CN107948152B - Information storage method, information acquisition method, information storage device, information acquisition device and information acquisition equipment


Info

Publication number: CN107948152B
Authority: CN (China)
Prior art keywords: salt, information, user, user identity, identity information
Legal status: Active
Application number: CN201711179733.6A
Other languages: Chinese (zh)
Other versions: CN107948152A (en)
Inventors: 赵子云, 于涛, 崔精兵, 屈亚鑫, 毕磊, 张洁烽, 王炳堪, 张友旭, 任光辉, 郭长宇, 郭晓龙, 姜澎, 吴彬, 苏蒙, 王俊豪, 申金娟, 张森炜
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd under CN201711179733.6A; published as CN107948152A, granted and published as CN107948152B.

Classifications

    • H04L63/0435: Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload, and wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • G06F21/6209: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data; protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H04L9/0643: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0861: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using cryptographic hash functions

Abstract

The embodiment of the invention discloses an information storage method, an information acquisition method, an information storage device, an information acquisition device and information storage equipment. The method comprises the following steps: acquiring user identity information of a user in a second application, which is generated by a first application; performing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, and performing at least one round of encryption on the user identity information by adopting a second salt group to obtain a secret key, wherein each of the first salt group and the second salt group comprises at least one salt; encrypting information to be stored by adopting a secret key to obtain encrypted information; and correspondingly storing the user identification and the encryption information into an information database of the second application. According to the embodiment of the invention, the user identity information is taken as the basic character string, the salt adding encryption algorithm is adopted to generate the user identification and the secret key, the secret key is adopted to encrypt the information, and then the user identification and the encrypted information are correspondingly stored.

Description

Information storage method, information acquisition method, information storage device, information acquisition device and information acquisition equipment
Technical Field
The embodiment of the invention relates to the technical field of information storage, in particular to an information storage method, an information acquisition device and information storage equipment.
Background
How to store and manage sensitive information so that its security and the privacy of users are better protected has long been a concern for large companies and enterprises. A user's sensitive information may include name, gender, date of birth, certificate number, contact number, and so on.
To improve the security of sensitive information, it must undergo security processing such as encryption before it is stored. The related art provides an encrypted storage scheme based on a hash algorithm. Taking the sensitive information of a target user as an example: a hash is computed over that information to obtain the encrypted information, and the target user's user account is then stored in a sensitive information database together with the encrypted information. The user account is an account registered by the target user when signing up for a network service, and it uniquely identifies the target user.
However, sensitive information protected only by a hash can be recovered by an attacker using rainbow-table techniques, so its security is low. In addition, because the plaintext user account is the lookup key, anyone who knows a user's account can locate that user's sensitive information directly.
Disclosure of Invention
The embodiments of the invention provide an information storage method, an information acquisition method, corresponding devices and computer equipment, which address the weaknesses of the related-art storage scheme: its records are easy to locate and easy to crack, so its security is low. The technical scheme is as follows:
in a first aspect, an information storage method is provided, and the method includes:
acquiring user identity information of a user in a second application, which is generated by a first application;
performing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, wherein the first salt group comprises at least one salt;
performing at least one round of encryption on the user identity information by adopting a second salt group to obtain a secret key, wherein the second salt group comprises at least one salt;
encrypting information to be stored by adopting the key to obtain encrypted information;
and correspondingly storing the user identification and the encryption information into an information database of the second application.
In a second aspect, an information acquisition method is provided, and the method includes:
acquiring user identity information of a user in a second application, which is generated by a first application;
performing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, wherein the first salt group comprises at least one salt;
performing at least one round of encryption on the user identity information by adopting a second salt group to obtain a secret key, wherein the second salt group comprises at least one salt;
acquiring encryption information stored corresponding to the user identification from an information database of the second application;
and decrypting the encrypted information by adopting the key to obtain plaintext information.
In a third aspect, there is provided an information storage apparatus, the apparatus comprising:
the information acquisition module is used for acquiring the user identity information of the user in the second application, which is generated by the first application;
the first encryption module is used for executing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, wherein the first salt group comprises at least one salt;
a second encryption module, configured to perform at least one round of encryption on the user identity information by using a second salt group to obtain a secret key, where the second salt group includes at least one salt;
the third encryption module is used for encrypting the information to be stored by adopting the secret key to obtain encrypted information;
and the information storage module is used for correspondingly storing the user identification and the encrypted information into an information database of the second application.
In a fourth aspect, an information acquisition apparatus is provided, the apparatus including:
the information acquisition module is used for acquiring the user identity information of the user in the second application, which is generated by the first application;
the first encryption module is used for executing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, wherein the first salt group comprises at least one salt;
a second encryption module, configured to perform at least one round of encryption on the user identity information by using a second salt group to obtain a secret key, where the second salt group includes at least one salt;
the information acquisition module is used for acquiring the encrypted information stored corresponding to the user identification from the information database of the second application;
and the information decryption module is used for decrypting the encrypted information by adopting the secret key to obtain plaintext information.
In a fifth aspect, there is provided a computer device comprising a processor and a memory having stored therein at least one instruction, at least one program, set of codes, or set of instructions that, when executed by the processor, implement a method according to the first or second aspect.
In a sixth aspect, there is provided a computer readable storage medium having stored therein at least one instruction, at least one program, set of codes, or set of instructions which, when executed, implement a method according to the first or second aspect.
In a seventh aspect, there is provided a computer program product for performing the method of the first or second aspect when the computer program product is executed.
The technical scheme provided by the embodiment of the invention can bring the following beneficial effects:
the user identity information serves as the base string: a salted encryption algorithm is applied to it to obtain a user identifier and a secret key, the key is used to encrypt the information to be stored, and the user identifier and the resulting encrypted information are stored together. On one hand, the encrypted information is produced by encryption with a key that was itself derived by the salted algorithm, so compared with storing the information directly under a plain hash, the encrypted information is harder to crack and security is improved. On the other hand, the user identifier is likewise produced by the salted algorithm rather than being the plaintext user account, so someone who wants the information stored for a particular user cannot find it from that user's account alone; the record can only be located by regenerating the exact user identifier, which further raises the cracking difficulty and further improves security.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic illustration of an implementation environment provided by one embodiment of the invention;
FIG. 2 is a flow chart of a method for storing information provided by an embodiment of the invention;
FIG. 3 is a flow chart of a method for storing information provided by another embodiment of the present invention;
FIG. 4 is a schematic diagram of an information storage process to which embodiments of the present invention relate;
FIG. 5 is a schematic diagram of four elements involved in an information storage process provided by an embodiment of the invention;
FIG. 6 is a flow chart of an information acquisition method provided by an embodiment of the invention;
FIG. 7 is a flowchart of an information acquisition method according to another embodiment of the present invention;
FIG. 8 is a schematic diagram of an information acquisition process according to an embodiment of the present invention;
FIG. 9 is a block diagram of an information storage device provided by one embodiment of the present invention;
FIG. 10 is a block diagram of an information acquisition apparatus provided by an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
In the method provided by the embodiment of the present invention, the execution subject of each step may be any electronic device with a data access function, such as a server, a terminal device, a cloud device, a data center device, and the like. In one example, when the execution subject is a server, the server may be a background server of a network service provider for performing secure encrypted storage management on information of a user. The network service provider may be any application such as a social-type application, an instant messaging application, a payment-type application, a web-shopping application, a game application, and the like.
In one example, as shown in FIG. 1, one implementation environment to which embodiments of the invention may relate may include: a terminal 110 and a server 120.
The terminal 110 may be an electronic device such as a mobile phone, a tablet computer, a personal computer, and the like.
The server 120 may be a server, a server cluster composed of a plurality of servers, or a cloud computing service center. The server 120 may be a background server of the network service provider, and accordingly, an application client running the network service provider may be installed in the terminal 110, and the user accesses information in the background server through the application client.
The implementation environment shown in FIG. 1 is only exemplary and explanatory. The information may be stored in the server 120; instead of or in addition to the server 120, it may be stored in the terminal 110, synchronously in both the terminal 110 and the server 120, or in other devices (such as a cloud device or a data center device) that have a communication connection with the server 120; this is not limited in the embodiments of the present invention. As technology develops and new service scenarios appear, the way information is stored may change, but the technical scheme provided by the embodiments of the invention remains applicable to similar problems in those new scenarios.
In the embodiment of the present invention, the specific content of the accessed information is not limited, and may be, for example, sensitive information such as the name, sex, date of birth, certificate number, contact phone number, family member, payroll record, resume, communication record, photo album, etc. of the user, or any other information that needs to be encrypted for storage, such as files, data, etc.
Referring to fig. 2, a flowchart of an information storage method according to an embodiment of the present invention is shown. The method may include the steps of:
step 201, user identity information of a user in a second application generated by a first application is acquired.
The first application and the second application are two different application programs, for example, the first application is an instant messaging application, and the second application is an online shopping application. In the embodiment of the invention, the second application is used for carrying out safe encrypted storage management on the information of the user.
The user identity information is information that uniquely identifies the user within the second application; different users have different user identity information. It may be, for example, a user account or another unique identifier. In the embodiment of the invention, the user identity information of the user in the second application is generated by the first application. Optionally, the second application does not store the user identity information at all: each time it needs that information, it calls the first application, which supplies it.
Illustratively, a client of the second application provides a two-dimensional code for a user, invokes the first application by scanning and recognizing the two-dimensional code to generate user identity information of the user in the second application according to a user account of the user in the second application, and provides the user identity information to the second application. After the second application acquires the user identity information, the information to be stored can be stored based on the user identity information by adopting the method steps provided below, and after the storage process is completed, the user identity information does not need to be stored in the background of the second application. When the information needs to be stored again or acquired, the above process is repeated.
Step 202, performing at least one round of encryption on the user identity information by using the first salt group to obtain a user identifier.
In the embodiment of the invention, the user identity information is encrypted with a salted encryption method to obtain the user identifier. Salted encryption concatenates the information to be encrypted with a character string used as the salt, and then hashes the concatenated string to obtain the encryption result. The salt is typically an n-bit random number, also called a cryptographic salt, where n is a positive integer. The first salt group includes at least one salt, and each salt can be randomly generated.
The user identification is also called user id (identity) and is the unique identification information of the user in the information database. For different users, because the user identity information is different, the user identifiers obtained by encryption are also different, that is, different users have different user identifiers in the information database. The information database is a database for storing information of users, and the information is usually encrypted and then stored, so that the security of the information is improved. And correspondingly storing the user identification and the encrypted information in an information database.
In one example, the first salt group includes a salts, a being a positive integer. The above step 202 may include the following sub-steps:
1. Concatenate the (i-1)th round encryption result with the ith salt in the first salt group and hash the concatenated string once to obtain the ith round encryption result, where i starts at 1 and the 0th round encryption result (used when i = 1) is the user identity information;
2. While i is smaller than a, set i = i + 1 and repeat from sub-step 1; when i equals a, stop and take the ith round encryption result as the user identifier.
For example, suppose a is 3, i.e. the first salt group contains 3 salts denoted salt1, salt2 and salt3, the user identity information is denoted A and the user identifier is denoted User ID. The User ID is generated as follows: (1) hash A + salt1 once to obtain B; (2) hash B + salt2 once to obtain C; (3) hash C + salt3 once to obtain the User ID. Here + denotes the concatenation of two character strings.
The above algorithm for generating the user identifier may be referred to as the PBKDF2 (Password-Based Key Derivation Function 2) algorithm. The number a of salts in the first salt group can be preset according to the required complexity: the higher the requirement, the larger a is chosen, and the harder the user identifier is to crack. When an encryption result is concatenated with a salt, the salt may follow the result (the last character of the result is joined to the first character of the salt), the result may follow the salt (the last character of the salt is joined to the first character of the result), or the two may be combined in some other way. The hash algorithm may be SHA-256, SHA-1, MD5 (Message Digest Algorithm 5) or another algorithm; this embodiment of the present invention does not limit it.
And step 203, performing at least one round of encryption on the user identity information by adopting the second group of salts to obtain a secret key.
In step 202, the user identifier is generated based on the user identity information, and in the embodiment of the present invention, the key is also generated based on the user identity information. The key is used to encrypt the information to be stored. In the embodiment of the invention, a symmetric encryption algorithm is adopted to encrypt the information, namely, the encryption key and the decryption key are the same.
Similarly, in the embodiment of the present invention, the user identity information is encrypted by using a salt encryption method to obtain a secret key. The second salt group includes at least one salt, each of which may be randomly generated. Because the salts in both the first and second salt groups are randomly generated strings, the salts in the first and second salt groups will generally not be identical. In addition, the number of salts included in the first salt group may be the same as or different from the number of salts included in the second salt group, and this is not limited in the embodiment of the present invention.
In one example, the second salt group includes b salts, b being a positive integer. The step 203 may include the following sub-steps:
1. Concatenate the (j-1)th round encryption result with the jth salt in the second salt group and hash the concatenated string once to obtain the jth round encryption result, where j starts at 1 and the 0th round encryption result (used when j = 1) is the user identity information;
2. While j is smaller than b, set j = j + 1 and repeat from sub-step 1; when j equals b, stop and take the jth round encryption result as the key.
For example, suppose b is 4, i.e. the second salt group contains 4 salts denoted salt4, salt5, salt6 and salt7, the user identity information is denoted A and the key is denoted secret key. The secret key is generated as follows: (1) hash A + salt4 once to obtain D; (2) hash D + salt5 once to obtain E; (3) hash E + salt6 once to obtain F; (4) hash F + salt7 once to obtain the secret key. Here + denotes the concatenation of two character strings.
The above algorithm for generating the key may be referred to as the PBKDF2 algorithm. The number b of salts in the second salt group can be preset according to the required complexity: the higher the requirement, the larger b is chosen, and the harder the key is to crack. When an encryption result is concatenated with a salt, the salt may follow the result (the last character of the result is joined to the first character of the salt), the result may follow the salt (the last character of the salt is joined to the first character of the result), or the two may be combined in some other way. The hash algorithm may be SHA-256, SHA-1, MD5 or another algorithm; this embodiment of the present invention does not limit it.
In addition, in the embodiment of the present invention, the execution sequence of the above step 202 and step 203 is not limited, and the step 203 may be executed after the step 202, before the step 202, or simultaneously with the step 202.
And step 204, encrypting the information to be stored by adopting the key to obtain encrypted information.
When the information of any user needs to be stored, the user identification and the key of the user are respectively generated based on the user identity information of the user, and then the generated key is adopted to encrypt the information of the user to obtain encrypted information.
In the embodiment of the present invention, the symmetric encryption algorithm used for encryption is not limited; examples include DES (Data Encryption Standard), 3DES, Blowfish, RC5 and IDEA (International Data Encryption Algorithm).
And step 205, correspondingly storing the user identification and the encrypted information into an information database of the second application.
Optionally, the encrypted information is stored in a database, which may be referred to as an information database, and the user identifier and the encrypted information are stored in it as corresponding entries. In the information database, the user identifier is used as the primary key of the encrypted information so as to distinguish the encrypted information of different users. Illustratively, the data stored in the information database is as shown in the following Table-1:

TABLE-1

    User identifier                  Encrypted information
    User identifier of user 1        Encrypted information of user 1
    User identifier of user 2        Encrypted information of user 2
    User identifier of user 3        Encrypted information of user 3
In summary, in the information storage method provided by this embodiment of the present invention, the user identity information serves as the base string: a salted encryption algorithm is applied to it to obtain a user identifier and a key, the key is used to encrypt the information to be stored, and the user identifier and the resulting encrypted information are stored together. On one hand, the encrypted information is produced by encryption with a key that was itself derived by the salted algorithm, so compared with storing the information directly under a plain hash, the encrypted information is harder to crack and security is improved. On the other hand, the user identifier is likewise produced by the salted algorithm rather than being the plaintext user account, so someone who wants the information stored for a particular user cannot find it from that user's account alone; the record can only be located by regenerating the exact user identifier, which further raises the cracking difficulty and further improves security.
In addition, the initial content of the whole information encryption storage process is user identity information, the user identity information is generated by the first application, when the second application needs to store the user information, the user identity information is acquired through the first application at first, and the user identity information is not stored by the second application, so even if the information database of the second application is stolen, a hacker cannot acquire the user identity information, and the encrypted information in the information database cannot be successfully decrypted.
Referring to fig. 3, a flowchart of an information storage method according to another embodiment of the invention is shown. The method may include the steps of:
step 301, obtaining user identity information of a user in a second application generated by a first application.
Step 301 is the same as step 201 in the embodiment of fig. 2, and refer to the description in the embodiment of fig. 2, which is not repeated herein.
Step 302, performing at least one hash calculation on the user identity information to obtain a character string as a salt identifier.
The salt identifier, also called the salt ID, is the information that uniquely identifies the user in the salt database. Because different users have different user identity information, the salt identifiers obtained by the hash calculation are also different, that is, different users have different salt identifiers in the salt database. The salt database is a database for storing the salts (i.e., the first salt group and second salt group mentioned above) used when the user's information is stored in encrypted form; the salt identifier and the salts are stored in the salt database in correspondence with each other.
In one possible implementation, one hash calculation is performed on the user identity information, and the resulting character string is used as the salt identifier.
In another possible implementation, a first hash calculation is performed on the user identity information to obtain a character string used as a salt; the user identity information and this salt are spliced, and a second hash calculation is performed on the spliced character string to obtain the character string used as the salt identifier. When splicing the user identity information and the salt, the salt may be spliced after the user identity information, i.e., the last character of the user identity information is followed by the first character of the salt; the user identity information may be spliced after the salt, i.e., the last character of the salt is followed by the first character of the user identity information; or the two may be combined in another manner. The algorithm used for the hash calculation may be SHA256, SHA1, MD5, or the like, which is not limited in the embodiment of the present invention. Compared with the first implementation, the salt identifier generated by this implementation is harder to crack.
Step 303, generate a first salt group and a second salt group.
Each salt in the first and second salt groups is randomly generated, i.e., each salt is a randomly generated string. The first salt group includes at least one salt and the second salt group includes at least one salt.
Optionally, in order to improve the difficulty in cracking the user identifier and the key and further improve the difficulty in cracking the encrypted information, the first salt group includes at least two salts, and/or the second salt group includes at least two salts.
Optionally, when the first salt group includes at least two salts, the at least two salts may be arranged in order as a list, and in the subsequent process of performing at least one round of encryption on the user identity information with the first salt group to obtain the user identifier, the salts are taken for encryption one by one in the order of the list. For example, assuming that the list corresponding to the first salt group includes a salts, the process of encrypting the user identity information with the first salt group to obtain the user identifier is as follows:
1. splicing the (i-1)-th round encryption result with the i-th salt in the list corresponding to the first salt group, and performing a hash calculation on the spliced character string to obtain the i-th round encryption result, where the initial value of i is 1, and when i is 1, the (i-1)-th round encryption result (namely the 0-th round encryption result) is the user identity information;
2. when i is smaller than a, setting i to i+1 and executing again from step 1; when i is equal to a, ending the process and determining the i-th round encryption result as the user identifier.
Similarly, when the second salt group includes at least two salts, the at least two salts may be arranged in order as a list, and in the subsequent process of performing at least one round of encryption on the user identity information with the second salt group to obtain the key, the salts are taken for encryption one by one in the order of the list. For example, assuming that the list corresponding to the second salt group includes b salts, the process of encrypting the user identity information with the second salt group to obtain the key is as follows:
1. splicing the (j-1)-th round encryption result with the j-th salt in the list corresponding to the second salt group, and performing a hash calculation on the spliced character string to obtain the j-th round encryption result, where the initial value of j is 1, and when j is 1, the (j-1)-th round encryption result (namely the 0-th round encryption result) is the user identity information;
2. when j is smaller than b, setting j to j+1 and executing again from step 1; when j is equal to b, ending the process and determining the j-th round encryption result as the key.
In addition, in the embodiment of the present invention, the execution order of the above steps 301 and 303 is not limited, and the step 303 may be executed after the step 301, before the step 301, or simultaneously with the step 301.
Step 304, storing the salt identifier in correspondence with the first salt group and the second salt group.
Optionally, the salt groups are stored in a database, which may be referred to as a salt database, and the salt identifier, the first salt group and the second salt group are stored in the salt database in correspondence with each other. In the salt database, the salt identifier serves as the primary key of the salts, so that the salts of different users can be distinguished. Illustratively, the data stored in the salt database is shown in Table-2 below:
[Table-2: the original table image is not reproduced; each row maps a user's salt identifier (primary key) to that user's first salt group and second salt group.]
TABLE-2
Step 305, performing at least one round of encryption on the user identity information with the first salt group to obtain the user identifier.
Step 306, performing at least one round of encryption on the user identity information with the second salt group to obtain the key.
Step 307, encrypting the information to be stored with the key to obtain the encrypted information.
Step 308, storing the user identifier and the encrypted information in correspondence with each other in the information database of the second application.
Steps 305-308 are the same as steps 202-205 in the embodiment of fig. 2; refer to the description of the embodiment of fig. 2, which is not repeated here.
Referring to fig. 4, a schematic diagram of an information storage process according to an embodiment of the present invention is shown. The process mainly comprises the following 4 parts:
1. Generating the salt identifier and storing it in correspondence with the salts
One hash calculation is performed on the user identity information to obtain a character string used as a salt; the user identity information and the salt are spliced, and a hash calculation is performed on the spliced character string to obtain a character string used as the salt identifier. The salt identifier is stored in the salt database as the primary key of the salts, and a first salt group and a second salt group corresponding to the salt identifier are generated, where the salts in the first salt group and the second salt group are randomly generated. Part 1 corresponds to steps 301-304 in the embodiment of fig. 3.
2. Generating the user identifier
The user identity information is encrypted with the first salt group using the PBKDF2 algorithm to obtain the user identifier, and the user identifier is stored in the information database as the primary key of the user's information. Part 2 corresponds to step 305 in the embodiment of fig. 3.
3. Generating the key
The user identity information is encrypted with the second salt group using the PBKDF2 algorithm to obtain the key. Part 3 corresponds to step 306 in the embodiment of fig. 3.
4. Encrypted storage
When there is information of the user to be stored, the information to be stored is encrypted with the key to obtain the encrypted information, and the encrypted information is then stored in the information database in correspondence with the user identifier. Part 4 corresponds to steps 307-308 in the embodiment of fig. 3.
As shown in fig. 5, in the embodiment of the present invention, the following 4 parts are involved in the information storage process: user identity information 51, salt database 52, information database 53, and encryption logic code 54. The encryption logic code implements the method steps of the embodiments of fig. 2 and fig. 3 described above. The 4 parts are stored independently of one another; to crack the encrypted information, an attacker would need to obtain all 4 parts at once, which greatly increases the cracking difficulty.
In summary, in the information storage method provided in the embodiment of the present invention, the user identity information is used as the basic character string and is encrypted with a salted encryption algorithm to obtain the user identifier and the key; the key is used to encrypt the information to be stored to obtain the encrypted information; and the user identifier and the encrypted information are then stored in correspondence with each other. On one hand, the encrypted information is obtained by encryption with the key, and the key is generated by a salted encryption algorithm, so that compared with directly hashing the information to be stored and storing the hash, the encrypted information is harder to crack and security is improved. On the other hand, the user identifier is also generated by a salted encryption algorithm rather than being a plaintext user account, so that whoever wants to obtain the information stored for a certain user cannot locate the corresponding information directly from that user's account and can find it only by generating the exact user identifier, which further increases the cracking difficulty and further improves security.
Referring to fig. 6, a flowchart of an information obtaining method according to an embodiment of the present invention is shown. The method may include the steps of:
step 601, obtaining user identity information of a user in a second application generated by a first application.
The first application and the second application are two different application programs, for example, the first application is an instant messaging application, and the second application is an online shopping application. In the embodiment of the invention, the second application is used for carrying out safe encrypted storage management on the information of the user.
The user identity information refers to information capable of uniquely identifying the identity of the user in the second application, and different users have different user identity information, for example, the user identity information may be a user account or other unique identifier. In the embodiment of the invention, the user identity information of the user in the second application is generated by the first application. Optionally, the second application does not store the user identity information, and it calls the first application to provide the user identity information to it each time it needs to obtain the user identity information.
Illustratively, the client of the second application presents a two-dimensional code to the user; scanning and recognizing the two-dimensional code invokes the first application, which generates the user identity information of the user in the second application from the user's account in the second application and provides it to the second application. After the second application obtains the user identity information, it can decrypt and obtain the user's stored information based on that identity information using the method steps provided below, and after the obtaining process is complete, the user identity information does not need to be kept in the backend of the second application. When information needs to be obtained or stored again, the above process is repeated.
Step 602, performing at least one round of encryption on the user identity information by using the first salt group to obtain a user identifier.
In the embodiment of the present invention, the user identity information is encrypted by a salted encryption method to obtain the user identifier. The salted encryption method splices the information to be encrypted with a character string serving as the salt, and then performs a hash calculation on the spliced character string to obtain the encryption result. The salt is typically an n-bit random number, also called a cryptographic salt, where n is a positive integer. The first salt group includes at least one salt, and each salt may be randomly generated.
The user identification, also called user ID, is the unique identification information of the user in the information database. For different users, because the user identity information is different, the user identifiers obtained by encryption are also different, that is, different users have different user identifiers in the information database. The information database is a database for storing information of users, and the information is usually encrypted and then stored, so that the security of the information is improved. And correspondingly storing the user identification and the encrypted information in an information database.
In one example, the first salt group includes a salts, a being a positive integer. The above step 602 may include the following sub-steps:
1. splicing the (i-1)-th round encryption result with the i-th salt in the first salt group, and performing one hash calculation on the spliced character string to obtain the i-th round encryption result, where the initial value of i is 1, and when i is equal to 1, the (i-1)-th round encryption result (namely, the 0-th round encryption result) is the user identity information;
2. when i is smaller than a, setting i to i+1 and executing again from step 1; when i is equal to a, ending the process and determining the i-th round encryption result as the user identifier.
Exemplarily, assuming that a is 3, that is, the first salt group includes 3 salts, denoted salt1, salt2 and salt3, and assuming that the user identity information is denoted A and the user identifier is denoted User ID, the process of generating the User ID is as follows: (1) perform one hash calculation on A + salt1 to obtain B; (2) perform one hash calculation on B + salt2 to obtain C; (3) perform one hash calculation on C + salt3 to obtain the User ID. Here + denotes splicing two character strings.
The above algorithm for generating the user identification may be referred to as the PBKDF2 algorithm. The quantity a of the salt in the first salt group can be preset according to the requirement on complexity, and if the complexity requirement is high, the value of a is larger, and the difficulty in cracking the user identification is larger. Splicing the encrypted result with salt, wherein salt can be spliced behind the encrypted result, namely the last character of the encrypted result is spliced with the first character of the salt; the encrypted result can also be spliced behind the salt, i.e. the last character of the salt is spliced with the first character of the encrypted result; or splicing the two by adopting other combination modes. The algorithm used for the hash calculation may be an SHA256 algorithm, an SHA1 algorithm, an MD5 algorithm, and the like, which is not limited in the embodiment of the present invention.
Step 603, performing at least one round of encryption on the user identity information by using the second group of salts to obtain a secret key.
In step 602, the user identifier is generated based on the user identity information, and in the embodiment of the present invention, the key is also generated based on the user identity information. In the embodiment of the invention, a symmetric encryption algorithm is adopted to encrypt the information to be stored, namely, the encryption key and the decryption key are the same. Therefore, the key is used for encrypting the information to be stored and decrypting the encrypted information to obtain plaintext information.
Similarly, in the embodiment of the present invention, the user identity information is encrypted by using a salt encryption method to obtain a secret key. The second salt group includes at least one salt, each of which may be randomly generated. Because the salts in both the first and second salt groups are randomly generated strings, the salts in the first and second salt groups will generally not be identical. In addition, the number of salts included in the first salt group may be the same as or different from the number of salts included in the second salt group, and this is not limited in the embodiment of the present invention.
In one example, the second salt group includes b salts, b being a positive integer. The step 603 may include the following sub-steps:
1. splicing the (j-1)-th round encryption result with the j-th salt in the second salt group, and performing a hash calculation on the spliced character string to obtain the j-th round encryption result, where the initial value of j is 1, and when j is 1, the (j-1)-th round encryption result (namely, the 0-th round encryption result) is the user identity information;
2. when j is smaller than b, setting j to j+1 and executing again from step 1; when j is equal to b, ending the process and determining the j-th round encryption result as the key.
Exemplarily, assuming that b is 4, that is, the second salt group includes 4 salts, denoted salt4, salt5, salt6 and salt7, and assuming that the user identity information is denoted A and the key is denoted secret key, the process of generating the secret key is as follows: (1) perform one hash calculation on A + salt4 to obtain D; (2) perform one hash calculation on D + salt5 to obtain E; (3) perform one hash calculation on E + salt6 to obtain F; (4) perform one hash calculation on F + salt7 to obtain the secret key. Here + denotes splicing two character strings.
The above algorithm for generating the key may be referred to as the PBKDF2 algorithm. The amount b of the salt in the second salt group can be preset according to the requirement on complexity, and if the complexity requirement is high, the larger the value of b is, the larger the difficulty of cracking the key is. Splicing the encrypted result with salt, wherein salt can be spliced behind the encrypted result, namely the last character of the encrypted result is spliced with the first character of the salt; the encrypted result can also be spliced behind the salt, i.e. the last character of the salt is spliced with the first character of the encrypted result; or splicing the two by adopting other combination modes. The algorithm used for the hash calculation may be an SHA256 algorithm, an SHA1 algorithm, an MD5 algorithm, and the like, which is not limited in the embodiment of the present invention.
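The multi-round salted derivation described for step 303 of fig. 3 and for the sub-steps of steps 602 and 603 above, as an added worked example in Python that is not part of the patent and not Tencent code. It uses SHA-256 as the hash (the patent also allows SHA-1 and MD5, which a practitioner should avoid in new designs); the identity string A and the seven fixed salt values are constructed here so the a = 3 and b = 4 examples are reproducible, whereas a real system draws every salt from a cryptographically secure random source. One caveat: although the patent refers to this construction as the PBKDF2 algorithm, the round structure it describes (a distinct salt spliced in at each round) is not the HMAC-based iteration of standard PBKDF2 (RFC 8018, hashlib.pbkdf2_hmac), so the two are not interchangeable and a deployment must pick one and keep it fixed.

```python
import hashlib
from typing import Sequence


def hash_once(data: bytes) -> bytes:
    """One hash calculation; SHA-256 is one of the algorithms the patent lists."""
    return hashlib.sha256(data).digest()


def splice(prev: bytes, salt: bytes, salt_first: bool = False) -> bytes:
    """Splice the previous round result with a salt.

    The patent allows either order: salt after the result (default) or
    result after the salt. The choice must be fixed per deployment, because
    changing it changes every derived identifier and key.
    """
    return salt + prev if salt_first else prev + salt


def chained_salted_hash(base: bytes, salts: Sequence[bytes], salt_first: bool = False) -> bytes:
    """result_0 = base; result_i = H(splice(result_{i-1}, salt_i)) for i = 1..len(salts).

    One salt per round, taken in list order, so the number of rounds equals
    the number of salts (a for the user identifier, b for the key).
    """
    result = base
    for salt in salts:
        result = hash_once(splice(result, salt, salt_first))
    return result


def derive_user_id(identity: bytes, first_salt_group: Sequence[bytes]) -> bytes:
    """Step 602 / step 305: at least one round with the first salt group."""
    return chained_salted_hash(identity, first_salt_group)


def derive_key(identity: bytes, second_salt_group: Sequence[bytes]) -> bytes:
    """Step 603 / step 306: at least one round with the second salt group."""
    return chained_salted_hash(identity, second_salt_group)


# Constructed sample values (hypothetical, not from the patent). Fixed salts are
# used only so the worked steps below are reproducible; a real system draws each
# salt from secrets.token_bytes().
A = b"identity-generated-by-first-app"
SALT1, SALT2, SALT3 = b"salt1", b"salt2", b"salt3"
SALT4, SALT5, SALT6, SALT7 = b"salt4", b"salt5", b"salt6", b"salt7"
FIRST_SALT_GROUP = [SALT1, SALT2, SALT3]          # a = 3
SECOND_SALT_GROUP = [SALT4, SALT5, SALT6, SALT7]  # b = 4


def worked_user_id() -> bytes:
    """The a = 3 example written out: A+salt1 -> B, B+salt2 -> C, C+salt3 -> User ID."""
    B = hash_once(A + SALT1)
    C = hash_once(B + SALT2)
    return hash_once(C + SALT3)


def worked_key() -> bytes:
    """The b = 4 example written out: A+salt4 -> D, D+salt5 -> E, E+salt6 -> F, F+salt7 -> key."""
    D = hash_once(A + SALT4)
    E = hash_once(D + SALT5)
    F = hash_once(E + SALT6)
    return hash_once(F + SALT7)


if __name__ == "__main__":
    print("User ID   :", derive_user_id(A, FIRST_SALT_GROUP).hex())
    print("secret key:", derive_key(A, SECOND_SALT_GROUP).hex())
```

The loop form and the written-out form produce identical bytes, the user identifier and key differ because their salt groups differ, and reordering the salts within a group changes the result, which is why the patent insists on a fixed list order.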
In addition, in the embodiment of the present invention, the execution order of the above step 602 and step 603 is not limited, and the step 603 may be executed after the step 602, before the step 602, or simultaneously with the step 602.
Step 604, obtaining the encrypted information stored corresponding to the user identifier from the information database of the second application.
When the information of any user needs to be obtained, the user identifier and the key of that user are generated separately from the user's identity information; the user identifier is then used as the primary key to obtain, from the information database, the encrypted information stored in correspondence with it, and the encrypted information thus obtained is the encrypted information of that user.
Step 605, decrypting the encrypted information by using the key to obtain plaintext information.
After the encrypted information is obtained, the encrypted information is decrypted by using a key by using a decryption algorithm corresponding to the encryption algorithm used when the encrypted information is generated by encryption, so that plaintext information is obtained.
In summary, in the information obtaining method provided in the embodiment of the present invention, the user identity information is used as the basic character string and is encrypted with a salted encryption algorithm to obtain the user identifier and the key; the user identifier is used to obtain the corresponding encrypted information; and the key is then used to decrypt the encrypted information to obtain the plaintext information. On one hand, the plaintext information can only be recovered by decrypting with the key, and the key is generated by a salted encryption algorithm, so that compared with directly hashing the information and storing the hash, the encrypted information in the embodiment of the present invention is harder to decrypt and security is improved. On the other hand, the user identifier is also generated by a salted encryption algorithm rather than being a plaintext user account, so that whoever wants to obtain the information stored for a certain user cannot locate the corresponding information directly from that user's account and can find it only by generating the exact user identifier, which further increases the cracking difficulty and further improves security.
Referring to fig. 7, a flowchart of an information obtaining method according to another embodiment of the invention is shown. The method may include the steps of:
step 701, obtaining user identity information of a user in a second application generated by a first application.
Step 701 is the same as step 601 in the embodiment of fig. 6, and refer to the description in the embodiment of fig. 6, which is not repeated herein.
Step 702, performing at least one hash calculation on the user identity information to obtain a character string as a salt identifier.
The salt identifier, also called the salt ID, is the information that uniquely identifies the user in the salt database. Because different users have different user identity information, the salt identifiers obtained by the hash calculation are also different, that is, different users have different salt identifiers in the salt database. The salt database is a database for storing the salts (i.e., the first salt group and second salt group mentioned above) used when the user's information is stored in encrypted form; the salt identifier and the salts are stored in the salt database in correspondence with each other.
In one possible implementation, one hash calculation is performed on the user identity information, and the resulting character string is used as the salt identifier.
In another possible implementation, a first hash calculation is performed on the user identity information to obtain a character string used as a salt; the user identity information and this salt are spliced, and a second hash calculation is performed on the spliced character string to obtain the character string used as the salt identifier. When splicing the user identity information and the salt, the salt may be spliced after the user identity information, i.e., the last character of the user identity information is followed by the first character of the salt; the user identity information may be spliced after the salt, i.e., the last character of the salt is followed by the first character of the user identity information; or the two may be combined in another manner. The algorithm used for the hash calculation may be SHA256, SHA1, MD5, or the like, which is not limited in the embodiment of the present invention. Compared with the first implementation, the salt identifier generated by this implementation is harder to crack.
Step 703, obtaining a first salt group and a second salt group stored corresponding to the salt identifier.
Each salt in the first and second salt groups is randomly generated, i.e., each salt is a randomly generated string. The first salt group includes at least one salt and the second salt group includes at least one salt.
When the salts of any user need to be obtained, the salt identifier of that user is used as the primary key to obtain, from the salt database, the first salt group and the second salt group stored in correspondence with it. The first salt group and second salt group thus obtained are the salts that were used to generate the user identifier and the key of that user, and in the subsequent decryption process the user identifier and the key of the user are regenerated with them.
Step 704, performing at least one round of encryption on the user identity information with the first salt group to obtain the user identifier.
Step 705, performing at least one round of encryption on the user identity information with the second salt group to obtain the key.
Step 706, obtaining the encrypted information stored in correspondence with the user identifier from the information database of the second application.
Step 707, decrypting the encrypted information with the key to obtain the plaintext information.
Steps 704-707 are the same as steps 602-605 in the embodiment of fig. 6; refer to the description of the embodiment of fig. 6, which is not repeated here.
Referring to fig. 8, a schematic diagram of an information acquisition process according to an embodiment of the present invention is shown. The process mainly comprises the following 4 parts:
1. Generating the salt identifier and querying the salt database for the corresponding salts
One hash calculation is performed on the user identity information to obtain a character string used as a salt; the user identity information and the salt are spliced, and a hash calculation is performed on the spliced character string to obtain a character string used as the salt identifier. The salt identifier is used as the primary key to obtain the first salt group and the second salt group corresponding to it from the salt database. Part 1 corresponds to steps 701-703 in the embodiment of fig. 7.
2. Generating the user identifier
The user identity information is encrypted with the first salt group using the PBKDF2 algorithm to obtain the user identifier, and the user identifier is used as the primary key to obtain the encrypted information corresponding to it from the information database. Part 2 corresponds to step 704 in the embodiment of fig. 7.
3. Generating the key
The user identity information is encrypted with the second salt group using the PBKDF2 algorithm to obtain the key. Part 3 corresponds to step 705 in the embodiment of fig. 7.
4. Decryption
The obtained encrypted information is decrypted with the key to obtain the plaintext information. Part 4 corresponds to steps 706-707 in the embodiment of fig. 7.
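An end-to-end version of the storage process of fig. 4 (parts 1-4, steps 301-308) and the acquisition process of fig. 8 (parts 1-4, steps 701-707), together with the separation of the four parts shown in fig. 5, as an added Python example that is not part of the patent and not Tencent code. The salt database and information database are modelled as in-memory dictionaries keyed exactly as Table-1 and Table-2 describe; the salt identifier uses the two-hash variant; and the symmetric cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a stand-in chosen only so the example runs with the standard library (a deployment would use a vetted authenticated cipher such as AES-GCM from a maintained library). One assumption the patent does not spell out: the salt groups are generated the first time a user's information is stored and reused afterwards, since a fresh salt group on every store would make a later retrieval derive a different user identifier and key. All identity strings and stored notes are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def hash_once(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Part 1: salt identifier, two-hash variant: salt = H(identity), salt ID = H(identity || salt).
def derive_salt_id(identity: bytes) -> bytes:
    salt = hash_once(identity)
    return hash_once(identity + salt)


# Parts 2 and 3: one round per salt, result_i = H(result_{i-1} || salt_i).
def chained_salted_hash(base: bytes, salts: List[bytes]) -> bytes:
    result = base
    for salt in salts:
        result = hash_once(result + salt)
    return result


# Stand-in symmetric cipher (assumption, see lead-in): HMAC-SHA256 keystream, encrypt-then-MAC.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks: List[bytes] = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh per message, so equal plaintexts differ
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong key or modified ciphertext
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# The two databases of the second application (fig. 5 parts 52 and 53), as dicts.
SaltDB = Dict[bytes, Tuple[List[bytes], List[bytes]]]  # salt ID -> (first group, second group)
InfoDB = Dict[bytes, bytes]                              # user ID -> encrypted information


def store_information(identity: bytes, info: bytes, salt_db: SaltDB, info_db: InfoDB,
                      a: int = 3, b: int = 4) -> bytes:
    """Fig. 4: derive the salt ID, fetch or create the salt groups, derive the user
    identifier and key, encrypt, and store under the user identifier. Returns the
    user identifier so a caller can see what the information database is keyed by."""
    salt_id = derive_salt_id(identity)
    if salt_id not in salt_db:   # first store for this user: a random salts and b random salts
        salt_db[salt_id] = ([secrets.token_bytes(16) for _ in range(a)],
                            [secrets.token_bytes(16) for _ in range(b)])
    first_group, second_group = salt_db[salt_id]
    user_id = chained_salted_hash(identity, first_group)
    key = chained_salted_hash(identity, second_group)
    info_db[user_id] = encrypt(key, info)
    return user_id


def obtain_information(identity: bytes, salt_db: SaltDB, info_db: InfoDB) -> bytes:
    """Fig. 8: the same derivations, then a primary-key lookup and decryption.
    Raises KeyError when no salt groups or no record exist for this identity."""
    salt_id = derive_salt_id(identity)
    first_group, second_group = salt_db[salt_id]
    user_id = chained_salted_hash(identity, first_group)
    key = chained_salted_hash(identity, second_group)
    return decrypt(key, info_db[user_id])


if __name__ == "__main__":
    salt_db: SaltDB = {}
    info_db: InfoDB = {}
    identity = b"identity-generated-by-first-app"   # constructed sample, supplied by the first application
    uid = store_information(identity, b"shipping address: 1 Example Road", salt_db, info_db)
    print("user ID  :", uid.hex())
    print("recovered:", obtain_information(identity, salt_db, info_db))
```

The isolation argument of fig. 5 is visible in the failure paths: a copy of the information database alone holds only opaque user identifiers and authenticated ciphertexts, the salt database alone holds no identity information, and an identity string that was never stored fails at the salt lookup, so none of the stored parts yields plaintext without the identity string the first application supplies at request time.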
In summary, in the information obtaining method provided in the embodiment of the present invention, the user identity information is used as the basic character string and is encrypted with a salted encryption algorithm to obtain the user identifier and the key; the user identifier is used to obtain the corresponding encrypted information; and the key is then used to decrypt the encrypted information to obtain the plaintext information. On one hand, the plaintext information can only be recovered by decrypting with the key, and the key is generated by a salted encryption algorithm, so that compared with directly hashing the information and storing the hash, the encrypted information in the embodiment of the present invention is harder to decrypt and security is improved. On the other hand, the user identifier is also generated by a salted encryption algorithm rather than being a plaintext user account, so that whoever wants to obtain the information stored for a certain user cannot locate the corresponding information directly from that user's account and can find it only by generating the exact user identifier, which further increases the cracking difficulty and further improves security.
The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention. For details which are not disclosed in the embodiments of the apparatus of the present invention, reference is made to the embodiments of the method of the present invention.
Referring to fig. 9, a block diagram of an information storage device according to an embodiment of the invention is shown. The device has the function of realizing the information storage method provided by the method example, and the function can be realized by hardware or by hardware executing corresponding software. The apparatus may include: an information acquisition module 910, a first encryption module 920, a second encryption module 930, a third encryption module 940, and an information storage module 950.
An information obtaining module 910, configured to obtain user identity information of the user in the second application, where the user identity information is generated by the first application.
The first encryption module 920 is configured to perform at least one round of encryption on the user identity information by using a first salt group to obtain a user identifier, where the first salt group includes at least one salt.
The second encryption module 930 is configured to perform at least one round of encryption on the user identity information by using a second salt group to obtain a key, where the second salt group includes at least one salt.
And a third encryption module 940, configured to encrypt the information to be stored by using the key to obtain encrypted information.
An information storage module 950, configured to correspondingly store the user identifier and the encrypted information in an information database of the second application.
In summary, in the information storage apparatus provided in the embodiment of the present invention, the user identity information is used as the basic character string and is encrypted with a salted encryption algorithm to obtain the user identifier and the key; the key is used to encrypt the information to be stored, and the user identifier and the resulting encrypted information are then stored in correspondence. On one hand, the encrypted information is produced by encrypting with the key, and the key is generated by a salted encryption algorithm, so that, compared with directly encrypting and storing the information to be stored with a hash algorithm, the difficulty of cracking the encrypted information is increased and the security is improved. On the other hand, the user identifier is also generated by a salted encryption algorithm instead of being a plaintext user account, so that when someone wants to acquire the information stored for a certain user, the corresponding information cannot be found directly from that user's account; it can only be found by generating the exact user identifier, which further increases the cracking difficulty and further improves the security.
In an alternative embodiment provided based on the embodiment of fig. 9, the first salt group includes a salts, where a is a positive integer;
the first encryption module 920 is configured to:
concatenating the (i-1)th round encryption result with the ith salt in the first salt group, and performing one hash calculation on the concatenated character string to obtain the ith round encryption result, where the initial value of i is 1, and when i is 1 the (i-1)th round encryption result is the user identity information;
and when i is smaller than a, setting i to i+1 and repeating the step of concatenating the (i-1)th round encryption result with the ith salt in the first salt group and performing one hash calculation on the concatenated character string to obtain the ith round encryption result, until i equals a, at which point the process ends and the ith round encryption result is determined to be the user identifier.
In another alternative embodiment provided based on the embodiment of fig. 9, the second salt group includes b salts, where b is a positive integer;
the second encryption module 930 is configured to:
concatenate the (j-1)th round encryption result with the jth salt in the second salt group, and perform one hash calculation on the concatenated character string to obtain the jth round encryption result, where the initial value of j is 1, and when j is 1 the (j-1)th round encryption result is the user identity information;
and when j is smaller than b, set j to j+1 and repeat the step of concatenating the (j-1)th round encryption result with the jth salt in the second salt group and performing one hash calculation on the concatenated character string to obtain the jth round encryption result, until j equals b, at which point the process ends and the jth round encryption result is determined to be the secret key.
In another optional embodiment provided based on the embodiment of fig. 9, the apparatus further comprises: a salt generation module, a salt identifier generation module and a salt storage module (not shown in the figure).
A salt generation module, configured to generate the first salt group and the second salt group, where each salt in the first salt group and the second salt group is randomly generated.
A salt identifier generation module, configured to perform at least one hash calculation on the user identity information to obtain a character string as the salt identifier.
A salt storage module, configured to store the salt identifier in correspondence with the first salt group and the second salt group.
Optionally, the salt identifier generation module is configured to: perform a first hash calculation on the user identity information to obtain a character string as a salt; and concatenate the user identity information with that salt and perform a second hash calculation on the concatenated character string to obtain a character string as the salt identifier.
Referring to fig. 10, a block diagram of an information acquiring apparatus according to an embodiment of the present invention is shown. The apparatus has the function of realizing the information acquisition method provided by the method embodiment, and the function may be realized by hardware or by hardware executing corresponding software. The apparatus may include: an information acquisition module 1010, a first encryption module 1020, a second encryption module 1030, an information acquisition module 1040 and an information decryption module 1050.
An information obtaining module 1010, configured to obtain user identity information of the user in the second application, where the user identity information is generated by the first application.
A first encryption module 1020, configured to perform at least one round of encryption on the user identity information by using a first salt group to obtain a user identifier, where the first salt group includes at least one salt.
A second encryption module 1030, configured to perform at least one round of encryption on the user identity information using a second salt group to obtain a key, where the second salt group includes at least one salt.
The information obtaining module 1040 is configured to obtain, from the information database of the second application, encrypted information stored in correspondence with the user identifier.
And an information decryption module 1050, configured to decrypt the encrypted information with the key to obtain plaintext information.
In summary, in the information obtaining apparatus provided in the embodiment of the present invention, the user identity information is used as the basic character string and is encrypted with a salted encryption algorithm to obtain the user identifier and the secret key; the user identifier is used to look up the corresponding encrypted information, and the secret key is then used to decrypt the encrypted information to obtain the plaintext information. On one hand, the plaintext information can only be recovered by decrypting with the key, and the key is generated by a salted encryption algorithm, so that, compared with directly encrypting and storing the information with a hash algorithm, the difficulty of decrypting the encrypted information in the embodiment of the invention is increased and the security is improved. On the other hand, the user identifier is also generated by a salted encryption algorithm instead of being a plaintext user account, so that when someone wants to acquire the information stored for a certain user, the corresponding information cannot be found directly from that user's account; it can only be found by generating the exact user identifier, which further increases the cracking difficulty and further improves the security.
In an alternative embodiment provided based on the embodiment of fig. 10, the first salt group includes a salts, where a is a positive integer;
the first encryption module 1020 is configured to:
concatenating the (i-1)th round encryption result with the ith salt in the first salt group, and performing one hash calculation on the concatenated character string to obtain the ith round encryption result, where the initial value of i is 1, and when i is 1 the (i-1)th round encryption result is the user identity information;
and when i is smaller than a, setting i to i+1 and repeating the step of concatenating the (i-1)th round encryption result with the ith salt in the first salt group and performing one hash calculation on the concatenated character string to obtain the ith round encryption result, until i equals a, at which point the process ends and the ith round encryption result is determined to be the user identifier.
In another alternative embodiment provided based on the embodiment of fig. 10, the second salt group includes b salts, where b is a positive integer;
the second encryption module 1030 is configured to:
concatenating the (j-1)th round encryption result with the jth salt in the second salt group, and performing one hash calculation on the concatenated character string to obtain the jth round encryption result, where the initial value of j is 1, and when j is 1 the (j-1)th round encryption result is the user identity information;
and when j is smaller than b, setting j to j+1 and repeating the step of concatenating the (j-1)th round encryption result with the jth salt in the second salt group and performing one hash calculation on the concatenated character string to obtain the jth round encryption result, until j equals b, at which point the process ends and the jth round encryption result is determined to be the secret key.
In another optional embodiment provided based on the embodiment of fig. 10, the apparatus further comprises: a salt identifier generation module and a salt acquisition module (not shown in the figure).
A salt identifier generation module, configured to perform at least one hash calculation on the user identity information to obtain a character string as the salt identifier.
A salt obtaining module, configured to obtain the first salt group and the second salt group stored in correspondence with the salt identifier, where each salt in the first salt group and the second salt group is randomly generated.
Optionally, the salt identifier generation module is configured to: perform a first hash calculation on the user identity information to obtain a character string as a salt; and concatenate the user identity information with that salt and perform a second hash calculation on the concatenated character string to obtain a character string as the salt identifier.
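The storage and acquisition procedures described above (salt identifier from two hash calculations, randomly generated salt groups stored under it, a-round and b-round salted hashing for the user identifier and the key, encryption of the record under the derived key, and the reverse lookup and decryption) as one added example in Python; this is illustrative code written for this page, not the patent's own implementation. It assumes SHA-256 as the unnamed hash function, 16-byte random salts, and, because the page does not name the symmetric cipher, uses an HMAC-SHA256 counter-mode keystream with an HMAC tag as a stand-in for the "encrypt with the key" step.

```python
import hashlib
import hmac
import secrets

# Assumption: the page does not name the hash function; SHA-256 is used throughout.
HASH = hashlib.sha256
SALT_LEN = 16    # assumption: 16 random bytes per salt
NONCE_LEN = 16
TAG_LEN = 32


def hash_once(data: bytes) -> bytes:
    """One hash calculation, the primitive every step on the page is built from."""
    return HASH(data).digest()


def rounds_hash(identity: bytes, salts: list) -> bytes:
    """The a-round / b-round procedure: result_0 = identity,
    result_i = H(result_{i-1} || salt_i) for i = 1..len(salts)."""
    if not salts:
        raise ValueError("a salt group must contain at least one salt")
    result = identity
    for salt in salts:
        result = hash_once(result + salt)
    return result


def salt_identifier(identity: bytes) -> bytes:
    """Two hash calculations: salt = H(identity), salt_id = H(identity || salt)."""
    return hash_once(identity + hash_once(identity))


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the page's 'key' (stand-in construction).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for the cipher the page leaves unnamed.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the stored record is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered record raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecondApplication:
    """The second application's two stores: salt groups keyed by salt identifier, and the
    information database keyed by user identifier. They are kept as separate objects
    because the page's argument relies on the salts not sitting beside the records."""

    def __init__(self, a: int = 3, b: int = 3):
        self.a, self.b = a, b
        self.salt_store = {}   # salt_id -> (first salt group, second salt group)
        self.info_db = {}      # user_id -> encrypted record

    def _salt_groups(self, identity: bytes, create: bool):
        sid = salt_identifier(identity)
        if sid not in self.salt_store:
            if not create:
                raise KeyError("no salt groups stored for this salt identifier")
            self.salt_store[sid] = ([secrets.token_bytes(SALT_LEN) for _ in range(self.a)],
                                    [secrets.token_bytes(SALT_LEN) for _ in range(self.b)])
        return self.salt_store[sid]

    def store(self, identity: bytes, info: bytes) -> bytes:
        """Information storage method: derive user_id and key, encrypt, store under user_id."""
        first, second = self._salt_groups(identity, create=True)
        user_id = rounds_hash(identity, first)
        key = rounds_hash(identity, second)
        self.info_db[user_id] = encrypt(key, info)
        return user_id

    def acquire(self, identity: bytes) -> bytes:
        """Information acquisition method: re-derive user_id and key, look up, decrypt."""
        first, second = self._salt_groups(identity, create=False)
        user_id = rounds_hash(identity, first)
        key = rounds_hash(identity, second)
        return decrypt(key, self.info_db[user_id])
```

Note that the record is findable only through the re-derived user identifier, and an identity for which no salt groups were stored cannot even compute one.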
It should be noted that, when the apparatus provided in the foregoing embodiment implements the functions thereof, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
Referring to fig. 11, a schematic structural diagram of a computer device according to an embodiment of the present invention is shown. For example, the computer device may be a server for implementing the method provided by the above embodiments. Specifically, the computer device is structured as follows:
the computer device 1100 includes a Central Processing Unit (CPU)1101, a system memory 1104 including a Random Access Memory (RAM)1102 and a Read Only Memory (ROM)1103, and a system bus 1105 connecting the system memory 1104 and the central processing unit 1101. The computer device 1100 also includes a basic input/output system (I/O system) 1106, which facilitates transfer of information between devices within the computer, and a mass storage device 1107 for storing an operating system 1113, application programs 1114 and other program modules 1115.
The basic input/output system 1106 includes a display 1108 for displaying information and an input device 1109, such as a mouse or keyboard, for user input of information. The display 1108 and the input device 1109 are connected to the central processing unit 1101 through an input/output controller 1110 connected to the system bus 1105. The basic input/output system 1106 may also include an input/output controller 1110 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, the input/output controller 1110 also provides output to a display screen, a printer, or another type of output device.
The mass storage device 1107 is connected to the central processing unit 1101 through a mass storage controller (not shown) that is connected to the system bus 1105. The mass storage device 1107 and its associated computer-readable media provide non-volatile storage for the computer device 1100. That is, the mass storage device 1107 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM drive.
Without loss of generality, the computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, DVD, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that the computer storage media is not limited to the foregoing. The system memory 1104 and mass storage device 1107 described above may be collectively referred to as memory.
The computer device 1100 may also operate as a remote computer connected to a network via a network, such as the internet, in accordance with various embodiments of the invention. That is, the computer device 1100 may connect to the network 1112 through the network interface unit 1111 that is coupled to the system bus 1105, or may connect to other types of networks or remote computer systems using the network interface unit 1111.
The memory has stored therein at least one instruction, at least one program, set of codes, or set of instructions configured to be executed by one or more processors to implement the above-described information storage method or information acquisition method.
In an exemplary embodiment, there is also provided a computer-readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which when executed by a processor of a computer device, implements the functions of the respective steps in the information storage method or the information acquisition method as described above.
Alternatively, the computer-readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It should be understood that reference to "a plurality" herein means two or more. "And/or" describes the association relationship of the associated objects, meaning that three relationships are possible; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The above description is only exemplary of the present invention and should not be taken as limiting the invention, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (14)

1. An information storage method, the method comprising:
acquiring user identity information of a user account generated by a first application in a second application, wherein the second application calls the first application to provide the user identity information for the second application when acquiring the user identity information;
performing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, wherein the first salt group comprises at least one salt;
performing at least one round of encryption on the user identity information by adopting a second salt group to obtain a secret key, wherein the second salt group comprises at least one salt;
encrypting information to be stored by adopting the key to obtain encrypted information;
and storing the user identifier and the encrypted information in correspondence in an information database of the second application.
2. The method of claim 1, wherein the first salt group comprises a salts, wherein a is a positive integer;
the step of performing at least one round of encryption on the user identity information by adopting the first salt group to obtain a user identifier comprises the following steps:
concatenating the (i-1)th round encryption result with the ith salt in the first salt group, and performing one hash calculation on the concatenated character string to obtain the ith round encryption result, where the initial value of i is 1, and when i is 1 the (i-1)th round encryption result is the user identity information;
and when i is smaller than a, setting i to i+1 and repeating the step of concatenating the (i-1)th round encryption result with the ith salt in the first salt group and performing one hash calculation on the concatenated character string to obtain the ith round encryption result, until i equals a, at which point the process ends and the ith round encryption result is determined to be the user identifier.
3. The method of claim 1, wherein the second salt group comprises b salts, wherein b is a positive integer;
the performing at least one round of encryption on the user identity information by using the second salt group to obtain a key includes:
concatenating the (j-1)th round encryption result with the jth salt in the second salt group, and performing one hash calculation on the concatenated character string to obtain the jth round encryption result, where the initial value of j is 1, and when j is 1 the (j-1)th round encryption result is the user identity information;
and when j is smaller than b, setting j to j+1 and repeating the step of concatenating the (j-1)th round encryption result with the jth salt in the second salt group and performing one hash calculation on the concatenated character string to obtain the jth round encryption result, until j equals b, at which point the process ends and the jth round encryption result is determined to be the secret key.
4. The method according to any one of claims 1 to 3, further comprising:
generating the first and second salt groups, wherein each salt in the first and second salt groups is randomly generated;
performing at least one hash calculation on the user identity information to obtain a character string as a salt identifier;
and storing the salt identifier in correspondence with the first salt group and the second salt group.
5. The method of claim 4, wherein performing at least one hash calculation on the user identity information to obtain a string as a salt identifier comprises:
performing a first hash calculation on the user identity information to obtain a character string as salt;
and concatenating the user identity information with the salt, and performing a second hash calculation on the concatenated character string to obtain a character string as the salt identifier.
6. An information acquisition method, characterized in that the method comprises:
acquiring user identity information of a user account generated by a first application in a second application, wherein the second application calls the first application to provide the user identity information for the second application when acquiring the user identity information;
performing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, wherein the first salt group comprises at least one salt;
performing at least one round of encryption on the user identity information by adopting a second salt group to obtain a secret key, wherein the second salt group comprises at least one salt;
acquiring, from an information database of the second application, the encrypted information stored in correspondence with the user identifier;
and decrypting the encrypted information by adopting the key to obtain plaintext information.
7. The method of claim 6, wherein the first salt group comprises a salts, wherein a is a positive integer;
the step of performing at least one round of encryption on the user identity information by adopting the first salt group to obtain a user identifier comprises the following steps:
concatenating the (i-1)th round encryption result with the ith salt in the first salt group, and performing one hash calculation on the concatenated character string to obtain the ith round encryption result, where the initial value of i is 1, and when i is 1 the (i-1)th round encryption result is the user identity information;
and when i is smaller than a, setting i to i+1 and repeating the step of concatenating the (i-1)th round encryption result with the ith salt in the first salt group and performing one hash calculation on the concatenated character string to obtain the ith round encryption result, until i equals a, at which point the process ends and the ith round encryption result is determined to be the user identifier.
8. The method of claim 6, wherein the second salt group comprises b salts, wherein b is a positive integer;
the performing at least one round of encryption on the user identity information by using the second salt group to obtain a key includes:
concatenating the (j-1)th round encryption result with the jth salt in the second salt group, and performing one hash calculation on the concatenated character string to obtain the jth round encryption result, where the initial value of j is 1, and when j is 1 the (j-1)th round encryption result is the user identity information;
and when j is smaller than b, setting j to j+1 and repeating the step of concatenating the (j-1)th round encryption result with the jth salt in the second salt group and performing one hash calculation on the concatenated character string to obtain the jth round encryption result, until j equals b, at which point the process ends and the jth round encryption result is determined to be the secret key.
9. The method according to any one of claims 6 to 8, wherein after obtaining the user identity information of the user account generated by the first application in the second application, further comprising:
performing at least one hash calculation on the user identity information to obtain a character string as a salt identifier;
and acquiring the first salt group and the second salt group stored in correspondence with the salt identifier, where each salt in the first salt group and the second salt group is randomly generated.
10. The method of claim 9, wherein performing at least one hash calculation on the user identity information to obtain a string as a salt identifier comprises:
performing a first hash calculation on the user identity information to obtain a character string as salt;
and concatenating the user identity information with the salt, and performing a second hash calculation on the concatenated character string to obtain a character string as the salt identifier.
11. An information storage apparatus, characterized in that the apparatus comprises:
the information acquisition module is used for acquiring user identity information of a user account generated by a first application in a second application, wherein the second application calls the first application to provide the user identity information for the second application when acquiring the user identity information;
the first encryption module is used for executing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, wherein the first salt group comprises at least one salt;
a second encryption module, configured to perform at least one round of encryption on the user identity information by using a second salt group to obtain a key, where the second salt group includes at least one salt;
the third encryption module is used for encrypting the information to be stored by adopting the secret key to obtain encrypted information;
and an information storage module, configured to store the user identifier and the encrypted information in correspondence in an information database of the second application.
12. An information acquisition apparatus, characterized in that the apparatus comprises:
the information acquisition module is used for acquiring user identity information of a user account generated by a first application in a second application, wherein the second application calls the first application to provide the user identity information for the second application when acquiring the user identity information;
the first encryption module is used for executing at least one round of encryption on the user identity information by adopting a first salt group to obtain a user identifier, wherein the first salt group comprises at least one salt;
a second encryption module, configured to perform at least one round of encryption on the user identity information by using a second salt group to obtain a key, where the second salt group includes at least one salt;
an information acquisition module, configured to acquire, from the information database of the second application, the encrypted information stored in correspondence with the user identifier;
and an information decryption module, configured to decrypt the encrypted information with the secret key to obtain plaintext information.
13. A computer device comprising a processor and a memory, the memory having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which when executed by the processor, implement the method of any one of claims 1 to 10.
14. A computer-readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions which, when executed, implement a method according to any one of claims 1 to 10.
CN201711179733.6A 2017-11-23 2017-11-23 Information storage method, information acquisition method, information storage device, information acquisition device and information acquisition equipment Active CN107948152B (en)
Publications (2)

Publication Number Publication Date
CN107948152A CN107948152A (en) 2018-04-20
CN107948152B true CN107948152B (en) 2021-05-14

Family

ID=61930868

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711179733.6A Active CN107948152B (en) 2017-11-23 2017-11-23 Information storage method, information acquisition method, information storage device, information acquisition device and information acquisition equipment

Country Status (1)

Country Link
CN (1) CN107948152B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108616533B (en) * 2018-04-27 2021-02-19 正方软件股份有限公司 Sensitive data encryption method and device
CN109599170A (en) * 2018-12-05 2019-04-09 易必祥 Medical management method and system based on big data
CN109858255A (en) * 2018-12-19 2019-06-07 杭州安恒信息技术股份有限公司 Data encryption storage method, device and realization device
CN109670329A (en) * 2018-12-28 2019-04-23 东信和平科技股份有限公司 A kind of safe lead-in and lead-out method of server data and server
CN110048835A (en) * 2019-03-27 2019-07-23 北京三快在线科技有限公司 The method and apparatus of encryption, storage medium
CN110008745B (en) * 2019-03-29 2024-01-16 深圳供电局有限公司 Encryption method, computer equipment and computer storage medium
CN110717827B (en) * 2019-09-03 2022-08-30 网联清算有限公司 Database determination method and device and transaction processing system
CN111062047B (en) * 2019-12-25 2022-07-08 中国联合网络通信集团有限公司 Data storage method, system, device and storage medium
CN110781419B (en) * 2020-01-02 2020-04-28 成都四方伟业软件股份有限公司 Multi-system cooperative use method based on block chain
CN113486375B (en) * 2021-07-16 2024-04-19 青岛海尔科技有限公司 Storage method and device of equipment information, storage medium and electronic device
CN115242540B (en) * 2022-08-03 2023-09-26 平安银行股份有限公司 Data processing method and system

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7716206B2 (en) * 2004-11-01 2010-05-11 At&T Intellectual Property I, L.P. Communication networks and methods and computer program products for performing searches thereon while maintaining user privacy
CN102594779A (en) * 2011-01-05 2012-07-18 中国移动通信集团公司 User data processing method and device thereof
CN102638468A (en) * 2012-04-12 2012-08-15 华为技术有限公司 Method, sending end, receiving end and system for protecting information transmission safety
CN103116730A (en) * 2013-01-21 2013-05-22 厦门市美亚柏科信息股份有限公司 Deciphering method and system of data protection application programming interface (DPAPI) enciphered data
CN103179134A (en) * 2013-04-19 2013-06-26 中国建设银行股份有限公司 Single sign on method and system based on Cookie and application server thereof
CN104079539A (en) * 2013-03-28 2014-10-01 阿里巴巴集团控股有限公司 Data privacy storage method and client
CN104734854A (en) * 2013-12-23 2015-06-24 西门子公司 Secure Provision of a Key
CN105978878A (en) * 2016-05-11 2016-09-28 腾讯科技(深圳)有限公司 Webpage verification method and device
CN106060078A (en) * 2016-07-11 2016-10-26 浪潮(北京)电子信息产业有限公司 User information encryption method, user registration method and user validation method applied to cloud platform
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device
CN107070948A (en) * 2017-05-23 2017-08-18 广东工业大学 Signature and verification method based on hybrid encryption algorithm in cloud storage
CN107104787A (en) * 2017-04-26 2017-08-29 山东开创云软件有限公司 A kind of cipher set-up method for resisting password cracking
CN107231346A (en) * 2017-05-03 2017-10-03 北京海顿中科技术有限公司 A kind of method of cloud platform identification

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7228417B2 (en) * 2002-02-26 2007-06-05 America Online, Inc. Simple secure login with multiple-authentication providers
US20060095786A1 (en) * 2004-11-01 2006-05-04 Aaron Jeffrey A Communication networks and methods and computer program products for preventing tracking of network activity thereon through use of identity pseudonym domains
US9660972B1 (en) * 2012-06-25 2017-05-23 Amazon Technologies, Inc. Protection from data security threats
US9935948B2 (en) * 2015-09-18 2018-04-03 Case Wallet, Inc. Biometric data hashing, verification and security

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7716206B2 (en) * 2004-11-01 2010-05-11 At&T Intellectual Property I, L.P. Communication networks and methods and computer program products for performing searches thereon while maintaining user privacy
CN102594779A (en) * 2011-01-05 2012-07-18 中国移动通信集团公司 User data processing method and device thereof
CN102638468A (en) * 2012-04-12 2012-08-15 华为技术有限公司 Method, sending end, receiving end and system for protecting information transmission safety
CN103116730A (en) * 2013-01-21 2013-05-22 厦门市美亚柏科信息股份有限公司 Deciphering method and system of data protection application programming interface (DPAPI) enciphered data
CN104079539A (en) * 2013-03-28 2014-10-01 阿里巴巴集团控股有限公司 Data privacy storage method and client
CN103179134A (en) * 2013-04-19 2013-06-26 中国建设银行股份有限公司 Single sign on method and system based on Cookie and application server thereof
CN104734854A (en) * 2013-12-23 2015-06-24 西门子公司 Secure Provision of a Key
CN105978878A (en) * 2016-05-11 2016-09-28 腾讯科技(深圳)有限公司 Webpage verification method and device
CN106060078A (en) * 2016-07-11 2016-10-26 浪潮(北京)电子信息产业有限公司 User information encryption method, user registration method and user validation method applied to cloud platform
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device
CN107104787A (en) * 2017-04-26 2017-08-29 山东开创云软件有限公司 A kind of cipher set-up method for resisting password cracking
CN107231346A (en) * 2017-05-03 2017-10-03 北京海顿中科技术有限公司 A kind of method of cloud platform identification
CN107070948A (en) * 2017-05-23 2017-08-18 广东工业大学 Signature and verification method based on hybrid encryption algorithm in cloud storage

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Front-end data encryption analysis; Pan Pan; Computer & Network; 2017-08-26 (No. 16); full text *
Security analysis and comparison of password encryption algorithms; Qi Xin; Cyberspace Security; 2017-03-06; Vol. 7 (No. 11); pp. 34-38 *

Also Published As

Publication number Publication date
CN107948152A (en) 2018-04-20

Similar Documents

Publication Publication Date Title
CN107948152B (en) Information storage method, information acquisition method, information storage device, information acquisition device and information acquisition equipment
EP3910907B1 (en) Retrieving access data for blockchain networks using highly available trusted execution environments
EP3610606B1 (en) Managing sensitive data elements in a blockchain network
CA3058236C (en) Retrieving public data for blockchain networks using highly available trusted execution environments
CN109074579B (en) Method and system for protecting computer software using distributed hash table and blockchain
US10402571B2 (en) Community-based de-duplication for encrypted data
US10091230B1 (en) Aggregating identity data from multiple sources for user controlled distribution to trusted risk engines
US10917249B2 (en) Processing data elements stored in blockchain networks
US10951396B2 (en) Tamper-proof management of audit logs
CN111737720B (en) Data processing method and device and electronic equipment
US10120870B2 (en) System and method for searching distributed files across a plurality of clients
JP2019079280A (en) File verification device, file transfer system and program
KR20220092811A (en) Method and device for storing encrypted data
US10536276B2 (en) Associating identical fields encrypted with different keys
CN115694949A (en) Private data sharing method and system based on block chain
CN116583833A (en) Self-auditing blockchain
CN111917711B (en) Data access method and device, computer equipment and storage medium
CN109828832B (en) Block chain-based data circulation method, device, equipment and medium
US20200097457A1 (en) Data management method, data management apparatus, and non-transitory computer readable medium
WO2020130864A1 (en) System for automatic management and depositing of documents (images) hash in block-chain technology
CN113609531B (en) Information interaction method, device, equipment, medium and product based on block chain
US11856085B2 (en) Information management system and method for the same
CN113761585A (en) Data processing method, device and system
CN117034370B (en) Data processing method based on block chain network and related equipment
US20230291583A1 (en) System And Method For Authenticating Devices

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant