CN111901287B - Method and device for providing encryption information for light application and intelligent equipment
- Publication number: CN111901287B
- Authority: CN (China)
- Prior art keywords: application, key, identifier, server, encryption
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- G06F21/602—Providing cryptographic facilities or services
- H04L67/30—Profiles
- H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
Abstract
The invention discloses a method and a device for providing encryption information for light applications, and an intelligent device. The light application is connected with a corresponding application server through a network, the application server is connected with an encryption server through the network, and the method comprises the following steps: acquiring a user identifier and a first master key; receiving a call request sent by the light application, wherein the call request comprises an application identifier, and the application identifier is determined to be the application identifier of the light application when a publishing server publishes the code package of the light application; and generating encryption information according to the first master key and the application identifier and transmitting the encryption information to the light application. The method ensures that encryption information generated from the same master key is genuinely intended for the light application that requested it, and that different light applications cannot impersonate one another to obtain the encryption information; in addition, the user is not required to confirm whether to authorize, which improves convenience and the user experience.
Description
[ technical field ]
The invention relates to the technical field of intelligent equipment, in particular to a method and a device for providing encryption information for light application and intelligent equipment.
[ background ]
With the gradual application of the light application technology, data encryption related operations (such as identity authentication, data encryption and decryption, integrity verification, and the like) are often involved in the interaction process of the light application and a corresponding application server, but how to safely and conveniently provide encryption information (such as an application key, an encryption value, and the like) for the light application in operation so that the light application can perform the data encryption related operations is a current problem.
It is important to note that the above background information is only used to enhance an understanding of the background of the present invention and, thus, may include prior art information that does not constitute a part of the present disclosure as known to one of ordinary skill in the art.
[ summary of the invention ]
The present invention is directed to a method, an apparatus, and an intelligent device for providing encrypted information for light applications, so as to solve at least some of the problems due to the limitations and disadvantages of the related art, and includes the following technical solutions:
In a first aspect, a method for providing encryption information for a light application is provided, where the light application is connected to a corresponding application server through a network, and the application server is connected to an encryption server through the network, and the method includes:
acquiring a user identifier and a first master key, and storing an association relation between the user identifier and a second master key on the encryption server, wherein the value of the second master key is the same as that of the first master key;
receiving a call request sent by the light application, wherein the call request is used for acquiring encryption information, the call request comprises an application identifier, the application identifier is determined to be the application identifier of the light application when a publishing server publishes the code package of the light application, and the application identifier is consistent with the application identifier of the application server determined by the encryption server according to identity information of the application server;
generating encryption information according to the first master key and the application identifier;
and transmitting the user identification and the encryption information to the light application so that the light application performs data encryption related operation with the application server according to the user identification and the encryption information.
Preferably, the acquiring the user identifier and the first master key includes:
acquiring the pre-stored user identification and the first master key; or,
and carrying out key agreement with the encryption server to obtain the user identification and the first master key.
Preferably, the performing key agreement with the encryption server to obtain the user identifier and the first master key includes:
and based on a Subscriber Identity Module (SIM) and the encryption server, performing authentication and key agreement based on a subscriber data system to acquire the subscriber identity and the first master key.
Preferably, before the receiving the call request sent by the light application, the method further includes:
acquiring the application identification, wherein the application identification is associated with the code package of the light application;
and injecting the application identification into the light application, so that the application identification is included in the call request sent by the light application.
Preferably, the obtaining the application identifier includes:
acquiring the application identifier from a download request, wherein the download request requests the publishing server to download the code package and comprises the application identifier, and the application identifier is used on the publishing server for associating the code package; or,
acquiring the application identifier from a configuration file included in the code package, in which the application identifier is set, wherein when the publishing server publishes the code package, the application identifier set in the configuration file is determined to be the application identifier of the light application.
Preferably, before the obtaining the application identifier from the configuration file, the method further includes:
performing signature verification on the code package, and continuing to execute the subsequent steps only if the code package passes the signature verification.
Preferably, the injecting the application identification into the light application comprises:
in the instance of the light application, defining a global variable for the application identifier, and assigning the application identifier to the global variable, so that when the light application generates the call request, the light application acquires the application identifier by reading the value of the global variable; or,
injecting the application identifier into the corresponding call parameter of a call function of the light application, wherein the call function is used for executing and sending the call request.
Preferably, after the receiving the call request sent by the light application and before the generating encryption information according to the first master key and the application identifier, the method further includes:
determining whether the application identifier is an authorized application identifier;
if yes, executing the generating of encryption information according to the first master key and the application identifier;
if not, not generating the encryption information according to the first master key and the application identifier.
Preferably, the determining whether the application identifier is an authorized application identifier includes:
sending the application identifier to the encryption server so that the encryption server determines whether the application identifier is an authorized application identifier;
if receiving the information which is fed back by the encryption server and represents that the application identification is authorized, determining that the application identification is authorized;
otherwise, determining that the application identification is not authorized.
Preferably, the generating encryption information according to the first master key and the application identifier includes:
generating a first application key according to the first master key and the application identifier, wherein the first application key is the encrypted information, and the generation mode of the first application key is consistent with the generation mode of a second application key generated by the encryption server according to the second master key and the application identifier of the application server, so that the values of the first application key and the second application key are the same; or,
generating a third application key according to the first master key and the application identifier, and encrypting data according to the third application key to generate a first encrypted value, wherein the first encrypted value is the encrypted information, and the generation manner of the third application key is consistent with the generation manner of a fourth application key generated by the encryption server according to the second master key and the application identifier of the application server, so that the values of the third application key and the fourth application key are the same; or,
encrypting information including the application identifier according to the first master key to generate a second encrypted value, wherein the second encrypted value is the encrypted information, after the user identifier and the second encrypted value are transmitted to the light application, the light application transmits the user identifier and the second encrypted value to the encryption server through the application server, so that the encryption server obtains the second master key according to the user identifier, and then verifies the second encrypted value according to the second master key and the application identifier of the application server.
Preferably, the encrypting the data according to the third application key to generate a first encrypted value includes:
encrypting data using a symmetric encryption algorithm according to the third application key to generate the first encrypted value; or,
encrypting data using a message authentication code algorithm according to the third application key to generate the first encrypted value.
Preferably, the encrypting the information including the application identification according to the first master key to generate a second encrypted value includes:
generating a fifth application key according to the first master key, wherein the generation mode of the fifth application key is consistent with the generation mode of a sixth application key generated by the encryption server according to the second master key, so that the values of the fifth application key and the sixth application key are the same;
generating first verification information according to the application identifier, wherein the generation mode of the first verification information is consistent with the generation mode of second verification information generated by the encryption server, so that the values of the first verification information and the second verification information are the same;
and encrypting the first verification information according to the fifth application key to generate the second encryption value.
Preferably, the generating a fifth application key according to the first master key includes:
using the first master key as the fifth application key; or,
generating the fifth application key according to information including the first master key.
Preferably, the generating the first verification information according to the application identifier includes:
taking the application identification as the first verification information; or,
and generating the first verification information according to the information comprising the application identification.
Preferably, the encrypting the first verification information according to the fifth application key to generate the second encrypted value includes:
encrypting the first verification information by using a message authentication code algorithm according to the fifth application key to generate the second encrypted value; or,
encrypting information including the first verification information using a symmetric encryption algorithm according to the fifth application key to generate the second encrypted value.
Preferably, the invocation request of the light application is received through JSBridge, and the user identification and the encryption information are passed to the light application through JSBridge.
In a second aspect, an apparatus for providing encryption information for a light application is provided, the light application being connected to a corresponding application server via a network, the application server being connected to an encryption server via the network, the apparatus comprising:
a key obtaining module, configured to obtain a user identifier and a first master key, where an association relationship between the user identifier and a second master key is stored in the encryption server, and a value of the second master key is the same as a value of the first master key;
a receiving module, configured to receive a call request sent by the light application, where the call request is used to obtain encryption information, the call request includes an application identifier, the application identifier is determined to be the application identifier of the light application when a publishing server publishes the code package of the light application, and the application identifier is consistent with the application identifier of the application server determined by the encryption server according to identity information of the application server;
the encryption module is used for generating encryption information according to the first master key and the application identifier;
and the transmission module is used for transmitting the user identification and the encryption information to the light application so that the light application performs data encryption related operation with the application server according to the user identification and the encryption information.
Preferably, the key obtaining module includes:
a first key obtaining unit, configured to obtain the pre-stored user identifier and the first master key; or,
and the second key acquisition unit is used for carrying out key agreement with the encryption server so as to acquire the user identifier and the first master key.
Preferably, the encryption module includes:
a first encryption unit, configured to generate a first application key according to the first master key and the application identifier, where the first application key is the encrypted information, and a generation manner of the first application key is consistent with a generation manner of a second application key generated by the encryption server according to the second master key and the application identifier of the application server, so that values of the first application key and the second application key are the same; or,
a second encryption unit, configured to generate a third application key according to the first master key and the application identifier, and encrypt data according to the third application key to generate a first encrypted value, where the first encrypted value is the encrypted information, and a generation manner of the third application key is consistent with a generation manner of a fourth application key generated by the encryption server according to the second master key and the application identifier of the application server, so that values of the third application key and the fourth application key are the same; or,
and the third encryption unit is used for encrypting information comprising the application identifier according to the first master key to generate a second encrypted value, wherein the second encrypted value is the encrypted information, after the user identifier and the second encrypted value are transmitted to the light application, the light application transmits the user identifier and the second encrypted value to the encryption server through the application server, so that the encryption server obtains the second master key according to the user identifier, and then verifies the second encrypted value according to the second master key and the application identifier of the application server.
Preferably, the third encryption unit includes:
an application key generation subunit, configured to generate a fifth application key according to the first master key, where a generation manner of the fifth application key is consistent with a generation manner of a sixth application key generated by the encryption server according to the second master key, so that values of the fifth application key and the sixth application key are the same;
a verification information generation subunit, configured to generate first verification information according to the application identifier, where a generation manner of the first verification information is consistent with a generation manner of second verification information generated by the encryption server, so that values of the first verification information and the second verification information are the same;
and an encryption information generation subunit, configured to encrypt the first verification information according to the fifth application key to generate the second encrypted value.
Preferably, the apparatus further comprises:
an application identifier obtaining module, configured to obtain the application identifier, where the application identifier is associated with a code package of the light application;
and the injection module is used for injecting the application identifier into the light application so that the calling request sent by the light application comprises the application identifier.
Preferably, the application identifier obtaining module includes:
a first identifier obtaining unit, configured to obtain the application identifier from a download request, where the download request is a download request for requesting the publishing server to download the code package, the download request includes the application identifier, and the application identifier is used on the publishing server to associate with the code package; or,
a second identifier obtaining unit, configured to obtain the application identifier from a configuration file, where the configuration file is a configuration file included in the code package, and the application identifier is set in the configuration file, and when the publishing server publishes the code package, the application identifier set in the configuration file is determined to be the application identifier of the light application.
Preferably, the injection module comprises:
a first injection unit, configured to assign the application identifier to a global variable, so that when the light application generates the call request, the application identifier is obtained by reading the value of the global variable, where the global variable is defined for the application identifier in an instance of the light application; or,
and the second injection unit is used for injecting the application identifier into a corresponding calling parameter in a calling function of the light application, wherein the calling function is used for executing and sending the calling request.
Preferably, the apparatus further comprises an authorization module, configured to determine whether the application identifier is an authorized application identifier; if yes, executing the encryption module; if not, the encryption module is not executed.
Preferably, the authorization module further comprises:
an identifier sending unit, configured to send the application identifier to the encryption server, so that the encryption server determines whether the application identifier is an authorized application identifier;
a feedback receiving unit, configured to receive information fed back by the encryption server;
the authorization confirming unit is used for confirming whether the application identifier is authorized or not according to the feedback information; if the feedback information is information indicating that authorization is carried out, determining that the application identifier is authorized; otherwise, determining that the application identification is not authorized.
In a third aspect, a client is provided, wherein the client includes the method for providing encryption information for a light application according to the first aspect.
A smart operating system is provided, wherein the smart operating system includes the method for providing encryption information for a light application according to the first aspect.
A smart device is provided, the smart device comprising: a memory, and a processor configured to execute a program stored in the memory, where the program, when executed, implements the method for providing encryption information for a light application according to the first aspect.
A storage medium is provided, wherein the storage medium stores a program for implementing the method for providing encryption information for a light application according to the first aspect.
In summary, the technical solution provided by the present invention operates in a host environment, receives a call request of a light application, where the call request includes an application identifier, generates encryption information according to a first master key and the application identifier, and transmits a user identifier and the encryption information to the light application, so that the light application performs data encryption related operations with an application server according to the user identifier and the encryption information. Because the application identifier included in the call request sent by the light application can be determined to be credible, the encryption information generated according to the first master key and the application identifier is genuinely intended for that light application; the same master key can therefore be used to provide encryption information for a plurality of different light applications, and those light applications cannot impersonate one another to obtain the encryption information.
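The flow summarised above, as an added example that is not code from the patent: the host environment binds the application identifier into the call, checks authorization and generates the encryption information, while the encryption server regenerates it from the stored master key and the application server's identity. HMAC-SHA256 as both derivation function and MAC, and all class names, identifiers and labels, are assumptions; the patent only requires that both sides use the same generation method.

```python
import hashlib
import hmac
import secrets

# Assumptions (not from the patent): HMAC-SHA256 is used for key derivation and
# as the MAC; every identifier, label and identity string below is constructed.


def derive_app_key(master_key: bytes, app_id: str) -> bytes:
    """Application key generated from the master key and the application identifier."""
    return hmac.new(master_key, b"app-key|" + app_id.encode(), hashlib.sha256).digest()


def second_encrypted_value(master_key: bytes, app_id: str) -> bytes:
    """MAC over the verification information (here: the application identifier)
    under a key generated from the master key alone (the 'fifth application key')."""
    fifth_key = hmac.new(master_key, b"verify-key", hashlib.sha256).digest()
    return hmac.new(fifth_key, b"app-id|" + app_id.encode(), hashlib.sha256).digest()


class EncryptionServer:
    def __init__(self):
        self.master_by_user = {}      # user identifier -> second master key
        self.app_id_by_identity = {}  # app-server identity -> application identifier
        self.authorized = set()       # authorized application identifiers

    def register_app_server(self, identity: str, app_id: str, authorized: bool = True):
        self.app_id_by_identity[identity] = app_id
        if authorized:
            self.authorized.add(app_id)

    def is_authorized(self, app_id: str) -> bool:
        return app_id in self.authorized

    def app_key_for(self, identity: str, user_id: str) -> bytes:
        # The application identifier comes from the application server's
        # identity, never from a value the caller supplies in the request.
        return derive_app_key(self.master_by_user[user_id], self.app_id_by_identity[identity])

    def verify(self, identity: str, user_id: str, value: bytes) -> bool:
        master = self.master_by_user.get(user_id)
        app_id = self.app_id_by_identity.get(identity)
        if master is None or app_id is None:
            return False
        return hmac.compare_digest(second_encrypted_value(master, app_id), value)


class HostEnvironment:
    def __init__(self, user_id: str, master_key: bytes, server: EncryptionServer):
        self.user_id, self.master_key, self.server = user_id, master_key, server

    def load_light_app(self, app_id: str):
        """Return the bridge function handed to one light-app instance. The host
        injects app_id (taken from the published code package) into the call."""
        def call(kind: str, claimed_app_id: str = None):
            # claimed_app_id is whatever the light app asserts; it is ignored.
            return self.handle_call(app_id, kind)
        return call

    def handle_call(self, app_id: str, kind: str):
        if not self.server.is_authorized(app_id):
            raise PermissionError(f"application identifier not authorized: {app_id}")
        if kind == "app_key":
            info = derive_app_key(self.master_key, app_id)
        elif kind == "second_value":
            info = second_encrypted_value(self.master_key, app_id)
        else:
            raise ValueError(f"unknown request kind: {kind}")
        return self.user_id, info


def build_demo():
    """Constructed scenario: one user, two authorized light apps, one unauthorized."""
    server = EncryptionServer()
    master = secrets.token_bytes(32)
    server.master_by_user["user-001"] = master
    server.register_app_server("tls:shop.example", "app.shop")
    server.register_app_server("tls:game.example", "app.game")
    server.register_app_server("tls:rogue.example", "app.rogue", authorized=False)
    return server, HostEnvironment("user-001", master, server)


if __name__ == "__main__":
    server, host = build_demo()
    shop, game = host.load_light_app("app.shop"), host.load_light_app("app.game")
    user_id, key = shop("app_key")
    print("shop key matches server:", key == server.app_key_for("tls:shop.example", user_id))
    # The game app claims to be the shop app; the host-bound identifier wins.
    _, token = game("second_value", claimed_app_id="app.shop")
    print("game value accepted via shop server:", server.verify("tls:shop.example", user_id, token))
    print("game value accepted via game server:", server.verify("tls:game.example", user_id, token))
```

The verification information here is the application identifier alone, so the second encrypted value is identical on every call for a given user and light application; the text also allows it to be generated from information that includes the identifier.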
[ description of the drawings ]
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a schematic diagram of a network architecture according to various embodiments of the present invention;
FIG. 2 is a flow diagram illustrating an embodiment of a method for providing encryption information for a light application;
FIG. 3 is a schematic diagram of a first embodiment of an apparatus for providing encrypted information for light applications;
FIG. 4 is a diagram illustrating a second embodiment of an apparatus for providing encrypted information for light applications;
FIG. 5 is a schematic diagram of a third embodiment of an apparatus for providing encrypted information for light applications;
FIG. 6 is a schematic structural diagram of a fourth embodiment of an apparatus for providing encrypted information for light applications.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
[ detailed description ]
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
1. Related terms
To facilitate understanding, some terms referred to herein are introduced and described.
Intelligent device: a device with data calculation and processing functions, including user intelligent devices such as smartphones, smart televisions and tablet computers, and Internet of Things intelligent devices such as smart watches and smart bracelets.
Intelligent operating system: an operating system that runs on the intelligent device, such as the Android system (including systems developed in depth on the basis of Android), the iOS system developed by Apple (including systems developed in depth on the basis of iOS), or other systems.
Light application: a lightweight, full-function application that is ready to use on tap and does not need to be installed. It offers a user experience comparable or even superior to that of a locally installed application and, like a web application, can be retrieved by search and intelligently distributed. Light applications are also called quick apps, mini programs and the like; examples include Baidu light applications, WeChat mini programs, Alipay mini programs, and the quick apps provided by mainstream mobile phone manufacturers.
Host environment: provides the light application with the necessary capabilities (e.g., network data communication, data encryption) and the environment that supports its running, so that the light application need not be concerned with how this logic is implemented or with the underlying architecture of the host environment. The host environment includes a client, an intelligent operating system, an intelligent device, or the like. For example, for a WeChat mini program, the host environment is the WeChat client; for quick apps released by mainstream mobile phone manufacturers, the host environment is the intelligent operating system.
Code package: a code file for launching the light application.
User identification: an identification for identifying a user.
Application identification: used to uniquely identify the light application and also to uniquely identify the application server to which the light application corresponds.
Message authentication code: also known as MAC (message authentication code). The information to be protected is encrypted with a key to produce a string of numbers that is unique and one-to-one for that information, cannot be forged by others, and is valid proof of the authenticity of the information sent by the sender. The message authentication code can therefore effectively protect the integrity of the information and realize non-repudiation and non-counterfeiting of the sender. Message authentication code algorithms include hash-based message authentication code (HMAC), cipher block chaining message authentication code (CBC-MAC), Galois message authentication code (GMAC), etc.; keyed hash functions work equally well.
Symmetric encryption algorithm: an encryption algorithm that uses the same key for encryption and decryption, such as Triple Data Encryption Standard (3DES), Advanced Encryption Standard (AES), and the like.
JSBridge: a mechanism used to implement data communication between a native application and a JavaScript application.
2. Description of the implementation Environment
Referring to fig. 1, a schematic structural diagram of a network architecture according to various embodiments of the present invention is shown. The network architecture comprises a host environment, an application server, a publishing server and an encryption server.
The publishing server audits and publishes the code packages uploaded by developers; each light application has a corresponding code package on the publishing server, which the host environment can download. In some embodiments, the publishing server is divided into several modules or servers, including a code package audit module and a software repository: the code package audit module or server audits the code packages uploaded by developers, and the software repository module or server stores the code packages that pass the audit for download by smart devices.
The host environment downloads the code package of the light application from the publishing server through an entry of the light application. The entry is used to discover, open and access the light application, and includes entry modes such as an application store, an intelligent assistant, two-dimensional code scanning, a search engine, short messages, text and the like.
After downloading the code package of the light application, the host environment runs it. Running includes verifying and parsing the code package, executing the parsed view layer code through a rendering engine, executing the logic layer code through a JavaScript engine, and so on.
The light application then performs data encryption related operations with the application server, such as identity authentication, data encryption and decryption, and integrity verification, according to the acquired user identifier and encryption information. It will be appreciated that the network data communication between the light application and the application server is typically performed by the light application invoking the network data communication capabilities of the host environment.
The application server is provided by a third-party application service provider and is also called a developer server. It performs network data communication with the light application and provides the light application with the business application data and services the user requires, such as information, shopping and social networking. It also performs network data communication with the encryption server: when the encryption server receives a user identifier forwarded by the application server, it looks up, in the association relationship between user identifiers and second master keys, the second master key associated with that user identifier. The application server registers its identity information on the encryption server; when the application server passes identity authentication by the encryption server, the encryption server obtains the application identifier of the application server from that identity information, and this application identifier is consistent with the application identifier of the light application. The encryption server thus provides an encryption service to the application server according to the obtained second master key and the application identifier of the application server, for example by providing the application key or the encryption result, and the application server uses this service to carry out the data encryption related operations with the light application, such as identity authentication, data encryption and decryption, and integrity verification.
It is understood that, in an actual network application environment, a plurality of hosting environments may be included, each hosting environment having one or more light applications running thereon, each light application performing network data communication with a corresponding application server, and each application server performing network data communication with an encryption server.
It should be noted that the publishing server and the encryption server are logically servers, and may be integrated as one or more functional modules on different physical servers or cloud servers, or may be both located on the same physical server or cloud server.
It should be noted that the network architecture shown in fig. 1 is not limiting to the implementation environment, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components, as will be appreciated by those skilled in the art. The network architecture shown in fig. 1 is only for enhancement of understanding of the present technology and therefore may include information that does not constitute prior art known to those of ordinary skill in the art.
3. Method embodiment for providing encryption information for light application
Referring to fig. 2, a flowchart of an embodiment of a method for providing encryption information for a light application according to the present invention is shown. This embodiment is exemplified by the method applied to the host environment in the implementation environment shown in fig. 1, and the method includes:
A user identifier and a first master key are obtained, and an association relationship between the user identifier and a second master key is established and stored on the encryption server; that is, the second master key can be looked up on the encryption server from the user identifier, and the second master key has the same value as the first master key.
The obtained user identifier and first master key may be pre-stored. For example, when smart devices are produced, a user identifier and a first master key are generated for each smart device and written into it, and the host environment has the right to obtain them; at the same time, the association relationship between the user identifier and the second master key is established and stored on the encryption server, the second master key having the same value as the first master key.
The obtained user identifier and first master key may also be generated after key agreement with the encryption server. Take, for example, the authentication and key agreement embodiment in the patent application "An identity authentication method, an intelligent device, and an authentication server" (application number: 2019107750779), with the encryption server acting as the authentication server of that embodiment: the smart device, based on a subscriber identity module (SIM), and the encryption server, based on a subscriber data system, perform authentication and key agreement; after this succeeds, the smart device obtains a temporary user identifier, which serves as the user identifier, and generates a first master key. The host environment obtains the temporary user identifier and the first master key, while an association relationship between the temporary user identifier and a second master key is established on the encryption server, the second master key having the same value as the first master key.
It should be noted that, as a matter of permission control, the light application should not be able to obtain the first master key directly. For example, under the permission control mechanism of the host environment, the light application can only call interfaces provided by the host environment to obtain data, and cannot obtain the first master key directly.
The host environment provides several abstracted application programming interfaces (APIs) to the light application in order to offer it system services, native capabilities and the like, including an interface for obtaining encryption information. Preferably, the interface is implemented through JSBridge.
The light application sends a call request to the host environment through this interface to obtain the encryption information; the call request includes the application identifier of the light application. Accordingly, the host environment receives the call request sent by the light application and obtains the application identifier. It is understood that the light application described in this embodiment is a light application downloaded and run by the host environment as described in the "implementation environment description"; the call request is typically triggered when the host environment, through the JavaScript engine, executes the corresponding call function in the logic layer code of the light application.
The application identifier may be named as the reverse of the domain name of the application server, e.g. if the domain name of the application server is app. Of course, the application identifier may also be some other character string. When the encryption server determines the application identifier of the application server from the identity information of the application server, the identifier obtained is consistent with the application identifier of the light application. The encryption server may determine the application identifier from the identity information in several ways: the application account that the application server uses to authenticate to the encryption server can be used as the application identifier of the application server; the domain name of the application server can be obtained and used as the application identifier, and if the application identifier is the reverse of the domain name, the obtained domain name is reversed so that it is consistent with the application identifier of the light application; or the correspondence between the identity information of application servers and application identifiers can be pre-stored on the encryption server, in which case the encryption server obtains the identity information of the application server (for example, its application account, IP address or domain name) and then looks up the application identifier in that correspondence.
In order to ensure that the obtained application identifier is indeed the application identifier of the light application, that is, to prevent other light applications from counterfeiting it, the code package of the light application must be published on the publishing server, and the audit performed at publication ensures that the application identifier associated with the published code package is indeed the application identifier of the light application. The audit may be manual or automatic, which is not limited in this embodiment.
Further, so that the call request sent by the light application includes its application identifier, before this step the host environment obtains the application identifier associated with the code package of the light application and uses it as the application identifier included in the call request; that is, it injects the obtained application identifier into the light application so that the call request sent by the light application includes it. Specifically, the following embodiments may be used:
In a first embodiment, the download request that asks the publishing server for the code package of the light application includes an application identifier; the application identifier is obtained from the download request, and it is the identifier used on the publishing server to associate the code package of the light application.
On the publishing server, an application identifier is uniquely associated with the code package of a light application, so that the code package can be looked up by that identifier. For example, the publishing server records the application identifier associated with each developer; when a developer uploads the code package of a light application for audit and publication, the publishing server obtains the application identifier associated with the developer from the developer's identity information and associates the uploaded code package with it, so that the code package can be looked up by the associated application identifier.
The download request for the code package of the light application includes an application identifier; the host environment downloads the code package according to the download request and obtains the application identifier from it. For example, the host environment first obtains a download request through an entry of the light application (for example, by scanning and parsing a two-dimensional code); the download request includes an application identifier, which the host environment extracts. The host environment then requests the code package of the light application from the publishing server according to the download request; on receiving a download request that includes the application identifier, the publishing server retrieves the associated code package by that identifier and returns it to the host environment.
Thus, when the host environment downloads and runs the code package, it injects the application identifier obtained from the download request into the light application, so that the call request sent by the light application includes the application identifier.
For example, the host environment runs each light application in a separate instance, so that running light applications are isolated from one another. A global variable for the application identifier is therefore defined in the instance of the light application and assigned the obtained application identifier; when the light application generates a call request, it reads the value of the global variable to obtain its application identifier.
As another example, the call function that corresponds to the call request can have a call parameter for the application identifier; when the host environment parses the code package of the light application, it injects the obtained application identifier into that call parameter, so that the call request sent by the light application includes the application identifier.
In a second embodiment, an application identifier is set in a configuration file included in the code package of the light application, and the application identifier is obtained from that configuration file; when the publishing server publishes the code package, it confirms that the application identifier set in the configuration file is indeed the application identifier of the light application.
The code package of the light application comprises a global configuration file for setting global configuration, an application identifier of the light application can be set in the global configuration file, and a developer sets the application identifier in a corresponding configuration item of the global configuration file. For example, the global configuration file is manifest.json, where the package configuration item is used to set the application identifier, and the application identifier of the light application is "com.
When the developer uploads the code package of the light application to the publishing server for audit, the audit passes only if the publishing server determines that the application identifier set in the corresponding configuration item of the global configuration file is indeed the application identifier of the light application. For example, the publishing server records the application identifier associated with each developer; when a developer uploads a code package for audit, the publishing server obtains the application identifier associated with the developer from the developer's identity information, obtains the application identifier set in the corresponding configuration item of the code package's global configuration file, and compares the two. If they are consistent, the identifier is confirmed to be the application identifier of the light application, the audit passes, and the code package can be published.
Thus, when the host environment downloads and runs the code package, it parses the code package to obtain the global configuration file, obtains the application identifier from it, and injects the identifier into the light application, so that the call request sent by the light application includes the application identifier. For the specific injection manner, refer to the first embodiment above; details are not repeated here.
Further, the publishing server signs the code package, and the host environment verifies the signature before running the code package (including before obtaining the application identifier from the configuration file); the code package is run only if it passes signature verification. Because the signature verification mechanism establishes the authenticity of the code package, the obtained application identifier can further be determined to be authentic.
It should be noted that, in the second embodiment, the application identifier set in the configuration file is not necessarily the one used to associate the code package on the publishing server; the two may or may not be the same identifier. Preferably they are the same, which reduces the complexity of code development for the developer and of auditing for the publishing server.
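The audit and injection path of the second embodiment, modelled in Python as an added example (not code from the patent): the publishing server accepts a package only when the `package` item of `manifest.json` matches the identifier registered for the uploading developer, and the host environment fills the identifier into every call request itself. The zip layout, `app.js`, the `appId` parameter name, the `getEncryptionInfo` call name and all identifiers are assumptions constructed for illustration; signature verification is assumed to have passed before `launch` is called.

```python
import io
import json
import zipfile


def build_package(manifest: dict, logic_js: str = "") -> bytes:
    """Constructed stand-in for a code package: a zip holding manifest.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("app.js", logic_js)  # hypothetical logic-layer file
    return buf.getvalue()


def read_package_id(package: bytes) -> str:
    """Return the application identifier set in the `package` configuration item."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        manifest = json.loads(z.read("manifest.json"))
    app_id = manifest.get("package") if isinstance(manifest, dict) else None
    if not isinstance(app_id, str) or not app_id:
        raise ValueError("manifest.json has no usable package item")
    return app_id


class PublishingServer:
    def __init__(self, registered: dict):
        self._registered = dict(registered)  # developer -> application identifier
        self._repository = {}                # application identifier -> package

    def submit(self, developer: str, package: bytes) -> bool:
        """Automatic audit: the declared identifier must be the developer's own."""
        expected = self._registered.get(developer)
        try:
            declared = read_package_id(package)
        except (ValueError, KeyError, zipfile.BadZipFile):
            return False  # malformed package or missing manifest fails the audit
        if expected is None or declared != expected:
            return False
        self._repository[declared] = package
        return True

    def download(self, app_id: str) -> bytes:
        return self._repository[app_id]


class LightAppInstance:
    """One isolated instance per running light application."""

    def __init__(self, app_id: str):
        self._app_id = app_id  # the per-instance "global variable"

    def call_request(self, api: str, **params) -> dict:
        # The host injects the identifier into the call parameter, replacing
        # whatever value the logic-layer code supplied.
        params["appId"] = self._app_id
        return {"api": api, "params": params}


def launch(package: bytes) -> LightAppInstance:
    # Signature verification of the package belongs here, before the manifest
    # is trusted; it is assumed to have succeeded in this sketch.
    return LightAppInstance(read_package_id(package))


if __name__ == "__main__":
    server = PublishingServer({"dev-a": "com.example.app"})
    print(server.submit("dev-a", build_package({"package": "com.example.app"})))
    print(launch(server.download("com.example.app")).call_request("getEncryptionInfo"))
```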
After obtaining the application identifier of the light application, the host environment determines whether it is an authorized application identifier. If it is authorized, step 204 is executed; if not, step 204 and the subsequent steps are not executed.
During processes such as registration of a third-party application (including the light application and the corresponding application server) on the encryption server, the encryption server records whether the third-party application is in an authorized state; that is, it marks the application identifier of the third-party application with its authorization state.
The host environment communicates with the encryption server over the network: the host environment sends the application identifier to the encryption server, and the encryption server determines whether it is an authorized application identifier.
The encryption server looks up the authorization state for the application identifier sent by the host environment. If the identifier is in the authorized state, the encryption server returns information indicating that the application identifier is authorized to the host environment; if not, it returns information indicating that it is not authorized.
When the host environment receives information indicating that the application identifier is authorized, it determines that the application identifier is one authorized by the encryption server and continues with step 204 below. Otherwise, if it receives information indicating no authorization, or receives no response from the encryption server within the set time, step 204 and the subsequent steps are not performed.
The advantage of determining whether the application identifier is authorized by the encryption server is that this is established before the encryption information is generated, so that generating encryption information for an invalid application identifier is avoided.
Step 204: generate encryption information according to the first master key and the application identifier.
Encryption information is generated from the obtained first master key and application identifier. The generated encryption information may be an application key or an encrypted value, as follows:
In a first embodiment, a first application key is generated according to the first master key and the application identifier; this first application key is the encryption information. It is generated in the same manner as the second application key that the encryption server generates from the second master key and the application identifier of the application server, so the two keys have the same value.
The host environment generates a first application key from the first master key and the application identifier. Taking a key derivation algorithm as an example, this can be expressed as DK = PBKDF2(Passphrase, Salt, c, dkLen), where DK is the generated first application key; PBKDF2 is the key derivation algorithm; Passphrase is the character string formed by concatenating the first master key and the application identifier; Salt is the salt value, in this example a fixed string; c is the number of iterations; and dkLen is the output key length, chosen to meet the requirements of the encryption algorithm used.
After the host environment generates the first application key, it passes the user identifier and the first application key to the light application. The light application performs data encryption related operations with the corresponding application server according to the user identifier and the first application key passed by the host environment, such as:
The light application transmits the user identifier to the corresponding application server, and the application server forwards it to the encryption server. The encryption server looks up the corresponding second master key in the association relationship between user identifiers and second master keys, and generates a second application key from that second master key and the application identifier of the application server, which the encryption server determines from the identity information of the application server. The encryption server generates the second application key in the same manner as the host environment generates the first application key, including the key derivation algorithm, the input information and the selected parameters. Since the second master key for the user identifier has the same value as the first master key, the application identifier of the application server is the same as the one the host environment used when generating the first application key, and both keys are generated in the same manner, the generated second application key has the same value as the first application key.
Thus, the encryption server can perform data encryption related operations, according to the second application key, on the data related to the user identifier that the application server forwards; alternatively, the encryption server may send the second application key to the application server, so that the application server performs the data encryption related operations with the light application according to the second application key. The data encryption related operations include identity authentication, data encryption and decryption, integrity verification and the like.
In a second embodiment, a third application key is generated according to the first master key and the application identifier, and data is encrypted according to the third application key to generate a first encrypted value; this first encrypted value is the encryption information. The third application key is generated in the same manner as the fourth application key that the encryption server generates from the second master key and the application identifier of the application server, so the two keys have the same value.
The host environment generates a third application key according to the first master key and the application identifier, in the same manner as the encryption server generates the fourth application key from the second master key and the application identifier of the application server, so that the third and fourth application keys have the same value. For details, refer to the generation of the first application key in the first embodiment.
Unlike the first embodiment, after the host environment generates the third application key it does not pass the key to the light application; instead it encrypts data according to the third application key to generate the first encrypted value. The data may be data carried by the light application in the call request, or data generated by the host environment, which is not limited in this embodiment.
Since the third application key generated by the host environment and the fourth application key generated by the encryption server have the same value, according to the actual needs of the data encryption related operations, the host environment may encrypt the data by using a symmetric encryption algorithm or a message authentication code algorithm according to the third application key to generate an encryption result (i.e., generate the first encryption value), and the application server or the encryption server may decrypt or verify the first encryption value according to the fourth application key. For example:
the host environment encrypts data according to the third application key by using a symmetric encryption algorithm or a message authentication code algorithm to generate an encryption result (i.e. the first encrypted value); taking the Android system as an example, the host environment may invoke the corresponding symmetric encryption algorithm in the Cipher class, or a message authentication code algorithm in the Mac class, to encrypt the data and generate the first encrypted value;
the host environment transmits the user identifier and the first encrypted value to the light application, the light application transmits them to the corresponding application server, and the application server transmits the user identifier to the encryption server;
the encryption server looks up the corresponding second master key in the association relationship between user identifiers and second master keys, and generates a fourth application key according to that second master key and the application identifier of the application server, which the encryption server determines from the identity information of the application server; the encryption server generates the fourth application key in the same manner as the host environment generates the third application key, including the key derivation algorithm, the input information and the selected parameters;
the encryption server transmits the fourth application key to the application server; if the host environment generated the first encrypted value with a symmetric encryption algorithm, the application server decrypts the first encrypted value according to the fourth application key using the same symmetric encryption algorithm; if the host environment generated the first encrypted value with a message authentication code algorithm, the application server generates or obtains data with the same value as the data the host environment used to generate the first encrypted value, and verifies the first encrypted value according to the fourth application key and that data using the same message authentication code algorithm; or,
the application server transmits the user identifier and the first encrypted value to the encryption server; the encryption server generates the fourth application key, decrypts or verifies the first encrypted value according to it, and returns the result of decryption or verification to the application server.
The second embodiment differs from the first embodiment in that in the first embodiment, after the host environment generates the application key, the generated application key is passed to the light application, and data encryption-related operations are performed by the light application based on the generated application key; in the second embodiment, however, the hosting environment not only generates the application key but also performs data encryption-related operations based on the generated application key, passing the generated encrypted value to the light application.
In a third embodiment, information including the application identifier is encrypted according to the first master key to generate a second encrypted value, the generated second encrypted value is encrypted information, after the user identifier and the second encrypted value are transmitted to the light application, the light application transmits the user identifier and the second encrypted value to the encryption server through the application server, so that the encryption server obtains the second master key according to the user identifier, and then verifies the second encrypted value according to the second master key and the application identifier of the application server.
Specific embodiments of the third embodiment include:
generating a fifth application key from the first master key, for example, using the first master key as the fifth application key, or generating the fifth application key from information including the first master key;
generating first verification information according to the application identifier, for example, using the application identifier as the first verification information, or generating the first verification information according to information including the application identifier;
encrypting the first verification information according to the fifth application key to generate a second encrypted value, e.g., encrypting the first verification information using a message authentication code algorithm according to the fifth application key to generate the second encrypted value; or encrypting information including the first verification information using a symmetric encryption algorithm according to the fifth application key to generate the second encrypted value;
transmitting the user identifier and the second encrypted value to a light application, transmitting the user identifier and the second encrypted value to a corresponding application server by the light application, and transmitting the user identifier and the second encrypted value to an encryption server by the application server;
the encryption server looks up the corresponding second master key in the association relationship between the user identifier and the second master key according to the user identifier, and generates a sixth application key according to that second master key, wherein the way the encryption server generates the sixth application key is consistent with the way the host environment generates the fifth application key, including the key derivation algorithm, the input information and the selected parameters, so that the values of the sixth application key and the fifth application key are the same;
the encryption server generates second verification information according to the application identifier of the application server, the generation mode of the second verification information is consistent with the generation mode of the first verification information generated by the host environment, so that the values of the second verification information and the first verification information are the same, wherein the application identifier of the application server is determined by the encryption server according to the identity information of the application server;
the encryption server verifies the second encrypted value according to the sixth application key and the second verification information, for example: if the second encrypted value was generated by encrypting the first verification information with a message authentication code algorithm according to the fifth application key, the encryption server verifies the second encrypted value with the same message authentication code algorithm according to the sixth application key and the second verification information; that is, the encryption server encrypts the second verification information with the same message authentication code algorithm according to the sixth application key to generate a third encrypted value, compares the third encrypted value with the second encrypted value, and, if they are consistent, determines that the second encrypted value is successfully verified; or,
if the second encrypted value was generated by the host environment encrypting information including the first verification information with a symmetric encryption algorithm according to the fifth application key, the encryption server verifies the second encrypted value with the same symmetric encryption algorithm according to the sixth application key and the second verification information; that is, the encryption server decrypts the second encrypted value with the same symmetric encryption algorithm according to the sixth application key to obtain a plaintext, extracts the first verification information from that plaintext, compares the second verification information with the extracted first verification information, and, if they are consistent, determines that the second encrypted value is successfully verified;
after the encryption server determines that the second encrypted value has been verified successfully, it feeds back to the application server a response message indicating that the verification succeeded; after the encryption server determines that verification of the second encrypted value has failed, it feeds back to the application server a response message indicating that the verification failed; and the application server performs the corresponding operation according to the received response message.
The third embodiment differs from the first two embodiments mainly in the following. In the first two embodiments, the host environment generates an application key according to the first master key and the application identifier, and the encryption server generates an application key according to the second master key and the application identifier. In the third embodiment, the host environment generates the application key according to the first master key, and the encryption server generates the application key according to the second master key; that is, the application identifier is not necessarily included in the information used to generate the application key. Because the information used to generate the application key in the third embodiment does not necessarily include the application identifier, the generated application key is not bound to the light application and the application server. The verification of the encrypted value according to the application key generated on the encryption server is therefore performed on the encryption server, rather than by sending the application key to the application server for verification, so that the application key is not leaked to the application server. In the first two embodiments, the process of decrypting or verifying the data according to the application key generated on the encryption server may be executed either on the encryption server or on the application server.
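The difference between a key bound to the application identifier (first two embodiments) and an unbound key with bound verification information (third embodiment) can be shown in a short sketch. This is an added example, not code from the patent; it assumes HMAC-SHA256 for both key derivation and the message authentication code, and the class names, labels and server identity strings are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumptions (the page leaves the algorithms open): HMAC-SHA256 is used both
# as the key derivation function and as the message authentication code.
# Labels, class names and the "cert:..." identity strings are hypothetical.


def derive_key(master_key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """One-step HMAC KDF; both sides must use the same label and context."""
    return hmac.new(master_key, label + b"\x00" + context, hashlib.sha256).digest()


def verification_info(app_id: str) -> bytes:
    """Verification information generated from the application identifier."""
    return b"app-id:" + app_id.encode("utf-8")


class HostEnvironment:
    """Holds the user identifier and the first master key."""

    def __init__(self, user_id: str, first_master_key: bytes):
        self.user_id = user_id
        self._master_key = first_master_key

    def bound_application_key(self, app_id: str) -> bytes:
        # Embodiments one and two: the key itself depends on the app identifier.
        return derive_key(self._master_key, b"app-key", app_id.encode("utf-8"))

    def second_encrypted_value(self, app_id: str) -> bytes:
        # Third embodiment: the fifth application key is NOT bound to the app;
        # only the MACed verification information carries the app identifier.
        fifth_key = derive_key(self._master_key, b"verify-key")
        return hmac.new(fifth_key, verification_info(app_id), hashlib.sha256).digest()


class EncryptionServer:
    """Holds user identifier -> second master key and server identity -> app id."""

    def __init__(self):
        self._master_keys = {}
        self._app_ids = {}

    def enroll_user(self, user_id: str, second_master_key: bytes) -> None:
        self._master_keys[user_id] = second_master_key

    def register_application_server(self, identity: str, app_id: str) -> None:
        self._app_ids[identity] = app_id

    def bound_application_key(self, identity: str, user_id: str) -> Optional[bytes]:
        # Embodiments one and two: this key may be handed to the application
        # server, because it is only valid for that server's own app identifier.
        app_id = self._app_ids.get(identity)
        master_key = self._master_keys.get(user_id)
        if app_id is None or master_key is None:
            return None
        return derive_key(master_key, b"app-key", app_id.encode("utf-8"))

    def verify(self, identity: str, user_id: str, second_encrypted_value: bytes) -> bool:
        # Third embodiment: verification stays on the encryption server. The
        # app identifier comes from the authenticated server identity, never
        # from the request relayed by the light application.
        app_id = self._app_ids.get(identity)
        master_key = self._master_keys.get(user_id)
        if app_id is None or master_key is None:
            return False
        sixth_key = derive_key(master_key, b"verify-key")
        third_value = hmac.new(sixth_key, verification_info(app_id), hashlib.sha256).digest()
        return hmac.compare_digest(third_value, second_encrypted_value)


def run_demo() -> dict:
    master = secrets.token_bytes(32)  # constructed sample master key
    host = HostEnvironment("user-001", master)
    server = EncryptionServer()
    server.enroll_user("user-001", master)
    server.register_application_server("cert:shop-backend", "shop")
    server.register_application_server("cert:game-backend", "game")

    value_for_shop = host.second_encrypted_value("shop")
    return {
        "shop_value_via_shop_server": server.verify("cert:shop-backend", "user-001", value_for_shop),
        "shop_value_via_game_server": server.verify("cert:game-backend", "user-001", value_for_shop),
        "unknown_user": server.verify("cert:shop-backend", "user-999", value_for_shop),
        "bound_keys_match": host.bound_application_key("shop")
        == server.bound_application_key("cert:shop-backend", "user-001"),
        "bound_keys_differ_per_app": host.bound_application_key("shop")
        != host.bound_application_key("game"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

In this sketch the second encrypted value covers only the application identifier, so it is the same for every request by the same user and application; the page's wording "information including the application identifier" allows further input to be included.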
Step 205: transmitting the user identifier and the encryption information to the light application, so that the light application performs data encryption related operations with the application server according to the user identifier and the encryption information.
The host environment passes the user identifier and the encryption information to the light application according to its data communication mechanism with the light application. For example, if the interface between the host environment and the light application is implemented via JSBridge in step 202, i.e. the call request of the light application is received via the JSBridge protocol, then the user identifier and the encryption information are passed back to the light application via JSBridge in this step.
After the light application receives the user identifier and the encryption information delivered by the host environment, it can perform data encryption related operations with the corresponding application server according to the user identifier and the encryption information. How the light application performs these operations depends on how the encryption information was generated in step 204; refer to the implementations described in step 204, which are not repeated here.
It should be further noted that, after the step 201 is implemented once, the steps 202 to 205 may be implemented multiple times, that is, the host environment may implement the processes described in the steps 202 to 205 for the same light application or different light applications multiple times based on the user identifier and the first master key obtained in the step 201, so as to provide the encryption information for the same light application or different light applications multiple times.
In summary, in the method provided in this embodiment, the host environment receives a call request of the light application, where the call request includes an application identifier, generates encryption information according to the first master key and the application identifier, and transmits the user identifier and the encryption information to the light application, so that the light application performs an operation related to data encryption with the application server according to the user identifier and the encryption information. Compared with the prior art, the technical effects brought by the embodiment at least comprise: in the first aspect, since it can be determined that the application identifier included in the call request sent by the light application is authentic, the encryption information generated according to the first master key and the application identifier is indeed the encryption information for that light application, so that the host environment can provide encryption information for a plurality of different light applications with the same master key, and the different light applications cannot impersonate one another to obtain the encryption information; in the second aspect, it may be further determined whether the application identifier is an application identifier that has been authorized on the encryption server, so that generating encryption information for an invalid application identifier can be avoided.
4. First embodiment of an apparatus for providing encryption information for light applications
Referring to Fig. 3, a schematic structural diagram of a first apparatus for providing encryption information for a light application according to an embodiment of the present invention is shown; for convenience of description, only the portions related to the embodiment of the present invention are shown. This embodiment takes as an example the apparatus applied to the host environment in the implementation environment shown in Fig. 1, and the apparatus includes:
a key obtaining module 301, configured to obtain a user identifier and a first master key, and store, on the encryption server, an association relationship between the user identifier and a second master key, where the value of the second master key is the same as that of the first master key;
a receiving module 302, configured to receive a call request sent by the light application, where the call request is used to obtain encrypted information, the call request includes an application identifier, and when a publishing server publishes a code packet of the light application, it is determined that the application identifier is an application identifier of the light application, and the application identifier is consistent with an application identifier of the application server determined by the encryption server according to identity information of the application server;
an encryption module 303, configured to generate encryption information according to the first master key and the application identifier;
a delivering module 304, configured to deliver the user identifier and the encryption information to the light application, so that the light application performs an operation related to data encryption with the application server according to the user identifier and the encryption information.
Preferably, the key obtaining module 301 includes:
a first key obtaining unit, configured to obtain the pre-stored user identifier and the first master key; or,
a second key obtaining unit, configured to perform key agreement with the encryption server so as to obtain the user identifier and the first master key.
Preferably, the encryption module 303 includes:
a first encryption unit, configured to generate a first application key according to the first master key and the application identifier, where the first application key is the encrypted information, and a generation manner of the first application key is consistent with a generation manner of a second application key generated by the encryption server according to the second master key and the application identifier of the application server, so that values of the first application key and the second application key are the same; or,
a second encryption unit, configured to generate a third application key according to the first master key and the application identifier, and encrypt data according to the third application key to generate a first encrypted value, where the first encrypted value is the encrypted information, and a generation manner of the third application key is consistent with a generation manner of a fourth application key generated by the encryption server according to the second master key and the application identifier of the application server, so that values of the third application key and the fourth application key are the same; or,
a third encryption unit, configured to encrypt information including the application identifier according to the first master key to generate a second encrypted value, where the second encrypted value is the encrypted information; after the user identifier and the second encrypted value are transmitted to the light application, the light application transmits the user identifier and the second encrypted value to the encryption server through the application server, so that the encryption server obtains the second master key according to the user identifier, and then verifies the second encrypted value according to the second master key and the application identifier of the application server.
Preferably, the third encryption unit includes:
an application key generation subunit, configured to generate a fifth application key according to the first master key, where a generation manner of the fifth application key is consistent with a generation manner of a sixth application key generated by the encryption server according to the second master key, so that values of the fifth application key and the sixth application key are the same;
a verification information generation subunit, configured to generate first verification information according to the application identifier, where a generation manner of the first verification information is consistent with a generation manner of second verification information generated by the encryption server, so that values of the first verification information and the second verification information are the same;
and an encryption information generation subunit, configured to encrypt the first verification information according to the fifth application key to generate the second encrypted value.
5. Second embodiment of an apparatus for providing encrypted information for light applications
Please refer to Fig. 4, which illustrates a schematic structural diagram of a second apparatus for providing encryption information for a light application according to an embodiment of the present invention. In addition to the modules of the apparatus provided in the first apparatus embodiment for providing encryption information for light applications, the apparatus further comprises the following modules:
an application identifier obtaining module 401, configured to obtain the application identifier, where the application identifier is associated with the code packet of the light application;
an injecting module 402, configured to inject the application identifier into the light application, so that the application identifier is included in the call request sent by the light application.
Preferably, the application identifier obtaining module 401 includes:
a first identifier obtaining unit, configured to obtain the application identifier from a download request, where the download request is a download request for requesting the publishing server to download the code package, the download request includes the application identifier, and the application identifier is used on the publishing server to associate with the code package; or,
a second identifier obtaining unit, configured to obtain the application identifier from a configuration file, where the configuration file is a configuration file included in the code packet, and the configuration file is provided with the application identifier, and when the publishing server publishes the code packet, the application identifier set in the configuration file is determined to be the application identifier of the light application.
Preferably, the injection module 402 comprises:
a first injection unit, configured to assign the application identifier to a global variable, so that when the light application generates the call request, it obtains the application identifier by reading the value of the global variable, where the global variable is used to define the application identifier in an instance of the light application; or,
a second injection unit, configured to inject the application identifier into a corresponding calling parameter in a calling function of the light application, where the calling function is used for executing and sending the call request.
6. Third embodiment of device for providing encrypted information for light application
Please refer to Fig. 5, which illustrates a schematic structural diagram of a third apparatus for providing encryption information for a light application according to an embodiment of the present invention. In addition to the modules of the apparatus provided in the first apparatus embodiment for providing encryption information for light applications, the apparatus further includes an authorization module 501, where the authorization module 501 is configured to determine whether the application identifier is an authorized application identifier; if yes, the encryption module 303 is executed; if not, the encryption module 303 is not executed.
Preferably, the authorization module 501 further includes an identifier sending unit, a feedback receiving unit, and an authorization determining unit, where:
an identifier sending unit, configured to send the application identifier to the encryption server, so that the encryption server determines whether the application identifier is an authorized application identifier;
a feedback receiving unit, configured to receive information fed back by the encryption server;
an authorization determining unit, configured to determine whether the application identifier is authorized according to the feedback information; if the feedback information is information indicating authorization, the application identifier is determined to be authorized; otherwise, the application identifier is determined not to be authorized.
This embodiment may also form an optional embodiment with the apparatus provided in the second apparatus embodiment for providing encrypted information for light applications, that is, using the same or similar implementation manner as this embodiment, after connecting the authorization module 501 with the receiving module 302 and the encryption module 303 in the second apparatus embodiment for providing encrypted information for light applications, the apparatus shown in fig. 6 is formed, where, when the authorization module 501 determines that the application identifier is an authorized application identifier, the encryption module 303 is executed; if not, the encryption module 303 is not executed. The detailed description is omitted.
The apparatuses provided in the first to third embodiments of the apparatus for providing encryption information for light applications and the implementation method in the embodiment of the method for providing encryption information for light applications belong to the same concept, and specific implementation principles and effects thereof can be seen in the method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," "includes," "passing," "sending," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system.
The terms "first," "second," "third," and the like (if any) are used solely to distinguish one from another and are not used to describe a particular order or sequence. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The method, apparatus and system of the present invention can be implemented in a number of ways. For example, the methods, apparatus and systems of the present invention may be implemented by software, hardware, firmware or any combination of software, hardware and firmware. The above-described order for the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (27)
1. A method for providing encryption information for a light application, the method being applied to a hosting environment, the hosting environment downloading and running the light application from a publishing server, the light application being connected to a corresponding application server through a network, the application server being connected to an encryption server through the network, the method comprising:
acquiring a user identifier and a first master key, and storing an association relation between the user identifier and a second master key on the encryption server, wherein the value of the second master key is the same as that of the first master key;
receiving a call request sent by the light application, wherein the call request is used for acquiring encrypted information, the call request comprises an application identifier, the application identifier is determined to be the application identifier of the light application when the publishing server publishes the code packet of the light application, and the application identifier is consistent with the application identifier of the application server determined by the encryption server according to the identity information of the application server;
generating encryption information according to the first master key and the application identifier;
and correspondingly, the encryption server provides encryption service for the application server according to the second master key and the application identifier of the application server, so that the application server and the light application execute the data encryption related operation.
2. The method of claim 1, wherein obtaining the user identifier and the first master key comprises:
acquiring the pre-stored user identification and the first master key; or,
and carrying out key agreement with the encryption server to obtain the user identification and the first master key.
3. The method of claim 2, wherein the performing key agreement with the encryption server to obtain the user identifier and the first master key comprises:
and based on a Subscriber Identity Module (SIM) and the encryption server, performing authentication and key agreement based on a subscriber data system to acquire the subscriber identity and the first master key.
4. The method of claim 1, further comprising, before the receiving the call request sent by the light application:
acquiring the application identification, wherein the application identification is associated with the code package of the light application;
and injecting the application identification into the light application, so that the application identification is included in the call request sent by the light application.
5. The method of claim 4, wherein the obtaining the application identification comprises:
including the application identifier in a download request that requests the publishing server to download the code package, and obtaining the application identifier from the download request, wherein the application identifier is used on the publishing server to associate with the code package; or,
setting the application identifier in a configuration file included in the code packet, and acquiring the application identifier from the configuration file, wherein when the publishing server publishes the code packet, the application identifier set in the configuration file is determined to be the application identifier of the light application.
6. The method of claim 5, further comprising, prior to said obtaining the application identification from the configuration file:
and performing signature verification on the code packet, and continuing to execute the subsequent steps only if the code packet passes the signature verification.
7. The method of claim 4, wherein the injecting the application identification into the light application comprises:
in an instance of the light application, defining a global variable for the application identifier, and assigning the application identifier to the global variable, so that when the light application generates the call request, the light application acquires the application identifier by acquiring the value of the global variable; or,
and injecting the application identification into a corresponding calling parameter in a calling function of the light application, wherein the calling function is used for executing and sending the calling request.
8. The method according to claim 1, further comprising, after the receiving the call request sent by the light application and before the generating encryption information according to the first master key and the application identification:
determining whether the application identifier is an authorized application identifier;
if yes, executing the generating of encryption information according to the first master key and the application identifier;
if not, the encryption information is not generated according to the first master key and the application identifier.
9. The method of claim 7, wherein determining whether the application identifier is an authorized application identifier comprises:
sending the application identifier to the encryption server so that the encryption server determines whether the application identifier is an authorized application identifier;
if receiving the information which is fed back by the encryption server and represents that the application identification is authorized, determining that the application identification is authorized;
otherwise, determining that the application identification is not authorized.
10. The method of claim 1, wherein generating encryption information based on the first master key and the application identification comprises:
generating a first application key according to the first master key and the application identifier, wherein the first application key is the encrypted information, and the generation mode of the first application key is consistent with the generation mode of a second application key generated by the encryption server according to the second master key and the application identifier of the application server, so that the values of the first application key and the second application key are the same; or,
generating a third application key according to the first master key and the application identifier, and encrypting data according to the third application key to generate a first encrypted value, wherein the first encrypted value is the encrypted information, and the generation manner of the third application key is consistent with the generation manner of a fourth application key generated by the encryption server according to the second master key and the application identifier of the application server, so that the values of the third application key and the fourth application key are the same; or,
and after the user identifier and the second encrypted value are transmitted to the light application, the light application transmits the user identifier and the second encrypted value to the encryption server through the application server, so that the encryption server acquires the second master key according to the user identifier, and then verifies the second encrypted value according to the second master key and the application identifier of the application server.
11. The method of claim 10, wherein the encrypting data according to the third application key to generate a first encrypted value comprises:
encrypting data using a symmetric encryption algorithm according to the third application key to generate the first encrypted value; or,
encrypting data using a message authentication code algorithm according to the third application key to generate the first encrypted value.
12. The method of claim 10, wherein the encrypting information including the application identification according to the first master key to generate a second encrypted value comprises:
generating a fifth application key according to the first master key, wherein the generation mode of the fifth application key is consistent with the generation mode of the sixth application key generated by the encryption server according to the second master key, so that the values of the fifth application key and the sixth application key are the same;
generating first verification information according to the application identifier, wherein the generation mode of the first verification information is consistent with the generation mode of second verification information generated by the encryption server, so that the values of the first verification information and the second verification information are the same;
and encrypting the first verification information according to the fifth application key to generate the second encrypted value.
13. The method of claim 12, wherein generating a fifth application key from the first master key comprises:
using the first master key as the fifth application key; or,
generating the fifth application key according to information including the first master key.
14. The method of claim 12, wherein generating the first verification information according to the application identifier comprises:
using the application identifier as the first verification information; or,
generating the first verification information according to information comprising the application identifier.
15. The method according to claim 12, wherein encrypting the first verification information according to the fifth application key to generate the second encrypted value comprises:
encrypting the first verification information by using a message authentication code algorithm according to the fifth application key to generate the second encrypted value; or,
encrypting information including the first verification information using a symmetric encryption algorithm according to the fifth application key to generate the second encrypted value.
16. The method of claim 1, wherein the call request of the light application is received via JSBridge, and the user identifier and the encryption information are passed to the light application via JSBridge.
17. An apparatus for providing encryption information for a light application, the apparatus downloading and running the light application from a distribution server, the light application being connected to a corresponding application server through a network, the application server being connected to an encryption server through the network, the apparatus comprising:
a key obtaining module, configured to obtain a user identifier and a first master key, where an association relationship between the user identifier and a second master key is stored in the encryption server, and a value of the second master key is the same as a value of the first master key;
a receiving module, configured to receive a call request sent by the light application, where the call request is used to obtain encrypted information, the call request includes an application identifier, the application identifier is determined to be the application identifier of the light application when the publishing server publishes the code packet of the light application, and the application identifier is consistent with the application identifier of the application server determined by the encryption server according to the identity information of the application server;
an encryption module, configured to generate encryption information according to the first master key and the application identifier;
a transfer module, configured to transfer the user identifier and the encryption information to the light application, so that the light application performs data encryption related operations with the application server according to the user identifier and the encryption information;
corresponding to the operation related to the data encryption, the encryption server provides an encryption service to the application server according to the second master key and the application identifier of the application server, so that the application server and the light application execute the operation related to the data encryption.
18. The apparatus of claim 17, wherein the key obtaining module comprises:
a first key obtaining unit, configured to obtain the pre-stored user identifier and the first master key; or,
a second key obtaining unit, configured to perform key agreement with the encryption server to obtain the user identifier and the first master key.
19. The apparatus of claim 17, wherein the encryption module comprises:
a first encryption unit, configured to generate a first application key according to the first master key and the application identifier, where the first application key is the encrypted information, and a generation manner of the first application key is consistent with a generation manner of a second application key generated by the encryption server according to the second master key and the application identifier of the application server, so that values of the first application key and the second application key are the same; or,
a second encryption unit, configured to generate a third application key according to the first master key and the application identifier, and encrypt data according to the third application key to generate a first encrypted value, where the first encrypted value is the encrypted information, and a generation manner of the third application key is consistent with a generation manner of a fourth application key generated by the encryption server according to the second master key and the application identifier of the application server, so that values of the third application key and the fourth application key are the same; or,
a third encryption unit, configured to encrypt information comprising the application identifier according to the first master key to generate a second encrypted value, where the second encrypted value is the encrypted information, and after the user identifier and the second encrypted value are transmitted to the light application, the light application transmits the user identifier and the second encrypted value to the encryption server through the application server, so that the encryption server obtains the second master key according to the user identifier, and then verifies the second encrypted value according to the second master key and the application identifier of the application server.
20. The apparatus according to claim 19, wherein the third encryption unit comprises:
an application key generation subunit, configured to generate a fifth application key according to the first master key, where a generation manner of the fifth application key is consistent with a generation manner of a sixth application key generated by the encryption server according to the second master key, so that values of the fifth application key and the sixth application key are the same;
an authentication information generation subunit, configured to generate first authentication information according to the application identifier, where a generation manner of the first authentication information is consistent with a generation manner of second authentication information generated by the encryption server, so that the values of the first authentication information and the second authentication information are the same;
and an encryption information generation subunit configured to encrypt the first authentication information according to the fifth application key to generate the second encrypted value.
21. The apparatus of claim 17, further comprising:
an application identifier obtaining module, configured to obtain the application identifier, where the application identifier is associated with a code package of the light application;
and an injection module, configured to inject the application identifier into the light application, so that the call request sent by the light application includes the application identifier.
22. The apparatus of claim 21, wherein the application identity obtaining module comprises:
a first identifier obtaining unit, configured to obtain the application identifier from a download request, where the download request is a download request for requesting the publishing server to download the code package, the download request includes the application identifier, and the application identifier is used on the publishing server to associate with the code package; or,
a second identifier obtaining unit, configured to obtain the application identifier from a configuration file, where the configuration file is a configuration file included in the code packet, and the configuration file is provided with the application identifier, and when the publishing server publishes the code packet, the application identifier set in the configuration file is determined to be the application identifier of the light application.
23. The apparatus of claim 21, wherein the injection module comprises:
a first injection unit, configured to assign a value to a global variable by the application identifier, so that when the light application generates the call request, the application identifier is obtained by obtaining a value of the global variable, where the global variable is used to define the application identifier in an instance of the light application; or,
a second injection unit, configured to inject the application identifier into a corresponding call parameter in a call function of the light application, where the call function is used for executing and sending the call request.
24. The apparatus of claim 17, further comprising an authorization module configured to determine whether the application identifier is an authorized application identifier; if yes, executing the encryption module; if not, the encryption module is not executed.
25. The apparatus of claim 24, wherein the authorization module further comprises:
an identifier sending unit, configured to send the application identifier to the encryption server, so that the encryption server determines whether the application identifier is an authorized application identifier;
a feedback receiving unit, configured to receive information fed back by the encryption server;
an authorization confirming unit, configured to confirm, according to the feedback information, whether the application identifier is authorized; if the feedback information is information indicating authorization, determining that the application identifier is authorized; otherwise, determining that the application identifier is not authorized.
26. A smart device, the smart device comprising: a memory, a processor for executing a program stored by the memory, the program when executed performing a method comprising any of claims 1 to 16.
27. A storage medium characterized in that the storage medium has a program stored therein for implementing a method comprising any one of claims 1 to 16.
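The application-key and message-authentication-code variant of claims 10 and 11, together with the encryption server's matching check, can be sketched as follows; this is an added Python example and not code from the patent. The derivation (HMAC-SHA256 over a labelled application identifier), the class and function names, and all identifiers and data are assumptions constructed for illustration; the claims only require that both sides derive the key in the same way.

```python
import hashlib
import hmac
import secrets


def derive_app_key(master_key: bytes, app_id: str) -> bytes:
    # Assumed derivation (the claims only require both sides to use the same one):
    # HMAC-SHA256 keyed with the master key over a labelled application identifier.
    return hmac.new(master_key, b"app-key|" + app_id.encode(), hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Device:
    """Host side: holds the user identifier and the first master key."""

    def __init__(self, user_id: str, master_key: bytes):
        self.user_id, self._master_key = user_id, master_key

    def handle_call(self, injected_app_id: str, data: bytes):
        # The application identifier is the one the host injected for this code
        # package, so a light application cannot request another application's key.
        app_key = derive_app_key(self._master_key, injected_app_id)  # "third application key"
        return self.user_id, mac(app_key, data)                      # "first encrypted value"


class EncryptionServer:
    """Maps user identifier -> second master key and server identity -> application identifier."""

    def __init__(self):
        self.master_keys = {}
        self.app_ids = {}

    def verify(self, server_identity: str, user_id: str, data: bytes, tag: bytes) -> bool:
        master_key = self.master_keys.get(user_id)
        # The application identifier comes from the caller's identity, not from the request.
        app_id = self.app_ids.get(server_identity)
        if master_key is None or app_id is None:
            return False
        expected = mac(derive_app_key(master_key, app_id), data)     # "fourth application key"
        return hmac.compare_digest(expected, tag)


def run_demo() -> dict:
    # All values below are constructed sample data.
    master_key = secrets.token_bytes(32)   # first and second master key share this value
    device = Device("user-001", master_key)
    server = EncryptionServer()
    server.master_keys["user-001"] = master_key
    server.app_ids = {"shop-server": "app.shop", "other-server": "app.other"}

    data = b'{"order":42}'
    user_id, tag = device.handle_call("app.shop", data)
    return {
        "own_server": server.verify("shop-server", user_id, data, tag),
        "other_server": server.verify("other-server", user_id, data, tag),
        "tampered": server.verify("shop-server", user_id, b'{"order":43}', tag),
        "unknown_user": server.verify("shop-server", "user-999", data, tag),
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the check made on behalf of the application server whose identifier matches the injected one succeeds, which is the per-application isolation the claims rely on: the master key never leaves the device or the encryption server, and a value produced for one light application is useless to another application server.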
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911003298.0A CN111901287B (en) | 2019-10-22 | 2019-10-22 | Method and device for providing encryption information for light application and intelligent equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111901287A (en) | 2020-11-06 |
CN111901287B (en) | 2022-12-23 |
Family
ID=73169615
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911003298.0A Active CN111901287B (en) | 2019-10-22 | 2019-10-22 | Method and device for providing encryption information for light application and intelligent equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111901287B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112565236B (en) * | 2020-11-30 | 2023-08-01 | 广州酷狗计算机科技有限公司 | Information authentication method, device, computer equipment and storage medium |
CN112328291A (en) * | 2020-12-11 | 2021-02-05 | 上海市民信箱信息服务有限公司 | APP light application market software version control method |
CN112596812B (en) * | 2020-12-22 | 2024-05-31 | 深圳集智数字科技有限公司 | Response method, device, equipment and storage medium of operation request |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102946396A (en) * | 2012-11-26 | 2013-02-27 | 北京奇虎科技有限公司 | User agent device, host web server and user authentication method |
CN107786328A (en) * | 2017-09-01 | 2018-03-09 | 深圳市金立通信设备有限公司 | A kind of method, service node device and computer-readable medium for generating key |
CN108768928A (en) * | 2018-04-04 | 2018-11-06 | 厦门集微科技有限公司 | A kind of information acquisition method, terminal and server |
CN109347835A (en) * | 2018-10-24 | 2019-02-15 | 苏州科达科技股份有限公司 | Information transferring method, client, server and computer readable storage medium |
CN109522726A (en) * | 2018-10-16 | 2019-03-26 | 平安万家医疗投资管理有限责任公司 | Method for authenticating, server and the computer readable storage medium of small routine |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010103800A1 (en) * | 2009-03-13 | 2010-09-16 | 株式会社オンサイト | Server, terminal, program, and service providing method |
RU2663476C2 (en) * | 2013-09-20 | 2018-08-06 | Виза Интернэшнл Сервис Ассосиэйшн | Remote payment transactions protected processing, including authentication of consumers |
EP3143573A4 (en) * | 2014-05-13 | 2018-01-24 | Visa International Service Association | Master applet for secure remote payment processing |
Also Published As
Publication number | Publication date |
---|---|
CN111901287A (en) | 2020-11-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107743133B (en) | Mobile terminal and access control method and system based on trusted security environment | |
CN105095696B (en) | Method, system and the equipment of safety certification are carried out to application program | |
US10574460B2 (en) | Mechanism for achieving mutual identity verification via one-way application-device channels | |
US11501294B2 (en) | Method and device for providing and obtaining graphic code information, and terminal | |
US11676133B2 (en) | Method and system for mobile cryptocurrency wallet connectivity | |
KR101265873B1 (en) | Distributed single sign-on service | |
CN111090875A (en) | Contract deployment method and device | |
US8495383B2 (en) | Method for the secure storing of program state data in an electronic device | |
US9177112B2 (en) | Method and device for communicating digital content | |
TW202109320A (en) | Trusted execution environment-based application activation method and apparatus | |
CN111901287B (en) | Method and device for providing encryption information for light application and intelligent equipment | |
CN109145628B (en) | Data acquisition method and system based on trusted execution environment | |
EP2908493B1 (en) | Secure communication systems | |
CN110740038B (en) | Blockchain and communication method, gateway, communication system and storage medium thereof | |
CN115150821A (en) | Offline package transmission and storage method and device | |
CN116346341A (en) | Private key protection and server access method, system, equipment and storage medium | |
CN117436043A (en) | Method and device for verifying source of file to be executed and readable storage medium | |
KR102209531B1 (en) | Method for Storing Digital Certificate and Priviate Key in Cloud Environment and for Downloading the Certificate and Private Key | |
CN112131597A (en) | Method and device for generating encrypted information and intelligent equipment | |
CN111404680B (en) | Password management method and device | |
CN111917680A (en) | Encryption system, method, server and storage medium | |
CN115277082B (en) | Verification method and device for third party application | |
KR102305691B1 (en) | Method for drm packaging for real-time on-demand digital content and computing device for executing the method | |
Culnane et al. | Formalising Application-Driven Authentication & Access-Control based on Users’ Companion Devices | |
Raju et al. | Secure Messaging with in-app user defined schemes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||