CN112613058A - Method and device for retrieving encryption key, electronic equipment and storage medium - Google Patents
Method and device for retrieving encryption key, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN112613058A CN112613058A CN202011614460.5A CN202011614460A CN112613058A CN 112613058 A CN112613058 A CN 112613058A CN 202011614460 A CN202011614460 A CN 202011614460A CN 112613058 A CN112613058 A CN 112613058A
- Authority
- CN
- China
- Prior art keywords
- key
- encryption
- handle
- recovery
- ciphertext
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 82
- 238000011084 recovery Methods 0.000 claims abstract description 100
- 230000008569 process Effects 0.000 claims abstract description 38
- 238000004590 computer program Methods 0.000 claims description 6
- 238000010586 diagram Methods 0.000 description 16
- 230000003287 optical effect Effects 0.000 description 3
- 230000006870 function Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 239000007787 solid Substances 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000001364 causal effect Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the application discloses a method and a device for retrieving an encryption key, electronic equipment and a storage medium, wherein the method comprises the following steps: when the encryption key of the object needs to be recovered, acquiring a key handle of the object; determining a corresponding recovery key according to the key handle, wherein the recovery key and the key handle are generated in the process of encrypting the object; and decrypting the key ciphertext based on the recovery key to obtain an encryption key. By recovering the encryption key, the situation that the user forgets the encryption key to cause data loss is avoided.
Description
Technical Field
The present application relates to the field of data security technologies, and in particular, to a method and an apparatus for retrieving an encryption key, an electronic device, and a storage medium.
Background
The current general software system supports exporting data or generating files, the content of the files needs to be encrypted based on the consideration of security, and meanwhile, in order to ensure the security of the key for encrypting the content of the files, the key cannot be stored in the system or fixedly generated in advance, and a user needs to input a secret encryption key by himself.
In such a scenario, a situation that a user forgets a key after the file is encrypted may occur, so that when the file is reused subsequently, the file decryption fails, and thus data stored in the file is unavailable.
Disclosure of Invention
The embodiment of the application provides an encryption key retrieving method, an encryption key retrieving device, electronic equipment and a storage medium, which are used for avoiding the situation that data is unavailable due to the fact that an encrypted object cannot be decrypted.
In a first aspect, an embodiment of the present application provides a method for retrieving an encryption key, where the method includes:
when an encryption key of an object needs to be recovered, acquiring a key handle of the object;
determining a corresponding recovery key according to the key handle, wherein the recovery key and the key handle are generated in the process of encrypting the object;
and decrypting the key ciphertext based on the recovery key to obtain the encryption key.
In the embodiment of the application, for example, when a user forgets to encrypt a key, the encrypted key needs to be recovered, at this time, a key handle of an object is obtained, the key handle and the recovered key are randomly generated in the encryption process, and the recovered key corresponding to the key handle is determined by using the corresponding characteristic between the handle and the accessed object; and then, the key ciphertext is decrypted based on the recovery key to obtain an encryption key. Therefore, when the user forgets the key, the encryption key can be obtained through the decryption process, and the condition that data is lost due to forgetting the encryption key is avoided.
In some exemplary embodiments, before obtaining the key handle of the object, the method further includes:
after the encryption key is applied to encrypt the object, a recovery key and a key handle corresponding to the recovery key are randomly generated;
and encrypting the encryption key by using the recovery key to obtain a key ciphertext.
Compared with the method that only the encryption key is used for encrypting the object in the ordinary encryption process, the method has the advantages that the encryption key exists in the form of a key ciphertext after being encrypted by the randomly generated recovery key; and the key handle is used to subsequently look up the recovery key. Therefore, the safety of the whole data is ensured by recovering the key and the key handle and safely storing the corresponding relation between the recovered key and the key handle.
In some exemplary embodiments, the method further comprises:
storing the key handle and the key ciphertext to a key information segment of an object to be decrypted;
the obtaining the key handle of the object comprises:
identifying a key information segment of the object to be decrypted;
and reading the key handle of the object from the key information segment.
In the above embodiment, since the key handle and the key ciphertext are both stored in the key information segment of the object to be decrypted, the key information segment may be first identified in the object to be decrypted, and then the key handle may be directly read from the key information segment. Therefore, the information for recovering the encryption key and the key ciphertext are ensured to be stored together, and the loss is avoided.
In some exemplary embodiments, the determining the corresponding recovery key according to the key handle includes:
acquiring the corresponding relation between each key handle and each recovery key;
and determining a recovery key corresponding to the key handle of the object to be decrypted according to the corresponding relation.
In the embodiment, the recovery key of the current object to be decrypted is determined according to the corresponding relationship between the key handle and the recovery key, so that the risk that the recovery key is stolen after the object is attacked due to the fact that the recovery key is directly stored in the object is avoided, and the data security is improved.
In some exemplary embodiments, the object to be decrypted further includes a ciphertext segment and an algorithm description information segment;
wherein the ciphertext segment and the algorithm description information segment are determined by:
encrypting the content of the object by using an encryption key, and storing the obtained ciphertext into a ciphertext section of the object to be decrypted;
and storing the encryption algorithm for encrypting the content of the object to the algorithm description information segment of the object to be decrypted.
In the embodiment, the encryption algorithm is written into the object to be decrypted, so that the situation that the encryption algorithm cannot be decrypted due to upgrading can be avoided.
In some exemplary embodiments, before obtaining the key handle of the object, the method further includes:
and determining the detected working key as the set working key.
In the above embodiment, in order to improve security, after determining that the user has the operation authority when determining that the detected work key is the set work key, the key handle of the object may be acquired to start the process of recovering the encryption key.
In a second aspect, an embodiment of the present application provides an apparatus for retrieving an encryption key, including:
the key handle acquisition module is used for acquiring the key handle of the object when the encryption key of the object needs to be recovered;
a recovery key determining module, configured to determine a corresponding recovery key according to the key handle, where the recovery key and the key handle are generated in an encryption process of the object;
and the encryption key determining module is used for decrypting the key ciphertext based on the recovery key to obtain the encryption key.
In some exemplary embodiments, the apparatus further includes a generating module, configured to randomly generate a recovery key and a key handle corresponding to the recovery key after the object is encrypted by applying the encryption key before the key handle of the object is obtained; and encrypting the encryption key by using the recovery key to obtain a key ciphertext.
In some exemplary embodiments, the apparatus further includes a first storage module, configured to store the key handle and the key ciphertext to a key information segment of an object to be decrypted;
the key handle acquisition module is specifically configured to:
identifying a key information segment of the object to be decrypted;
and reading the key handle of the object from the key information segment.
In some exemplary embodiments, the recovery key determination module is specifically configured to:
acquiring the corresponding relation between each key handle and each recovery key;
and determining a recovery key corresponding to the key handle of the object to be decrypted according to the corresponding relation.
In some exemplary embodiments, the object to be decrypted further includes a ciphertext segment and an algorithm description information segment;
the system further comprises a second storage module, which is used for determining the ciphertext segment and the algorithm description information segment in the following way:
encrypting the content of the object by using an encryption key, and storing the obtained ciphertext into a ciphertext section of the object to be decrypted;
and storing the encryption algorithm for encrypting the content of the object to the algorithm description information segment of the object to be decrypted.
In some exemplary embodiments, the method further includes determining that the detected work key is the set work key before obtaining the key handle of the object.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of any one of the methods when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having stored thereon computer program instructions, which, when executed by a processor, implement the steps of any of the methods described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a diagram of a display interface of a decryption process in the prior art;
FIG. 2 is a diagram of a display interface in the prior art when a key is incorrectly input;
FIG. 3 is a display interface diagram of a decryption process according to an embodiment of the present application;
FIG. 4 is a diagram of a display interface for another decryption process provided by an embodiment of the present application;
fig. 5 is a flowchart of a method for retrieving an encryption key according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an encrypted file according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an encrypted file with a TLV storage structure according to an embodiment of the present application;
fig. 8 is a flowchart of an encryption process according to an embodiment of the present application;
FIG. 9 is a flowchart of a decryption process according to an embodiment of the present application;
fig. 10 is a display interface diagram illustrating an authentication failure in a decryption process according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of an encryption/decryption system according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of an apparatus for retrieving an encryption key according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. Any number of elements in the drawings are by way of example and not by way of limitation, and any nomenclature is used solely for differentiation and not by way of limitation.
For convenience of understanding, terms referred to in the embodiments of the present application are explained below:
(1) encryption key: a key applied when encrypting the file content;
(2) and (3) recovering the key: the encryption key is randomly generated when the encryption key is encrypted, and the encryption key is recovered when the user forgets to encrypt the encryption key;
(3) and (4) a working key: verifying whether the user has the authority to start recovering the encryption key;
(4) and (3) authentication key: verifying whether a user has the authority to log in the encryption/decryption system, such as a system administrator;
(5) ciphertext: encrypting the file content, wherein the encrypted file content is called a ciphertext;
(6) and (3) secret key cryptograph: and encrypting the encrypted cipher text by the encryption key provided by the user.
(7) Key handling: a handle is an identifier used to represent an object or item, may be used to describe a file, and is generally used to retrieve another object, and may be in the form of an integer, an object, or a pointer, whose purpose is to establish a unique relationship with the object being accessed. And the accessed object of the key handle is the recovery key.
When the existing system encrypts the file, the encryption requirement on the content of the file is only met, but the user may forget the encryption key, so that when the file is reused subsequently, the file decryption fails, and finally, the user data is unavailable. In a specific example, fig. 1 is a display interface diagram of a decryption process in the prior art, and referring to fig. 1, a user can input an encryption key in a popup window; FIG. 2 is a diagram of a display interface in the prior art when a key is incorrectly input; in this case, the number of user input errors reaches an upper limit, and if the upper limit is 3 times, the user cannot open the file, and finally the user data is unavailable.
In the method for retrieving the encryption key, when the system generates an encrypted file, the encryption key of the file content is embedded into the file after being encrypted. When a user decrypts a file, if the user can remember the file encryption key, the user can directly use the encryption key to decrypt the file; if the encryption key is forgotten, the recovery key is decrypted through a key handle in the system after the system authentication is passed, the encryption key and the encryption algorithm information used in the encryption are decrypted by the recovery key, and then the file is decrypted by the decrypted encryption key and the decrypted encryption algorithm.
After introducing the design concept of the embodiment of the present application, some simple descriptions are provided below for application scenarios to which the technical solution of the embodiment of the present application can be applied, and it should be noted that the application scenarios described below are only used for describing the embodiment of the present application and are not limited. In specific implementation, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
Fig. 3 is a display interface diagram of a decryption process according to an embodiment of the present application, and referring to fig. 3, two decryption methods may be provided for a user: the input encryption key is decrypted or the key is restored when the encryption key is forgotten. In practical application, if the user remembers the encryption key, the encryption key can be input in the key input box on the left side; if the user does not remember the encryption key, the right trigger button of 'recovering the encryption key' can be clicked to recover the encryption key; in addition, the user may not be very certain about the encryption key currently in memory, and may choose to input the encryption key to decrypt the key first, or may choose to recover the encryption key.
Fig. 4 is a display interface diagram of another decryption process provided in an embodiment of the present application, and referring to fig. 4, the system may also provide a way for a user to input an encryption key for decryption, and when the number of times of encryption key errors input by the user exceeds a preset number, pop up yes and no trigger buttons to enable or disable recovery of the encryption key, and if the user selects yes, then recover the encryption key by using the method of the embodiment of the present application. When the encryption key is recovered, the system can decrypt by using the encryption key, and the user can view the file content.
Of course, the method provided in the embodiment of the present application is not limited to be used in the application scenarios shown in fig. 3 and fig. 4, and may also be used in other possible application scenarios, and the embodiment of the present application is not limited. The functions that can be implemented by each device in the application scenarios shown in fig. 3 and fig. 4 will be described together in the following method embodiments, and will not be described in detail herein.
To further illustrate the technical solutions provided by the embodiments of the present application, the following detailed description is made with reference to the accompanying drawings and the detailed description. Although the embodiments of the present application provide the method operation steps as shown in the following embodiments or figures, more or less operation steps may be included in the method based on the conventional or non-inventive labor. In steps where no necessary causal relationship exists logically, the order of execution of the steps is not limited to that provided by the embodiments of the present application.
The following describes the technical solution provided by the embodiment of the present application with reference to the application scenarios shown in fig. 3 and fig. 4.
Referring to fig. 5, an embodiment of the present application provides a method for recovering an encryption key, including the following steps:
s501, when the encryption key of the object needs to be recovered, the key handle of the object is obtained.
S502, determining a corresponding recovery key according to the key handle, wherein the recovery key and the key handle are generated in the process of encrypting the object.
S503, decrypting the key ciphertext based on the recovery key to obtain the encryption key.
In the embodiment of the application, for example, when a user forgets to encrypt a key, the encrypted key needs to be recovered, at this time, a key handle of an object is obtained, the key handle and the recovered key are randomly generated in the encryption process, and the recovered key corresponding to the key handle is determined by using the corresponding characteristic between the handle and the accessed object; and then, the key ciphertext is decrypted based on the recovery key to obtain an encryption key. Therefore, when the user forgets the key, the encryption key can be obtained through the decryption process, and the condition of data loss caused by forgetting the encryption key is avoided.
Referring to S501, the object in this embodiment of the present application refers to an encrypted object, and in an actual application process, the encrypted object may be a file, and may also be in other forms such as application software, and the file is taken as an example for description here. When a user wants to open an encrypted file, the user may forget the encryption key, and at this time, the user needs to recover the encryption key used to encrypt the file. In order to complete the recovery process of the encryption key, firstly, a key handle of the object needs to be acquired, then, a recovery key corresponding to the key handle is determined according to the key handle, and the recovery key is applied to recover the encryption key.
And the encryption process for the file is completed before the recovery process of the encryption key. The encryption process of the file can be divided into two parts, wherein the first part is to encrypt the content of the file by applying an encryption algorithm to obtain a ciphertext; the second part is to encrypt the encryption key by applying an encryption algorithm and a recovery key to obtain a key ciphertext; the encryption algorithm for encrypting the file content and the algorithm for encrypting the encryption key do not necessarily have to be linked, and may be the same or different. Specifically, during the encryption process of the file, a recovery key and a key handle corresponding to the recovery key are randomly generated, where the key handle may be identification data with a length of 256 bytes, and the key handle is used for querying the recovery key in the encryption system during decryption. And the recovery key and the corresponding key handle exist in the system, even if the system is attacked, an attacker can not obtain the encryption key only by obtaining the recovery key, and can not obtain the encrypted file content. And encrypting the encryption key by using the recovery key to obtain a key ciphertext. The encryption algorithm applied when encrypting the encryption key is generally an encryption algorithm stored in advance by the system, or an encryption algorithm applied randomly by the system, and is not limited herein. Therefore, even if a file is illegally accessed, the file encryption key of the user cannot be decrypted because the key is not restored. Therefore, the safety of the encryption key is ensured, and the safety of the original data of the user is further ensured.
In this way, the randomly generated key handle and the obtained key ciphertext are stored in the encryption key information segment of the object to be decrypted, and the encryption key information segment stores the relevant information of the encryption key information, so that the encryption key information segment of the object to be decrypted can be identified, and the key handle is read from the encryption key information segment. Taking TLV (Type-length-value) structure storage as an example, the TLV structure is a data structure and is used for parsing a piece of data in a memory or a file. The structure is divided into three parts: a type description field T, a data length L and specific data content V. The type description field T is typically an enumerated value, with different enumerated values indicating different meanings of the content. The data length L is used to describe the length of the following data content V, typically in bytes. The length of the T and L fields is typically fixed, e.g., 1 to 4 bytes, and the V field length is variable. Therefore, the way of identifying the key information segment may be to identify the key information segment by identifying the value of the T field.
Referring to S502, since multiple recovery keys may be stored in advance in the encryption system, or multiple encrypted files exist in the same encryption system, each encrypted file randomly generates a key handle during the encryption process, so that multiple recovery keys may exist in the system. At this time, after the key handle of the current encrypted file is obtained, the recovery key corresponding to the key handle of the current file to be decrypted is determined according to the corresponding relation between each key handle and each recovery key.
Referring to S503, the key ciphertext is decrypted based on the recovery key to obtain an encryption key. In one specific example, the encryption key is 123, the randomly generated recovery key is 456, the corresponding key handle is a, and the encryption key is encrypted 789 in ciphertext form with the recovery key 456, referred to as the key ciphertext. Specifically, the recovery key 456 is applied to decrypt 789 in the form of a ciphertext according to a decryption algorithm corresponding to an applied encryption algorithm when the encryption key is encrypted, so as to obtain the encryption key 123. It should be noted that the above keys are only for convenience of expression, and each key in the actual application process may be in a more complicated form such as a set length or a set data type.
In addition, in order to improve security, when a user forgets an encryption key and needs to recover the encryption key, the identity of the user is verified, for example, whether the user has the right to recover the encryption key is verified. Specifically, each user has its own working key, which is associated with the right to start recovering the encryption key, for example, if the working key belongs to one of the setting keys, it is determined that the user has the right to start recovering the encryption key. For example, when a user logs in the system for the first time, the user needs to input an authentication key, the key is used for authenticating the user when logging in the system, and the authentication is passed, which indicates that the user has the right to access the system. In summary, the authentication key, the work key, the recovery key and the key handle form a three-layer key architecture. The safety of the recovery key is ensured through the authentication key and the working key, and the encryption key is recovered when the user forgets the file encryption key through the safe storage of the recovery key, so that the safety of the whole data can be ensured.
The above-mentioned process is a decryption process in which the user forgets to encrypt the key, and in order to ensure the integrity of the embodiment of the present application, the encryption process is described next.
Specifically, the encrypted file stores various types of information in segments, and the encrypted ciphertext and the encrypted information are stored in the segments. The file header comprises magic word information, encryption algorithm description information and encryption key information; the encrypted file content is a ciphertext obtained by encrypting an original file, and each group of information is respectively stored in a magic field, an encryption algorithm description information segment, an encryption key information segment and a ciphertext segment. Fig. 6 shows a schematic diagram of an encrypted file format, where the magic word, the encryption algorithm description information, and the encryption key information are file headers, and the ciphertext is the encrypted file content. The magic words are fixed at the head of the file, and other sections have no fixed sequence. In a specific example, the length of the magic word is fixed 8 bytes, and the content is fixed as: the contents of the magic words 'S', 'E', 'L', 'F', 'D', 'E', 'F', '0' can be used to determine the file type, so that the type of the file to be decrypted can be first determined by the magic words, and if it is of a type that can be decrypted by the current system, a key input interface is presented to the user. In addition, the content of the object is encrypted by applying an encryption key, and the obtained ciphertext is stored to a ciphertext section of the object to be decrypted; the encryption algorithm for encrypting the content of the object is stored in the algorithm description information segment of the object to be decrypted, so that the ciphertext can be decrypted according to the encryption algorithm and the encryption key. In addition, the encryption algorithm is stored in the encryption object, the condition that the current system cannot decrypt due to the upgrade of the encryption algorithm can be avoided, and the system can obtain the latest encryption algorithm according to the encryption algorithm stored in the encryption object. Thus, even if the encryption algorithm is upgraded, the encrypted file can be decrypted.
In a specific example, fig. 7 shows a schematic diagram of an encrypted file format of a TLV storage structure, and referring to fig. 7, a magic word part is fixed to 8 bytes in length, and the content is fixed to: s ', ' E ', ' L ', ' F ', ' D ', ' E ', ' F ', ' 0 '; the encryption algorithm information segment, the encryption key information segment and the ciphertext segment are stored by adopting a TLV structure. The specific contents of the encrypted file will be described below with a specific example.
Encryption algorithm information segment:
t (type) enumeration value is 1. When the TLV structure is analyzed, T is 1, and the data content of the segment is the description information of the encryption algorithm. The fixed length of T is 8 bytes. L (length) represents the length of the subsequent content of the segment. For example, L ═ 8, indicates that V is 8 bytes in length. The fixed length of L is 8 bytes. V (value) is the encryption algorithm segment content. The content is an OID (Object identifier) definition of the encryption algorithm or a custom enumeration of the encryption algorithm.
For example: since 1.2.156.10197.1.104 applies OID definitions representing the SM4 group key algorithm in the specification for keys. Content 1.2.156.10197.1.104, indicating that the file was encrypted using the SM4 group key algorithm in the commercial key.
Encryption key information segment:
t (type) enumeration value is 2. When the TLV structure is parsed, T is 2, which indicates that the piece of data content is encryption key information. The fixed length of T is 8 bytes. L (length) represents the length of the subsequent content of the segment. For example, when L is 512, it indicates that V has a length of 512 bytes. The fixed length of L is 8 bytes. V (value) is the encryption key information content. The handle a of the content key encryption key and the ciphertext of the ciphertext 789 after the key encryption. The handle of the encryption key is identification data with the length of 256 bytes, which is generated when a recovery key is randomly generated when the encryption system encrypts. The identification data is used to query the recovery key in the cryptographic system. The recovery key and the key handle are securely stored in the encryption system.
A secret document section:
t (type) enumeration value is 3. When the TLV structure is analyzed, T is 3, the data content of the segment is indicated as ciphertext information. The fixed length of T is 8 bytes. L (length) represents the length of the subsequent content of the segment. For example, L1024 indicates that V is 1024 bytes in length. The fixed length of L is 8 bytes. V (value) is ciphertext content. The content is a ciphertext obtained by encrypting the user original file by using the encryption key.
On the basis of the above technical solution, fig. 8 shows a flowchart of an encryption process.
S801, importing the original file of the file to be encrypted into the system.
S802, creating a new file, and writing magic words into the file header of the new file.
S803, encrypting the content of the original file by using the encryption key to obtain a ciphertext, and writing the ciphertext into a ciphertext section of the new file.
S804, writing the encryption algorithm used in encryption into the encryption algorithm description information segment of the new file.
S805, randomly generating a recovery key and a corresponding key handle.
S806, the recovery key is applied to encrypt the encryption key of the original file to obtain a key ciphertext.
S807, the key ciphertext and the key handle are written into the encryption key information segment of the new file.
S808, saving the recovery key and the key handle.
The magic word, the encryption algorithm description information segment, the encryption key information segment and the ciphertext segment form an encrypted file, the process of creating the magic word and the storage process of each information segment have no obvious sequence relation, the steps are only an example, and no specific limitation is formed.
In the embodiment, the encryption algorithm and the key information are written into the ciphertext in a segmented manner; randomly generating a recovery key and a key handle during encryption, and encrypting a file encryption key of a user by using the recovery key; the recovery key and the key handle are safely stored in the system key hardware module, so that the storage safety of the encryption key is improved.
On the basis of the above technical solution, fig. 9 shows a flowchart of a decryption process.
And S901, importing the ciphertext file.
S902, reading the magic word of the ciphertext file to verify the file format.
And S903, if the file format passes the verification, determining the current decryption mode.
And S904, if the current decryption mode is the decryption mode of 'inputting encryption key', receiving the encryption key input by the user.
S905, if the current decryption mode is the decryption mode of 'recovering the encryption key', verifying the work key of the user.
S906, if the work key is successfully verified, the encrypted key information segment is read to obtain the key ciphertext and the key handle.
Specifically, if the work key fails to be verified, the user may be prompted through a popup window, for example, the user is prompted to "no match, you do not have the right to recover the encryption key", see fig. 10.
S907, inquiring the recovery key according to the key handle, and decrypting the key ciphertext by using the recovery key to obtain the encryption key of the user file.
S908, the encrypted text segment and the encryption algorithm information segment are read, and the encrypted text segment is decrypted by applying the recovered encryption key and the encryption algorithm.
And S909, storing the decrypted plaintext file.
In the above embodiment, in the decryption process, the user may select the decryption mode, and input the encryption key or recover the file encryption key by himself; analyzing an encryption algorithm and key encryption information from the ciphertext file; verifying the identity of the user through the authentication key and the working key, and then inquiring a recovery key through the key handle; and recovering the user file encryption key by the recovery key.
On the basis of the above technical solution, the embodiment of the present application further provides a system, which is configured to execute the method for retrieving the encryption/encryption key of the foregoing embodiment, and referring to fig. 11, the system includes an authentication module 111, a file encryption module 112, a file decryption module 113, and a key secure storage module 114. Specifically, the authentication module 111 is used for authenticating a system administrator, and after the administrator passes authentication, the administrator can perform management of the work key, such as adding a new work key and removing an old work key, and initializing and modifying the work key. The file encryption module 112 is used for the system administrator to generate an encrypted file according to the encryption algorithm selected by the user and the input encryption key, and simultaneously randomly generate a recovery key and a key handle to be stored in the key security storage module. And a file decryption module 113 for the system administrator to decrypt the file according to the encryption algorithm selected by the user and the inputted encryption key, and if the system administrator forgets the encryption key, the encryption key and the encryption algorithm may be decrypted by the module, and then the file may be decrypted. The key security storage Module 114 is used to store various keys used in the system, and the entity of the key security storage Module may be security key hardware, such as a Trusted Platform Module (TPM) or an encrypted file system.
As shown in fig. 12, based on the same inventive concept as the above-mentioned method for retrieving an encryption key, an embodiment of the present application further provides an apparatus for retrieving an encryption key, which includes a key handle obtaining module 121, a recovery key determining module 122, and an encryption key determining module 123.
A key handle obtaining module 121, configured to obtain a key handle of an object when an encryption key of the object needs to be recovered;
a recovery key determining module 122, configured to determine a corresponding recovery key according to a key handle, where the recovery key and the key handle are generated in an object encryption process;
and the encryption key determining module 123 is configured to decrypt the key ciphertext based on the recovered key to obtain an encryption key.
In the embodiment of the application, for example, when a user forgets to encrypt a key, the encrypted key needs to be recovered, at this time, a key handle of an object is obtained, the key handle and the recovered key are randomly generated in the encryption process, and the recovered key corresponding to the key handle is determined by using the corresponding characteristic between the handle and the accessed object; and then, the key ciphertext is decrypted based on the recovery key to obtain an encryption key. Therefore, when the user forgets the key, the encryption key can be obtained through the decryption process, and the condition of data loss caused by forgetting the encryption key is avoided.
In some exemplary embodiments, the apparatus further includes a generating module, configured to randomly generate a recovery key and a key handle corresponding to the recovery key after the encryption key is applied to encrypt the object before obtaining the key handle of the object; and encrypting the encryption key by using the recovery key to obtain a key ciphertext.
In some exemplary embodiments, the apparatus further includes a first storage module, configured to store the key handle and the key ciphertext to a key information segment of the object to be decrypted;
the key handle obtaining module is specifically configured to:
identifying a key information segment of an object to be decrypted;
the key handle of the object is read from the key information segment.
In some exemplary embodiments, the recovery key determination module 122 is specifically configured to:
acquiring the corresponding relation between each key handle and each recovery key;
and determining a recovery key corresponding to the key handle of the object to be decrypted according to the corresponding relation.
In some exemplary embodiments, the object to be decrypted further includes a ciphertext segment and an algorithm description information segment;
the system also comprises a second storage module, which is used for determining the ciphertext section and the algorithm description information section in the following modes:
encrypting the content of the object by using the encryption key, and storing the obtained ciphertext into a ciphertext segment of the object to be decrypted;
and storing the encryption algorithm for encrypting the content of the object into the algorithm description information segment of the object to be decrypted.
In some exemplary embodiments, the method further includes determining the detected working key to be the set working key before obtaining the key handle of the object.
The device for retrieving an encryption key and the method for retrieving an encryption key provided by the embodiment of the application adopt the same inventive concept, can obtain the same beneficial effects, and are not described herein again.
Based on the same inventive concept as the above method for retrieving the encryption key, an embodiment of the present application further provides an electronic device, which may be specifically a desktop computer, a portable computer, a smart phone, a tablet computer, a Personal Digital Assistant (PDA), a server, and the like. As shown in fig. 13, the electronic device may include a processor 131 and a memory 132.
The Processor 131 may be a general-purpose Processor, such as a Central Processing Unit (CPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present Application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; the computer storage media may be any available media or data storage device that can be accessed by a computer, including but not limited to: various media that can store program codes include a removable Memory device, a Random Access Memory (RAM), a magnetic Memory (e.g., a flexible disk, a hard disk, a magnetic tape, a magneto-optical disk (MO), etc.), an optical Memory (e.g., a CD, a DVD, a BD, an HVD, etc.), and a semiconductor Memory (e.g., a ROM, an EPROM, an EEPROM, a nonvolatile Memory (NAND FLASH), a Solid State Disk (SSD)).
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media that can store program codes include a removable Memory device, a Random Access Memory (RAM), a magnetic Memory (e.g., a flexible disk, a hard disk, a magnetic tape, a magneto-optical disk (MO), etc.), an optical Memory (e.g., a CD, a DVD, a BD, an HVD, etc.), and a semiconductor Memory (e.g., a ROM, an EPROM, an EEPROM, a nonvolatile Memory (NAND FLASH), a Solid State Disk (SSD)).
The above embodiments are only used to describe the technical solutions of the present application in detail, but the above embodiments are only used to help understanding the method of the embodiments of the present application, and should not be construed as limiting the embodiments of the present application. Modifications and substitutions that may be readily apparent to those skilled in the art are intended to be included within the scope of the embodiments of the present application.
Claims (10)
1. A method for recovering an encryption key, comprising:
when an encryption key of an object needs to be recovered, acquiring a key handle of the object;
determining a corresponding recovery key according to the key handle, wherein the recovery key and the key handle are generated in the process of encrypting the object;
and decrypting the key ciphertext based on the recovery key to obtain the encryption key.
2. The method of claim 1, wherein before obtaining the key handle of the object, further comprising:
after the encryption key is applied to encrypt the object, a recovery key and a key handle corresponding to the recovery key are randomly generated;
and encrypting the encryption key by using the recovery key to obtain a key ciphertext.
3. The method of claim 2, further comprising:
storing the key handle and the key ciphertext to a key information segment of an object to be decrypted;
the obtaining the key handle of the object comprises:
identifying a key information segment of the object to be decrypted;
and reading the key handle of the object from the key information segment.
4. The method of claim 3, wherein determining the corresponding recovery key based on the key handle comprises:
acquiring the corresponding relation between each key handle and each recovery key;
and determining a recovery key corresponding to the key handle of the object to be decrypted according to the corresponding relation.
5. The method according to claim 3, wherein the object to be decrypted further comprises a ciphertext segment and an algorithm description information segment;
wherein the ciphertext segment and the algorithm description information segment are determined by:
encrypting the content of the object by using an encryption key, and storing the obtained ciphertext into a ciphertext section of the object to be decrypted;
and storing the encryption algorithm for encrypting the content of the object to the algorithm description information segment of the object to be decrypted.
6. The method according to any one of claims 1 to 5, further comprising, before obtaining the key handle of the object:
and determining the detected working key as the set working key.
7. An apparatus for retrieving an encryption key, comprising:
the key handle acquisition module is used for acquiring the key handle of the object when the encryption key of the object needs to be recovered;
a recovery key determining module, configured to determine a corresponding recovery key according to the key handle, where the recovery key and the key handle are generated in an encryption process of the object;
and the encryption key determining module is used for decrypting the key ciphertext based on the recovery key to obtain the encryption key.
8. The apparatus according to claim 7, further comprising a generating module, configured to randomly generate a recovery key and a key handle corresponding to the recovery key after the object is encrypted by applying the encryption key before the key handle of the object is obtained; and encrypting the encryption key by using the recovery key to obtain a key ciphertext.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 6 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium having computer program instructions stored thereon, which, when executed by a processor, implement the steps of the method of any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011614460.5A CN112613058A (en) | 2020-12-30 | 2020-12-30 | Method and device for retrieving encryption key, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011614460.5A CN112613058A (en) | 2020-12-30 | 2020-12-30 | Method and device for retrieving encryption key, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112613058A true CN112613058A (en) | 2021-04-06 |
Family
ID=75249551
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011614460.5A Pending CN112613058A (en) | 2020-12-30 | 2020-12-30 | Method and device for retrieving encryption key, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112613058A (en) |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1324028A (en) * | 2000-05-11 | 2001-11-28 | 松下电器产业株式会社 | Document managing device |
| CN1697367A (en) * | 2004-04-02 | 2005-11-16 | 微软公司 | A method and system for recovering password protected private data via a communication network without exposing the private data |
| CN102420821A (en) * | 2011-11-28 | 2012-04-18 | 飞天诚信科技股份有限公司 | Method and system for improving transmission security of file |
| CN103220293A (en) * | 2013-04-23 | 2013-07-24 | 福建伊时代信息科技股份有限公司 | File protecting method and file protecting device |
| CN106788996A (en) * | 2016-12-08 | 2017-05-31 | 郑州云海信息技术有限公司 | A kind of operating system password remapping method and system |
| CN107925577A (en) * | 2014-06-13 | 2018-04-17 | 百可德罗德公司 | The method and computer program product for generating and managing for encryption key |
| CN110032874A (en) * | 2019-01-31 | 2019-07-19 | 阿里巴巴集团控股有限公司 | A kind of date storage method, device and equipment |
| CN111414628A (en) * | 2019-01-08 | 2020-07-14 | 阿里巴巴集团控股有限公司 | Data storage method and device and computing equipment |
| CN111669530A (en) * | 2020-05-07 | 2020-09-15 | 浙江大华技术股份有限公司 | Method for setting video playback permission, video recording equipment and computer equipment |
| CN111800273A (en) * | 2020-06-30 | 2020-10-20 | 联想(北京)有限公司 | Information processing method, electronic device, and storage medium |
-
2020
- 2020-12-30 CN CN202011614460.5A patent/CN112613058A/en active Pending
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1324028A (en) * | 2000-05-11 | 2001-11-28 | 松下电器产业株式会社 | Document managing device |
| CN1697367A (en) * | 2004-04-02 | 2005-11-16 | 微软公司 | A method and system for recovering password protected private data via a communication network without exposing the private data |
| CN102420821A (en) * | 2011-11-28 | 2012-04-18 | 飞天诚信科技股份有限公司 | Method and system for improving transmission security of file |
| CN103220293A (en) * | 2013-04-23 | 2013-07-24 | 福建伊时代信息科技股份有限公司 | File protecting method and file protecting device |
| CN107925577A (en) * | 2014-06-13 | 2018-04-17 | 百可德罗德公司 | The method and computer program product for generating and managing for encryption key |
| CN106788996A (en) * | 2016-12-08 | 2017-05-31 | 郑州云海信息技术有限公司 | A kind of operating system password remapping method and system |
| CN111414628A (en) * | 2019-01-08 | 2020-07-14 | 阿里巴巴集团控股有限公司 | Data storage method and device and computing equipment |
| CN110032874A (en) * | 2019-01-31 | 2019-07-19 | 阿里巴巴集团控股有限公司 | A kind of date storage method, device and equipment |
| CN111669530A (en) * | 2020-05-07 | 2020-09-15 | 浙江大华技术股份有限公司 | Method for setting video playback permission, video recording equipment and computer equipment |
| CN111800273A (en) * | 2020-06-30 | 2020-10-20 | 联想(北京)有限公司 | Information processing method, electronic device, and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 郑汉垣: "快速获取WPS加密文件的密钥", 龙岩师专学报 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9740849B2 (en) | Registration and authentication of computing devices using a digital skeleton key | |
| US8533492B2 (en) | Electronic device, key generation program, recording medium, and key generation method | |
| US8175268B2 (en) | Generating and securing archive keys | |
| US8844049B2 (en) | Method for generating a cryptographic key for a protected digital data object on the basis of current components of a computer | |
| US20070074038A1 (en) | Method, apparatus and program storage device for providing a secure password manager | |
| EP2051181A1 (en) | Information terminal, security device, data protection method, and data protection program | |
| EP2803011B1 (en) | Detection of invalid escrow keys | |
| US20100011221A1 (en) | Secured storage device with two-stage symmetric-key algorithm | |
| CN110826091B (en) | File signature method and device, electronic equipment and readable storage medium | |
| US20190018762A1 (en) | Test methodology for detection of unwanted cryptographic key destruction | |
| US8499357B1 (en) | Signing a library file to verify a callback function | |
| US8144876B2 (en) | Validating encrypted archive keys with MAC value | |
| KR20100106110A (en) | Secure boot data total management system, methods for generating and verifying a verity of matadata for managing secure boot data, computer-readable recording medium storing program for executing any of such methods | |
| US8494169B2 (en) | Validating encrypted archive keys | |
| CN108376212B (en) | Execution code security protection method and device and electronic device | |
| KR101405915B1 (en) | Method for writing data by encryption and reading the data thereof | |
| CN110674525A (en) | Electronic equipment and file processing method thereof | |
| CN111010275A (en) | Key management method, method for generating key and key management system | |
| CN112613058A (en) | Method and device for retrieving encryption key, electronic equipment and storage medium | |
| CN110909318B (en) | Operating system anti-theft method and device for user equipment and terminal | |
| CN112464203A (en) | Data format detection method based on intelligent password key application interface and electronic equipment | |
| CN112800492A (en) | Control method and device for decrypting disk data | |
| CN108667594B (en) | Software program module integrity detection method based on PKI public key algorithm | |
| WO2021098968A1 (en) | Device and method for ransomware decryption | |
| CN116089967B (en) | Data rollback prevention method and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |