CN110858249B - Database file encryption method, database file decryption method and related devices - Google Patents


Publication number
CN110858249B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810972631.8A
Other languages
Chinese (zh)
Other versions
CN110858249A (en
Inventor
廖婷
曾英佩
胡亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd
Priority to CN201810972631.8A
Publication of CN110858249A
Application granted
Publication of CN110858249B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention discloses a database file encryption method, a decryption method and related devices, belonging to the technical field of data security. The database file encryption method provided by the invention comprises the following steps: when a database file related to any application is encrypted, judging whether encrypted key information exists in a specified directory of the application, wherein the encrypted key information is obtained by encrypting the key information according to device fingerprint information of a terminal and application fingerprint information of the application; and if so, decrypting the key information from the read encrypted key information, and encrypting the database file by using the decrypted key information. With this method, the database file is encrypted by using the key information, and the key information is in turn encrypted by using the device fingerprint information of the terminal and the application fingerprint information of the application, which makes the encrypted key information harder to crack and thereby further ensures the security of the encrypted database file.

Description

Database file encryption method, database file decryption method and related devices
Technical Field
The invention relates to the technical field of data security, in particular to a database file encryption method, a database file decryption method and a related device.
Background
SQLCipher is an open-source database that extends SQLite. Its main feature is that it adds a data encryption function on top of SQLite, so using SQLCipher to store data in a project can greatly improve the security of a program. SQLCipher has high encryption performance: encryption adds only 5%-15% overhead, and the database is 100% encrypted using algorithms provided by the OpenSSL encryption library, which makes SQLCipher well suited to database protection in mobile development. SQLCipher supports many different platforms; for example, it can be used in applications based on the Android system, and it extends to other fields in a similar way. Database files on the Android system are generally stored under the /data/data/your_packagename/databases path. This directory can be accessed once root authority is obtained, and the application data can then be viewed and edited, so if the database stores sensitive data that the user must not view or operate on, the database needs to be encrypted. SQLCipher does not encrypt individual tables or columns; it encrypts the whole database db file that stores the sensitive data, so the reliability of the key and its resistance to cracking are particularly important.
Existing SQLCipher-based key generation methods include the following: 1. encrypting directly with a plaintext key; 2. encrypting the plaintext key to obtain a ciphertext key, and then encrypting the database file with the ciphertext key; 3. dynamically generating a plaintext key, then generating a ciphertext key with an encryption algorithm, and then performing the encryption operation. Each of these methods is applicable in specific situations and each has advantages and disadvantages, but when the security requirement is high, the key is easily cracked by methods such as static analysis, dynamic debugging, decompilation and anti-hook, so that the user's sensitive data can be obtained and the user's interests are harmed.
Therefore, how to improve the security of the database file is one of the primary concerns.
Disclosure of Invention
The embodiment of the invention provides a database file encryption method, a database file decryption method and a related device, which are used for improving the security of database files.
In a first aspect, an embodiment of the present invention provides a database file encryption method, including:
when a database file related to any application is encrypted, judging whether encrypted key information exists in a specified directory of the application, wherein the encrypted key information is obtained by encrypting the key information according to equipment fingerprint information of a terminal and application fingerprint information of the application;
and if so, decrypting the key information from the read encrypted key information, and encrypting the database file by using the decrypted key information.
In this way, the database file is encrypted by using the key information, and the key information is then encrypted by using the device fingerprint information of the terminal and the application fingerprint information of the application, which ensures that the encrypted key information is usable by a single device and makes the encrypted database file harder to crack.
In a second aspect, an embodiment of the present invention provides a database file decryption method, including:
after receiving an operation request for a database file of an application in a terminal, acquiring encrypted key information from a specified directory of the application, wherein the encrypted key information is obtained by encrypting the key information according to device fingerprint information of the terminal and application fingerprint information of the application;
decrypting the key information from the encrypted key information;
and decrypting the database file by using the key information and operating the decrypted database file.
In a third aspect, an embodiment of the present invention provides a database file encryption apparatus, including:
a judging unit, used for judging whether encrypted key information exists in a specified directory of any application when a database file related to the application is encrypted, wherein the encrypted key information is obtained by encrypting the key information according to device fingerprint information of a terminal and application fingerprint information of the application;
and the encryption and decryption unit is used for decrypting the key information from the read encrypted key information and encrypting the database file by using the decrypted key information when the judgment result of the judgment unit is yes.
In a fourth aspect, an embodiment of the present invention provides a database file decryption apparatus, including:
an acquisition unit, used for acquiring encrypted key information from a specified directory of an application after receiving an operation request for a database file of the application in the terminal, wherein the encrypted key information is obtained by encrypting the key information according to device fingerprint information of the terminal and application fingerprint information of the application;
a first decryption unit operable to decrypt the key information from the encrypted key information;
and the second decryption unit is used for decrypting the database file by using the key information and operating the decrypted database file.
In a fifth aspect, an embodiment of the present invention provides a communication device, including a memory, a processor, and a computer program stored on the memory and executable on the processor; when the processor executes the program, it implements the database file encryption method according to any one of the items provided by the invention, and/or the database file decryption method according to any one of the items provided by the invention.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps in the database file encryption method according to any one of the provided embodiments of the present invention, and/or implements the steps in the database file decryption method according to any one of the provided embodiments of the present invention.
The invention has the beneficial effects that:
According to the database file encryption method provided by the embodiment of the invention, the database file is encrypted by using the key information, and the key information is encrypted by using the device fingerprint information of the terminal and the application fingerprint information of the application, which makes the encrypted key information harder to crack and further ensures the security of the encrypted database file.
According to the database file decryption method provided by the embodiment of the invention, after an operation request for a database file of an application in the terminal is received, the encrypted key information is read from the specified directory of the application, the key information is decrypted from the encrypted key information, and the encrypted database file is then decrypted by using the decrypted key information, so that the database file is operated on after decryption succeeds. The encrypted key information can thus be acquired and the key information decrypted without the user perceiving it, which simplifies the user's operation process.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a schematic structural diagram of a terminal 100 implementing an encryption method or a decryption method for a database file according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a database file encryption method according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating an encrypted key information generating method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a process of encrypting key information to obtain encrypted key information according to an embodiment of the present invention;
fig. 5 is a schematic flowchart of a process for acquiring a random number according to an embodiment of the present invention;
fig. 6 is a schematic flowchart of a process of encrypting key information by using device fingerprint information, application fingerprint information, a random number, and a preset sub-key to obtain encrypted key information according to an embodiment of the present invention;
fig. 7 is a schematic flowchart of integrity checking on encrypted key information according to an embodiment of the present invention;
fig. 8 is a second schematic flowchart of a database file encryption method according to an embodiment of the present invention;
fig. 9 is a schematic flowchart of acquiring device fingerprint information of a terminal according to an embodiment of the present invention;
fig. 10 is a schematic flowchart of acquiring application fingerprint information of an application according to an embodiment of the present invention;
fig. 11 is a flowchart illustrating a database file decryption method according to an embodiment of the present invention;
FIG. 12 is a flowchart illustrating a process for decrypting encrypted key information according to an embodiment of the present invention;
fig. 13 is a second schematic flowchart of a database file decryption method according to an embodiment of the present invention;
fig. 14 is a third schematic flowchart of a database file decryption method according to an embodiment of the present invention;
fig. 15 is a schematic structural diagram of a database file encryption apparatus according to an embodiment of the present invention;
fig. 16 is a schematic structural diagram of a database file decryption apparatus according to an embodiment of the present invention;
fig. 17 is a schematic diagram of a hardware structure of a terminal device for implementing the database file encryption and decryption method according to the embodiment of the present invention.
Detailed Description
The database file encryption method, the database file decryption method and the related device provided by the embodiment of the invention are used for improving the security of the database file.
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are merely for illustrating and explaining the present invention, and are not intended to limit the present invention, and that the embodiments and features of the embodiments in the present invention may be combined with each other without conflict.
To facilitate understanding of the invention, the technical terms involved in the invention are as follows:
1. A terminal is an electronic device on which various applications can be installed and which can display objects provided by the installed applications; the electronic device can be mobile or fixed. Examples include a mobile phone, a tablet computer, various wearable devices, a vehicle-mounted device, a Personal Digital Assistant (PDA), a point of sale (POS) terminal, a monitoring device in a subway station, or other electronic devices capable of implementing the above functions.
2. An application, i.e., an application program, is a computer program that can perform one or more specific tasks and has a visual display interface through which it can interact with a user; an electronic map and WeChat, for example, can both be referred to as applications.
3. Advanced Encryption Standard (AES), also known as Rijndael encryption, is a block encryption standard adopted by the federal government of the United States.
4. The HMAC operation uses a Hash algorithm, with a key and a Message as inputs, to generate a Message digest as an output.
5. In the description of the embodiments of the invention, the terms "first," "second," and the like are used for descriptive purposes only and not for purposes of indicating or implying relative importance, nor for purposes of indicating or implying order.
In the prior art, encryption and decryption operations are performed on the database directly with a plaintext key, where the plaintext key can be set by a user or generated by a random generator; this is simple to operate, but security is low when sensitive data is involved, because the key is easy to obtain. The prior art also encrypts a plaintext key with an encryption algorithm to obtain a ciphertext key and then performs encryption and decryption operations on the database with the ciphertext key; this improves security to a certain extent, but the plaintext key is easy to deduce by reverse analysis of the encryption algorithm, so a potential safety hazard remains. The prior-art method of dynamically generating the plaintext key is difficult to crack because the key is different every time, but the cost is increased because the plaintext key is regenerated every time. In addition, in the prior art a key may be stored in an application server, which shifts security protection mainly to communication and server protection; although security is improved to a certain extent, the communication between the application and the server and the security protection pressure on the server are increased. Each of these methods has its own application scenarios, but when the security requirement of the database file is high, they still have potential safety hazards.
In order to solve the security problem of database files in the prior art, the present invention provides a database file encryption method, which can be applied to a terminal in which an apparatus capable of implementing the method provided by the present invention is installed. Fig. 1 shows a schematic structural diagram of a terminal 100. Referring to fig. 1, the terminal 100 includes: a processor 110, a memory 120, a gravitational acceleration sensor 130, a display unit 140, an input unit 150, a Radio Frequency (RF) circuit 160, a power supply 170, and the like.
The processor 110 is a control center of the terminal 100, connects various components using various interfaces and lines, and performs various functions of the terminal 100 by running or executing software programs and/or data stored in the memory 120, thereby performing overall monitoring of the terminal. Alternatively, processor 110 may include one or more processing units; preferably, the processor 110 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 110. In some embodiments, the processor, memory, and/or memory may be implemented on a single chip, or in some embodiments, they may be implemented separately on separate chips.
The memory 120 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, various application programs, and the like; the storage data area may store data created according to the use of the terminal 100, and the like. Further, the memory 120 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device, among others.
The acceleration sensor 130 can detect the acceleration in each direction (generally, three axes), and meanwhile, the acceleration sensor 130 can also be used for detecting the gravity and the direction when the terminal is stationary, and can be used for applications of recognizing the gesture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer gesture calibration), vibration recognition related functions (such as pedometer and tapping), and the like.
The display unit 140 may be used to display information input by a user or information provided to the user, various menus of the terminal 100, and the like, and in the embodiment of the present invention, the display unit is mainly used to display a display interface of each application program in the terminal 100 and objects such as texts and pictures displayed in the display interface. The display unit 140 may include a display panel 141. The Display panel 141 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like.
The input unit 150 may be used to receive information such as numbers or characters input by a user. The input unit 150 may include a touch panel 151 and other input devices 152. The touch panel 151, also referred to as a touch screen, may collect a touch operation performed by a user on or near the touch panel 151 (e.g., an operation performed by the user on or near the touch panel 151 using any suitable object or accessory such as a finger, a touch pen, etc.), for example, the touch panel 151 in the embodiment of the present invention may be used to detect whether there is a pressing operation performed by the user. Specifically, the touch panel 151 may detect a touch operation of a user, detect signals caused by the touch operation, convert the signals into touch point coordinates, transmit the touch point coordinates to the processor 110, receive a command transmitted from the processor 110, and execute the command. In addition, the touch panel 151 may be implemented in various types, such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. Other input devices 152 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, power on/off keys, etc.), a trackball, a mouse, a joystick, and the like.
Of course, the touch panel 151 may cover the display panel 141, and when the touch panel 151 detects a touch operation on or near the touch panel, the touch panel is transmitted to the processor 110 to determine the type of the touch event, and then the processor 110 provides a corresponding visual output on the display panel 141 according to the type of the touch event. Although the touch panel 151 and the display panel 141 are two separate components to implement the input and output functions of the terminal 100 in fig. 2, in some embodiments, the touch panel 151 and the display panel 141 may be integrated to implement the input and output functions of the terminal 100.
The terminal 100 may also include RF circuitry 160 that may be used for transmitting and receiving information or data with base stations. In general, the RF circuit 160 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In embodiments of the present invention, RF circuit 160 may communicate with the network and other electronic devices via wireless communications using any communication standard or protocol.
The terminal 100 also includes a power supply 170 (e.g., a battery) for powering the various components, which may be logically coupled to the processor 110 via a power management system to manage charging, discharging, and power consumption via the power management system.
The terminal 100 can also include audio circuitry 180, a speaker 181, and a microphone 182 to provide an audio interface between a user and the terminal. The audio circuit 180 may transmit the electrical signal converted from the received audio data to the speaker 181, where it is converted into a sound signal and output; on the other hand, the microphone 182 converts the collected sound signal into an electrical signal, which is received by the audio circuit 180 and converted into audio data, and the audio data is then output to the processor 110 for processing, or output to the memory 120 for further processing.
The terminal 100 can also include one or more sensors, such as pressure sensors, gravitational acceleration sensors, proximity light sensors, and the like. Of course, the terminal 100 may further include other components such as a camera according to the requirements of a specific application, and these components are not shown in fig. 1 and are not described in detail since they are not components used in this embodiment of the present application.
Those skilled in the art will appreciate that fig. 1 is merely exemplary of a terminal and is not intended to be limiting and may include more or less components than those shown, or some components may be combined, or different components.
The application scenario of the database file encryption method and the database file decryption method provided by the invention is as follows. The encryption method and the decryption method are integrated into a Software Development Kit (SDK), and the SDK is then integrated into an application developed by an application developer, that is, the SDK is integrated in SQLCipher. When a user downloads to a terminal an application that integrates the SDK with the database file encryption and decryption functions, the application generally requires user registration, and some applications may involve transactions such as recharging. To avoid requiring the user to enter information such as a user name and password each time the user logs in to the application, and to ensure the security of the user data involved in transactions, the method provided by the invention can be used to encrypt the database file that stores the sensitive data, so that the security of the database file, and in turn of the sensitive data, is ensured. In addition, when the database file is detected, the encrypted key information is read by calling the SDK internally, and the encrypted database file is decrypted by using the decrypted key information. The key information does not need to be entered manually by the user, so the database file can be decrypted without the user perceiving it, which simplifies the operation flow and improves the user experience.
The following describes a database file encryption method and a database file decryption method provided according to exemplary embodiments of the present invention with reference to fig. 2 to 17 in conjunction with fig. 1 and the application scenarios described above. It should be noted that the above application scenarios are merely illustrated for the convenience of understanding the spirit and principles of the present invention, and the embodiments of the present invention are not limited in this respect. Rather, embodiments of the present invention may be applied to any scenario where applicable.
Referring to fig. 2, a schematic flow chart of a database file encryption method according to an embodiment of the present invention is shown, and in the following description, the method is applied to the terminal 100 shown in fig. 1 as an example. The specific implementation flow of the method is as follows:
S11, when encrypting the database file related to any application, judging whether encrypted key information exists in the specified directory of the application; if yes, go to step S12; otherwise, go to step S13.
The encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application, and is described in detail later.
Specifically, the specified directory of the application in the present invention may be determined according to the actual situation, and the present invention is not limited in this respect.
S12, decrypting the key information from the read encrypted key information, and encrypting the database file by using the decrypted key information.
If yes in step S11, it indicates that the specified directory of the application stores the encrypted key information, that is, the encryption and storage process of the key information has been performed before.
Specifically, the encrypted key information may be read by internally calling a getTerminalKey() function. In a specific implementation, a getTerminalKey() function is added to the SQLiteOpenHelper class of SQLCipher; this function calls the ReceiveTerminalKey() function of the TerminalCypto class in the key generation tool SDK to read the key information and assigns it to the variable password for subsequent encryption and decryption of the database db file, so that the key information is not passed directly in a database operation function.
In the SQLiteOpenHelper class, getWritableDatabase(char[] password) and getReadableDatabase(String password) are overloaded: the password input parameter is removed, giving getWritableDatabase() and getReadableDatabase(), and the getTerminalKey() function is called inside these functions to acquire the encrypted key information, which is assigned to password.
In the SQLiteDatabase class, openOrCreateDatabase(String path, String password, CursorFactory factory, SQLiteDatabaseHook databaseHook) is overloaded: as described above, the password input parameter is removed, the signature becomes openOrCreateDatabase(String path, Context context, SQLiteDatabase.CursorFactory factory, SQLiteDatabaseHook databaseHook), and the getTerminalKey() function is called inside the function to acquire the encrypted key information, which is assigned to password.
S13, randomly generating key information and encrypting the database file using the generated key information.
In this step, when it is detected in step S11 that the encrypted key information is not stored in the specified directory, a key information key is randomly generated2Key information key randomly generated in practical application2Also a random number. In generating the key information key2Then, key is pressed2The key information in the SDK is obtained by adding a getTerminalKey () function in an SQLiteOpenhelper class in the SQLCipher without directly transferring the key information in a database operation function.
By executing steps S11 to S13, the database file of any application is encrypted with the generated key information, which ensures the security of the sensitive data in the database file. In addition, to prevent the key information from being stolen, the invention proposes encrypting the key information with the device fingerprint information of the terminal and the application fingerprint information of the application and then storing the encrypted key information in the specified directory of the application, which improves the anti-cracking capability of the encrypted key information and further improves the security of the sensitive data in the encrypted database file. Moreover, with the key information encryption method provided by the invention, different applications on the same terminal obtain different encrypted key information, and because different terminals have different device fingerprints, the same application on different terminals also obtains different encrypted key information, which improves the anti-cracking capability of the encrypted key information.
Preferably, after step S13 is executed, the randomly generated key information also needs to be encrypted, for which the encryption flow shown in fig. 3 or fig. 4 may be used; the encrypted key information involved in step S11 is likewise produced according to the encryption flow shown in fig. 3 or fig. 4, described in detail below:
In a possible implementation manner, as shown in fig. 3, which is a schematic flow chart of an encrypted key information generation method provided in an embodiment of the present invention, the method may include the following steps:
S21, acquiring the device fingerprint information of the terminal and the application fingerprint information of the application.
S22, encrypting the key information by using the device fingerprint information and the application fingerprint information to obtain encrypted key information.
In steps S21 and S22, the AES encryption algorithm may be used to encrypt the device fingerprint information and the application fingerprint information, and then the encrypted information is used to encrypt the key information to obtain the encrypted key information. The key information in steps S21 and S22 may be the key information involved in step S11, or may be the key information randomly generated in step S13. Because the device fingerprint information of the terminal uniquely identifies the terminal and the application fingerprint information of the application uniquely identifies the application, encrypting the key information with the device fingerprint information and the application fingerprint information ensures that one application on one terminal device corresponds to one piece of encrypted key information, which improves the security of the encrypted key information and the difficulty of decrypting it, and further ensures the security of sensitive data in a database file encrypted with the key information.
In another possible implementation manner, in order to further improve the security of the encrypted key information, the key information may be encrypted according to the flow shown in fig. 4 to obtain the encrypted key information, including the following steps:
S31, acquiring the device fingerprint information of the terminal, the application fingerprint information of the application and the random number.
In this step, the random number may be obtained according to the flow shown in fig. 5, including the following steps:
S41, sending a random number acquisition request to the server of the application.
The random number acquisition request carries the terminal identification of the terminal and the application identification of the application.
Specifically, in order to further ensure the security of the database file, an application in the terminal sends a random number acquisition request to the server. After receiving the request, the server determines, according to a correspondence between the terminal identifier, the application identifier and the random number, whether a random number has already been generated for the application. If so, the correspondence necessarily stores the random number corresponding to the terminal identifier and the application identifier carried in the request; the server then encrypts that random number and sends the encrypted random number to the terminal. If the correspondence does not store the terminal identifier and the application identifier carried in the request, no random number has yet been generated for the application in the terminal and the random number acquisition request is a first request; the server then randomly generates a random number for the application in the terminal, encrypts it and sends it to the terminal.
S42, judging whether the terminal successfully receives the random number issued by the server; if yes, go to step S43; if not, step S47 is executed.
Specifically, whether the terminal sends the response message of the acquisition request to the server may be detected, and the specific content in the response message may be determined by negotiation between the application and the server, so that whether the random number sent by the server is successfully received may be determined according to the response message.
S43, acquiring the random number issued by the server.
Based on this, when reception succeeds, the random number issued by the server can be acquired. To avoid the waste of processing resources caused by too many interactions between the application and the server when the random number is obtained from the server many times, the present invention proposes that, after the random number is obtained, the storage process shown in steps S44 to S46 be executed.
S44, judging whether the terminal has secure element (SE) authority; if so, executing step S45; otherwise, executing step S46.
S45, when it is determined that the random number is not stored in the SE, performing white-box encryption on the received random number and storing the encrypted random number in the SE.
Specifically, to avoid obtaining the random number from the server multiple times, whether the terminal has SE authority is judged in the process of obtaining the random number; if so, the obtained random number is stored in the SE. SE authority is difficult to obtain: a terminal that has SE authority has higher security requirements, and the higher authority of the SE brings correspondingly higher security, so storing the random number in the SE improves the security of the random number and further increases the difficulty of cracking the encrypted key information. In addition, to further increase the difficulty of cracking the encrypted key information, the invention encrypts the random number with a white-box encryption method before writing it into the SE and then stores the encrypted random number in the SE. If the SE already stores a random number of the application, the random number of the application stored in the SE may be overwritten with the encrypted random number.
S46, when it is determined that the starting position of the database file does not store the random number, performing white-box encryption on the received random number and storing the encrypted random number at the starting position of the database file.
When the terminal does not have the SE right, to avoid obtaining the random number from the server multiple times, the invention also judges, in the process of obtaining the random number, whether the random number is stored at the starting position of the database file corresponding to the application; if not, the received random number is stored at the starting position of the database file. To further increase the difficulty of cracking the encrypted key information, white-box encryption may first be performed on the random number, and the encrypted random number is then stored at the starting position of the database file. When a random number of the application is already stored in the database file, the random number of the application stored at the starting position of the database file is updated with the received random number.
S47, determining whether the secure element SE stores a random number; if yes, go to step S48; otherwise, step S49 is executed.
When step S42 fails to receive the random number issued by the server, it indicates that the terminal may not receive the random number issued by the server due to a network anomaly, and at this time, it is determined whether the random number corresponding to the application is stored in the SE, and if the random number corresponding to the application is stored in the SE, the random number of the application is extracted from the SE.
S48, acquiring the random number from the SE.
S49, determining whether the starting position of the database file stores a random number, if so, executing the step S410; otherwise, step S41 is executed again.
S410, acquiring the random number from the starting position of the database file.
In steps S49 to S410, if the SE does not store the random number of the application, it is determined whether the random number of the application is stored at the start position of the database file, and if so, the random number corresponding to the application is extracted from the start position, so that the random number can be acquired by executing steps S41 to S410.
It should be noted that, with steps S41 to S410, the random number may be requested from the server each time the database file is encrypted, which ensures dynamic issuing of the random number and therefore dynamic change of the encrypted key information, greatly improving the security of the encrypted key information and making the database file harder to crack.
In practical applications, to avoid heavy consumption of terminal processing resources caused by frequent interaction between an application and a server, the terminal generally sends a random number acquisition request to the server of an application only once for that application, that is, step S41 is executed only once; when the random number needs to be acquired afterwards, only steps S47 to S410 need to be executed.
Because the key information used for encrypting the database file is encrypted with the random number issued by the server, not all parameters involved in generating the encrypted key information are stored locally: the Rand_GUID allocated by the server to one application of one terminal device is stored at the server, and the white-box-encrypted Rand_GUID is extracted from the backup in the local SE of the terminal or at the starting position of the database file only under special conditions such as network failure, which improves security to a great extent.
S32, encrypting the key information by using the device fingerprint information, the application fingerprint information, the random number and the preset subkey to obtain the encrypted key information.
In this step, the SHA2 algorithm, the AES algorithm, and the HMAC algorithm may be used to obtain the encrypted key information. Specifically, step S32 may be performed according to the method shown in fig. 6, including the following steps:
S51, generating a root key according to the device fingerprint information, the application fingerprint information, the random number and the preset subkey.
Specifically, the root key may be generated using the SHA2 (SHA2-256) algorithm according to the device fingerprint information, the application fingerprint information, the random number and the preset subkey. For example, with the device fingerprint information denoted deviceFingerprint, the application fingerprint information denoted appFingerprint, the random number denoted Rand_GUID, and the preset subkey comprising $d_1$, $d_2$ and $d_3$, the root key $key_1$ may be generated according to the following formula:
$$key_1 = \mathrm{SHA2}(d_1|d_2|d_3|deviceFingerprint|appFingerprint|Rand\_GUID) \quad (1)$$
S52, encrypting the key information by using the root key to obtain first encryption information.
Specifically, the AES algorithm and the root key $key_1$ may be used to encrypt the key information to obtain the first encryption information cipher1, according to the following formula:
$$cipher1 = \mathrm{AES\_EN}_{key_1}(key_2) \quad (2)$$
S53, encrypting the first encryption information, the device fingerprint information and the application fingerprint information by using the root key to obtain second encryption information.
In this step, the HMAC algorithm and the root key may be used to encrypt the first encryption information, the device fingerprint information and the application fingerprint information, so as to obtain the second encryption information cipher2, according to the following formula:
$$cipher2 = \mathrm{HMAC}_{key_1}(cipher1|deviceFingerprint|appFingerprint) \quad (3)$$
In practice, the first 64 bits of the HMAC result, i.e. of the right-hand side of the equation, may be taken as the value of cipher2, i.e. the second encryption information.
S54, encrypting the second encryption information, the device fingerprint information and the application fingerprint information by using a preset first obfuscating parameter to obtain third encryption information.
Specifically, step S54 may be performed by using the AES algorithm, and the third encryption information cipher3 may be obtained according to formula (4):
$$cipher3 = \mathrm{AES\_EN}_{K}(cipher1|deviceFingerprint|appFingerprint) \quad (4)$$
Specifically, K in formula (4) is the preset first obfuscating parameter, and may be determined according to the actual situation.
S55, performing OR processing on the second encryption information and the third encryption information to obtain the encrypted key information.
In this step, the encrypted key information cipher may be obtained according to formula (5):
$$cipher = cipher3|cipher2 \quad (5)$$
S33, storing the encrypted key information in the specified directory of the application.
In this step, the encrypted key information cipher is obtained based on steps S51 to S55 and is stored in the specified directory of the application. Because the device fingerprint information uniquely identifies the terminal, the application fingerprint information uniquely identifies the application, and a random number issued by the server for the application is also used, encrypting the key information with the device fingerprint information, the application fingerprint information and the server-issued random number ensures that one application on one terminal device corresponds to one random number and hence to one piece of encrypted key information, which greatly improves the security of the encrypted key information and the difficulty of cracking it, and further ensures the security of sensitive data in a database file encrypted with the key information.
Preferably, in order to ensure the accuracy of the encrypted key information stored in the specified directory of the application, when the result of step S11 is yes and before step S12 is executed, the method further includes:
verifying the integrity of the encrypted key information.
Specifically, checking the integrity of the encrypted key information improves the security of the database file to a certain extent. The integrity check on the encrypted key information stored in the specified directory may be performed according to the flow shown in fig. 7, which may include the following steps:
S61, splitting the encrypted key information into fourth encrypted information and fifth encrypted information.
Specifically, taking the encrypted key information cipher as an example, cipher is split into the fourth encrypted information cipher4 and the fifth encrypted information cipher5.
S62, decrypting the fifth encrypted information by using the preset first obfuscating parameter to obtain sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application.
In this step, step S62 is executed with the AES decryption algorithm, that is, AES decryption is performed on cipher5 with the first obfuscating parameter K to obtain the sixth encrypted information cipher6, the decrypted device fingerprint information deviceFingerprint1 and the decrypted application fingerprint information appFingerprint1.
S63, encrypting the decrypted sixth encryption information, the device fingerprint information of the terminal and the application fingerprint information of the application by using the root key to obtain seventh encryption information.
Based on step S62, step S63 may be performed using the HMAC algorithm, and the seventh encrypted information cipher2' may be obtained according to formula (6):
$$cipher2' = \mathrm{HMAC}_{key_1}(cipher1|deviceFingerprint1|appFingerprint1) \quad (6)$$
S64, judging whether the seventh encryption information is consistent with the fourth encryption information; if so, executing step S65; otherwise, executing step S66.
If the seventh encryption information obtained by formula (6) is consistent with the split fourth encryption information, i.e. cipher2' = cipher4, step S65 is performed, i.e. the encrypted key information is complete; otherwise, the encrypted key information is incomplete.
S65, determining that the integrity check of the encrypted key information passes.
S66, determining that the integrity check of the encrypted key information is not passed.
Whether the encrypted key information is complete can be determined by performing the process shown in fig. 7, and when it is determined that the encrypted key information is not complete, step S13 needs to be performed.
Preferably, the method provided by the present invention may further include a process shown in fig. 8, including the following steps:
S71, when a version update of the application is detected, decrypting the key information from the encrypted key information.
In this step, a detected version update of the application is equivalent to a change in the application, so the key information needs to be re-encrypted with the application fingerprint information of the updated application. To do so, the key information must first be decrypted from the encrypted key information. The decryption may be performed as the inverse of the process that generated the encrypted key information.
S72, determining the application fingerprint information of the updated application.
Specifically, the dex file, the certificate, and the package name of the updated application may be obtained again, and then the application fingerprint information of the updated application may be determined by using the dex file, the certificate, and the package name of the updated application.
S73, re-encrypting the key information according to the acquired device fingerprint information of the terminal, the application fingerprint information, the acquired random number and the preset subkey to obtain new encrypted key information.
In this step, after the application fingerprint information of the updated application is determined, the key information decrypted in step S71 is re-encrypted by the flow shown in fig. 4, and new encrypted key information is obtained. Note that the random number in step S73 may be acquired from the SE or from the starting position of the database file.
S74, storing the new encrypted key information in the specified directory of the application.
After determining new encrypted key information based on the new version of the application, the new encrypted key information is stored in a designated directory of the updated application.
Preferably, the device fingerprint information of the terminal in fig. 3, 4 and 8 can be obtained according to the method shown in fig. 9, including the following steps:
S81, obtaining the IMEI of the terminal, the Bluetooth media access control address BluetoothMacAddress and the version number of the operating system used by the terminal.
S82, generating the device fingerprint information of the terminal according to a preset second confusion parameter, the IMEI, the BluetoothMacAddress and the version number of the operating system.
In steps S81 to S82, the device fingerprint information of the terminal may be determined according to formula (7):
$$\mathrm{SHA2}(IMEI|BluetoothMacAddress|AndroidID|K5) \quad (7)$$
The device fingerprint information of the terminal is used for uniquely identifying the terminal, and the device fingerprint information of different terminals is different. In practical application, the first 64 bits of the result of formula (7) may be used as the device fingerprint information of the terminal; since the International Mobile Equipment Identity (IMEI), the Bluetooth MAC address and the version number of the operating system of different terminals are different, distinct device fingerprint information can be obtained for different terminals. K5 in formula (7) is the second confusion parameter, which may be determined according to the actual situation.
Optionally, the determining the application fingerprint information of the application may be performed according to the flow shown in fig. 10, including the following steps:
S91, acquiring the dex file and the certificate of the application and the package name of the application.
S92, generating application fingerprint information of the application according to a preset third confusion parameter, the dex file, the certificate and the package name.
In steps S91 to S92, application fingerprint information of the application may be determined according to formula (8):
$$\mathrm{SHA2}(dex|certificate|\text{apk package name}|K4) \quad (8)$$
The application fingerprint information of the application in the invention is used to uniquely identify the application, and the application fingerprint information of different applications is different. In practical application, the first 64 bits of the result of formula (8) may be taken as the application fingerprint information; since the dex files, certificates and package names of different applications are different, distinct application fingerprint information can be obtained for different applications. K4 in formula (8) is the third confusion parameter, which may be determined according to the actual situation.
With the database file encryption method provided by the invention, when a database file related to any application is encrypted, it is judged whether encrypted key information exists in the specified directory of the application, where the encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application; if so, the key information is decrypted from the read encrypted key information and the database file is encrypted with the decrypted key information. With this method, the database file is encrypted with the key information, and the key information is itself encrypted with the device fingerprint information of the terminal and the application fingerprint information of the application, which increases the difficulty of cracking the encrypted key information and further ensures the security of the encrypted database file.
Based on the same inventive concept, an embodiment of the present invention further provides a database file decryption method, which is described with reference to fig. 11 by taking an example that the method is applied to the terminal 100 shown in fig. 1, and a specific implementation flow of the database file decryption method is as follows:
S101, after receiving an operation request for a database file of an application in the terminal, acquiring encrypted key information from the specified directory of the application.
The encrypted key information is obtained by encrypting the key information according to the device fingerprint information of the terminal and the application fingerprint information of the application.
In this step, the encrypted key information may be read by internally calling a getTerminalKey() function. In a specific implementation, a getTerminalKey() function is added to the SQLiteOpenHelper class of SQLCipher. This function calls the ReceiveTerminalKey() function of the TerminalCypto class in the key generation tool SDK to read the key information and assigns it to the variable password for subsequent encryption and decryption of database db files, so the key information is not passed directly in the database operation functions.
Specifically, the encrypted key information may be obtained by referring to the flow shown in fig. 3 or fig. 4, and is not repeated herein.
S102, decrypting the key information from the encrypted key information.
Specifically, the key information may be decrypted according to the method shown in fig. 12, which includes the following steps:
S111, splitting the encrypted key information into first ciphertext information and second ciphertext information.
In this step, referring to the encryption operation shown in fig. 6 and following the decryption process that corresponds to it, the encrypted key information cipher is first split into the first ciphertext information and the second ciphertext information. If the application executing the decryption operation is a legitimate application and no attack tool is present, the split first ciphertext information should be the second encryption information cipher2 from step S53, and the second ciphertext information should be the third encryption information cipher3 from step S54.
S112, decrypting the second ciphertext information by using the preset first obfuscating parameter to obtain third ciphertext information.
In this step, AES decryption is performed on the second ciphertext information cipher3 by using the first obfuscating parameter K, so that the third ciphertext information is obtained. Similarly, if the application performing the decryption operation is a legitimate application and no attack tool is present, the decrypted third ciphertext information cipher6 should be the first encryption information cipher1 from step S52.
S113, decrypting the third ciphertext information by using the root key to obtain the key information.
In this step, the root key $key_1$ is used to decrypt the third ciphertext information with the AES decryption algorithm, as shown in formula (9):
$$key_2 = \mathrm{AES\_DE}_{key_1}(cipher6) \quad (9)$$
If the operation belongs to a legitimate application, the third ciphertext information cipher6 is the first encryption information cipher1.
S103, decrypting the database file by using the key information and operating the decrypted database file.
Specifically, after the decryption is completed, the decrypted key information $key_2$ and a status code of 0 are returned. The decrypted key information $key_2$ is then used to decrypt the encrypted database. The database functions in SQLCipher can then acquire $key_2$ by calling the getTerminalKey function and perform add, delete, modify and query operations on the database file. When a user calls SQLCipher to perform database operations such as adding, deleting, modifying and querying, no password parameter needs to be passed, and the generation, management and calling of the key information are completely transparent to the user, which simplifies the user's operation flow.
Preferably, before decrypting the key information from the encrypted key information, the method further includes:
verifying the integrity of the encrypted key information.
Specifically, the encrypted key information may be integrity-checked with reference to the flow shown in fig. 7, which will not be described in detail herein.
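The wrapping, integrity check and unwrapping of figs. 6, 7 and 12 (formulas (1) to (6) and (9)) can be followed end to end in the Go sketch below, which is an added example and not code from the patent or from SQLCipher. Assumptions: AES is run as AES-256-CTR with a random IV prepended, "|" is byte concatenation (the later steps split the value again), fingerprints and cipher2 are 8 bytes each, and Params, Wrap, Unwrap and all sample values are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const fpLen, tagLen = 8, 8 // fingerprints and cipher2 are 64 bits each, as the text states

var ErrIntegrity = errors.New("encrypted key information failed the integrity check")

// Params holds the inputs of formula (1) plus K; the field names are hypothetical.
type Params struct {
	SubKeys, DeviceFP, AppFP, RandGUID, K []byte // K: 32-byte AES key (assumption)
}

// sha2 hashes a|b|..., reading "|" in formulas (1), (7), (8) as concatenation.
func sha2(parts ...[]byte) []byte {
	sum := sha256.Sum256(bytes.Join(parts, nil))
	return sum[:]
}

// ctr applies AES-256-CTR. The patent names only "AES"; the mode is an assumption.
func ctr(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// seal encrypts under a fresh random IV and returns IV | ciphertext.
func seal(key, plain []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := ctr(key, iv, plain)
	return append(iv, ct...), err
}

// tag is formulas (3) and (6): the first 64 bits of HMAC_key1(cipher1|dev|app).
func tag(key1, c1, dev, app []byte) []byte {
	m := hmac.New(sha256.New, key1)
	m.Write(bytes.Join([][]byte{c1, dev, app}, nil))
	return m.Sum(nil)[:tagLen]
}

// Wrap follows steps S51 to S55 and returns cipher = cipher3 | cipher2.
func Wrap(p Params, key2 []byte) ([]byte, error) {
	key1 := sha2(p.SubKeys, p.DeviceFP, p.AppFP, p.RandGUID) // formula (1)
	c1, err := seal(key1, key2)                               // formula (2)
	if err != nil {
		return nil, err
	}
	c3, err := seal(p.K, bytes.Join([][]byte{c1, p.DeviceFP, p.AppFP}, nil)) // formula (4)
	if err != nil {
		return nil, err
	}
	return append(c3, tag(key1, c1, p.DeviceFP, p.AppFP)...), nil // formulas (3), (5)
}

// Unwrap runs the integrity check (S61 to S66), then the decryption (S111 to S113).
func Unwrap(p Params, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+2*fpLen+tagLen {
		return nil, ErrIntegrity
	}
	c3, c2 := blob[:len(blob)-tagLen], blob[len(blob)-tagLen:]
	inner, err := ctr(p.K, c3[:aes.BlockSize], c3[aes.BlockSize:])
	if err != nil {
		return nil, err
	}
	n := len(inner) - 2*fpLen
	c6, dev1, app1 := inner[:n], inner[n:n+fpLen], inner[n+fpLen:]
	key1 := sha2(p.SubKeys, p.DeviceFP, p.AppFP, p.RandGUID)
	if !hmac.Equal(tag(key1, c6, dev1, app1), c2) { // formula (6), constant-time compare
		return nil, ErrIntegrity
	}
	return ctr(key1, c6[:aes.BlockSize], c6[aes.BlockSize:]) // formula (9)
}

func main() {
	// Constructed sample inputs; none of these values come from the patent.
	dev := sha2([]byte("imei"), []byte("bt-mac"), []byte("os-version"), []byte("K5"))[:fpLen]
	app := sha2([]byte("dex"), []byte("cert"), []byte("com.example.app"), []byte("K4"))[:fpLen]
	p := Params{SubKeys: []byte("d1d2d3"), DeviceFP: dev, AppFP: app,
		RandGUID: []byte("rand-guid"), K: bytes.Repeat([]byte{0x4b}, 32)}
	blob, _ := Wrap(p, []byte("db-passphrase"))
	key2, err := Unwrap(p, blob)
	fmt.Printf("%s %v\n", key2, err)
}
```

Unwrap returns ErrIntegrity when the stored value is altered or when the root key is derived from a different device fingerprint, application fingerprint or Rand_GUID, which is the per-device, per-application binding the text describes.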
Preferably, before obtaining the encrypted key information from the specified directory of the application, the process shown in fig. 13 is further included, and includes the following steps:
S121, acquiring the device fingerprint information of the terminal.
In practical application, if the device fingerprint information of the terminal needs to be determined in real time each time, the processing resources of the terminal may be wasted, so in the process of determining the encrypted key information, the device fingerprint information of the terminal is stored after it is determined.
S122, determining that the device fingerprint information passes verification.
In this step, when step S122 is executed, the flow shown in fig. 9 is executed again to determine the current device fingerprint information of the terminal, and it is then determined whether the currently determined device fingerprint information is consistent with the previously stored device fingerprint information; if so, the device fingerprint information of the terminal passes verification. The decryption operation, i.e. step S102, is performed only after the device fingerprint information of the terminal passes verification. If the device fingerprint information fails verification, a null value and a corresponding status code are returned.
Further, after the device fingerprint information of the terminal is verified, before the encrypted key information is obtained from the specified directory of the application, the process shown in fig. 14 is further included, and the process includes the following steps:
S131, acquiring application fingerprint information of the application.
In practical application, if the application fingerprint information of the application needs to be determined in real time each time, the processing resources of the terminal may be wasted, so in the process of determining the encrypted key information, the application fingerprint information of the application is stored after the application fingerprint information of the application is determined.
S132, determining that the application fingerprint information passes verification.
In this step, when step S132 is executed, the flow shown in fig. 10 is executed again to determine the current application fingerprint information, and it is then determined whether the current application fingerprint information is consistent with the previously stored application fingerprint information; if so, the application fingerprint information passes verification. The decryption operation, i.e. step S102, is performed only after the application fingerprint information passes verification.
By executing the database file decryption method provided by the invention, after an operation request for a database file of an application in a terminal is received, encrypted key information is obtained from a specified directory of the application, where the encrypted key information is obtained by encrypting the key information according to device fingerprint information of the terminal and application fingerprint information of the application; the key information is decrypted from the encrypted key information; and the database file is decrypted using the key information and the decrypted database file is operated on. With this method, the encrypted key information is read by internally calling the getTerminalKey() function, the key information is then decrypted from the encrypted key information, and the encrypted database file is decrypted using the decrypted key information, so that the database file is operated on after decryption succeeds. The encrypted key information can thus be acquired and the key information decrypted without the user being aware of it, which simplifies the user's operation flow.
In the method and apparatus, a key management SDK is integrated on SQLCipher, and the key information used to encrypt the database file is encrypted and stored in combination with the device fingerprint information, the application fingerprint information and the random number issued by the server. This simplifies the user's calls to the related data operation functions: no key parameters need to be passed, use of SQLCipher is simplified, and the encryption and decryption of the database are therefore not perceived by the user.
Based on the same inventive concept, the embodiment of the invention also provides a database file encryption device, and as the principle of solving the problems of the device is similar to the database file encryption method, the implementation of the device can refer to the implementation of the method, and repeated parts are not described again.
As shown in fig. 15, a schematic structural diagram of a database file encryption apparatus provided in an embodiment of the present invention includes:
a determining unit 141, configured to determine whether encrypted key information exists in a specified directory of any application when a database file related to the application is encrypted, where the encrypted key information is obtained by encrypting the key information according to device fingerprint information of a terminal and application fingerprint information of the application;
an encryption/decryption unit 142, configured to, if the determination result of the determination unit 141 is yes, decrypt key information from the read encrypted key information, and encrypt the database file using the decrypted key information.
In a possible embodiment, the apparatus further includes:
a verifying unit 143, configured to verify integrity of the encrypted key information before the encryption and decryption unit 142 decrypts the key information from the encrypted key information if the determination result of the determining unit 141 is yes.
Preferably, the apparatus further comprises:
a first encryption unit 144, configured to randomly generate key information and encrypt the database file using the generated key information if the determination unit 141 determines that the encrypted key information does not exist in the specified directory or if the verification unit 143 fails to verify the integrity of the encrypted key information.
In another possible implementation manner, the database file encryption apparatus provided by the present invention further includes:
an obtaining unit 145, configured to obtain device fingerprint information of the terminal and application fingerprint information of the application;
a second encryption unit 146, configured to encrypt the key information using the device fingerprint information and the application fingerprint information to obtain encrypted key information.
Preferably, the obtaining unit 145 is further configured to obtain device fingerprint information of the terminal, application fingerprint information of the application, and a random number;
the second encryption unit 146 is further configured to encrypt the key information by using the device fingerprint information, the application fingerprint information, the random number, and a preset sub-key to obtain encrypted key information;
the apparatus further includes:
a storage unit 147, configured to store the encrypted key information in a specified directory of the application.
Preferably, the second encryption unit 146 is specifically configured to generate a root key according to the device fingerprint information, the application fingerprint information, a random number, and a preset sub-key; encrypt the key information using the root key to obtain first encrypted information; encrypt the first encrypted information, the device fingerprint information and the application fingerprint information using the root key to obtain second encrypted information; encrypt the second encrypted information, the device fingerprint information and the application fingerprint information using a preset first obfuscation parameter to obtain third encrypted information; and perform OR processing on the second encrypted information and the third encrypted information to obtain the encrypted key information.
Preferably, the encryption and decryption unit is specifically configured to read the encrypted key information by internally calling the getTerminalKey() function.
Preferably, the verifying unit 143 is specifically configured to determine that the integrity check on the encrypted key information passes according to the following method: splitting the encrypted key information into fourth encrypted information and fifth encrypted information; decrypting the fifth encrypted information using a preset first obfuscation parameter to obtain sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application; encrypting the decrypted sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application using the root key to obtain seventh encrypted information; and if the seventh encrypted information is consistent with the fourth encrypted information, determining that the integrity check of the encrypted key information passes.
In still another possible implementation manner, in the database file encryption device provided by the present invention,
an encryption/decryption unit 142, configured to decrypt key information from the encrypted key information when detecting a version update of an application;
the apparatus further includes:
a determining unit 148 for determining application fingerprint information of the updated application;
the second encrypting unit 146 is further configured to encrypt the key information again according to the acquired device fingerprint information of the terminal, the application fingerprint information, the acquired random number, and a preset sub-key to obtain new encrypted key information;
the storage unit 147 is further configured to store the new encrypted key information in a specified directory of the application.
In another possible implementation manner, the database file encryption apparatus provided by the present invention further includes:
the obtaining unit 145 is further configured to obtain the random number according to the following method: sending a random number acquisition request to a server of the application, wherein the request carries a terminal identifier of the terminal and an application identifier of the application, so that the server determines the random number of the application according to the corresponding relation among the terminal identifier, the application identifier and the random number; after the random number issued by the server is successfully received, the random number is obtained; if the random number issued by the server is determined to be unsuccessfully received, determining whether the random number is stored in the secure element SE, and if so, acquiring the random number from the SE; if not, when the random number is determined to be stored at the starting position of the database file, the random number is obtained from the starting position of the database file.
Preferably, the apparatus further comprises:
a processing unit 149, configured to determine, after the obtaining unit 145 obtains the random number, whether the terminal has permission for the secure element (SE); if yes, when it is determined that the random number is not stored in the SE, encrypt the received random number using a white box and store the encrypted random number in the SE; if not, when it is determined that the random number is not stored at the starting position of the database file, encrypt the received random number using a white box and store the encrypted random number at the starting position of the database file.
Optionally, the second encryption unit 146 is specifically configured to generate the device fingerprint information of the terminal according to the following method: obtaining the International Mobile Equipment Identity (IMEI), the Bluetooth media access control address (Bluetooth MacAddress) and the version number of the operating system used by the terminal; and generating the device fingerprint information of the terminal according to a preset second obfuscation parameter, the IMEI, the Bluetooth MacAddress and the version number of the operating system.
Optionally, the second encryption unit 146 is specifically configured to generate application fingerprint information of an application according to the following method: acquiring a dex file and a certificate of the application and a package name of the application; and generating application fingerprint information of the application according to a preset third obfuscation parameter, the dex file, the certificate and the package name.
For convenience of description, the above parts are separately described as modules (or units) according to functional division. Of course, the functionality of the various modules (or units) may be implemented in the same or in multiple pieces of software or hardware in practicing the invention.
Based on the same inventive concept, the embodiment of the invention also provides a database file decryption device, and as the principle of solving the problems of the device is similar to the database file decryption method, the implementation of the device can refer to the implementation of the method, and repeated parts are not described again.
As shown in fig. 16, a schematic structural diagram of a database file decryption device according to an embodiment of the present invention includes:
an obtaining unit 151, configured to obtain, after receiving an operation request for a database file of an application in a terminal, encrypted key information from a specified directory of the application, where the encrypted key information is obtained by encrypting the key information according to device fingerprint information of the terminal and application fingerprint information of the application;
a first decryption unit 152 configured to decrypt the key information from the encrypted key information;
the second decryption unit 153 is configured to decrypt the database file using the key information and operate the decrypted database file.
In a possible implementation manner, the database file decryption apparatus provided by the present invention further includes:
a verifying unit 154, configured to confirm that the encrypted key information passes the integrity check before the first decryption unit 152 decrypts the key information from the encrypted key information.
In a possible implementation manner, the database file decryption apparatus provided by the present invention further includes:
a first authentication unit 155, configured to acquire the device fingerprint information of the terminal before the first decryption unit 152 decrypts the key information from the encrypted key information, and to confirm that the device fingerprint information passes verification.
In a possible implementation manner, the database file decryption apparatus provided by the present invention further includes:
a second authentication unit 156, configured to acquire the application fingerprint information of the application after the first authentication unit 155 verifies the device fingerprint information of the terminal and before the first decryption unit 152 decrypts the key information from the encrypted key information, and to confirm that the application fingerprint information passes verification.
Preferably, the first decryption unit 152 is specifically configured to split the encrypted key information into first ciphertext information and second ciphertext information; decrypt the second ciphertext information using a preset first obfuscation parameter to obtain third ciphertext information; and decrypt the third ciphertext information using the root key to obtain the key information.
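The key wrapping of the second encryption unit 146, the integrity check of the verifying unit 143 and the unwrapping of the first decryption unit 152 can be sketched as follows; this is an added example, not code from the patent, and it shows that a blob wrapped on one device and application fails the check on another. Assumptions: the cipher is a stand-in HMAC-SHA256 keystream and the root key is an HMAC keyed with the sub-key (the page names neither algorithm), the "OR processing" is treated as a length-prefixed concatenation so the result can be split again, the third encrypted information wraps the first encrypted information (the reading under which the check and decryption steps as described recover the key), and all constants and function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed placeholders; the page does not give the real preset values.
OBFUSCATION_PARAM_1 = b"constructed-first-obfuscation-parameter"
PRESET_SUBKEY = b"constructed-preset-sub-key"


def pack(*fields: bytes) -> bytes:
    """Length-prefix every field so a concatenation can be split again."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def unpack(blob: bytes) -> list:
    """Inverse of pack(); raises ValueError on malformed input."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + size > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields


def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in deterministic cipher (assumption, not a vetted cipher):
    XOR with an HMAC-SHA256 counter keystream. The same call decrypts.
    Determinism is what lets the check re-encrypt and compare."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">I", offset // 32)
        keystream = hmac.new(key, label + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def root_key(device_fp: bytes, app_fp: bytes, random_number: bytes) -> bytes:
    """Root key from both fingerprints, the server random number and the sub-key."""
    message = pack(device_fp, app_fp, random_number)
    return hmac.new(PRESET_SUBKEY, message, hashlib.sha256).digest()


def wrap_key(db_key: bytes, device_fp: bytes, app_fp: bytes,
             random_number: bytes) -> bytes:
    """Produce the encrypted key information stored in the app directory."""
    rk = root_key(device_fp, app_fp, random_number)
    first = stream_xor(rk, b"first", db_key)
    bound = pack(first, device_fp, app_fp)
    second = stream_xor(rk, b"second", bound)
    third = stream_xor(OBFUSCATION_PARAM_1, b"third", bound)
    return pack(second, third)


def unwrap_key(blob: bytes, device_fp: bytes, app_fp: bytes,
               random_number: bytes) -> Optional[bytes]:
    """Integrity check, then decryption. Returns None when the check fails."""
    try:
        fourth, fifth = unpack(blob)
        plain = stream_xor(OBFUSCATION_PARAM_1, b"third", fifth)
        sixth, stored_device_fp, stored_app_fp = unpack(plain)
    except ValueError:
        return None
    # The root key is rebuilt from the *current* fingerprints, so a blob
    # copied to another device or a modified app no longer re-encrypts
    # to the stored value.
    rk = root_key(device_fp, app_fp, random_number)
    seventh = stream_xor(rk, b"second",
                         pack(sixth, stored_device_fp, stored_app_fp))
    if not hmac.compare_digest(seventh, fourth):
        return None
    return stream_xor(rk, b"first", sixth)


if __name__ == "__main__":
    # Constructed sample inputs.
    device_fp = hashlib.sha256(b"constructed device fingerprint").digest()
    other_device_fp = hashlib.sha256(b"constructed other device").digest()
    app_fp = hashlib.sha256(b"constructed application fingerprint").digest()
    random_number = os.urandom(16)
    db_key = os.urandom(32)
    blob = wrap_key(db_key, device_fp, app_fp, random_number)
    print("same device:", unwrap_key(blob, device_fp, app_fp, random_number) == db_key)
    print("other device:", unwrap_key(blob, other_device_fp, app_fp, random_number))
```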
Based on the same inventive concept, the embodiment of the present invention further provides a communication device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, the database file encryption method or the database file decryption method according to any one of the embodiments of the present invention is implemented.
In addition, an embodiment of the present application further provides a computer-readable storage medium, which stores computer-executable instructions required to be executed by the processor, and includes a program required to be executed by the processor.
In some possible embodiments, various aspects of the database file encryption method or the database file decryption method provided by the present invention may also be implemented in the form of a program product including program code for causing a computer device to perform the steps in the database file encryption method or the database file decryption method according to various exemplary embodiments of the present invention described above in this specification when the program product is run on the computer device, for example, the computer device may perform the database file encryption procedure in steps S11 to S13 shown in fig. 2 or perform the database file decryption procedure in steps S101 to S103 shown in fig. 11.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product for the database file encryption method or the database file decryption method of the embodiments of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program codes, and may be run on a computing device. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device over any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., over the internet using an internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, according to embodiments of the invention, the features and functions of two or more of the units described above may be embodied in one unit. Conversely, the features and functions of one unit described above may be further divided among a plurality of units.
Moreover, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (19)

1. A database file encryption method is characterized by comprising the following steps:
when a database file related to any application is encrypted, judging whether encrypted key information exists in a specified directory of the application, wherein the encrypted key information is obtained by encrypting the key information according to device fingerprint information of a terminal and application fingerprint information of the application;
if yes, decrypting key information from the read encrypted key information, and encrypting the database file by using the decrypted key information;
if the encrypted key information does not exist in the specified directory, randomly generating key information and encrypting the database file by using the generated key information;
acquiring device fingerprint information of the terminal, application fingerprint information of the application and a random number;
encrypting the key information by using the device fingerprint information, the application fingerprint information, the random number and a preset sub-key to obtain encrypted key information; and
storing the encrypted key information into a specified directory of the application;
wherein encrypting the key information by using the device fingerprint information, the application fingerprint information, the random number and the preset sub-key to obtain encrypted key information specifically comprises the following steps:
generating a root key according to the device fingerprint information, the application fingerprint information, the random number and a preset sub-key;
encrypting the key information by using the root key to obtain first encrypted information;
encrypting the first encrypted information, the device fingerprint information and the application fingerprint information by using the root key to obtain second encrypted information;
encrypting the second encrypted information, the device fingerprint information and the application fingerprint information by using a preset first obfuscation parameter to obtain third encrypted information;
and performing OR processing on the second encrypted information and the third encrypted information to obtain the encrypted key information.
2. The method of claim 1, prior to decrypting key information from the encrypted key information, further comprising:
determining that the integrity check of the encrypted key information passes.
3. The method of claim 1 or 2, further comprising:
and if the integrity check of the encrypted key information does not pass, randomly generating key information and encrypting the database file by using the generated key information.
4. The method of claim 3, further comprising:
acquiring device fingerprint information of the terminal and application fingerprint information of the application;
and encrypting the key information by using the device fingerprint information and the application fingerprint information to obtain encrypted key information.
5. The method of claim 1, wherein reading the encrypted key information specifically comprises:
the encrypted key information is read by internally calling the getTerminalKey() function.
6. The method of claim 2, wherein the integrity check of the encrypted key information is determined by:
splitting the encrypted key information into fourth encryption information and fifth encryption information;
decrypting the fifth encrypted information by using a preset first obfuscation parameter to obtain sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application;
encrypting the decrypted sixth encrypted information, the device fingerprint information of the terminal and the application fingerprint information of the application by using the root key to obtain seventh encrypted information;
and if the seventh encrypted information is consistent with the fourth encrypted information, determining that the integrity check of the encrypted key information passes.
7. The method of claim 1, further comprising:
decrypting key information from the encrypted key information when version update of an application is detected;
determining application fingerprint information of the updated application;
re-encrypting the key information according to the acquired device fingerprint information of the terminal, the application fingerprint information, the acquired random number and a preset sub-key to obtain new encrypted key information;
storing the new encrypted key information in a designated directory of the application.
8. The method of claim 1 or 7, wherein the random number is obtained as follows:
sending a random number acquisition request to a server of the application, wherein the request carries a terminal identifier of the terminal and an application identifier of the application, so that the server determines the random number of the application according to the corresponding relation among the terminal identifier, the application identifier and the random number;
after the random number issued by the server is successfully received, the random number is obtained;
if the random number issued by the server is determined to be unsuccessfully received, determining whether the random number is stored in the secure element SE, and if so, acquiring the random number from the SE; if not, when the random number is determined to be stored at the starting position of the database file, the random number is obtained from the starting position of the database file.
9. The method of claim 8, after obtaining the random number, further comprising:
judging whether the terminal has permission for the secure element (SE);
if yes, encrypting the received random number by using a white box and storing the encrypted random number into the SE when the fact that the random number is not stored in the SE is determined;
if not, when the starting position of the database file is determined not to store the random number, encrypting the received random number by using a white box and storing the encrypted random number to the starting position of the database file.
10. The method of claim 1 or 4, wherein the device fingerprint information of the terminal is generated according to the following method:
obtaining the International Mobile Equipment Identity (IMEI), the Bluetooth media access control address (Bluetooth MacAddress) and the version number of the operating system used by the terminal;
and generating the device fingerprint information of the terminal according to a preset second obfuscation parameter, the IMEI, the Bluetooth MacAddress and the version number of the operating system.
11. The method of claim 1 or 4, wherein the application fingerprint information of the application is generated according to the following method:
acquiring a dex file and a certificate of the application and a package name of the application;
and generating application fingerprint information of the application according to a preset third obfuscation parameter, the dex file, the certificate and the package name.
12. A method for decrypting a database file, comprising:
after receiving an operation request for a database file of an application in a terminal, acquiring encrypted key information from a specified directory of the application, wherein the encrypted key information is obtained by encrypting the key information according to device fingerprint information of the terminal and application fingerprint information of the application;
decrypting the key information from the encrypted key information;
decrypting the database file by using the key information and operating the decrypted database file;
the decrypting the key information from the encrypted key information specifically includes:
splitting the encrypted key information into first ciphertext information and second ciphertext information;
decrypting the second ciphertext information by using a preset first obfuscation parameter to obtain third ciphertext information;
decrypting the third ciphertext information by using a root key to obtain the key information;
the root key is generated according to the device fingerprint information, the application fingerprint information, the random number and a preset sub-key; the process of obtaining the encrypted key information comprises the following steps: encrypting the key information by using the root key to obtain first encrypted information; encrypting the first encrypted information, the device fingerprint information and the application fingerprint information by using the root key to obtain second encrypted information; encrypting the second encrypted information, the device fingerprint information and the application fingerprint information by using a preset first obfuscation parameter to obtain third encrypted information; and performing OR processing on the second encrypted information and the third encrypted information to obtain the encrypted key information.
13. The method of claim 12, further comprising, prior to decrypting the key information from the encrypted key information:
determining that the integrity check of the encrypted key information passes.
14. The method of claim 12, prior to obtaining the encrypted key information from the specified directory of applications, further comprising:
acquiring device fingerprint information of the terminal; and
confirming that the device fingerprint information passes verification.
15. The method of claim 14, wherein after verifying the device fingerprint information of the terminal, before obtaining the encrypted key information from the specified directory of the application, further comprising:
acquiring application fingerprint information of the application; and are
And the application fingerprint information is verified to be passed.
16. A database file encryption apparatus, comprising:
a judging unit, configured to judge, when a database file related to any application is encrypted, whether encrypted key information exists in a specified directory of the application, wherein the encrypted key information is obtained by encrypting key information according to device fingerprint information of a terminal and application fingerprint information of the application;
an encryption and decryption unit, configured to, when the judgment result of the judging unit is yes, decrypt the key information from the read encrypted key information and encrypt the database file by using the decrypted key information;
a first encryption unit, configured to randomly generate key information and encrypt the database file by using the generated key information if the judging unit judges that there is no encrypted key information in the specified directory;
an acquisition unit, configured to acquire device fingerprint information of the terminal, application fingerprint information of the application, and a random number;
a second encryption unit, configured to encrypt the key information by using the device fingerprint information, the application fingerprint information, the random number and a preset subkey to obtain encrypted key information;
a storage unit, configured to store the encrypted key information in the specified directory of the application;
wherein the second encryption unit is specifically configured to:
generate a root key according to the device fingerprint information, the application fingerprint information, a random number, and a preset subkey;
encrypt the key information by using the root key to obtain first encrypted information;
encrypt the first encrypted information, the device fingerprint information and the application fingerprint information by using the root key to obtain second encrypted information;
encrypt the second encrypted information, the device fingerprint information and the application fingerprint information by using a preset first obfuscation parameter to obtain third encrypted information; and
perform OR processing on the second encrypted information and the third encrypted information to obtain the encrypted key information.
17. A database file decryption apparatus, comprising:
an acquisition unit, configured to acquire encrypted key information from a specified directory of an application after receiving an operation request for a database file of the application in a terminal, wherein the encrypted key information is obtained by encrypting the key information according to device fingerprint information of the terminal and application fingerprint information of the application;
a first decryption unit, configured to decrypt the key information from the encrypted key information;
a second decryption unit, configured to decrypt the database file by using the key information and operate on the decrypted database file;
wherein the first decryption unit is specifically configured to:
split the encrypted key information into first ciphertext information and second ciphertext information;
decrypt the second ciphertext information by using a preset first obfuscation parameter to obtain third ciphertext information;
decrypt the third ciphertext information by using a root key to obtain the key information;
wherein the root key is generated according to the device fingerprint information, the application fingerprint information, the random number and a preset subkey;
and the process of obtaining the encrypted key information comprises:
encrypting the key information by using the root key to obtain first encrypted information;
encrypting the first encrypted information, the device fingerprint information and the application fingerprint information by using the root key to obtain second encrypted information;
encrypting the second encrypted information, the device fingerprint information and the application fingerprint information by using the preset first obfuscation parameter to obtain third encrypted information; and
performing OR processing on the second encrypted information and the third encrypted information to obtain the encrypted key information.
18. A communication device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the database file encryption method according to any one of claims 1 to 11 and/or the database file decryption method according to any one of claims 12 to 15.
19. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, carries out the steps of the database file encryption method according to any one of claims 1 to 11 and/or the steps of the database file decryption method according to any one of claims 12 to 15.
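The key wrapping and unwrapping recited in claims 12 to 17, as an added Python example that is not part of the patent text. The claims name no cipher, so a SHAKE-256 keystream with an HMAC-SHA256 tag stands in for it; the constants, carrying the random number inside the blob, and modelling the combining step as concatenation (the decryption claim splits the blob back into two parts) are all assumptions.

```python
import hashlib, hmac, os

# Constructed stand-ins for the preset subkey and the first obfuscation parameter.
SUBKEY = b"constructed-preset-subkey"
OBF_PARAM = b"constructed-obfuscation-parameter"

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _fps(dev_fp, app_fp):
    # Fixed-width (64-byte) encoding of both fingerprints.
    return hashlib.sha256(dev_fp).digest() + hashlib.sha256(app_fp).digest()

def seal(key, plaintext):
    # Stand-in cipher (assumption): SHAKE-256 keystream, then HMAC over nonce || ciphertext.
    nonce = os.urandom(16)
    stream = hashlib.shake_256(_mac(key, b"enc") + nonce).digest(len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
    return body + _mac(_mac(key, b"mac"), body)

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), body)):
        raise ValueError("wrong key or modified ciphertext")
    stream = hashlib.shake_256(_mac(key, b"enc") + body[:16]).digest(len(body) - 16)
    return bytes(a ^ b for a, b in zip(body[16:], stream))

def root_key(dev_fp, app_fp, rand):
    # Root key from device fingerprint, application fingerprint, random number and subkey.
    return _mac(SUBKEY, _fps(dev_fp, app_fp) + rand)

def wrap_key(db_key, dev_fp, app_fp):
    rand = os.urandom(16)
    rk, fps = root_key(dev_fp, app_fp, rand), _fps(dev_fp, app_fp)
    first = seal(rk, db_key)               # first encrypted information
    second = seal(rk, first + fps)         # second encrypted information
    third = seal(OBF_PARAM, second + fps)  # third encrypted information
    # Assumption: parts are concatenated behind the random number and a length prefix.
    return rand + len(second).to_bytes(2, "big") + second + third

def unwrap_key(blob, dev_fp, app_fp):
    rand, n = blob[:16], int.from_bytes(blob[16:18], "big")
    part1, part2 = blob[18:18 + n], blob[18 + n:]  # the two ciphertexts of claim 12
    inner = unseal(OBF_PARAM, part2)
    # Integrity and binding check: the inner copy must match part1 and this device/app.
    if not hmac.compare_digest(inner, part1 + _fps(dev_fp, app_fp)):
        raise ValueError("blob modified or fingerprints do not match")
    rk = root_key(dev_fp, app_fp, rand)
    return unseal(rk, unseal(rk, part1)[:-64])
```

Unwrapping with a different device or application fingerprint, or with any modified byte in the blob, raises `ValueError` instead of returning a key.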
CN201810972631.8A 2018-08-24 2018-08-24 Database file encryption method, database file decryption method and related devices Active CN110858249B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810972631.8A CN110858249B (en) 2018-08-24 2018-08-24 Database file encryption method, database file decryption method and related devices

Publications (2)

Publication Number Publication Date
CN110858249A CN110858249A (en) 2020-03-03
CN110858249B CN110858249B (en) 2021-11-16

Family

ID=69635580

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810972631.8A Active CN110858249B (en) 2018-08-24 2018-08-24 Database file encryption method, database file decryption method and related devices

Country Status (1)

Country Link
CN (1) CN110858249B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111382409A (en) * 2020-03-19 2020-07-07 支付宝(杭州)信息技术有限公司 Identity authentication method and device for protecting privacy
CN111711640B (en) * 2020-06-30 2022-09-30 郑州工业应用技术学院 Safe computer network communication system
CN112511507A (en) * 2020-11-17 2021-03-16 武汉默联股份有限公司 Data processing device and data processing method
CN112653559B (en) * 2021-01-04 2023-01-06 潍柴动力股份有限公司 Electric control unit starting method and device and storage medium
CN113407885B (en) * 2021-06-23 2024-04-12 中移(杭州)信息技术有限公司 XPath data tampering alarm method, device, equipment and readable storage medium
CN113794706B (en) * 2021-09-06 2023-08-15 北京百度网讯科技有限公司 Data processing method and device, electronic equipment and readable storage medium
CN114390012A (en) * 2021-12-15 2022-04-22 中国电子科技集团公司第三十研究所 West trust application data evidence obtaining method based on reverse analysis
CN115828289B (en) * 2023-02-16 2023-05-30 中信天津金融科技服务有限公司 Encryption method and system for digitized file
CN117009319B (en) * 2023-08-07 2024-01-26 广州青莲网络科技有限公司 Database operation method, system and storage medium based on large language model

Citations (9)

Publication number Priority date Publication date Assignee Title
CN1533646A (en) * 2002-04-15 2004-09-29 Apparatus and method for processing information apparatus and method for providing information, apparatus and method for managing usage right, recording medium and program
CN102082790A (en) * 2010-12-27 2011-06-01 北京握奇数据系统有限公司 Method and device for encryption/decryption of digital signature
CN103106372A (en) * 2013-01-17 2013-05-15 上海交通大学 Lightweight class privacy data encryption method and system for Android system
CN104636444A (en) * 2015-01-13 2015-05-20 大唐移动通信设备有限公司 Database encryption and decryption method and device
CN105989270A (en) * 2015-09-25 2016-10-05 武汉安天信息技术有限责任公司 Cloud computing-based android database security protection method and system
CN106992851A (en) * 2017-04-01 2017-07-28 北京元心科技有限公司 TrustZone-based database file password encryption and decryption method and device and terminal equipment
CN107506659A (en) * 2017-07-27 2017-12-22 西安电子科技大学 A kind of data protection system and method for the Universal Database based on SGX
CN107563215A (en) * 2016-07-01 2018-01-09 四川秘无痕信息安全技术有限责任公司 A kind of Android system wechat chat record decryption method
CN107925577A (en) * 2014-06-13 2018-04-17 百可德罗德公司 The method and computer program product for generating and managing for encryption key

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US9934388B2 (en) * 2004-06-01 2018-04-03 Ben-Gurion University Of The Negev Research And Development Authority Method and system for database encryption
US7904732B2 (en) * 2006-09-27 2011-03-08 Rocket Software, Inc. Encrypting and decrypting database records

Non-Patent Citations (2)

Title
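"SQLCipher: Attack and Defense"; FB客服; Tencent Cloud; 20180208; full text *
"The latest way to decrypt the WeChat database: decrypting WeChat database information with code!"; 编码美丽; WeChat official account "编码美丽"; 20180806; full text *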

Also Published As

Publication number Publication date
CN110858249A (en) 2020-03-03

Similar Documents

Publication Publication Date Title
CN110858249B (en) Database file encryption method, database file decryption method and related devices
CN112733107B (en) Information verification method, related device, equipment and storage medium
CN109472166B (en) Electronic signature method, device, equipment and medium
ES2836114T3 (en) Information sending method, information reception method, device and system
WO2018157858A1 (en) Information storage method, device, and computer-readable storage medium
US10917394B2 (en) Data operations using a proxy encryption key
CN107786504B (en) ELF file release method, ELF file verification method, server and terminal
WO2017041599A1 (en) Service processing method and electronic device
CN106790156B (en) Intelligent device binding method and device
CN107786331B (en) Data processing method, device, system and computer readable storage medium
CN113346998B (en) Key updating and file sharing method, device, equipment and computer storage medium
KR101729960B1 (en) Method and Apparatus for authenticating and managing an application using trusted platform module
CN103095457A (en) Login and verification method for application program
CN108011879B (en) File encryption and decryption method, device, equipment and storage medium
CN107196907B (en) A kind of guard method of Android SO files and device
CN102177678A (en) Trusted and confidential remote TPM initialization
WO2013000144A1 (en) Method for providing application service, wireless application protocol gateway and system
CN111200593A (en) Application login method and device and electronic equipment
US20110154436A1 (en) Provider Management Methods and Systems for a Portable Device Running Android Platform
CN115001841A (en) Identity authentication method, identity authentication device and storage medium
CN112182635B (en) Method, device, equipment and medium for realizing joint modeling
CN102622251A (en) Method and server for managing navigation software upgrading
CN109446751A (en) Generate the method, apparatus and storage medium of the data set including multiple subfiles
CN109246062A (en) A kind of authentication method and system based on browser plug-in
CN112115430A (en) Apk reinforcement method, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant