CN113726515A - UKEY-based key processing method, storage medium and electronic device - Google Patents


Info

Publication number
CN113726515A
Authority
CN
China
Prior art keywords
key
server
segmented
ukey
encryption
Prior art date
Legal status
Granted
Application number
CN202111056639.8A
Other languages
Chinese (zh)
Other versions
CN113726515B (en)
Inventor
黄亮
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202111056639.8A
Publication of CN113726515A
Application granted
Publication of CN113726515B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution using key encryption key
    • H04L9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of this application provide a UKEY-based key processing method, a storage medium and an electronic device. The method comprises the following steps: generating a plurality of segmented characters by encrypting the target key and applying a segmented encryption operation; performing a first irreversible operation on one segmented character and taking the result of the operation as a salt value; obtaining the server public key of each server, and performing an encryption operation on the other segmented characters using the salt value and the server public key to generate a final key factor for storage in the corresponding server; and storing the salt value, the server device information and the target key information in the UKEY. In the embodiments of this application the data is held by at least three parties: the servers, the UKEY and the password value for the UKEY. As long as any one of them is not stolen, the target key cannot be decrypted, so the security of storing the target key on the cloud server is improved.

Description

UKEY-based key processing method, storage medium and electronic device
Technical Field
The present application relates to the field of data processing technologies, and in particular to a UKEY-based key processing method, a storage medium and an electronic device.
Background
As the internet has become widespread and its use has grown, network security has gradually received more attention from every large internet company. The server cipher machine serves as an intermediate network security device: it protects data leaving the terminal with public key encryption and verifies the correctness of returned data with private key decryption. It is the platform that implements key generation, key storage, key distribution, key destruction, key backup, key updating, key archiving, key recovery and similar functions, so its security is the most basic and the most important requirement. However, when all the data is stored on a single server, a third party who obtains control of that server may be able to crack the data, so the security of the data is not high.
Alternatively, after the server cipher machine is virtualized into a cloud service cipher machine allocated on demand, the data is stored in a distributed manner and all of it is encrypted and protected by the cloud service provider. In that case, if the cloud service provider is breached the data is still at risk of theft, because everything still runs entirely in the cloud.
Disclosure of Invention
In view of the above problems in the prior art, the present application provides a UKEY-based key processing method, a storage medium and an electronic device. Embodiments of the present application adopt the following technical solutions:
In one aspect, an embodiment of the present application provides a UKEY-based key processing method, including:
generating a plurality of segmented characters by encrypting the target key and applying a segmented encryption operation;
performing a first irreversible operation on one segmented character, and taking the result of the operation as a salt value;
obtaining the server public key of each server, and performing an encryption operation on the other segmented characters using the salt value and the server public key to generate a final key factor for storage in the corresponding server;
wherein the UKEY stores the salt value, the server device information and the target key information.
In some embodiments, obtaining the server public key of each server and performing an encryption operation on the other segmented characters based on the salt value, the password value for the UKEY and the server public key includes:
obtaining the password value for the UKEY, combining the salt value and the password value, performing a second irreversible operation on the combination, and encrypting each of the other segmented characters with the result of that operation;
and encrypting each encrypted segmented character with the corresponding server public key to obtain each final key factor.
In some embodiments, performing a first irreversible operation on one segmented character and taking the result as a salt value includes:
performing a hash operation on that segmented character and taking the resulting hash data as the salt value.
In some embodiments, generating the final key factor for storage in the corresponding server comprises:
generating and storing a unique identifier corresponding to each final key factor;
and sending each final key factor, together with its unique identifier, to the corresponding server for storage.
In some embodiments, obtaining the server public key of each server includes:
performing certificate authentication with each server, and obtaining each server's public key by parsing the authenticated certificate.
In some embodiments, the key processing method further comprises:
obtaining the serial number (SN) of each server from its certificate, so as to obtain the server device information.
In some embodiments, the key processing method further comprises obtaining a symmetric key;
and generating a plurality of segmented characters by encrypting the target key and applying a segmented encryption operation comprises:
performing a first encryption of the target key with the symmetric key to generate a ciphertext target key, and applying a segmented encryption operation to the ciphertext target key to generate M target key segmented characters;
performing a second encryption of the symmetric key with the public key corresponding to the UKEY to generate a ciphertext symmetric key, and applying a segmented encryption operation to the ciphertext symmetric key to correspondingly generate M symmetric key segmented characters;
and combining the target key segmented characters and the symmetric key segmented characters into M segmented characters.
In some embodiments, the key processing method further comprises:
deleting the symmetric key, and clearing the data from memory when the operation ends.
The present application also provides a computer readable storage medium storing one or more computer programs which, when executed by a processor, implement the steps of the method of any of the above embodiments.
An embodiment of the present application further provides an electronic device comprising at least a memory and a processor, where the memory stores an application program and the processor implements the steps of the method of any of the above embodiments when executing that application program from the memory.
Compared with the prior art, the beneficial effects of the embodiments of the present application are as follows. The target key is processed by encryption and a segmented encryption operation to generate a plurality of segmented characters; one segmented character is turned into a salt value, and the other segmented characters are encrypted using the salt value, the password value for the UKEY and the server public key to generate final key factors that are stored by the corresponding servers. In this UKEY-based key processing method the servers store the encrypted final key factors, the UKEY stores the salt value, the server device information and the target key information, and the user keeps the password value for the UKEY, so the data is held in at least three places. As long as any one of them is not stolen the target key cannot be decrypted, and the security of storing the target key on the cloud server is improved.
Drawings
To illustrate the embodiments of the present disclosure or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description cover only some of the embodiments described in the present disclosure, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a key processing method based on UKEY according to a first embodiment of the present application;
Fig. 2 is a schematic structural diagram of an electronic device according to a second embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings of the embodiments of the present application. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the application without any inventive step, are within the scope of protection of the application.
Unless defined otherwise, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs. As used in this application, the terms "first," "second," and the like do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
Detailed descriptions of known functions and known components are omitted in the present application in order to keep the following description of the embodiments of the present application clear and concise.
In this embodiment, the user inserts a UKEY into a terminal and logs in to an application program after passing verification on the UKEY's login interface; the verification may be of an account and a PIN code entered by the user. After the UKEY login, the application program connects to the server cipher machine, which encrypts the target key and applies a segmented encryption operation to it to generate a plurality of segmented characters. One of the segmented characters is then passed through an irreversible operation and the result is stored in the UKEY as a salt value, to be kept locally by the user; the other segmented characters are encrypted using the salt value, the password value for the UKEY and the server public key to generate final key factors, which are stored by the corresponding servers. In the UKEY-based key processing method of this embodiment the servers store the encrypted final key factors, the UKEY stores the salt value, the server device information and the target key information, and the user keeps the password value for the UKEY, so the data is held in at least three places. If the cloud service provider is breached, or the UKEY is lost, or the password value leaks, the target key still cannot be decrypted as long as all three pieces of data cannot be obtained at the same time. This improves the security of storing the target key on the cloud server and frees storage space on the server cipher machine, so that its computing capacity is not affected.
In addition, with the UKEY-based key processing method of this embodiment, different target keys can be divided into different numbers of segments as needed, which takes server load balancing into account: distributed storage can be arranged according to which servers are idle, improving resource utilization.
For ease of understanding, the following describes the procedure by which a user performs UKEY-based key processing.
In this application the UKEY-based key processing method can be applied to an electronic device such as a mobile phone, tablet, computer or other terminal that can communicate with the server, so that the terminal's user can connect to the server cipher machine through an application program. After inserting the UKEY into the terminal, the user logs in to the application program to connect to the server cipher machine. The server cipher machine provides key storage, key distribution, key destruction, key backup, key updating, key archiving, key recovery and similar functions, and a user connected to the server through the application program can perform data processing operations such as key generation and data encryption or decryption.
Fig. 1 shows a UKEY-based key processing method according to an embodiment of the present application. As shown in Fig. 1, the method includes the following steps.
S100, generate a plurality of segmented characters by encrypting the target key and applying a segmented encryption operation.
Before this step the user inserts the UKEY into the terminal and completes account/password or PIN code verification on the UKEY's login interface to log in to the application program. After login, the application program connects to the server cipher machine, through which data processing operations such as key generation and data encryption or decryption are performed. Because the user normally keeps the UKEY on their person, it is difficult for a third party or an attacker to obtain it.
In one implementation of this step, the server cipher machine first encrypts the target key and then applies a segmented encryption operation to the result, so that a plurality of segmented characters are generated from the encrypted target key.
In this embodiment the server cipher machine may, at the user's request, select a key from the key data it has generated as the target key, and may apply the encryption and segmented encryption operations to that key after it has been used to encrypt important data. It is also possible to generate new key data as the target key and apply the encryption and segmented encryption operations to it, so that the target key can be recovered when another terminal needs to use it for encryption.
In some embodiments, to avoid having to store a separate key for encrypting the target key, a symmetric key is used for that encryption. The symmetric key may be generated at random by the server cipher machine or selected from the keys it has already generated for use in cryptographic operations on the target key. Thus, in one embodiment, step S100 may be implemented as follows:
S110, perform a first encryption of the target key with the symmetric key to generate a ciphertext target key, and apply a segmented encryption operation to the ciphertext target key to generate M target key segmented characters.
In this step, after connecting to the server cipher machine through the application program, the user creates a key with the server cipher machine or selects one from the pre-generated keys to obtain a symmetric key, and uses it to perform the first encryption of the target key on the server cipher machine. Correspondingly, when the user later obtains the ciphertext target key, it can be decrypted with the symmetric key to recover the target key for subsequent operations. After the first encryption, the user applies the segmented encryption operation to the ciphertext target key on the server cipher machine; specifically, the Shamir segmented encryption operation (Shamir secret sharing) can be used to generate M target key segmented characters. When generating the target key segmented characters, the number of servers available for storing the target key is obtained first, the number of servers that will participate in storage is determined from it, and the segmentation parameters of the segmented encryption operation are then set accordingly, so that the segments can be sent to the corresponding servers for storage once the target key processing is complete.
S120, perform a second encryption of the symmetric key with the public key corresponding to the UKEY to generate a ciphertext symmetric key, and apply the segmented encryption operation to the ciphertext symmetric key to correspondingly generate M symmetric key segmented characters.
In this application, when the UKEY first connects to the server cipher machine, the server cipher machine may generate a corresponding asymmetric key pair consisting of a public key and a private key, so that the UKEY can perform encryption or decryption operations with this key pair after logging in to the application program. In this step the user obtains the public key corresponding to the UKEY through the server cipher machine and encrypts the symmetric key with it to generate the ciphertext symmetric key. Correspondingly, when the user obtains the ciphertext symmetric key, it can be decrypted with the private key of the asymmetric key pair to recover the symmetric key. After the ciphertext symmetric key is generated, the user applies the segmented encryption operation to it on the server cipher machine; specifically, the Shamir segmented encryption operation can be used to generate M symmetric key segmented characters. The segmentation parameters for the ciphertext symmetric key are set to match those of the ciphertext target key, so that the number of symmetric key segmented characters matches the number of target key segmented characters and the two sets can be combined in the following step.
S130, combine the target key segmented characters and the symmetric key segmented characters into M segmented characters.
In this step the M target key segmented characters and the M symmetric key segmented characters are combined one to one to generate M segmented characters. For example, the M target key segmented characters in forward order may be spliced one by one with the corresponding M symmetric key segmented characters in forward order; or the M target key segmented characters in reverse order may be spliced one by one with the M symmetric key segmented characters in forward order. The specific combination rule can be set flexibly according to the user's needs and is not limited in this application.
In this embodiment, after the server cipher machine performs the first encryption of the target key with the symmetric key, the symmetric key is itself put through the segmented encryption operation, so that data derived from the symmetric key is also incorporated into the segmented characters. Once the UKEY-based key processing method is complete, the symmetric key does not need to be stored on the local terminal or the server cipher machine; it can be deleted directly, and the data used during the computation can be cleared from memory. The terminal and the cloud service cipher machine therefore retain no trace of the target key's encryption, which greatly protects the security of the target key.
For ease of understanding, the embodiments of the present application are illustrated with one specific example. After inserting the UKEY into the terminal, the user completes PIN code verification on the UKEY's login interface and logs in to the application program on the terminal, which connects to the server cipher machine.
The user selects the target key to be stored through the server cipher machine. In this embodiment the target key may have been given corresponding number information, such as "i", when it was generated in the server cipher machine. In a specific embodiment, the target key numbered "i" may have been generated in advance by the server cipher machine or generated in response to a user's selection operation; this application does not limit it.
The user obtains the symmetric key K through the server cipher machine and uses it to encrypt the target key i, generating the ciphertext target key T1. Here the user may create a key with the server cipher machine, or select one from the pre-generated keys, to obtain the symmetric key K. After the ciphertext target key T1 is generated it is segmented with the Shamir segmented encryption operation. The segmentation parameters are set according to the number of servers available for storing the target key, so that the number of segments does not exceed the number of available servers, and M target key segmented characters e_1, e_2, …, e_M are obtained from those parameters.
The user obtains the public key corresponding to the UKEY through the server cipher machine, encrypts the symmetric key K with it to generate the ciphertext symmetric key K1, and then segments the ciphertext symmetric key K1 with the Shamir segmented encryption operation. The segmentation parameters of the ciphertext symmetric key K1 are set to match those of the ciphertext target key T1, that is, according to the number of target key segmented characters, generating M symmetric key segmented characters k_1, k_2, …, k_M.
The M target key segmented characters e_1, e_2, …, e_M and the M symmetric key segmented characters k_1, k_2, …, k_M are combined according to a rule that can be set flexibly according to the user's needs and is not limited here. For example, the M target key segmented characters in forward order may be spliced with the M symmetric key segmented characters in forward order to give e_1k_1, e_2k_2, …, e_Mk_M, generating the segmented characters C_1, C_2, …, C_M. Or the M target key segmented characters in reverse order may be spliced with the M symmetric key segmented characters in forward order to give e_1k_M, e_2k_{M-1}, …, e_Mk_1, generating the segmented characters C_1, C_2, …, C_M for the subsequent operations.
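As an added example (not code from the patent or from Topsec), the following Python models steps S110 to S130 and their inverse: Shamir secret sharing over GF(2^8) splits the ciphertext target key T1 and the ciphertext symmetric key K1 into M shares each, the shares are spliced pairwise into C_1 … C_M in either of the two orders above, and any t of the C_i recover the target key. Assumptions: the threshold t (the page fixes only M), an HMAC-SHA256 keystream standing in for the unnamed symmetric cipher and for the UKEY public-key step (the standard library has no RSA), and that the ciphertext length is part of the target key information kept in the UKEY.

```python
import hashlib
import hmac
import secrets

# --- Shamir secret sharing over GF(2^8), AES polynomial x^8 + x^4 + x^3 + x + 1 ---

def _gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p & 0xFF

def _gf_inv(a: int) -> int:
    # a^254 == a^-1 in GF(2^8); a must be non-zero
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r

def shamir_split(secret: bytes, m: int, t: int) -> list[tuple[int, bytes]]:
    """Split secret into m shares evaluated at x = 1..m; any t shares reconstruct it."""
    coeffs = [[secrets.randbelow(256) for _ in range(t - 1)] for _ in secret]
    shares = []
    for x in range(1, m + 1):
        y = bytearray()
        for s, cs in zip(secret, coeffs):
            acc, xp = s, 1
            for c in cs:                 # f(x) = s + c1*x + c2*x^2 + ...
                xp = _gf_mul(xp, x)
                acc ^= _gf_mul(c, xp)
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares

def shamir_combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0 (subtraction is XOR in GF(2^8))."""
    basis = []
    for j, (xj, _) in enumerate(shares):
        b = 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                b = _gf_mul(b, _gf_mul(xk, _gf_inv(xk ^ xj)))
        basis.append(b)
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for (_, y), b in zip(shares, basis):
            acc ^= _gf_mul(y[i], b)
        out.append(acc)
    return bytes(out)

# --- Stand-in cipher (assumption: the page names no algorithm): HMAC-SHA256 counter
# keystream XORed with the data. Symmetric, so it also stands in for the UKEY key pair.

def _keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    ks = b"".join(hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_segments(target_key: bytes, sym_key: bytes, ukey_key: bytes,
                  m: int, t: int, reverse: bool = False) -> list[tuple[int, bytes]]:
    """S110-S130: returns [(i, C_i)] with C_i = e_i || k_i, or e_i || k_{M+1-i} if reverse."""
    t1 = _keystream_xor(sym_key, b"T1", target_key)   # S110: ciphertext target key T1
    k1 = _keystream_xor(ukey_key, b"K1", sym_key)     # S120: ciphertext symmetric key K1
    e = shamir_split(t1, m, t)
    k = shamir_split(k1, m, t)
    segments = []
    for i in range(m):
        _, ye = e[i]
        _, yk = k[m - 1 - i] if reverse else k[i]
        segments.append((i + 1, ye + yk))
    return segments

def recover_target_key(segments: list[tuple[int, bytes]], m: int, t1_len: int,
                       ukey_key: bytes, reverse: bool = False) -> bytes:
    """Inverse of make_segments from any t segments. t1_len is the length of T1,
    assumed here to be part of the target key information the UKEY keeps."""
    e_shares = [(i, c[:t1_len]) for i, c in segments]
    k_shares = [((m + 1 - i) if reverse else i, c[t1_len:]) for i, c in segments]
    sym_key = _keystream_xor(ukey_key, b"K1", shamir_combine(k_shares))  # UKEY private-key step
    return _keystream_xor(sym_key, b"T1", shamir_combine(e_shares))      # undo S110

if __name__ == "__main__":
    tk, sk, uk = secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_bytes(32)
    segs = make_segments(tk, sk, uk, m=5, t=3)
    print(recover_target_key(segs[1:4], 5, len(tk), uk) == tk)   # any 3 of the 5 C_i suffice
```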
S200, perform a first irreversible operation on one segmented character and take the result of the operation as a salt value.
In this step one segmented character is selected from the plurality of segmented characters and put through a first irreversible operation, and the segmented characters other than the selected one are further encrypted based on the result. After using the result, the server cipher machine can store it in the UKEY, so that the user keeps it together with the UKEY.
For example, the user may, through the server cipher machine, arbitrarily select one segmented character C_n (n being any integer from 1 to M) from the segmented characters C_1, C_2, …, C_M to obtain the salt value.
In some embodiments, performing the first irreversible operation on one segmented character and taking the result as a salt value includes performing a hash operation on that segmented character and taking the resulting hash data as the salt value. The hash algorithm can be chosen according to the user's needs and is not limited here. For example, the SHA-256 algorithm may be applied to the segmented character C_n to obtain hash data, which is used as the salt value h in the subsequent encryption operations and stored in the UKEY for the user to keep.
S300, obtain the server public key of each server, and perform an encryption operation on the other segmented characters based on the salt value, the password value for the UKEY and the server public key to generate a final key factor for storage in the corresponding server; wherein
the UKEY stores the salt value, the server device information and the target key information.
Before this step the user may enter the password value P used for storing the target key. The password value P may be a general password value the user uses for storing keys, or a password value specific to the target key numbered "i".
In this step the number of servers to be used for storage is determined from the number of segments, and the server cipher machine communicates with the determined servers to obtain their server public keys.
In some embodiments, the user can communicate with the server through the server cipher machine, exchange the certificate with the server for authentication, and decode the certificateAnalyzing to obtain server public key S of each server1,S2,……SM
And after the user acquires the server public key by using the server cipher machine, performing encryption operation on other segmented characters based on the salt value, the password value and the server public key to generate a final key factor stored in the corresponding server. Here, the server cipher machine may encrypt other segmented characters by using the salt value and the password value in sequence, and then encrypt by using a server public key; or, after the salt value and the password value are combined, other segmented characters are encrypted, and then the public key of the server is used for encryption; or in order to improve the data security, after the salt value and the password value are combined, a second irreversible operation is carried out, other segmented characters are encrypted by using the result of the second irreversible operation, then the server public key is used for encryption, and finally the final key factor stored in the corresponding server is generated.
In one embodiment, obtaining the server public key of each server, and performing an encryption operation on the other segmented characters based on the salt value, the password value for UKEY, and the server public key may be implemented as:
S310, acquiring the password value for the UKEY, combining the salt value and the password value, performing a second irreversible operation on the combination, and encrypting each of the other segmented characters with the result of that operation.
In this step, the salt value h and the password value p are concatenated to obtain the data hp or ph, and a second irreversible operation is performed on that data to obtain the second irreversible operation result h2, which serves as the key for encrypting the data to be encrypted. The second irreversible operation may use the same algorithm as the first one or a different one. For example, when the first irreversible operation uses SHA-256, the second irreversible operation on hp or ph may also use SHA-256, or may use SHA-512, to generate h2.
The server cipher machine then uses the second irreversible operation result h2 as a key to encrypt the other segmented characters, generating the corresponding ciphertext segmented characters.
For example, the server cipher machine uses h2 to encrypt the segmented characters among C1, C2, ..., CM other than Cn, generating the corresponding ciphertext segmented characters C1_1, C2_1, ..., CM_1 (there is no ciphertext for the index n consumed as the salt).
S320, encrypting each encrypted segmented character by using each server public key to obtain each corresponding final key factor.
When the server public keys are used to encrypt the encrypted segmented characters, a fixed one-to-one correspondence is not required. For example, the public key S1 of server 1 may be used to encrypt any one of the other ciphertext segmented characters, e.g. C2_1, to obtain the corresponding final key factor C2_2; in the subsequent storage operation C2_2 is transmitted to server 1 for storage. Whichever pairing is chosen, each final key factor must go to the server whose public key wrapped it, because only that server holds the private key that can remove this outer layer.
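The following Go program is an added worked example of steps S200 to S320 as described above; it is not code from the patent or from the applicant. It makes the choices the text leaves open: SHA-256 for both irreversible operations, the salt concatenated before the password ("hp"), AES-256-GCM as the symmetric cipher keyed by h2, and RSA-OAEP as the encryption under the server public key. The function names and the locally generated server key pairs (NewServerKeys, standing in for the certificate exchange) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SaltFromSegment is the first irreversible operation (S200): h = SHA-256(C_n); only h goes to the UKEY.
func SaltFromSegment(cn []byte) []byte {
	h := sha256.Sum256(cn)
	return h[:]
}

// SegmentKey is the second irreversible operation (S310): h2 = SHA-256(h || p); the "hp" order is an assumption.
func SegmentKey(salt, password []byte) []byte {
	h2 := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h2[:]
}

// newGCM builds AES-256-GCM from h2 (AES-GCM is an assumption; the text names no symmetric cipher).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeFinalKeyFactor runs S310 and S320 for one segment: encrypt C_i under h2 (nonce prefixed),
// then wrap with the server public key via RSA-OAEP (an assumption; the text says only "server public key").
func MakeFinalKeyFactor(h2, segment []byte, server *rsa.PublicKey) ([]byte, error) {
	gcm, err := newGCM(h2)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, segment, nil)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, server, ct, nil)
}

// RecoverSegment reverses S320 then S310. The outer layer needs the server's private key, so in the deployed system this step must run on that server.
func RecoverSegment(h2, factor []byte, server *rsa.PrivateKey) ([]byte, error) {
	ct, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, factor, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(h2)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil) // fails on a wrong h2, i.e. a wrong password
}

// MakeFinalKeyFactors applies the storage side to C_1..C_M: segments[n] is the salt segment
// kept (hashed) in the UKEY, every other segment is wrapped for servers[0], servers[1], ... in order.
func MakeFinalKeyFactors(segments [][]byte, n int, password []byte, servers []*rsa.PublicKey) ([]byte, [][]byte, error) {
	if n < 0 || n >= len(segments) || len(servers) < len(segments)-1 {
		return nil, nil, errors.New("need one server per non-salt segment")
	}
	salt := SaltFromSegment(segments[n])
	h2 := SegmentKey(salt, password)
	factors := make([][]byte, 0, len(segments)-1)
	for i, seg := range segments {
		if i == n {
			continue
		}
		f, err := MakeFinalKeyFactor(h2, seg, servers[len(factors)])
		if err != nil {
			return nil, nil, err
		}
		factors = append(factors, f)
	}
	return salt, factors, nil
}

// NewServerKeys stands in for the certificate exchange of S300 in this offline example.
func NewServerKeys(count int) ([]*rsa.PrivateKey, []*rsa.PublicKey, error) {
	privs := make([]*rsa.PrivateKey, count)
	pubs := make([]*rsa.PublicKey, count)
	for i := range privs {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, nil, err
		}
		privs[i], pubs[i] = k, &k.PublicKey
	}
	return privs, pubs, nil
}
```

Two design points matter for a practitioner. GCM makes a wrong password (and hence a wrong h2) fail authentication instead of returning garbage, which is what lets the retrieval side detect a bad UKEY password before it feeds the result into the Shamir step. RSA-OAEP with SHA-256 and a 2048-bit key can wrap at most 190 bytes, so if a segmented character is larger than that, wrap a per-segment content key instead of the ciphertext itself.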
In some embodiments, generating the final key factor for storage in the respective server may be implemented as:
S330, generating and storing unique identifiers corresponding to the final key factors.
A unique identifier is a value that uniquely represents one object. In this step the server cipher machine generates a unique identifier, for example a randomly generated character string, to identify a final key factor object. After generating the unique identifier for a final key factor, the server cipher machine stores it in association with the information of the target key to which that final key factor belongs.
S340, the final key factor corresponding to the unique identifier is sent to a corresponding server together for storage.
In this step, the server cipher machine sends each final key factor together with its unique identifier to the corresponding server, so that the server attaches the unique identifier to the final key factor and stores the final key factor in its database.
In this embodiment, when a final key factor needs to be obtained, the server cipher machine can retrieve the confirmed final key factor from the corresponding server by its unique identifier.
In the embodiment of the application, the server cipher machine stores the salt value, the equipment information of the server and the information of the target key in the UKEY for the user to keep.
The device information of a server may include its SN code (serial number), which uniquely identifies the server. When the final key factors need to be obtained from the servers, the server cipher machine reads the device information of the servers from the UKEY and uses it to identify each server unambiguously.
In some embodiments, during the interaction between the server cipher machine and a server, the SN code of that server is obtained by parsing its certificate, which yields the server's device information.
The information of the target key includes the number information of the target key. After the UKEY-based key processing method is completed, the target key is not stored in the server cipher machine.
For example, when the target key needs to be obtained, the user inserts the UKEY into a terminal, logs in to the corresponding application program, and operates it while connected to the server cipher machine. The server cipher machine determines the servers holding the final key factors from the server SN codes stored in the UKEY, looks up the unique identifiers associated with the number information of the target key stored in the UKEY, and obtains each final key factor from its server by that unique identifier. The outer layer of each final key factor was encrypted with the server public key obtained from the certificate exchange, so removing it requires the matching server private key, which only that server holds; the ciphertext segmented character is then decrypted with the key derived from the salt value and the password value for the UKEY, yielding the other segmented characters. These are split according to the combination rule of target key segmented characters and symmetric key segmented characters into M-1 target key segmented characters and M-1 symmetric key segmented characters. The Shamir reconstruction is then run separately on the M-1 target key segmented characters and on the M-1 symmetric key segmented characters to recover the ciphertext target key and the ciphertext symmetric key; this only works if the sharing threshold was set to at most M-1 when the segments were generated, since the segmented character consumed as the salt is never recovered. Finally, the ciphertext symmetric key is decrypted with the private key corresponding to the UKEY to obtain the symmetric key, and the ciphertext target key is decrypted with the symmetric key to obtain the target key.
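The "Shamir segmented encryption operation" used above is Shamir secret sharing. The following Go code is an added example, not code from the patent, of splitting a ciphertext key into M segments over GF(2^8) and recovering it from M-1 of them; the type and function names are assumptions. Because the segment C_n is consumed as the salt and never recovered, the threshold k must be chosen at most M-1 at split time, for instance M=4 and k=3.

```go
package main

import (
	"crypto/rand"
	"errors"
)

// Share is one segmented character of the Shamir split: the evaluation point x
// (1..255) and, for every byte of the secret, the polynomial value at x.
type Share struct {
	X byte
	Y []byte
}

// gfMul multiplies in GF(2^8) with the AES reduction polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 == 1 {
			p ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns a^-1 = a^254 (the multiplicative group of GF(2^8) has order 255).
func gfInv(a byte) byte {
	r, base := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = gfMul(r, base)
		}
		base = gfMul(base, base)
	}
	return r
}

// Split produces m shares of secret such that any k of them reconstruct it.
// Each secret byte gets its own random polynomial of degree k-1 whose constant
// term is that byte; share i holds the evaluations at x = i.
func Split(secret []byte, m, k int) ([]Share, error) {
	if k < 2 || m < k || m > 255 {
		return nil, errors.New("need 2 <= k <= m <= 255")
	}
	shares := make([]Share, m)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coef := make([]byte, k)
	for pos, s := range secret {
		coef[0] = s
		if _, err := rand.Read(coef[1:]); err != nil {
			return nil, err
		}
		for i := range shares {
			var y byte // Horner evaluation of the polynomial at shares[i].X
			for j := k - 1; j >= 0; j-- {
				y = gfMul(y, shares[i].X) ^ coef[j]
			}
			shares[i].Y[pos] = y
		}
	}
	return shares, nil
}

// Combine interpolates the constant term (x = 0) from the given shares with
// Lagrange basis polynomials; in characteristic 2, subtraction is XOR. Fewer
// than k shares yield an unrelated value, never an error, so the caller must
// know k (here M-1, the shares left after C_n was consumed as the salt).
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	n := len(shares[0].Y)
	out := make([]byte, n)
	for i, si := range shares {
		if len(si.Y) != n || si.X == 0 {
			return nil, errors.New("malformed share")
		}
		var num, den byte = 1, 1
		for j, sj := range shares {
			if i == j {
				continue
			}
			if sj.X == si.X {
				return nil, errors.New("duplicate share")
			}
			num = gfMul(num, sj.X)
			den = gfMul(den, sj.X^si.X)
		}
		basis := gfMul(num, gfInv(den)) // l_i(0)
		for pos := 0; pos < n; pos++ {
			out[pos] ^= gfMul(si.Y[pos], basis)
		}
	}
	return out, nil
}
```

In the method above, the ciphertext target key and the ciphertext symmetric key are each split with Split(secret, M, M-1), the i-th share of each is concatenated into the segmented character C_i, and on retrieval Combine is run over the M-1 shares that came back from the servers. Combine cannot tell whether it was given enough shares, which is why the sharing parameters (M and k) belong with the target key information the UKEY stores.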
In some embodiments, the UKEY-based key processing method further includes deleting the symmetric key and clearing the memory data when the operation ends. Because the processing runs through the server cipher machine driven by the application program, the terminal does not need to store any corresponding data locally; its memory data is cleared when the operation ends, so no trace of the processing remains on the terminal. Likewise, the symmetric key does not need to be stored: the server cipher machine deletes it, which avoids occupying storage space, keeps the computing capacity of the server cipher machine unaffected, leaves no trace of the encryption of the target key, and improves the security of the target key processing.
Embodiments of the present application also provide a computer-readable storage medium carrying one or more computer programs which, when executed by a processor, implement the steps of the method provided in any of the embodiments of the present application.
The storage medium in the present embodiment may be one contained in an electronic device/system; or may exist alone without being assembled into an electronic device/system. The storage medium carries one or more programs which, when executed, implement the steps of a method provided according to any embodiment of the present application.
According to embodiments of the present application, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. Optionally, the specific examples in this embodiment may refer to examples described in any embodiment of this application, and this embodiment is not described herein again. It will be apparent to those skilled in the art that the modules or steps of the present application described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present application is not limited to any specific combination of hardware and software.
As shown in fig. 2, an electronic device according to an embodiment of the present application is further provided, and includes at least a memory 901 and a processor 902, where the memory 901 stores an application program, and the processor 902 implements the steps of the method provided in any embodiment of the present application when executing the application program in the memory 901.
In this embodiment, the electronic device may include, but is not limited to, a mobile phone, a tablet computer, a computer and other terminal devices. A client (user side) is stored in the memory 901; the client may be an application program that connects to the server cipher machine to perform processing operations such as generating a key and encrypting or decrypting data, and a user of the electronic device operates the client to carry out the steps of the UKEY-based key processing method provided in any embodiment of the present application.
Since the electronic device described in the embodiment of the present application is an electronic device provided with a memory for implementing the method disclosed in the embodiment of the present application, based on the method described in the embodiment of the present application, a person skilled in the art can understand the structure and the variation of the electronic device described in the embodiment of the present application, and thus the description thereof is omitted here.
Moreover, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments based on the present application with equivalent elements, modifications, omissions, combinations (e.g., of various embodiments across), adaptations or alterations. The elements of the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents.
The above description is intended to be illustrative and not restrictive. For example, the above-described examples (or one or more versions thereof) may be used in combination with each other. For example, other embodiments may be used by those of ordinary skill in the art upon reading the above description. In addition, in the above detailed description, various features may be grouped together to streamline the application. This should not be interpreted as an intention that a disclosed feature not claimed is essential to any claim. Rather, subject matter of the present application can lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, with each claim standing on its own as a separate embodiment, and it is contemplated that these embodiments may be combined with each other in various combinations or permutations. The scope of the application should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
The embodiments of the present application have been described in detail, but the present application is not limited to these specific embodiments, and those skilled in the art can make various modifications and modified embodiments based on the concept of the present application, and these modifications and modified embodiments should fall within the scope of the present application.

Claims (10)

1. A key processing method based on UKEY comprises the following steps:
generating a plurality of segments of segmented characters based on encryption of the target key and segmented encryption operation;
performing a first irreversible operation based on one segmented character, and taking the segmented character after the operation processing as a salt value;
acquiring a server public key of each server, and performing encryption operation on other segmented characters based on the salt value, the password value aiming at UKEY and the server public key to generate a final key factor for storing in the corresponding server; wherein,
the UKEY stores the salt value, the server device information and the target key information.
2. The method of claim 1, wherein obtaining a server public key for each server, and performing an encryption operation on the other segmented characters based on the salt value, the password value for UKEY, and the server public key comprises:
acquiring the password value for the UKEY, combining the salt value and the password value, performing a second irreversible operation on the combination, and encrypting the other segmented characters respectively with the result of that operation;
encrypting each encrypted segmented character with a respective server public key to obtain the corresponding final key factors.
3. The method of claim 1, wherein said performing a first irreversible operation based on one of said segmented characters, taking the operation-processed segmented character as a salt value, comprises:
and carrying out hash operation on the segmented character, and taking the generated hash data as the salt value.
4. The method of claim 1, wherein the generating final key factors for storage in respective servers comprises:
generating and storing unique identifiers corresponding to the final key factors;
sending the final key factor together with its corresponding unique identifier to the corresponding server for storage.
5. The method of claim 1, wherein the obtaining the server public key of each server comprises:
performing certificate authentication with each server, and obtaining the public key of each server by parsing the authenticated certificate.
6. The method of claim 5, further comprising:
acquiring the SN code of each server from its certificate to obtain the device information of the server.
7. The method according to any one of claims 1-6, further comprising: obtaining a symmetric key;
generating a plurality of segments of segmented characters based on the encryption of the target key and the segmented encryption operation, comprising:
performing first encryption on the target key by using the symmetric key to generate a ciphertext target key, and performing segmented encryption operation on the ciphertext target key to generate M segments of target key segmented characters;
performing second encryption on the symmetric key by using a public key corresponding to the UKEY to generate a ciphertext symmetric key, performing segmented encryption operation on the ciphertext symmetric key, and correspondingly generating M segments of symmetric key segmented characters;
combining the target key segmented characters and the symmetric key segmented characters into the M segments of segmented characters.
8. The method of claim 7, further comprising:
deleting the symmetric key, and clearing the memory data when the operation ends.
9. A computer readable storage medium carrying one or more computer programs which, when executed by a processor, implement the steps of a method according to any one of claims 1 to 8.
10. An electronic device comprising at least a memory and a processor, the memory having an application program stored thereon, wherein the processor, when executing the application program on the memory, implements the steps of the method according to any of claims 1-8.
CN202111056639.8A 2021-09-09 2021-09-09 UKEY-based key processing method, storage medium and electronic device Active CN113726515B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111056639.8A CN113726515B (en) 2021-09-09 2021-09-09 UKEY-based key processing method, storage medium and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111056639.8A CN113726515B (en) 2021-09-09 2021-09-09 UKEY-based key processing method, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN113726515A true CN113726515A (en) 2021-11-30
CN113726515B CN113726515B (en) 2022-09-23

Family

ID=78682889

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111056639.8A Active CN113726515B (en) 2021-09-09 2021-09-09 UKEY-based key processing method, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN113726515B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103346998A (en) * 2013-05-18 2013-10-09 北京凯锐立德科技有限公司 File breaking encryption-based file security protection method
US10177909B1 (en) * 2017-09-26 2019-01-08 Cloudflare, Inc. Managing private key access in multiple nodes

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022007A (en) * 2022-05-30 2022-09-06 中国银行股份有限公司 Data processing method and device, electronic equipment and storage medium
CN115022007B (en) * 2022-05-30 2024-03-01 中国银行股份有限公司 Data processing method, device, electronic equipment and storage medium
CN118051898A (en) * 2024-04-12 2024-05-17 杭州海康威视数字技术股份有限公司 UKEY-based offline authorization method, system and device
CN118051898B (en) * 2024-04-12 2024-06-11 杭州海康威视数字技术股份有限公司 UKEY-based offline authorization method, system and device

Also Published As

Publication number Publication date
CN113726515B (en) 2022-09-23

Similar Documents

Publication Publication Date Title
KR101888903B1 (en) Methods and apparatus for migrating keys
KR20230157929A (en) Transfer cryptocurrency from a remote access restricted wallet
US11329817B2 (en) Protecting data using controlled corruption in computer networks
US20160337124A1 (en) Secure backup and recovery system for private sensitive data
CN107920052B (en) Encryption method and intelligent device
CN109981255B (en) Method and system for updating key pool
US20220014367A1 (en) Decentralized computing systems and methods for performing actions using stored private data
US11757625B2 (en) Multi-factor-protected private key distribution
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN107040520B (en) Cloud computing data sharing system and method
CN113726515B (en) UKEY-based key processing method, storage medium and electronic device
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
CN113489710B (en) File sharing method, device, equipment and storage medium
CN109347923B (en) Anti-quantum computing cloud storage method and system based on asymmetric key pool
Khan et al. SSM: Secure-Split-Merge data distribution in cloud infrastructure
Yadav et al. Mobile cloud computing issues and solution framework
CN109299618B (en) Quantum-resistant computing cloud storage method and system based on quantum key card
CN113079002B (en) Data encryption method, data decryption method, key management method, medium, and device
JP2020155801A (en) Information management system and method therefor
CN112199730A (en) Method and device for processing application data on terminal and electronic equipment
CN109412788B (en) Anti-quantum computing agent cloud storage security control method and system based on public key pool
CN109302283B (en) Anti-quantum computing agent cloud storage method and system based on public asymmetric key pool
CN114553557B (en) Key calling method, device, computer equipment and storage medium
WO2023014895A1 (en) Information dispersal for secure data storage
Jenefa et al. A cloud storage system with data confidentiality and data forwarding

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant