CN111475832B - Data management method and related device - Google Patents


Info

Publication number: CN111475832B
Authority: CN (China)
Prior art keywords: encryption, key, target, information, data
Legal status: Active
Application number: CN202010586905.7A
Other languages: Chinese (zh)
Other versions: CN111475832A
Inventors: 张向前, 刘惠明
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The application discloses a data management method and a related device, which can be applied to a cloud file storage process. The method acquires verification information and processes it according to a preset rule to generate an encryption key; the encryption key is compared with a target key inside a trusted execution environment to obtain a result identifier; the result identifier is then obtained from the trusted execution environment; and when the result identifier indicates that the encryption key matches the target key, the target data is encrypted based on the target key to obtain encrypted data. Because the target key is stored only in the trusted execution environment, direct intrusion by malicious code is avoided, and because the only content the trusted execution environment outputs is the result identifier, the authority management process cannot affect data security, so the security of data management is improved.

Description

Data management method and related device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data management method and a related apparatus.
Background
With the development of internet technology, more and more data content appears in people's lives, and a large amount of a user's important private data is stored on the corresponding personal mobile device; once the user's mobile phone is lost or its lock-screen password is cracked, that important data can be leaked. It is therefore necessary to store the user's important data separately on the personal device in encrypted form. However, the application that stores the important data in encrypted form must still protect that private data even when another person has physical access to the phone and can unlock the screen. A stronger local encryption scheme on mobile devices is therefore needed.
Generally, data content is stored in an encrypted space, and the user manages the encryption of that content by managing a password.
However, the storage mode of an encrypted space is easy to crack, and because of the complexity of the network environment, malicious code can easily bypass password protection, which compromises the security of data encryption.
Disclosure of Invention
In view of this, the present application provides a data management method, which can effectively avoid the intrusion of malicious codes and the influence of terminal authority management on data security, and improve the data management security.
A first aspect of the present application provides a method for data management, which may be applied to a system or a program including a data management function in a terminal device, and specifically includes: acquiring verification information;
processing the verification information according to a preset rule to generate an encryption key, wherein the encryption key is used for comparing with a target key stored in a trusted execution environment in the trusted execution environment to obtain a result identifier, the result identifier is used for indicating whether the encryption key is matched with the target key, the preset rule is set according to encryption characteristics of at least one dimension, and the encryption characteristics comprise equipment characteristic information or user characteristic information;
obtaining the result identification from the trusted execution environment;
and if the result identification indicates that the encryption key is matched with the target key, encrypting target data based on the target key to obtain encrypted data.
Optionally, in some possible implementation manners of the present application, the processing the verification information according to a preset rule to generate an encryption key includes:
determining the encryption characteristics according to equipment characteristic information, wherein the equipment characteristic information is determined based on equipment identification or network address identification;
and generating the target key together according to the encryption characteristic and the verification information.
Optionally, in some possible implementations of the present application, the method further includes:
responding to the marking instruction to acquire user characteristic information;
and combining the user characteristic information with the equipment characteristic information to update the equipment characteristic information.
Optionally, in some possible implementations of the present application, the generating the encryption key according to the encryption feature and the verification information jointly includes:
converting the encryption characteristics and the verification information into target format data;
and arranging the target format data according to a preset sequence to generate the target key.
Optionally, in some possible implementation manners of the present application, if the result identifier indicates that the encryption key matches the target key, encrypting target data based on the target key to obtain encrypted data includes:
if the result identification indicates that the target keys are matched, responding to a data selection instruction to acquire the target data, wherein the data selection instruction is used for indicating the data content of a target category or a target format;
and encrypting target data based on the target key to obtain the encrypted data.
Optionally, in some possible implementations of the present application, the method further includes:
acquiring decryption information in response to the decryption instruction;
processing the decryption information according to the preset rule to generate a decryption key;
comparing the decryption key with the target key to obtain a result identifier, wherein the result identifier is used for indicating extraction of the encrypted data, the result identifier is obtained by the output of the trusted execution environment, the result identifier is different from the decryption information, and the result identifier is different from the verification information.
Optionally, in some possible implementation manners of the present application, the processing the decryption information according to the preset rule to generate a decryption key includes:
determining the encryption characteristics corresponding to the preset rules;
generating the decryption key based on the encryption characteristic and the decryption information.
Optionally, in some possible implementations of the present application, the method further includes:
acquiring identification information in response to an identification setting instruction;
setting comparison result information for the identification information, wherein the comparison result information is used for indicating a comparison result of the decryption key and the target key;
and associating the identification information with the comparison result information to update the result identification.
Optionally, in some possible implementations of the present application, the method further includes:
if the result identifier indicates that the decryption key is the same as the target key, determining revision information in response to a password modification instruction;
and updating the target key according to the revision information.
Optionally, in some possible implementations of the present application, the method further includes:
responding to the trigger of the target virtual element to acquire an initialization interface;
acquiring an initial password based on the initialization interface;
and processing the initial password according to the preset rule to generate the target secret key.
Optionally, in some possible implementations of the present application, the method further includes:
determining an encryption dimension in response to the characteristic input instruction;
obtaining the encryption characteristics based on the encryption dimension;
updating the preset rule based on the encryption characteristics.
Optionally, in some possible implementations of the present application, the data management method is applied to a mobile terminal, and the trusted execution environment is TrustZone.
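The first-aspect method and its optional implementations above (deriving a candidate key from device and user characteristics plus the verification information by the preset rule, comparing it inside the trusted execution environment so that only a result identifier comes out, and gating encryption and decryption of the target data on that identifier) as an added Go example; this is not code from the patent or from Tencent. It assumes the preset rule is "normalise each characteristic, arrange the pieces in a fixed order, hash with SHA-256", uses AES-256-GCM as the data cipher, and uses constructed sample identifiers; the patent specifies none of these.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"strings"
)

// EncryptionFeatures are the "encryption characteristics" the preset rule is
// built from: device characteristic information (IMEI or MAC address),
// optionally combined with user characteristic information.
type EncryptionFeatures struct {
	IMEI string
	MAC  string
	User string // user characteristic information; may be empty
}

// ResultID is the only thing the trusted execution environment returns to the
// normal world. It carries neither the verification information nor any key.
type ResultID int

const (
	ResultMismatch ResultID = iota
	ResultMatch
)

// applyPresetRule is an assumed concrete form of the patent's preset rule:
// convert each characteristic and the verification information into a target
// format (trimmed, lower-cased text), arrange them in a fixed order, and hash
// the arrangement into a 256-bit key.
func applyPresetRule(f EncryptionFeatures, verification string) []byte {
	norm := func(s string) string { return strings.ToLower(strings.TrimSpace(s)) }
	ordered := []string{norm(f.IMEI), norm(f.MAC), norm(f.User), norm(verification)}
	sum := sha256.Sum256([]byte(strings.Join(ordered, "\x1f")))
	return sum[:]
}

// TEE simulates the trusted execution environment. The target key lives in an
// unexported field and is never returned by any method.
type TEE struct {
	targetKey []byte
}

// NewTEE sets the target key from the initial password entered on the
// initialisation interface, processed with the same preset rule.
func NewTEE(f EncryptionFeatures, initialPassword string) *TEE {
	return &TEE{targetKey: applyPresetRule(f, initialPassword)}
}

// Compare checks a candidate (encryption or decryption) key against the target
// key in constant time and returns only the result identifier.
func (t *TEE) Compare(candidate []byte) ResultID {
	if subtle.ConstantTimeCompare(candidate, t.targetKey) == 1 {
		return ResultMatch
	}
	return ResultMismatch
}

// gate hands back an AEAD over the target key only when the candidate matches;
// the key bytes themselves never cross the boundary.
func (t *TEE) gate(candidate []byte) (cipher.AEAD, error) {
	if t.Compare(candidate) != ResultMatch {
		return nil, errors.New("candidate key does not match target key")
	}
	block, err := aes.NewCipher(t.targetKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the target data (nonce || ciphertext) if the result identifier is a match.
func (t *TEE) Encrypt(candidate, plaintext []byte) ([]byte, error) {
	aead, err := t.gate(candidate)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt extracts the encrypted data only when the decryption key matches.
func (t *TEE) Decrypt(candidate, sealed []byte) ([]byte, error) {
	aead, err := t.gate(candidate)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	n := aead.NonceSize()
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}
```

The normal-world client computes the candidate with applyPresetRule and passes it in, as the first aspect describes; a wrong password or a different device's characteristics both yield ResultMismatch and no data.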
A second aspect of the present application provides an apparatus for data management, comprising: an acquisition unit configured to acquire authentication information;
the generating unit is used for processing the verification information according to a preset rule to generate an encryption key, the encryption key is used for comparing with a target key stored in a trusted execution environment in the trusted execution environment to obtain a result identifier, the result identifier is used for indicating whether the encryption key is matched with the target key or not, the preset rule is set according to encryption characteristics of at least one dimension, and the encryption characteristics comprise equipment characteristic information or user characteristic information;
the obtaining unit is further configured to obtain the result identifier from the trusted execution environment;
and the management unit is used for encrypting the target data based on the target key to obtain encrypted data if the result identification indicates that the encryption key is matched with the target key.
Optionally, in some possible implementation manners of the present application, the generating unit is specifically configured to determine the encryption characteristic according to device characteristic information, where the device characteristic information is determined based on a device identifier or a network address identifier;
the generating unit is specifically configured to generate the target key jointly according to the encryption feature and the verification information.
Optionally, in some possible implementation manners of the present application, the generating unit is specifically configured to obtain the user feature information in response to the marking instruction;
the generating unit is specifically configured to combine the user feature information with the device feature information to update the device feature information.
Optionally, in some possible implementation manners of the present application, the generating unit is specifically configured to convert the encryption characteristic and the verification information into target format data;
the generating unit is specifically configured to arrange the target format data according to a preset order to generate the target key.
Optionally, in some possible implementations of the present application, the management unit is specifically configured to obtain the target data in response to a data selection instruction, where the data selection instruction is used to indicate a data content of a target category or a target format;
the management unit is specifically configured to encrypt target data based on the target key to obtain the encrypted data.
Optionally, in some possible implementations of the present application, the management unit is specifically configured to obtain decryption information in response to a decryption instruction;
the management unit is specifically configured to process the decryption information according to the preset rule to generate a decryption key;
the management unit is specifically configured to compare the decryption key with the target key to obtain a result identifier, where the result identifier is used to indicate extraction of the encrypted data, the result identifier is obtained by outputting from the trusted execution environment, the result identifier is different from the decryption information, and the result identifier is different from the verification information.
Optionally, in some possible implementation manners of the present application, the management unit is specifically configured to determine the encryption feature corresponding to the preset rule;
the management unit is specifically configured to generate the decryption key based on the encryption characteristic and the decryption information.
Optionally, in some possible implementation manners of the present application, the management unit is specifically configured to obtain the identifier information in response to the identifier setting instruction;
the management unit is specifically configured to set comparison result information for the identification information, where the comparison result information is used to indicate a comparison result between the decryption key and the target key;
the management unit is specifically configured to associate the identifier information with the comparison result information, so as to update the result identifier.
Optionally, in some possible implementations of the present application, the management unit is specifically configured to determine revision information in response to a password modification instruction if the result identifier indicates that the decryption key is the same as the target key;
the management unit is specifically configured to update the target key according to the revision information.
Optionally, in some possible implementation manners of the present application, the management unit is specifically configured to obtain an initialization interface in response to a trigger of a target virtual element;
the management unit is specifically configured to obtain an initial password based on the initialization interface;
the management unit is specifically configured to process the initial password according to the preset rule to generate the target key.
Optionally, in some possible implementations of the present application, the management unit is specifically configured to determine an encryption dimension in response to a feature input instruction;
the management unit is specifically configured to obtain the encryption characteristics based on the encryption dimension;
the management unit is specifically configured to update the preset rule based on the encryption characteristic.
A third aspect of the present application provides a computer device comprising a memory, a processor, and a bus system; the memory stores program code, and the processor is configured to perform the data management method of the first aspect or any one of its implementations according to instructions in the program code.
A fourth aspect of the present application provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the data management method of the first aspect or any one of its implementations.
It can be seen from the above technical solution that the embodiments of the present application have the following advantages:
Verification information is acquired and processed according to a preset rule to generate an encryption key; the encryption key is compared, inside the trusted execution environment, with a target key stored there to obtain a result identifier indicating whether the encryption key matches the target key, where the preset rule is set according to encryption characteristics of at least one dimension and the encryption characteristics comprise device characteristic information or user characteristic information; and when the result identifier indicates that the encryption key matches the target key, the target data is encrypted based on the target key to obtain encrypted data. The encryption of the target data is thus achieved while the target key is stored only in the trusted execution environment, so direct intrusion by malicious code is avoided; and since the only content the trusted execution environment outputs in response to external instructions is the result identifier, the authority management process cannot affect data security, which improves the security of data management.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a diagram of a network architecture in which a data management system operates;
FIG. 2 is a flowchart of a data management process according to an embodiment of the present application;
FIG. 3 is a flowchart of a method for data management according to an embodiment of the present application;
FIG. 4 is a schematic view of a data management scenario provided in an embodiment of the present application;
FIG. 5 is a schematic view of another scenario of data management provided in an embodiment of the present application;
FIG. 6 is a flowchart of another method for data management provided by an embodiment of the present application;
FIG. 7 is a flowchart of another method for data management provided by an embodiment of the present application;
FIG. 8 is a schematic view of another scenario of data management provided in an embodiment of the present application;
FIG. 9 is a schematic view of another scenario of data management provided in an embodiment of the present application;
FIG. 10 is a flowchart of another method for data management provided by an embodiment of the present application;
FIG. 11 is a schematic view of another scenario of data management provided in an embodiment of the present application;
FIG. 12 is a flowchart of another method for data management provided by an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a data management apparatus according to an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
Detailed Description
The embodiments of the application provide a data management method and a related device, which can be applied to a system or program containing a data management function in a terminal device. The method acquires verification information and processes it according to a preset rule to generate an encryption key; the encryption key is compared, inside the trusted execution environment, with a target key stored there to obtain a result identifier indicating whether the encryption key matches the target key, where the preset rule is set according to encryption characteristics of at least one dimension and the encryption characteristics comprise device characteristic information or user characteristic information; the result identifier is then obtained from the trusted execution environment; and when the result identifier indicates that the encryption key matches the target key, the target data is encrypted based on the target key to obtain encrypted data. The encryption of the target data is thus achieved while the target key is stored only in the trusted execution environment, so direct intrusion by malicious code is avoided; and since the only content the trusted execution environment outputs in response to external instructions is the result identifier, the authority management process cannot affect data security, which improves the security of data management.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "corresponding" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms that may appear in the embodiments of the present application are explained.
IMEI: abbreviation of International Mobile Equipment Identity; commonly known as the mobile phone serial number, it identifies each individual mobile phone in a GSM mobile network and is equivalent to the phone's identity number.
MAC address (Media Access Control or Medium Access Control address): also called the physical address or hardware address, it identifies the location of a network device.
It should be understood that the data management method provided by the present application may be applied to a system or program that includes a data management function in a terminal device, such as a file safe. Specifically, the data management system may operate in the network architecture shown in fig. 1, which is a network architecture diagram of the data management system. As can be seen from the figure, the data management system may provide data management for multiple information sources: a terminal establishes a connection with a server through a network, receives data sent by the server, and performs data encryption management locally. It is understood that fig. 1 shows several kinds of terminal devices; in an actual scenario there may be more or fewer types of terminal devices participating in the data management process, and the specific number and type depend on the actual scenario, which is not limited herein. In addition, fig. 1 shows one server, but in an actual scenario multiple servers may participate, especially in a scenario of multi-content application interaction; the specific number of servers depends on the actual scenario.
In this embodiment, the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN, a big data and artificial intelligence platform, and the like. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
It should be noted that the data management method provided in this embodiment may also be performed offline, that is, without the participation of a server, when the terminal performs the data management process locally.
It is understood that the data management system described above may run on a personal mobile terminal, for example as a file safe application; it may also run on a server, or on a third-party device that provides data management in order to obtain a data management processing result for an information source. The specific data management system may run in the device as a program, as a system component of the device, or as one of the cloud service programs; the specific operating mode depends on the actual scenario and is not limited herein.
A distributed cloud storage system (hereinafter referred to as the storage system) is a storage system that, using functions such as cluster application, grid technology and a distributed storage file system, integrates a large number of storage devices of different types in a network (storage devices are also called storage nodes) through application software or application interfaces so that they work cooperatively, and that provides a data storage function and a service access function externally.
At present, the storage method of a storage system is as follows. Logical volumes are created, and each logical volume is allocated physical storage space when created, which may consist of the disks of one storage device or of several storage devices. A client stores data on a certain logical volume, that is, on a file system; the file system divides the data into several parts, each part being an object, and an object contains not only the data but also additional information such as a data identifier (ID, identity). The file system writes each object into the physical storage space of the logical volume and records the storage location information of each object, so that when the client requests access to the data, the file system can allow the client to access it according to the recorded storage location of each object.
The process by which the storage system allocates physical storage space to a logical volume is specifically as follows: the physical storage space is divided in advance into stripes according to a set of capacity measures for the objects stored in the logical volume (the measures often leave a large margin over the capacity of the actual objects to be stored) and a Redundant Array of Independent Disks (RAID) configuration; one logical volume can be understood as one stripe, and physical storage space is allocated to the logical volume accordingly.
With the development of internet technology, more and more data content needs to be stored in the cloud, and a large amount of a user's important private data is stored on the corresponding personal mobile device; once the user's mobile phone is lost or its lock-screen password is cracked, that important data can be leaked. It is therefore necessary to store the user's important data separately on the personal device in encrypted form. However, the application that stores the important data in encrypted form must still protect that private data even when another person has physical access to the phone and can unlock the screen. A stronger local encryption scheme on mobile devices is therefore needed.
Generally, data content is stored in an encrypted space, and the user manages the encryption of that content by managing a password.
However, the storage mode of an encrypted space is easy to crack, and because of the complexity of the network environment, malicious code can easily bypass password protection, which compromises the security of data encryption.
To solve the above problem, the present application proposes a method for data management that is applied in the data management flow framework shown in fig. 2, a flow framework diagram of data management provided by an embodiment of the present application. First, a client determines the operation to perform on the data in response to a data management instruction input by the user, and the operation is executed in the trusted execution environment, for example encrypting the data and storing the key in the trusted execution environment. In response to the data management instruction, the trusted execution environment outputs only a result identifier, so the client takes no part in the encryption process of data management; the client merely displays the encrypted or decrypted data.
It can be understood that the method provided by the present application may be implemented as processing logic in a program running on a hardware system, or as a data management apparatus that implements the processing logic in an integrated or external manner. In one implementation, the data management apparatus acquires the verification information and processes it according to a preset rule to generate an encryption key; the encryption key is compared, inside the trusted execution environment, with a target key stored there to obtain a result identifier indicating whether the encryption key matches the target key, where the preset rule is set according to encryption characteristics of at least one dimension and the encryption characteristics comprise device characteristic information or user characteristic information; the result identifier is then obtained from the trusted execution environment; and when the result identifier indicates that the encryption key matches the target key, the target data is encrypted based on the target key to obtain encrypted data. The encryption of the target data is thus achieved while the target key is stored only in the trusted execution environment, so direct intrusion by malicious code is avoided; and since the only content the trusted execution environment outputs in response to external instructions is the result identifier, the authority management process cannot affect data security, which improves the security of data management.
With reference to the above flow architecture, the data management method of the present application is introduced below. Please refer to fig. 3, which is a flow chart of a data management method according to an embodiment of the present application; the embodiment includes at least the following steps:
301. Acquire verification information.
In this embodiment, the verification information may be obtained through an encryption instruction for encrypting a file, the purpose being to verify whether the object performing the encryption is the target object. The encryption instruction may be triggered by a contact operation of the user on the terminal device, such as a touch or a click, or by a non-contact operation of the user on the terminal device, such as voice input or an in-air gesture over the touch screen; the specific form of operation depends on the actual scene.
It is understood that the authentication information may be in the form of characters, such as numbers, codes, etc.; the verification information may also be in the form of an image, such as a shape, a picture, and the like, and the verification information may also be in the form of audio, such as voice, and the specific form of the verification information depends on the actual scene, which is not limited herein.
In some embodiments, when a user needs to encrypt a target file (picture, video, document, etc.), the user first has to enter an encryption program, such as a file safe. At this point, in order to verify that the user performing the operation is the holder of the device, the user has to be authenticated, so the user inputs verification information, such as a password, to carry out the authentication process. Specifically, in one possible scenario, the verification information is character information input by the user through the touch screen.
302. Process the verification information according to a preset rule to generate an encryption key, where the encryption key is compared, inside the trusted execution environment, with a target key stored in the trusted execution environment to obtain a result identifier; the result identifier indicates whether the encryption key matches the target key; the preset rule is set according to encryption characteristics of at least one dimension; and the encryption characteristics comprise device characteristic information or user characteristic information.
In this embodiment, the encryption key is compared with a target key that was set during initialization. The target key is stored in the trusted execution environment, that is, the encryption key is compared with the target key inside the trusted execution environment to obtain the result identifier, and the only content the trusted execution environment outputs in response to an external instruction is the result identifier. External instructions include operation instructions for data management, such as an encryption instruction or a decryption instruction.
It is understood that a Trusted Execution Environment (TEE) is a secure area within the CPU. It runs in a separate environment and in parallel with the operating system. The CPU ensures that the confidentiality and integrity of the code and data in the TEE are protected. By using both hardware and software to protect data and code, TEE is more secure than operating systems. Trusted applications running in the TEE can access all functions of the device main processor and memory, while hardware isolation protects these components from user-installed applications running in the main operating system. The code and data running in the TEE are confidential and non-tamperable.
Specifically, the TEE has different implementations on different CPUs. On ARM chips, that is, the CPUs of most mobile terminals, the TEE is implemented with TrustZone, and because ARM designs are customized by different manufacturers there are many practical schemes, for example Kinibi, QSEE, TEE OS, Knox, and the like. On Intel CPUs the TEE is implemented with Software Guard Extensions (SGX), a hardware-level privacy-preserving computing technology that lets an application execute code and protect secrets inside a trusted execution environment, so that developers can directly control the security of the application.
It is to be appreciated that the encryption key generation of step 302 may be performed in the trusted execution environment or outside the trusted execution environment, that is, the authentication information is transmitted to the trusted execution environment and the encryption key generation is performed by the trusted execution environment, or the encryption key is generated outside the trusted execution environment and the encryption key is transmitted to the trusted execution environment.
Optionally, the preset rule may be set based on an encryption characteristic of at least one dimension. Specifically, the encryption characteristic may be determined from device characteristic information: the encryption characteristic is first determined according to the device characteristic information, where the device characteristic information is determined from a device identifier or a network address identifier, such as an IMEI or a MAC address, and the encryption key is then generated jointly from the encryption characteristic and the verification information. This increases the complexity of the key and binds it to the device, so that duplicate keys are unlikely to occur and the security of data encryption is improved.
Optionally, the encryption characteristic may also be determined based on user characteristic information. Specifically, the user characteristic information may be a user identifier recorded in the terminal device, for example, a social account logged in the terminal device; or may be text information that is instantly entered by the user, such as a string of characteristic characters entered by the user. In a scene input by a user, firstly, responding to a marking instruction to acquire user characteristic information; then combining the user characteristic information with the equipment characteristic information to update the equipment characteristic information, thereby improving the confidentiality of the equipment characteristic information; it is understood that the encryption key may also be obtained by combining the user characteristic information and the authentication information, and the process should also be included in the solution provided in the present application.
In a possible scenario, the device characteristic information and the user characteristic information may be set in the same interface, as shown in fig. 4, which is a schematic view of a scenario of the data management method provided in an embodiment of the present application. The data management method of this embodiment is applied to a file safe application: a user can click the user setting button A1 to enter a setting page for the user name (user characteristic information), the device identifier, and the network identifier, and the user can input or modify each identifier individually, thereby improving the security of the key.
In addition, for the process of generating the encryption key according to the encryption characteristic and the verification information together, the encryption characteristic and the verification information can be converted into target format data; the target format data is then arranged in a preset order to generate an encryption key. For example, the encryption feature and the authentication information are both converted into text information in XML format, then arranged in the order of the encryption feature before the authentication information to obtain a text sequence, and then the text sequence is encrypted using AES algorithm to generate an encryption key.
It can be understood that the selection of the target format and the setting of the sequence arrangement are examples, and specifically, the encryption feature and the verification information may be generated into a hash sequence and the like together; the setting of the encryption algorithm can also be a DES algorithm, and the specific encryption algorithm selection is determined by the actual scene.
In some embodiments, generating the encryption key amounts to a secondary encryption of the verification information input by the user, so that an intruder cannot directly obtain the verification information. This step may run automatically after the user inputs the verification information, or after the verification information has been transmitted to the trusted execution environment; the encryption key is then compared with the target key inside the trusted execution environment to obtain a result identifier indicating whether the two match. For example, the user inputs the verification information 123; it is encrypted together with the user identifier and the device identifier to generate an encryption key; the encryption key is then input into the trusted execution environment and compared with the target key, and the output is 0 or 1, so the outcome of the key comparison can be read from the meaning assigned to the result identifier.
303. Obtain a result identifier from the trusted execution environment.
In this embodiment, the process of comparing the encryption key with the target key is performed in the trusted execution environment, and the information output by the trusted execution environment is only the result identifier, such as 0 or 1; the result identifications have respective corresponding meanings. Therefore, even if an attacker obtains the highest authority of the mobile device, the attacker cannot obtain the target key, and the confidentiality of the target key is ensured.
In some embodiments, the terminal system or application may receive the result identifier from the trusted execution environment.
Specifically, the result identifier and its corresponding meaning may be set on the spot or follow a previously used setting; the specific manner depends on the actual scene.
304. If the result identifier indicates that the encryption key matches the target key, encrypt the target data based on the target key to obtain encrypted data.
In this embodiment, the target data is encrypted after the encryption key has been matched with the target key, for example by selecting the corresponding target data for encryption after entering the file safe application. The result identifier indicating that the encryption key matches the target key means that the character carried by the result identifier has been assigned the meaning "the encryption key matches the target key"; only this identifier is fed back from the trusted execution environment, for example 1 indicating that the key is correct, so that even if an attacker obtains the highest authority on the mobile device the key cannot be obtained, and the confidentiality of the key is ensured.
Optionally, the selection of the target data may also be in response to a data selection instruction, where the data selection instruction is used to indicate a target category or a target format of data content; the target data is then encrypted based on the target key to obtain encrypted data. As shown in fig. 5, fig. 5 is a schematic view of another scenario of a data management method according to an embodiment of the present application. After the user clicks to enter the safe, the user can move the data in the album into the safe, specifically, the screening button B1 can be clicked, so that the data content of the target category is popped up, and the user can quickly select the target data by clicking the corresponding category, so that the efficiency of data management is improved.
In some embodiments, this embodiment is applied to a file safe application, and if a result identifier output from a trusted execution environment corresponding to the file safe is 1, it indicates that an encryption key matches a target key, that is, a user inputting authentication information is a valid user, and the user may enter the file safe application and encrypt an external file or call or modify an existing file in the file safe.
With reference to the foregoing embodiments: verification information is acquired and processed according to a preset rule to generate an encryption key; the encryption key is compared, inside the trusted execution environment, with a target key stored in the trusted execution environment to obtain a result identifier, which indicates whether the encryption key matches the target key; the preset rule is set according to encryption characteristics of at least one dimension, and the encryption characteristics comprise device characteristic information or user characteristic information; the result identifier is then obtained from the trusted execution environment; and when the result identifier indicates that the encryption key matches the target key, the target data is encrypted based on the target key to obtain encrypted data. The encryption of the target data is thereby realized while the target key is stored only in the trusted execution environment, which prevents direct intrusion by malicious code; because the only content the trusted execution environment outputs in response to an external instruction is the result identifier, the authority management process cannot affect the security of the data, and the security of data management is improved.
The data management process above mainly introduced the encryption side of data management. In a possible scenario the trusted execution environment is TrustZone, and the corresponding encryption process is shown in fig. 6, a flowchart of another data management method provided in an embodiment of the present application. First, the user has to input a password when entering the file safe. After the password is input, the program computes the encryption key from the password input by the user using the same algorithm (preset rule) as at initialization; this is the key generation process. The encryption key is then input into TrustZone and compared with the original key stored there, which is the TrustZone verification. If the key is incorrect, 0 is returned (result identifier) and the user can input the password again; if the key is correct, 1 is returned (result identifier). The user then selects the data to be encrypted (moved into the file safe), which is the data selection process, and the data is encrypted with the key using an encryption algorithm such as AES or DES, which is the data encryption process, yielding encrypted data based on the TrustZone confidential environment.
Correspondingly, the decryption process in a scenario where the trusted execution environment is TrustZone is described below; please refer to fig. 7, a flowchart of another data management method provided in an embodiment of the present application. First, the user has to input a password when entering the file safe. After the user inputs the password, the program runs the key generation process on the password to produce the encryption key, using the same algorithm as during key initialization. The encryption key generated from the password is then input into TrustZone for verification, that is, it is compared with the original key (target key) stored in TrustZone; if the key is incorrect, 0 is returned and the user has to input the password again. If the key is correct, 1 is returned. The user then selects, from the encrypted data, the data to be decrypted (moved out of the file safe), which is the decrypted-data selection process, and the selected data is decrypted with a symmetric algorithm such as AES or DES to recover the plaintext, completing the data decryption process.
Specifically, for the determining process of the decryption key, the encryption characteristics corresponding to the preset rules may be determined first; a decryption key is then generated based on the encryption characteristics and the decryption information. Namely, the decryption process is carried out on the premise of knowing the composition of the decryption key structure, so that the decryption efficiency is improved.
In a possible scenario, as shown in fig. 8, fig. 8 is a schematic view of another data management method provided in this embodiment of the present application, in which a user clicks an input box C1 in a file safe interface and inputs a password, so as to perform step 801: decryption information is obtained in response to the decryption instruction. Then, step 802 is performed: and processing the decryption information according to a preset rule to generate a decryption key. Then, step 803 is performed: and outputting a result identifier. Wherein the result flag may be 0 indicating that the password is correct and 1 indicating that the password is incorrect, or vice versa.
Optionally, the meaning of the result identifier can also be modified. Specifically, identifier information is first acquired in response to an identifier setting instruction; comparison result information is then set for the identifier information, where the comparison result information indicates the comparison result between the decryption key and the target key; and the identifier information is associated with the comparison result information so as to update the result identifier. For example, the identifiers may be modified so that a represents a correct password and b represents an incorrect password; the meaning of the specific identifier depends on the actual scene.
In addition, the password can be modified after decryption, namely when the result identifier indicates that the decryption key is the same as the target key, the revision information is determined in response to the password modification instruction; the target key is then updated according to the revision information.
In another possible scenario, after entering a file safe, a user may perform an operation of moving an encrypted file therein, please refer to fig. 9, where fig. 9 is a schematic view of another scenario of a data management method provided in an embodiment of the present application, where the diagram shows that the user may click encrypted data in different categories of directories after clicking to enter the safe, for example, after clicking a picture directory, all pictures in the encrypted data may be screened out, and further the user may click to move out to delete the pictures, or click to move in to modify the picture directory, and the like.
The above embodiments introduced the data encryption and decryption processes in data management, both of which depend on the target key. The generation of the target key, that is, the password initialization process, in the scenario where the trusted execution environment is TrustZone is described below with reference to fig. 10, a flowchart of another data management method provided in an embodiment of the present application. First, the user opens the file safe. The user then sets a password, where the complexity of the password may be constrained according to the security level of the system. After the password is set, the program uses a key generation algorithm to combine the user's password with certain characteristics of the device (such as the IMEI, the MAC address, and the like), computes a hash of the result, and uses the resulting hash value as the target key. The program then calls the TrustZone interface to store the target key in TrustZone, keeping no backup anywhere in the system or the program.
In a possible scenario, the initialization process corresponds to invoking an initialization interface, as shown in fig. 11, where fig. 11 is a flowchart of another data management method provided in the embodiment of the present application. The figure shows the acquisition of an initialization interface in response to the triggering of target virtual element D1; then obtaining an initial password based on the initialization interface, wherein the initial password can be in response to the input of the user; and further processing the initial password according to a preset rule to generate a target key. In the process of generating the target key, the preset rule can be adjusted through setting the encryption dimension D2, and the encryption dimension is determined in response to the characteristic input instruction specifically; then, acquiring encryption characteristics based on the encryption dimension; and updating the preset rule based on the encryption characteristics. For example, the device feature in the encryption dimension D2 is selected, the input password and the device feature are merged and encrypted, so as to ensure the security of data encryption.
Next, the overall flow of the management process is described with reference to fig. 12, a flowchart of another data management method according to an embodiment of the present application. The file safe is started first; when starting it for the first time the user has to perform the initialization settings, which include setting a password. After the user sets the password, the program generates the key used to encrypt data from the user's password and the device information (such as the MAC address, the IMEI number, and the like) through a key generation algorithm. The program then stores the generated key only in TrustZone and nowhere else on the device.
Further, after the user has completed the initialization, the file safe can be used. First, at the entry interface of the file safe, the user is required to input the password and proceed to the next step. After the password is input, the program generates key1 with the same key generation algorithm as in the initialization phase and inputs key1 directly into TrustZone. TrustZone verifies the key and returns 1 to the program if the verification succeeds, or 0 if it fails. Correspondingly, if the verification succeeds, the user's password is correct and so is key1; the user can enter the file safe and use key1 to encrypt and decrypt files. If the verification fails, the user is prompted to input the password again.
In combination with the above embodiments, it can be seen that by using TrustZone to verify and store the user key, TrustZone only returns 0 or 1 after verifying whether the key is correct, and does not return the true decryption key to the user. Therefore, even if an attacker obtains the highest authority of the mobile device, the attacker cannot obtain the key, and the security of data is ensured.
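The key generation of step 302, the TrustZone verification that returns only 0 or 1, and the initialization, encryption and decryption flows of figs. 6, 7 and 10, as an added Go example that is not part of the patent or of any Tencent code: the enclave is simulated in-process, the device features and password are constructed sample values, the preset rule is assumed to be SHA-256 over the separator-joined fields, and AES-256-GCM is assumed for the unspecified AES mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// DeviceFeatures is the device characteristic information the patent names (IMEI, MAC address).
type DeviceFeatures struct {
	IMEI string
	MAC  string
}

// DeriveKey is one concrete "preset rule": encryption features arranged before the
// verification information, NUL-separated (my assumption; the patent fixes no format), then hashed.
func DeriveKey(f DeviceFeatures, password string) [32]byte {
	return sha256.Sum256([]byte(f.IMEI + "\x00" + f.MAC + "\x00" + password))
}

// Enclave models the TrustZone side: it holds the target key, and the only
// output it produces for an external instruction is the result identifier.
type Enclave struct {
	targetKey   [32]byte
	initialized bool
}

// Initialize stores the target key set during password initialization; a
// second call is refused so the key cannot be silently replaced.
func (e *Enclave) Initialize(key [32]byte) error {
	if e.initialized {
		return errors.New("enclave already initialized")
	}
	e.targetKey, e.initialized = key, true
	return nil
}

// Verify returns 1 on match and 0 otherwise, comparing in constant time so the
// comparison itself leaks nothing about the stored key through timing.
func (e *Enclave) Verify(candidate [32]byte) int {
	if !e.initialized {
		return 0
	}
	return subtle.ConstantTimeCompare(e.targetKey[:], candidate[:])
}

// sessionCipher covers steps 301-303: derive key1, fetch the result identifier,
// and build an AES-256-GCM cipher only when it is 1 (the patent lists AES with
// no mode; GCM is my choice so that tampering with a locked file is detected).
func sessionCipher(e *Enclave, f DeviceFeatures, password string) (cipher.AEAD, error) {
	key1 := DeriveKey(f, password)
	if e.Verify(key1) != 1 {
		return nil, errors.New("result identifier 0: verification failed")
	}
	block, err := aes.NewCipher(key1[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock is step 304: encrypt the selected data; the random nonce is prepended.
func Lock(e *Enclave, f DeviceFeatures, password string, plaintext []byte) ([]byte, error) {
	aead, err := sessionCipher(e, f, password)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Unlock is the decryption flow of fig. 7: a wrong password fails at the
// enclave, a modified blob fails on the GCM authentication tag.
func Unlock(e *Enclave, f DeviceFeatures, password string, blob []byte) ([]byte, error) {
	aead, err := sessionCipher(e, f, password)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	dev := DeviceFeatures{IMEI: "490154203237518", MAC: "02:00:5e:10:00:01"} // constructed sample
	var tz Enclave
	_ = tz.Initialize(DeriveKey(dev, "correct horse")) // fig. 10: target key stored only in the enclave
	blob, _ := Lock(&tz, dev, "correct horse", []byte("album photo"))
	_, err := Unlock(&tz, dev, "wrong password", blob)
	fmt.Println(len(blob), err) // 39 result identifier 0: verification failed
}
```

A key derived on another device (different IMEI or MAC) is rejected the same way as a wrong password, which is the device binding the description relies on.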
In order to better implement the above-mentioned aspects of the embodiments of the present application, the following also provides related apparatuses for implementing the above-mentioned aspects. Referring to fig. 13, fig. 13 is a schematic structural diagram of a data management apparatus according to an embodiment of the present application, where the data management apparatus 1300 includes:
an obtaining unit 1301, configured to obtain verification information;
a generating unit 1302, configured to process the verification information according to a preset rule to generate an encryption key, where the encryption key is used to compare, in a trusted execution environment, with a target key stored in the trusted execution environment to obtain a result identifier, where the result identifier is used to indicate whether the encryption key is matched with the target key, and the preset rule is set according to an encryption feature of at least one dimension, where the encryption feature includes device feature information or user feature information;
the obtaining unit 1301 is further configured to obtain the result identifier from the trusted execution environment;
and the management unit 1303 is configured to encrypt target data based on the target key to obtain encrypted data if the result identifier indicates that the encryption key matches the target key.
Optionally, in some possible implementations of the present application, the generating unit 1302 is specifically configured to determine the encryption characteristic according to device characteristic information, where the device characteristic information is determined based on a device identifier or a network address identifier;
the generating unit 1302 is specifically configured to generate the target key according to the encryption feature and the verification information.
Optionally, in some possible implementations of the present application, the generating unit 1302 is specifically configured to obtain user feature information in response to a marking instruction;
the generating unit 1302 is specifically configured to combine the user feature information with the device feature information to update the device feature information.
Optionally, in some possible implementations of the present application, the generating unit 1302 is specifically configured to convert the encryption feature and the verification information into target format data;
the generating unit 1302 is specifically configured to arrange the target format data according to a preset order to generate the target key.
Optionally, in some possible implementation manners of the present application, the management unit 1303 is specifically configured to respond to a data selection instruction to obtain the target data, where the data selection instruction is used to indicate a data content of a target category or a target format;
the management unit 1303 is specifically configured to encrypt target data based on the target key to obtain the encrypted data.
Optionally, in some possible implementation manners of the present application, the management unit 1303 is specifically configured to obtain decryption information in response to a decryption instruction;
the management unit 1303 is specifically configured to process the decryption information according to the preset rule to generate a decryption key;
the management unit 1303 is specifically configured to compare the decryption key with the target key to obtain a result identifier, where the result identifier is used to indicate whether the encrypted data may be extracted, the result identifier is output by the trusted execution environment, the result identifier is different from the decryption information, and the result identifier is different from the verification information.
Optionally, in some possible implementation manners of the present application, the management unit 1303 is specifically configured to determine the encryption feature corresponding to the preset rule;
the management unit 1303 is specifically configured to generate the decryption key based on the encryption characteristic and the decryption information.
Optionally, in some possible implementation manners of the present application, the management unit 1303 is specifically configured to obtain the identifier information in response to the identifier setting instruction;
the management unit 1303 is specifically configured to set comparison result information for the identification information, where the comparison result information is used to indicate a comparison result between the decryption key and the target key;
the management unit 1303 is specifically configured to associate the identifier information with the comparison result information, so as to update the result identifier.
Optionally, in some possible implementations of the present application, the management unit 1303 is specifically configured to determine revision information in response to a password modification instruction if the result identifier indicates that the decryption key is the same as the target key;
the management unit 1303 is specifically configured to update the target key according to the revision information.
Optionally, in some possible implementation manners of the present application, the management unit 1303 is specifically configured to obtain an initialization interface in response to triggering of a target virtual element;
the management unit 1303 is specifically configured to obtain an initial password based on the initialization interface;
the management unit 1303 is specifically configured to process the initial password according to the preset rule to generate the target key.
Optionally, in some possible implementation manners of the present application, the management unit 1303 is specifically configured to determine an encryption dimension in response to a feature input instruction;
the management unit 1303 is specifically configured to obtain the encryption characteristics based on the encryption dimension;
the management unit 1303 is specifically configured to update the preset rule based on the encryption characteristic.
By acquiring verification information and processing it according to a preset rule to generate an encryption key, where the encryption key is compared, inside the trusted execution environment, with a target key stored in the trusted execution environment to obtain a result identifier that indicates whether the encryption key matches the target key, the preset rule is set according to encryption characteristics of at least one dimension, and the encryption characteristics comprise device characteristic information or user characteristic information; then obtaining the result identifier from the trusted execution environment; and, when the result identifier indicates that the encryption key matches the target key, encrypting the target data based on the target key to obtain encrypted data, the encryption of the target data is realized while the target key is stored only in the trusted execution environment, which prevents direct intrusion by malicious code. Because the only content the trusted execution environment outputs in response to an external instruction is the result identifier, the authority management process cannot affect the security of the data, and the security of data management is improved.
An embodiment of the present application further provides a terminal device, as shown in fig. 14, which is a schematic structural diagram of another terminal device provided in the embodiment of the present application, and for convenience of description, only a portion related to the embodiment of the present application is shown, and details of the specific technology are not disclosed, please refer to a method portion in the embodiment of the present application. The terminal may be any terminal device including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a point of sale (POS), a vehicle-mounted computer, and the like, taking the terminal as the mobile phone as an example:
fig. 14 is a block diagram illustrating a partial structure of a mobile phone related to a terminal provided in an embodiment of the present application. Referring to fig. 14, the handset includes: radio Frequency (RF) circuitry 1410, memory 1420, input unit 1430, display unit 1440, sensor 1450, audio circuitry 1460, wireless fidelity (WiFi) module 1470, processor 1480, and power supply 1490. Those skilled in the art will appreciate that the handset configuration shown in fig. 14 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
The following describes each component of the mobile phone in detail with reference to fig. 14:
RF circuit 1410 may be used to receive and transmit signals during message transmission or a call; in particular, it passes received downlink information from a base station to processor 1480 for processing and transmits uplink data to the base station. In general, RF circuit 1410 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like. In addition, RF circuit 1410 may also communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to the global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), long term evolution (LTE), e-mail, short message service (SMS), and the like.
The memory 1420 may be used to store software programs and modules, and the processor 1480 executes the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 1420. The memory 1420 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the data storage area may store data (such as audio data, a phonebook, etc.) created according to the use of the mobile phone, and the like. Further, memory 1420 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The input unit 1430 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the mobile phone. In particular, the input unit 1430 may include a touch panel 1431 and other input devices 1432. The touch panel 1431, also referred to as a touch screen, may collect touch operations performed by a user on or near it (for example, operations performed by the user on or near the touch panel 1431 using any suitable object or accessory such as a finger or a stylus) and drive a corresponding connection device according to a preset program. Optionally, the touch panel 1431 may include two parts, a touch detection device and a touch controller. The touch detection device detects the position touched by the user, detects the signal produced by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into touch point coordinates, and sends them to processor 1480, and it can also receive and execute commands sent by processor 1480. In addition, the touch panel 1431 may be implemented in various types, such as resistive, capacitive, infrared, and surface acoustic wave. Besides the touch panel 1431, the input unit 1430 may also include other input devices 1432. In particular, other input devices 1432 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 1440 may be used to display information input by or provided to the user and various menus of the mobile phone. The display unit 1440 may include a display panel 1441, and optionally, the display panel 1441 may be configured in the form of a Liquid Crystal Display (LCD), an organic light-emitting diode (OLED), or the like. Further, touch panel 1431 can overlay display panel 1441, and when touch panel 1431 detects a touch operation on or near touch panel 1431, it can transmit to processor 1480 to determine the type of touch event, and then processor 1480 can provide a corresponding visual output on display panel 1441 according to the type of touch event. Although in fig. 14, the touch panel 1431 and the display panel 1441 are two independent components to implement the input and output functions of the mobile phone, in some embodiments, the touch panel 1431 and the display panel 1441 may be integrated to implement the input and output functions of the mobile phone.
The handset may also include at least one sensor 1450, such as light sensors, motion sensors, and other sensors. Specifically, the light sensor may include an ambient light sensor that adjusts the brightness of the display panel 1441 according to the brightness of ambient light, and a proximity sensor that turns off the display panel 1441 and/or the backlight when the mobile phone is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally three axes), can detect the magnitude and direction of gravity when the mobile phone is stationary, can be used for applications of recognizing the gesture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer gesture calibration), vibration recognition related functions (such as pedometer and tapping) and the like, and can also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, an infrared sensor and the like, which are not described herein again.
The audio circuit 1460, speaker 1461, and microphone 1462 may provide an audio interface between the user and the mobile phone. The audio circuit 1460 can transmit the electrical signal converted from received audio data to the speaker 1461, which converts it into a sound signal and outputs it; on the other hand, the microphone 1462 converts a collected sound signal into an electrical signal, which the audio circuit 1460 receives and converts into audio data; the audio data is then output to processor 1480 for processing and sent through RF circuit 1410 to, for example, another mobile phone, or output to memory 1420 for further processing.
WiFi is a short-range wireless transmission technology. Through the WiFi module 1470 the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media, and the like, providing the user with wireless broadband internet access. Although fig. 14 shows the WiFi module 1470, it is understood that it is not an essential component of the mobile phone and may be omitted as needed without changing the essence of the invention.
The processor 1480 is the control center of the mobile phone: it connects the various parts of the entire mobile phone through various interfaces and lines, and performs the various functions of the mobile phone and processes data by running or executing the software programs and/or modules stored in the memory 1420 and calling the data stored in the memory 1420, thereby monitoring the mobile phone as a whole. Optionally, the processor 1480 may include one or more processing units; optionally, the processor 1480 may integrate an application processor, which mainly handles the operating system, user interface, applications, and the like, with a modem processor, which mainly handles wireless communication. It will be appreciated that the modem processor may also not be integrated into the processor 1480.
The handset also includes a power supply 1490 (e.g., a battery) that powers the various components, optionally, the power supply may be logically connected to the processor 1480 via a power management system, thereby implementing functions such as managing charging, discharging, and power consumption via the power management system.
Although not shown, the mobile phone may further include a camera, a bluetooth module, etc., which are not described herein.
In the embodiment of the present application, the processor 1480 included in the terminal also has the function of executing the respective steps of the data management method described above.
Also provided in the embodiments of the present application is a computer-readable storage medium storing data management instructions which, when run on a computer, cause the computer to perform the steps performed by the data management apparatus in the methods described in the embodiments shown in fig. 3 to 12.
Also provided in the embodiments of the present application is a computer program product including data management instructions, which when run on a computer, causes the computer to perform the steps performed by the data management apparatus in the method described in the embodiments of fig. 3 to 12.
An embodiment of the present application further provides a data management system, where the data management system may include the data management apparatus in the embodiment described in fig. 13 or the terminal device described in fig. 14.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a data management device, or a network device) to execute all or part of the steps of the methods according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (15)

1. A method of data management, comprising:
acquiring verification information in an encryption program;
the encryption program processes the verification information according to a preset rule to generate an encryption key, and transmits the encryption key to a trusted execution environment, wherein the trusted execution environment runs in an independent environment and runs in parallel with an operating system, the encryption key is used for comparing with a target key stored in the trusted execution environment to obtain a result identifier, the result identifier is used for indicating whether the encryption key is matched with the target key, the preset rule is set according to encryption characteristics of at least one dimension, and the encryption characteristics comprise device characteristic information or user characteristic information;
the encryption program acquires the result identifier from the trusted execution environment, wherein the target key cannot be obtained by analyzing the result identifier, and the result identifier and the meaning corresponding to the result identifier are set in real time;
and if the result identification indicates that the encryption key is matched with the target key, the encryption program encrypts target data based on the target key to obtain encrypted data.
2. The method according to claim 1, wherein the encryption program processing the verification information according to a preset rule to generate an encryption key comprises:
the encryption program determines the encryption characteristics according to the equipment characteristic information, and the equipment characteristic information is determined based on equipment identification or network address identification;
the encryption program generates the encryption key jointly according to the encryption characteristic and the verification information.
3. The method of claim 2, further comprising:
the encryption program responds to a marking instruction to acquire the user characteristic information;
the encryption program combines the user characteristic information with the device characteristic information to update the device characteristic information.
4. The method of claim 2, wherein the encryption program generating the encryption key jointly according to the encryption characteristic and the verification information comprises:
the encryption program converts the encryption characteristics and the verification information into target format data;
and the encryption program arranges the target format data according to a preset sequence to generate the encryption key.
5. The method of claim 1, wherein if the result identifier indicates that the encryption key matches the target key, the encryption program encrypts target data based on the target key to obtain encrypted data, comprising:
if the result identifier indicates that the encryption key matches the target key, the encryption program responds to a data selection instruction to acquire the target data, wherein the data selection instruction is used for indicating the data content of a target type or a target format;
and the encryption program encrypts target data based on the target key to obtain the encrypted data.
6. The method of claim 1, further comprising:
the encryption program responds to the decryption instruction to acquire decryption information;
the encryption program processes the decryption information according to the preset rule to generate a decryption key;
the encryption program compares the decryption key with the target key to obtain a result identifier, the result identifier is used for indicating extraction of the encrypted data, the result identifier is obtained by the output of the trusted execution environment, the result identifier is different from the decryption information, and the result identifier is different from the verification information.
7. The method according to claim 6, wherein the encrypting program processes the decryption information according to the preset rule to generate a decryption key, comprising:
the encryption program determines the encryption characteristics corresponding to the preset rules;
the encryption program generates the decryption key based on the encryption characteristic and the decryption information.
8. The method of claim 6, further comprising:
the encryption program acquires identification information in response to an identification setting instruction;
the encryption program sets comparison result information for the identification information, wherein the comparison result information is used for indicating a comparison result of the decryption key and the target key;
and the encryption program associates the identification information with the comparison result information so as to update the result identification.
9. The method of claim 6, further comprising:
if the result identifier indicates that the decryption key is the same as the target key, the encryption program determines revision information in response to a password modification instruction;
the encryption program updates the target key according to the revision information.
10. The method of claim 1, further comprising:
the encryption program responds to the triggering of the target virtual element to acquire an initialization interface;
the encryption program acquires an initial password based on the initialization interface;
and the encryption program processes the initial password according to the preset rule to generate the target key.
11. The method of claim 10, further comprising:
the encryption program determining an encryption dimension in response to a characteristic input instruction;
the encryption program obtains the encryption characteristics based on the encryption dimension;
and the encryption program updates the preset rule based on the encryption characteristic.
12. The method according to claim 1, wherein the data management method is applied to a mobile terminal, and the trusted execution environment is TrustZone.
13. An apparatus for data management, comprising:
an acquisition unit configured to acquire verification information in an encryption program;
the generating unit is used for processing the verification information according to a preset rule to generate an encryption key and transmitting the encryption key into a trusted execution environment, wherein the trusted execution environment runs in an independent environment and runs in parallel with an operating system, the encryption key is used for comparing with a target key stored in the trusted execution environment to obtain a result identifier, the result identifier is used for indicating whether the encryption key is matched with the target key or not, the preset rule is set according to encryption characteristics of at least one dimension, and the encryption characteristics comprise device characteristic information or user characteristic information;
the acquisition unit is further configured to obtain the result identifier from the trusted execution environment, where the target key cannot be obtained by parsing the result identifier, and the result identifier and the meaning corresponding to the result identifier are set in real time;
and the management unit is used for encrypting the target data based on the target key to obtain encrypted data if the result identification indicates that the encryption key is matched with the target key.
14. A computer device, the computer device comprising a processor and a memory:
the memory is used for storing program codes; the processor is configured to perform the method of data management of any of claims 1 to 12 according to instructions in the program code.
15. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method of data management of any of the preceding claims 1 to 12.
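The method summarized above and set out in claims 1 to 12 involves two cooperating parties: an encryption program in the ordinary operating system, which derives a key from verification information together with device and user characteristics, and a trusted execution environment that holds the target key and answers only with a result identifier. The following Python simulation is an added example, not code from the patent or from Tencent. The names TrustedWorld, encryption_program, preset_rule, DEVICE_ID and USER_TAG, the PBKDF2 stretching step inside the preset rule, the HMAC-based counter-mode cipher used in place of a real AEAD, and the constant-time comparison with a failure counter are all assumptions of this example; the claims fix only that the characteristics and the verification information are converted to a target format and arranged in a preset order. It shows what the summary asserts: a caller that sees everything the encryption program receives learns only an opaque identifier whose meaning the program itself sets (claim 8), and a wrong key yields no ciphertext at all.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; hypothetical, not taken from the patent.
DEVICE_ID = "IMEI-356938035643809"   # device characteristic information (claim 2)
USER_TAG = "user-42"                 # user characteristic information (claim 3)


def preset_rule(info, device_feature, user_feature=""):
    """Claims 2-4: convert the encryption characteristics and the verification
    information to a target format (UTF-8) and arrange them in a preset order
    (device, user, info). The PBKDF2 stretching is this example's addition."""
    ordered = "\x1f".join([device_feature, user_feature, info]).encode("utf-8")
    salt = hashlib.sha256(device_feature.encode("utf-8")).digest()
    return hashlib.pbkdf2_hmac("sha256", ordered, salt, 50_000, dklen=32)


def _keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256: a standard-library stand-in for
    a real AEAD such as AES-GCM, so the example runs without extra packages."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class TrustedWorld:
    """Simulated TEE side: the target key lives only here, callers get back a
    result identifier or ciphertext, never the key."""
    MAX_FAILURES = 5

    def __init__(self):
        self._target_key = None
        self._failures, self._unlocked = 0, False
        # Claim 8: the identifier/meaning mapping can be replaced at any time.
        self._ids = {"match": secrets.token_hex(4), "mismatch": secrets.token_hex(4)}

    def initialize(self, initial_key):
        """Claim 10: target key derived from the initial password by the preset rule."""
        self._target_key = initial_key

    def set_result_ids(self, match_id, mismatch_id):
        self._ids = {"match": match_id, "mismatch": mismatch_id}

    def compare(self, candidate):
        """Returns only the result identifier. The constant-time compare and
        the failure counter are practitioner additions, not claim text."""
        self._unlocked = False
        if self._target_key is None or self._failures >= self.MAX_FAILURES:
            return self._ids["mismatch"]
        if hmac.compare_digest(candidate, self._target_key):
            self._failures, self._unlocked = 0, True
            return self._ids["match"]
        self._failures += 1
        return self._ids["mismatch"]

    def _require_match(self):
        if not self._unlocked:
            raise PermissionError("last comparison did not match")

    def encrypt(self, plaintext):
        """Encrypt-then-MAC under the target key, refused unless the last compare matched."""
        self._require_match()
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(self._target_key, nonce, plaintext)
        tag = hmac.new(self._target_key, nonce + ct, "sha256").digest()
        return nonce + ct + tag

    def decrypt(self, blob):
        """Claim 6: extraction of the encrypted data after a matching decryption key."""
        self._require_match()
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._target_key, nonce + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("ciphertext or tag tampered")
        return _keystream_xor(self._target_key, nonce, ct)

    def update_target_key(self, new_key):
        """Claim 9: password change, allowed only after a matching compare."""
        self._require_match()
        self._target_key = new_key


def encryption_program(tee, verification_info, target_data, match_id):
    """Normal-world side of claim 1: derive the encryption key, pass it to the
    TEE, act on the result identifier, and never see the target key itself."""
    result_id = tee.compare(preset_rule(verification_info, DEVICE_ID, USER_TAG))
    if result_id != match_id:
        return None
    return tee.encrypt(target_data)


if __name__ == "__main__":
    tee = TrustedWorld()
    tee.initialize(preset_rule("hunter2", DEVICE_ID, USER_TAG))
    tee.set_result_ids("OK7", "NO3")
    print(encryption_program(tee, "wrong-pin", b"note", "OK7"))
    print(tee.decrypt(encryption_program(tee, "hunter2", b"secret note", "OK7")))
```

On a real handset the TrustedWorld part would be a trusted application behind TrustZone with the target key sealed in secure storage, and the normal-world call would go through the TEE client interface; the one design point the simulation does not change is that encryption and decryption run on the TEE side, because a program that never receives the target key can only "encrypt based on the target key" by asking the TEE to do it. Two cautions follow from the claims themselves: device and user characteristics are not secret, so the secrecy of the encryption key rests entirely on the verification information, which is why the TEE side should limit failed comparisons; and the result identifier must carry no information about the key beyond match or mismatch, which the opaque, re-settable identifiers above respect.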
CN202010586905.7A 2020-06-24 2020-06-24 Data management method and related device Active CN111475832B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010586905.7A CN111475832B (en) 2020-06-24 2020-06-24 Data management method and related device

Publications (2)

Publication Number Publication Date
CN111475832A CN111475832A (en) 2020-07-31
CN111475832B true CN111475832B (en) 2021-01-12

Family

ID=71765367

Country Status (1)

Country Link
CN (1) CN111475832B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113282951B (en) * 2021-03-12 2024-02-09 北京字节跳动网络技术有限公司 Application program security verification method, device and equipment
CN116527246A (en) * 2021-11-19 2023-08-01 荣耀终端有限公司 Data protection method and electronic equipment
CN114172664B (en) * 2021-12-07 2024-02-09 天融信雄安网络安全技术有限公司 Data encryption and data decryption methods and devices, electronic equipment and storage medium
CN114666048A (en) * 2022-03-23 2022-06-24 成都商汤科技有限公司 Data processing method and device, electronic equipment and storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
CN106992851A (en) * 2017-04-01 2017-07-28 北京元心科技有限公司 TrustZone-based database file password encryption and decryption method and device and terminal equipment
CN110378139A (en) * 2019-07-25 2019-10-25 江苏芯盛智能科技有限公司 A kind of data key guard method, system and electronic equipment and storage medium
CN110401538A (en) * 2018-04-24 2019-11-01 北京握奇智能科技有限公司 Data ciphering method, system and terminal
CN111079128A (en) * 2019-12-11 2020-04-28 腾讯科技(深圳)有限公司 Data processing method and device, electronic equipment and storage medium

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
CN104468562B (en) * 2014-12-03 2017-12-15 南京信息工程大学 A kind of data security protecting portable terminal transparent towards Mobile solution

Also Published As

Publication number Publication date
CN111475832A (en) 2020-07-31

Similar Documents

Publication Publication Date Title
CN112733107B (en) Information verification method, related device, equipment and storage medium
CN109472166B (en) Electronic signature method, device, equipment and medium
EP3605989B1 (en) Information sending method, information receiving method, apparatus, and system
CN111475841B (en) Access control method, related device, equipment, system and storage medium
CN111475832B (en) Data management method and related device
CN112596802B (en) Information processing method and device
CN111600710B (en) Key storage method, device, terminal, server and readable medium
CN107431924B (en) Device theft protection associating device identifiers with user identifiers
US10659226B2 (en) Data encryption method, decryption method, apparatus, and system
CN108809906B (en) Data processing method, system and device
CN113395159A (en) Data processing method based on trusted execution environment and related device
CN111563251B (en) Encryption method and related device for private information in terminal equipment
CN110545190A (en) signature processing method, related device and equipment
CN107154935B (en) Service request method and device
US20120303964A1 (en) Portable terminal, and method for securing data transmitted between hardware modules
CN113821835B (en) Key management method, key management device and computing equipment
US10454905B2 (en) Method and apparatus for encrypting and decrypting picture, and device
US20210034763A1 (en) Splitting Sensitive Data and Storing Split Sensitive Data in Different Application Environments
CN115001841A (en) Identity authentication method, identity authentication device and storage medium
CN114039726B (en) Key generation method, key acquisition method, related device and medium
CN114697007B (en) Key management method, corresponding device and system
CN116541865A (en) Password input method, device, equipment and storage medium based on data security
CN114553612B (en) Data encryption and decryption method and device, storage medium and electronic equipment
US20230396612A1 (en) Authentication system for a multiuser device
CN108737341B (en) Service processing method, terminal and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40025796; country of ref document: HK)

GR01 Patent grant