CN113452661A - Server side key safety protection method, equipment and medium - Google Patents


Info

Publication number
CN113452661A
Authority
CN
China
Prior art keywords
key
server
protected
protected key
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010228555.7A
Other languages
Chinese (zh)
Inventor
孙长杰
黄镇国
李照川
王伟兵
肖守明
申传旺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Inspur Quality Chain Technology Co Ltd
Original Assignee
Shandong Inspur Quality Chain Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Inspur Quality Chain Technology Co Ltd
Priority to CN202010228555.7A
Publication of CN113452661A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a server-side key security protection method, device and medium. The method comprises: encrypting the protected key in multiple layers with an encryption algorithm and a security factor, then storing the result on the server; and receiving the decryption key of the outermost layer, so that the server can obtain the security factor, decrypt the encrypted protected key by searching within the range defined by the security factor, and store the decrypted protected key in the server's cache memory. The password (or key) protection system built with this method does not depend on special hardware, is easy to implement, low in cost and effective against theft, and is suitable for managing the protection of ordinary server-side passwords and keys as well as private keys in a blockchain. By protecting passwords, keys and private keys, it further safeguards users' lives and property, protects users' private data, and protects users from economic loss and danger.

Description

Server side key safety protection method, equipment and medium
Technical Field
The present application relates to the field of encryption technologies, and in particular, to a method, an apparatus, and a medium for key security protection.
Background
The security system of a certain academic forum was attacked by hackers, and the login names, passwords and e-mail addresses of 600 thousand users were leaked. Subsequently the user databases of several websites, including a well-known game forum and a dating platform, were exposed online, and a large number of netizens faced privacy disclosure because some of the passwords were displayed in plaintext. A community forum issued an apology letter stating that the private data of 40 million users had been exposed by hackers. What was stolen in that incident was only the set of passwords, and a user could avoid having private data stolen by changing the password in time, so there was no need to panic.
Key protection methods currently on the market share the following characteristics. First, software encryption methods can resist attacks such as database dumps (the 'off-library' attack): because the key is stored in encrypted form, an attacker who obtains leaked database data gets ciphertext rather than plaintext and cannot use it. However, if the encryption key is poorly protected, the service is attacked and the encryption key leaks, the data is still at risk of exposure. Second, hardware encryption methods are more secure than software methods, but cost more and suit fewer application scenarios.
Disclosure of Invention
The embodiments of this specification provide a key security protection method, a key security protection device and a key security protection medium, which solve the following technical problems in the prior art:
when the server is attacked, a large number of passwords stored on the server are stolen;
theft by the server's own maintainers is hard to prevent.
The embodiment of the specification adopts the following technical scheme:
a first aspect of an embodiment of the present invention provides a server side key security protection method, including: the protected key is subjected to multi-layer encryption through an encryption algorithm and a security factor and then is stored to a server;
and receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
In one example, performing multi-layer encryption on the protected key with an encryption algorithm and a security factor and storing the result on the server includes:
performing first-layer encryption of the protected key with the security factor and the hash value of the protected key;
and performing second-layer encryption, with a public key, of the file formed by the first-layer encryption.
In one example, performing multi-layer encryption on the protected key with an encryption algorithm and a security factor and storing the result on the server includes:
encrypting the protected key with the security factor and the hash value of the protected key, and storing the security factor, the hash value of the protected key and the encrypted protected key in a specified storage file on the server;
and encrypting the specified storage file with a public key to obtain a secret file, and storing the secret file on a permanent storage medium of the server, wherein the public key and its corresponding private key are generated by the server.
In one example, encrypting the protected key with the security factor and the hash value of the protected key, and storing the security factor, the hash value of the protected key and the encrypted protected key in a specified storage file on the server includes:
processing a random number together with the hash value of the protected key to form a first encryption key, and encrypting the protected key with the first encryption key, wherein the random number is one of the security factors;
and storing the number of bits of the random number, the hash value of the protected key and the encrypted protected key in a specified storage file on the server, wherein the number of bits of the random number is another of the security factors.
In one example, the method further comprises:
determining whether the server is providing service, and deleting the protected key stored in the cache memory after the server terminates the service.
In one example, receiving the decryption key of the outermost layer so that the server can obtain the security factor and decrypt the encrypted protected key within the range of the security factor includes:
the server receiving the private key, so that the server decrypts the secret file with the private key to obtain the number of bits of the random number, and obtains the protected key by searching within the range given by that number of bits.
In one example, having the server decrypt the secret file with a decryption algorithm to obtain the number of bits of the random number, and obtaining the protected key within the range given by the number of bits of the random number, includes:
the server decrypting the secret file with a decryption algorithm to obtain the hash value of the protected key, the number of bits of the random number and the encrypted protected key;
and decrypting the encrypted protected key according to the hash value of the protected key and the number of bits of the random number to obtain the protected key.
In one example, decrypting the encrypted protected key according to the hash value of the protected key and the number of bits of the random number to obtain the protected key includes:
generating a new random number with that number of bits;
concatenating the hash value of the protected key and the new random number to form new concatenated information;
calculating the hash value of the new concatenated information with a hash algorithm;
and using the hash value of the new concatenated information as the key, decrypting the encrypted protected key with a decryption algorithm to obtain the protected key.
A second aspect of an embodiment of the present invention provides a server-side key security protection device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
the protected key is encrypted in multiple layers through an encryption algorithm and a security factor and then stored to a server;
and receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
A third aspect of the embodiments of the present invention provides a non-volatile computer storage medium for server-side key security protection, where a computer-executable instruction is stored, and the computer-executable instruction is configured to:
the protected key is encrypted in multiple layers through an encryption algorithm and a security factor and then stored to a server;
and receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
At least one of the technical solutions adopted in the embodiments of this specification can achieve the following beneficial effects:
1) Theft is prevented. When the server is attacked, an attacker cannot see or obtain the original password (or key), because it is stored only in encrypted form;
2) Internal theft is prevented. The encryption key is not stored on the server but is recomputed dynamically after the service starts, so operation and maintenance personnel cannot see or obtain it;
3) Double protection. The decryption key of the secret file can be held by different operation and maintenance personnel (or other security personnel) to prevent theft;
4) The password (or key) protection system built with this method does not depend on special hardware, and is easy to implement, low in cost and effective against theft;
5) The method is suitable for protecting and managing ordinary server-side passwords and keys, and also private keys in a blockchain. By protecting passwords, keys and private keys, it further safeguards users' lives and property, protects users' private data, and protects users from economic loss and danger.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic flow chart of a method provided by embodiments of the present disclosure;
FIG. 2 is a schematic diagram of encryption logic provided by an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of decryption logic provided by an embodiment of the present disclosure;
fig. 4 is a schematic diagram of an apparatus framework provided in an embodiment of the present specification.
Detailed Description
In order to make the objects, technical solutions and advantages of the present disclosure more clear, the technical solutions of the present disclosure will be clearly and completely described below with reference to specific embodiments of the present disclosure and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person skilled in the art without making any inventive step based on the embodiments in the description belong to the protection scope of the present application.
News of vulnerabilities and user-data leaks keeps arriving from every corner of the Internet. A vulnerability-reporting platform published a report titled, for example, "large-scale leak of users of a certain payment software": the leaked data was used for network marketing, the total volume reached 15 to 25 million records, the time of the leak was unknown, and the report mentioned only the payment users' account numbers, not their passwords. Some e-commerce platforms were also involved. In 2014, 85 million bitcoins worth 120 billion dollars were stolen from the world's largest bitcoin exchange. In December 2017 the Korean exchange Bingzi lost 17% of its digital currency to a hacker attack and declared bankruptcy. In January 2018 the largest cryptocurrency exchange in Japan was attacked by hackers and new currency worth 5.3 billion dollars was illegally transferred to other exchanges. That currency had once ranked eighth in the world by market value; hit by the theft, it fell 20% within 5 hours and dragged down digital currencies worldwide. In September 2018 a foreign social-media company disclosed that hackers had obtained 3 million user accounts and controlled 40 thousand of them: they could log in to those users' personal home pages at will without entering a password and take whatever data they wanted. The privacy crisis that erupted at the company at one point wiped 59 billion dollars off its market value, its shareholders jointly demanded that its head relinquish power, and the parliaments of many countries required the company to appear in person to answer for the stolen user information.
These security incidents are all closely tied to password leakage: subjectively they are attributable to theft by attackers, but objectively and essentially to improper password protection. The result is that large numbers of passwords leak, private data is exposed, people suffer great property losses, and even their personal safety is threatened. Password protection is therefore both important and urgent.
The Cryptography Law of the People's Republic of China was adopted at the fourteenth session of the Standing Committee of the Thirteenth National People's Congress on 26 October 2019 and took effect on 1 January 2020. Its passage marks the point at which China gained dedicated legal guarantees for the application and management of cryptography. The law divides cryptography into three classes, core cryptography, ordinary cryptography and commercial cryptography, and manages them by class. Core and ordinary cryptography protect state-secret information and are themselves state secrets; commercial cryptography protects information that is not a state secret, and citizens, legal persons and other organizations may use it lawfully to protect network and information security.
Against this background, a thorough study of current password (or key) security protection methods shows that they fall into two categories: software encryption and hardware encryption. In the software method, the password (or key) is encrypted and the encrypted result is stored on a permanent storage medium; at use time the stored result is decrypted and the decrypted password (or key) is compared with the one entered by the user to decide whether verification succeeds. In the hardware method, the security of the password (or key) rests on unique properties of hardware, such as its computing-power and tamper-resistance advantages. For example, an algorithm can be designed such that software would need 100 years to compute the result while hardware takes only a few seconds.
The embodiments of this application provide a key security protection method and a corresponding solution: a brand-new server-side password (or key) protection method aimed at the situation where a user's password, key or private key is attacked, leading to leaked private data, lost property and even threats to life. The protected password (or key) is encrypted with a workload-based cryptographic algorithm, and the encrypted key is then further processed and protected. The method prevents the protected password (or key) from being disclosed through external attack, and at the same time prevents insiders from peeking at the protected password (or key) and at the encryption key. Its aim is to protect users' digital assets from theft, their private data from leakage, and their personal safety.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a method provided in an embodiment of the present disclosure. As shown, the method comprises:
s101, performing multi-layer encryption on a protected key through an encryption algorithm and a security factor, and storing the protected key to a server;
s102, receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
The embodiment of the invention provides a brand-new password (or key) protection method belonging to the software-encryption class of password (or key) protection methods. In general terms:
the server does not store the password (or key) itself, but stores the result of encrypting it; the encryption key is not stored on the server either, only a rough range (the security factor), so the encryption key cannot leak; after the service starts, the encryption key is searched for within that range, and once found it is used to decrypt the original password (or key) being protected. For convenience, the original password (or key) being protected is referred to below simply as the key.
According to a specific embodiment of the present invention, in step S101, the storing the protected key after performing multi-layer encryption on the protected key by using the encryption algorithm and the security factor to the server includes: performing a first layer encryption on the protected key through the safety factor and the hash value of the protected key; and carrying out second-layer encryption on the file formed by the first-layer encryption through a public key, wherein the public key and a corresponding private key thereof are generated by the service terminal.
The embodiment of the invention discloses multi-layer encryption of a protected key, and it can be understood that the number of the protected key can be two layers, or three layers or other security layers, which is determined by the requirements and is not particularly limited by the application.
Specifically, in the first layer of encryption the protected key is encrypted with the security factor and the hash value of the protected key, and the security factor, the hash value of the protected key and the encrypted protected key are stored in a specified storage file on the server. The algorithm used in the first layer may be a symmetric encryption/decryption algorithm such as SM1 or AES.
More specifically, a random number and the hash value of the protected key are processed together to form a first encryption key, and the protected key is encrypted with that first encryption key, wherein the random number is one of the security factors. The number of bits of the random number, the hash value of the protected key and the encrypted protected key are stored in a specified storage file on the server, wherein the number of bits of the random number is another of the security factors.
Correspondingly, in the second layer of encryption the specified storage file is encrypted with a public key to obtain a secret file, and the secret file is stored on a permanent storage medium of the user side, wherein the public key and its corresponding private key are generated by the server.
It is understood that in some preferred embodiments of the present invention the security factor includes, but is not limited to, a random number and its number of bits; it may also be a serial number or the like, which is not elaborated here.
FIG. 2 is a schematic diagram of encryption logic provided by an embodiment of the present disclosure; the encryption process in the embodiment of the present invention is described in detail below with reference to fig. 2.
First, the first layer of encryption is performed. A hash algorithm such as SM3 or SHA256 is used to calculate the hash value of the protected key; for convenience it is named Hash1, and it appears as Hash1 in fig. 2.
Next, a random number with a designated number of bits is generated; it is named random1 and appears as random1 in fig. 2. The number of bits can be set flexibly for different application scenarios: the more bits the random number has, the larger the possible space and the better the security. The default number of bits is 8. In a given deployment, once the number of bits has been set, any later change must increase it above the initial value, otherwise decryption may fail.
Next, Hash1 and random1 are concatenated and hashed with a hash algorithm such as SM3 or SHA256; the resulting hash value is named HashKey1 and appears as HashKey1 in fig. 2.
Next, HashKey1 is used as the key of a symmetric encryption/decryption algorithm such as SM1 or AES to encrypt the protected key, giving a ciphertext (the encrypted protected key) named AesSecretText1, shown as AesSecretText1 in fig. 2.
Next, Hash1, the number of bits of random1, and AesSecretText1 are added as one record to the key memory file, named SecretMemoryFile1 and shown as SecretMemoryFile1 in fig. 2.
Finally, the second layer of encryption is performed. A public/private key pair of an asymmetric encryption/decryption algorithm such as SM2 or RSA is generated, and the public key is used to encrypt the contents of SecretMemoryFile1, forming a secret file that is stored on a permanent storage medium of the server; it is named SecretFile2 below. The decryption key of SecretFile2, i.e. the private key, is kept by the operation and maintenance staff (or other security staff) and is not stored on the machine.
As described above, in some embodiments of the present application, a dual-layer encryption manner is used, and accordingly, decryption is performed twice during decryption.
According to a specific embodiment of the present invention, in step S102 the decryption key of the outermost layer is sent to the server, which performs the first decryption; the server then decrypts the encrypted protected key within the range of the security factor, completing the second decryption.
The server receives the private key and uses it, with a decryption algorithm, to decrypt the secret file, obtaining the hash value of the protected key, the number of bits of the random number and the encrypted protected key; it then decrypts the encrypted protected key according to the hash value of the protected key and the number of bits of the random number to obtain the protected key.
FIG. 3 is a schematic diagram of decryption logic provided by an embodiment of the present disclosure; the decryption process is described in detail below with reference to fig. 3.
When the server-side key security protection service is started, an operations and maintenance engineer (or other security personnel) must enter the decryption key of the secret file SecretFile2. Only when the correct decryption key of SecretFile2 is entered can the service unlock the content of SecretFile2 and read the protected content.
The server-side password (key) security protection service reads the content of the secret file SecretFile2, decrypts it with the decryption key entered by the maintainer using an asymmetric encryption and decryption algorithm such as SM2 or RSA, and keeps the decrypted content in computer memory. For convenience in the following description, the decrypted content is named SecretMemoryFile2 and is shown as such in FIG. 3.
The server reads the data record from the key memory file SecretMemoryFile2 to obtain Hash1, the digit count of random1, and AesSecretText1.
The server generates a new random number within the limit set by the digit count of random1; for convenience it is named random2 and is shown as such in FIG. 3. Hash1 is concatenated with random2 and passed through a hash algorithm such as SM3 or SHA256 to obtain a hash value, named HashKey2 for convenience and denoted HashKey2 in FIG. 3. HashKey2 is used as the key of the symmetric encryption and decryption algorithm in an attempt to decrypt AesSecretText1, yielding a possible original protected key. The server checks whether this decryption step completed normally; if the decryption is abnormal, the step is repeated until a decryption completes normally.
The server calculates the hash value of the possible original protected key obtained by the decryption step above; for convenience this hash value is named Hash2 and is represented as Hash2 in FIG. 3.
The server judges whether Hash1 is the same as Hash2. If the two are the same, the verification succeeds, that is, the decryption succeeds. After successful decryption, the possible original protected key is taken as the real original protected key and stored in the memory of the client for use. If they differ, the steps above are repeated until decryption and verification succeed. Within a predictable number of attempts (at most 10 raised to the power of the random number's digit count, plus 1), the collision verification is bound to succeed.
In some preferred embodiments of the present invention, the client determines whether the server is providing the service, and deletes the protected key stored in the cache memory after the server terminates the service. For efficiency, the decrypted original key of the protection target is temporarily stored in the cache of the client computer, where the original key in memory can be used while the service is running. After the service of the server is closed and restarted, the original key is decrypted again.
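The decryption loop of FIG. 3, written out as an added Go example that is not part of the patent: the record carries only Hash1, the digit count of random1 and AesSecretText1, and recovery derives HashKey2 from each candidate random2 until the symmetric decryption completes normally and Hash2 equals Hash1. AES-256-GCM stands in for the unspecified symmetric algorithm (its authentication tag is what makes a wrong HashKey2 "abnormal"), SHA-256 stands in for SM3, and candidates are enumerated in order rather than drawn at random so the trial count is bounded; these substitutions are assumptions of the example, not details of the patent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
)

// Record holds what the patent keeps in the decrypted memory file: Hash1, the
// digit count of random1, and AesSecretText1. random1 itself is never stored.
type Record struct {
	Hash1     [32]byte // hash of the protected key
	Digits    int      // number of decimal digits of random1
	AesSecret []byte   // nonce || AES-256-GCM ciphertext+tag (constructed layout)
}

// deriveKey computes HashKey = Hash(Hash1 || random); SHA-256 stands in for SM3.
func deriveKey(hash1 [32]byte, random string) []byte {
	sum := sha256.Sum256(append(hash1[:], random...))
	return sum[:]
}

// gcmFor keys AES-256-GCM with a derived HashKey; the key is always 32 bytes.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable for a 32-byte key
	}
	gcm, _ := cipher.NewGCM(block) // only fails for a non-16-byte block, never for AES
	return gcm
}

// Protect builds the encryption-phase record; random1 is a zero-padded decimal
// string such as "037", and its length becomes the stored digit count.
func Protect(protectedKey []byte, random1 string) (Record, error) {
	h1 := sha256.Sum256(protectedKey)
	gcm := gcmFor(deriveKey(h1, random1))
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nonce, nonce, protectedKey, nil)
	return Record{Hash1: h1, Digits: len(random1), AesSecret: ct}, nil
}

// Recover replays the FIG. 3 loop: for each candidate random2 of the stored
// width, derive HashKey2, try to decrypt, and accept only when the AEAD check
// passes and Hash2 == Hash1. Enumerating in order caps the work at 10^Digits.
func Recover(r Record) (key []byte, trials int64, err error) {
	for i := int64(0); i < int64(math.Pow10(r.Digits)); i++ {
		trials++
		gcm := gcmFor(deriveKey(r.Hash1, fmt.Sprintf("%0*d", r.Digits, i)))
		ns := gcm.NonceSize()
		pt, err := gcm.Open(nil, r.AesSecret[:ns], r.AesSecret[ns:], nil)
		if err != nil {
			continue // "decryption abnormal": wrong HashKey2, try the next candidate
		}
		if sha256.Sum256(pt) == r.Hash1 {
			return pt, trials, nil // Hash2 == Hash1: verification succeeded
		}
	}
	return nil, trials, fmt.Errorf("no candidate within %d digits", r.Digits)
}
```

The trial count returned by Recover makes the cost of the digit count visible: every extra decimal digit in random1 multiplies the worst-case number of decryption attempts by ten.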
Based on the same idea, some embodiments of the present application further provide a device and a non-volatile computer storage medium corresponding to the above method.
Fig. 2 is a schematic diagram of an apparatus framework provided in an embodiment of the present specification, where a key security protection apparatus includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
the protected key is encrypted in multiple layers through an encryption algorithm and a security factor and then stored to a server;
and receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
Some embodiments of the present application provide a non-volatile computer storage medium corresponding to the server-side key security protection method of FIG. 1, storing computer-executable instructions configured to:
the protected key is encrypted in multiple layers through an encryption algorithm and a security factor and then stored to a server;
and receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the device and media embodiments, the description is relatively simple as it is substantially similar to the method embodiments, and reference may be made to some descriptions of the method embodiments for relevant points.
The device and the medium provided by the embodiment of the application correspond to the method one to one, so the device and the medium also have the similar beneficial technical effects as the corresponding method, and the beneficial technical effects of the method are explained in detail above, so the beneficial technical effects of the device and the medium are not repeated herein.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A server side key security protection method is characterized by comprising the following steps:
the protected key is encrypted in multiple layers through an encryption algorithm and a security factor and then stored to a server;
and receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
2. The method according to claim 1, wherein the storing the protected key after multi-layer encryption by the encryption algorithm and the security factor to the server comprises:
performing a first layer encryption on the protected key through the safety factor and the hash value of the protected key;
and carrying out second-layer encryption on the file formed by the first-layer encryption through a public key.
3. The method according to claim 1, wherein the storing the protected key after multi-layer encryption by the encryption algorithm and the security factor to the server comprises:
encrypting the protected key through the safety factor and the hash value of the protected key, and storing the safety factor, the hash value of the protected key and the encrypted protected key into a specified storage file of the server;
and encrypting the appointed storage file through a public key to obtain a secret file, and storing the secret file into a permanent storage medium of the server, wherein the public key and a corresponding private key thereof are generated by the server.
4. The method according to claim 3, wherein the encrypting the protected key by the security factor and the protected key hash value and storing the security factor, the protected key hash value and the encrypted protected key in a specified storage file of the server comprises:
processing a random number and a hash value of the protected key to form a first encryption key, and encrypting the protected key by using the first encryption key, wherein the random number is one of the security factors;
and storing the digit of the random number, the hash value of the protected key and the encrypted protected key into a specified storage file of the server, wherein the digit of the random number is another one of the security factors.
5. The method of claim 1, further comprising:
and judging whether the server provides service or not, and deleting the protected key stored in the cache memory after the server terminates the service.
6. The method according to claim 4, wherein the receiving the decryption key encrypted at the outermost layer, enabling the server to obtain the security factor and decrypt the encrypted protected key within the range of the security factor comprises:
the server receives the private key, so that the server decrypts the secret file through the private key to obtain the digit of the random number, and the protected key is obtained within the range of the digit of the random number.
7. The method according to claim 6, wherein said causing the server to decrypt the secret file through a decryption algorithm to obtain the number of bits of the random number, and obtaining the protected key within the range of the number of bits of the random number comprises:
the server decrypts the secret file through a decryption algorithm to obtain a hash value of the protected key, the digit of the random number and the encrypted protected key;
and decrypting the encrypted protected key according to the hash value of the protected key and the digit of the random number to obtain the protected key.
8. The method of claim 7, wherein the decrypting the encrypted protected key according to the hash value of the protected key and the number of bits of the random number to obtain the protected key comprises:
generating a new random number according to the digit of the random number;
splicing the hash value of the protected secret key and the new random number to form new splicing information;
calculating a hash value of the new splicing information by using a hash algorithm;
and taking the hash value of the new splicing information as a key, and decrypting the protected key through a decryption algorithm to obtain the protected key.
9. A server-side key safeguard device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
the protected key is encrypted in multiple layers through an encryption algorithm and a security factor and then stored to a server;
and receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
10. A non-transitory computer storage medium for server-side key security, storing computer-executable instructions configured to:
the protected key is encrypted in multiple layers through an encryption algorithm and a security factor and then stored to a server;
and receiving the decryption key encrypted at the outermost layer, enabling the server to acquire the security factor and decrypt the encrypted protected key within the range of the security factor, and storing the decrypted protected key into a cache memory of the server.
CN202010228555.7A 2020-03-27 2020-03-27 Server side key safety protection method, equipment and medium Pending CN113452661A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010228555.7A CN113452661A (en) 2020-03-27 2020-03-27 Server side key safety protection method, equipment and medium

Publications (1)

Publication Number Publication Date
CN113452661A true CN113452661A (en) 2021-09-28

Family

ID=77807833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010228555.7A Pending CN113452661A (en) 2020-03-27 2020-03-27 Server side key safety protection method, equipment and medium

Country Status (1)

Country Link
CN (1) CN113452661A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114884716A (en) * 2022-04-28 2022-08-09 世融能量科技有限公司 Encryption and decryption method, device and medium
CN114884716B (en) * 2022-04-28 2024-02-27 世融能量科技有限公司 Encryption and decryption method, device and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210928