CN115146285A - File encryption and decryption method and device - Google Patents

File encryption and decryption method and device Download PDF

Info

Publication number
CN115146285A
CN115146285A CN202110341853.1A CN202110341853A CN115146285A CN 115146285 A CN115146285 A CN 115146285A CN 202110341853 A CN202110341853 A CN 202110341853A CN 115146285 A CN115146285 A CN 115146285A
Authority
CN
China
Prior art keywords
file
information
index
key
white
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110341853.1A
Other languages
Chinese (zh)
Inventor
杨君
祁麟
林超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202110341853.1A priority Critical patent/CN115146285A/en
Publication of CN115146285A publication Critical patent/CN115146285A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22Indexing; Data structures therefor; Storage structures
    • G06F16/2282Tablespace storage structures; Management thereof
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computational Linguistics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a file encryption and decryption method and device, relating to the field of information security, wherein the encryption method comprises the following steps: slicing an original file to generate a plurality of data blocks and determining a standard splicing sequence of the data blocks; performing disorder processing on the plurality of data blocks, and splicing the plurality of data blocks after the disorder processing to obtain a key file; determining the index information of each data block in the key file, and combining the index information of each data block based on the standard splicing sequence to obtain index indication information; carrying out white-box encryption on the index table plaintext information based on the original key to obtain index table ciphertext information; and adding the index table ciphertext information to the file head of the key file to obtain an encrypted file corresponding to the original file. According to the file encryption and decryption method and device, the index table of the data block after the file is sliced is encrypted or decrypted through the white box, and the safety of the file content and the encryption and decryption efficiency are improved.

Description

File encryption and decryption method and device
Technical Field
The application relates to the field of information security, in particular to a file encryption and decryption method and device.
Background
When an application program runs at a client, a plurality of resource files are required to be acquired from a server, and many resource files are content sensitive, cannot be directly stored in a clear text at the client and need to be stored in an encrypted mode. zip is a file format that can be used for encrypted storage of files, however, the common schemes such as zip encryption have two major drawbacks:
one is that zip encryption schemes generally employ the original symmetric encryption method, under most terminal environments, an attacker can easily steal the terminal in a memory scanning mode;
secondly, the zip encryption scheme encrypts the whole file content, the encryption and decryption time is influenced by the size of the file, and when the file is large, the encryption and decryption time is long.
Therefore, it is necessary to provide a new encryption and decryption scheme to improve the security of the file content and the efficiency of encryption and decryption.
Disclosure of Invention
In order to improve the security of file contents and the encryption and decryption efficiency, the application provides a file encryption and decryption method and device. The specific technical scheme is as follows:
in a first aspect, the present application provides a file encryption method, which is applied to a server, and the method includes:
slicing an original file to generate a plurality of data blocks and determining a standard splicing sequence of the data blocks;
performing disorder processing on the plurality of data blocks, and splicing the plurality of data blocks after the disorder processing to obtain a key file;
determining the index information of each data block in the key file, and combining the index information of each data block based on the standard splicing sequence to obtain index indication information;
carrying out white-box encryption on the index table plaintext information based on the original key to obtain index table ciphertext information;
and adding the index table ciphertext information to the file head of the key file to obtain an encrypted file corresponding to the original file.
In a second aspect, the present application provides a file decryption method, which is applied to a client, and the method includes:
acquiring an encrypted file from a server;
determining index table ciphertext information of the encrypted file according to the file header of the encrypted file;
carrying out white-box decryption on the index table ciphertext information based on a white-box decryption key preset at the client to obtain index surface ciphertext information;
determining a plurality of data blocks in the encrypted file and a standard splicing sequence of the data blocks according to the index table plaintext information;
and splicing the data blocks based on the standard splicing sequence to obtain an original file corresponding to the encrypted file.
In a third aspect, the present application provides a file encryption apparatus, which is applied to a server, and the apparatus includes:
the slicing module is used for slicing an original file, generating a plurality of data blocks and determining a standard splicing sequence of the data blocks;
the disorder splicing module is used for performing disorder processing on the plurality of data blocks, and splicing the plurality of data blocks after the disorder processing to obtain a key file;
the index module is used for determining the index information of each data block in the key file, and combining the index information of each data block based on the standard splicing sequence to obtain index indication text information;
the encryption module is used for carrying out white-box encryption on the index table plaintext information based on the original key to obtain index table ciphertext information;
and the generating module is used for adding the index table ciphertext information to the file head of the key file to obtain an encrypted file corresponding to the original file.
In a fourth aspect, the present application provides a file decryption apparatus, which is applied to a client, and the apparatus includes:
the file acquisition module is used for acquiring the encrypted file from the server;
the ciphertext acquisition module is used for determining the index table ciphertext information of the encrypted file according to the file head of the encrypted file;
the decryption module is used for carrying out white-box decryption on the index table ciphertext information based on a white-box decryption key preset at the client side to obtain index showing text information;
the index module is used for determining a plurality of data blocks in the encrypted file and the standard splicing sequence of the data blocks according to the index presentation information;
and the positive sequence splicing module is used for splicing the data blocks based on the standard splicing sequence to obtain an original file corresponding to the encrypted file.
In a fifth aspect, the present application provides a computer-readable storage medium having at least one instruction or at least one program stored therein, the at least one instruction or at least one program being loaded and executed by a processor to implement a file encryption method according to the first aspect or a file decryption method according to the second aspect.
In a sixth aspect, the present application provides a computer device comprising a processor and a memory, wherein at least one instruction or at least one program is stored in the memory, and the at least one instruction or the at least one program is loaded by the processor and executed to implement a file encryption method according to the first aspect or a file decryption method according to the second aspect.
In a seventh aspect, the present invention provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. A processor of the computer device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions to cause the computer device to perform a file encryption method as described in the first aspect or a file decryption method as described in the second aspect.
The file encryption and decryption method and device have the following technical effects:
according to the scheme provided by the application, the original file is segmented to obtain the data blocks with smaller storage units, the data blocks after disorder are spliced to serve as the file data content of the encrypted file, only the index table of the data blocks is encrypted, and compared with a mode of encrypting all the file data content, the file volume added by the encrypted file is smaller, so that the file transmission between a server side and a client side is facilitated; in addition, only the way of encrypting the index table without encrypting the data content of the file and correspondingly only the way of searching the spliced data block according to the index table by the decryption index table are needed, so that the time consumption of encryption and decryption can be effectively reduced, and the encryption and decryption of the large file can be better supported;
according to the scheme, the white-box encryption and decryption technology is used, the plaintext key does not exist in the internal memory of the terminal in the decryption process, the key is prevented from being leaked in the terminal environment, and the security of the file content is further improved.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
In order to more clearly illustrate the technical solutions and advantages of the embodiments or the prior art of the present application, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the description below are only some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic diagram of an implementation environment of a file encryption method and a file decryption method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a file encryption method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a file slice provided by an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating out-of-order splicing of data chunks according to an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of generating an index table according to an embodiment of the present application;
fig. 6 (1) and fig. 6 (2) are schematic diagrams of index information provided by an embodiment of the present application;
fig. 7 is a schematic flowchart of white-box encryption provided by an embodiment of the present application;
FIG. 8 is a diagram illustrating an implementation of white-box cryptography according to an embodiment of the present application;
FIG. 9 is a schematic flowchart of another file encryption method provided in an embodiment of the present application;
fig. 10 is a schematic flowchart of a file decryption method according to an embodiment of the present application;
fig. 11 is a schematic flowchart of white-box decryption provided in an embodiment of the present application;
FIG. 12 is a schematic diagram illustrating a process of searching a data block according to a decrypted index table according to an embodiment of the present application;
fig. 13 is a schematic view of a complete flow chart of a file encryption and decryption method according to an embodiment of the present application;
fig. 14 is a schematic diagram of a file encryption apparatus according to an embodiment of the present application;
fig. 15 is a schematic diagram of a file decryption apparatus according to an embodiment of the present application;
fig. 16 is a schematic hardware structure diagram of an operation end according to an embodiment of the present application;
fig. 17 is a schematic hardware structure diagram of a server according to an embodiment of the present application.
Detailed Description
In order to improve the security of file contents and the efficiency of encryption and decryption, embodiments of the present application provide a file encryption method and device and a file decryption method and device. The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. Examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar function throughout.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the accompanying drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the application described herein may be implemented in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In order to facilitate understanding of the technical solutions and the technical effects thereof described in the embodiments of the present application, the embodiments of the present application explain related terms:
and (3) secret key: key is a parameter input in an algorithm for converting a plaintext into a ciphertext or converting a ciphertext into a plaintext. Keys are divided into symmetric keys and asymmetric keys.
Symmetric encryption algorithm: refers to an encryption algorithm that uses the same key for encryption and decryption. In the symmetric encryption algorithm, a data sender processes a plaintext (original data) and an encryption key together through a special encryption algorithm, and then the plaintext and the encryption key are changed into a complex encryption ciphertext to be sent out. After the receiver receives the ciphertext, if the receiver wants to decode the original text, the receiver needs to decrypt the ciphertext by using the key used for encryption and the inverse algorithm of the same algorithm so as to recover the ciphertext into readable plaintext. In the symmetric encryption algorithm, only one key is used, and both the sender and the receiver use the key to encrypt and decrypt data. Symmetric encryption algorithms are often used to encrypt information such as sensitive data.
AES: advanced Encryption Standard, also known as Rijndael Encryption method, is a block Encryption Standard adopted by the U.S. Federal government, is a next generation Encryption algorithm Standard, and has high speed and high security level.
DES: the Data Encryption Standard is a block algorithm using key Encryption, has high speed and is suitable for occasions where a large amount of Data is encrypted.
White box attack: the white-box attack means that an attacker has complete control capability on a device terminal and can observe and change internal data during program operation. Such an attack environment is called a white-box attack environment. Most intelligent terminal environments (Android, iOS and the like) are a white-box attack environment in many cases.
White box AES: any implementation of AES that resists key extraction in white-box attacks may be referred to as white-box AES.
White box cryptography: the encryption technology is an encryption technology for fusing an algorithm key into an algorithm, and is a cryptographic technology capable of resisting white-box attacks.
Zip: a file format for data compression and document storage.
Referring to fig. 1, which is a schematic diagram of an implementation environment of a file encryption method and a file decryption method according to an embodiment of the present application, as shown in fig. 1, the implementation environment may at least include a client 01 and a server 02.
Specifically, the server 02 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content delivery network), a big data and artificial intelligence platform, and the like. The server 02 may comprise a network communication unit, a processor and a memory etc. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein. Specifically, the server 02 may be configured to slice an original file to generate a plurality of data blocks, and re-splice the plurality of data blocks after out-of-order processing to obtain file data content of an encrypted file, and meanwhile, establish an index table of the data blocks according to a slicing process and a re-splicing process, encrypt the index table by using a white-box encryption technique, and add the encrypted index table to a file header of the encrypted file, so as to reduce the volume of the file as much as possible while ensuring data security. Specifically, the server 02 transmits the generated encrypted file to the client 01.
Specifically, the client 01 may include a smart phone, a desktop computer, a tablet computer, a notebook computer, a digital assistant, a smart wearable device, a monitoring device, a voice interaction device, and other types of devices, and may also include software running in the devices, such as web pages provided to the user by some service providers, and applications provided to the user by the service providers. Specifically, after the client 01 obtains the encrypted file from the server, the ciphertext index table is determined from the file header of the encrypted file, the ciphertext index table can be decrypted based on a preset white-box decryption key to obtain a plaintext index table, and then a plurality of data blocks in the encrypted file can be searched according to the plaintext index table and spliced again to obtain the file content of the original file.
It can be understood that the encrypted file may be transmitted not only between the server and the client, but also between the server and the server, and between the client and the client.
The embodiment of the present application can also be implemented by combining a Cloud technology, which refers to a hosting technology for unifying series resources such as hardware, software, and a network in a wide area network or a local area network to implement data calculation, storage, processing, and sharing, and can also be understood as a generic term of a network technology, an information technology, an integration technology, a management platform technology, an application technology, and the like applied based on a Cloud computing business model. Cloud technology requires cloud computing as a support. Cloud computing is a computing model that distributes computing tasks across a resource pool formed by a large number of computers, enabling various application systems to obtain computing power, storage space, and information services as needed. The network that provides the resources is referred to as the "cloud". Specifically, the server 02 and the database are located in the cloud, and the server 02 may be an entity machine or a virtualization machine.
The following describes a file encryption method provided by the present application. Fig. 2 is a flowchart of a file encryption method provided in an embodiment of the present application, and the present application provides the method operation steps described in the embodiment or the flowchart, but may include more or less operation steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. In practice, the system or server product may be implemented in a sequential or parallel manner (e.g., parallel processor or multi-threaded environment) according to the embodiments or methods shown in the figures. Referring to fig. 2, a file encryption method provided in an embodiment of the present application may include the following steps:
s210: slicing an original file to generate a plurality of data blocks and determining a standard splicing sequence of the data blocks.
In one application scenario, when an application program runs on a client, a plurality of resource files are acquired from a server, and many resource files are content-sensitive, cannot be directly stored in the clear at the client, need to be stored in an encrypted manner, and the types of resources can be pictures, audio, video, text resources, or other contents which can be displayed in a computer, and the like. If the original symmetric encryption method is adopted, an attacker can easily steal the key in a memory scanning mode under most terminal environments; if the whole file content is encrypted, the encryption and decryption time is affected by the size of the file, and when the file is large, the encryption and decryption time is long.
In the embodiment of the application, compared with the method for encrypting all data contents of the original file, the method for segmenting, disorderly and repeatedly splicing the data contents of the original file and encrypting the index information of the data contents is adopted, so that the increase of the file volume is reduced, and the file encryption efficiency is improved. Specifically, in the slicing process, the original file may be sliced based on a fixed-length blocking rule or a variable-length blocking rule, the sliced file slice is used as a data block, as shown in fig. 3, the file is an organization unit of data, the file may be sliced to obtain a plurality of data blocks, the numbers in fig. 3 are only used for distinguishing the data blocks, and it may not be necessary to attach an explicit number to the data blocks in some feasible embodiments. The fixed-length blocking is to divide an original file by adopting a predefined block size to obtain a plurality of data blocks with the same data size; the sizes of a plurality of data blocks in the variable-length blocks may be different, and a variable-length block is obtained by segmenting the data blocks based on the file Content of the original file, for example, the CDC (Content-defined Chunking) algorithm is a variable-length block algorithm, and the size of the data blocks is variable. In performing the algorithm, the CDC calculates a data fingerprint for file data using a fixed-size (e.g., 48 bytes) sliding window and takes the window position as the block boundary if the fingerprint satisfies a condition such as when its value modulo a particular integer is equal to a predetermined number. The present application does not limit the document splitting manner.
In an embodiment of the present application, since the index table is encrypted to reduce the file volume increased by encryption, when the file is cut to be over-dense and the data blocks are too many, the index information to be encrypted becomes more, and therefore, the size of the data blocks may be limited, for example, upper and lower limits are set or the number of the data blocks is limited.
In an embodiment of the present application, each generated data block may further include some important information, such as a unique identifier of the original file, sequence information of the slice, and the like, in addition to a partial file content of the original file, specifically, the sequence information of the slice may be represented as a block number of the data block, breakpoint information of the data block, time information of the data block, and the like, and the sequence information of the slice may be used to determine or record a standard splicing order of the data blocks, where the standard splicing order represents an original position of each data block in the plurality of data blocks in the original file, and the standard splicing order of the plurality of data blocks may be determined and recorded in the file splitting process. For file security reasons, these additional information are not retained in the encrypted file after the data blocks are re-spliced into the encrypted file.
S230: and carrying out disorder processing on the plurality of data blocks, and splicing the plurality of data blocks after the disorder processing to obtain a key file.
In the embodiment of the application, the data content of the original file is not completely encrypted, but the index information of the data blocks is encrypted to reduce the time consumption of encryption, and the subsequent white-box encryption is relied on to further ensure the file security. The index information has the function of finding out disordered data blocks in the file according to the index and restoring the disordered data blocks to the original file. Fig. 4 shows a schematic diagram of data block out-of-order splicing, where multiple data blocks (as shown in fig. 3) obtained by slicing are subjected to out-of-order splicing and then are re-spliced to obtain a key file, which may be considered as a final required encrypted file, but is different in that at this time, the file head of the key file is not filled with ciphertext data of index information.
S250: and determining the index information of each data block in the key file, and combining the index information of each data block based on the standard splicing sequence to obtain index indication text information.
In the embodiment of the present application, in consideration of file security, even if additional information such as a number identifier and a slicing time that can directly specify a sequence is defined for a data block during slicing, the data block will not remain in the data block of a key file after being re-spliced into the key file, and thus the data in the index table is data block attribute information that cannot directly derive a standard splicing sequence. Preferably, an offset of the data block or a data amount of the data block may be employed. The offset is the relative position where the data block is stored in the key file, and the data amount characterizes the size of the data block. The offset or amount of data for a block of data may be determined and recorded during the re-splicing process.
In one embodiment of the present application, specifically, as shown in fig. 5, the step S250 may include the steps of:
s251: determining index information corresponding to each data block according to the offset and the data volume of each data block in the key file; the offset characterizes a relative position of the data block in the key file.
Specifically, as shown in fig. 6 (1), the offset ofcast _5 represents the relative start position of the data Block _9 in the key file, and Volume _5 represents the data amount of the data Block _ 9. One data block can be uniquely determined by the offset and the data amount, and therefore, the offset and the data amount can be used as index information of the data block. Of course, the offset may be a relative end position, or one data block may be uniquely determined according to the relative end position and the data size.
S253: and combining the index information corresponding to each data block based on the standard splicing sequence to obtain index indication text information.
Specifically, as can be seen from the foregoing, the standard splicing order represents the original position of each data block in the original file, and after the index information of each data block in the key file is obtained, the index information is combined according to the standard splicing order to serve as the plaintext information of the index table. For example, the index table plaintext information may be represented as: offest _3, volume _3; offest _7, volume _7; offest _4 and volume _4.. The first three groups respectively represent index information of data blocks Block _1, block _2 and Block _3, and the data blocks Block _1, block _2 and Block _3 are respectively data blocks sequentially arranged at the first three positions in the original file slice. The above is a representation form of a standard splicing sequence, correspondingly, after the index table is decrypted at the other end, the data blocks can be sequentially searched according to the sequence of the index information record in the index table, in some feasible embodiments, the record rule and the read search rule of the index information in the index table can be complicated, for example, reverse order recording and reading, and separate recording and reading of odd-even positions, etc., so that the security of the file can be improved to a certain extent.
In another embodiment of the present application, specifically, the index information corresponding to each data block may be further determined according to a first offset and a second offset of each data block in the key file, where the first offset represents a relative start position of the data block in the key file, and the second offset represents a relative end position of the data block in the key file. It will be appreciated that a data Block may be determined by a relative start position and a relative end position, as shown in fig. 6 (2), an offset ofest _9 represents the relative start position of the data Block _9 in the key file, and an offset ofest _10 represents the relative end position of the data Block _9 in the key file. Further, the data size of the data block is determined according to the relative start position and the relative end position, the data size is used as a part of the index information, and the data size of the index information can be relatively reduced when the byte number of the data size is less than the byte number of the offset. It is understood that there may be gaps between the data blocks in fig. 6 (2), and the gaps are not necessarily continuous in the storage of data, i.e. the relative end position of the data Block _9 is not necessarily the relative start position of the data Block _ 6.
S270: and carrying out white-box encryption on the index table plaintext information based on the original key to obtain index table ciphertext information.
In the embodiment of the application, when the terminal decrypts the encrypted file, most of intelligent terminal environments (Android, iOS and the like) are a white-box attack environment under many conditions, and an attacker has complete control capability on terminal equipment and can observe and change internal data during program operation, so that a white-box cryptographic algorithm is constructed by adopting a white-box cryptographic technology to encrypt plaintext information of the index table so as to resist the white-box attack. The white-box cryptographic algorithm is constructed mainly by two strategies, namely white-box standard cryptographic algorithm and brand-new cryptographic algorithm. The standard cryptographic algorithm white-box is characterized in that an original cryptographic algorithm and a key are designed through a white-box cryptographic technology on the basis of a standard cryptographic algorithm security theory and on the premise of not changing the function of the original cryptographic algorithm, and the key security can be effectively ensured in a white-box attack environment.
In one embodiment of the present application, specifically, as shown in fig. 7, the step S270 may include the following steps:
s271: and acquiring a pre-generated original key.
In one possible implementation, a Key Management System (KMS) is provided that generates and protects a Key (Key) using a certified Hardware Security Module (HSM). And the background of the server side requests to acquire the original key from the key management system.
S273: and carrying out white-box cryptographic technology processing on the original secret key and a preset symmetric cryptographic algorithm to generate a white-box library.
In one possible embodiment, the white-box encryption is symmetric encryption, and a symmetric cryptographic algorithm such as AES, DES, etc. may be used. As shown in fig. 8, the white-box cryptographic technique can be divided into a static white-box and a dynamic white-box in terms of implementation, where the static white-box refers to a specific cryptographic algorithm library, also called a white-box library, formed by combining a cryptographic algorithm with a specific key and performing a white-box cryptographic technique, and the white-box library has a specific cryptographic function (secret or decryption), and can effectively protect the security of the original key in a white-box attack environment. The static white-box updates the key and needs to regenerate the white-box library. The dynamic white-box refers to that the white-box library does not need to be updated after being generated, and the original key is converted into a white-box key (such as wb _ key in fig. 8) through the same white-box cryptographic technique. The introduction of the white-box key into the matching white-box library may perform normal encryption or decryption functions. The white-box key is secure and an attacker cannot get any information about the original key by analyzing the white-box key.
For example, the white-box cryptography confuses a key with a symmetric cryptography algorithm, and one possible way is to use a lookup table technology, that is, the key is hidden in a lookup table, and the execution process of the cryptography algorithm is implemented by using the lookup table, so that an attacker cannot obtain key information according to the lookup table. The main implementation mode of the white-box AES algorithm is that an original key is selected, each round of AES is divided into small modules, each small module is scrambled and encoded, and finally, the small modules are represented by some lookup tables respectively. The AES implementation is converted into a look-up process in individual look-up tables.
S275: and inputting the index indication text information into the white box library to obtain the index table ciphertext information.
The white-box cryptographic algorithm in the white-box library confuses the key and the original algorithm, the original key does not appear in the encryption process, and finally, the encrypted index table information is directly obtained.
S290: and adding the index table ciphertext information to the file head of the key file to obtain an encrypted file corresponding to the original file.
It can be understood that the file header generally includes a type field, a volume field, etc. representing the file, and does not relate to specific file data content information, and the index table ciphertext information is added to a certain range of positions of the header for the terminal to quickly locate the ciphertext when decrypting. Further, the index table ciphertext information can be converted into data with a fixed byte length through operations such as Hash operation and the like.
According to the file encryption method, the original file is segmented to obtain the data blocks with smaller storage units, the data blocks after disorder are spliced to serve as the file data content of the encrypted file, only the index table of the data blocks is encrypted, and compared with a mode of encrypting all the file data content, the file volume added by the encrypted file is smaller, so that the file transmission between a server and a client is facilitated; in addition, the time consumption of encryption can be effectively reduced only by a mode of encrypting the data content of the file without encrypting the index table, and the encryption of a large file can be better supported; in addition, a white-box encryption technology is used, the encryption process is safer, a plaintext key does not exist in a memory of the terminal in the decryption process, the key is prevented from being leaked in the terminal environment, and the security of the file content is further improved.
The scheme provided by the application not only can be applied to the data transmission safety field, but also can be applied to the terminal data safety field, the Internet of things safety field and the like.
In another embodiment of the present application, specifically as shown in fig. 9, the method may further include the steps of:
s277: a target data block of the plurality of data blocks is determined.
S279: and encrypting the target data block to obtain a ciphertext data block of the target data block.
The file encryption method provided by the embodiment of the application can be used for a scene sensitive to the whole file being completely stolen, but is insensitive to the local content being obtained. However, the above scheme can be supplemented, after the file is sliced, the data blocks containing the sensitive content are encrypted for one more round, and then the subsequent operations such as out-of-order splicing and the like are performed on the data blocks, so that the effect of protecting the local sensitive content is obtained.
A file decryption method provided by the present application is described below. Fig. 10 is a flowchart of a file decryption method provided in an embodiment of the present application, and the present application provides the method operation steps as described in the embodiment or the flowchart, but may include more or less operation steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. In practice, the system or server product may be implemented in a sequential or parallel manner (e.g., parallel processor or multi-threaded environment) according to the embodiments or methods shown in the figures. Referring to fig. 10, a file decryption method according to an embodiment of the present application may include the following steps:
s1010: and acquiring the encrypted file from the server.
In the embodiment of the present application, the encrypted file is obtained by the server side by executing the file encryption method provided in the embodiment of the present application on the original file, so that some steps in the file decryption method provided in the embodiment of the present application are reverse operations of some steps in the file encryption method.
S1030: and determining the index table ciphertext information of the encrypted file according to the file header of the encrypted file.
In the embodiment of the present application, a required index table is determined from a file header, where the index table is encrypted ciphertext information, corresponding to a file encryption method provided by the present application.
In an embodiment of the present application, specifically, the step S1030 may further include:
reading byte data with a preset size from the file head of the encrypted file or reading byte data from the target position range of the file head, and taking the byte data as the index table ciphertext information of the encrypted file.
S1050: and carrying out white-box decryption on the index table ciphertext information based on a white-box decryption key preset at the client to obtain index indication information.
In the embodiment of the application, when the terminal decrypts the encrypted file, most of intelligent terminal environments (Android, iOS and the like) are a white-box attack environment under many conditions, and an attacker has complete control capability on terminal equipment and can observe and change internal data during program operation, so that a white-box cryptographic algorithm is constructed by adopting a white-box cryptographic technology to decrypt index table ciphertext information to resist white-box attack. The decryption process is a reverse operation of the encryption process, and the specific implementation may refer to an embodiment of a file encryption method provided in the present application.
In one embodiment of the present application, specifically, as shown in fig. 11, the step S1050 may include the following steps:
s1051: and acquiring a white-box decryption key preset at the client, wherein the white-box decryption key is obtained by performing white-box cryptographic technology processing on a pre-generated original key.
In some feasible implementation manners, the client needs to acquire the white box decryption key from the cloud, in order to prevent the spoofing of the client, a set of identity authentication system can be provided to perform multi-level authentication of the main account, the sub-account and the like, and the identity of the user is identified through unified identity authentication to prevent the spoofing of the client.
S1053: and transmitting the white-box decryption key into a white-box library preset in the client.
S1055: and decrypting the index table ciphertext information based on the white box library to obtain the index surface ciphertext information.
It can be understood that the decryption process is a reverse operation of the encryption process, and the specific implementation may refer to an embodiment of the file encryption method provided in the present application, which is not described herein again. In the decryption process of the client, the plain text of the original key cannot appear, so that the stealing of the key is avoided.
S1070: and determining a plurality of data blocks in the encrypted file and the standard splicing sequence of the data blocks according to the index table plaintext information.
In the embodiment of the application, the index indication text information records index information such as offsets or data amounts of a plurality of data blocks which can be restored into the original file, and meanwhile, the recording sequence of the index information of each data block in the index table plaintext information can represent the standard splicing sequence of each data block, so that the correct original file can be restored.
In an embodiment of the present application, specifically, as shown in fig. 12, the step S1070 may include the steps of:
s1071: determining a plurality of index information in the index table plaintext information, wherein the index information comprises an offset and a data volume; the offset characterizes a relative position of the data block in the encrypted file.
In particular, the offset may be the relative starting position of a data block in the encrypted file
Figure BDA0002999818240000151
With respect to the termination position, a data block can be uniquely determined by the offset and the data amount. In another possible embodiment, two offsets (relative start and relative end) may be used to uniquely identify a block of data in the encrypted file.
S1073: and searching and reading from the encrypted file according to the offset and the data volume in each index information to obtain each corresponding data block.
S1075: and determining the standard splicing sequence of the plurality of data blocks according to the sequence of each index information in the index indication text information.
Referring to step S253 in this embodiment of the present application, the standard splicing sequence may represent the original position of each data block in the original file, but the recording and reading in the standard splicing sequence may be in a sequence from front to back, or may be in a reverse sequence or in a parity position, which is recorded and read respectively, and only needs to be kept consistent with the recording rule of the file encryption process.
S1090: and splicing the data blocks based on the standard splicing sequence to obtain an original file corresponding to the encrypted file.
From the foregoing, in the file decryption method provided by the application, only the decryption index table needs to search the spliced data blocks according to the index table, so that the time consumption for decryption can be effectively reduced, and the decryption of large files can be better supported; meanwhile, the white-box decryption technology is used in the file decryption method, the plaintext key does not exist in the memory of the terminal in the decryption process, the key is prevented from being leaked in the terminal environment, and the security of the file content is further improved.
Fig. 13 is a complete flowchart of an encryption method and a decryption method provided in this embodiment of the present application, and as shown in fig. 13, an AES original key and a white-box AES key may be generated based on a key management system, and a background file encryption process at a server and a decryption process at a client may refer to the steps in the foregoing method embodiments for interpretation, which is not described herein again.
An embodiment of the present application further provides a file encryption apparatus 1400, as shown in fig. 14, the apparatus 1400 may include:
the slicing module 1410 is configured to slice the original file, generate a plurality of data blocks, and determine a standard splicing order of the plurality of data blocks.
And the out-of-order splicing module 1420 is configured to perform out-of-order processing on the multiple data blocks, splice the out-of-order processed multiple data blocks, and obtain a key file.
And the index module 1430 is configured to determine index information of each data block in the key file, and combine the index information of each data block based on the standard splicing sequence to obtain index indication information.
And the encrypting module 1440 is configured to perform white-box encryption on the index table plaintext information based on the original key to obtain index table ciphertext information.
The generating module 1450 is configured to add the index table ciphertext information to the file header of the key file, so as to obtain an encrypted file corresponding to the original file.
In an embodiment of the present application, the index module 1430 may include:
the index subunit is used for determining index information corresponding to each data block according to the offset and the data volume of each data block in the key file; the offset characterizes the relative position of the data block in the key file;
and the splicing subunit is used for combining the index information corresponding to each data block based on the standard splicing sequence to obtain index showing text information.
In an embodiment of the present application, the encryption module 1440 may include:
an acquisition subunit, configured to acquire an original key generated in advance;
the white box processing subunit is used for performing white box cryptographic technology processing on the original secret key and a preset symmetric cryptographic algorithm to generate a white box library;
and the encryption subunit is used for inputting the index indication text information into the white box library to obtain the index table ciphertext information.
In one embodiment of the present application, the apparatus 1400 may further include:
a selecting unit, configured to determine a target data block of the multiple data blocks;
and the data block encryption unit is used for encrypting the target data block to obtain a ciphertext data block of the target data block.
It should be noted that, when the apparatus provided in the foregoing embodiment implements the functions thereof, the division of each functional module is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the apparatus and method embodiments provided in the above embodiments belong to the same concept, and specific implementation processes thereof are described in detail in the method embodiments, which are not described herein again.
An embodiment of the present application further provides a file decryption apparatus 1500, as shown in fig. 15, where the apparatus 1500 may include:
a file obtaining module 1510, configured to obtain the encrypted file from the server;
a ciphertext obtaining module 1520, configured to determine, according to the file header of the encrypted file, index table ciphertext information of the encrypted file;
the decryption module 1530 is configured to perform white-box decryption on the index table ciphertext information based on a white-box decryption key preset at the client, so as to obtain index table ciphertext information;
an indexing module 1540, configured to determine, according to the index manifest information, a plurality of data blocks in the encrypted file and a standard splicing order of the plurality of data blocks;
and the positive sequence splicing module 1550 is configured to splice the plurality of data blocks based on the standard splicing sequence to obtain an original file corresponding to the encrypted file.
In one embodiment of the present application, the decryption module 1530 may include:
the acquisition subunit is configured to acquire a white-box decryption key preset at the client, where the white-box decryption key is obtained by performing white-box cryptographic processing on a pre-generated original key;
the white box processing subunit is used for transmitting the white box decryption key into a white box library preset in the client;
and the decryption subunit is used for decrypting the index table ciphertext information based on the white box library to obtain the index showing text information.
In one embodiment of the present application, the indexing module 1540 may include:
the index information subunit is used for determining a plurality of index information in the index presentation information, wherein the index information comprises an offset and a data volume; the offset characterizes a relative position of the data block in the encrypted file;
and the searching subunit is used for searching and reading the encrypted file according to the offset and the data volume in each index information to obtain each corresponding data block.
It should be noted that, when the apparatus provided in the foregoing embodiment implements the functions thereof, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
Please refer to fig. 16, which is a schematic diagram illustrating a hardware structure of an operation end according to an embodiment of the present application, where the operation end is configured to implement a file decryption method according to the foregoing embodiment.
The operating terminal 1600 may include RF (Radio Frequency) circuitry 1610, memory 1620 including one or more computer-readable storage media, an input unit 1630, a display unit 1640, a video sensor 1650, audio circuitry 1660, a WiFi (wireless fidelity) module 1670, a processor 1680 including one or more processing cores, and a power supply 160. Those skilled in the art will appreciate that the operative end configuration shown in fig. 16 does not constitute a limitation of the operative end and may include more or fewer components than shown, or some components may be combined, or a different arrangement of components.
RF circuitry 1610 may be configured to receive and transmit signals during a message transmission or call, and in particular, receive downlink messages from a base station and process them in one or more processors 1680; in addition, data relating to uplink is transmitted to the base station. In general, RF circuitry 1610 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, an LNA (low noise amplifier), a duplexer, and the like. In addition, the RF circuitry 1610 may also communicate with networks and other devices via wireless communications. The wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System for mobile communications), GPRS (General Packet Radio Service), CDMA (Code division multiple access), WCDMA (Wideband Code division multiple access), LTE (Long Term Evolution), email, SMS (short messaging Service), etc.
The memory 1620 may be used to store software programs and modules, and the processor 1680 executes the software programs and modules stored in the memory 1620, thereby performing various functional applications and data processing. The memory 1620 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as video data, a phone book, etc.) created according to the use of the operating terminal 1600, and the like. Further, the memory 1620 may comprise high speed random access memory, and may also comprise non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, memory 1620 may also include a memory controller to provide access to memory 1620 by processor 1680 and input unit 1630.
The input unit 1630 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, the input unit 1630 may include an image input device 1631 and other input devices 1632. The image input device 1631 may be a camera or an optical scanning device. The input unit 1630 may include other input devices 1632 in addition to the image input device 1631. In particular, other input devices 1632 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The display unit 1640 may be used to display information input by or provided to the user and various graphical user interfaces of the operator 1600, which may be made up of graphics, text, icons, video, and any combination thereof. The Display unit 1640 may include a Display panel 1641, and optionally, the Display panel 1641 may be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like.
The operator terminal 1600 can include at least one video sensor 1650 for capturing video information of a user. The operating end 1600 may also include other sensors (not shown), such as light sensors, motion sensors, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 1641 according to the brightness of ambient light, and the proximity sensor may turn off the display panel 1641 and/or the backlight when the operation terminal 1600 moves to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally, three axes), detect the magnitude and direction of gravity when the mobile phone is stationary, and can be used for applications of recognizing the gesture of the mobile phone (such as horizontal and vertical screen switching, related games, magnetometer gesture calibration), vibration recognition related functions (such as pedometer and tapping), and the like. As for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be further configured at the operation end 1600, detailed descriptions thereof are omitted.
The video circuit 1660, the speaker 1661, and the microphone 1662 can provide a video interface between a user and the operating end 1600. The audio circuit 1660 can transmit the received electrical signal converted from the audio data to the speaker 1661, and the received electrical signal is converted into an acoustic signal by the speaker 1661 for output; on the other hand, the microphone 1662 converts the collected sound signals into electrical signals, which are received by the audio circuit 1660 and then converted into audio data, which are then processed by the audio data output processor 1680 and then transmitted to, for example, another operation terminal via the RF circuit 1610, or output to the memory 1620 for further processing. The audio circuitry 1660 may also include an earbud jack to provide communication of peripheral headphones with the operating end 1600.
WiFi belongs to short-distance wireless transmission technology, and the operation terminal 1600 can help a user to send and receive e-mails, browse webpages, access streaming media and the like through the WiFi module 1670, and provides wireless broadband internet access for the user. Although a WiFi module 1670 is shown in fig. 16, it is understood that it does not belong to the essential constitution of the operation terminal 1600, and can be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 1680 is a control center of the operation terminal 1600, connects various parts of the whole mobile phone by using various interfaces and lines, and executes various functions and processes data of the operation terminal 1600 by running or executing software programs and/or modules stored in the memory 1620 and calling data stored in the memory 1620, thereby monitoring the mobile phone as a whole. Alternatively, processor 1680 may include one or more processing cores; preferably, the processor 1680 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It is to be appreciated that the modem processor described above may not be integrated into processor 1680.
The operating terminal 1600 further includes a power supply 160 (e.g., a battery) for supplying power to various components, which may preferably be logically connected to the processor 1680 via a power management system, so as to manage charging, discharging, and power consumption via the power management system. The power supply 160 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like. Although not shown, the operating terminal 1600 may further include a bluetooth module, etc., which will not be described herein.
Specifically, in this embodiment, the operation terminal 1600 further includes a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors. The one or more programs include instructions for performing a file decryption method provided by the above method embodiments.
The embodiment of the present application further provides a server, where the server includes a processor and a memory, where the memory stores at least one instruction, at least one program, a code set, or an instruction set, and the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by the processor to implement the file encryption method provided in the foregoing method embodiment.
The memory may be used to store software programs and modules, and the processor may execute various functional applications and detection of abnormal behavior subjects by running the software programs and modules stored in the memory. The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system, application programs needed by functions and the like; the storage data area may store data created according to use of the apparatus, and the like. Further, the memory may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory may also include a memory controller to provide the processor access to the memory.
Fig. 17 is a block diagram of a hardware structure of a server according to an embodiment of the present disclosure. As shown in fig. 17, the server 1700 may have a relatively large difference due to different configurations or performances, and may include one or more Central Processing Units (CPUs) 1710 (the processors 1710 may include but are not limited to a Processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.), a memory 1730 for storing data, and one or more storage media 1720 (e.g., one or more mass storage devices) for storing applications 1723 or data 1722. Memory 1730 and storage medium 1720 may be transitory or persistent storage, among other things. The program stored on the storage medium 1720 may include one or more modules, each of which may include a sequence of instructions that operate on a server. Still further, the central processor 1710 may be configured to communicate with the storage medium 1720 to execute a series of instruction operations in the storage medium 1720 on the server 1700. The server 1700 may also include one or more power supplies 1760, one or more wired or wireless network interfaces 1750, one or more input output interfaces 1740, and/or one or more operating systems 1721, such as Windows Server, mac OS XTM, unixTM, linuxTM, freeBSDTM, etc.
Input/output interface 1740 may be used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server 1700. In one example, i/o Interface 1740 includes a Network adapter (NIC) that can be coupled to other Network devices via a base station to communicate with the internet. In one example, the input/output interface 1740 can be a Radio Frequency (RF) module configured to communicate with the internet via wireless.
It will be understood by those skilled in the art that the structure shown in fig. 17 is only an illustration and is not intended to limit the structure of the electronic device. For example, the server 1700 may also include more or fewer components than shown in FIG. 17, or have a different configuration than shown in FIG. 17.
Embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the operation end reads the computer instruction from the computer readable storage medium, and executes the computer instruction, so that the operation end executes a file decryption method in the above method embodiment; or, the processor of the server reads the computer instruction from the computer readable storage medium, and the processor of the server executes the computer instruction, so that the server executes a file encryption method on the server side in the above method embodiments.
The embodiment of the present application further provides a computer-readable storage medium, which may be disposed in a server to store at least one instruction or at least one program for implementing a method in the method embodiment, where the at least one instruction or the at least one program is loaded and executed by the processor to implement a file encryption method or a file decryption method provided in the method embodiment.
Alternatively, in this embodiment, the storage medium may be located in at least one network server of a plurality of network servers of a computer network. Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, which can store program codes.
As can be seen from the above embodiments of a method and apparatus for encrypting and decrypting a file provided by the present application,
according to the scheme provided by the application, the original file is segmented to obtain the data blocks with smaller storage units, the data blocks after disorder are spliced to serve as the file data content of the encrypted file, only the index table of the data blocks is encrypted, and compared with a mode of encrypting all the file data content, the file volume added by the encrypted file is smaller, so that the file transmission between a server side and a client side is facilitated; in addition, only the way of encrypting the index table without encrypting the data content of the file and correspondingly only the way of searching the spliced data block according to the index table by the decryption index table are needed, so that the time consumption of encryption and decryption can be effectively reduced, and the encryption and decryption of the large file can be better supported;
according to the scheme, the white-box encryption and decryption technology is used, the plaintext key does not exist in the internal memory of the terminal in the decryption process, the key is prevented from being leaked in the terminal environment, and the security of the file content is further improved.
It should be noted that: the sequence of the embodiments of the present application is only for description, and does not represent the advantages and disadvantages of the embodiments. And specific embodiments thereof have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on differences from other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A file encryption method is applied to a server side, and is characterized by comprising the following steps:
slicing an original file to generate a plurality of data blocks and determining a standard splicing sequence of the data blocks;
performing disorder processing on the plurality of data blocks, and splicing the plurality of data blocks after the disorder processing to obtain a key file;
determining the index information of each data block in the key file, and combining the index information of each data block based on the standard splicing sequence to obtain index indication information;
carrying out white-box encryption on the index table plaintext information based on the original key to obtain index table ciphertext information;
and adding the index table ciphertext information to the file head of the key file to obtain an encrypted file corresponding to the original file.
2. The method of claim 1, wherein the determining the index information of each data block in the key file, and combining the index information of each data block based on the standard splicing order to obtain index profile information comprises:
determining index information corresponding to each data block according to the offset and the data volume of each data block in the key file; the offset characterizes a relative position of the data block in the key file;
and combining the index information corresponding to each data block based on the standard splicing sequence to obtain index indication text information.
3. The method according to claim 1, wherein the white-box encrypting the index table plaintext information based on the original key to obtain index table ciphertext information comprises:
acquiring a pre-generated original key;
carrying out white-box cryptographic technology processing on the original secret key and a preset symmetric cryptographic algorithm to generate a white-box library;
inputting the index caption information into the white-box library, and obtaining the ciphertext information of the index table.
4. The method of claim 1, further comprising:
determining a target data block of the plurality of data blocks;
and encrypting the target data block to obtain a ciphertext data block of the target data block.
5. A file decryption method is applied to a client, and is characterized by comprising the following steps:
acquiring an encrypted file from a server;
determining index table ciphertext information of the encrypted file according to the file header of the encrypted file;
carrying out white-box decryption on the index table ciphertext information based on a white-box decryption key preset at the client to obtain index surface ciphertext information;
determining a plurality of data blocks in the encrypted file and a standard splicing sequence of the data blocks according to the index table plaintext information;
and splicing the data blocks based on the standard splicing sequence to obtain an original file corresponding to the encrypted file.
6. The method of claim 5, wherein determining index table ciphertext information of the encrypted file from the file header of the encrypted file comprises:
reading byte data with a preset size from the file head of the encrypted file, and taking the byte data as index table ciphertext information of the encrypted file.
7. The method according to claim 5, wherein the white-box decrypting the index table ciphertext information based on a white-box decryption key preset at the client to obtain index table ciphertext information comprises:
acquiring a white box decryption key preset at the client, wherein the white box decryption key is obtained by performing white box cryptographic technology processing on a pre-generated original key;
transmitting the white box decryption key into a white box library preset in the client;
and decrypting the index table ciphertext information based on the white box library to obtain the index surface ciphertext information.
8. The method of claim 5, wherein determining the plurality of data blocks in the encrypted file according to the index table plaintext information comprises:
determining a plurality of index information in the index table plaintext information, wherein the index information comprises an offset and a data volume; the offset characterizes a relative position of the data block in the encrypted file;
and searching and reading the encrypted file according to the offset and the data volume in each index information to obtain each corresponding data block.
9. A file encryption device is applied to a server side, and is characterized by comprising:
the slicing module is used for slicing the original file, generating a plurality of data blocks and determining the standard splicing sequence of the data blocks;
the disorder splicing module is used for performing disorder processing on the plurality of data blocks, and splicing the plurality of data blocks after the disorder processing to obtain a key file;
the index module is used for determining the index information of each data block in the key file and combining the index information of each data block based on the standard splicing sequence to obtain index surface text information;
the encryption module is used for carrying out white-box encryption on the index table plaintext information based on the original key to obtain index table ciphertext information;
and the generating module is used for adding the index table ciphertext information to the file head of the key file to obtain an encrypted file corresponding to the original file.
10. A file decryption apparatus applied to a client, the apparatus comprising:
the file acquisition module is used for acquiring the encrypted file from the server;
the ciphertext acquisition module is used for determining the index table ciphertext information of the encrypted file according to the file head of the encrypted file;
a decryption module for white-box decrypting the index table ciphertext information based on a white-box decryption key preset at the client, obtaining index showing text information;
the index module is used for determining a plurality of data blocks in the encrypted file and the standard splicing sequence of the data blocks according to the index presentation information;
and the positive sequence splicing module is used for splicing the data blocks based on the standard splicing sequence to obtain an original file corresponding to the encrypted file.
CN202110341853.1A 2021-03-30 2021-03-30 File encryption and decryption method and device Pending CN115146285A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110341853.1A CN115146285A (en) 2021-03-30 2021-03-30 File encryption and decryption method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110341853.1A CN115146285A (en) 2021-03-30 2021-03-30 File encryption and decryption method and device

Publications (1)

Publication Number Publication Date
CN115146285A true CN115146285A (en) 2022-10-04

Family

ID=83404526

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110341853.1A Pending CN115146285A (en) 2021-03-30 2021-03-30 File encryption and decryption method and device

Country Status (1)

Country Link
CN (1) CN115146285A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115438365A (en) * 2022-11-08 2022-12-06 山东捷瑞数字科技股份有限公司 File rapid encryption system and method based on digital twin
CN115529192A (en) * 2022-10-25 2022-12-27 武汉天翌数据科技发展有限公司 Method, device, equipment and storage medium for secure transmission of network data
CN115952530A (en) * 2023-03-15 2023-04-11 江西科技学院 Financial data processing method and system for improving confidentiality and computer
CN116484407A (en) * 2023-04-23 2023-07-25 深圳市天下房仓科技有限公司 Data security protection method and device, electronic equipment and storage medium
CN117499023A (en) * 2024-01-02 2024-02-02 深圳市玩视科技股份有限公司 Hardware security method, device and storage medium based on AES algorithm

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115529192A (en) * 2022-10-25 2022-12-27 武汉天翌数据科技发展有限公司 Method, device, equipment and storage medium for secure transmission of network data
CN115438365A (en) * 2022-11-08 2022-12-06 山东捷瑞数字科技股份有限公司 File rapid encryption system and method based on digital twin
CN115952530A (en) * 2023-03-15 2023-04-11 江西科技学院 Financial data processing method and system for improving confidentiality and computer
CN115952530B (en) * 2023-03-15 2023-05-23 江西科技学院 Financial data processing method, system and computer for improving confidentiality
CN116484407A (en) * 2023-04-23 2023-07-25 深圳市天下房仓科技有限公司 Data security protection method and device, electronic equipment and storage medium
CN116484407B (en) * 2023-04-23 2024-03-22 深圳市天下房仓科技有限公司 Data security protection method and device, electronic equipment and storage medium
CN117499023A (en) * 2024-01-02 2024-02-02 深圳市玩视科技股份有限公司 Hardware security method, device and storage medium based on AES algorithm
CN117499023B (en) * 2024-01-02 2024-04-09 深圳市玩视科技股份有限公司 Hardware security method, device and storage medium based on AES algorithm

Similar Documents

Publication Publication Date Title
CN110266480B (en) Data transmission method, device and storage medium
CN115146285A (en) File encryption and decryption method and device
CN106850220B (en) Data encryption method, data decryption method and device
CN111600710B (en) Key storage method, device, terminal, server and readable medium
WO2018014723A1 (en) Key management method, apparatus, device and system
CN108989848B (en) Video resource file acquisition method and management system
CN110417543B (en) Data encryption method, device and storage medium
CN108833091B (en) Encryption method, decryption method and device for log file
US8621189B2 (en) System and method for hardware strengthened passwords
CN112287372B (en) Method and apparatus for protecting clipboard privacy
CN109995876B (en) File transmission method, device, system and computer storage medium
CN109886010B (en) Verification picture sending method, verification picture synthesizing method and device, storage medium and terminal
US20150106614A1 (en) Systems and methods of safeguarding user information while interacting with online service providers
CN114629649B (en) Data processing method and device based on cloud computing and storage medium
CN114553612B (en) Data encryption and decryption method and device, storage medium and electronic equipment
CN108710547B (en) Data backup method, device, terminal and storage medium
CN113507482A (en) Data secure transmission method, secure transaction method, system, medium, and device
CN116107520B (en) S3 object storage protocol encrypted data storage method and system
CN111767550B (en) Data storage method and device
EP2469441A1 (en) System and method for hardware strenghtened passwords
CN112187750B (en) Information encryption method and system based on Internet
CN108985109A (en) A kind of date storage method and device
CN113726768A (en) Data transmission method and device, electronic equipment and readable storage medium
US20160063264A1 (en) Method for securing a plurality of contents in mobile environment, and a security file using the same
CN104102504A (en) Client skin picture drawing method and client skin picture drawing device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination