CN112825095A - Method, apparatus, electronic device and medium for protecting sensitive information in application - Google Patents

Info

Publication number
CN112825095A
Authority
CN
China
Prior art keywords
application
sensitive information
encrypting
secret key
encryption key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911152102.4A
Other languages
Chinese (zh)
Inventor
方城
吴松
单宏强
洪敬风
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd, Beijing Jingdong Shangke Information Technology Co Ltd
Priority to CN201911152102.4A
Publication of CN112825095A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The present disclosure provides a method for protecting sensitive information in an application, comprising: acquiring characteristic information of the application; generating a digital fingerprint according to the characteristic information, wherein the digital fingerprint comprises data used for representing the self characteristics of the application; generating an encryption key based on the digital fingerprint; and encrypting the sensitive information based on the encryption key, wherein encrypting the sensitive information based on the encryption key comprises: encrypting the sensitive information or a secret key of the sensitive information with the encryption key. The present disclosure also provides an apparatus, an electronic device, and a computer-readable storage medium for protecting sensitive information in an application.

Description

Method, apparatus, electronic device and medium for protecting sensitive information in application
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, an electronic device, and a medium for protecting sensitive information in an application.
Background
The application server typically has some sensitive information stored therein, such as credentials to access external services. To secure the credentials, the credentials are typically stored in the application server after being encrypted.
In implementing the disclosed concept, the inventors found that there are at least the following problems in the related art: if the key used for encrypting the sensitive information is stored in the local server, the key is easy to obtain, and the sensitive information is easy to leak; if the key is stored on a remote server, the complexity of the application is increased.
Disclosure of Invention
In view of the above, the present disclosure provides a method, an apparatus, an electronic device, and a medium for protecting sensitive information in an application.
One aspect of the present disclosure provides a method for protecting sensitive information in an application, comprising: acquiring characteristic information of the application; generating a digital fingerprint according to the characteristic information, wherein the digital fingerprint comprises data used for representing the self characteristics of the application; generating an encryption key based on the digital fingerprint; and encrypting the sensitive information based on the encryption key, wherein encrypting the sensitive information based on the encryption key comprises: encrypting the sensitive information or a secret key of the sensitive information with the encryption key.
According to an embodiment of the present disclosure, the application includes a Java application, and the feature information includes: the respective storage paths of a plurality of jar files of the Java application; or the respective digest information of the plurality of jar files, the digest information being generated by encrypting the jar files according to a digest algorithm.
According to an embodiment of the present disclosure, the application includes a Java application, the feature information includes storage paths of a plurality of jar files of the Java application, and obtaining the feature information of the application includes: acquiring a class loader of the application; determining whether the application is deployed in a Tomcat container; and reading the storage paths of the plurality of jar files from a first type of class loader if the application is determined to be deployed in the Tomcat container; or reading the storage paths of the plurality of jar files from a second type of class loader if the application is not deployed in the Tomcat container.
According to an embodiment of the disclosure, the feature information includes respective storage paths of a plurality of jar files of the java application, and the generating the digital fingerprint according to the feature information includes: sequencing the storage paths of the plurality of jar files according to a preset rule, and merging the storage paths of the plurality of jar files which are sequenced to generate a data string; and encrypting the data string using a digest algorithm to generate a digital fingerprint using the data string.
According to the embodiment of the disclosure, sorting the storage paths of the plurality of jar files according to a preset rule comprises: arranging the storage paths of the plurality of jar files in ascending or descending order according to the string comparison of the storage paths.
According to an embodiment of the present disclosure, the encrypting the secret key of the sensitive information based on the encryption key includes: generating a random number as a secret key of the sensitive information; encrypting the secret key with the encryption key to generate a ciphertext of the secret key; encrypting the sensitive information based on the secret key; and storing the ciphertext of the secret key to facilitate decryption of the sensitive information.
Another aspect of the present disclosure provides an apparatus for protecting sensitive information in an application, comprising: the acquisition module is used for acquiring the characteristic information of the application; a first generation module, configured to generate a digital fingerprint according to the feature information, where the digital fingerprint includes data representing a feature of the application; a second generation module to generate an encryption key based on the digital fingerprint; and an encryption module configured to encrypt the sensitive information based on the encryption key, wherein encrypting the sensitive information based on the encryption key comprises: encrypting the sensitive information or a secret key of the sensitive information with the encryption key.
According to an embodiment of the present disclosure, an encryption module includes: a first generation submodule, configured to generate a random number, where the random number is used as a secret key of the sensitive information; a second generation submodule, configured to encrypt the secret key with the encryption key to generate a ciphertext of the secret key; an encryption sub-module for encrypting the sensitive information based on the secret key; and the storage submodule is used for storing the ciphertext of the secret key so as to decrypt the sensitive information.
Another aspect of the present disclosure provides an electronic device comprising one or more processors; a storage device to store one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of the above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
According to the embodiment of the disclosure, the problem that sensitive information in an application is easy to leak can be at least partially solved, and therefore, the technical effect of improving the safety of the sensitive information in the application can be achieved.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a flow diagram of a method for protecting sensitive information in an application, in accordance with an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of obtaining feature information of an application according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow chart of a method of generating a digital fingerprint from feature information according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a method of secret key encryption of sensitive information based on an encryption key in accordance with an embodiment of the present disclosure;
FIG. 5 schematically illustrates a schematic diagram of an apparatus for protecting sensitive information in an application, according to an embodiment of the present disclosure; and
FIG. 6 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
An embodiment of the present disclosure provides a method for protecting sensitive information in an application, including: acquiring characteristic information of an application; generating a digital fingerprint according to the characteristic information, wherein the digital fingerprint comprises data used for representing the self characteristics of the application; generating an encryption key based on the digital fingerprint; and encrypting the sensitive information based on an encryption key. Wherein encrypting the sensitive information based on the encryption key comprises: the sensitive information or the secret key of the sensitive information is encrypted with an encryption key.
According to the embodiment of the present disclosure, an application server generally needs to store credentials for accessing external services in a configuration file, for example, the account password of a database. To secure sensitive information such as credentials, the sensitive information may be encrypted, for example, and the encrypted ciphertext may be stored in a database. Protecting the key used for encrypting the sensitive information then becomes the crux of protecting the security of the sensitive information. Since the key itself must also be usable by the application service to decrypt the credential ciphertext (e.g., the database password), the key cannot be protected with an irreversible algorithm such as Secure Hash. If symmetric encryption is used again to protect the key, the key that encrypts that key becomes the object to be protected in turn. This forms an endless loop of protection. In actual practice, many application services simply store the key in a local file in the clear and do not protect it. If the keys are stored on a remote server, the complexity of the application service is increased, and the resulting external dependency also reduces the availability of the application service. Therefore, sensitive information in an application cannot be effectively protected in the related art.
FIG. 1 schematically shows a flow diagram of a method for protecting sensitive information in an application, in accordance with an embodiment of the present disclosure.
As shown in fig. 1, the method includes operations S101 to S104.
In operation S101, feature information of an application is acquired.
According to the embodiment of the present disclosure, the feature information of the application may be features of the application itself, and the application may be uniquely determined according to the features.
According to the embodiment of the disclosure, the application may be, for example, a java application, and the feature information may be, for example, a storage path of each of a plurality of jar files of the java application, or digest information of each of the plurality of jar files, the digest information being generated by encrypting the plurality of jar files according to a digest algorithm.
It is to be understood that the application may be other applications and is not limited to java applications. The characteristic information of an application may be any characteristic that the application has, and the characteristic may not be available to other applications.
In operation S102, a digital fingerprint is generated according to the feature information, wherein the digital fingerprint includes data representing own features of the application.
The digital fingerprint may be, for example, binary data generated from features of the application itself; it relates only to the application itself, and different applications produce different digital fingerprints.
In operation S103, an encryption key is generated based on the digital fingerprint.
According to embodiments of the present disclosure, the digital fingerprint may be used directly as an encryption key. Alternatively, the result of transforming the digital fingerprint according to a predetermined rule may be used as the encryption key, for example, the result of encrypting the digital fingerprint may be used as the encryption key.
In operation S104, sensitive information is encrypted based on the encryption key. Wherein encrypting the sensitive information based on the encryption key comprises: encrypting the sensitive information or a secret key of the sensitive information with the encryption key.
According to one embodiment of the present disclosure, sensitive information is directly encrypted using an encryption key. According to another embodiment of the present disclosure, the encryption key encrypts a secret key of the sensitive information, for example. Wherein the secret key is a key used for encrypting sensitive information.
In particular, for example, in an embodiment where the digital fingerprint is directly used as an encryption key, the digital fingerprint may be used as a key for encrypting the sensitive information, and the sensitive information may be encrypted by using a symmetric encryption technique. Alternatively, the digital fingerprint may be used as a key for encrypting the secret key, which is encrypted using a symmetric encryption technique.
According to the embodiment of the disclosure, the method encrypts the sensitive information by generating the digital fingerprint according to the characteristics of the application, and the encryption key generated from the digital fingerprint does not need to be persisted to storage. When decryption is needed, the server can determine the encryption key according to the characteristics of the application, so that the encryption key is prevented from being leaked, and the security of sensitive information is improved. Here, persisting to storage may refer to storing the encryption key in the storage unit.
Fig. 2 schematically shows a flowchart of a method of obtaining feature information of an application according to an embodiment of the present disclosure.
As shown in fig. 2, the method may include operations S111 to S131. In the method, the characteristic information includes storage paths of a plurality of jar files of the java application.
In operation S111, a class loader of an application is acquired.
For example, the system class loader of a Java application may be obtained through ClassLoader.getSystemClassLoader(), and the thread class loader may be obtained, for example, through Thread.currentThread().getContextClassLoader().
According to an embodiment of the present disclosure, for example, an SDK may be designed, and a class loader of an application may be acquired through the SDK.
In operation S121, it is determined whether the application is deployed in a Tomcat container (a type of java web server).
In operation S131, in case that it is determined that the application is deployed in the Tomcat container, reading a storage path of a plurality of jar files from the first type loader; or reading the storage paths of the plurality of jar files from the second type loader under the condition that the application is not deployed in the Tomcat container.
According to an embodiment of the disclosure, if the application is deployed in the Tomcat container, the plurality of jar files of the application may be loaded by the thread class loader, so that the storage paths of the plurality of jar files may be read from the thread class loader.
If the application is not deployed in the Tomcat container, the plurality of jar files of the application may be loaded by the system class loader, so that the storage paths of the plurality of jar files may be read from the system class loader.
According to an embodiment of the present disclosure, both the SystemClassLoader and the ContextClassLoader are actually URLClassLoader instances. The list of URLs of the jars that they load can be obtained, for example, using the following code: URL[] urls = ((URLClassLoader) ctxl).getURLs();
According to the embodiment of the disclosure, the method can acquire the storage paths of a plurality of jar files from different class loaders for different types of applications. Therefore, the method can be applied to applications deployed in Tomcat containers and applications not deployed in Tomcat containers, and the application range of the method is expanded.
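Added example (not part of the patent text or the applicant's code): one way to carry out operations S111 to S131 in Java. The `catalina.home` system property as the Tomcat check, the class and method names, and the `java.class.path` fallback for JDK 9 and later (where the system class loader is no longer a URLClassLoader and the cast would throw ClassCastException) are assumptions of this example.

```java
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.List;

public class JarPathCollector {

    /**
     * S121: decide whether the application runs inside Tomcat.
     * Assumption: Tomcat's startup scripts set the catalina.home system
     * property; the page does not say how the check is performed.
     */
    static boolean deployedInTomcat() {
        return System.getProperty("catalina.home") != null;
    }

    /** S111: pick the thread (context) loader in Tomcat, the system loader otherwise. */
    static ClassLoader selectLoader() {
        return deployedInTomcat()
                ? Thread.currentThread().getContextClassLoader()
                : ClassLoader.getSystemClassLoader();
    }

    /** S131: read the storage paths of the jar files known to the chosen loader. */
    static List<String> jarPaths(ClassLoader loader) {
        List<String> paths = new ArrayList<>();
        if (loader instanceof URLClassLoader) {
            // Holds for the Tomcat web application loader and for the
            // system loader on Java 8 and earlier.
            for (URL url : ((URLClassLoader) loader).getURLs()) {
                if (url.getPath().endsWith(".jar")) {
                    paths.add(url.getPath());
                }
            }
        } else {
            // JDK 9+: the system loader cannot be cast to URLClassLoader,
            // so read the class path the JVM was started with instead.
            String classPath = System.getProperty("java.class.path", "");
            for (String entry : classPath.split(File.pathSeparator)) {
                if (entry.endsWith(".jar")) {
                    paths.add(new File(entry).getAbsolutePath());
                }
            }
        }
        return paths;
    }

    public static void main(String[] args) {
        ClassLoader loader = selectLoader();
        System.out.println("Tomcat: " + deployedInTomcat()
                + ", loader: " + loader.getClass().getName());
        for (String path : jarPaths(loader)) {
            System.out.println(path);
        }
    }
}
```

The paths returned are absolute, so the same application unpacked into a different directory yields a different list and therefore a different fingerprint.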
According to an embodiment of the present disclosure, the feature information includes respective storage paths of a plurality of jar files of the java application, and the generating the digital fingerprint according to the feature information includes: sequencing the storage paths of the plurality of jar files according to a preset rule, and merging the storage paths of the plurality of sequenced jar files to generate a data string; and encrypting the data string using a digest algorithm to generate a digital fingerprint using the data string.
Fig. 3 schematically illustrates a flow chart of a method of generating a digital fingerprint from feature information according to an embodiment of the present disclosure.
As shown in fig. 3, the method may include operations S112 to S122.
In operation S112, the storage paths of the plurality of jar files are sorted according to a preset rule, and the sorted storage paths of the plurality of jar files are merged to generate a data string.
According to the embodiment of the disclosure, the storage paths of the plurality of jar files may be arranged, for example, in ascending or descending order according to the string comparison of the storage paths. Specifically, suppose there are 3 jar files whose storage paths are aac, vuk, and kde. The strings aac, vuk and kde are compared character by character, starting from the leftmost character: the string with the larger character is the larger, the string with the smaller character is the smaller, and if the characters are equal the comparison continues with the following characters. The ascending order by string comparison is then aac, kde, vuk. The data string resulting from merging the 3 storage paths may be aackdevuk.
It should be understood that aac, kde, vuk are merely schematic representations of the storage path for illustrating the present embodiment, and do not represent actual storage path formats.
In operation S122, the data string is encrypted using a digest algorithm to generate a digital fingerprint using the data string.
The aackdevuk may be normalized to a 16-byte digital fingerprint using, for example, the SHA256 (Secure Hash Algorithm 2) algorithm.
FIG. 4 schematically illustrates a flow chart of a method of encrypting a secret key of sensitive information based on an encryption key according to an embodiment of the disclosure.
As shown in fig. 4, the method may include operations S114 to S144.
In operation S114, a random number is generated as a secret key of the sensitive information.
According to embodiments of the present disclosure, the random number may be, for example, a random binary number. The binary number may be used as a secret key for sensitive information.
The secret key is encrypted with the encryption key to generate a ciphertext of the secret key in operation S124. For example, the encryption key may be used as a key for encrypting the secret key, and the secret key may be encrypted by a symmetric key encryption algorithm.
In operation S134, the sensitive information is encrypted based on the secret key. For example, the sensitive information may be encrypted by a symmetric key encryption algorithm using a binary number as a secret key of the sensitive information.
In operation S144, the ciphertext of the secret key is stored to facilitate decryption of the sensitive information. The ciphertext of the encrypted secret key may be stored locally, for example.
According to the embodiment of the disclosure, the method uses the random number as the secret key of the sensitive information, encrypts the sensitive information by using the secret key to generate the ciphertext of the sensitive information, and uses the encryption key generated by the digital fingerprint to encrypt the secret key so as to generate the ciphertext of the secret key, and stores the ciphertext of the secret key for decryption. The method further improves the security of the sensitive information.
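Added example (not part of the patent text or the applicant's code): operations S112 to S122 and S114 to S144 carried through in Java, including decryption at startup and the failure that results when the jar set, and with it the fingerprint, changes. AES-GCM as the symmetric algorithm, truncation of the 32-byte SHA-256 output to 16 bytes, and all class and method names are assumptions of this example; the sample paths and credential are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class FingerprintEnvelope {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 12;    // bytes, GCM nonce
    private static final int TAG_BITS = 128; // GCM authentication tag

    /** S112 + S122: sort ascending by string comparison, merge, digest. */
    static byte[] fingerprint(List<String> jarPaths) throws GeneralSecurityException {
        String merged = jarPaths.stream().sorted().collect(Collectors.joining());
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(merged.getBytes(StandardCharsets.UTF_8));
        // SHA-256 yields 32 bytes; keeping the first 16 gives an AES-128 key
        // (assumption: the page only states a 16-byte fingerprint).
        return Arrays.copyOf(digest, 16);
    }

    /** AES-GCM encryption; returns IV followed by ciphertext and tag. */
    static byte[] seal(byte[] key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(TAG_BITS, iv));
        byte[] body = cipher.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, IV_LEN + body.length);
        System.arraycopy(body, 0, out, IV_LEN, body.length);
        return out;
    }

    /** Inverse of seal(); throws AEADBadTagException if the key is wrong. */
    static byte[] open(byte[] key, byte[] blob) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return cipher.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, using the page's schematic path names.
        List<String> paths = Arrays.asList("vuk", "aac", "kde");

        // S103: the fingerprint is used directly as the encryption key.
        byte[] encryptionKey = fingerprint(paths);

        byte[] secretKey = new byte[16];                       // S114: random secret key
        RNG.nextBytes(secretKey);
        byte[] wrappedKey = seal(encryptionKey, secretKey);    // S124
        byte[] ciphertext = seal(secretKey,                    // S134
                "example-db-password".getBytes(StandardCharsets.UTF_8));
        // S144: only wrappedKey and ciphertext are stored; encryptionKey is not.

        // At startup the key is recomputed from the same paths (any order).
        byte[] recomputed = fingerprint(Arrays.asList("kde", "vuk", "aac"));
        byte[] recovered = open(open(recomputed, wrappedKey), ciphertext);
        System.out.println(new String(recovered, StandardCharsets.UTF_8));

        // A changed jar set (renamed or added dependency) changes the key,
        // so stored secrets must be re-wrapped whenever the jar set changes.
        try {
            open(fingerprint(Arrays.asList("aac", "kde", "vuk2")), wrappedKey);
        } catch (AEADBadTagException e) {
            System.out.println("unwrap failed: fingerprint changed");
        }
    }
}
```

Because the fingerprint is computed only from the jar paths, anything able to list those paths on the server can recompute the encryption key, so the file permissions on the stored ciphertexts still matter.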
Fig. 5 schematically shows a schematic diagram of an apparatus 500 for protecting sensitive information in an application according to an embodiment of the present disclosure.
As shown in fig. 5, the apparatus 500 may include an obtaining module 510, a first generating module 520, a second generating module 530, and an encrypting module 540.
The obtaining module 510 may, for example, perform operation S101 described above with reference to fig. 1, for obtaining the feature information of the application.
The first generating module 520 may, for example, perform operation S102 described above with reference to fig. 1, for generating a digital fingerprint according to the feature information, wherein the digital fingerprint includes data representing the feature of the application.
The second generating module 530, for example, may perform operation S103 described above with reference to fig. 1 for generating an encryption key based on the digital fingerprint.
The encryption module 540, for example, may perform operation S104 described above with reference to fig. 1, for encrypting the sensitive information based on the encryption key. Wherein encrypting the sensitive information based on the encryption key comprises: encrypting the sensitive information or a secret key of the sensitive information with the encryption key.
According to an embodiment of the present disclosure, the application includes a Java application, and the feature information includes: the respective storage paths of a plurality of jar files of the Java application; or the respective digest information of the plurality of jar files, the digest information being generated by encrypting the jar files according to a digest algorithm.
According to an embodiment of the disclosure, the feature information includes storage paths of a plurality of jar files of the java application, and the obtaining the feature information of the application includes: acquiring a class loader of the application; determining whether the application is deployed in a Tomcat container; and reading a storage path of the plurality of jar files from a first class loader if the application is determined to be deployed in a Tomcat container; or reading the storage paths of the plurality of jar files from a second class loader if the application is not deployed in the Tomcat container.
According to an embodiment of the disclosure, the feature information includes respective storage paths of a plurality of jar files of the java application, and the generating the digital fingerprint according to the feature information includes: sequencing the storage paths of the plurality of jar files according to a preset rule, and merging the storage paths of the plurality of jar files which are sequenced to generate a data string; and encrypting the data string using a digest algorithm to generate a digital fingerprint using the data string.
According to the embodiment of the disclosure, sorting the storage paths of the plurality of jar files according to a preset rule comprises: arranging the storage paths of the plurality of jar files in ascending or descending order according to the string comparison of the storage paths.
According to an embodiment of the present disclosure, an encryption module includes: the first generation submodule is used for generating a random number, and the random number is used as a secret key of the sensitive information; the second generation submodule is used for encrypting the secret key by using the encryption key so as to generate a ciphertext of the secret key; the encryption submodule is used for encrypting the sensitive information based on the secret key; and the storage submodule is used for storing the ciphertext of the secret key so as to decrypt the sensitive information.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the obtaining module 510, the first generating module 520, the second generating module 530, and the encrypting module 540 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the obtaining module 510, the first generating module 520, the second generating module 530, and the encrypting module 540 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware by any other reasonable manner of integrating or packaging a circuit, or may be implemented in any one of three implementations of software, hardware, and firmware, or in a suitable combination of any of them. Alternatively, at least one of the obtaining module 510, the first generating module 520, the second generating module 530 and the encrypting module 540 may be at least partially implemented as a computer program module, which when executed, may perform a corresponding function.
Fig. 6 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 6 is only an example, and should not impose any limitation on the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. Processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 601 may also include onboard memory for caching purposes. Processor 601 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. The processor 601 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or RAM 603. It is to be noted that the programs may also be stored in one or more memories other than the ROM 602 and RAM 603. The processor 601 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 600 may also include an input/output (I/O) interface 605, which is also connected to the bus 604. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input section 606 including a keyboard, a mouse, and the like; an output section 607 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is installed in the storage section 608 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 602 and/or RAM 603 described above and/or one or more memories other than the ROM 602 and RAM 603.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A method for protecting sensitive information in an application, comprising:
acquiring characteristic information of the application;
generating a digital fingerprint according to the characteristic information, wherein the digital fingerprint comprises data representing characteristics of the application itself;
generating an encryption key based on the digital fingerprint; and
encrypting the sensitive information based on the encryption key,
wherein encrypting the sensitive information based on the encryption key comprises: encrypting the sensitive information or a secret key of the sensitive information with the encryption key.
2. The method of claim 1, wherein the application comprises a java application, and the characteristic information comprises:
the respective storage paths of a plurality of jar files of the java application; or digest information of each of the plurality of jar files, generated by encrypting the jar files according to a digest algorithm.
3. The method of claim 2, wherein the characteristic information comprises the storage paths of a plurality of jar files of the java application, and the acquiring the characteristic information of the application comprises:
acquiring a class loader of the application;
determining whether the application is deployed in a Tomcat container; and
reading the storage paths of the plurality of jar files from a class loader of a first type if the application is determined to be deployed in a Tomcat container; or reading the storage paths of the plurality of jar files from a class loader of a second type if the application is determined not to be deployed in a Tomcat container.
4. The method of claim 2, wherein the characteristic information comprises the storage path of each of a plurality of jar files of the java application, and the generating a digital fingerprint according to the characteristic information comprises:
sorting the storage paths of the plurality of jar files according to a preset rule, and merging the sorted storage paths of the plurality of jar files to generate a data string; and
encrypting the data string using a digest algorithm to generate the digital fingerprint from the data string.
5. The method according to claim 4, wherein the sorting the storage paths of the plurality of jar files according to a preset rule comprises:
arranging the storage paths of the plurality of jar files in ascending or descending order according to the size of the character strings of the storage paths.
6. The method of claim 1, wherein the encrypting the secret key of the sensitive information based on the encryption key comprises:
generating a random number as a secret key of the sensitive information;
encrypting the secret key with the encryption key to generate a ciphertext of the secret key;
encrypting the sensitive information based on the secret key; and
storing the ciphertext of the secret key to facilitate decryption of the sensitive information.
7. An apparatus for protecting sensitive information in an application, comprising:
an acquisition module for acquiring characteristic information of the application;
a first generation module for generating a digital fingerprint according to the characteristic information, wherein the digital fingerprint comprises data representing characteristics of the application itself;
a second generation module to generate an encryption key based on the digital fingerprint; and
an encryption module to encrypt the sensitive information based on the encryption key,
wherein encrypting the sensitive information based on the encryption key comprises: encrypting the sensitive information or a secret key of the sensitive information with the encryption key.
8. The apparatus of claim 7, the encryption module comprising:
a first generation submodule, configured to generate a random number, where the random number is used as a secret key of the sensitive information;
a second generation submodule, configured to encrypt the secret key with the encryption key to generate a ciphertext of the secret key;
an encryption sub-module for encrypting the sensitive information based on the secret key; and
a storage submodule for storing the ciphertext of the secret key to facilitate decryption of the sensitive information.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-6.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 6.
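The flow of claims 1 and 4 to 6, sketched as an added example (not code from the patent or its applicants). Assumptions: SHA-256 as the digest algorithm, lexicographic ascending sort, a newline separator when merging paths, a labelled SHA-256 of the fingerprint as the encryption key, AES-256-GCM for both encryption steps, and constructed jar paths; the class and method names are hypothetical.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import static java.nio.charset.StandardCharsets.UTF_8;

public class FingerprintEnvelope {
    private static final SecureRandom RNG = new SecureRandom();

    // Claims 4-5: sort the jar paths, merge them into one string, digest it.
    static byte[] fingerprint(List<String> jarPaths) throws Exception {
        List<String> sorted = new ArrayList<>(jarPaths);
        Collections.sort(sorted);                  // assumption: lexicographic ascending
        String merged = String.join("\n", sorted); // assumption: newline separator
        return MessageDigest.getInstance("SHA-256").digest(merged.getBytes(UTF_8));
    }

    // Claim 1: encryption key from the fingerprint (derivation is an assumption).
    static SecretKeySpec keyFromFingerprint(byte[] fp) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update("kek-v1".getBytes(UTF_8));       // hypothetical domain-separation label
        return new SecretKeySpec(md.digest(fp), "AES");
    }

    // AES-256-GCM; output layout is 12-byte nonce || ciphertext || 16-byte tag.
    static byte[] seal(SecretKeySpec key, byte[] plain) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] open(SecretKeySpec key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample paths standing in for what the class loader reports.
        List<String> deployed = List.of("/opt/app/lib/b.jar", "/opt/app/lib/a.jar");
        SecretKeySpec kek = keyFromFingerprint(fingerprint(deployed));

        // Claim 6: random secret key, wrapped with the fingerprint-derived key.
        byte[] dek = new byte[32];
        RNG.nextBytes(dek);
        byte[] wrappedDek = seal(kek, dek);        // this ciphertext is what gets stored
        byte[] secret = seal(new SecretKeySpec(dek, "AES"), "db.password=example".getBytes(UTF_8));

        // Same deployment: recompute the fingerprint, unwrap, decrypt.
        byte[] dek2 = open(keyFromFingerprint(fingerprint(deployed)), wrappedDek);
        System.out.println(new String(open(new SecretKeySpec(dek2, "AES"), secret), UTF_8));

        // Jar files copied elsewhere: the fingerprint changes and unwrapping fails.
        List<String> moved = List.of("/tmp/copy/lib/a.jar", "/tmp/copy/lib/b.jar");
        try {
            open(keyFromFingerprint(fingerprint(moved)), wrappedDek);
        } catch (AEADBadTagException e) {
            System.out.println("unwrap rejected: fingerprint differs");
        }
    }
}
```

Because the fingerprint is computed from path strings rather than from a secret, the wrapped key is bound to a deployment layout: any process that can read the same paths can recompute the encryption key.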
CN201911152102.4A 2019-11-20 2019-11-20 Method, apparatus, electronic device and medium for protecting sensitive information in application Pending CN112825095A (en)

Publications (1)

Publication Number Publication Date
CN112825095A true CN112825095A (en) 2021-05-21

Family

ID=75907815

Country Status (1)

Country Link
CN (1) CN112825095A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116192388A (en) * 2023-04-26 2023-05-30 广东广宇科技发展有限公司 Mixed key encryption processing method based on digital fingerprint

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103853943A (en) * 2014-02-18 2014-06-11 优视科技有限公司 Program protection method and device
US20160357980A1 (en) * 2015-06-04 2016-12-08 Microsoft Technology Licensing, Llc Secure storage and sharing of data by hybrid encryption using predefined schema
CN109460674A (en) * 2018-10-23 2019-03-12 上海金档信息技术有限公司 A kind of JAVA application program guard method
CN109635586A (en) * 2018-12-13 2019-04-16 苏州科达科技股份有限公司 Media file encryption key managing method, system, equipment and storage medium
CN110032874A (en) * 2019-01-31 2019-07-19 阿里巴巴集团控股有限公司 A kind of date storage method, device and equipment
CN110324143A (en) * 2019-05-24 2019-10-11 平安科技(深圳)有限公司 Data transmission method, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination