CN113326518B - Data processing method and device - Google Patents


Publication number
CN113326518B
Authority
CN
China
Prior art keywords
user
key
random number
discrete
encryptor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110640239.5A
Other languages
Chinese (zh)
Other versions
CN113326518A (en)
Inventor
郑琳耀
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by WeBank Co Ltd filed Critical WeBank Co Ltd
Priority to CN202110640239.5A priority Critical patent/CN113326518B/en
Publication of CN113326518A publication Critical patent/CN113326518A/en
Priority to PCT/CN2021/139263 priority patent/WO2022257411A1/en
Application granted granted Critical
Publication of CN113326518B publication Critical patent/CN113326518B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a data processing method and device, wherein the method comprises the following steps: the encryptor receives a data processing request sent by a user side, wherein the data processing request is used for indicating encryption processing or decryption processing of data; the encryptor obtains an encrypted random number corresponding to the unique user identifier according to the unique user identifier in the data processing request; the encryptor decrypts the encrypted random number to obtain a user random number; the encryptor determines a discrete factor according to the user random number; the encryptor performs a discrete operation on the root key of the encryptor based on the discrete factor to obtain a user key; and the encryptor processes the data indicated by the data processing request through the user key. The method generates the user key only when it is used and does not store the user key, which further improves data security while reducing the key maintenance cost.

Description

Data processing method and device
Technical Field
The present disclosure relates to the field of data processing technologies of financial technologies (Fintech), and in particular, to a data processing method and apparatus.
Background
In recent years, with the development of computer technology, more and more technologies are applied in the financial field, and the traditional financial industry is gradually shifting to financial technology (Fintech); however, because of the security and real-time requirements of the financial industry, higher requirements are also placed on these technologies. For example, to protect the property and information of users, the security of user data receives corresponding attention, and higher requirements are placed on data encryption and decryption technology.
In the prior art, user data is stored in encrypted form to ensure its security. Data encryption can be classified into two modes. One is to encrypt and store user data with a unified encryption key; this mode has a low cost of storing and maintaining the encryption key, but since the user data of all users is encrypted with one encryption key, once that key is cracked, the user data of all users may be leaked. The other is to allocate an encryption key to each user and encrypt the user data of each user with the corresponding key; this mode increases the security of the user data but also increases the key maintenance cost.
Therefore, a data processing method and apparatus are needed to further improve data security while reducing the cost of key maintenance.
Disclosure of Invention
The embodiment of the invention provides a data processing method and a data processing device, which can further improve the data security on the premise of reducing the key maintenance cost.
In a first aspect, an embodiment of the present invention provides a data processing method, including:
the encryption machine receives a data processing request sent by a user side, wherein the data processing request is used for indicating the encryption processing or decryption processing of data; the encryption machine obtains an encrypted random number corresponding to the unique user identifier according to the unique user identifier in the data processing request; the encryption machine decrypts the encrypted random number to obtain a user random number; the encryptor determines a discrete factor according to the user random number; the encryption machine carries out discrete operation on the root key of the encryption machine based on the discrete factors to obtain a user key; and the encryptor processes the data indicated by the data processing request through the user key.
In the above method, when a user needs data processing such as encryption or decryption of user data, the encrypted random number must first be obtained and decrypted to give the user random number, a discrete factor is determined according to the user random number, and the root key of the encryptor is subjected to a discrete operation with the discrete factor to obtain the user key. That is, the user key is obtained through layer-by-layer calculation; an attacker who wants the user key has to crack it layer by layer, which improves data security. It also follows that the user key is generated dynamically instead of being permanently stored in the device. Compared with the prior art, in which the key is always stored in the background server, the user key in this method cannot be directly acquired by an attacker, so user data security is improved; moreover, since only the encrypted random number and the root key are stored, even if an attacker obtains the encrypted random number and the root key, the user key cannot be obtained, and user data security is further improved. In addition, since the root key is globally unique, at the key maintenance level the data processing mechanism only needs to maintain the root key, so the key maintenance cost is reduced.
Optionally, the data processing request further comprises an encrypted user password; the encryption machine decrypts the encrypted random number to obtain a user random number, and the method comprises the following steps: the encryptor determines the user random number according to the encrypted random number and the encrypted user password; the encryptor determines a discrete factor according to the user random number, including: the encryptor determines the discrete factor based on the user random number and the encrypted user password.
In the method, obtaining the discrete factor requires not only the user random number but also the encrypted user password, and the encrypted user password is not stored in the data processing mechanism; even if the attacker obtains the encrypted random number and the corresponding decryption algorithm, and the user random number and the corresponding encryption algorithm, without the encrypted user password the discrete factor cannot be obtained. Therefore, the security of the data can be greatly improved.
Optionally, before the encryptor receives the data processing request sent by the user terminal, the method further includes: the encryption machine receives a registration request of the user, wherein the registration request comprises the encrypted user password and the unique user identifier; the encryptor generates the user random number corresponding to the user unique identifier, encrypts the user random number by using the encrypted user password, and obtains the encrypted random number; and the encryption machine correspondingly stores the encrypted random number and the unique user identifier.
In the method, the user registers with the encrypted user password; the encryptor generates a user random number, encrypts it with the encrypted user password, and stores the resulting encrypted random number in correspondence with the unique user identifier. Thus, when the user subsequently needs to encrypt or decrypt data, the encryptor obtains the user random number from the encrypted random number and the encrypted user password carried in the data processing request (an encryption request or a decryption request), and then encrypts or decrypts the data. Therefore, even if an attacker acquires the encrypted random number, without the encrypted user password the attacker cannot obtain the user random number and cannot decrypt the data to steal it, which improves data security.
Optionally, the encrypted user password is obtained by encrypting the input user password by the user terminal through a hash algorithm; the encryptor determines a discrete factor from the user random number and the encrypted user password, including: and the encryptor performs exclusive OR operation on the user random number and the encrypted user password to obtain the discrete factor.
In the method, the user side encrypts the user password to obtain the encrypted user password and sends the encrypted user password to the encryptor. Thus, an attacker cannot acquire the real user password, and data security is improved. The encryptor performs an exclusive-OR operation on the user random number and the encrypted user password to obtain the discrete factor. Thus, even if an attacker acquires the encrypted user password and the user random number, the attacker cannot acquire the discrete factor and is confined to a "one step, one interception" attack scenario, so that the difficulty of obtaining the user key is increased and data security is improved.
Optionally, the encryptor performs a discrete operation on the root key of the encryptor based on the discrete factor to obtain a user key, including: the encryptor divides the discrete factor into a first discrete key and a second discrete key; the encryptor performs a discrete operation on the root key with the first discrete key to obtain an immature user key; and the encryptor performs a discrete operation on the immature user key with the second discrete key to obtain the user key.
In the method, the encryptor divides the discrete factor into a first discrete key and a second discrete key, performs a discrete operation on the root key with the first discrete key to obtain an immature user key, and then performs a discrete operation on the immature user key with the second discrete key to obtain the user key. Therefore, each user is ensured to have an independent user key, user keys are not repeated between users, and the coupling between the user key and the root key is cut off so as to block correlation in the encryption and decryption of user data.
Optionally, the encryptor performs discrete operation on the root key through the first discrete key to obtain an immature user key, including: the encryption machine performs discrete operation on the root key through the first discrete key to obtain a part of immature user keys; the encryption machine carries out discrete operation on the root key through the reverse first discrete key to obtain another part of immature user key; and the encryptor combines the obtained two parts of the immature user keys to obtain the immature user keys.
In the method, the encryptor performs a discrete operation on the root key with the forward first discrete key and with the reverse first discrete key respectively, obtaining two parts of the immature user key, and the immature user key is obtained after the two parts are combined. Therefore, the relevance between the user key and the root key is further reduced, and the coupling between the user key and the root key is effectively cut off; the privacy of the user key of each user may also be improved.
Optionally, after the encryptor processes the data indicated by the data processing request, the method further includes: the encryptor clears the memory of the encryptor.
In the method, the memory of the encryption machine is cleared, so that the information such as the user key, the user random number and the like in the encryption machine is not acquired by an attacker, and the safety of the user data is improved.
Optionally, before the encryptor receives the data processing request sent by the user terminal, the method further includes:
the encryptor acquires the root key and stores the root key.
In the method, the root key is acquired through the encryption machine, so that the safety of the root key is improved.
In a second aspect, an embodiment of the present invention provides a data processing apparatus, including:
the receiving and transmitting module is used for receiving a data processing request sent by a user side, wherein the data processing request is used for indicating the encryption processing or decryption processing of data;
the processing module is used for acquiring an encrypted random number corresponding to the unique user identifier according to the unique user identifier in the data processing request; decrypting the encrypted random number to obtain a user random number; determining a discrete factor according to the user random number; performing discrete operation on the root key of the encryptor based on the discrete factor to obtain a user key; and processing the data indicated by the data processing request through the user key.
In a third aspect, embodiments of the present application further provide a computing device, including: a memory for storing a program; a processor for calling a program stored in said memory, and executing the method as described in the various possible designs of the first aspect according to the obtained program.
In a fourth aspect, embodiments of the present application also provide a computer-readable non-volatile storage medium, including a computer-readable program, which when read and executed by a computer, causes the computer to perform the method as described in the various possible designs of the first aspect.
These and other implementations of the present application will be more readily understood in the following description of the embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a data processing architecture according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a data processing architecture according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of a data processing method according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of a data processing method according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of a data processing method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a system architecture for data processing according to an embodiment of the present invention, where in a registration flow: the user terminal 101 receives a user password input by a user; the user terminal 101 encrypts the user password to obtain an encrypted user password, generates a user unique identifier, and generates a registration request according to the encrypted user password and the user unique identifier; the user terminal 101 sends the registration request to the encryptor 102. The encryptor 102 generates a user random number for the user unique identifier after receiving the registration request, generates an encrypted random number from the encrypted user password and the user random number, and stores the encrypted random number in the database 103 in correspondence with the user unique identifier.
In the data encryption flow: the user terminal 101 encrypts a user password input by a user to obtain an encrypted user password, and generates a data processing request according to the trigger of the user, so that the data processing request contains data to be encrypted, a user unique identifier and the encrypted user password; the client 101 sends the data processing request to the encryptor 102. The encryptor 102 obtains an encrypted random number corresponding to the user unique identifier in the database 103 according to the user unique identifier in the data processing request, decrypts the encrypted random number according to the encrypted user password in the data processing request to obtain a user random number, calculates a discrete factor according to the user random number and the encrypted user password, and calculates and obtains a user key according to the discrete factor and a root key; the data to be encrypted is encrypted according to the user key, and after the encrypted data is obtained, the encrypted data is stored in correspondence with the user unique identifier and the encrypted random number of the user in the database 103. The encryptor 102 determines that the data processing request processing is completed, and clears the memory.
In the data decryption flow: the user terminal 101 encrypts a user password input by a user to obtain an encrypted user password, and generates a data processing request according to the trigger of the user, so that the data processing request comprises a data identifier to be decrypted, a user unique identifier and the encrypted user password; the client 101 sends the data processing request to the encryptor 102. The encryptor 102 acquires corresponding data to be decrypted from the database 103 according to the data identifier to be decrypted; the encryptor 102 obtains an encrypted random number corresponding to the user unique identifier in the database 103 according to the user unique identifier in the data processing request, decrypts the encrypted random number according to the encrypted user password in the data processing request to obtain a user random number, calculates a discrete factor according to the user random number and the encrypted user password, and calculates and obtains a user key according to the discrete factor and a root key; and decrypting the data to be decrypted according to the user key, and transmitting the decrypted data to the user terminal 101 after obtaining the decrypted data. The encryptor 102 determines that the data processing request processing is completed, and clears the memory.
As shown in fig. 2, the system architecture for data processing provided in the embodiment of the present invention includes a user end 201, a background server end 202, an encryptor 203, and a database 204; when the user terminal 201 does not need to generate the unique user identifier, the background server 202 may be configured to generate the unique user identifier for the user and notify the user terminal 201 of the unique user identifier when receiving the registration request. And the encryptor 203 may also be enabled to store the user unique identifier and the encrypted random number in the database 204 correspondingly after receiving the user unique identifier of the background server and generating the encrypted random number. The system architecture in fig. 1 and 2 is only one implementation example in the present application, and is not limited to the specific implementation of the system architecture and the like of the data processing in the present application.
Based on the above system architecture, an embodiment of the present application provides a data processing method flow, as shown in fig. 3, including:
step 301, the encryptor receives a data processing request sent by a user side, where the data processing request is used to indicate encryption processing or decryption processing of data;
step 302, the encryptor acquires an encrypted random number corresponding to the unique user identifier according to the unique user identifier in the data processing request;
step 303, the encryptor decrypts the encrypted random number to obtain a user random number;
step 304, the encryptor determines a discrete factor according to the user random number;
step 305, the encryptor performs discrete operation on the root key of the encryptor based on the discrete factor to obtain a user key;
step 306, the encryptor processes the data indicated by the data processing request through the user key.
In the above method, when a user needs data processing such as encryption or decryption of user data, the encrypted random number must first be obtained and decrypted to give the user random number, a discrete factor is determined according to the user random number, and the root key of the encryptor is subjected to a discrete operation with the discrete factor to obtain the user key. That is, the user key is obtained through layer-by-layer calculation; an attacker who wants the user key has to crack it layer by layer, which improves data security. It also follows that the user key is generated dynamically instead of being permanently stored in the device. Compared with the prior art, in which the key is always stored in the background server, the user key in this method cannot be directly acquired by an attacker, so user data security is improved; moreover, since only the encrypted random number and the root key are stored, even if an attacker obtains the encrypted random number and the root key, the user key cannot be obtained, and user data security is further improved. In addition, since the root key is globally unique, at the key maintenance level the data processing mechanism only needs to maintain the root key, so the key maintenance cost is reduced.
The embodiment of the application provides a data processing method, wherein the data processing request further comprises an encrypted user password; the encryptor decrypts the encrypted random number to obtain a user random number, including: the encryptor determines the user random number according to the encrypted random number and the encrypted user password; the encryptor determines a discrete factor according to the user random number, including: the encryptor determines the discrete factor based on the user random number and the encrypted user password. That is, the user random number is recovered from the encrypted random number using the encrypted user password and the corresponding algorithm, and the discrete factor is likewise obtained using the encrypted user password and the corresponding algorithm. In one example, the encrypted random number may be decrypted with the encrypted user password and the decryption operation of a symmetric algorithm to obtain the user random number. The user random number may then be combined with the encrypted user password by an exclusive-OR algorithm to obtain the discrete factor. The symmetric algorithm may be SM4 (national commercial cryptographic algorithm), 3DES (triple data encryption algorithm), etc.; the specific algorithm is not limited herein and may be set as required. In addition, as can be seen from the above, the discrete factor is needed to obtain the user key, the user random number and the encrypted user password are needed to obtain the discrete factor, and the encrypted user password is also needed to obtain the user random number.
That is, each time the user initiates a request to encrypt or decrypt data, the user needs to authorize it by inputting the user password (pwd); the user end first encrypts the user password through a hash algorithm to obtain Kpwd, and the subsequent processes such as data encryption and decryption are completed according to Kpwd. The data processing flow does not directly store the encrypted user password, so the background server cannot complete the whole data encryption and data decryption flow on its own; that is, by forcing the encrypted user password to take part in data processing, the risk of user data being leaked without user authorization when the data processing system of the background server is attacked can be effectively avoided.
It should be noted that the user password is user-sensitive data and is not saved by the background server, the encryptor or the database. If the problem of a lost user password needs to be considered, a backup cloud for the user password can be introduced; the backup cloud can be supported by a server that is independent of the data processing mechanism and set in the system architecture, or by other backup clouds, such as WeChat, QQ and the like, and is not specifically limited herein.
The embodiment of the application provides a user registration method: before the encryptor receives a data processing request sent by a user side, the method further comprises: the encryptor receives a registration request of the user, wherein the registration request comprises the encrypted user password and the unique user identifier; the encryptor generates the user random number corresponding to the unique user identifier and encrypts the user random number with the encrypted user password to obtain the encrypted random number; and the encryptor stores the encrypted random number in correspondence with the unique user identifier. In one example, when a user registers for the first time, the encryptor receives the registration request and generates a user random number Seed for the unique user identifier; by way of example, a random number generation module in the encryptor or a software pseudo-random number generation algorithm can be used to obtain a Seed of 32 bytes or 64 bytes, and the generation of each user's Seed should satisfy randomness. The encryptor encrypts the Seed with the encrypted user password Kpwd to obtain the encrypted random number Enc(Seed), and stores Enc(Seed) in correspondence with the unique user identifier. Alternatively, the encryptor may encrypt the Seed with a preset encryption key to obtain the encrypted random number Enc(Seed), and store Enc(Seed) and the unique user identifier. If the system architecture of the data processing does not include an encryptor, for example, the system architecture includes a user side, a background server side and a database, the Seed is preferably encrypted with Kpwd to obtain Enc(Seed), so that data security is improved. The algorithm for encrypting the Seed may be the symmetric encryption algorithm 3DES or SM4. For example, Enc(Seed) = 3DES(Kpwd, Seed), or Enc(Seed) = SM4(Kpwd, Seed).
