CN108737087B - Protection method for mailbox account password and computer readable storage medium

Info

Publication number
CN108737087B
Authority
CN
China
Prior art keywords
mailbox
account password
cloud server
application
mobile terminal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810341234.0A
Other languages
Chinese (zh)
Other versions
CN108737087A (en
Inventor
兰书俊
南江
苏玉海
蔡阿川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Meiya Pico Information Co Ltd
Original Assignee
Xiamen Meiya Pico Information Co Ltd
Application filed by Xiamen Meiya Pico Information Co Ltd
Priority to CN201810341234.0A
Publication of CN108737087A
Application granted
Publication of CN108737087B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067 Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key

Abstract

The invention discloses a method for protecting a mailbox account password and a computer readable storage medium, wherein the method comprises the following steps: the mobile terminal negotiates a temporary encryption key and a first encryption algorithm with the cloud server; the client application of the mobile terminal acquires account password information of the mailbox from the mailbox application and sends the account password information to the trusted application in the secure operating system; the trusted application encrypts the account password information to obtain an account password ciphertext and sends the account password ciphertext to the client application; the client application associates the account password ciphertext with a system account of the mobile terminal, encrypts the association relationship by using the temporary encryption key and the first encryption algorithm, and then sends it to the cloud server; and the cloud server decrypts the encrypted association relationship by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain and store the association relationship. The invention can effectively ensure the security of the mailbox account password.

Description

Protection method for mailbox account password and computer readable storage medium
Technical Field
The invention relates to the technical field of data security, in particular to a method for protecting a mailbox account password and a computer readable storage medium.
Background
Android is currently the most popular smartphone operating system, far ahead of the smartphone operating systems of Apple, BlackBerry and others. Mail is an important part of people's work and life, and the Android system provides a built-in mailbox program. For convenience, users typically use the mailbox provided by the system to send and receive all kinds of mail. The mainstream Android systems are the vendors' customized systems, each with its own secure mailbox, such as Huawei, Samsung, Xiaomi and OPPO, and there are also mailboxes from various third-party applications, such as QQ Mailbox and NetEase Mail Master. Because a mailbox application must be compatible with many kinds of mailbox accounts and must transmit the account password in plaintext, it can only store the original account password. If the related algorithm is then reverse engineered, the original account and password information can be obtained.
Actual reverse analysis shows that the vendor systems that dominate the Android camp, such as the built-in mailbox systems of Huawei, Samsung, Xiaomi and Meizu, store the user's login mailbox account in a database encrypted with algorithms such as AES or DES. The encryption algorithm can be recovered through reverse analysis, so that the content of the database is obtained and the password is cracked. QQ Mailbox and NetEase Mail Master, which have a relatively high share among third-party mailbox applications, likewise encrypt the data and then store it in a database. An attacker only needs to obtain the database and can then decrypt its encrypted data by reverse analyzing and cracking the encryption and decryption algorithm, obtaining the plaintext of the mailbox account password. Some mailbox applications do not even encrypt the account password, but store it in plaintext.
Therefore, these mailbox applications have weaknesses in protecting the mailbox account password, and there is a risk of the mailbox account password being leaked. For users with weaker security awareness, whose passwords are generally similar or identical, a leaked password is even more dangerous.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method for protecting a mailbox account password and a computer readable storage medium that can effectively ensure the security of the mailbox account password.
In order to solve the above technical problem, the invention adopts the following technical solution: a method for protecting a mailbox account password, comprising the following steps:
the mobile terminal negotiates a temporary encryption key and a first encryption algorithm with the cloud server;
the client application of the mobile terminal obtains account password information of a mailbox from a mailbox application and sends the account password information to a trusted application in a secure operating system;
the trusted application encrypts the account password information to obtain an account password ciphertext, and sends the account password ciphertext to the client application;
the client application associates the account password ciphertext with a system account of the mobile terminal, encrypts the association relationship by using the temporary encryption key and the first encryption algorithm, and then sends it to the cloud server;
and the cloud server decrypts the encrypted association relationship by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain and store the association relationship.
The invention also relates to a computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps described above.
The beneficial effects of the invention are as follows: by storing the encrypted mailbox account password of the mobile terminal on the cloud server, the risk of a mailbox account password stored in a local database being cracked is avoided, and the security of the mailbox account password is improved; encrypting the account password information inside the secure operating system further improves the security of the mailbox account password; the mobile terminal and the cloud server negotiate a key and an encryption algorithm in advance, establishing a secure channel between them, and the data exchanged between the mobile terminal and the cloud server is encrypted again with the negotiated key and encryption algorithm before transmission, which prevents the encrypted data from leaking if traffic is captured and intercepted during the exchange, ensures the security of the communication data, and thereby effectively protects the mailbox account password.
Drawings
FIG. 1 is a flowchart of a method for protecting a mailbox account password according to the present invention;
FIG. 2 is a flowchart of a method according to a first embodiment of the present invention;
FIG. 3 is a flowchart of a method of step S1 according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a process of establishing a secure channel according to a third embodiment of the present invention;
FIG. 5 is a schematic diagram of an encryption and storage process according to a third embodiment of the present invention;
FIG. 6 is a schematic diagram of a decryption login process in the third embodiment of the present invention.
Detailed Description
In order to explain technical contents, objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
The key concept of the invention is: establishing a secure channel between the mobile terminal and the cloud server; storing the encrypted mailbox account password on the cloud server; and logging in to the mailbox within the secure operating system.
Referring to FIG. 1, a method for protecting a mailbox account password includes:
the mobile terminal negotiates a temporary encryption key and a first encryption algorithm with the cloud server;
the client application of the mobile terminal obtains account password information of a mailbox from a mailbox application and sends the account password information to a trusted application in a secure operating system;
the trusted application encrypts the account password information to obtain an account password ciphertext, and sends the account password ciphertext to the client application;
the client application associates the account password ciphertext with a system account of the mobile terminal, encrypts the association relationship by using the temporary encryption key and the first encryption algorithm, and then sends it to the cloud server;
and the cloud server decrypts the encrypted association relationship by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain and store the association relationship.
From the above description, the beneficial effect of the invention is that the security of the mailbox account password is effectively ensured.
Further, the method also includes:
when a mailbox is required to be logged in, the client application sends a system account of the mobile terminal to the cloud server;
the cloud server matches a corresponding account password ciphertext according to the system account, encrypts the account password ciphertext by using a temporary encryption key and a first encryption algorithm, and then sends the account password ciphertext to the client application;
the client application decrypts the encrypted account password ciphertext by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain an account password ciphertext and sends the account password ciphertext to the trusted application;
the trusted application decrypts the account password ciphertext to obtain account password information;
and the trusted application sends the account password information to a mailbox server.
According to the description, the mailbox account password is acquired from the cloud server only when the mailbox is logged in, so that the data security is ensured.
Further, the obtaining, by the client application, account password information of the mailbox from the mailbox application specifically includes:
if the mailbox application is the system mailbox application, acquiring an account password plaintext input by a user or acquiring a mailbox account password encrypted by the system mailbox application;
and if the mailbox application is the third-party mailbox application, acquiring the encrypted mailbox account password of the third-party mailbox application.
Further, the acquiring of the mailbox account password encrypted by the third-party mailbox application specifically includes:
and when it is monitored that the encrypted mailbox account password is written into the database by the third-party mailbox application, intercepting the encrypted mailbox account password through a hook mechanism.
According to the description, the encrypted mailbox account password is not stored in a local database, so that the risk of being cracked is avoided.
Further, the sending the account password information to the mailbox server specifically includes:
if the mailbox application is a system mailbox application and the account password information is an account password plaintext, sending the account password plaintext to a mailbox server;
if the mailbox application is a system mailbox application and the account password information is an encrypted mailbox account password, acquiring a third encryption algorithm of the system mailbox application;
decrypting the account password information by using a decryption algorithm corresponding to the third encryption algorithm to obtain an account password plaintext;
sending the account password plaintext to a mailbox server;
if the mailbox application is a third-party mailbox application, acquiring a fourth encryption algorithm of the third-party mailbox application;
decrypting the account password information by using a decryption algorithm corresponding to the fourth encryption algorithm to obtain an account password plaintext;
and sending the account password plaintext to a mailbox server.
As can be seen from the above description, because of the particular nature of mailboxes, the account password plaintext must be sent to the mailbox server for login; therefore, a mailbox account password encrypted by the mailbox application must first be decrypted to obtain the plaintext, which is then sent to the mailbox server.
Further, the negotiating between the mobile terminal and the cloud server for the temporary encryption key and the encryption algorithm specifically includes:
the mobile terminal sends the algorithms preset in the secure operating system to the cloud server, wherein the algorithms comprise a first encryption algorithm, a second encryption algorithm and a MAC algorithm;
if the mobile terminal passes the verification of the digital certificate sent by the cloud server, acquiring a public key of the cloud server from the digital certificate;
the secure operating system generates a temporary encryption key;
encrypting the temporary encryption key by using the public key of the cloud server and the second encryption algorithm to obtain a first ciphertext;
performing digest operation on the temporary encryption key to obtain a first hash value;
calculating the temporary encryption key by using the MAC algorithm to obtain a first MAC value;
sending the first ciphertext, the first hash value and the first MAC value to a cloud server;
the cloud server decrypts the first ciphertext by using a private key and a decryption algorithm corresponding to the second encryption algorithm to obtain a temporary encryption key;
performing digest operation on the temporary encryption key obtained by decryption to obtain a second hash value;
calculating the temporary encryption key obtained by decryption by using the MAC algorithm to obtain a second MAC value;
and if the second hash value is consistent with the first hash value and the second MAC value is consistent with the first MAC value, judging that the negotiation is successful.
According to the above description, establishing a secure channel between the cloud server and the mobile terminal ensures the security of the communication data, prevents the encrypted data from leaking if traffic is captured and intercepted during the exchange, and further improves the security of the mailbox account password.
Further, the step of acquiring the public key of the cloud server from the digital certificate, if the mobile terminal's verification of the digital certificate sent by the cloud server passes, specifically includes:
the mobile terminal sends a digital certificate or a device serial number of the mobile terminal to the cloud server;
the cloud server compares the digital certificate or the device serial number of the mobile terminal with a pre-stored digital certificate or device serial number;
if they are consistent, the cloud server sends the digital certificate of the cloud server to the mobile terminal;
the mobile terminal compares the received digital certificate of the cloud server with a pre-stored digital certificate;
and if they are consistent, the mobile terminal acquires the public key of the cloud server from the digital certificate of the cloud server.
According to the above description, performing bidirectional identity authentication between the mobile terminal and the cloud server ensures the reliability of both ends and the security of the mailbox account password.
The invention also proposes a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps as described above.
Example one
Referring to FIG. 2, a first embodiment of the present invention is a method for protecting a mailbox account password, which is based on TrustZone and can be applied to terminal devices running the Android system.
TrustZone is a concept based on a trusted platform (Trust platform), proposed for Android systems that use ARM chips. TrustZone separates two environments that execute in parallel: a terminal device using ARM TrustZone technology runs two operating systems, namely a secure operating system (running in TrustZone) and a normal operating system (running in the normal area). A security monitor (Monitor) controls the transitions between the "secure" and "normal" environments. Through a special design in which security is strengthened by hardware, code can be isolated in the secure environment; the security software provides both basic security services and interfaces to the other nodes in the security chain, including smart cards, the operating system and general applications. When the system is in the secure, trusted mode, it becomes much harder to crack; for example, mainstream reverse dynamic analysis and HOOK techniques fail, which reduces the risk of an app's internal algorithm implementation being cracked.
As shown in fig. 2, the method comprises the steps of:
S1: The mobile terminal negotiates a temporary encryption key and a first encryption algorithm with the cloud server.
S2: The client application of the mobile terminal acquires account password information of the mailbox from the mailbox application and sends the account password information to the trusted application in the secure operating system.
Specifically, if the mailbox application is a system mailbox application, that is, the mailbox application that ships with the terminal system, the plaintext mailbox account password entered by the user can be acquired directly from the input interface of the mailbox application, or the password can be acquired after the mailbox application has encrypted it. If the mailbox application is a third-party mailbox application, the mailbox account password encrypted by the third-party mailbox application is acquired.
Further, a hook (HOOK) mechanism can be used: when it is detected that the mailbox application operates on the database, that is, writes the encrypted mailbox account password into the database, the encrypted mailbox account password is intercepted. In other words, in this embodiment the account password information of the mailbox is not stored in the database but is stored on the cloud server through the subsequent steps, which avoids the risk of it being cracked.
S3: The trusted application encrypts the account password information to obtain an account password ciphertext and sends the account password ciphertext to the client application. The encryption algorithm used in this step may be preset in the trusted application.
S4: The client application associates the account password ciphertext with a system account of the mobile terminal, encrypts the association relationship by using the temporary encryption key and the first encryption algorithm, and then sends it to the cloud server. Every Android terminal device has a vendor account of its own, such as a Xiaomi account or a Huawei account, through which the system can back up its short messages, call records, photos and so on to the cloud.
S5: The cloud server decrypts the encrypted association relationship by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain and store the association relationship.
S6: When the mailbox needs to be logged in to, the client application sends the system account of the mobile terminal to the cloud server.
S7: The cloud server matches the corresponding account password ciphertext according to the system account, encrypts the account password ciphertext by using the temporary encryption key and the first encryption algorithm, and then sends it to the client application.
S8: The client application decrypts the encrypted account password ciphertext by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain the account password ciphertext, and sends the account password ciphertext to the trusted application.
S9: The trusted application decrypts the account password ciphertext to obtain the account password information, that is, it decrypts using the decryption algorithm corresponding to the encryption algorithm in step S3.
S10: The trusted application sends the account password information to a mailbox server.
Specifically, if the mailbox application is a system mailbox application and the account password information is an account password plaintext, that is, the account password plaintext is obtained from the system mailbox application in step S2, the account password plaintext is sent to the mailbox server.
If the mailbox application is a system mailbox application and the account password information is an encrypted mailbox account password, that is, the mailbox account password encrypted by the system mailbox application is acquired from the system mailbox application in step S2, acquiring a third encryption algorithm of the system mailbox application; then, decrypting the account password information by using a decryption algorithm corresponding to the third encryption algorithm to obtain an account password plaintext; and sending the account password plaintext to a mailbox server. The third encryption algorithm applied by the system mailbox can be obtained from the system or obtained by reverse analysis and cracking.
If the mailbox application is the third-party mailbox application, that is, in step S2, the mailbox account password encrypted by the third-party mailbox application is acquired from the third-party mailbox application, and then the fourth encryption algorithm of the third-party mailbox application is acquired; then, decrypting the account password information by using a decryption algorithm corresponding to the fourth encryption algorithm to obtain an account password plaintext; and sending the account password plaintext to a mailbox server. The fourth encryption algorithm applied by the third-party mailbox can be obtained by reverse analysis and cracking.
Further, when the user uses a plurality of mailbox applications on one mobile terminal at the same time, unique numbers can be respectively assigned to the mailbox applications, in step S4, the account password ciphertext, the number of the mailbox application and the system account are associated to obtain an association relationship, and in step S6, the client application sends the system account and the number of the mailbox application to the cloud server to retrieve and match the corresponding account password ciphertext.
In this embodiment, a dedicated encrypted data storage block for mailboxes is established on the cloud server; the encrypted mailbox account password of the mobile terminal is stored in the cloud, the encrypted data is not stored locally, and the account password ciphertext is obtained from the cloud server only when logging in to the mailbox. Data stored locally is at risk of being destroyed, for example if TrustZone is directly deleted or reset or the file system is directly damaged, so storing the data in the cloud greatly improves its security.
Meanwhile, the cloud server can also record the device information of the mobile terminals that log in with the mailbox account password, the number of logins, anomaly information and the like. The user can also choose whether to share the encrypted mailbox information in the cloud; if so, a sharing code is generated on the cloud server, and the user can log in to the mailbox on other mobile terminals through the sharing code.
In this embodiment, the account password information is encrypted and decrypted in the secure operating system, and the account password plaintext is sent to the mailbox server from within the secure operating system, which further improves the security of the mailbox account password.
Example two
This embodiment is a further development of step S1 in the first embodiment.
As shown in fig. 3, the step S1 includes the following steps:
s101: the method comprises the steps that a mobile terminal sends algorithms preset in a safe operation system to a cloud server, wherein the algorithms comprise a first encryption algorithm, a second encryption algorithm and an MAC algorithm;
s102: the cloud server authenticates the mobile terminal, and after the authentication is passed, the cloud server sends a digital certificate of the cloud server to the mobile terminal. Specifically, a digital certificate of the mobile terminal is stored in the cloud server in advance, or the digital certificate or the device serial number of the mobile terminal is registered in the cloud server in advance according to a unique identifier of the mobile terminal, such as the device serial number, when authentication is needed, the mobile terminal sends the digital certificate or the device serial number of the mobile terminal to the cloud server, if the digital certificate sent by the mobile terminal is consistent with the pre-stored digital certificate, or the device serial number sent by the mobile terminal is registered, the authentication is judged to be passed, and the mobile terminal is legal.
S103: and the mobile terminal authenticates the cloud server, and after the authentication is passed, a public key of the cloud server is obtained from a digital certificate of the cloud server. Specifically, the digital certificate of the cloud server is stored in the mobile terminal in advance, and if the digital certificate is a third-party mailbox application, the digital certificate can be packaged into an application program when an app manufacturer issues an apk, and if the digital certificate is a system mailbox application, the digital certificate can be stored in a safe storage area of a safe operating system in advance, and can also be stored in an external storage device and imported during each use; and then when the digital certificate sent by the cloud server is received, comparing the digital certificate with a prestored digital certificate, and if the digital certificate is consistent with the prestored digital certificate, judging that the authentication is passed and the cloud server is legal.
S104: the secure operating system generates a temporary encryption key; specifically, a trusted application in the secure operating system generates a temporary encryption key through a random algorithm.
S105: encrypting the temporary encryption key by using the public key of the cloud server and the second encryption algorithm to obtain a first ciphertext; meanwhile, performing a digest operation on the temporary encryption key to obtain a first hash value; and applying the MAC algorithm to the temporary encryption key to obtain a first MAC value.
S106: sending the first ciphertext, the first hash value and the first MAC value to the cloud server;
S107: the cloud server decrypts the first ciphertext by using its private key and the decryption algorithm corresponding to the second encryption algorithm to obtain the temporary encryption key;
S108: performing a digest operation on the temporary encryption key obtained by decryption to obtain a second hash value; and applying the MAC algorithm to the temporary encryption key obtained by decryption to obtain a second MAC value.
S109: and judging whether the second hash value is consistent with the first hash value or not and whether the second MAC value is consistent with the first MAC value or not, if so, executing step S110.
S110: and judging that the negotiation is successful.
Preferably, the first encryption algorithm is an AES encryption algorithm, and the second encryption algorithm is an RSA encryption algorithm.
Through the above steps, a secure channel between the cloud server and the mobile terminal is established. The account password ciphertext exchanged between the cloud server and the mobile terminal is encrypted again with the temporary encryption key and the first encryption algorithm, which solves the problem of encrypted data leaking when traffic is captured or intercepted during the interaction, ensures the security of the communication data, and thereby effectively protects the mailbox account password.
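The exchange in S104 to S110, run end to end as an added Go example (not code from the patent). It assumes RSA-OAEP with SHA-256 for the second encryption algorithm, SHA-256 for the digest, and HMAC-SHA256 keyed with the temporary key over a fixed label for the MAC, none of which the page specifies; all type and function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// NegotiationMsg is what the terminal sends to the cloud server in S106.
type NegotiationMsg struct {
	Ciphertext []byte // first ciphertext: temporary key under the server's public key
	Hash       []byte // first hash value: digest of the temporary key
	MAC        []byte // first MAC value
}

// ErrNegotiation is returned whenever S107-S109 does not succeed.
var ErrNegotiation = errors.New("negotiation failed")

// macOverKey is the MAC of S105/S108. The page does not say how the MAC is
// keyed; HMAC-SHA256 keyed with the temporary key over a fixed label is an
// assumption of this example.
func macOverKey(tempKey []byte) []byte {
	m := hmac.New(sha256.New, tempKey)
	m.Write([]byte("temp-key-confirmation")) // hypothetical label
	return m.Sum(nil)
}

// NewServerKey creates a stand-in RSA key pair for the cloud server.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// TerminalOffer performs S104-S105: random key, RSA encryption, digest, MAC.
// RSA-OAEP with SHA-256 is assumed; the page only says "RSA".
func TerminalOffer(serverPub *rsa.PublicKey) ([]byte, NegotiationMsg, error) {
	tempKey := make([]byte, 32)
	if _, err := rand.Read(tempKey); err != nil {
		return nil, NegotiationMsg{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, tempKey, nil)
	if err != nil {
		return nil, NegotiationMsg{}, err
	}
	h := sha256.Sum256(tempKey)
	msg := NegotiationMsg{Ciphertext: ct, Hash: h[:], MAC: macOverKey(tempKey)}
	return tempKey, msg, nil
}

// ServerAccept performs S107-S110: decrypt, recompute digest and MAC, and
// accept the key only if both match. Comparisons are constant-time.
func ServerAccept(priv *rsa.PrivateKey, msg NegotiationMsg) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.Ciphertext, nil)
	if err != nil || len(key) != 32 {
		return nil, ErrNegotiation
	}
	h := sha256.Sum256(key)
	hashOK := subtle.ConstantTimeCompare(h[:], msg.Hash) == 1
	macOK := hmac.Equal(macOverKey(key), msg.MAC)
	if !hashOK || !macOK {
		return nil, ErrNegotiation
	}
	return key, nil
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	tempKey, msg, err := TerminalOffer(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := ServerAccept(priv, msg)
	fmt.Println("keys agree:", err == nil && string(got) == string(tempKey))

	msg.MAC[0] ^= 0x01 // constructed tampering of the first MAC value
	_, err = ServerAccept(priv, msg)
	fmt.Println("tampered message rejected:", errors.Is(err, ErrNegotiation))
}
```
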
Example three
The present embodiment is a specific application scenario of the foregoing embodiments.
In this embodiment, a client application CA is set up in the ordinary operating system; it can be built into the system mailbox application as a module. The client application serves as the interaction module between the ordinary operating system and the secure operating system: it invokes the API provided by TrustZone for data interaction, is responsible only for data transmission, and also exchanges data with the cloud server. A trusted application TA is created in the secure operating system and executes in a secure execution environment.
First, bidirectional identity authentication is carried out between the cloud server and the mobile terminal, and a secure channel between the cloud server and the mobile terminal is established. As shown in fig. 4, the specific implementation is as follows:
The client application CA obtains from the trusted application TA the relevant algorithms contained in TrustZone, namely the first encryption algorithm, the second encryption algorithm and the MAC algorithm, and sends them to the cloud server together with the authentication information of the mobile terminal. After the cloud server successfully authenticates the mobile terminal, it returns a confirmation and sends a digital certificate carrying the public key of the cloud server to the trusted application TA through the client application CA. The trusted application TA verifies the legitimacy of the cloud server against the digital certificate stored in the APK. After the verification is passed, it randomly generates a temporary encryption key, encrypts the key with the public key of the cloud server and the second encryption algorithm to obtain a first ciphertext, performs a digest operation on the temporary encryption key to obtain a first hash value, and applies the MAC algorithm to the temporary encryption key to obtain a first MAC value. The first ciphertext, the first hash value and the first MAC value are then sent to the cloud server through the client application CA. The cloud server decrypts the first ciphertext with its private key and the decryption algorithm corresponding to the second encryption algorithm to obtain the temporary encryption key, then performs a digest operation on the decrypted temporary encryption key to obtain a second hash value and applies the MAC algorithm to it to obtain a second MAC value. The temporary encryption key is verified by judging whether the second hash value is consistent with the first hash value and whether the second MAC value is consistent with the first MAC value; if the verification is passed, the negotiation of the key and the encryption algorithm is proved successful, and a confirmation message is sent to the client application CA.
The temporary key for the interaction is thus determined and the secure channel between the cloud server and the mobile terminal is established. When the encrypted data of the mailbox account password is exchanged, it is encrypted again with this key for transmission, which ensures the security of the transmission channel.
Next, as shown in fig. 5, account password information of the mailbox is acquired from the mailbox application, encrypted in the trusted application TA, associated with the system account of the mobile terminal, and then sent to the cloud server through the secure channel for storage.
If the system mailbox application is used, the mailbox account password plaintext can be obtained directly from the input interface, or the mailbox account password encrypted by the system mailbox application can be intercepted. For third-party mailbox applications, such as QQ mailboxes, Internet Explorer and the like, a HOOK can be placed on the write and read operations the application performs on its database, so that a write to the database jumps to the client application CA, and the client application CA thereby obtains the mailbox account password as encrypted by the third-party mailbox application.
Specifically, Android applications use sqlite3 for database operations and sqlcipher for encrypting and decrypting the database, so the functions for data insertion, data query, data update and the like in sqlite3 and sqlcipher can be hooked and redirected to the functions implemented in this embodiment: on insert or update the call jumps to the HOOK function for encryption, and on query the data is decrypted.
When the user wants to log in to the mailbox, as shown in fig. 6, the mobile terminal obtains the encrypted account password information from the cloud server through the secure channel, decrypts the encrypted account password information in the trusted application TA, and sends the account password plaintext to the mailbox server.
Furthermore, the trusted application TA receives, through the client application CA, the encrypted data transmitted by the cloud server and decrypts it; at the same time a session is established, and the decrypted data is kept in the trusted application TA for a period of time. Until the session expires it is held in the memory of TrustZone, so data need not be requested from the cloud server at every mailbox login, which improves login efficiency.
In this embodiment, the encrypted data of the mailbox account password is stored in the cloud server, the credibility of the cloud server is ensured, and the security of the encrypted storage of the mailbox account password is ensured. The mailbox account password is encrypted and decrypted with the algorithms in TrustZone, which makes reverse engineering and hooking more difficult and protects the encrypted data. The account passwords of third-party mailbox applications can be protected as well.
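The store and login flows of figs. 5 and 6 as an added Go example (not the patent's code), showing that the cloud server only ever holds what the trusted application already encrypted. AES-GCM, the JSON encoding of the association, the two constructed keys and all names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// newAEAD builds AES-GCM for a key. GCM is an assumption of this example;
// the page names AES as the first encryption algorithm but gives no mode.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and prepends the nonce.
func seal(a cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no safe fallback without randomness
	}
	return a.Seal(nonce, nonce, plaintext, nil)
}

// open fails if the key is wrong or the data was modified in transit.
func open(a cipher.AEAD, sealed []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return a.Open(nil, sealed[:n], sealed[n:], nil)
}

// Association ties the account password ciphertext to the system account.
type Association struct {
	SystemAccount string `json:"system_account"`
	Ciphertext    []byte `json:"account_password_ciphertext"`
}

// Wrap is the client application's step: associate, then encrypt for transit.
func Wrap(channel cipher.AEAD, account string, taCiphertext []byte) []byte {
	raw, _ := json.Marshal(Association{account, taCiphertext}) // cannot fail for this type
	return seal(channel, raw)
}

// CloudServer keeps only what the trusted application already encrypted.
type CloudServer struct {
	channel cipher.AEAD       // temporary key negotiated with the terminal
	stored  map[string][]byte // system account -> account password ciphertext
}

// Store decrypts the association with the temporary key and saves it.
func (s *CloudServer) Store(wrapped []byte) error {
	raw, err := open(s.channel, wrapped)
	if err != nil {
		return err
	}
	var a Association
	if err := json.Unmarshal(raw, &a); err != nil {
		return err
	}
	s.stored[a.SystemAccount] = a.Ciphertext
	return nil
}

// Fetch matches the ciphertext by system account and re-encrypts it for transit.
func (s *CloudServer) Fetch(account string) ([]byte, error) {
	ct, ok := s.stored[account]
	if !ok {
		return nil, errors.New("no ciphertext for system account")
	}
	return seal(s.channel, ct), nil
}

func main() {
	// Constructed 32-byte keys; a failure below surfaces in the final error.
	ta, _ := newAEAD([]byte("constructed-trusted-app-key-32b!")) // stays in the TA
	channel, _ := newAEAD([]byte("constructed-temporary-key-32byt!"))
	srv := &CloudServer{channel, map[string][]byte{}}
	// Store flow: TA encrypts, client application wraps, server stores.
	err := srv.Store(Wrap(channel, "sys-user-01", seal(ta, []byte("user@example.com:pw"))))
	fmt.Println("store error:", err)
	// Login flow: server re-encrypts, client application unwraps, TA decrypts.
	fromServer, _ := srv.Fetch("sys-user-01")
	inner, _ := open(channel, fromServer)
	plain, err := open(ta, inner)
	fmt.Println("recovered:", string(plain), "error:", err)
}
```
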
Example four
This embodiment is a computer-readable storage medium corresponding to the above-described embodiment, on which a computer program is stored, which when executed by a processor implements the steps of:
the mobile terminal negotiates a temporary encryption key and a first encryption algorithm with the cloud server;
a client application of the mobile terminal obtains account password information of a mailbox from a mailbox application and sends the account password information to a trusted application in a secure operating system;
the trusted application encrypts the account password information to obtain an account password ciphertext, and sends the account password ciphertext to the client application;
the client application associates the account password ciphertext with a system account of the mobile terminal, encrypts an association relation by using the temporary encryption key and a first encryption algorithm, and then sends the association relation to a cloud server;
and the cloud server decrypts the encrypted association relationship by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain and store the association relationship.
Further, the steps also include:
when a mailbox is required to be logged in, the client application sends a system account of the mobile terminal to the cloud server;
the cloud server matches a corresponding account password ciphertext according to the system account, encrypts the account password ciphertext by using a temporary encryption key and a first encryption algorithm, and then sends the account password ciphertext to the client application;
the client application decrypts the encrypted account password ciphertext by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain an account password ciphertext and sends the account password ciphertext to the trusted application;
the trusted application decrypts the account password ciphertext to obtain account password information;
and the trusted application sends the account password information to a mailbox server.
Further, the obtaining, by the client application, account password information of the mailbox from the mailbox application specifically includes:
if the mailbox application is the system mailbox application, acquiring an account password plaintext input by a user or acquiring a mailbox account password encrypted by the system mailbox application;
and if the mailbox application is the third-party mailbox application, acquiring the encrypted mailbox account password of the third-party mailbox application.
Further, the acquiring of the mailbox account password encrypted by the third-party mailbox application specifically includes:
and when it is monitored that the encrypted mailbox account password is written into the database by the third-party mailbox application, intercepting the encrypted mailbox account password through a hook mechanism.
Further, the sending the account password information to the mailbox server specifically includes:
if the mailbox application is a system mailbox application and the account password information is an account password plaintext, sending the account password plaintext to a mailbox server;
if the mailbox application is a system mailbox application and the account password information is an encrypted mailbox account password, acquiring a third encryption algorithm of the system mailbox application;
decrypting the account password information by using a decryption algorithm corresponding to the third encryption algorithm to obtain an account password plaintext;
sending the account password plaintext to a mailbox server;
if the mailbox application is a third-party mailbox application, acquiring a fourth encryption algorithm of the third-party mailbox application;
decrypting the account password information by using a decryption algorithm corresponding to the fourth encryption algorithm to obtain an account password plaintext;
and sending the account password plaintext to a mailbox server.
Further, the negotiating between the mobile terminal and the cloud server for the temporary encryption key and the encryption algorithm specifically includes:
the mobile terminal sends algorithms preset in the secure operating system to the cloud server, wherein the algorithms comprise a first encryption algorithm, a second encryption algorithm and an MAC algorithm;
if the mobile terminal passes the verification of the digital certificate sent by the cloud server, acquiring a public key of the cloud server from the digital certificate;
the secure operating system generates a temporary encryption key;
encrypting the temporary encryption key by using the public key of the cloud server and the second encryption algorithm to obtain a first ciphertext;
performing digest operation on the temporary encryption key to obtain a first hash value;
calculating the temporary encryption key by using the MAC algorithm to obtain a first MAC value;
sending the first ciphertext, the first hash value and the first MAC value to a cloud server;
the cloud server decrypts the first ciphertext by using a private key and a decryption algorithm corresponding to the second encryption algorithm to obtain a temporary encryption key;
performing digest operation on the temporary encryption key obtained by decryption to obtain a second hash value;
calculating the temporary encryption key obtained by decryption by using the MAC algorithm to obtain a second MAC value;
and if the second hash value is consistent with the first hash value and the second MAC value is consistent with the first MAC value, judging that the negotiation is successful.
Further, if the mobile terminal verifies the digital certificate sent by the cloud server, acquiring the public key of the cloud server from the digital certificate specifically includes:
the mobile terminal sends a digital certificate or an equipment serial number of the mobile terminal to a cloud server;
the cloud server compares the digital certificate or the equipment serial number of the mobile terminal with a prestored digital certificate or equipment serial number;
if the digital certificates are consistent, the cloud server sends the digital certificates of the cloud server to the mobile terminal;
the mobile terminal compares the received digital certificate of the cloud server with a prestored digital certificate;
and if they are consistent, the mobile terminal acquires the public key of the cloud server from the digital certificate of the cloud server.
In summary, according to the protection method for the mailbox account password and the computer-readable storage medium provided by the invention, the encrypted data of the mailbox account password of the mobile terminal is stored in the cloud server, so that the risk that the encrypted data is stored in a local database and can be cracked is avoided, and the security of the mailbox account password is improved; the security of the mailbox account password is further improved by encrypting the account password information in the secure operating system; the mobile terminal and the cloud server negotiate a key and an encryption algorithm in advance, so that a secure channel between the mobile terminal and the cloud server is established, and the data exchanged between the mobile terminal and the cloud server is encrypted again for transmission with the negotiated key and encryption algorithm, which solves the problem of encrypted data leaking when traffic is captured or intercepted during the interaction, ensures the security of the communication data, and effectively protects the mailbox account password.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all equivalent changes made by using the contents of the present specification and the drawings, or applied directly or indirectly to the related technical fields, are included in the scope of the present invention.

Claims (8)

1. A method for protecting a mailbox account password is characterized by comprising the following steps:
the mobile terminal negotiates a temporary encryption key and a first encryption algorithm with the cloud server;
a client application of the mobile terminal obtains account password information of a mailbox from a mailbox application and sends the account password information to a trusted application in a secure operating system, wherein the account password information comprises an account password;
the trusted application encrypts the account password information to obtain an account password ciphertext, and sends the account password ciphertext to the client application;
the client application associates the account password ciphertext with a system account of the mobile terminal, encrypts an association relation by using the temporary encryption key and a first encryption algorithm, and then sends the association relation to a cloud server;
and the cloud server decrypts the encrypted association relationship by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain and store the association relationship.
2. The method for protecting the mailbox account password according to claim 1, further comprising:
when a mailbox is required to be logged in, the client application sends a system account of the mobile terminal to the cloud server;
the cloud server matches a corresponding account password ciphertext according to the system account, encrypts the account password ciphertext by using a temporary encryption key and a first encryption algorithm, and then sends the account password ciphertext to the client application;
the client application decrypts the encrypted account password ciphertext by using the temporary encryption key and a decryption algorithm corresponding to the first encryption algorithm to obtain an account password ciphertext and sends the account password ciphertext to the trusted application;
the trusted application decrypts the account password ciphertext to obtain account password information;
and the trusted application sends the account password information to a mailbox server.
3. The method for protecting the account password of the mailbox according to claim 2, wherein the step of the client application acquiring the account password information of the mailbox from the mailbox application specifically comprises:
if the mailbox application is the system mailbox application, acquiring an account password plaintext input by a user or acquiring a mailbox account password encrypted by the system mailbox application;
and if the mailbox application is the third-party mailbox application, acquiring the encrypted mailbox account password of the third-party mailbox application.
4. The method for protecting the mailbox account password according to claim 3, wherein the step of obtaining the mailbox account password encrypted by the third party mailbox application specifically comprises:
and when it is monitored that the encrypted mailbox account password is written into the database by the third-party mailbox application, intercepting the encrypted mailbox account password through a hook mechanism.
5. The method for protecting the mailbox account password according to claim 3, wherein the sending the account password information to the mailbox server specifically comprises:
if the mailbox application is a system mailbox application and the account password information is an account password plaintext, sending the account password plaintext to a mailbox server;
if the mailbox application is a system mailbox application and the account password information is an encrypted mailbox account password, acquiring a third encryption algorithm of the system mailbox application;
decrypting the account password information by using a decryption algorithm corresponding to the third encryption algorithm to obtain an account password plaintext;
sending the account password plaintext to a mailbox server;
if the mailbox application is a third-party mailbox application, acquiring a fourth encryption algorithm of the third-party mailbox application;
decrypting the account password information by using a decryption algorithm corresponding to the fourth encryption algorithm to obtain an account password plaintext;
and sending the account password plaintext to a mailbox server.
6. The method for protecting a mailbox account password according to claim 1, wherein the negotiation between the mobile terminal and the cloud server of the temporary encryption key and the encryption algorithm specifically comprises:
the mobile terminal sends algorithms preset in the secure operating system to the cloud server, wherein the algorithms comprise a first encryption algorithm, a second encryption algorithm and an MAC algorithm;
if the mobile terminal passes the verification of the digital certificate sent by the cloud server, acquiring a public key of the cloud server from the digital certificate;
the secure operating system generates a temporary encryption key;
encrypting the temporary encryption key by using the public key of the cloud server and the second encryption algorithm to obtain a first ciphertext;
performing digest operation on the temporary encryption key to obtain a first hash value;
calculating the temporary encryption key by using the MAC algorithm to obtain a first MAC value;
sending the first ciphertext, the first hash value and the first MAC value to a cloud server;
the cloud server decrypts the first ciphertext by using a private key and a decryption algorithm corresponding to the second encryption algorithm to obtain a temporary encryption key;
performing digest operation on the temporary encryption key obtained by decryption to obtain a second hash value;
calculating the temporary encryption key obtained by decryption by using the MAC algorithm to obtain a second MAC value;
and if the second hash value is consistent with the first hash value and the second MAC value is consistent with the first MAC value, judging that the negotiation is successful.
7. The method for protecting a mailbox account password according to claim 6, wherein if the mobile terminal verifies the digital certificate sent by the cloud server, the step of obtaining the public key of the cloud server from the digital certificate specifically comprises:
the mobile terminal sends a digital certificate or an equipment serial number of the mobile terminal to a cloud server;
the cloud server compares the digital certificate or the equipment serial number of the mobile terminal with a prestored digital certificate or equipment serial number;
if the digital certificates are consistent, the cloud server sends the digital certificates of the cloud server to the mobile terminal;
the mobile terminal compares the received digital certificate of the cloud server with a prestored digital certificate;
and if they are consistent, the mobile terminal acquires the public key of the cloud server from the digital certificate of the cloud server.
8. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of any of claims 1-7.
CN201810341234.0A 2018-04-17 2018-04-17 Protection method for mailbox account password and computer readable storage medium Active CN108737087B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810341234.0A CN108737087B (en) 2018-04-17 2018-04-17 Protection method for mailbox account password and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810341234.0A CN108737087B (en) 2018-04-17 2018-04-17 Protection method for mailbox account password and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN108737087A CN108737087A (en) 2018-11-02
CN108737087B true CN108737087B (en) 2021-04-27

Family

ID=63939602

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810341234.0A Active CN108737087B (en) 2018-04-17 2018-04-17 Protection method for mailbox account password and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN108737087B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110231965B (en) * 2019-06-19 2022-05-10 京东方科技集团股份有限公司 Cloud device, application processing method and electronic device
CN113032802B (en) * 2021-03-09 2023-09-19 航天信息股份有限公司 Data security storage method and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428221A (en) * 2013-08-26 2013-12-04 百度在线网络技术(北京)有限公司 Safety logging method, system and device of mobile application
CN103618705A (en) * 2013-11-20 2014-03-05 浪潮电子信息产业股份有限公司 Personal code managing tool and method under open cloud platform

Also Published As

Publication number Publication date
CN108737087A (en) 2018-11-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant