CN109617696B - Data encryption and data decryption method and device - Google Patents

Data encryption and data decryption method and device Download PDF

Info

Publication number
CN109617696B
CN109617696B CN201910005259.8A CN201910005259A CN109617696B CN 109617696 B CN109617696 B CN 109617696B CN 201910005259 A CN201910005259 A CN 201910005259A CN 109617696 B CN109617696 B CN 109617696B
Authority
CN
China
Prior art keywords
service request
random number
preset algorithm
data
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910005259.8A
Other languages
Chinese (zh)
Other versions
CN109617696A (en
Inventor
李春强
杜翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Chengshi Wanglin Information Technology Co Ltd
Original Assignee
Beijing Chengshi Wanglin Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Chengshi Wanglin Information Technology Co Ltd filed Critical Beijing Chengshi Wanglin Information Technology Co Ltd
Priority to CN201910005259.8A priority Critical patent/CN109617696B/en
Publication of CN109617696A publication Critical patent/CN109617696A/en
Application granted granted Critical
Publication of CN109617696B publication Critical patent/CN109617696B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method and a device for data encryption and data decryption, wherein the method comprises the following steps: when first equipment makes a service request to second equipment, generating corresponding service request data, a first random number, a second random number and a service request parameter; selecting a parameter factor in a service request parameter by using a first preset algorithm and a first random number to generate a dynamic key; selecting a parameter factor in the service request parameter by using a second preset algorithm and a second random number to generate a first signature; encrypting the service request data by adopting a dynamic key to obtain encrypted data; and sending a service request carrying the encrypted data, the first signature, the first random number, the second random number and the service request parameter to the second device. Therefore, the dynamic key and the first signature are dynamically generated by adopting a preset algorithm and a random number according to the service request, are not fixedly stored, are effectively not multiplexed at a time, effectively avoid risks caused by leakage and increase the cracking difficulty of the encrypted data; the safety of data transmission is improved.

Description

Data encryption and data decryption method and device
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method and an apparatus for data encryption and data decryption.
Background
With the rapid development of science and technology, daily life and work gradually present informatization. Information is transmitted based on modern communication technology, information is easy to be intercepted by attackers and the like, people pay more and more attention to the safety of the information in the information transmission process, and therefore the transmitted information needs to be encrypted to enhance the safety.
In the prior art, a fixed key is generally used to encrypt transmission information, and the encrypted transmission information is obtained and transmitted. Specifically, for two devices needing information transfer, a fixed symmetric key is generated in advance, and information transfer is realized by symmetric encryption based on the symmetric key, or a fixed asymmetric key is generated in advance, and information transfer is realized by asymmetric encryption based on the asymmetric key.
However, the inventor has found through research that the fixed key such as the symmetric key or the asymmetric key is generated in advance and stored in the device side, and an attacker can attack the device side by using various attack means to acquire the stored fixed key, and can decipher the transmitted encrypted information by using the acquired fixed key. The fixed key of the encryption mode is easy to leak, so that the encrypted information is easy to crack, and the safety of information transmission is reduced.
Disclosure of Invention
The technical problem to be solved by the application is to provide a method and a device for data encryption and data decryption, so that risks caused by secret key leakage are effectively avoided, the decryption difficulty of encrypted data is increased, and the security of data transmission is greatly improved.
In a first aspect, an embodiment of the present application provides a data encryption method, which is applied to a first device, and the method includes:
generating service request data, a first random number, a second random number and a service request parameter based on a service request to second equipment;
selecting a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key; selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a first signature;
encrypting the service request data by using the dynamic key to generate encrypted data;
and sending the service request to the second device, wherein the service request carries the encrypted data, the first signature, the first random number, the second random number and the service request parameter.
Optionally, the service request parameter at least includes a first device identifier or one other service request parameter.
Optionally, the first random number and the second random number are different; and/or the first preset algorithm is different from the second preset algorithm.
Optionally, the first preset algorithm and the second preset algorithm are pre-agreed by the first device and the second device.
Optionally, the method further includes:
acquiring an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and sending the identifier of the first preset algorithm and the identifier of the second preset algorithm to the second equipment.
In a second aspect, an embodiment of the present application provides a method for decrypting data, which is applied to a second device, and the method includes:
receiving a service request sent by first equipment, wherein the service request carries encrypted data, a first signature, a first random number, a second random number and a service request parameter;
selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a second signature;
if the second signature is matched with the first signature, selecting a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key;
and decrypting the encrypted data by using the dynamic key to obtain service request data.
Optionally, the service request parameter at least includes a first device identifier or one other service request parameter.
Optionally, the first preset algorithm and the second preset algorithm are pre-agreed by the first device and the second device.
Optionally, the method further includes:
receiving an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and obtaining the first preset algorithm and the second preset algorithm according to the identifier of the first preset algorithm and the identifier of the second preset algorithm.
Optionally, the method further includes:
and if the second signature is not matched with the first signature, forbidding the service request of the first equipment to the second equipment.
In a third aspect, an embodiment of the present application provides an apparatus for data encryption, where the apparatus is applied to a first device, and the apparatus includes:
a first generating unit, configured to generate service request data, a first random number, a second random number, and a service request parameter based on a service request to a second device;
the second generation unit is used for selecting parameter factors in the service request parameters according to a first preset algorithm and the first random number to generate dynamic keys; selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a first signature;
an encryption generating unit, configured to encrypt the service request data with the dynamic key to generate encrypted data;
a first sending unit, configured to send the service request to a second device, where the service request carries the encrypted data, the first signature, the first random number, the second random number, and the service request parameter.
Optionally, the service request parameter at least includes a first device identifier or one other service request parameter.
Optionally, the first random number and the second random number are different; and/or the first preset algorithm is different from the second preset algorithm.
Optionally, the first preset algorithm and the second preset algorithm are pre-agreed by the first device and the second device.
Optionally, the method further includes:
a first obtaining unit, configured to obtain an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and the second sending unit is used for sending the identifier of the first preset algorithm and the identifier of the second preset algorithm to the second equipment.
In a fourth aspect, an embodiment of the present application provides an apparatus for decrypting data, which is applied to a second device, and the apparatus includes:
the first receiving unit is used for receiving a service request sent by first equipment, wherein the service request carries encrypted data, a first signature, a first random number, a second random number and a service request parameter;
a third generating unit, configured to select a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a second signature;
a fourth generating unit, configured to select a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key if the second signature is matched with the first signature;
and the decryption obtaining unit is used for decrypting the encrypted data by using the dynamic key to obtain the service request data.
Optionally, the service request parameter at least includes a first device identifier or one other service request parameter.
Optionally, the first preset algorithm and the second preset algorithm are pre-agreed by the first device and the second device.
Optionally, the method further includes:
a second receiving unit, configured to receive an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and the second obtaining unit is used for obtaining the first preset algorithm and the second preset algorithm according to the identifier of the first preset algorithm and the identifier of the second preset algorithm.
Optionally, the method further includes:
a prohibiting unit, configured to prohibit the service request from the first device to the second device if the second signature is not matched with the first signature.
In a fifth aspect, an embodiment of the present application provides a data encryption device, where the data encryption device includes a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the method for data encryption according to any one of the first aspect above according to instructions in the program code.
In a sixth aspect, an embodiment of the present application provides a computer-readable storage medium for storing program codes, where the program codes are used to execute the method for encrypting data in any one of the above first aspects.
In a seventh aspect, an embodiment of the present application provides a data decryption device, where the data decryption device includes a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the method for encrypting data according to any one of the second aspect.
In an eighth aspect, the present application provides a computer-readable storage medium for storing program codes for executing the method for decrypting data according to any one of the second aspects.
Compared with the prior art, the method has the advantages that:
by adopting the technical scheme of the embodiment of the application, when the first equipment makes a service request to the second equipment, firstly, corresponding service request data, a first random number, a second random number and a service request parameter are generated; secondly, selecting a parameter factor in the service request parameter by using a first preset algorithm and a first random number to generate a dynamic key; selecting a parameter factor in the service request parameter by using a second preset algorithm and a second random number to generate a first signature; then, encrypting the service request data by adopting a dynamic key to obtain encrypted data; and finally, sending a service request carrying the encrypted data, the first signature, the first random number, the second random number and the service request parameter to the second device. Therefore, the dynamic key and the first signature are both dynamically generated by adopting a preset algorithm and a random number aiming at the service request, are not fixed keys and are not fixedly stored, and the risk caused by leakage is effectively avoided; the dynamic key encrypts the service request data, and the cracking difficulty of the encrypted data is increased; the dynamic secret key is effective once and is not multiplexed, so that the safety of data transmission is greatly improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments of the present application will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a system framework related to an application scenario in an embodiment of the present application;
fig. 2 is a schematic flowchart of a method for encrypting data according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a method for decrypting data according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a method for decrypting data and decrypting data according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an apparatus for decrypting data according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an apparatus for decrypting data according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
As people pay more and more attention to the security of information, the transmitted information needs to be encrypted in the information transmission process. Generally, the transfer information is encrypted by using a fixed key, and the encrypted information obtained by encrypting is transferred. For example, a fixed symmetric key or an asymmetric key is generated in advance, and information transfer is realized by performing symmetric encryption based on the symmetric key, or information transfer is realized by performing asymmetric encryption based on the asymmetric key. However, the inventor has found through research that the fixed key such as the symmetric key or the asymmetric key is generated in advance and stored in the device side, and an attacker can use various attack means to attack the device side to obtain the stored fixed key, for example, use decompilation means to obtain the fixed key stored in the device side, and the fixed key can decipher the encrypted information transmitted by the device side. The fixed key of the encryption mode is easy to leak, so that the encrypted information is easy to crack, and the safety of information transmission is reduced.
In order to solve the problem, in the embodiment of the present application, when a first device makes a service request to a second device, first, corresponding service request data, a first random number, a second random number, and a service request parameter are generated; secondly, selecting a parameter factor in the service request parameter by using a first preset algorithm and a first random number to generate a dynamic key; selecting a parameter factor in the service request parameter by using a second preset algorithm and a second random number to generate a first signature; then, encrypting the service request data by adopting a dynamic key to obtain encrypted data; and finally, sending a service request carrying the encrypted data, the first signature, the first random number, the second random number and the service request parameter to the second device. Therefore, the dynamic key and the first signature are both dynamically generated by adopting a preset algorithm and a random number aiming at the service request, are not fixed keys and are not fixedly stored, and the risk caused by leakage is effectively avoided; the dynamic key encrypts the service request data, and the decryption difficulty of the encrypted data is increased; the dynamic secret key is effective once and is not multiplexed, so that the safety of data transmission is greatly improved.
For example, one of the scenarios in the embodiment of the present application may be applied to the scenario shown in fig. 1, where the scenario includes a first device 101 and a second device 102. The first device 101 needs to make a service request to the second device 102, and service request data corresponding to the service request needs to be encrypted to prevent an attacker from intercepting and breaking the service request. It can be understood that this scenario is only one example of the scenario provided in the embodiment of the present application, and the embodiment of the present application is not limited to this scenario.
The following describes in detail a specific implementation manner of the method and apparatus for data encryption and data decryption in the embodiments of the present application by way of embodiments with reference to the accompanying drawings.
Exemplary method
Method embodiment one
Referring to fig. 2, a flow chart of a method for encrypting data in the embodiment of the present application is shown. In this embodiment, applied to the first device, the method may include the following steps:
step 201: service request data, a first random number, a second random number, and a service request parameter are generated based on a service request to a second device.
It can be understood that, in a scenario where the first device has privacy to the service request of the second device and needs to be kept secret, service request data corresponding to the service request needs to be encrypted. Because a traditional fixed key encryption mode such as a symmetric key or an asymmetric key is adopted, an attacker can easily attack the fixed key stored at the equipment end to decipher the encrypted service request data. Considering that the service request has corresponding service request parameters, in order to generate a dynamic key conveniently and quickly, the service request parameters can be randomly selected to generate an encryption key and a data signature, which are recorded as the dynamic key and the first signature.
It should be noted that, in consideration of the lengths of the generated dynamic key and the first signature, and the randomness of the lengths of the dynamic key and the first signature generated each time, a random number may be obtained and recorded as a first random number, which is used to select a service request parameter to generate a dynamic key, where the length of the dynamic key is the first random number; another random number can be obtained and recorded as a second random number, which is used for selecting the service request parameter to generate a first signature, and the length of the first signature is the second random number. Based on this, in the embodiment of the present application, when a first device makes a service request for a second device, first, service request data corresponding to the service request, a first random number used for generating a dynamic key and a first signature, a second random number, and a service request parameter should be obtained.
It should be further noted that, for one service request, common service request parameters include the first device identifier and other service request parameters except the first device identifier, and the other service request parameters may be, for example, a service request identifier and the like. The service request parameter for generating the dynamic key and the first signature may be the first device identifier, or may be any one of other service request parameters, and of course, the service request parameter for generating the dynamic key and the first signature may also be a combination of the first device identifier and any one or more other service request parameters, or a combination of any more other service request parameters. Therefore, in some implementations of embodiments of the present application, the service request parameter includes at least a first device identification or one other service request parameter.
Step 202: selecting a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key; and selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a first signature.
It can be understood that, after the first random number and the service request parameter are obtained in step 201, the service request parameter is used to generate a dynamic key, the first random number determines the length of the dynamic key, which is equivalent to that the first random number is used to determine which parameter factors are selected from the service request parameter to generate the dynamic key, however, for the dynamic key, an algorithm for determining which parameter factors are selected from the service request parameter to generate the dynamic key is further required, and is marked as a first preset algorithm, and then the parameter factors in the service request parameter are selected by using the first preset algorithm and the first random number to generate the dynamic key.
Similarly, after the second random number and the service request parameter are obtained in step 201, the service request parameter is used to generate the first signature, the second random number determines the length of the first signature, which is equivalent to that the second random number is used to determine which parameter factors are selected from the service request parameter to generate the first signature, however, for the first signature, an algorithm for determining which parameter factors are selected from the service request parameter to generate the first signature is required to be recorded as the second preset algorithm, and then the parameter factors in the service request parameter are selected by using the second preset algorithm and the second random number to generate the first signature.
It should be noted that, the first random number and the first preset algorithm are combined to determine a parameter factor for generating a dynamic key selected from the service request parameters, and the second random number and the second preset algorithm are combined to determine a parameter factor for generating a first signature selected from the service request parameters; in order to make the generated dynamic key and the first signature different, at least the first random number and the second random number are different; or the first preset algorithm and the second preset algorithm are different; of course, the first preset algorithm and the second preset algorithm may be different when the first random number and the second random number are different. Thus, in some implementations of embodiments of the present application, the first random number and the second random number are different; and/or the first preset algorithm is different from the second preset algorithm.
For example, assuming that the service request parameter includes a first device identifier and three other service request parameters, the first random number is 8, the second random number is 6, and the first preset algorithm and the second preset algorithm are different, an 8-bit parameter factor may be selected from the first device identifier and the three other service request parameters based on the first preset algorithm to generate a dynamic key, for example, a 2-bit parameter factor is selected from four data of the first device identifier and the three other service request parameters to generate the dynamic key; based on a second preset algorithm, a 6-bit parameter factor is selected from the first device identifier and the three other service request parameters to generate a first signature, for example, a 3-bit parameter factor is selected from the first device identifier, and then a 1-bit parameter factor is selected from each of the three other service request parameters to generate the first signature.
It should be noted that, since the subsequent second device needs to perform decryption operation corresponding to the encryption operation of the first device, and considering the security of the first preset algorithm and the second preset algorithm, it is not easy for an attacker to intercept the decryption operation, an algorithm agreed in advance by the first device and the second device should be selected, so that the first preset algorithm and the second preset algorithm can be defined without transmitting a specific algorithm between the first device and the second device. That is, in some implementations of the embodiments of the present application, the first preset algorithm and the second preset algorithm are pre-agreed by the first device and the second device.
Step 203: and encrypting the service request data by using the dynamic key to generate encrypted data.
It can be understood that the dynamic key generated in step 202 is used to encrypt the service request data, and then step 203 is executed after step 202, and the service request data is encrypted by using the dynamic key to obtain encrypted data, and the randomness, the single-time non-reusability, and the non-fixed storage property of the dynamic key can increase the difficulty of cracking the encrypted data, thereby improving the security of the encrypted service request data.
Step 204: and sending the service request to the second device, wherein the service request carries the encrypted data, the first signature, the first random number, the second random number and the service request parameter.
It will be understood that after the encrypted data is obtained in step 203, the encrypted data and the first signature obtained in step 202 and the first random number, the second random number and the service request parameter obtained in step 201 need to be sent to the second device together, so that the second device not only obtains the encrypted service request data and the first signature, but also specifies the first random number, the second random number and the service request parameter used for generating the dynamic key and the first signature.
It should be noted that, the first preset algorithm and the second preset algorithm are predetermined by the first device and the second device, and there are the following two cases: the first situation is that the first device and the second device only agree on a first preset algorithm and a second preset algorithm in advance, no message needs to be transmitted between the first device and the second device, and the second device can determine the first preset algorithm and the second preset algorithm applied in each service request encryption process of the first device; the second situation is that the first device and the second device agree on a plurality of algorithms in advance, and the second device does not know a first preset algorithm and a second preset algorithm applied in each service request encryption process of the first device, and at this time, the first device needs to notify the second device of an identifier of the first preset algorithm and an identifier of the second preset algorithm. Thus, in some implementations of embodiments of the present application, for example, the following steps may also be included:
step A: acquiring an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and B, step B: and sending the identifier of the first preset algorithm and the identifier of the second preset algorithm to the second equipment.
Through various implementation manners provided by this embodiment, when a first device makes a service request to a second device, first, corresponding service request data, a first random number, a second random number, and a service request parameter are generated; secondly, selecting a parameter factor in the service request parameter by using a first preset algorithm and a first random number to generate a dynamic key; selecting a parameter factor in the service request parameter by using a second preset algorithm and a second random number to generate a first signature; then, encrypting the service request data by adopting a dynamic key to obtain encrypted data; and finally, sending a service request carrying the encrypted data, the first signature, the first random number, the second random number and the service request parameter to the second device. Therefore, the dynamic key and the first signature are both dynamically generated by adopting a preset algorithm and a random number aiming at the service request, are not fixed keys and are not fixedly stored, and the risk caused by leakage is effectively avoided; the dynamic key encrypts the service request data, and the cracking difficulty of the encrypted data is increased; the dynamic secret key is effective once and is not multiplexed, so that the safety of data transmission is greatly improved.
Method embodiment two
Referring to fig. 3, a schematic flow chart of another data decryption method in the embodiment of the present application is shown. In this embodiment, applied to the second device, the method may include the following steps:
step 301: and receiving a service request sent by first equipment, wherein the service request carries encrypted data, a first signature, a first random number, a second random number and a service request parameter.
The service request parameters received by the second device and sent by the first device are the same as the above based on the description of the service request parameters generated by the first device corresponding to the service request. Therefore, in some implementations of the embodiments of the present application, the service request parameter includes at least a first device identification or one other service request parameter.
It should be noted that, based on the description of the first preset algorithm and the second preset algorithm applied by the first device, the first preset algorithm and the second preset algorithm applied by the second device are the same as those described above. Therefore, in some implementations of embodiments of the present application, the first preset algorithm and the second preset algorithm are pre-agreed by the first device and the second device.
It should be noted that, in the case that the first device and the second device agree in advance a plurality of algorithms, based on the identifier of the first preset algorithm and the identifier of the second preset algorithm sent by the first device, the second device may determine, from the plurality of algorithms agreed in advance, the first preset algorithm and the second preset algorithm used by the first device based on the identifier of the first preset algorithm and the identifier of the second preset algorithm. Therefore, in some implementations of the embodiments of the present application, for example, the following steps may also be included:
step C: receiving the identifier of the first preset algorithm and the identifier of the second preset algorithm;
step D: and obtaining the first preset algorithm and the second preset algorithm according to the identifier of the first preset algorithm and the identifier of the second preset algorithm.
Step 302: and selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a second signature.
It will be appreciated that the second device first needs to verify the first signature it receives before decrypting the encrypted data in order to determine whether the encrypted data it receives was sent by the first device and has not been tampered with. Specifically, first, the second device selects a parameter factor in a service request parameter sent by the first device to regenerate a data signature based on a determined second preset algorithm and a second random number sent by the first device, and records the data signature as a second signature, and then verifies the first signature by using the second signature.
Step 303: and if the second signature is matched with the first signature, selecting a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key.
It can be understood that, verifying the received first signature by using the second signature regenerated by the second device specifically is to compare and match the second signature with the first signature, and if the second signature matches with the first signature, it indicates that the encrypted data received by the second device is indeed sent by the first device and has not been tampered, and at this time, the second device may select a parameter factor in the service request parameter sent by the first device to regenerate the dynamic key used for decrypting the encrypted data based on the determined first preset algorithm and the first random number sent by the first device.
It should be noted that, when the second signature regenerated by the second device does not match the first signature sent by the first device, it indicates that the encrypted data received by the second device is tampered by an attacker, and at this time, the second device no longer correctly responds to the service request sent by the first device, and it is necessary to prohibit rejection of the service request. Therefore, in some implementations of the embodiments of the present application, for example, the method may further include: and if the second signature is not matched with the first signature, forbidding the service request of the first equipment to the second equipment.
Step 304: and decrypting the encrypted data by using the dynamic key to obtain service request data.
It is understood that the dynamic key obtained in step 303 is used to decrypt the encrypted data, and after step 303, the service request data can be obtained by decrypting the encrypted data based on the dynamic key, so as to clarify the specific content of the service request sent by the first device, so as to perform a correct response later.
Through various implementation manners provided by this embodiment, when the second device receives a service request carrying encrypted data, a first signature, a first random number, a second random number, and a service request parameter, of the first device; selecting a parameter factor in the service request parameter by using a second preset algorithm and a second random number to generate a second signature; if the second signature is matched with the first signature, selecting a parameter factor in a service request parameter by using a first preset algorithm and a first random number to generate a dynamic key; and decrypting the encrypted data by using the dynamic key to obtain service request data. Therefore, the dynamic key, the first signature and the second signature are used for encrypting and decrypting the dynamic key, the first signature and the second signature are dynamically generated by adopting a preset algorithm and a random number according to the service request, and are not fixed keys and are not fixedly stored, so that the risk caused by leakage is effectively avoided; the encrypted data is obtained by encrypting the service request data by the dynamic key, and the cracking difficulty is increased; the dynamic secret key is effective once and is not multiplexed, so that the safety of data transmission is greatly improved.
Method embodiment three
Referring to fig. 4, a schematic flow chart diagram of another method for data encryption and data decryption in the embodiment of the present application is shown. In this embodiment, the method may include, for example, the steps of:
step 401: the first device generates service request data, a first random number, a second random number, and a service request parameter based on a service request to the second device.
Step 402: the first equipment selects parameter factors in the service request parameters according to a first preset algorithm and a first random number to generate a dynamic key; and selecting a parameter factor in the service request parameter according to a second preset algorithm and a second random number to generate a first signature.
Step 403: the first device encrypts the service request data using the dynamic key to generate encrypted data.
Step 404: the first device sends a service request to the second device, wherein the service request carries encrypted data, a first signature, a first random number, a second random number and a service request parameter.
Step 405: and the second equipment selects a parameter factor in the service request parameter according to a second preset algorithm and a second random number to generate a second signature.
Step 406: the second device verifies whether the second signature and the first signature are matched, if yes, step 407-408 is executed; if not, go to step 409.
Step 407: and the second equipment selects parameter factors in the service request parameters according to the first preset algorithm and the first random number to generate a dynamic key.
Step 408: and the second equipment decrypts the encrypted data by using the dynamic key to obtain the service request data.
Step 409: and forbidding the service request of the first equipment to the second equipment.
Through various implementation manners provided by this embodiment, when a first device makes a service request to a second device, the first device generates corresponding service request data, a first random number, a second random number, and a service request parameter; selecting parameter factors in the service request parameters by using a first preset algorithm and a first random number to generate a dynamic key, and selecting the parameter factors in the service request parameters by using a second preset algorithm and a second random number to generate a first signature; encrypting the service request data by adopting a dynamic key to obtain encrypted data; and sending a service request carrying the encrypted data, the first signature, the first random number, the second random number and the service request parameter to the second equipment. The second device selects a parameter factor in the service request parameter by using a second preset algorithm and a second random number to generate a second signature; if the second signature is verified to be matched with the first signature, selecting a parameter factor in the service request parameter by using a first preset algorithm and a first random number to generate a dynamic key; and decrypting the encrypted data by using the dynamic key to obtain service request data. Therefore, the dynamic key, the first signature and the second signature are dynamically generated by adopting a preset algorithm and a random number aiming at the service request, are not fixed keys and are not fixedly stored, and the risk caused by leakage is effectively avoided; the dynamic key encrypts the service request data, and the cracking difficulty of the encrypted data is increased; the dynamic secret key is effective once and is not multiplexed, so that the safety of data transmission is greatly improved.
Exemplary devices
Apparatus embodiment one
Referring to fig. 5, a schematic structural diagram of an apparatus for encrypting data in an embodiment of the present application is shown. In this embodiment, the apparatus is applied to the first device, and may specifically include:
a first generating unit 501, configured to generate service request data, a first random number, a second random number, and a service request parameter based on a service request for a second device;
a second generating unit 502, configured to select a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key; selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a first signature;
an encryption generating unit 503, configured to encrypt the service request data with the dynamic key to generate encrypted data;
a first sending unit 504, configured to send the service request to a second device, where the service request carries the encrypted data, the first signature, the first random number, the second random number, and the service request parameter.
In some implementations of the embodiments of the present application, the service request parameter includes at least a first device identifier or one other service request parameter.
In some implementations of embodiments of the present application, the first random number and the second random number are different; and/or the first preset algorithm is different from the second preset algorithm.
In some implementations of embodiments of the present application, the first preset algorithm and the second preset algorithm are pre-agreed by the first device and the second device.
In some implementations of embodiments of the present application, the apparatus further comprises:
a first obtaining unit, configured to obtain an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and the second sending unit is used for sending the identifier of the first preset algorithm and the identifier of the second preset algorithm to the second equipment.
Through various implementation manners provided by this embodiment, when a first device makes a service request to a second device, first, corresponding service request data, a first random number, a second random number, and a service request parameter are generated; secondly, selecting a parameter factor in the service request parameter by using a first preset algorithm and a first random number to generate a dynamic key; selecting a parameter factor in the service request parameter by using a second preset algorithm and a second random number to generate a first signature; then, encrypting the service request data by adopting a dynamic key to obtain encrypted data; and finally, sending a service request carrying the encrypted data, the first signature, the first random number, the second random number and the service request parameter to the second device. Therefore, the dynamic key and the first signature are both dynamically generated by adopting a preset algorithm and a random number aiming at the service request, are not fixed keys and are not fixedly stored, and the risk caused by leakage is effectively avoided; the dynamic key encrypts the service request data, and the cracking difficulty of the encrypted data is increased; the dynamic secret key is effective once and is not multiplexed, so that the safety of data transmission is greatly improved.
Device embodiment II
Referring to fig. 6, a schematic structural diagram of an apparatus for decrypting data in an embodiment of the present application is shown. In this embodiment, the apparatus may specifically include, for example, as applied to the second device:
a first receiving unit 601, configured to receive a service request sent by a first device, where the service request carries encrypted data, a first signature, a first random number, a second random number, and a service request parameter;
a third generating unit 602, configured to select a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a second signature;
a fourth generating unit 603, configured to select a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key if the second signature is matched with the first signature;
a decryption obtaining unit 604, configured to decrypt the encrypted data with the dynamic key to obtain service request data.
In some implementations of the embodiments of the present application, the service request parameter includes at least a first device identifier or one other service request parameter.
In some implementations of embodiments of the present application, the first preset algorithm and the second preset algorithm are pre-agreed by the first device and the second device.
In some implementations of embodiments of the present application, the apparatus further comprises:
a second receiving unit, configured to receive an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and the second obtaining unit is used for obtaining the first preset algorithm and the second preset algorithm according to the identifier of the first preset algorithm and the identifier of the second preset algorithm.
In some implementations of embodiments of the present application, the apparatus further comprises:
a prohibiting unit, configured to prohibit the service request from the first device to the second device if the second signature is not matched with the first signature.
Through various implementation manners provided by this embodiment, when the second device receives a service request carrying encrypted data, a first signature, a first random number, a second random number, and a service request parameter of the first device; selecting a parameter factor in the service request parameter by using a second preset algorithm and a second random number to generate a second signature; if the second signature is verified to be matched with the first signature, selecting a parameter factor in the service request parameter by using a first preset algorithm and a first random number to generate a dynamic key; and decrypting the encrypted data by using the dynamic key to obtain service request data. Therefore, the dynamic key, the first signature and the second signature are dynamically generated by adopting a preset algorithm and a random number according to the service request, are not fixed keys and are not fixedly stored, and the risk caused by leakage is effectively avoided; the encrypted data is obtained by encrypting the service request data by the dynamic key, so that the cracking difficulty is increased; the dynamic secret key is effective once and is not multiplexed, so that the safety of data transmission is greatly improved.
In addition, to the first embodiment of the method, an embodiment of the present application further provides a data encryption device, where the data encryption device includes a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute the method for encrypting data according to the first method embodiment according to the instructions in the program code.
In addition, for the first method embodiment, the present application further provides a computer-readable storage medium, where the computer-readable storage medium is used to store a program code, and the program code is used to execute the method for encrypting data in the first method embodiment.
In addition, to the second embodiment of the method, an embodiment of the present application further provides a data decryption device, where the data decryption device includes a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to execute the method for encrypting data according to the second method embodiment according to the instructions in the program code.
In addition, for the second method embodiment, an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium is used to store a program code, and the program code is used to execute the method for decrypting data in the second method embodiment.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed in the embodiment corresponds to the method disclosed in the embodiment, so that the description is simple, and the relevant points can be referred to the description of the method part.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application in any way. Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application. Those skilled in the art can make numerous possible variations and modifications to the disclosed solution, or modify it to equivalent embodiments, using the methods and techniques disclosed above, without departing from the scope of the claimed solution. Therefore, any simple modification, equivalent change and modification made to the above embodiments according to the technical essence of the present application still fall within the protection scope of the technical solution of the present application without departing from the content of the technical solution of the present application.

Claims (24)

1. A method for encrypting data, applied to a first device, comprising:
generating service request data, a first random number, a second random number and a service request parameter based on a service request to a second device; the first random number is different from the second random number;
selecting a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key; selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a first signature;
the first random number is used for selecting the service request parameter to generate the dynamic key, and the length of the dynamic key is the first random number;
encrypting the service request data by using the dynamic key to generate encrypted data;
and sending the service request to the second device, wherein the service request carries the encrypted data, the first signature, the first random number, the second random number and the service request parameter.
2. The method of claim 1, wherein the service request parameter comprises at least a first device identification or one other service request parameter.
3. The method of claim 1, wherein the first random number and the second random number are different; and/or the first preset algorithm is different from the second preset algorithm.
4. The method of claim 1, wherein the first predetermined algorithm and the second predetermined algorithm are pre-agreed upon by the first device and the second device.
5. The method of claim 1, further comprising:
acquiring an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and sending the identifier of the first preset algorithm and the identifier of the second preset algorithm to the second equipment.
6. A method for decrypting data, applied to a second device, comprising:
receiving a service request sent by first equipment, wherein the service request carries encrypted data, a first signature, a first random number, a second random number and a service request parameter; the first random number is different from the second random number;
selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a second signature;
if the second signature is matched with the first signature, selecting a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key;
the first random number is used for selecting the service request parameter to generate the dynamic key, and the length of the dynamic key is the first random number;
and decrypting the encrypted data by using the dynamic key to obtain service request data.
7. The method of claim 6, wherein the service request parameter comprises at least a first device identification or one other service request parameter.
8. The method of claim 6, wherein the first predetermined algorithm and the second predetermined algorithm are pre-agreed upon by the first device and the second device.
9. The method of claim 6, further comprising:
receiving the identifier of the first preset algorithm and the identifier of the second preset algorithm;
and obtaining the first preset algorithm and the second preset algorithm according to the identifier of the first preset algorithm and the identifier of the second preset algorithm.
10. The method of claim 6, further comprising:
and if the second signature is not matched with the first signature, forbidding the first equipment to request the service of the second equipment.
11. An apparatus for encrypting data, applied to a first device, comprising:
a first generating unit, configured to generate service request data, a first random number, a second random number, and a service request parameter based on a service request to a second device; the first random number is different from the second random number;
the second generation unit is used for selecting parameter factors in the service request parameters according to a first preset algorithm and the first random number to generate dynamic keys; selecting a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a first signature; the first random number is used for selecting the service request parameter to generate the dynamic key, and the length of the dynamic key is the first random number;
an encryption generating unit, configured to encrypt the service request data with the dynamic key to generate encrypted data;
a first sending unit, configured to send the service request to a second device, where the service request carries the encrypted data, the first signature, the first random number, the second random number, and the service request parameter.
12. The apparatus of claim 11, wherein the service request parameter comprises at least a first device identification or one other service request parameter.
13. The apparatus of claim 11, wherein the first random number and the second random number are different; and/or the first preset algorithm is different from the second preset algorithm.
14. The apparatus of claim 11, wherein the first predetermined algorithm and the second predetermined algorithm are pre-agreed upon by the first device and the second device.
15. The apparatus of claim 11, further comprising:
a first obtaining unit, configured to obtain an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and the second sending unit is used for sending the identifier of the first preset algorithm and the identifier of the second preset algorithm to the second equipment.
16. An apparatus for decrypting data, applied to a second device, comprising:
a first receiving unit, configured to receive a service request sent by a first device, where the service request carries encrypted data, a first signature, a first random number, a second random number, and a service request parameter; the first random number is different from the second random number;
a third generating unit, configured to select a parameter factor in the service request parameter according to a second preset algorithm and the second random number to generate a second signature;
a fourth generating unit, configured to select a parameter factor in the service request parameter according to a first preset algorithm and the first random number to generate a dynamic key if the second signature is matched with the first signature; the first random number is used for selecting the service request parameter to generate the dynamic key, and the length of the dynamic key is the first random number;
and the decryption obtaining unit is used for decrypting the encrypted data by using the dynamic key to obtain the service request data.
17. The apparatus of claim 16, wherein the service request parameter comprises at least a first device identification or one other service request parameter.
18. The apparatus of claim 16, wherein the first predetermined algorithm and the second predetermined algorithm are pre-agreed upon by the first device and the second device.
19. The apparatus of claim 16, further comprising:
a second receiving unit, configured to receive an identifier of the first preset algorithm and an identifier of the second preset algorithm;
and the second obtaining unit is used for obtaining the first preset algorithm and the second preset algorithm according to the identifier of the first preset algorithm and the identifier of the second preset algorithm.
20. The apparatus of claim 16, further comprising:
a prohibiting unit, configured to prohibit the service request from the first device to the second device if the second signature is not matched with the first signature.
21. A data encryption device, characterized in that the data encryption device comprises a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the method of data encryption of any one of claims 1-5 according to instructions in the program code.
22. A computer-readable storage medium, characterized in that the computer-readable storage medium is configured to store a program code for performing the method of data encryption according to any one of claims 1-5.
23. A data decryption device, characterized in that the data decryption device comprises a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the method of data decryption of any one of claims 6-10 according to instructions in the program code.
24. A computer-readable storage medium, characterized in that the computer-readable storage medium is configured to store a program code for performing the method of data decryption of any of claims 6-10.
CN201910005259.8A 2019-01-03 2019-01-03 Data encryption and data decryption method and device Active CN109617696B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910005259.8A CN109617696B (en) 2019-01-03 2019-01-03 Data encryption and data decryption method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910005259.8A CN109617696B (en) 2019-01-03 2019-01-03 Data encryption and data decryption method and device

Publications (2)

Publication Number Publication Date
CN109617696A CN109617696A (en) 2019-04-12
CN109617696B true CN109617696B (en) 2022-08-19

Family

ID=66016137

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910005259.8A Active CN109617696B (en) 2019-01-03 2019-01-03 Data encryption and data decryption method and device

Country Status (1)

Country Link
CN (1) CN109617696B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431846B (en) * 2019-05-30 2022-12-02 杭州海康威视数字技术股份有限公司 Data transmission method, device and system
CN112468470B (en) * 2020-11-16 2022-10-11 北京字节跳动网络技术有限公司 Data transmission method and device and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104796745A (en) * 2015-03-26 2015-07-22 成都市斯达鑫辉视讯科技有限公司 Safety protection method for set top box
CN105763331A (en) * 2014-12-19 2016-07-13 北大方正集团有限公司 Data encryption method, device, data decryption method and device
CN106603234A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Method, device and system for device identity authentication
CN109039997A (en) * 2017-06-12 2018-12-18 北京金山云网络技术有限公司 Key preparation method, apparatus and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106487749B (en) * 2015-08-26 2021-02-19 阿里巴巴集团控股有限公司 Key generation method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105763331A (en) * 2014-12-19 2016-07-13 北大方正集团有限公司 Data encryption method, device, data decryption method and device
CN104796745A (en) * 2015-03-26 2015-07-22 成都市斯达鑫辉视讯科技有限公司 Safety protection method for set top box
CN106603234A (en) * 2015-10-14 2017-04-26 阿里巴巴集团控股有限公司 Method, device and system for device identity authentication
CN109039997A (en) * 2017-06-12 2018-12-18 北京金山云网络技术有限公司 Key preparation method, apparatus and system

Also Published As

Publication number Publication date
CN109617696A (en) 2019-04-12

Similar Documents

Publication Publication Date Title
CN107294937B (en) Data transmission method based on network communication, client and server
CN106612180B (en) Method and device for realizing session identification synchronization
CN108111497B (en) Mutual authentication method and device for camera and server
WO2018076365A1 (en) Key negotiation method and device
CN108632296B (en) Dynamic encryption and decryption method for network communication
CN112565205B (en) Credible authentication and measurement method, server, terminal and readable storage medium
US11438316B2 (en) Sharing encrypted items with participants verification
CN109474419A (en) A kind of living body portrait photo encryption and decryption method and encrypting and deciphering system
CN110635901A (en) Local Bluetooth dynamic authentication method and system for Internet of things equipment
CN105187369B (en) A kind of data access method and device
CN113014380B (en) File data password management method and device, computer equipment and storage medium
KR20220025155A (en) Data protection and recovery systems and methods
CN110855695A (en) Improved SDN network security authentication method and system
CN112311533A (en) Terminal identity authentication method, system and storage medium
CN111740995A (en) Authorization authentication method and related device
CN109617696B (en) Data encryption and data decryption method and device
KR101358375B1 (en) Prevention security system and method for smishing
CN112733200B (en) Information processing method, encryption machine and information processing system of service key
CN114499837A (en) Method, device, system and equipment for preventing leakage of message
CN117436043A (en) Method and device for verifying source of file to be executed and readable storage medium
CN104394532A (en) Anti-brute force safe log-in method for mobile terminal
CN102404363A (en) Access method and access device
CN112688949B (en) Access method, device, equipment and computer readable storage medium
JP5376663B2 (en) TRANSMITTING DEVICE, RECEIVING DEVICE, AND MANAGEMENT SERVER FOR ENCRYPTED DATA DISTRIBUTION, TRANSMITTING PROGRAM, RECEIVING PROGRAM, AND MANAGING PROGRAM FOR ENCRYPTED DATA DISTRIBUTION, ENCRYPTED DATA DISTRIBUTION SYSTEM, AND ENCRYPTED DATA DISTRIBUTION METHOD
CN114765531B (en) Authentication method, quantum key calling method, device and quantum password network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant