CN110912683B - Password storage method and device and password verification method and device - Google Patents

Info

Publication number: CN110912683B
Authority: CN (China)
Prior art keywords: password, salt, data, processing, encrypted
Legal status: Active
Application number: CN201811089138.8A
Other languages: Chinese (zh)
Other versions: CN110912683A (en)
Inventor: 李朝中
Current assignee: Alibaba Group Holding Ltd
Original assignee: Alibaba Group Holding Ltd

Classifications

    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
                        • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • G: PHYSICS
        • G06: COMPUTING; CALCULATING OR COUNTING
            • G06F: ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60: Protecting data
                        • G06F21/602: Providing cryptographic facilities or services


Abstract

The invention discloses a password storage method and device and a password verification method and device. The password storage method comprises the following steps: acquiring a password and the salt to be added to the password; processing the password to obtain processed data; encrypting the salt using the processed data to obtain an encrypted salt; encrypting the processed data using the salt to obtain a password stub of the password; and storing the encrypted salt and the password stub. The invention solves the technical problems of low reliability and high risk in password processing in the related art.

Description

Password storage method and device and password verification method and device
Technical Field
The invention relates to the technical field of computer information security, in particular to a password storage method and device and a password verification method and device.
Background
The computer is a modern electronic computing machine used for high-speed computation. It can perform numerical and logical computation, has a memory function, operates according to a program and automatically processes large volumes of data at high speed. It has spread throughout schools, enterprises and public institutions, has entered countless households, and has become an essential tool of the information society. However, while computers are indispensable for daily life, study and work, computer information security is an issue that users must also consider, and information security problems are becoming increasingly prominent. For example, information systems today are exposed to "dragging the library" (the bulk export of a database by an attacker), and how to minimize the loss when this occurs is an important question. In addition, user passwords are the most important data in a database, so their storage is critical; however, in the related art there are serious gaps in the security of password processing, which puts user information at risk of leakage.
No effective solution has yet been proposed for the problems of low reliability and high risk in password processing in the related art.
Disclosure of Invention
The embodiment of the invention provides a password storage method and device and a password verification method and device, which at least solve the technical problems of low password processing reliability and high risk in the related technology.
According to an aspect of an embodiment of the present invention, there is provided a password storage method, including: acquiring a password and the salt to be added to the password; processing the password to obtain processed data; encrypting the salt using the processed data to obtain an encrypted salt; encrypting the processed data using the salt to obtain a password stub of the password; and storing the encrypted salt and the password stub.
According to another aspect of the embodiments of the present invention, there is also provided a password verification method, including: receiving a password to be verified; processing the password to be verified to obtain data to be verified; decrypting the encrypted salt using the data to be verified to obtain a verification salt, where the encrypted salt was obtained by encrypting the correct salt using processed data, and the processed data was obtained by processing the correct password; decrypting the password stub using the verification salt to obtain a decryption result, where the password stub was obtained by encrypting the processed data using the correct salt; and determining that the password to be verified passes verification when the decryption result is consistent with the processed data.
According to another aspect of the embodiments of the present invention, there is also provided a closed password storage method, including: acquiring a closed password storage instruction from a client; acquiring data to be stored, wherein the data to be stored comprises a password and salt to be added into the password; encrypting the salt by adopting the processing data corresponding to the password to obtain encrypted salt; encrypting the processing data by adopting the salt to obtain a password stub of the password; storing the encrypted salt and the cryptographic stub; and feeding back the completion state of the closed password storage to the client.
According to another aspect of the embodiments of the present invention, there is also provided a password storage apparatus, including: a first acquisition module for acquiring the password and the salt to be added to the password; a first processing module for processing the password to obtain processed data; a first encryption module for encrypting the salt using the processed data to obtain an encrypted salt; a second encryption module for encrypting the processed data using the salt to obtain a password stub of the password; and a first storage module for storing the encrypted salt and the password stub.
According to another aspect of the embodiments of the present invention, there is also provided a password verification apparatus, including: a receiving module for receiving the password to be verified; a second processing module for processing the password to be verified to obtain data to be verified; a first decryption module for decrypting the encrypted salt using the data to be verified to obtain a verification salt, where the encrypted salt was obtained by encrypting the correct salt using processed data, and the processed data was obtained by processing the correct password; a second decryption module for decrypting the password stub using the verification salt to obtain a decryption result, where the password stub was obtained by encrypting the processed data using the correct salt; and a verification module for determining that the password to be verified passes verification when the decryption result is consistent with the processed data.
According to another aspect of the embodiments of the present invention, there is provided a closed password storage apparatus, including: a third acquisition module for acquiring a closed password storage instruction from the client, the third acquisition module being further configured to acquire the data to be stored, where the data to be stored includes a password and the salt to be added to the password; a third encryption module for encrypting the salt using the processed data corresponding to the password to obtain an encrypted salt; a fourth encryption module for encrypting the processed data using the salt to obtain a password stub of the password; a fourth storage module for storing the encrypted salt and the password stub; and a feedback module for feeding back the completion state of the closed password storage to the client.
According to another aspect of the embodiments of the present invention, there is also provided a storage medium, the storage medium including a stored program, wherein when the program runs, the apparatus on which the storage medium is located is controlled to perform at least one of the following methods: the password storage method of any one of the above, the password authentication method of any one of the above, and the closed password storage method of the above.
According to another aspect of the embodiments of the present invention, there is also provided a processor for executing a program, where the program executes to perform at least one of the following methods: the password storage method of any one of the above, the password authentication method of any one of the above, and the closed password storage method of the above.
According to another aspect of the embodiments of the present invention, there is also provided a computing device, including: a memory storing a computer program and a processor executing the computer program stored in the memory, wherein the computer program when executed performs at least one of the following methods: the password storage method of any one of the above, the password authentication method of any one of the above, and the closed password storage method of the above.
In the embodiment of the invention, the salt to be added to the password is obtained together with the password. After the password is processed to obtain processed data, the processed data is used to encrypt the salt to obtain an encrypted salt; in turn, the salt is used to encrypt the processed data to obtain a password stub of the password. Only the encrypted salt and the password stub are stored, so neither the salt, nor the password hash, nor the password itself is kept in plaintext, which makes the password safer.
In addition, in the embodiment of the invention, different encryption algorithms and key lengths can be selected to balance the security intensity level and the performance required by the user.
With the password storage method provided by the embodiment of the invention, the password and the salt to be added to the password are obtained; the password is processed to obtain processed data; the salt is encrypted using the processed data to obtain an encrypted salt; the processed data is encrypted using the salt to obtain a password stub of the password; and the encrypted salt and the password stub are stored.
Notably, in the embodiment of the present invention, once the password and its salt are obtained, the salt is encrypted using the processed data derived from the password to obtain the encrypted salt. In other words, the salt to be added to the password is not stored in clear text but in encrypted form, which improves the security of the password.
Therefore, the password storage method provided by the embodiment of the invention encrypts the salt to be added to the password to obtain an encrypted salt, and encrypts the processed data of the password using the salt to obtain the password stub. This achieves the technical effect of improving password security and thereby solves the technical problems of low reliability and high risk in password processing in the related art.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a block diagram of a hardware configuration of a computer terminal for implementing a password storage method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a password storage method according to a first embodiment of the present invention;
FIG. 3 is a flowchart of an alternative password storage method according to an embodiment of the present invention;
FIG. 4 is a flowchart of an alternative password storage method according to one embodiment of the present invention;
FIG. 5 is a flowchart of a password authentication method according to an embodiment of the present invention;
FIG. 6 is a flowchart of a password authentication method according to a first embodiment of the invention;
FIG. 7 is a flowchart of a closed password storage method according to an embodiment of the present invention;
FIG. 8 is a diagram of a password storage apparatus according to a second embodiment of the present invention;
FIG. 9 is a diagram of a password authentication device according to a second embodiment of the invention;
FIG. 10 is a diagram of a closed password storage apparatus according to a second embodiment of the present invention; and
FIG. 11 is a block diagram of a computer terminal according to a third embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms appearing in the description of the embodiments of the present invention are explained as follows:
Dragging the library: a term used in the field of databases that refers to exporting data out of a database (in the security context, the bulk dump of a database by an attacker). It can be addressed through database security protection technology, which mainly includes database vulnerability scanning systems, database encryption systems, database firewall systems, data desensitization (masking) systems and database security audit systems.
Message Digest Algorithm 5 (MD5): a widely used cryptographic hash function that produces a 128-bit hash value, used to check the integrity of transmitted information.
Secure Hash Algorithm (SHA): a family of cryptographic hash functions standardized under FIPS that compute a fixed-length string corresponding to a digital message.
Symmetric encryption algorithm: the data sender processes the plaintext (original data) together with an encryption key through a specific encryption algorithm, turning it into a complex ciphertext that is then sent out. After receiving the ciphertext, a recipient who wants to read the original text must decrypt it with the same key that was used for encryption and the inverse of the same algorithm, recovering the ciphertext into readable plaintext.
Advanced Encryption Standard (AES): a block encryption standard.
Data Encryption Standard (DES): a block algorithm that encrypts using a key.
Stream cipher algorithm (Rivest Cipher, abbreviated RC): a stream encryption algorithm with a variable key length; encryption and decryption use the same key, so it also belongs to the symmetric encryption algorithms.
Secret key: secret information used to perform cryptographic operations such as encryption, decryption and integrity verification. In symmetric cryptography the same key is used for encryption and decryption, so the key must be kept secret.
Example 1
In accordance with an embodiment of the present invention, a method embodiment of a password storage method is provided. It should be noted that the steps illustrated in the flowchart of the figure may be performed in a computer system as a set of computer-executable instructions, and that, although a logical order is shown in the flowchart, in some cases the steps illustrated or described may be performed in an order different from the one given here.
The method embodiment provided by embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. FIG. 1 shows a hardware block diagram of a computer terminal (or mobile device) for implementing the password storage method. As shown in FIG. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, … …, 102n in the figure; the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data. In addition, it may also include: a transmission module 106, a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power source, and/or a camera. Those skilled in the art will understand that the structure shown in FIG. 1 is only an illustration and does not limit the structure of the electronic device. For example, the computer terminal 10 may include more or fewer components than shown in FIG. 1, or have a different configuration from that shown in FIG. 1.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the password storage method in the embodiment of the present application, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implementing the password storage method described above. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module is used for receiving or sending data through a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission module includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission module may be a Radio Frequency (RF) module for communicating with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
It should be noted here that, in some embodiments, the computer terminal shown in fig. 1 may be a mobile device, and the mobile device may have a touch display (also referred to as a "touch screen" or a "touch display screen"). In some embodiments, the computer device (or mobile device) shown in fig. 1 above has a Graphical User Interface (GUI) with which a user can interact by making finger contacts and/or gesture contacts on the touch screen surface, where the human interaction function optionally includes the following interactions: executable instructions for creating web pages, drawing, word processing, making electronic documents, games, video conferencing, instant messaging, emailing, call interfacing, playing digital video, playing digital music, and/or web browsing, etc., for performing the above-described human-computer interaction functions, are configured/stored in one or more processor-executable computer program products or readable storage media.
In order to ensure the integrity, safety and confidentiality of information data and information systems, salting the password is a commonly used method in the related art. However, the salt added to the password is stored in plaintext, and so is the salted result, which still carries a risk of leakage.
In cryptography, a salt is a specific string inserted at an arbitrary but fixed position in the content to be hashed (for example, a password) before hashing. Adding such a string before hashing is called salting. Its effect is to make the salted hash result differ from the unsalted result, which can provide additional security in various application scenarios.
In order to solve the technical problem, in a first embodiment of the present invention, a password storage method and a password authentication method are provided, and the password storage method and the password authentication method provided in the first embodiment are described in detail below.
In the above operating environment, when a password is acquired and needs to be stored, the method generally adopted in the related art is the salting method described above. Although salting increases the security of the password to a certain extent, and salt can be added more than once to improve security further, whether the salt is added once or repeatedly, the final salted result still has to be stored in plaintext, and plaintext storage always carries a great risk. The salted storage method adopted for passwords in the related art therefore has a great risk of leakage.
As an optional embodiment, the password storage method provided in the embodiment of the present invention is a closed password storage manner, that is, salt is used for encryption processing of the password, and the password is used for encryption processing of the salt, so that neither the password nor the salt is stored in a plaintext manner, thereby effectively reducing the risk of leakage.
The present invention provides a password storage method as shown in fig. 2. Fig. 2 is a flowchart of a password storage method according to a first embodiment of the present invention, and as shown in fig. 2, the password storage method includes the following steps:
step S202, the password and the salt to be added into the password are obtained.
Optionally, in this embodiment of the present invention, salt is used in its cryptographic meaning: a specific character string is inserted at an arbitrary fixed position of the content to be hashed before hashing, so that the hash result after salting differs from the hash result without salting.
In the embodiment of the invention, the hash content can be a password, namely, a specific character string is inserted into any fixed position of the password, so that the unsalted password is different from the salted password, thereby increasing the security of the password.
In this step S202, the user can set the password P while initializing salt1 to be added to the password.
Step S204, processing the password to obtain processed data.
In step S204, processing the password to obtain the processed data may include: hashing the password to obtain first hash data, which is used as the processed data.
As an alternative embodiment, processing the password to obtain the processed data may include: acquiring another salt, and hashing the password together with the other salt to obtain second hash data, which is used as the processed data.
Here hash refers to a hash function: an input of arbitrary length is transformed by a hash algorithm into an output of fixed length, the hash value. The transformation is a compression mapping, since the space of hash values is usually much smaller than the space of inputs, and different inputs may hash to the same output, so a unique input cannot be determined from a hash value.
Step S206, encrypting the salt using the processed data to obtain the encrypted salt.
In step S206, the salt to be added to the password that was acquired in step S202 must be encrypted. By contrast, in the related art the salt is stored in plaintext, so even though the salt is used to process the password, the risk of leakage remains.
As an alternative embodiment, the salt is encrypted in this embodiment using the processed data obtained from the password in step S204 as the key, which yields the encrypted salt. Of course, the method for encrypting the salt in the embodiment of the present invention includes, but is not limited to, the method described in step S206, and may also use other encryption algorithms that improve the security of the password.
It should be noted that the above encryption algorithm may include, but is not limited to, the following: the encryption method comprises a DES encryption algorithm, an AES encryption algorithm, an RSA encryption algorithm, a BASE64 encryption algorithm, an MD5 encryption algorithm and the like, wherein the specific selection mode of the encryption algorithm can be reasonably selected according to the security requirements of users.
The DES encryption algorithm is a block cipher that encrypts data in 64-bit blocks with a 56-bit key. The same algorithm is used for encryption and decryption, the key is kept secret, and the algorithm (both encryption and decryption) is public, so only a user who holds the same key as the sender can decipher ciphertext encrypted with DES.
Optionally, the AES encryption algorithm is the Advanced Encryption Standard of cryptography, a symmetric block cipher.
The RSA encryption algorithm described above is currently the most influential public key encryption algorithm, an algorithm that can be used for both encryption and digital signature, and which is resistant to all cryptographic attacks known so far.
In addition, the BASE64 encryption algorithm is one of the most common encoding methods for transmitting 8-bit byte codes on a network, and can be used for transmitting long identification information in the HTTP environment.
The MD5 encryption algorithm is a hash function widely used in the field of computer security to provide protection for message integrity, and is widely used for cryptographic authentication and key identification of various software, and is typically used to generate a message digest on a piece of information to prevent tampering.
Step S208, encrypting the processed data using the salt to obtain a password stub of the password.
In order to obtain the information for verifying the password, a password stub of the password may be obtained in step S208, and optionally, the processed data may be encrypted using salt to obtain the password stub.
Step S210, storing the encrypted salt and the password stub.
In this embodiment, the password and the salt to be added to the password may be obtained; the password is processed to obtain processed data; the salt is encrypted with the processing data to obtain encrypted salt; the processed data is encrypted with the salt to obtain a password stub of the password; and the encrypted salt and the password stub are stored. Compared with the related art, where the salt used to strengthen the password is stored in plaintext and the password therefore remains at risk of leakage, the password storage method provided by the embodiment of the invention stores the salt to be added to the password as ciphertext, which improves the security of the password and thus solves the technical problems of low reliability and high risk in password processing in the related art.
As an optional embodiment, the password storage method provided in the embodiment of the present invention may be applied to various account password management systems, and is used to implement secure storage of a password. For example, for an e-commerce platform, there are a large number of users, and the large number of users all need corresponding accounts and passwords to register, log in or use. These accounts and passwords need to have a high level of security because they are important credentials for registering information, associating records. The following describes an embodiment of the present invention by taking an e-commerce platform as an example.
It should be noted that, the e-commerce platform includes a seller user and a buyer user, the seller user has a corresponding seller user account and password, and the buyer user has a corresponding buyer user account and password, both of which are used to perform different operations on the e-commerce platform.
Based on the above-mentioned complete password storage method, the following takes the buyer password corresponding to the buyer user in the e-commerce platform as an example.
Step S200A, receiving a registration request of a buyer user through a user registration interface, where the registration request is used to request identity registration as a buyer on the e-commerce platform; during registration, the account the buyer user requests to register and the buyer password that the buyer user enters for that account need to be received.
Step S202A, after the server of the e-commerce platform obtains the buyer password entered by the buyer user, the salt to be added to the buyer password is determined. It should be noted that the salt to be added to the buyer password may be a salt sequence added to the buyer password sequence, or a salt character added to the buyer password sequence.
As an optional embodiment, after the buyer password and the salt to be added to the buyer password are obtained, the buyer password may be directly stored according to the buyer password or the salt, and for increasing security, after certain preprocessing is performed on the buyer password, the buyer password may be stored according to the preprocessed data and the salt. In this embodiment, the buyer password is preferably stored after performing some pre-processing on the buyer password.
In step S204A, the buyer password is processed to obtain processed data.
As an alternative embodiment, when performing data processing on the buyer password, the data processing method may be multiple, for example, certain scrambling processing may be performed, predetermined hash processing may also be performed, and the data processing method may be flexibly selected according to the characteristics of the buyer password.
Step S206A, encrypting the salt with the processing data to obtain encrypted salt.
As an alternative embodiment, when the salt is encrypted using the processing data, any of several encryption algorithms may be used, for example a symmetric encryption algorithm or an asymmetric encryption algorithm.
Step S208A, the processed data is encrypted by using salt to obtain the password stub of the buyer password.
As an optional embodiment, when the salt is used to encrypt the processing data, a plurality of encryption algorithms may be correspondingly used to encrypt the processing data, for example, a symmetric encryption algorithm may be used to encrypt the processing data, an asymmetric encryption algorithm may be used to encrypt the processing data, and the like.
Step S210A, storing the encrypted salt and the password stub.
As an alternative embodiment, when the obtained encrypted salt and the password stub are stored, the storage mode may be selected first, for example, the two may be stored jointly or separately. Both may be stored in one database or may be stored in different databases.
In the embodiment, the buyer password is stored, and the salt is encrypted by the buyer password, so that no plaintext storage mode exists when the buyer password is stored, the risk of leakage is avoided, and the technical effect of improving the security of the buyer password is achieved.
In an alternative embodiment, the data processing performed on the password in step S204 to obtain the processing data may be done in multiple ways; for example, the following two alternatives are listed in the embodiment of the present invention and are described in detail below. Of course, the method of processing the password to obtain the processed data in step S204 is not limited to these two methods.
In one aspect, the data processing of the password in step S204 to obtain the processed data may include: performing hash processing on the password to obtain first hash data serving as the processing data.
In another aspect, the data processing of the password in step S204 to obtain the processing data may include: acquiring another salt, and performing hash processing on the password and the other salt to obtain second hash data serving as the processing data.
In an optional implementation, the password storage method may further include: performing hash processing on the password to obtain first hash data; encrypting the other salt with the first hash data to obtain another encrypted salt; and storing the other encrypted salt.
It should be noted that storing the encrypted salt and the password stub in step S210 may include: storing the encrypted salt, the other encrypted salt and the password stub in a separate storage manner, where the separate storage manner may be logically separate storage or physically separate storage.
A first embodiment of the present invention, in which the encrypted salt, the other encrypted salt and the password stub are stored separately, is described in detail below. Fig. 3 is a flowchart of an alternative password storage method according to the first embodiment of the present invention; as shown in fig. 3, the password storage method may include the following steps:
determining a separate storage mode according to the security level of the password; under the condition that the security level of the password is higher than a preset level, storing the encryption salt, the other encryption salt and the password stub in a physical separated storage mode; and in the case that the security level of the password is not higher than the preset level, storing the encryption salt, the other encryption salt and the password stub in a logic separated storage mode.
Step S301, determining the adopted separate storage mode according to the security level of the password.
Step S302, when the security level of the password is higher than a preset level, storing the encrypted salt, the other encrypted salt and the password stub in a physically separated storage mode.
Step S303, when the security level of the password is not higher than the preset level, storing the encrypted salt, the other encrypted salt and the password stub in a logically separated storage mode.
In this embodiment, storing the encrypted salt, the other encrypted salt and the password stub separately may include: determining the separate storage mode according to the security level of the password; when the security level of the password is higher than a preset level, storing the encrypted salt, the other encrypted salt and the password stub in a physically separated storage mode; and when the security level of the password is not higher than the preset level, storing them in a logically separated storage mode. In this optional embodiment, a security level can be set for the password; physically separated storage is used when the security level is higher than the preset level and logically separated storage otherwise, which increases the flexibility of storing the encrypted salt, the other encrypted salt and the password stub and also increases the security of the password.
The following describes the password storage method in the first embodiment in detail with reference to the accompanying drawings.
Fig. 4 is a flowchart of another alternative password storage method according to a first embodiment of the present invention, and as shown in fig. 4, the password storage method may include the following steps:
Step S401, the user sets a password P.
Step S402, the salts salt1 and salt2 are initialized. Steps S401 and S402 correspond to step S202 in fig. 2, in which the password and the salt to be added to the password are acquired.
Optionally, a random sequence 1 of random length, rand_text1, is generated fresh each time, and at the same time a random sequence 2 of random length, rand_text2, is generated.
Here salt1 is rand_text1 or hash(rand_text1), and salt2 is rand_text2 or hash(rand_text2).
Step S403, the ciphertext S1 of salt1 is generated with the key hash(P). This corresponds to step S204, in which the password is subjected to data processing to obtain processed data, and to step S206, in which the salt is encrypted with the processing data to obtain the encrypted salt.
Optionally, the ciphertext S1 of salt1, i.e. the encrypted salt1, may be generated by a first formula: S1 = E(hash(P), salt1). Here hash(x) denotes a hash algorithm, for example MD5, SHA1, SHA256, a slow hash, or the like; in the embodiment of the invention, x is the password P. E(k, x) denotes a symmetric encryption algorithm, where k is the key, which in the embodiment of the present invention is hash(P), and x is the data to be encrypted, that is, the salt (salt1 or salt2). Specifically, the symmetric encryption algorithm may include, but is not limited to, the AES encryption algorithm, the DES encryption algorithm, the RC4 encryption algorithm, and so on.
Step S404, the ciphertext S2 of salt2 is generated with the key hash(P). This corresponds to step S204 in fig. 2, in which the password is subjected to data processing to obtain processed data, and to step S206, in which the salt is encrypted with the processing data to obtain the encrypted salt.
Optionally, the ciphertext S2 of salt2, i.e. the encrypted salt2, may be generated by a second formula: S2 = E(hash(P + salt1), salt2). Here hash(x) denotes a hash algorithm, for example MD5, SHA1, SHA256, a slow hash, or the like; in the embodiment of the invention, x is the password P. E(k, x) denotes a symmetric encryption algorithm, where k is the key, which in the embodiment of the present invention is hash(P), and x is the data to be encrypted, that is, the salt (salt1 or salt2). Specifically, the symmetric encryption algorithm may include, but is not limited to, the AES encryption algorithm, the DES encryption algorithm, the RC4 encryption algorithm, and so on.
Step S405, the password stub SP of the password is generated with the key salt2. This corresponds to step S208 in fig. 2, in which the processed data is encrypted with the salt to obtain the password stub of the password.
Optionally, the password stub SP may be generated by a third formula: SP = E(salt2, hash(P + salt1)).
Step S406, the obtained S1, S2 and SP are stored separately or in any combination. This corresponds to step S210 in fig. 2, in which the encrypted salt and the password stub are stored.
Alternatively, logical or physical separation may be selected according to the security level.
In an alternative embodiment, fig. 5 is a flowchart of a password authentication method according to an embodiment of the present invention, and as shown in fig. 5, the method includes:
in step S501, a password to be authenticated is received.
Step S503, data processing is carried out on the password to be verified to obtain data to be verified.
Step S505, decrypting the encrypted salt with the data to be verified to obtain the verification salt, where the encrypted salt is obtained by encrypting the correct salt with the processing data, and the processing data is obtained by processing the correct password.
Step S507, decrypting the password stub with the verification salt to obtain a decryption result, where the password stub is obtained by encrypting the processing data with the correct salt.
In step S509, it is determined that the password to be authenticated passes authentication when the decryption result is consistent with the processed data.
In this embodiment, after receiving the password to be authenticated, performing data processing on the password to be authenticated to obtain data to be authenticated; decrypting the encrypted salt by adopting the data to be verified to obtain verified salt, wherein the encrypted salt is obtained by encrypting the correct salt by adopting the processing data, and the processing data is obtained by processing the correct password; decrypting the password stub by adopting verification salt to obtain a decryption result, wherein the password stub is obtained by encrypting the processing data by adopting correct salt; and determining that the password to be verified passes the verification under the condition that the decryption result is consistent with the processed data. Compared with the defect that the password still has a risk of leakage caused by plaintext storage of salt for improving the password in the related technology, the password verification method provided by the embodiment of the invention can realize the purpose of ciphertext storage of salt to be added into the password, achieves the technical effect of improving the security of the password, and further solves the technical problems of low reliability in password processing and high risk in the related technology.
As an alternative embodiment, when the above-mentioned exemplary buyer password is stored by using the above-mentioned password storage method, an embodiment of corresponding buyer password authentication is correspondingly provided, which is described in detail below.
In step S501A, the server of the e-commerce platform receives the password of the buyer to be verified.
As an alternative embodiment, when a buyer user wants to purchase on the e-commerce platform, the buyer user needs to log in with an account and password before placing an order, so that the account and password can be securely verified. The server of the e-commerce platform receives the account entered by the buyer user and the buyer password to be verified for subsequent verification.
Step S503A, performing data processing on the buyer password to be verified to obtain the data to be verified. It should be noted that, before the buyer password to be verified is checked, it is preferable to keep the verification process from becoming more complex, so the buyer password to be verified may first be preprocessed so that the data to be verified is obtained directly.
Step S505A, decrypting the encrypted salt with the data to be verified to obtain the verification salt, where the encrypted salt is obtained by encrypting the correct salt with the processing data, and the processing data is obtained by processing the correct buyer password.
As an optional embodiment, when the encrypted salt is decrypted with the data to be verified, the decryption algorithm corresponding to the encryption algorithm used in the password storage method above is used, for example a symmetric decryption algorithm or an asymmetric decryption algorithm.
Step S507A, decrypting the password stub with the verification salt to obtain a decryption result, where the password stub is obtained by encrypting the processing data with the correct salt.
As an optional embodiment, when the verification salt is used to decrypt the password stub, a decryption algorithm corresponding to the encryption algorithm used in the password storage method may be used to decrypt the password stub, for example, a symmetric decryption algorithm may be used to decrypt the password stub, or an asymmetric decryption algorithm may be used to decrypt the password stub.
In step S509A, in the case that the decryption result is consistent with the processed data, it is determined that the password of the buyer to be authenticated is authenticated.
According to the embodiment, the buyer password to be verified is verified, and the decryption method corresponding to encryption is adopted, namely the password to be verified is adopted to decrypt the encrypted salt, and the verification salt is also adopted to decrypt the password stub, so that no plaintext exists when the buyer password is verified, the risk of leakage is avoided, and the technical effect of improving the security of the buyer password is achieved.
As an alternative embodiment, in step S503, the processing the password to be authenticated to obtain the data to be authenticated may include: and carrying out hash processing on the password to be verified to obtain third hash data serving as the data to be verified.
As another optional embodiment, in step S503, the processing the password to be authenticated to obtain the data to be authenticated includes: and acquiring another salt, and performing hash processing on the password to be verified and the another salt to obtain fourth hash data serving as data to be verified, wherein the another salt is the salt which is combined with the correct password to perform data processing to obtain processed data.
A password authentication method according to an embodiment of the present invention is described in detail below with reference to the accompanying drawings.
Fig. 6 is a flowchart of a password authentication method according to a first embodiment of the present invention, and as shown in fig. 6, the password authentication method may include the following steps:
Step S601, the user sends a user name and the password P or hash(P).
Step S602, the server decrypts S1 with the password hash hash(P) to obtain salt1.
Optionally, S1 may be decrypted by a fourth formula: salt1 = D(hash(P), S1).
Step S603, the server decrypts S2 with the password hash hash(P) to obtain salt2.
Optionally, S2 may be decrypted by a fifth formula: salt2 = D(hash(P), S2).
Step S604, after the server decrypts SP with salt2, the result is compared with hash(P + salt1); if the result is consistent with hash(P + salt1), step S605 is executed; otherwise, step S606 is executed.
Step S605, the password passes verification.
Step S606, the password verification fails.
In an alternative embodiment, fig. 7 is a flowchart of a closed password storage method according to a first embodiment of the present invention, and as shown in fig. 7, the closed password storage method includes:
step S702, a closed password storage instruction is acquired from the client.
The closed password storage instruction instructs the password to be stored in a closed mode, that is, it instructs bidirectional encryption once the data to be stored (the password and the salt to be added to the password) is received. Specifically, after the password and the salt to be added to the password are obtained, the password is subjected to data processing to obtain processing data, the salt is encrypted with the processing data to obtain encrypted salt, and the processing data is encrypted with the salt to obtain the password stub of the password. The data processing method may vary, for example a certain scrambling process or a predetermined hash process, and may be selected flexibly according to the characteristics of the buyer password. Plaintext storage of the salt is thus avoided: an encrypted ciphertext ring is constructed by this circular encryption, which both eliminates the plaintext storage of the key and still allows the password to be verified.
Step S704, obtaining data to be stored, where the data to be stored includes a password and salt to be added to the password.
Optionally, in this embodiment of the present invention, salt has its meaning in cryptography: a specific character string is inserted at some fixed position in the content to be hashed before hashing, so that the hash result with salt differs from the hash result without salt.
In the embodiment of the present invention, the hashed content may be the password, that is, a specific character string is inserted at a fixed position in the password, so that the unsalted password differs from the salted password, thereby increasing the security of the password.
Step S706, encrypting the salt with the processing data corresponding to the password to obtain the encrypted salt.
The processing data may be obtained according to the method in step S204, and is not described herein again. In addition, the salt is encrypted to obtain the encrypted salt in the same manner as that in step S206, and the details are not repeated here.
Step S708, encrypting the processed data by using salt to obtain a password stub of the password.
Step S710, storing the encrypted salt and the password stub.
Step S712, the completion status of the closed password storage is fed back to the client.
In this embodiment, the closed password storage instruction may be obtained from the client; at the same time the data to be stored, which includes a password and salt to be added to the password, is obtained; then the salt is encrypted with the processing data corresponding to the password to obtain the encrypted salt; the processed data is encrypted with the salt to obtain the password stub of the password; the encrypted salt and the password stub are stored; and the completion state of the closed password storage is fed back to the client. Compared with the related art, where the salt used to strengthen the password is stored in plaintext and the password therefore remains at risk of leakage, the closed password storage method provided by the embodiment of the invention stores the salt to be added to the password as ciphertext, which improves the security of the password and thus solves the technical problems of low reliability and high risk in password processing in the related art.
As an alternative embodiment, the encryption of salt1 may be omitted. This alternative embodiment is described in detail below in two parts:
1. The password storage method comprises the following steps:
a. Generate the ciphertext S2 of salt2 with the key hash(P); specifically, S2 = E(hash(P), salt2).
b. Generate the user password stub SP with the key salt2; specifically, SP = E(salt2, hash(P)).
c. Store the resulting S2 and SP separately or in any combination. Alternatively, logical or physical separation may be selected according to the security level.
2. The password verification method comprises the following steps:
a. The user sends a user name and the password P or hash(P).
b. The server decrypts S1 with the password hash hash(P) to obtain salt1.
c. The server decrypts S2 with the password hash hash(P) to obtain salt2.
d. After the server decrypts SP with salt2, the result is compared with the password hash hash(P); if they are consistent, the verification passes.
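The ciphertext ring of steps S401-S406 and S601-S606 (fig. 4 and fig. 6), and the salt1-free variant just listed, as a worked example; this is added code, not the patent's or Alibaba's implementation. It assumes SHA-256 for hash(x) and AES-256-GCM for E/D (the patent names neither), takes salt2 = hash(rand_text2) so that salt2 is key-sized, and, because decryption must use the same key as encryption, keys S2 with hash(P + salt1) on both sides as the second formula gives; with withSalt1 == false it becomes the simplified variant, where hash(P) is the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Record is the stored triple: S1 (encrypted salt1, empty in the simplified variant), S2 (encrypted salt2), SP (password stub).
type Record struct {
	S1, S2, SP []byte
}

// hash is the patent's hash(x): SHA-256 here (one of the listed options; a deployment would pick the listed slow hash), whose 32-byte output also serves as an AES-256 key.
func hash(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// mustRandom draws n bytes from the OS CSPRNG; failure there is unrecoverable.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM, the stand-in for the unspecified symmetric E/D (an assumption).
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt is E(k, x) with a fresh nonce prepended; every key passed here is a 32-byte hash output, so setup cannot fail.
func encrypt(key, plaintext []byte) []byte {
	aead, err := gcm(key)
	if err != nil {
		panic(err)
	}
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// decrypt is D(k, x). GCM's tag rejects a wrong key here; an unauthenticated mode would leave that to the final comparison in Verify.
func decrypt(key, data []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil || len(data) < aead.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// Store implements steps S401-S406. With withSalt1 == false it is the simplified variant without S1, in which hash(P) replaces hash(P + salt1) as the key for S2 and as the content of SP.
func Store(password []byte, withSalt1 bool) Record {
	rec, key := Record{}, hash(password) // key = hash(P)
	if withSalt1 {
		salt1 := mustRandom(16)      // rand_text1 (fixed length here)
		rec.S1 = encrypt(key, salt1) // S1 = E(hash(P), salt1)
		key = hash(password, salt1)  // hash(P + salt1)
	}
	salt2 := hash(mustRandom(16)) // salt2 = hash(rand_text2), so it is key-sized
	rec.S2 = encrypt(key, salt2)  // S2 = E(hash(P + salt1), salt2)
	rec.SP = encrypt(salt2, key)  // SP = E(salt2, hash(P + salt1))
	return rec
}

// Verify implements steps S601-S606: recover salt1 (if stored) and salt2 from the candidate password, decrypt SP and compare it with the recomputed hash. Every failure path returns false without saying which step failed.
func Verify(rec Record, password []byte) bool {
	key := hash(password) // hash(P)
	if len(rec.S1) > 0 {
		salt1, err := decrypt(key, rec.S1) // salt1 = D(hash(P), S1)
		if err != nil {
			return false
		}
		key = hash(password, salt1) // hash(P + salt1)
	}
	salt2, err := decrypt(key, rec.S2) // salt2 = D(key, S2)
	if err != nil {
		return false
	}
	got, err := decrypt(salt2, rec.SP) // D(salt2, SP)
	return err == nil && subtle.ConstantTimeCompare(got, key) == 1
}

func main() {
	pw := []byte("correct horse battery") // constructed sample password
	println(Verify(Store(pw, true), pw), Verify(Store(pw, true), []byte("wrong")))
}
```

Because the stored values are ciphertexts under keys derived from the password, a dumped Record on its own yields neither the salts nor the password hash; a wrong guess already fails at the first decryption.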
The password storage method and the password verification method provided by the embodiment of the invention can achieve the following beneficial effects:
1. Plaintext storage of the salt, of the user password hash, and of the hash of the user password plus salt is eliminated.
2. If the database is dumped, decrypting S1, S2 and SP still requires knowing the password or the hash of the password, so the attacker is back to the original problem.
3. If an attacker tries to recover the user's password from SP using S1 and S2, each guess requires three decryptions and two hash operations, which is a large increase in work over the previous approach.
4. The choice of encryption algorithm and key length allows a balance to be struck between the security strength the user requires and performance.
In the first embodiment of the invention, the encrypted ciphertext ring can be established by using a circular encryption method. In addition, the plaintext storage of the key is eliminated in this ciphertext ring, while ensuring that the password can be verified. And the performance is scalable, and different encryption algorithms and key lengths can be selected to balance the performance with the security strength level required by the user.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the password storage method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to an embodiment of the present invention, there is further provided a password storage apparatus for implementing the password storage method. Fig. 8 is a schematic diagram of a password storage apparatus according to a second embodiment of the present invention; as shown in fig. 8, the password storage apparatus includes a first obtaining module 81, a first processing module 83, a first encryption module 85, a second encryption module 87 and a first storage module 89, where:
The first obtaining module 81 is configured to obtain the password and the salt to be added to the password.
The first processing module 83 is configured to perform data processing on the password to obtain processed data.
The first encryption module 85 is configured to encrypt the salt with the processing data to obtain the encrypted salt.
The second encryption module 87 is configured to encrypt the processing data with the salt to obtain a password stub of the password.
The first storage module 89 is configured to store the encrypted salt and the password stub.
In this embodiment, the password and the salt to be added to the password may be acquired by the first acquisition module 81; meanwhile, the first processing module 83 is used for carrying out data processing on the password to obtain processing data; then, the salt is encrypted by using the first encryption module 85 by adopting the processing data to obtain encrypted salt; then, the second encryption module 87 is used for encrypting the processing data by adopting salt to obtain a password stub of the password; and stores the encrypted salt and the cryptographic stub using the first storage module 89. Compared with the defect that the password still has a risk of leakage caused by plaintext storage of salt used for improving the password in the related technology, the password storage device provided by the embodiment of the invention can realize the purpose of ciphertext storage of the salt to be added into the password, achieves the technical effect of improving the security of the password, and further solves the technical problems of low reliability of password processing and high risk in the related technology.
As an alternative embodiment, the first processing module may include: and the first acquisition unit is used for carrying out hash processing on the password to obtain first hash data serving as processing data.
As an alternative embodiment, the first processing module may include: and a second acquisition unit configured to acquire another salt, and perform hash processing on the password and the another salt to obtain second hash data used as the processing data.
As an optional embodiment, the password storage apparatus may further include: the second acquisition module is used for carrying out hash processing on the password to obtain first hash data; and the second storage module is used for encrypting the other salt by adopting the first hash data to obtain the other encrypted salt and storing the other encrypted salt.
As an optional embodiment, the password storage apparatus may further include: the third storage module is used for storing the encrypted salt, the other encrypted salt and the password stub in a separate storage mode, wherein the separate storage mode comprises the following steps: logically separate storage or physically separate storage.
As an alternative embodiment, the third storage module may include: the determining unit is used for determining the adopted separate storage mode according to the security level of the password; the first storage unit is used for storing the encryption salt, the other encryption salt and the password stub in a physically separated storage mode under the condition that the security level of the password is higher than a preset level; and the second storage unit is used for storing the encryption salt, the other encryption salt and the password stub in a logic separated storage mode under the condition that the security level of the password is not higher than the preset level.
In addition, according to another aspect of the embodiment of the present invention, there is provided a password authentication apparatus, which corresponds to the password authentication method shown in fig. 5. Fig. 9 is a schematic diagram of a password authentication apparatus according to a second embodiment of the present invention; as shown in fig. 9, the password authentication apparatus may include: a receiving module 91, a second processing module 93, a first decryption module 95, a second decryption module 97 and a verification module 99. Wherein:
The receiving module 91 is configured to receive a password to be authenticated.
The second processing module 93 is configured to perform data processing on the password to be authenticated to obtain data to be verified.
The first decryption module 95 is configured to decrypt the encrypted salt with the data to be verified to obtain the verification salt, where the encrypted salt is obtained by encrypting the correct salt with the processing data, and the processing data is obtained by processing the correct password.
The second decryption module 97 is configured to decrypt the password stub with the verification salt to obtain a decryption result, where the password stub is obtained by encrypting the processing data with the correct salt.
The verification module 99 is configured to determine that the password to be verified passes verification when the decryption result is consistent with the data to be verified.
In this embodiment, the password to be authenticated may be received by the receiving module 91; the second processing module 93 then performs data processing on the password to be verified to obtain data to be verified; the first decryption module 95 decrypts the encrypted salt with the data to be verified to obtain the verification salt, where the encrypted salt is obtained by encrypting the correct salt with the processing data, and the processing data is obtained by processing the correct password; the second decryption module 97 decrypts the password stub with the verification salt to obtain a decryption result, where the password stub is obtained by encrypting the processing data with the correct salt; and the verification module 99 determines that the password to be verified passes verification when the decryption result is consistent with the data to be verified. In the related art the salt used to strengthen the password is stored in plaintext, so the password still carries a risk of leakage; by contrast, the password verification device provided by this embodiment of the invention works with a salt that is stored as ciphertext, thereby improving the security of the password and addressing the technical problems of low reliability and high risk in password processing in the related art.
As an alternative embodiment, the second processing module may include a third acquisition unit, configured to perform hash processing on the password to be verified to obtain third hash data serving as the data to be verified.
As an alternative embodiment, the second processing module may include a fourth acquisition unit, configured to acquire another salt and to perform hash processing on the password to be verified and the other salt to obtain fourth hash data serving as the data to be verified, where the other salt is the salt that was combined with the correct password during data processing to obtain the processing data.
Preferably, according to another aspect of the embodiments of the present invention, there is further provided a closed password storage apparatus, and fig. 10 is a schematic diagram of a closed password storage apparatus according to a second embodiment of the present invention, as shown in fig. 10, the closed password storage apparatus includes: a third obtaining module 1001, a third encrypting module 1003, a fourth encrypting module 1005, a fourth storing module 1007 and a feedback module 1009. The closed password storage device will be described in detail below.
A third obtaining module 1001, configured to obtain a closed password storage instruction from the client.
The third obtaining module 1001 is further configured to obtain data to be stored, where the data to be stored includes a password and a salt to be added to the password.
The third encryption module 1003 is configured to encrypt the salt by using the processing data corresponding to the password, so as to obtain an encrypted salt.
A fourth encrypting module 1005, configured to encrypt the processing data with salt to obtain a password stub of the password.
A fourth storage module 1007, configured to store the encrypted salt and the password stub.
A feedback module 1009 is configured to feed back the completion status of the closed password storage to the client.
In this embodiment, the third obtaining module 1001 may be used to obtain a closed password storage instruction from a client; the third obtaining module 1001 is further configured to obtain the data to be stored, where the data to be stored includes a password and the salt to be added to the password; the third encryption module 1003 then encrypts the salt with the processing data corresponding to the password to obtain the encrypted salt; the fourth encryption module 1005 encrypts the processing data with the salt to obtain the password stub of the password; the fourth storage module 1007 stores the encrypted salt and the password stub; and the feedback module 1009 feeds back the completion status of the closed password storage to the client. In the related art the salt used to strengthen the password is stored in plaintext, so the password still carries a risk of leakage; by contrast, the closed password storage device provided by this embodiment of the invention stores the salt to be added to the password as ciphertext, thereby improving the security of the password and addressing the technical problems of low reliability and high risk in password processing in the related art.
It should be noted here that the first obtaining module 81, the first processing module 83, the first encryption module 85, the second encryption module 87 and the first storage module 89 correspond to steps S202 to S210 in embodiment 1; the receiving module 91, the second processing module 93, the first decryption module 95, the second decryption module 97 and the verification module 99 correspond to steps S501 to S509 in embodiment 1; and the third acquisition module 1001, the third encryption module 1003, the fourth encryption module 1005, the fourth storage module 1007 and the feedback module 1009 correspond to steps S702 to S712 in embodiment 1. Each module implements the same examples and application scenarios as its corresponding step, but is not limited to what is disclosed in the first embodiment. It should also be noted that the above modules, as part of the apparatus, may run in the computer terminal 10 provided in the first embodiment.
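The storage steps (S202 to S210) and the verification steps (S501 to S509) described above, worked through end to end as an added illustration; this is not code from the patent or from the applicant. The patent names neither a hash function nor a cipher, so SHA-256 stands in for "hash processing" and a SHAKE-256 keystream XOR stands in for "encrypting with" a key (a placeholder; a real deployment would use an authenticated cipher such as AES-GCM). Both variants are covered: processing data as hash(password), and the second embodiment in which processing data is hash(password || another salt) and the other salt is itself stored encrypted under hash(password).

```python
"""Worked example of the salt-encrypting password storage scheme.

Added illustration code, not the patent's or applicant's own.  Assumptions:
  * "hash processing"          -> SHA-256
  * "encrypt X with key K"     -> XOR of X with a SHAKE-256 keystream of K
                                  (placeholder cipher; use AES-GCM in practice)
"""
import hashlib
import hmac
import os
from typing import Optional


def hash_data(*parts: bytes) -> bytes:
    """'Hash processing' of the concatenated parts (assumption: SHA-256)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Placeholder symmetric cipher: XOR `data` with a SHAKE-256 keystream
    derived from `key`.  Encryption and decryption are the same operation."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def store_password(password: bytes, salt: bytes,
                   another_salt: Optional[bytes] = None) -> dict:
    """Steps S202-S210: build the record that is actually persisted.

    The record holds only ciphertext fields: 'encrypted_salt' and 'stub', plus
    'encrypted_another_salt' for the second embodiment.  Neither the plaintext
    salt nor the processing data is stored.
    """
    if another_salt is None:
        processing_data = hash_data(password)                # first hash data
    else:
        processing_data = hash_data(password, another_salt)  # second hash data
    record = {
        # salt encrypted with the processing data
        "encrypted_salt": xor_crypt(processing_data, salt),
        # processing data encrypted with the salt: the "password stub"
        "stub": xor_crypt(salt, processing_data),
    }
    if another_salt is not None:
        # the other salt is encrypted with the first hash data, hash(password)
        record["encrypted_another_salt"] = xor_crypt(hash_data(password), another_salt)
    return record


def verify_password(candidate: bytes, record: dict) -> bool:
    """Steps S501-S509: check a candidate password against a stored record.

    A wrong candidate yields a wrong data-to-verify, hence a wrong verification
    salt, hence a decryption result that does not match; no plaintext salt is
    ever needed.
    """
    if "encrypted_another_salt" in record:
        # recover the other salt under hash(candidate), then the fourth hash data
        first_hash = hash_data(candidate)
        another_salt = xor_crypt(first_hash, record["encrypted_another_salt"])
        data_to_verify = hash_data(candidate, another_salt)
    else:
        data_to_verify = hash_data(candidate)                # third hash data
    verification_salt = xor_crypt(data_to_verify, record["encrypted_salt"])
    decryption_result = xor_crypt(verification_salt, record["stub"])
    # constant-time comparison of the decryption result with the data to verify
    return hmac.compare_digest(decryption_result, data_to_verify)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample password
    rec = store_password(pw, os.urandom(16))
    print("single-salt variant:", verify_password(pw, rec), verify_password(b"wrong", rec))
    rec2 = store_password(pw, os.urandom(16), another_salt=os.urandom(16))
    print("two-salt variant:   ", verify_password(pw, rec2), verify_password(b"wrong", rec2))
```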
Example 3
The embodiment of the invention can provide a computer terminal which can be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the password storage method of the application program: acquiring a password and salt to be added into the password; processing the password to obtain processed data; encrypting the salt by adopting the processing data to obtain encrypted salt; encrypting the processed data by adopting salt to obtain a password stub of the password; the encrypted salt and the cryptographic stub are stored.
Optionally, in this embodiment, the computer terminal may execute the program code of the following steps in the password authentication method for the application program: receiving a password to be verified; carrying out data processing on the password to be verified to obtain data to be verified; decrypting the encrypted salt by adopting the data to be verified to obtain verified salt, wherein the encrypted salt is obtained by encrypting correct salt by adopting processing data, and the processing data is obtained by processing a correct password; decrypting the password stub by adopting verification salt to obtain a decryption result, wherein the password stub is obtained by encrypting the processing data by adopting correct salt; and determining that the password to be verified passes the verification under the condition that the decryption result is consistent with the processed data.
Alternatively, fig. 11 is a block diagram of a computer terminal according to a third embodiment of the present invention. As shown in fig. 11, the computer terminal 111 may include: one or more processors 1101 (only one of which is shown), a memory 1103, and peripheral interfaces, display screens, and network modules.
The memory may be configured to store software programs and modules, such as program instructions/modules corresponding to the password storage method and apparatus in the embodiments of the present invention, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, implementing the password storage method. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located from the processor, which may be connected to the computer terminal 111 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
In addition, the memory may be configured to store software programs and modules, such as program instructions/modules corresponding to the password authentication method and apparatus in the embodiments of the present invention, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, so as to implement the password authentication method described above. The memory may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, which may be connected to the computer terminal 111 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application program stored in the memory through the transmission device to execute the following steps: acquiring a password and salt to be added into the password; processing the password to obtain processed data; encrypting the salt by adopting the processing data to obtain encrypted salt; encrypting the processed data by adopting salt to obtain a password stub of the password; the encrypted salt and the cryptographic stub are stored.
Optionally, the processor may further execute the program code of the following steps: the password is subjected to hash processing to obtain first hash data serving as processing data.
Optionally, the processor may further execute the program code of the following steps: and acquiring another salt, and carrying out hash processing on the password and the another salt to obtain second hash data used as processing data.
Optionally, the processor may further execute the program code of the following steps: carrying out hash processing on the password to obtain first hash data; and encrypting the other salt by adopting the first hash data to obtain the other encrypted salt, and storing the other encrypted salt.
Optionally, the processor may further execute the program code of the following steps: storing the encrypted salt, the other encrypted salt and the password stub in a separate storage mode, wherein the separate storage mode comprises the following steps: logically separate storage or physically separate storage.
Optionally, the processor may further execute the program code of the following steps: determining a separate storage mode according to the security level of the password; under the condition that the security level of the password is higher than a preset level, storing the encrypted salt, the other encrypted salt and the password stub in a physically separated storage mode; and in the case that the security level of the password is not higher than the preset level, storing the encryption salt, the other encryption salt and the password stub in a logic separated storage mode.
As an alternative embodiment, the processor may call the information and the application program stored in the memory through the transmission device to execute the following steps: receiving a password to be verified; carrying out data processing on the password to be verified to obtain data to be verified; decrypting the encrypted salt by adopting the data to be verified to obtain verified salt, wherein the encrypted salt is obtained by encrypting the correct salt by adopting the processing data, and the processing data is obtained by processing the correct password; decrypting the password stub by adopting verification salt to obtain a decryption result, wherein the password stub is obtained by encrypting the processing data by adopting correct salt; and determining that the password to be verified passes the verification under the condition that the decryption result is consistent with the processed data.
Optionally, the processor may further execute the program code of the following steps: and carrying out hash processing on the password to be verified to obtain third hash data serving as the data to be verified.
Optionally, the processor may further execute the program code of the following steps: and acquiring another salt, and performing hash processing on the password to be verified and the another salt to obtain fourth hash data serving as data to be verified, wherein the another salt is the salt which is combined with the correct password to perform data processing to obtain processed data.
In the embodiment of the invention, a password storage method is provided, which acquires a password and the salt to be added to the password; processes the password to obtain processing data; encrypts the salt with the processing data to obtain the encrypted salt; encrypts the processing data with the salt to obtain the password stub of the password; and stores the encrypted salt and the password stub. In the related art the salt used to strengthen the password is stored in plaintext, so the password still carries a risk of leakage; by contrast, the password storage method provided by this embodiment of the invention stores the salt to be added to the password as ciphertext, thereby improving the security of the password and addressing the technical problems of low reliability and high risk in password processing in the related art.
The embodiment of the invention also provides a password verification method, which, after receiving the password to be verified, performs data processing on it to obtain data to be verified; decrypts the encrypted salt with the data to be verified to obtain the verification salt, where the encrypted salt is obtained by encrypting the correct salt with the processing data, and the processing data is obtained by processing the correct password; decrypts the password stub with the verification salt to obtain a decryption result, where the password stub is obtained by encrypting the processing data with the correct salt; and determines that the password to be verified passes verification when the decryption result is consistent with the data to be verified. In the related art the salt used to strengthen the password is stored in plaintext, so the password still carries a risk of leakage; by contrast, the password verification method provided by this embodiment of the invention works with a salt that is stored as ciphertext, thereby improving the security of the password and addressing the technical problems of low reliability and high risk in password processing in the related art.
The embodiment of the invention also provides a closed password storage method, which, after obtaining a closed password storage instruction from a client, obtains the data to be stored, where the data to be stored includes a password and the salt to be added to the password; encrypts the salt with the processing data corresponding to the password to obtain the encrypted salt; encrypts the processing data with the salt to obtain the password stub of the password; stores the encrypted salt and the password stub; and feeds back the completion state of the closed password storage to the client. In the related art the salt used to strengthen the password is stored in plaintext, so the password still carries a risk of leakage; by contrast, the closed password storage method provided by this embodiment of the invention stores the salt to be added to the password as ciphertext, thereby improving the security of the password and addressing the technical problems of low reliability and high risk in password processing in the related art.
It can be understood by those skilled in the art that the structure shown in fig. 11 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 11 is a diagram illustrating a structure of the electronic device. For example, computer terminal 111 may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 11, or have a different configuration than shown in FIG. 11.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 4
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program codes executed by the password storage method, the password authentication method, and the closed password storage method provided in the first embodiment.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
As an alternative embodiment, in the present embodiment, the storage medium is configured to store program code for performing the following steps: acquiring a password and salt to be added into the password; processing the password to obtain processed data; encrypting the salt by adopting the processing data to obtain encrypted salt; encrypting the processed data by adopting salt to obtain a password stub of the password; the encrypted salt and the cryptographic stub are stored.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: the password is subjected to hash processing to obtain first hash data serving as processing data.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: and acquiring another salt, and carrying out hash processing on the password and the another salt to obtain second hash data used as processing data.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: carrying out hash processing on the password to obtain first hash data; and encrypting the other salt by adopting the first hash data to obtain the other encrypted salt, and storing the other encrypted salt.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: storing the encrypted salt, the other encrypted salt and the password stub in a separate storage mode, wherein the separate storage mode comprises the following steps: logically separate storage or physically separate storage.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: the storage of the encrypted salt, the other encrypted salt and the password stub in a separate storage mode comprises the following steps: determining a separate storage mode according to the security level of the password; under the condition that the security level of the password is higher than a preset level, storing the encrypted salt, the other encrypted salt and the password stub in a physically separated storage mode; and in the case that the security level of the password is not higher than the preset level, storing the encryption salt, the other encryption salt and the password stub in a logic separated storage mode.
As another alternative embodiment, in the present embodiment, the storage medium is configured to store program code for performing the steps of: receiving a password to be verified; carrying out data processing on the password to be verified to obtain data to be verified; decrypting the encrypted salt by adopting the data to be verified to obtain verified salt, wherein the encrypted salt is obtained by encrypting the correct salt by adopting the processing data, and the processing data is obtained by processing the correct password; decrypting the password stub by adopting verification salt to obtain a decryption result, wherein the password stub is obtained by encrypting the processing data by adopting correct salt; and determining that the password to be verified passes the verification under the condition that the decryption result is consistent with the processed data.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: and carrying out hash processing on the password to be verified to obtain third hash data serving as the data to be verified.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: and acquiring another salt, and performing hash processing on the password to be verified and the another salt to obtain fourth hash data serving as data to be verified, wherein the another salt is the salt which is combined with the correct password to perform data processing to obtain processed data.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided by the present invention, it should be understood that the disclosed technical contents can be realized by other modes. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of logical function division, and in actual implementation, there may be other division manners, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may also be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive (U disk), a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.

Claims (14)

1. A method of password storage, comprising:
acquiring a password and salt to be added into the password;
processing the password to obtain processed data;
encrypting the salt by adopting the processing data to obtain encrypted salt;
encrypting the processing data by adopting the salt to obtain a password stub of the password;
storing the encrypted salt and the cryptographic stub;
wherein the data processing of the password to obtain the processing data comprises: acquiring another salt, and performing hash processing on the password and the other salt to obtain second hash data used as the processing data.
2. The method of claim 1, wherein the data processing of the password to obtain the processing data comprises:
performing hash processing on the password to obtain first hash data used as the processing data.
3. The method of claim 1, further comprising:
performing hash processing on the password to obtain first hash data;
and encrypting the other salt with the first hash data to obtain another encrypted salt, and storing the other encrypted salt.
4. The method of claim 3, wherein the encrypted salt, the another encrypted salt, and the cryptographic stub are stored in separate storage, wherein the separate storage comprises: logically separate storage or physically separate storage.
5. The method of claim 4, wherein storing the encrypted salt, the another encrypted salt, and the cryptographic stub separately comprises:
determining a separate storage mode according to the security level of the password;
in the case that the security level of the password is higher than a preset level, storing the encrypted salt, the other encrypted salt and the password stub in a physically separate storage mode;
and in the case that the security level of the password is not higher than the preset level, storing the encrypted salt, the other encrypted salt and the password stub in a logically separate storage mode.
6. A method of password authentication, comprising:
receiving a password to be verified;
performing data processing on the password to be verified to obtain data to be verified;
decrypting the encrypted salt by using the data to be verified to obtain verified salt, wherein the encrypted salt is obtained by encrypting correct salt by using processing data, and the processing data is obtained by processing a correct password;
decrypting the password stub by adopting the verification salt to obtain a decryption result, wherein the password stub is obtained by encrypting the processing data by adopting correct salt;
determining that the password to be verified passes verification under the condition that the decryption result is consistent with the processing data;
the data processing of the password to be verified to obtain the data to be verified comprises the following steps: and acquiring another salt, and performing hash processing on the password to be verified and the another salt to obtain fourth hash data used as the data to be verified, wherein the another salt is a salt which is combined with the correct password to perform data processing to obtain processed data.
7. The method according to claim 6, wherein the data processing of the password to be authenticated to obtain the data to be authenticated comprises:
and carrying out hash processing on the password to be verified to obtain third hash data serving as the data to be verified.
8. A method for closed password storage, comprising:
acquiring a closed password storage instruction from a client;
acquiring data to be stored, wherein the data to be stored comprises a password and salt to be added into the password;
encrypting the salt by adopting the processing data corresponding to the password to obtain encrypted salt;
encrypting the processing data by adopting the salt to obtain a password stub of the password;
storing the encrypted salt and the cryptographic stub;
feeding back the completion state of the closed password storage to the client;
wherein encrypting the salt with the processing data corresponding to the password to obtain the encrypted salt comprises: acquiring another salt, and performing hash processing on the password and the other salt to obtain second hash data serving as the processing data; and encrypting the salt with the processing data to obtain the encrypted salt.
9. A password storage device, comprising:
the first acquisition module is used for acquiring the password and salt to be added into the password;
the first processing module is used for carrying out data processing on the password to obtain processing data;
the first encryption module is used for encrypting the salt by adopting the processing data to obtain encrypted salt;
the second encryption module is used for encrypting the processing data by adopting the salt to obtain a password stub of the password;
the storage module is used for storing the encrypted salt and the password stub;
the first processing module is further configured to acquire another salt, and perform hash processing on the password and the another salt to obtain second hash data used as the processing data.
10. A password authentication apparatus, comprising:
a receiving module, configured to receive a password to be verified;
a second processing module, configured to perform data processing on the password to be verified to obtain data to be verified;
a first decryption module, configured to decrypt the encrypted salt using the data to be verified to obtain a verification salt, wherein the encrypted salt is obtained by encrypting the correct salt using processing data, and the processing data is obtained by processing the correct password;
a second decryption module, configured to decrypt the password stub using the verification salt to obtain a decryption result, wherein the password stub is obtained by encrypting the processing data using the correct salt;
a verification module, configured to determine that the password to be verified passes verification when the decryption result is consistent with the processing data;
wherein the second processing module is further configured to acquire another salt and perform hash processing on the password to be verified and the other salt to obtain fourth hash data serving as the data to be verified, where the other salt is the salt that was combined with the correct password in the data processing that produced the processing data.
11. A closed password storage device, comprising:
a third acquisition module, configured to acquire a closed password storage instruction from a client;
the third acquisition module being further configured to acquire data to be stored, wherein the data to be stored comprises a password and a salt to be added to the password;
a third encryption module, configured to encrypt the salt using the processing data corresponding to the password to obtain an encrypted salt;
a fourth encryption module, configured to encrypt the processing data using the salt to obtain a password stub of the password;
a fourth storage module, configured to store the encrypted salt and the password stub;
a feedback module, configured to feed back the completion state of the closed password storage to the client;
wherein the third encryption module is further configured to acquire another salt and perform hash processing on the password and the other salt to obtain second hash data serving as the processing data, and to encrypt the salt using the processing data to obtain the encrypted salt.
12. A storage medium storing a program, wherein, when the program runs, the apparatus in which the storage medium is located is controlled to perform at least one of the following methods: the password storage method of any one of claims 1 to 5, the password authentication method of any one of claims 6 to 7, and the closed password storage method of claim 8.
13. A processor configured to run a program, wherein the program, when running, performs at least one of the following methods: the password storage method of any one of claims 1 to 5, the password authentication method of any one of claims 6 to 7, and the closed password storage method of claim 8.
14. A computing device, comprising: a memory and a processor, wherein
the memory stores a computer program, and
the processor is configured to execute the computer program stored in the memory, the computer program, when executed, performing at least one of the following methods: the password storage method of any one of claims 1 to 5, the password authentication method of any one of claims 6 to 7, and the closed password storage method of claim 8.
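Claims 6 and 8 to 11 together describe one round trip: hash the password with a second salt to get the processing data, encrypt the first salt under that hash, encrypt the hash under the first salt, store both, and at verification time run the two decryptions in reverse and compare. The Python below is an added illustration of that round trip, not code from the patent; the claims name neither the hash function nor the cipher, so SHA-256 and a toy HMAC-keyed XOR keystream (standing in for a real symmetric cipher) are assumptions.

```python
import hashlib
import hmac

# Added illustration of claims 6 and 8 to 11, not code from the patent.
# Assumptions (the claims name neither): SHA-256 as the "hash processing"
# and a toy HMAC-keyed XOR keystream standing in for a real symmetric cipher.

def hash_processing(password: bytes, another_salt: bytes) -> bytes:
    """'Second hash data' at storage time, 'fourth hash data' at verification."""
    return hashlib.sha256(another_salt + password).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (any key length is accepted)."""
    blocks, counter = [], 0
    while len(b"".join(blocks)) < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, _keystream(key, len(data))))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def store_password(password: bytes, salt: bytes, another_salt: bytes) -> tuple:
    """Claims 8 and 9: returns (encrypted salt, password stub) for storage."""
    processing_data = hash_processing(password, another_salt)
    encrypted_salt = encrypt(processing_data, salt)  # salt under processing data
    password_stub = encrypt(salt, processing_data)   # processing data under salt
    return encrypted_salt, password_stub


def verify_password(candidate: bytes, another_salt: bytes,
                    encrypted_salt: bytes, password_stub: bytes) -> bool:
    """Claims 6 and 10: undo both encryptions and check consistency.

    The processing data is never stored, so the check compares against the
    candidate's own hash, which equals the stored-time value only for the
    correct password; a wrong candidate yields a wrong verification salt,
    and decrypting the stub under it cannot reproduce that hash."""
    data_to_verify = hash_processing(candidate, another_salt)  # fourth hash data
    verification_salt = decrypt(data_to_verify, encrypted_salt)
    decryption_result = decrypt(verification_salt, password_stub)
    return hmac.compare_digest(decryption_result, data_to_verify)
```

Note that neither stored value reveals the salt or the hash on its own: each is ciphertext under a key the store does not hold, and only a candidate that reproduces the processing data unlocks the chain.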
CN201811089138.8A 2018-09-18 2018-09-18 Password storage method and device and password verification method and device Active CN110912683B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811089138.8A CN110912683B (en) 2018-09-18 2018-09-18 Password storage method and device and password verification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811089138.8A CN110912683B (en) 2018-09-18 2018-09-18 Password storage method and device and password verification method and device

Publications (2)

Publication Number Publication Date
CN110912683A CN110912683A (en) 2020-03-24
CN110912683B true CN110912683B (en) 2022-09-23

Family

ID=69813629

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811089138.8A Active CN110912683B (en) 2018-09-18 2018-09-18 Password storage method and device and password verification method and device

Country Status (1)

Country Link
CN (1) CN110912683B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113094742B (en) * 2021-03-15 2024-05-03 国政通科技有限公司 Data desensitizing method, data desensitizing device, electronic equipment and storage medium
CN115022007B (en) * 2022-05-30 2024-03-01 中国银行股份有限公司 Data processing method, device, electronic equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106326690A (en) * 2015-06-26 2017-01-11 晨星半导体股份有限公司 Secret key protection device and secret key protection method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10990686B2 (en) * 2013-09-13 2021-04-27 Liveramp, Inc. Anonymous links to protect consumer privacy
KR102182894B1 (en) * 2014-02-28 2020-11-26 삼성전자주식회사 USER DEVICE PERFORMING PASSWROD BASED AUTHENTICATION AND PASSWORD Registration AND AUTHENTICATION METHOD THEREOF
CN105306200B (en) * 2014-06-09 2019-06-21 腾讯科技(深圳)有限公司 The encryption method and device of network account password
CN107689869B (en) * 2016-08-05 2020-06-16 华为技术有限公司 User password management method and server
CN107911343B (en) * 2017-10-27 2020-09-15 深圳英飞拓科技股份有限公司 Secure password storage verification method and device
CN108377187B (en) * 2018-03-21 2022-03-04 超越科技股份有限公司 Block chain private key using method and device based on biological characteristics


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant