CN110858249A - A kind of database file encryption method, decryption method and related device - Google Patents
- Publication number
- CN110858249A (CN201810972631.8A)
- Authority
- CN
- China
- Prior art keywords
- information
- application
- key information
- encrypted
- database file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Description
Technical field
The invention relates to the technical field of data security, and in particular to a database file encryption method, a decryption method and a related device.
Background
SQLCipher is an open-source database that extends SQLite, mainly by adding data encryption. Using it to store data in a project can greatly improve the security of the program. SQLCipher has high encryption performance: only 5%-15% overhead is spent on encryption, and because it uses the algorithms provided by the OpenSSL cryptographic library, 100% of the database is encrypted, so it is well suited to database protection in mobile development. SQLCipher supports many different platforms; for example, it can be used in applications on Android-based systems, and it extends similarly to other fields. Database files on Android are generally stored under the path /data/data/your_packagename/databases. Anyone who obtains root privileges can enter this directory and view and edit application data, so if the database stores sensitive data that users are not allowed to view or operate on, the database must be encrypted. SQLCipher does not encrypt tables or columns; it encrypts the entire database (db) file that stores the sensitive data, so the reliability of the key and its resistance to cracking are particularly important.
The existing SQLCipher-based key generation methods are as follows: 1. encrypting directly with a plaintext key; 2. encrypting the plaintext key to obtain a ciphertext key, and then encrypting the database file with the ciphertext key; 3. dynamically generating a plaintext key, then generating a ciphertext key with an encryption algorithm, and then performing the encryption operation. Each of these methods is applicable in particular situations, but each has advantages and disadvantages. When security requirements are high, the key can very easily be cracked through static analysis, dynamic debugging, decompilation, anti-hook and similar methods, which exposes users' sensitive data and harms users' interests.
Therefore, how to improve the security of database files is one of the primary considerations.
Summary of the invention
Embodiments of the present invention provide a database file encryption method, a decryption method and a related device, so as to improve the security of database files.
In a first aspect, an embodiment of the present invention provides a database file encryption method, including:
when encrypting a database file involved in any application, determining whether encrypted key information exists in the specified directory of the application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application;
if so, decrypting the key information from the encrypted key information that was read, and encrypting the database file with the decrypted key information.
In this way, the database file is encrypted with the key information, and the key information is in turn encrypted with the device fingerprint information of the terminal and the application fingerprint information of the application. This guarantees one encrypted key information per device per application, which makes the encrypted database file harder to crack.
In a second aspect, an embodiment of the present invention provides a database file decryption method, including:
after receiving an operation request for a database file of an application in the terminal, obtaining encrypted key information from the specified directory of the application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application;
decrypting the key information from the encrypted key information;
decrypting the database file with the key information and operating on the decrypted database file.
In a third aspect, an embodiment of the present invention provides a database file encryption device, including:
a judgment unit, configured to determine, when encrypting a database file involved in any application, whether encrypted key information exists in the specified directory of the application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application;
an encryption/decryption unit, configured to, when the judgment result of the judgment unit is yes, decrypt the key information from the encrypted key information that was read, and encrypt the database file with the decrypted key information.
In a fourth aspect, an embodiment of the present invention provides a database file decryption device, including:
an obtaining unit, configured to obtain, after receiving an operation request for a database file of an application in the terminal, encrypted key information from the specified directory of the application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application;
a first decryption unit, configured to decrypt the key information from the encrypted key information;
a second decryption unit, configured to decrypt the database file with the key information and operate on the decrypted database file.
In a fifth aspect, an embodiment of the present invention provides a communication device, including a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements any of the database file encryption methods provided by the present invention, and/or any of the database file decryption methods provided by the present invention.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the steps of any of the database file encryption methods provided by the present invention, and/or the steps of any of the database file decryption methods provided by the present invention.
Beneficial effects of the present invention:
In the database file encryption method provided by the embodiments of the present invention, the database file is encrypted with key information. Because the key information is itself encrypted using the device fingerprint information of the terminal and the application fingerprint information of the application, the encrypted key information is harder to crack, which in turn ensures the security of the encrypted database file.
In the database file decryption method provided by the embodiments of the present invention, after an operation request for a database file of an application in the terminal is received, the encrypted key information is read from the specified directory of the application, the key information is decrypted from the encrypted key information, and the encrypted database file is then decrypted with the decrypted key information, so that the database file can be operated on once decryption succeeds. The encrypted key information is obtained and the key information decrypted without the user being aware of it, which simplifies the user's operation flow.
Other features and advantages of the present invention will be set forth in the description that follows, and in part will become apparent from the description or be learned by practicing the invention. The objectives and other advantages of the invention may be realized and attained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Description of the drawings
The accompanying drawings described here are provided for further understanding of the present invention and form a part of it. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not unduly limit it. In the drawings:
FIG. 1 is a schematic structural diagram of a terminal 100 that implements the database file encryption method or decryption method provided by an embodiment of the present invention;
FIG. 2 is the first schematic flowchart of a database file encryption method provided by an embodiment of the present invention;
FIG. 3 is the first schematic flowchart of a method for generating encrypted key information provided by an embodiment of the present invention;
FIG. 4 is a schematic flowchart of encrypting key information to obtain encrypted key information, provided by an embodiment of the present invention;
FIG. 5 is a schematic flowchart of obtaining a random number, provided by an embodiment of the present invention;
FIG. 6 is a schematic flowchart of encrypting key information using device fingerprint information, application fingerprint information, a random number and a preset subkey to obtain encrypted key information, provided by an embodiment of the present invention;
FIG. 7 is a schematic flowchart of performing an integrity check on encrypted key information, provided by an embodiment of the present invention;
FIG. 8 is the second schematic flowchart of a database file encryption method provided by an embodiment of the present invention;
FIG. 9 is a schematic flowchart of obtaining the device fingerprint information of a terminal, provided by an embodiment of the present invention;
FIG. 10 is a schematic flowchart of obtaining the application fingerprint information of an application, provided by an embodiment of the present invention;
FIG. 11 is the first schematic flowchart of a database file decryption method provided by an embodiment of the present invention;
FIG. 12 is a schematic flowchart of decrypting encrypted key information, provided by an embodiment of the present invention;
FIG. 13 is the second schematic flowchart of a database file decryption method provided by an embodiment of the present invention;
FIG. 14 is the third schematic flowchart of a database file decryption method provided by an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of a database file encryption device provided by an embodiment of the present invention;
FIG. 16 is a schematic structural diagram of a database file decryption device provided by an embodiment of the present invention;
FIG. 17 is a schematic diagram of the hardware structure of a terminal device that implements the database file encryption and decryption methods provided by an embodiment of the present invention.
Detailed description
The database file encryption method, decryption method and related device provided by the embodiments of the present invention are used to improve the security of database files.
The preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here are only used to illustrate and explain the present invention, not to limit it, and that, where there is no conflict, the embodiments of the present invention and the features in the embodiments can be combined with each other.
To facilitate understanding of the present invention, the technical terms involved are as follows:
1. A terminal is an electronic device on which various applications can be installed and which can display objects provided by the installed applications. The electronic device may be mobile or fixed, for example a mobile phone, a tablet computer, various wearable devices, an in-vehicle device, a personal digital assistant (PDA), a point of sales (POS) terminal, monitoring equipment in a subway station, or another electronic device that can realize the above functions.
2. An application, that is, an application program, is a computer program that can complete one or more specific tasks. It has a visual display interface and can interact with the user; for example, electronic maps and WeChat can both be called applications.
3. Advanced Encryption Standard (AES), also known in cryptography as Rijndael encryption, is a block encryption standard adopted by the US federal government.
4. Keyed-hash message authentication code (Hash-based Message Authentication Code, HMAC): the HMAC operation uses a hash algorithm, takes a key and a message as input, and generates a message digest as output.
5. In the description of the embodiments of the present invention, words such as "first" and "second" are used only to distinguish between descriptions, and cannot be understood as indicating or implying relative importance or order.
The prior art performs encryption and decryption on the database directly with a plaintext key, where the plaintext key may be set by the user or produced by a random generator. The advantage is that the operation is simple; the disadvantage is that the key is easy to obtain, so security is very low when sensitive data is involved. The prior-art method of "encrypting the plaintext key with an encryption algorithm to obtain a ciphertext key, and then encrypting and decrypting the database with the ciphertext key" improves security to some extent by using a ciphertext key, but the plaintext key can still easily be reverse-analysed and derived from the encryption algorithm, so a security risk remains. The prior-art method of dynamically generating a plaintext key has the advantage that the key differs each time and is not easily cracked, but regenerating the plaintext key every time increases overhead. In addition, the prior art also stores the key on the application's server and shifts the focus of protection to the communication and the server; this improves security to some extent, but increases the pressure on the communication between the application and the server and on the server's own security protection. Each of these methods has its own application scenarios, but when the security requirements for database files are high, they still carry security risks.
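To address the security of database files in the prior art, the present invention proposes a database file encryption method, which can be applied in a terminal capable of implementing the method provided by the present invention. FIG. 1 shows a schematic structural diagram of a terminal 100. Referring to FIG. 1, the terminal 100 includes a processor 110, a memory 120, a gravitational acceleration sensor 130, a display unit 140, an input unit 150, a radio frequency (RF) circuit 160, a power supply 170, and so on.
The processor 110 is the control center of the terminal 100. It connects the various components through various interfaces and lines, and performs the various functions of the terminal 100 by running or executing the software programs and/or data stored in the memory 120, thereby monitoring the terminal as a whole. Optionally, the processor 110 may include one or more processing units; preferably, the processor 110 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, applications and so on, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also not be integrated into the processor 110. In some embodiments the processor and the memory may be implemented on a single chip; in other embodiments they may be implemented separately on independent chips.
The memory 120 may mainly include a program storage area and a data storage area, where the program storage area can store the operating system, various applications and so on, and the data storage area can store data created through use of the terminal 100. In addition, the memory 120 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage devices.
The gravitational acceleration sensor 130 can detect the magnitude of acceleration in each direction (generally three axes). It can also detect the magnitude and direction of gravity when the terminal is stationary, and can be used in applications that recognise the attitude of the phone (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection).
The display unit 140 can be used to display information input by the user or provided to the user, as well as the various menus of the terminal 100. In the embodiments of the present invention it is mainly used to display the display interface of each application in the terminal 100 and objects such as text and pictures shown in that interface. The display unit 140 may include a display panel 141, which may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like.
The input unit 150 can be used to receive information such as numbers or characters input by the user. The input unit 150 may include a touch panel 151 and other input devices 152. The touch panel 151, also called a touch screen, can collect the user's touch operations on or near it (such as operations performed by the user on or near the touch panel 151 with a finger, a stylus or any other suitable object or accessory); for example, the touch panel 151 in the embodiments of the present invention can be used to detect whether the user performs a pressing operation. Specifically, the touch panel 151 can detect the user's touch operation, detect the signal produced by the touch operation, convert the signal into touch point coordinates and send them to the processor 110, and receive and execute commands sent by the processor 110. The touch panel 151 can be implemented in various types, such as resistive, capacitive, infrared and surface acoustic wave. The other input devices 152 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and a power key), a trackball, a mouse and a joystick.
Of course, the touch panel 151 may cover the display panel 141. When the touch panel 151 detects a touch operation on or near it, it passes the operation to the processor 110 to determine the type of touch event, and the processor 110 then provides the corresponding visual output on the display panel 141 according to the type of touch event. Although in FIG. 2 the touch panel 151 and the display panel 141 implement the input and output functions of the terminal 100 as two independent components, in some embodiments the touch panel 151 and the display panel 141 can be integrated to implement the input and output functions of the terminal 100.
The terminal 100 may also include an RF circuit 160, which can be used to send and receive information or data to and from a base station. Generally, the RF circuit 160 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer and so on. In the embodiments of the present invention, the RF circuit 160 can communicate with the network and other electronic devices through wireless communication, which may use any communication standard or protocol.
The terminal 100 also includes a power supply 170 (such as a battery) that supplies power to the various components. The power supply can be logically connected to the processor 110 through a power management system, so that functions such as charging, discharging and power consumption management are handled through the power management system.
The terminal 100 may further include an audio circuit 180, a speaker 181 and a microphone 182, which can provide an audio interface between the user and the terminal. The audio circuit 180 can transmit the electrical signal converted from received audio data to the speaker 181, which converts it into a sound signal for output; conversely, the microphone 182 converts collected sound signals into electrical signals, which the audio circuit 180 receives and converts into audio data, and the audio data is then output to the processor 110 for processing and output, or output to the memory 120 for further processing.
The terminal 100 may further include one or more sensors, such as a pressure sensor, a gravitational acceleration sensor and a proximity light sensor. Of course, depending on the needs of a specific application, the terminal 100 may also include other components such as a camera. Because these are not the components chiefly used in the embodiments of this application, they are not shown in FIG. 1 and are not described in detail.
Those skilled in the art can understand that FIG. 1 is only an example of a terminal and does not limit the terminal, which may include more or fewer components than shown, combine certain components, or use different components.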
The application scenario of the database file encryption method and database file decryption method provided by the present invention is as follows. The encryption method and decryption method are integrated into a software development kit (SDK), and the SDK is then integrated into an application developed by an application developer, that is, the SDK is integrated into SQLCipher. Consider a user who downloads to the terminal an application that integrates this SDK with its database file encryption and decryption functions. Applications today generally require the user to register, and some involve transactions such as recharging. To spare the user from entering information such as a user name and password at every login, and to ensure the security of the data of users involved in transactions, the method provided by the present invention can be used to encrypt the database files that store this sensitive data, which ensures the security of the database files and therefore of the sensitive data. In addition, when a database file is detected, the SDK tool is called internally to read the encrypted key information, and the encrypted database file is decrypted with the decrypted key information. The database file is thus decrypted without the user entering the key information manually and without the user being aware of it, which both simplifies the operation flow and improves the user experience.
With reference to FIG. 1 and the application scenario described above, the database file encryption method and database file decryption method provided according to exemplary embodiments of the present invention are described below with reference to FIG. 2 to FIG. 17. Note that the above application scenario is shown only to aid understanding of the spirit and principle of the present invention, and the embodiments of the present invention are not limited in this respect. On the contrary, the embodiments of the present invention can be applied to any applicable scenario.
FIG. 2 is a schematic flowchart of the database file encryption method provided by an embodiment of the present invention. In the description below, the method is applied to the terminal 100 shown in FIG. 1 as an example. The method is carried out as follows:
S11. When encrypting a database file involved in any application, determine whether encrypted key information exists in the specified directory of the application; if so, perform step S12; otherwise, perform step S13.
In the present invention, the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application, as described in detail later.
Specifically, the specified directory of the application in the present invention may be determined according to the actual situation, and the present invention places no limit on it.
S12. Decrypt the key information from the encrypted key information that was read, and encrypt the database file with the decrypted key information.
When the result of the determination in step S11 is yes, encrypted key information is stored in the specified directory of the application, which means that the process of encrypting and storing the key information has been performed before.
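The S11/S12 flow above, as an added Java example that is not code from the patent or from SQLCipher. It assumes a hypothetical file name (terminal.key), constructed fingerprint strings, a wrapping key derived with HMAC-SHA256 over the two fingerprints, AES-GCM standing in for the patent's own wrapping and integrity steps (which this section does not detail), and a "no" branch that generates and stores fresh key information.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class TerminalKeyDemo {
    static final String KEY_FILE = "terminal.key";   // hypothetical name for the stored blob
    static final int IV_LEN = 12, TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    /** Assumed derivation: wrapping key = HMAC-SHA256(key = device fp, msg = app fp). */
    static SecretKeySpec wrappingKey(byte[] deviceFp, byte[] appFp)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(deviceFp, "HmacSHA256"));
        return new SecretKeySpec(mac.doFinal(appFp), "AES");   // 32 bytes -> AES-256
    }

    /** Encrypts the key information; blob layout is IV || ciphertext || GCM tag. */
    static byte[] wrap(byte[] keyInfo, SecretKeySpec kek) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, kek, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(keyInfo);
        byte[] blob = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        return blob;
    }

    /** Decrypts the blob; a wrong fingerprint or a modified blob fails the tag check. */
    static byte[] unwrap(byte[] blob, SecretKeySpec kek) throws GeneralSecurityException {
        if (blob.length < IV_LEN + TAG_BITS / 8) {
            throw new AEADBadTagException("blob too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, kek, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    /** S11: look for the encrypted key information; S12: decrypt it if present. */
    static byte[] loadOrCreateKeyInfo(Path appDir, byte[] deviceFp, byte[] appFp)
            throws Exception {
        SecretKeySpec kek = wrappingKey(deviceFp, appFp);
        Path f = appDir.resolve(KEY_FILE);
        if (Files.exists(f)) {
            return unwrap(Files.readAllBytes(f), kek);
        }
        // Assumed "no" branch: generate key information, encrypt it, store it.
        byte[] keyInfo = new byte[32];
        RNG.nextBytes(keyInfo);
        Files.write(f, wrap(keyInfo, kek));
        return keyInfo;
    }

    public static void main(String[] args) throws Exception {
        // A temporary directory stands in for the application's specified directory.
        Path appDir = Files.createTempDirectory("app-files");
        // Constructed sample fingerprints, not values from any real device or package.
        byte[] device = "constructed-device-fingerprint-A".getBytes(StandardCharsets.UTF_8);
        byte[] other = "constructed-device-fingerprint-B".getBytes(StandardCharsets.UTF_8);
        byte[] app = "com.example.app|constructed-cert-digest".getBytes(StandardCharsets.UTF_8);

        byte[] first = loadOrCreateKeyInfo(appDir, device, app);   // creates and stores
        byte[] second = loadOrCreateKeyInfo(appDir, device, app);  // reads and decrypts
        System.out.println("same key information on reopen: " + Arrays.equals(first, second));
        // The returned bytes are what would be handed to the database as its key.

        try {
            loadOrCreateKeyInfo(appDir, other, app);
            System.out.println("unexpected: blob decrypted under another fingerprint");
        } catch (AEADBadTagException e) {
            System.out.println("blob rejected under a different device fingerprint");
        }
    }
}
```

Because fingerprints are identifiers rather than secrets, the binding in this sketch stops a copied key file from being unwrapped on another device or under another package; it does not by itself resist code that can recompute both fingerprints on the same device.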
具体地,可以通过内部调用getTerminalKey()函数读取所述加密的密钥信息。具体实施时,通过在SQLCipher的SQLiteOpenHelper类中添加getTerminalKey()函数,该函数用于调用密钥生成工具SDK中TerminalCypto类的ReceiveTerminalKey()函数来读取密钥信息,并赋值给变量password,用于后续的加解密数据库db文件,无需在数据库操作函数中直接传递密钥信息。Specifically, the encrypted key information can be read by calling the getTerminalKey() function internally. In specific implementation, the getTerminalKey() function is added to the SQLiteOpenHelper class of SQLCipher. This function is used to call the ReceiveTerminalKey() function of the TerminalCypto class in the key generation tool SDK to read the key information, and assign it to the variable password for Subsequent encryption and decryption of the database db file does not need to directly pass the key information in the database operation function.
在SQLiteOpenHelper类中,重载了getWritableDatabase(char[]password)和getReadableDatabase(String password),去掉了password入参,改为getWritableDatabase()和getReadableDatabase(),函数内部调用getTerminalKey()函数获取赋值给password的加密的密钥信息。In the SQLiteOpenHelper class, getWritableDatabase(char[]password) and getReadableDatabase(String password) are overloaded, and the password input parameter is removed, and changed to getWritableDatabase() and getReadableDatabase(). Encrypted key information.
在SQLiteDatabase类中,重载了openOrCreateDatabase(String path,Stringpassword,CursorFactory factory,SQLiteDatabaseHookdatabaseHook),同上述一样,去掉password入参,改为openOrCreateDatabase(String path,Context context,SQLiteDatabase.CursorFactory factory,SQLiteDatabaseHook databaseHook),函数内部调用getTerminalKey()函数获取赋值给password的加密的密钥信息。In the SQLiteDatabase class, overloaded openOrCreateDatabase(String path, Stringpassword, CursorFactory factory, SQLiteDatabaseHookdatabaseHook), the same as above, remove the password input parameter and change it to openOrCreateDatabase(String path, Context context, SQLiteDatabase.CursorFactory factory, SQLiteDatabaseHook databaseHook), the function The getTerminalKey() function is called internally to obtain the encrypted key information assigned to password.
S13. Randomly generate key information and encrypt the database file using the generated key information.
In this step, when step S11 finds that no encrypted key information is stored in the designated directory, key information key2 is randomly generated; in practical applications the randomly generated key information key2 is also a random number. After key2 is generated, it is passed to the ReceiveTerminalKey function of the TerminalCypto class in the SDK tool. SQLCipher obtains the key information from the SDK through the getTerminalKey() function added to the SQLiteOpenHelper class, so the key information does not need to be passed directly in the database operation functions.
By performing steps S11 to S13, the database file of any application is encrypted with the generated key information, which protects the sensitive data in the database file. In addition, to prevent the key information from being stolen, the present invention proposes encrypting the key information using the device fingerprint information of the terminal and the application fingerprint information of the application, and then storing the encrypted key information in the designated directory of the application. This improves the resistance of the encrypted key information to cracking and further improves the security of the sensitive data in the encrypted database file. Furthermore, with the key information encryption method provided by the present invention, different applications on the same terminal obtain different encrypted key information, and because different terminals have different device fingerprints, the same application on different terminals also obtains different encrypted key information, which improves the resistance of the encrypted key information to cracking.
Preferably, after step S13 is performed, the randomly generated key information also needs to be encrypted; see the encryption flow shown in FIG. 3 or FIG. 4. The encrypted key information referred to in step S11 is also produced by the encryption flow shown in FIG. 3 or FIG. 4, which is described in detail below:
In one possible implementation, FIG. 3 is a schematic flowchart of the method for generating encrypted key information provided by an embodiment of the present invention, which may include the following steps:
S21. Acquire the device fingerprint information of the terminal and the application fingerprint information of the application.
S22. Encrypt the key information using the device fingerprint information and the application fingerprint information to obtain encrypted key information.
In steps S21 and S22, the device fingerprint information and the application fingerprint information can be encrypted with the AES encryption algorithm, and the information obtained by that encryption can then be used to encrypt the key information to obtain the encrypted key information. The key information in steps S21 and S22 may be the key information referred to in step S11 or the key information randomly generated in step S13. Because the device fingerprint information uniquely identifies the terminal and the application fingerprint information uniquely identifies the application, encrypting the key information with both ensures that each application on a terminal device corresponds to its own encrypted key information. This improves the security of the encrypted key information and makes it harder to crack, which in turn protects the sensitive data in the database file encrypted with the key information.
In another possible implementation, to further improve the security of the encrypted key information, the key information can also be encrypted according to the flow shown in FIG. 4 to obtain the encrypted key information, including the following steps:
S31. Acquire the device fingerprint information of the terminal, the application fingerprint information of the application, and a random number.
In this step, the random number can be obtained according to the flow shown in FIG. 5, including the following steps:
S41. Send a random number acquisition request to the server of the application.
In the present invention, the random number acquisition request carries the terminal identifier of the terminal and the application identifier of the application.
Specifically, to further protect the database file, the application on the terminal sends a random number acquisition request to the server. After receiving the request, the server uses the correspondence among terminal identifier, application identifier and random number to determine whether a random number has already been generated for the application. If so, the correspondence necessarily stores the random number for the terminal identifier and application identifier carried in the request; the server encrypts that random number and sends the encrypted random number to the terminal. If the correspondence does not store the terminal identifier and application identifier carried in the request, no random number has been generated for this application on this terminal and the request is the first one; the server then randomly generates a random number for this application on this terminal, encrypts it, and sends the encrypted random number to the terminal.
S42. Determine whether the terminal has successfully received the random number issued by the server; if so, perform step S43; if not, perform step S47.
Specifically, this can be done by detecting whether the terminal has sent the server a response message to the acquisition request. The content of the response message can be negotiated between the application and the server, so the response message indicates whether the random number issued by the server was received successfully.
S43. Obtain the random number issued by the server.
On successful reception, the random number issued by the server can be obtained. After successful reception, to avoid wasting processing resources through excessive interaction between the application and the server caused by requesting the random number many times, the present invention proposes that, once the random number is obtained, the storage process shown in steps S44 to S46 also be performed.
S44. Determine whether the terminal has secure element (SE) permission; if so, perform step S45; otherwise, perform step S46.
S45. When it is determined that no random number is stored in the SE, encrypt the received random number with white-box encryption and store the encrypted random number in the SE.
Specifically, to avoid requesting the random number from the server many times, after obtaining the random number the present invention determines whether the terminal has SE permission, and if so stores the obtained random number in the SE. SE permission is relatively hard to obtain, so a terminal that has it has higher security requirements; and because SE permission is a high privilege, the SE is correspondingly more secure. Storing the random number in the SE therefore increases the security of the random number and makes the encrypted key information harder to crack. In addition, to make the encrypted key information still harder to crack, the present invention encrypts the random number with white-box encryption before writing it to the SE and stores the encrypted random number in the SE. If the SE already stores a random number for the application, the encrypted random number can overwrite it.
S46. When it is determined that no random number is stored at the start position of the database file, encrypt the received random number with white-box encryption and store the encrypted random number at the start position of the database file.
When the terminal does not have SE permission, to avoid requesting the random number from the server many times, after obtaining the random number the present invention also determines whether a random number is stored at the start position of the database file corresponding to the application. If not, the received random number is stored at the start position of the database file. To make the encrypted key information harder to crack, the random number can first be white-box encrypted and the encrypted random number then stored at the start position of the database file. When the database file already stores a random number for the application, the received random number replaces the one stored at the start position of the database file.
S47. Determine whether a random number is stored in the secure element SE; if so, perform step S48; otherwise, perform step S49.
When step S42 finds that the random number issued by the server was not received, the terminal may have been unable to receive it because of a network fault. In that case, it is determined whether the SE stores the random number corresponding to the application, and if so the random number of the application is extracted from the SE.
S48. Obtain the random number from the SE.
S49. Determine whether a random number is stored at the start position of the database file; if so, perform step S410; otherwise, perform step S41 again.
S410. Obtain the random number from the start position of the database file.
In steps S49 and S410, when the SE does not store the random number of the application, it is determined whether the start position of the database file stores the random number of the application, and if so the random number corresponding to the application is extracted from that start position. The random number can thus be obtained by performing steps S41 to S410.
Note that with steps S41 to S410 a random number can be requested from the server each time the database file is encrypted. This ensures that the random number is issued dynamically and that the encrypted key information changes dynamically, which greatly improves the security of the encrypted key information and makes the database file harder to crack.
In practical applications, to avoid the high consumption of terminal processing resources caused by frequent interaction between the application and the server, the terminal generally sends the random number acquisition request to the application's server only once per application; that is, step S41 is performed only once, and whenever the random number is needed only steps S47 to S410 are performed to obtain it.
Using a random number issued by the server to encrypt the key information that encrypts the database file avoids storing all parameters involved in generating the encrypted key information locally. The Rand_GUID that the server allocates per terminal device and per application is stored on the server side; only in special cases, such as a network outage, is the white-box-encrypted Rand_GUID extracted from the backup in the terminal's local SE or at the start position of the database file, which improves security to a large extent.
S32. Encrypt the key information using the device fingerprint information, the application fingerprint information, the random number and the preset subkeys to obtain encrypted key information.
In this step, the SHA2 algorithm, the AES algorithm and the HMAC algorithm can be used to obtain the encrypted key information. Specifically, step S32 can be performed according to the method shown in FIG. 6, including the following steps:
S51. Generate a root key according to the device fingerprint information, the application fingerprint information, the random number and the preset subkeys.
Specifically, the root key can be generated with the SHA2 (SHA2-256) algorithm from the device fingerprint information, the application fingerprint information, the random number and the preset subkeys. For example, with the device fingerprint information denoted deviceFingerprint, the application fingerprint information denoted appFingerprint, the random number denoted Rand_GuID, and the preset subkeys being d1, d2 and d3, the root key key1 can be generated according to the following formula:
key1 = SHA2(d1 | d2 | d3 | deviceFingerprint | appFingerprint | Rand_GuID)    (1)
S52. Encrypt the key information using the root key to obtain first encrypted information.
Specifically, the AES algorithm and the root key key1 can be used to encrypt the key information to obtain the first encrypted information cipher1, according to the following formula:
cipher1 = AESEN_key1(key2)    (2)
S53. Encrypt the first encrypted information, the device fingerprint information and the application fingerprint information using the root key to obtain second encrypted information.
In this step, HMAC and the root key can be used to process the first encrypted information, the device fingerprint information and the application fingerprint information to obtain the second encrypted information cipher2, according to the following formula:
cipher2 = HMAC_key1(cipher | deviceFingerprint | appFingerprint)    (3)
In practical applications, the first 64 bits of the HMAC result, that is, of the right-hand side of the equation, can be taken as the value of cipher2, the second encrypted information.
S54. Encrypt the second encrypted information, the device fingerprint information and the application fingerprint information using a preset first obfuscation parameter to obtain third encrypted information.
Specifically, step S54 can be performed with the AES algorithm, and the third encrypted information cipher3 can be obtained according to formula (4):
cipher3 = AESEN_K(cipher1 | deviceFingerprint | appFingerprint)    (4)
Specifically, K in formula (4) is the preset first obfuscation parameter, which can be determined according to the actual situation.
S55. Perform OR processing on the second encrypted information and the third encrypted information to obtain the encrypted key information.
In this step, the encrypted key information cipher can be obtained according to formula (5):
cipher = cipher3 | cipher2    (5)
S33. Store the encrypted key information in the designated directory of the application.
In this step, the encrypted key information cipher obtained through steps S51 to S55 is stored in the designated directory of the application. Because the device fingerprint information uniquely identifies the terminal, the application fingerprint information uniquely identifies the application, and the server issues a random number for this application on this terminal, encrypting the key information with the device fingerprint information, the application fingerprint information and the server-issued random number ensures that each application on a terminal device corresponds to one random number and in turn to one encrypted key information. This greatly improves the security of the encrypted key information and makes it harder to crack, further protecting the sensitive data in the database file encrypted with the key information.
Preferably, to ensure the accuracy of the encrypted key information stored in the designated directory of the application, the present invention proposes that, after the result of step S11 is yes and before step S12 is performed, the method further includes:
The integrity check on the encrypted key information passes.
Specifically, performing an integrity check on the encrypted key information improves the security of the database file to a certain extent. The integrity check on the encrypted key information stored in the designated directory can follow the flow shown in FIG. 7, which may include the following steps:
S61. Split the encrypted key information into fourth encrypted information and fifth encrypted information.
Specifically, again taking the encrypted key information cipher as an example, cipher is split into the fourth key information cipher4 and the fifth key information cipher5.
S62. Decrypt the fifth encrypted information using the preset first obfuscation parameter to obtain sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application.
In this step, step S62 is performed with the AES decryption algorithm: cipher5 is AES-decrypted using the first obfuscation parameter K, giving the sixth encrypted information cipher6, the decrypted device fingerprint information deviceFingerprint1 and the decrypted application fingerprint information appFingerprint1.
S63. Encrypt the decrypted sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application using the root key to obtain seventh encrypted information.
Following step S62, step S63 can be performed with the HMAC algorithm, and the seventh encrypted information cipher2' can be obtained according to formula (6):
cipher2' = HMAC_key1(cipher1 | deviceFingerprint1 | appFingerprint1)    (6)
S64. Determine whether the seventh encrypted information is consistent with the fourth encrypted information; if so, perform step S65; otherwise, perform step S66.
If the seventh encrypted information obtained from formula (6) is consistent with the fourth encrypted information obtained by the split, that is, cipher2' = cipher4, step S65 is performed and the encrypted key information is complete; otherwise the encrypted key information is incomplete.
S65. Determine that the integrity check on the encrypted key information passes.
S66. Determine that the integrity check on the encrypted key information fails.
The flow shown in FIG. 7 determines whether the encrypted key information is complete. When the encrypted key information is determined to be incomplete, step S13 also needs to be performed.
Preferably, the method provided by the present invention may further include the flow shown in FIG. 8, including the following steps:
S71. When a version update of the application is detected, decrypt the key information from the encrypted key information.
In this step, a detected version update means the application has changed, so the key information needs to be re-encrypted using the application fingerprint information of the updated application. The key information therefore has to be decrypted from the encrypted key information first. Specifically, decryption can be performed as the inverse of the process that generated the encrypted key information, thereby recovering the key information.
S72. Determine the application fingerprint information of the updated application.
Specifically, the dex file, the certificate and the package name of the updated application can be obtained again, and the application fingerprint information of the updated application is then determined from the updated dex file, the certificate and the package name of the updated application.
S73. Re-encrypt the key information according to the acquired device fingerprint information of the terminal, the application fingerprint information, the acquired random number and the preset subkeys to obtain new encrypted key information.
In this step, after the application fingerprint information of the updated application is determined, the key information decrypted in step S71 is re-encrypted using the flow shown in FIG. 4 to obtain new encrypted key information. Note that the random number in step S73 can be obtained from the SE or from the start position of the database file.
S74. Store the new encrypted key information in the designated directory of the application.
After the new encrypted key information is determined based on the new version of the application, it is stored in the designated directory of the updated application.
Preferably, the device fingerprint information of the terminal used in FIG. 3, FIG. 4 and FIG. 8 can be obtained according to the method shown in FIG. 9, including the following steps:
S81. Obtain the IMEI of the terminal, the Bluetooth media access control address BluetoothMacAddress, and the version number of the operating system used by the terminal.
S82. Generate the device fingerprint information of the terminal according to a preset second obfuscation parameter, the IMEI, the BluetoothMacAddress and the version number of the operating system.
In steps S81 and S82, the device fingerprint information of the terminal can be determined according to formula (7):
SHA2(IMEI | BluetoothMacAddress | AndroidID | K5)    (7)
In the present invention, the device fingerprint information uniquely identifies the terminal, and different terminals have different device fingerprint information. In practical applications, the first 64 bits of the value of formula (7) can be used as the device fingerprint information of the terminal. Because the International Mobile Equipment Identity (IMEI), the BluetoothMacAddress and the operating system version number all differ between terminals, different terminals have different device fingerprint information. K5 in formula (7) is the second obfuscation parameter, which can be determined according to the actual situation.
Optionally, the application fingerprint information of the application can be determined according to the flow shown in FIG. 10, including the following steps:
S91. Obtain the dex file and the certificate of the application and the package name of the application.
S92. Generate the application fingerprint information of the application according to a preset third obfuscation parameter, the dex file, the certificate and the package name.
In steps S91 and S92, the application fingerprint information of the application can be determined according to formula (8):
SHA2(dex | certificate | apk package name | K4)    (8)
In the present invention, the application fingerprint information uniquely identifies the application, and different applications have different application fingerprint information. In practical applications, the first 64 bits of the value of formula (8) can be taken as the fingerprint information of the application. Because the dex files, certificates and package names of different applications all differ, different applications have different application fingerprint information. K4 in formula (8) is the third obfuscation parameter, which can be determined according to the actual situation.
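The Java sketch below is an added example, not code from the patent or from SQLCipher: it implements formulas (1) to (8), covering the key wrapping of steps S51-S55, the integrity check of steps S61-S66 and the re-wrap after an application update in steps S71-S74. Assumptions not stated on the page: "|" is byte concatenation, AES runs in CBC mode with a random IV stored in front of the ciphertext, the HMAC is HMAC-SHA-256, the root key used in the check is re-derived from the caller's current fingerprints, and every class name, method name and sample value is constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class KeyWrapSketch {
    static final int FP_LEN = 8, TAG_LEN = 8, IV_LEN = 16; // 64-bit fingerprints and tag, AES block
    // Constructed placeholders for the preset subkeys d1|d2|d3 and the first obfuscation parameter K.
    static final byte[] D = "d1-demo|d2-demo|d3-demo".getBytes(StandardCharsets.UTF_8);
    static final byte[] K = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
    static final SecureRandom RNG = new SecureRandom();

    static byte[] cat(byte[]... parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] p : parts) out.write(p, 0, p.length);
        return out.toByteArray();
    }

    // Formulas (7) and (8): first 64 bits of SHA2 over the attributes and an obfuscation parameter.
    static byte[] fingerprint(String... attrs) throws GeneralSecurityException {
        byte[] in = String.join("|", attrs).getBytes(StandardCharsets.UTF_8);
        return Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(in), FP_LEN);
    }
    // Formula (1): key1 = SHA2(d1|d2|d3|deviceFingerprint|appFingerprint|Rand_GuID).
    static byte[] rootKey(byte[] dev, byte[] app, byte[] rand) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(cat(D, dev, app, rand));
    }

    // Assumption: AES-CBC with PKCS#5 padding; output is IV followed by ciphertext.
    static byte[] encrypt(byte[] key, byte[] data) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return cat(iv, c.doFinal(data));
    }
    static byte[] decrypt(byte[] key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    // Formulas (3) and (6): first 64 bits of HMAC_key1(cipher1|deviceFingerprint|appFingerprint).
    static byte[] tag(byte[] key1, byte[] c1, byte[] dev, byte[] app) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key1, "HmacSHA256"));
        return Arrays.copyOf(mac.doFinal(cat(c1, dev, app)), TAG_LEN);
    }

    // Steps S51-S55: wrap the database key key2 into the blob stored in the designated directory.
    static byte[] wrap(byte[] key2, byte[] dev, byte[] app, byte[] rand) throws GeneralSecurityException {
        byte[] key1 = rootKey(dev, app, rand);
        byte[] c1 = encrypt(key1, key2);            // formula (2)
        byte[] c2 = tag(key1, c1, dev, app);        // formula (3)
        byte[] c3 = encrypt(K, cat(c1, dev, app));  // formula (4)
        return cat(c3, c2);                         // formula (5), read as concatenation
    }

    // Steps S61-S66, then recovery of key2. Throws if the blob is malformed or fails the check.
    static byte[] unwrap(byte[] blob, byte[] dev, byte[] app, byte[] rand) throws GeneralSecurityException {
        if (blob.length < 2 * IV_LEN + TAG_LEN) throw new GeneralSecurityException("blob too short");
        byte[] c4 = Arrays.copyOfRange(blob, blob.length - TAG_LEN, blob.length);  // S61: stored tag
        byte[] plain = decrypt(K, Arrays.copyOf(blob, blob.length - TAG_LEN));     // S62: open cipher5
        int n = plain.length - 2 * FP_LEN;
        if (n < 2 * IV_LEN) throw new GeneralSecurityException("malformed payload");
        byte[] c6 = Arrays.copyOf(plain, n);
        byte[] dev1 = Arrays.copyOfRange(plain, n, n + FP_LEN);
        byte[] app1 = Arrays.copyOfRange(plain, n + FP_LEN, plain.length);
        byte[] key1 = rootKey(dev, app, rand);      // assumption: derived from current fingerprints
        if (!MessageDigest.isEqual(tag(key1, c6, dev1, app1), c4))                 // S63-S64
            throw new GeneralSecurityException("integrity check failed");          // S66
        return decrypt(key1, c6);                   // S65 passed: recover key2
    }
    static boolean rejected(byte[] blob, byte[] dev, byte[] app, byte[] rand) {
        try { unwrap(blob, dev, app, rand); return false; } catch (GeneralSecurityException e) { return true; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed attribute values; on a device they come from the sources named in S81 and S91.
        byte[] dev = fingerprint("000000000000000", "00:00:00:00:00:00", "android-id-demo", "K5-demo");
        byte[] appV1 = fingerprint("dex-bytes-v1", "cert-demo", "com.example.app", "K4-demo");
        byte[] appV2 = fingerprint("dex-bytes-v2", "cert-demo", "com.example.app", "K4-demo");
        byte[] rand = new byte[16], key2 = new byte[32];
        RNG.nextBytes(rand);                        // stands in for the server-issued random number
        RNG.nextBytes(key2);                        // S13: random database key
        byte[] blob = wrap(key2, dev, appV1, rand);
        System.out.println("round trip ok: " + Arrays.equals(key2, unwrap(blob, dev, appV1, rand)));
        byte[] bad = blob.clone();
        bad[bad.length - 1] ^= 1;                   // flip one bit of the stored tag
        System.out.println("tampered blob rejected: " + rejected(bad, dev, appV1, rand));
        System.out.println("old blob rejected after update: " + rejected(blob, dev, appV2, rand));
        byte[] blob2 = wrap(unwrap(blob, dev, appV1, rand), dev, appV2, rand);     // S71-S74
        System.out.println("re-wrapped ok: " + Arrays.equals(key2, unwrap(blob2, dev, appV2, rand)));
    }
}
```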
In the database file encryption method provided by the present invention, when a database file involved in any application is to be encrypted, it is judged whether encrypted key information exists in the designated directory of that application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application; if so, the key information is decrypted from the encrypted key information that was read, and the database file is encrypted with the decrypted key information. With this method the database file is encrypted with the key information, and because the key information is itself encrypted using the device fingerprint information of the terminal and the application fingerprint information of the application, the encrypted key information becomes harder to crack, which in turn ensures the security of the encrypted database file.
Based on the same inventive concept, an embodiment of the present invention further provides a database file decryption method. Referring to FIG. 11, the method is described taking its application to the terminal 100 shown in FIG. 1 as an example. The specific implementation flow of the database file decryption method is as follows:
S101. After receiving an operation request for a database file of an application in the terminal, obtain encrypted key information from the designated directory of the application.
The encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application.
In this step, the encrypted key information can be read by internally calling the getTerminalKey() function. In a specific implementation, a getTerminalKey() function is added to the SQLiteOpenHelper class of SQLCipher. This function calls the ReceiveTerminalKey() function of the TerminalCypto class in the key generation tool SDK to read the key information and assigns it to the variable password, which is used for subsequent encryption and decryption of the database db file, so the key information does not need to be passed directly in the database operation functions.
Specifically, the encrypted key information can be obtained by referring to the flow shown in FIG. 3 or FIG. 4, which is not repeated here.
S102. Decrypt the key information from the encrypted key information.
Specifically, the key information can be decrypted according to the method shown in FIG. 12, which includes the following steps:
S111. Split the encrypted key information into first ciphertext information and second ciphertext information.
In this step, with reference to the encryption operation shown in FIG. 6 and following the decryption process that corresponds to that encryption operation, the encrypted key information cipher is first split into the first ciphertext information and the second ciphertext information. If the application performing the decryption operation is a legitimate application and no attack tool is present, the first ciphertext information obtained by the split should be the second encrypted information cipher2 of step S53, and the second ciphertext information should be the third encrypted information cipher3 of step S54.
S112. Decrypt the second ciphertext information using the preset first obfuscation parameter to obtain third ciphertext information.
In this step, an AES decryption operation is performed on the second ciphertext information cipher3 using the first obfuscation parameter K, which yields the third ciphertext information. Likewise, if the application performing the decryption operation is a legitimate application and no attack tool is present, the decrypted third ciphertext information cipher6 should be the first encrypted information cipher1 of step S52.
S113. Decrypt the third ciphertext information using the root key to obtain the key information.
In this step, the third ciphertext information is decrypted with the AES decryption algorithm using the root key key1, as shown in formula (9):
key2 = AESDE_key1(cipher6) (9)
If the application performing the operation is a legitimate application, the third ciphertext information cipher6 = the first encrypted information cipher1.
S103. Decrypt the database file using the key information and operate on the decrypted database file.
Specifically, after decryption is completed, the decrypted key information key2 and the status code 0 are returned. The decrypted key information key2 is then used to decrypt the encrypted database. The database functions in SQLCipher can then obtain key2 by calling the getTerminalKey function and perform insert, delete, update and query operations on the database file. When users call these SQLCipher functions to perform inserts, deletes, updates, queries and related database operations, they no longer need to pass in the password parameter; the generation, management and invocation of the key information are completely transparent to the user, which simplifies the user's operation flow.
Preferably, before the key information is decrypted from the encrypted key information, the method further includes:
The integrity check of the encrypted key information passes.
Specifically, the integrity check of the encrypted key information can be performed with reference to the flow shown in FIG. 7, which is not described in detail here.
Preferably, before the encrypted key information is obtained from the designated directory of the application, the method further includes the process shown in FIG. 13, which includes the following steps:
S121. Obtain the device fingerprint information of the terminal.
In practice, determining the device fingerprint information of the terminal in real time on every occasion may waste the terminal's processing resources. Therefore, in the process of determining the encrypted key information, the device fingerprint information of the terminal is stored after it has been determined.
S122. Verification of the device fingerprint information passes.
In this step, when step S122 is performed, the process shown in step 9 is executed again to determine the current device fingerprint information of the terminal, and it is then judged whether the currently determined device fingerprint information is consistent with the previously stored device fingerprint information. If they are consistent, verification of the device fingerprint information of the terminal passes. The decryption operation, that is, step S102, is performed only after verification of the device fingerprint information of the terminal has passed. If verification of the device fingerprint information fails, a null value and the corresponding status code are returned.
Further, after verification of the device fingerprint information of the terminal has passed and before the encrypted key information is obtained from the designated directory of the application, the method further includes the process shown in FIG. 14, which includes the following steps:
S131. Obtain the application fingerprint information of the application.
In practice, determining the application fingerprint information of the application in real time on every occasion may waste the terminal's processing resources. Therefore, in the process of determining the encrypted key information, the application fingerprint information of the application is stored after it has been determined.
S132. Verification of the application fingerprint information passes.
In this step, when step S132 is performed, the process shown in step 10 is executed again to determine the current application fingerprint information of the application, and it is then judged whether the currently determined application fingerprint information is consistent with the previously stored application fingerprint information. If they are consistent, verification of the application fingerprint information passes. The decryption operation, that is, step S102, is performed only after verification of the application fingerprint information has passed.
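An added example (not code from the patent or from any SDK it describes) of the fingerprint derivation in formula (8) and the store-then-recheck gate of steps S121 to S132. It assumes SHA-256 as the SHA2 instance, a 4-byte length prefix per field as the encoding of "|" (the page does not specify one), a device field order of IMEI, Bluetooth MAC address, OS version, and constructed values for K4, K5, the sample inputs and the non-zero status codes.

```python
import hashlib
import hmac
import struct

# Constructed obfuscation parameters; the page leaves K4 and K5 to the implementer.
K4_APP = b"constructed-K4"
K5_DEVICE = b"constructed-K5"


def fingerprint(fields, obfuscation_param):
    """First 64 bits of SHA-256 over the fields followed by the parameter.

    Assumption of this example: each field is length-prefixed so that field
    boundaries are unambiguous (b"ab" + b"c" must not hash like b"a" + b"bc").
    """
    h = hashlib.sha256()
    for field in list(fields) + [obfuscation_param]:
        h.update(struct.pack(">I", len(field)))
        h.update(field)
    return h.digest()[:8]  # 8 bytes = the 64 bits the page keeps


def device_fingerprint(imei, bt_mac, os_version, k5=K5_DEVICE):
    """Device fingerprint from IMEI, BluetoothMacAddress and OS version."""
    return fingerprint([imei.encode(), bt_mac.encode(), os_version.encode()], k5)


def app_fingerprint(dex_bytes, cert_bytes, package_name, k4=K4_APP):
    """Application fingerprint per formula (8): dex, certificate, package name, K4."""
    return fingerprint([dex_bytes, cert_bytes, package_name.encode()], k4)


class FingerprintGate:
    """Keeps the fingerprints stored at key-wrapping time and rechecks them
    before the unwrap step (S102) is allowed to run."""

    OK = 0               # the page returns status code 0 on success
    DEVICE_MISMATCH = 1  # constructed code for a failed S122
    APP_MISMATCH = 2     # constructed code for a failed S132

    def __init__(self, stored_device_fp, stored_app_fp):
        self._device_fp = stored_device_fp
        self._app_fp = stored_app_fp

    def check(self, current_device_fp, current_app_fp):
        # Device first, then application, in the order of FIG. 13 and FIG. 14.
        # compare_digest avoids leaking the mismatch position through timing.
        if not hmac.compare_digest(self._device_fp, current_device_fp):
            return self.DEVICE_MISMATCH
        if not hmac.compare_digest(self._app_fp, current_app_fp):
            return self.APP_MISMATCH
        return self.OK


def demo():
    """Run the gate on constructed inputs and return the status per scenario."""
    cert = b"constructed-signing-certificate"
    pkg = "com.example.notes"
    dev = device_fingerprint("490154203237518", "00:11:22:33:44:55", "8.1.0")
    app = app_fingerprint(b"constructed dex v1", cert, pkg)
    gate = FingerprintGate(dev, app)

    other_dev = device_fingerprint("356938035643809", "66:77:88:99:AA:BB", "8.1.0")
    updated_app = app_fingerprint(b"constructed dex v2", cert, pkg)
    return {
        "unchanged": gate.check(dev, app),
        # Key file copied to another terminal: the device fingerprint differs.
        "other_device": gate.check(other_dev, app),
        # Same terminal, new dex file: the application fingerprint differs.
        "app_updated": gate.check(dev, updated_app),
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(scenario, status)
```

The mismatch after an application update is expected, because the dex file changes; the page handles that case by re-encrypting the key information with the updated application fingerprint.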
With the database file decryption method provided by the present invention, after an operation request for a database file of an application in the terminal is received, encrypted key information is obtained from the designated directory of the application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application; the key information is decrypted from the encrypted key information; and the database file is decrypted using the key information and the decrypted database file is operated on. With this method, the encrypted key information is read by internally calling the getTerminalKey() function, the key information is then decrypted from the encrypted key information, and the decrypted key information is used to decrypt the encrypted database file, so that the database file can be operated on once decryption succeeds. The encrypted key information is obtained and the key information decrypted without the user being aware of it, which simplifies the user's operation flow.
By integrating a key management SDK into SQLCipher, the present invention encrypts and stores the key information used to encrypt the database file by combining the device fingerprint information, the application fingerprint information and a random number issued by the server. Users call the relevant data operation functions without passing in a key parameter, which simplifies their use of SQLCipher and makes database encryption and decryption transparent to the user.
Based on the same inventive concept, an embodiment of the present invention further provides a database file encryption apparatus. Because the principle by which the apparatus solves the problem is similar to that of the database file encryption method, the implementation of the apparatus can refer to the implementation of the method, and repeated details are omitted.
FIG. 15 is a schematic structural diagram of the database file encryption apparatus provided by an embodiment of the present invention, which includes:
a judging unit 141, configured to judge, when a database file involved in any application is to be encrypted, whether encrypted key information exists in the designated directory of that application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application;
an encryption and decryption unit 142, configured to, when the judgment result of the judging unit 141 is yes, decrypt the key information from the encrypted key information that was read and encrypt the database file with the decrypted key information.
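In a possible implementation, the apparatus further includes:
a check unit 143, configured to, when the judgment result of the judging unit 141 is yes and before the encryption and decryption unit 142 decrypts the key information from the encrypted key information, determine that the integrity check of the encrypted key information passes.
Preferably, the apparatus further includes:
a first encryption unit 144, configured to randomly generate key information and encrypt the database file with the generated key information when the judging unit 141 judges that no encrypted key information exists in the designated directory, or when the integrity check of the encrypted key information by the check unit 143 fails.
In yet another possible implementation, the database file encryption apparatus provided by the present invention further includes:
an obtaining unit 145, configured to obtain the device fingerprint information of the terminal and the application fingerprint information of the application;
a second encryption unit 146, configured to encrypt the key information using the device fingerprint information and the application fingerprint information to obtain the encrypted key information.
Preferably, the obtaining unit 145 is further configured to obtain the device fingerprint information of the terminal, the application fingerprint information of the application, and a random number;
the second encryption unit 146 is further configured to encrypt the key information using the device fingerprint information, the application fingerprint information, the random number and a preset subkey to obtain the encrypted key information;
the apparatus further includes:
a storage unit 147, configured to store the encrypted key information in the designated directory of the application.
Preferably, the second encryption unit 146 is specifically configured to: generate a root key according to the device fingerprint information, the application fingerprint information, the random number and the preset subkey; encrypt the key information using the root key to obtain first encrypted information; encrypt the first encrypted information, the device fingerprint information and the application fingerprint information using the root key to obtain second encrypted information; encrypt the second encrypted information, the device fingerprint information and the application fingerprint information using the preset first obfuscation parameter to obtain third encrypted information; and perform OR processing on the second encrypted information and the third encrypted information to obtain the encrypted key information.
Preferably, the encryption and decryption unit is specifically configured to read the encrypted key information by internally calling the getTerminalKey() function.
Preferably, the check unit 143 is specifically configured to determine that the integrity check of the encrypted key information passes as follows: split the encrypted key information into fourth encrypted information and fifth encrypted information; decrypt the fifth encrypted information using the preset first obfuscation parameter to obtain sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application; encrypt the decrypted sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application using the root key to obtain seventh encrypted information; and, if the seventh encrypted information is determined to be consistent with the fourth encrypted information, determine that the integrity check of the encrypted key information passes.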
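In yet another possible implementation, in the database file encryption apparatus provided by the present invention,
the encryption and decryption unit 142 is further configured to decrypt the key information from the encrypted key information when a version update of the application is detected;
the apparatus further includes:
a determining unit 148, configured to determine the application fingerprint information of the updated application;
the second encryption unit 146 is further configured to encrypt the key information again according to the obtained device fingerprint information of the terminal, the application fingerprint information, the obtained random number and the preset subkey to obtain new encrypted key information;
the storage unit 147 is further configured to store the new encrypted key information in the designated directory of the application.
In yet another possible implementation, the database file encryption apparatus provided by the present invention further includes:
the obtaining unit 145, further configured to obtain the random number as follows: send a random number acquisition request to the server of the application, the request carrying the terminal identifier of the terminal and the application identifier of the application, so that the server determines the random number of the application according to the correspondence among terminal identifier, application identifier and random number; after determining that the random number issued by the server has been received successfully, obtain the random number; if it is determined that the random number issued by the server has not been received successfully, determine whether a random number is stored in the secure element (SE), and if so obtain the random number from the SE; if not, obtain the random number from the start position of the database file when it is determined that a random number is stored there.
Preferably, the apparatus further includes:
a processing unit 149, configured to judge, after the obtaining unit 145 obtains the random number, whether the terminal has secure element (SE) permission; if so, when it is determined that no random number is stored in the SE, encrypt the received random number with a white box and store the encrypted random number in the SE; if not, when it is determined that no random number is stored at the start position of the database file, encrypt the received random number with a white box and store the encrypted random number at the start position of the database file.
Optionally, the second encryption unit 146 is specifically configured to generate the device fingerprint information of the terminal as follows: obtain the International Mobile Equipment Identity (IMEI) of the terminal, the Bluetooth MAC address BluetoothMacAddress, and the version number of the operating system used by the terminal; and generate the device fingerprint information of the terminal according to the preset second obfuscation parameter, the IMEI, the BluetoothMacAddress and the version number of the operating system.
Optionally, the second encryption unit 146 is specifically configured to generate the application fingerprint information of the application as follows: obtain the dex file, the certificate and the package name of the application; and generate the application fingerprint information of the application according to the preset third obfuscation parameter, the dex file, the certificate and the package name.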
For convenience of description, the parts above are described separately as modules (or units) divided by function. Of course, when the present invention is implemented, the functions of the modules (or units) may be implemented in one or more pieces of software or hardware.
Based on the same inventive concept, an embodiment of the present invention further provides a database file decryption apparatus. Because the principle by which the apparatus solves the problem is similar to that of the database file decryption method, the implementation of the apparatus can refer to the implementation of the method, and repeated details are omitted.
FIG. 16 is a schematic structural diagram of the database file decryption apparatus provided by an embodiment of the present invention, which includes:
an obtaining unit 151, configured to obtain, after receiving an operation request for a database file of an application in the terminal, encrypted key information from the designated directory of the application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application;
a first decryption unit 152, configured to decrypt the key information from the encrypted key information;
a second decryption unit 153, configured to decrypt the database file using the key information and operate on the decrypted database file.
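In a possible implementation, the database file decryption apparatus provided by the present invention further includes:
a check unit 154, configured to determine, before the first decryption unit 152 decrypts the key information from the encrypted key information, that the integrity check of the encrypted key information passes.
In a possible implementation, the database file decryption apparatus provided by the present invention further includes:
a first verification unit 155, configured to obtain the device fingerprint information of the terminal before the first decryption unit 152 decrypts the key information from the encrypted key information, and to determine that verification of the device fingerprint information passes.
In a possible implementation, the database file decryption apparatus provided by the present invention further includes:
a second verification unit 156, configured to obtain the application fingerprint information of the application after the first verification unit 155 has verified the device fingerprint information of the terminal and before the first decryption unit 152 decrypts the key information from the encrypted key information, and to determine that verification of the application fingerprint information passes.
Preferably, the first decryption unit 152 is specifically configured to: split the encrypted key information into first ciphertext information and second ciphertext information; decrypt the second ciphertext information using the preset first obfuscation parameter to obtain third ciphertext information; and decrypt the third ciphertext information using the root key to obtain the key information.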
Based on the same inventive concept, an embodiment of the present invention further provides a communication device, including a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, it implements the database file encryption method or the database file decryption method according to any one of the embodiments of the present invention.
In addition, an embodiment of the present application further provides a computer-readable storage medium that stores the computer-executable instructions to be executed by the above processor, including the program to be executed by the above processor.
In some possible implementations, the aspects of the database file encryption method or the database file decryption method provided by the present invention can also be implemented in the form of a program product that includes program code. When the program product runs on a computer device, the program code causes the computer device to perform the steps of the database file encryption method, or the steps of the database file decryption method, according to the various exemplary embodiments of the present invention described above in this specification. For example, the computer device may perform the database file encryption flow of steps S11 to S13 shown in FIG. 2, or the database file decryption flow of steps S101 to S103 shown in FIG. 11.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The program product for the database file encryption method or the database file decryption method of the embodiments of the present invention may use a portable compact disc read-only memory (CD-ROM), include program code, and run on a computing device. However, the program product of the present invention is not limited to this. In this document, a readable storage medium may be any tangible medium that contains or stores a program that can be used by, or in combination with, an instruction execution system, apparatus or device.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in combination with, an instruction execution system, apparatus or device.
Program code contained on a readable medium may be transmitted over any suitable medium, including but not limited to wireless, wired, optical cable, RF, or any suitable combination of the above.
Program code for performing the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it may be connected to an external computing device (for example, through the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the detailed description above, this division is only exemplary and not mandatory. In fact, according to embodiments of the present invention, the features and functions of two or more units described above may be embodied in one unit. Conversely, the features and functions of one unit described above may be further divided and embodied by multiple units.
In addition, although the operations of the method of the present invention are described in the drawings in a particular order, this does not require or imply that the operations must be performed in that order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, multiple steps may be combined into one step, and/or one step may be broken down into multiple steps.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (22)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810972631.8A CN110858249B (en) | 2018-08-24 | 2018-08-24 | Database file encryption method, database file decryption method and related devices |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810972631.8A CN110858249B (en) | 2018-08-24 | 2018-08-24 | Database file encryption method, database file decryption method and related devices |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110858249A true CN110858249A (en) | 2020-03-03 |
CN110858249B CN110858249B (en) | 2021-11-16 |
Family
ID=69635580
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810972631.8A Active CN110858249B (en) | 2018-08-24 | 2018-08-24 | Database file encryption method, database file decryption method and related devices |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110858249B (en) |
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1533646A (en) * | 2002-04-15 | 2004-09-29 | | Apparatus and method for processing information, apparatus and method for providing information, apparatus and method for managing usage right, recording medium and program |
US20150178506A1 (en) * | 2004-06-01 | 2015-06-25 | Ben-Gurion University Of The Negev, Research And Development Authority | Method and system for database encryption |
US20080077806A1 (en) * | 2006-09-27 | 2008-03-27 | International Business Machines Corporation | Encrypting and decrypting database records |
CN102082790A (en) * | 2010-12-27 | 2011-06-01 | 北京握奇数据系统有限公司 | Method and device for encryption/decryption of digital signature |
CN103106372A (en) * | 2013-01-17 | 2013-05-15 | 上海交通大学 | Lightweight class privacy data encryption method and system for Android system |
CN107925577A (en) * | 2014-06-13 | 2018-04-17 | 百可德罗德公司 | The method and computer program product for generating and managing for encryption key |
CN104636444A (en) * | 2015-01-13 | 2015-05-20 | 大唐移动通信设备有限公司 | Database encryption and decryption method and device |
CN105989270A (en) * | 2015-09-25 | 2016-10-05 | 武汉安天信息技术有限责任公司 | Cloud computing-based android database security protection method and system |
CN107563215A (en) * | 2016-07-01 | 2018-01-09 | 四川秘无痕信息安全技术有限责任公司 | A kind of Android system wechat chat record decryption method |
CN106992851A (en) * | 2017-04-01 | 2017-07-28 | 北京元心科技有限公司 | TrustZone-based database file password encryption and decryption method and device and terminal equipment |
CN107506659A (en) * | 2017-07-27 | 2017-12-22 | 西安电子科技大学 | A kind of data protection system and method for the Universal Database based on SGX |
Non-Patent Citations (2)
Title |
---|
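FB客服: "SQLCipher: Attack and Defense", Tencent Cloud * |
编码美丽: "The latest way to decrypt the WeChat database: decrypting WeChat database information with code!", WeChat official account "编码美丽" * |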
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111382409A (en) * | 2020-03-19 | 2020-07-07 | 支付宝(杭州)信息技术有限公司 | Identity authentication method and device for protecting privacy |
CN113496561A (en) * | 2020-04-02 | 2021-10-12 | 广州汽车集团股份有限公司 | Vehicle-mounted fingerprint identification system and communication method thereof |
CN111711640B (en) * | 2020-06-30 | 2022-09-30 | 郑州工业应用技术学院 | A secure computer network communication system |
CN111711640A (en) * | 2020-06-30 | 2020-09-25 | 郑州工业应用技术学院 | A secure computer network communication system |
CN112511507A (en) * | 2020-11-17 | 2021-03-16 | 武汉默联股份有限公司 | Data processing device and data processing method |
CN112653559A (en) * | 2021-01-04 | 2021-04-13 | 潍柴动力股份有限公司 | Electric control unit starting method and device and storage medium |
CN112653559B (en) * | 2021-01-04 | 2023-01-06 | 潍柴动力股份有限公司 | Electric control unit starting method and device and storage medium |
CN113407885A (en) * | 2021-06-23 | 2021-09-17 | 中移(杭州)信息技术有限公司 | XPath data tampering warning method, device, equipment and readable storage medium |
CN113407885B (en) * | 2021-06-23 | 2024-04-12 | 中移(杭州)信息技术有限公司 | XPath data tampering alarm method, device, equipment and readable storage medium |
CN113794706A (en) * | 2021-09-06 | 2021-12-14 | 北京百度网讯科技有限公司 | Data processing method and device, electronic equipment and readable storage medium |
CN113794706B (en) * | 2021-09-06 | 2023-08-15 | 北京百度网讯科技有限公司 | Data processing method and device, electronic equipment and readable storage medium |
CN114390012A (en) * | 2021-12-15 | 2022-04-22 | 中国电子科技集团公司第三十研究所 | West trust application data evidence obtaining method based on reverse analysis |
CN115828289A (en) * | 2023-02-16 | 2023-03-21 | 中信天津金融科技服务有限公司 | Encryption method and system for digital archive |
CN115828289B (en) * | 2023-02-16 | 2023-05-30 | 中信天津金融科技服务有限公司 | Encryption method and system for digitized file |
CN117009319A (en) * | 2023-08-07 | 2023-11-07 | 广州青莲网络科技有限公司 | Database operation method, system and storage medium based on large language model |
CN117009319B (en) * | 2023-08-07 | 2024-01-26 | 广州青莲网络科技有限公司 | Database operation method, system and storage medium based on large language model |
Also Published As
Publication number | Publication date |
---|---|
CN110858249B (en) | 2021-11-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110858249B (en) | Database file encryption method, database file decryption method and related devices | |
CN112733107B (en) | Information verification method, related device, equipment and storage medium | |
US11683187B2 (en) | User authentication with self-signed certificate and identity verification and migration | |
ES2836114T3 (en) | Information sending method, information reception method, device and system | |
US10917394B2 (en) | Data operations using a proxy encryption key | |
CN112291190B (en) | Identity authentication method, terminal and server | |
WO2018157858A1 (en) | Information storage method, device, and computer-readable storage medium | |
US10409984B1 (en) | Hierarchical data security measures for a mobile device | |
CN104715187B (en) | Method and apparatus for the node in certification electronic communication system | |
WO2017041599A1 (en) | Service processing method and electronic device | |
CN108769027B (en) | Secure communication method, device, mobile terminal and storage medium | |
US20230421372A1 (en) | Accessory assisted account recovery | |
TWI420339B (en) | Software authorization system and method | |
CN107786331B (en) | Data processing method, device, system and computer readable storage medium | |
WO2020125134A1 (en) | Customized model tamper-proof method and apparatus, terminal device and storage medium | |
CN106845177A (en) | Cipher management method and system | |
EP3206329A1 (en) | Security check method, device, terminal and server | |
CN111259452A (en) | Data management method based on block chain and related device | |
TWI546698B (en) | Login system based on servers, login authentication server, and authentication method thereof | |
CN114389802B (en) | Information decryption method and device, electronic equipment and readable storage medium | |
CN113904830A (en) | SPA authentication method and device, electronic equipment and readable storage medium | |
CN112464259A (en) | ERP page acquisition method and device, computer equipment and storage medium | |
US20240421981A1 (en) | Key distribution using key duplication policies | |
WO2024260239A1 (en) | Data processing method and apparatus, device, medium, and program product | |
CN118631456A (en) | Password detection method, device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||