The embodiment of the application provides a discrete factor obtaining method, wherein the encrypted user password is obtained by the user side encrypting the input user password through a hash algorithm; the encryptor determines a discrete factor from the user random number and the encrypted user password, including: the encryptor performs an exclusive-OR operation on the user random number and the encrypted user password to obtain the discrete factor. That is, after the user terminal receives the user password input by the user, the user password needs to be encrypted through a hash algorithm, so that the security of the user password is ensured. In the initial stage in which the user inputs a user password, that is, at the first step, a discrete (hash) algorithm is called to encrypt the user password to obtain the encrypted user password Kpwd, which then takes part in the subsequent data processing flow as the independent Kpwd of each user. An exemplary Kpwd generation formula can be as follows: Kpwd = HASH(pwd); alternatively, Kpwd = [SHA256(pwd)]_L32; alternatively, Kpwd = [SM3(pwd)]_L32. Here HASH is a hash algorithm; SHA256 is a hash algorithm with a hash value 256 bits in length; SM3 is a domestic hash algorithm. The above formulas can be understood as follows: after the user password pwd is hashed, the first 32 bits (16 Byte data) of the result are taken as Kpwd; if the 3DES algorithm is adopted, a parity check operation needs to be added. Then, illustratively, the discrete factor Kseed is obtained based on Kpwd: Kseed = Seed ⊕ Kpwd.
The embodiment of the application provides a user key obtaining method, wherein the encryption machine carries out discrete operation on a root key of the encryption machine based on the discrete factor to obtain a user key, and the method comprises the following steps: the encryptor divides the discrete factors into a first discrete key and a second discrete key; the encryption machine performs discrete operation on the root key through the first discrete key to obtain an immature user key; and the encryptor carries out discrete operation on the immature user key through the second discrete key to obtain the user key. Illustratively, the discrete factor Kseed obtained in the above method is used as the discrete factor in the formula ki= DisKseed (i) (Kroot) to calculate the user key Ki; essentially, the formula comprises two parts: ki ' =3des (Kroot, kseed_l) |3des (Kroot, notkseed_l) and ki=3des (Ki ', kseed_r) |3des (Ki ', notkseed_r).
Here, the first discrete key Kseed_L is the high-order 8 Bytes obtained by splitting Kseed (16 Bytes), the second discrete key Kseed_R is the low-order 8 Bytes obtained by splitting Kseed (16 Bytes), and the root key Kroot is 16 Bytes. Then, according to the formula Ki' = 3DES(Kroot, Kseed_L) | 3DES(Kroot, NOT Kseed_L), one standard PBOC discrete operation is performed on Kroot with Kseed_L to obtain the immature user key Ki' (16 Bytes). The formula can also be read as follows: Kseed_L is 3DES-encrypted with Kroot to obtain the high 8 Bytes of Ki', Kseed_L is inverted and then 3DES-encrypted with Kroot to obtain the low 8 Bytes of Ki', and the two halves are merged to obtain the immature user key Ki'. Alternatively, Kseed_L is 3DES-encrypted with Kroot to obtain the low 8 Bytes of Ki', Kseed_L is inverted and then 3DES-encrypted with Kroot to obtain the high 8 Bytes of Ki', and the two halves are merged to obtain the immature user key Ki'. This specific calculation is only an example and does not limit how the immature user key is calculated; for example, the size of Ki' may be not only 16 Bytes but also 32 Bytes and the like; alternatively, Kseed_L is 3DES-encrypted with Kroot to obtain the high 8 Bytes of Ki', and a fixed array or the like is added to or subtracted from Kseed_L to obtain Kseed_L', which is then 3DES-encrypted with Kroot to obtain the low 8 Bytes of Ki'. Next, according to the formula Ki = 3DES(Ki', Kseed_R) | 3DES(Ki', NOT Kseed_R), one standard PBOC discrete operation is performed on Ki' with Kseed_R to obtain the user key Ki (16 Bytes). That is, the final user key Ki is obtained by performing a second PBOC discrete calculation on the immature user key Ki', using Kseed_R as the second-stage discrete factor. The user data is then encrypted or decrypted with the user key Ki; because the user key is only calculated when it is used and is not stored directly, data security can be effectively improved.
Using the high 8 Bytes of Kseed (16 Bytes) as the first discrete key Kseed_L and the low 8 Bytes of Kseed (16 Bytes) as the second discrete key Kseed_R is just one example of splitting the discrete factor; the low 8 Bytes of Kseed (16 Bytes) may instead be used as the first discrete key Kseed_L and the high 8 Bytes as the second discrete key Kseed_R; the specific splitting method of the discrete factor is not limited here. In addition, obtaining the user key by the discrete operation method ensures that the user keys of the users are almost all different, and blocks the coupling between the user key and the root key. Similarly, encrypting the data with the user key under a symmetric encryption algorithm can improve data security, but the symmetric encryption algorithm is not the only operation method and can be set according to need.
The embodiment of the application provides a data processing method, after the encryption machine processes the data indicated by the data processing request, the method further comprises the following steps: the encryptor clears the memory of the encryptor. That is, after the encryption machine completes the encryption of the data or the decryption of the data, the user key, the discrete factor, the user random number and the like in the memory are deleted, so that the leakage of the sensitive data and the leakage of the user data caused by the leakage of the sensitive data are prevented.
The embodiment of the application also provides a data processing method, before the encryption machine receives the data processing request sent by the user terminal, the method further comprises the following steps: the encryptor acquires the root key and stores the root key. In one example, a developer can generate a unique root key Kroot of the system through manual plaintext recording or an automatic random mode in an encryption machine, wherein the root key is used as the highest-level key of the system, can be stored in the encryption machine or stored in an external storage device such as a database after being encrypted, and provides reliable security assurance through the encryption machine.
Based on the above method flow, the embodiment of the present application provides a data processing method flow, as shown in fig. 4, including:
Step 401, the encryptor acquires the root key.
Step 402, the user terminal receives the user password, encrypts the user password by using a hash algorithm to obtain an encrypted user password, and generates a user unique identifier.
Step 403, the encryptor generates a registration request according to the unique user identifier and the encrypted user password.
Step 404, the user sends the registration request to the encryptor.
Step 405, after receiving the registration request, the encryptor generates a user random number for the unique user identifier, and encrypts the user random number through an encrypted user password and a symmetric encryption algorithm to obtain an encrypted random number.
Step 406, the encryptor stores the encrypted random number and the unique user identifier in a database.
Step 407, the user side generates a data processing request according to operations such as storing data by the user, and sends the data processing request to the encryptor.
Step 408, the encryptor receives a data processing request, where the data processing request includes the data to be encrypted, the unique user identifier, and the encrypted user password.
Step 409, the encryptor acquires the encrypted random number corresponding to the unique user identifier in the database according to the unique user identifier, and decrypts the encrypted random number according to the encrypted user password and the inverse of the symmetric encryption algorithm to acquire the user random number.
Step 410, the encryptor performs an exclusive OR operation on the user random number and the encrypted user password to obtain a discrete factor.
Step 411, the encryptor obtains a root key, where the root key may be stored in the encryptor or in a database.
Step 412, the encryptor calculates the discrete factor and the root key by a discrete operation method to obtain the user key.
Step 413, the encryptor encrypts the data to be encrypted through the user key and the symmetric encryption algorithm to obtain encrypted user data.
Step 414, the encryptor sends the encrypted user data to a database, where it is stored in correspondence with the unique user identifier and the encrypted random number.
Step 415, the encryptor determines that the data processing request is processed, and clears the memory.
Here, the order of the above steps is not the only one possible: steps 401 to 406 are the registration process, and may be performed before or after steps 407 to 415 of the data processing process; step 411 may be performed before or after any of step 408, step 409, and step 410. Accordingly, the above-described process steps are merely examples, and are not intended to limit the implementation of the present invention.
Based on the above method flow, the embodiment of the present application provides a data processing method flow, as shown in fig. 5, including:
Step 501, the user side generates a data processing request according to operations such as storing data by the user, and sends the data processing request to the encryptor.
Step 502, the encryptor receives a data processing request, where the data processing request includes a to-be-decrypted data identifier, the user unique identifier, and the encrypted user password.
Step 503, the encryptor obtains the encrypted random number corresponding to the unique user identifier in the database according to the unique user identifier, and decrypts the encrypted random number according to the encrypted user password and the inverse symmetric encryption algorithm to obtain the user random number.
Step 504, the encryptor performs an exclusive OR operation on the user random number and the encrypted user password to obtain a discrete factor.
Step 505, the encryptor obtains a root key, where the root key may be stored in the encryptor or in a database.
Step 506, the encryptor calculates the discrete factor and the root key by a discrete operation method to obtain the user key.
Step 507, the encryptor obtains the data to be decrypted according to the data identifier to be decrypted.
Step 508, the encryptor decrypts the data to be decrypted through the user key and the symmetric encryption algorithm to obtain decrypted user data.
Step 509, the encryptor sends the decrypted user data to the user terminal.
Step 510, the encryptor determines that the data processing request is processed, and clears the memory.
It should be noted that the order of the above steps is not the only one possible: step 507 may be performed before or after any of steps 503 to 506. Accordingly, the above-described process steps are merely examples, and are not intended to limit the implementation of the present invention.
Based on the same concept, an embodiment of the present invention provides a data processing apparatus, and fig. 6 is a schematic diagram of a data processing apparatus provided in an embodiment of the present application, where, as shown in fig. 6, the apparatus includes:
the transceiver module 601 is configured to receive a data processing request sent by a user side, where the data processing request is used to instruct encryption processing or decryption processing to data;
the processing module 602 is configured to obtain, according to a user unique identifier in the data processing request, an encrypted random number corresponding to the user unique identifier; decrypting the encrypted random number to obtain a user random number; determining a discrete factor according to the user random number; performing discrete operation on the root key of the encryptor based on the discrete factor to obtain a user key; and processing the data indicated by the data processing request through the user key.
Optionally, the data processing request further comprises an encrypted user password; the processing module 602 is specifically configured to: the encryptor determines the user random number according to the encrypted random number and the encrypted user password; the processing module 602 is specifically configured to: the encryptor determines the discrete factor based on the user random number and the encrypted user password.
Optionally, the processing module 602 is further configured to: receiving a registration request of the user side, wherein the registration request comprises the encrypted user password and the unique user identifier; the encryptor generates the user random number corresponding to the user unique identifier, encrypts the user random number by using the encrypted user password, and obtains the encrypted random number; and the encryption machine correspondingly stores the encrypted random number and the unique user identifier.
Optionally, the encrypted user password is obtained by encrypting the input user password by the user terminal through a hash algorithm; the processing module 602 is specifically configured to: and the encryptor performs exclusive OR operation on the user random number and the encrypted user password to obtain the discrete factor.
Optionally, the processing module 602 is specifically configured to: the encryptor divides the discrete factors into a first discrete key and a second discrete key; the encryption machine performs discrete operation on the root key through the first discrete key to obtain an immature user key; and the encryptor carries out discrete operation on the immature user key through the second discrete key to obtain the user key.
Optionally, the processing module 602 is specifically configured to: the encryption machine performs discrete operation on the root key through the first discrete key to obtain a part of the immature user key; the encryption machine performs discrete operation on the root key through the inverted first discrete key to obtain another part of the immature user key; and the encryptor combines the two obtained parts to obtain the immature user key.
Optionally, the processing module 602 is further configured to: the encryptor clears the memory of the encryptor.
Optionally, the processing module 602 is further configured to: the encryptor acquires the root key and stores the root key.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A method of data processing, the method comprising:
the encryption machine receives a data processing request sent by a user side, wherein the data processing request is used for indicating the encryption processing or decryption processing of data;
the encryption machine obtains an encrypted random number corresponding to the unique user identifier according to the unique user identifier in the data processing request;
the encryption machine decrypts the encrypted random number to obtain a user random number;
the encryptor determines a discrete factor according to the user random number;
the encryption machine carries out discrete operation on the root key of the encryption machine based on the discrete factors to obtain a user key;
and the encryptor processes the data indicated by the data processing request through the user key.
2. The method of claim 1, wherein the data processing request further includes an encrypted user password;
the encryption machine decrypts the encrypted random number to obtain a user random number, and the method comprises the following steps:
the encryptor determines the user random number according to the encrypted random number and the encrypted user password;
the encryptor determines a discrete factor according to the user random number, including:
the encryptor determines the discrete factor based on the user random number and the encrypted user password.
3. The method as set forth in claim 2, wherein before the encryptor receives the data processing request sent by the user terminal, the method further includes:
the encryption machine receives a registration request of the user, wherein the registration request comprises the encrypted user password and the unique user identifier;
the encryptor generates the user random number corresponding to the user unique identifier, encrypts the user random number by using the encrypted user password, and obtains the encrypted random number;
and the encryption machine correspondingly stores the encrypted random number and the unique user identifier.
4. The method as claimed in claim 2, wherein the encrypted user password is obtained by encrypting the input user password by a hash algorithm by the user terminal;
the encryptor determines a discrete factor from the user random number and the encrypted user password, including:
and the encryptor performs exclusive OR operation on the user random number and the encrypted user password to obtain the discrete factor.
5. The method of claim 1, wherein the encryptor performs a discrete operation on a root key of the encryptor based on the discrete factor to obtain a user key, comprising:
the encryptor divides the discrete factors into a first discrete key and a second discrete key;
the encryption machine performs discrete operation on the root key through the first discrete key to obtain an immature user key;
and the encryptor carries out discrete operation on the immature user key through the second discrete key to obtain the user key.
6. The method of claim 5, wherein the encryptor performs a discrete operation on the root key with the first discrete key to obtain an immature user key, comprising:
the encryption machine performs discrete operation on the root key through the first discrete key to obtain a part of the immature user key;
the encryption machine carries out discrete operation on the root key through the inverted first discrete key to obtain another part of the immature user key;
and the encryptor combines the two obtained parts to obtain the immature user key.
7. The method of any of claims 1-4, wherein after the encryptor processes the data indicated by the data processing request, further comprising:
the encryptor clears the memory of the encryptor.
8. A data processing apparatus, the apparatus comprising:
the receiving and transmitting module is used for receiving a data processing request sent by a user side, wherein the data processing request is used for indicating the encryption processing or decryption processing of data;
the processing module is used for acquiring an encrypted random number corresponding to the unique user identifier according to the unique user identifier in the data processing request; decrypting the encrypted random number to obtain a user random number; determining a discrete factor according to the user random number; performing discrete operation on the root key of the encryption machine based on the discrete factor to obtain a user key; and processing the data indicated by the data processing request through the user key.
9. A computer readable storage medium, characterized in that the computer readable storage medium stores a program which, when run on a computer, causes the computer to implement the method of any one of claims 1 to 7.
10. A computer device, comprising:
a memory for storing a computer program;
a processor for invoking a computer program stored in said memory, performing the method according to any of claims 1 to 7 in accordance with the obtained program.
CN202110640239.5A 2021-06-09 2021-06-09 Data processing method and device Active CN113326518B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110640239.5A CN113326518B (en) 2021-06-09 2021-06-09 Data processing method and device
PCT/CN2021/139263 WO2022257411A1 (en) 2021-06-09 2021-12-17 Data processing method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110640239.5A CN113326518B (en) 2021-06-09 2021-06-09 Data processing method and device

Publications (2)

Publication Number Publication Date
CN113326518A CN113326518A (en) 2021-08-31
CN113326518B true CN113326518B (en) 2024-02-02

Family

ID=77420118

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110640239.5A Active CN113326518B (en) 2021-06-09 2021-06-09 Data processing method and device

Country Status (2)

Country Link
CN (1) CN113326518B (en)
WO (1) WO2022257411A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113326518B (en) * 2021-06-09 2024-02-02 深圳前海微众银行股份有限公司 Data processing method and device
CN116707802B (en) * 2023-08-04 2023-12-12 河南省信息化集团有限公司 Authorization management method and system based on key encryption key (KEK)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015180604A1 (en) * 2014-05-28 2015-12-03 大唐移动通信设备有限公司 Secret communication control method, secret communication method, and apparatus
CN107707347A (en) * 2017-10-27 2018-02-16 深圳市文鼎创数据科技有限公司 The backup method and device of user key, the introduction method and device of user key
WO2018149110A1 (en) * 2017-02-14 2018-08-23 华为技术有限公司 Key protection method and apparatus
CN110059458A (en) * 2019-03-12 2019-07-26 北京中海闻达信息技术有限公司 A kind of user password encryption and authentication method, apparatus and system
CN111385084A (en) * 2018-12-27 2020-07-07 中国电信股份有限公司 Key management method and device for digital assets and computer readable storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7457411B2 (en) * 2003-03-13 2008-11-25 New Mexico Technical Research Foundation Information security via dynamic encryption with hash function
US7280956B2 (en) * 2003-10-24 2007-10-09 Microsoft Corporation System, method, and computer program product for file encryption, decryption and transfer
CN105978686A (en) * 2016-05-10 2016-09-28 杭州海兴电力科技股份有限公司 Key management method and system
CN108462686B (en) * 2018-01-08 2020-09-04 平安科技(深圳)有限公司 Method and device for acquiring dynamic key, terminal equipment and storage medium
CN108460597B (en) * 2018-03-23 2022-03-15 银联商务股份有限公司 Key management system and method
CN108718233B (en) * 2018-03-27 2021-04-13 北京安御道合科技有限公司 Encryption method, computer equipment and storage medium
CN113326518B (en) * 2021-06-09 2024-02-02 深圳前海微众银行股份有限公司 Data processing method and device

Also Published As

Publication number Publication date
WO2022257411A1 (en) 2022-12-15
CN113326518A (en) 2021-08-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant