number;

the authentication center actively inquires the identification of the message sending terminal;