CN115333728A - Data decryption method, data decryption device and storage medium - Google Patents
Data decryption method, data decryption device and storage medium Download PDFInfo
- Publication number
- CN115333728A CN115333728A CN202210825197.7A CN202210825197A CN115333728A CN 115333728 A CN115333728 A CN 115333728A CN 202210825197 A CN202210825197 A CN 202210825197A CN 115333728 A CN115333728 A CN 115333728A
- Authority
- CN
- China
- Prior art keywords
- information
- terminal
- key information
- data
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Signal Processing For Digital Recording And Reproducing (AREA)
Abstract
The present disclosure relates to a data decryption method, a data decryption apparatus, and a storage medium. The data decryption method comprises the following steps: receiving first key information sent by a server in response to the fact that the encrypted data of the terminal are triggered to be decrypted, and determining second key information corresponding to the terminal; decrypting the encrypted data based on the first key information and the second key information. The security of data decryption can be improved through the method and the device.
Description
Technical Field
The present disclosure relates to the field of data security technologies, and in particular, to a data decryption method, a data decryption apparatus, and a storage medium.
Background
In modern computer technology, data reading is a routine task. In the related art, while providing data recovery reading for a user, in order to ensure the security of the data itself, security authentication is usually performed before providing the data. Taking a terminal configured with an android system as an example, data stored in the terminal is usually encrypted in a full disk, and the data encrypted in the full disk is associated with a screen locking password of a user. On this basis, the user can read the encrypted data only if the correct screen locking password is entered.
Since in the related art, the terminal performs data decryption as long as someone inputs a correct password. Therefore, in the data decryption mode of the related art, the possibility that other people acquire user data in a cracking attack mode exists, so that the data security of the user is threatened.
Disclosure of Invention
To overcome the problems in the related art, the present disclosure provides a data decryption method, a data decryption apparatus, and a storage medium.
According to a first aspect of the embodiments of the present disclosure, there is provided a data decryption method, applied to a terminal, including:
receiving first key information sent by a server in response to the fact that the encrypted data of the terminal are triggered to be decrypted, and determining second key information corresponding to the terminal; decrypting the encrypted data based on the first key information and the second key information.
In one embodiment, the first key information is generated by the server based on first public information and first private information, the first public information is public information of the terminal, and the first private information is private information of the server; the terminal obtains the encrypted data by adopting the following method: encrypting data of the terminal based on the second key information and the third key information to obtain the encrypted data; the third key information and the first key information have the same key negotiation DH value, and are generated in advance by the terminal in the following manner: generating third key information based on second public information and second private information, wherein the second public information is public information of the server, and the second private information is private information of the terminal; wherein the second secret information is deleted after the terminal generates the third key information.
In one embodiment, the receiving the first key information sent by the server includes: sending a data decryption request to the server, wherein the data decryption request is used for triggering the server to perform user identity verification under the condition of receiving the data decryption request; and receiving first key information sent by the server under the condition that the user identity verification is passed.
In one embodiment, before sending the data decryption request to the server, the method further includes: performing first verification on the second key information; and responding to the first verification passing of the second key information, and sending a data decryption request to the server.
In one embodiment, the method further comprises: performing second verification on the closing instruction in response to receiving the closing instruction for indicating to close the first verification; and under the condition that the second verification of the closing instruction is determined to pass, closing the first verification based on the closing instruction, so that the terminal cannot decrypt data based on the first verification.
According to a second aspect of the embodiments of the present disclosure, there is provided a data decryption method, applied to a server, including:
generating first key information; and sending the first key information to a terminal so that the terminal decrypts the encrypted data of the terminal based on the first key information and second key information corresponding to the terminal.
In one embodiment, the encrypted data is obtained by the terminal encrypting data of the terminal based on the second key information and third key information, the third key information is generated by the terminal based on second public information and second private information, and the third key information and the first key information have the same key negotiation DH value; the second public information is public information of the server, the second private information is private information of the terminal, and the second private information is deleted after the terminal generates the third key information; the generating of the first key information includes: and generating the first key information based on first public information and first private information, wherein the first public information is public information of the terminal, and the first private information is private information of the server.
In one embodiment, before generating the first key information, the method further includes: and triggering to perform user identity verification and determining that the user identity verification is passed in response to the received data decryption request sent by the terminal.
In one embodiment, the data decryption request is sent by the terminal upon determining that the first authentication of the second key information is passed.
According to a third aspect of the embodiments of the present disclosure, a data acquisition method is provided, which is applied to a terminal and includes:
responding to the situation that encrypted target data cannot be obtained from the terminal based on the mixed cipher ciphertext, receiving first secret key information sent by a server, and determining second secret key information corresponding to the terminal; and decrypting the encrypted target data based on the first key information and the second key information to acquire the target data from the terminal.
In one embodiment, the first key information is generated by the server based on first public information and first private information, the first public information is public information of the terminal, and the first private information is private information of the server; the terminal pre-encrypts the target data in the following way: encrypting the target data based on the second key information and the third key information to obtain the encrypted target data; the third key information and the first key information have the same key negotiation DH value, and are generated in advance by the terminal in the following manner: generating third key information based on second public information and second private information, wherein the second public information is public information of the server, and the second private information is private information of the terminal; wherein the second secret information is deleted after the terminal generates the third key information.
According to a fourth aspect of the embodiments of the present disclosure, there is provided a data decryption apparatus, applied to a terminal, including:
the receiving unit is used for receiving first key information sent by a server in response to the fact that the encrypted data of the terminal are triggered to be decrypted; a determining unit, configured to determine second key information corresponding to the terminal; a processing unit, configured to decrypt the encrypted data based on the first key information and the second key information.
In one embodiment, the first key information is generated by the server based on first public information and first private information, the first public information is public information of the terminal, and the first private information is private information of the server; the terminal obtains the encrypted data by adopting the following method: encrypting data of the terminal based on the second key information and the third key information to obtain the encrypted data; the third key information and the first key information have the same key negotiation DH value, and are generated in advance by the terminal in the following manner: generating third key information based on second public information and second private information, wherein the second public information is public information of the server, and the second private information is private information of the terminal; wherein the second secret information is deleted after the terminal generates the third key information.
In one embodiment, the receiving unit receives the first key information sent by the server in the following manner: sending a data decryption request to the server, wherein the data decryption request is used for triggering the server to perform user identity verification under the condition of receiving the data decryption request; and receiving first key information sent by the server under the condition that the user identity verification is passed.
In one embodiment, the receiving unit sends a data decryption request to the server as follows: performing first verification on the second key information; and responding to the first verification passing of the second key information, and sending a data decryption request to the server.
In one embodiment, the processing unit is further configured to: performing second verification on a closing instruction in response to receiving the closing instruction for indicating to close the first verification; and under the condition that the second verification of the closing instruction is determined to pass, closing the first verification based on the closing instruction, so that the terminal cannot decrypt data based on the first verification.
According to a fifth aspect of the embodiments of the present disclosure, there is provided a data decryption apparatus, applied to a server, including:
a generation unit configured to generate first key information; and the sending unit is used for sending the first key information to a terminal so that the terminal can decrypt the encrypted data of the terminal based on the first key information and the second key information corresponding to the terminal.
In one embodiment, the encrypted data is obtained by the terminal by encrypting data of the terminal based on the second key information and third key information, the third key information is generated by the terminal based on second public information and second private information, and the third key information and the first key information have the same key agreement DH value; the second public information is public information of the server, the second private information is private information of the terminal, and the second private information is deleted after the terminal generates the third key information; the generation unit generates the first key information in the following manner: and generating the first key information based on first public information and first private information, wherein the first public information is public information of the terminal, and the first private information is private information of the server.
In one embodiment, before generating the first key information, the generating unit is further configured to: and responding to the received data decryption request sent by the terminal, triggering user identity verification and determining that the user identity verification passes.
In one embodiment, the data decryption request is sent by the terminal upon determining that the first authentication of the second key information is passed.
According to a sixth aspect of the embodiments of the present disclosure, there is provided a data acquisition apparatus, applied to a terminal, including:
a receiving unit which receives first key information sent by a server in response to the terminal being unable to acquire encrypted target data from the terminal based on a hybrid cipher text; the determining unit is used for determining second key information corresponding to the terminal; and the processing unit is used for decrypting the encrypted target data based on the first key information and the second key information so as to acquire the target data from the terminal.
In one embodiment, the first key information is generated by the server based on first public information and first private information, the first public information is public information of the terminal, and the first private information is private information of the server; the terminal pre-encrypts the target data in the following way: encrypting the target data based on the second key information and the third key information to obtain the encrypted target data; the third key information and the first key information have the same key negotiation DH value, and are generated in advance by the terminal in the following manner: generating third key information based on second public information and second private information, wherein the second public information is public information of the server, and the second private information is private information of the terminal; wherein the second secret information is deleted after the terminal generates the third key information.
According to a seventh aspect of the embodiments of the present disclosure, there is provided a data decryption apparatus, including:
a processor; a memory for storing processor-executable instructions;
wherein the processor is configured to: the data decryption method of the first aspect or any one of the embodiments of the first aspect is performed.
According to an eighth aspect of embodiments of the present disclosure, there is provided a storage medium, where instructions are stored, and when executed by a processor, the instructions enable the processor to execute the data decryption method described in the first aspect or any one of the implementation manners of the first aspect, or execute the data decryption method described in the second aspect or any one of the implementation manners of the second aspect.
The technical scheme provided by the embodiment of the disclosure can have the following beneficial effects: the terminal can receive the first key information sent by the server through the terminal and determine the second key information corresponding to the terminal under the condition that the encrypted data is triggered to be decrypted. Further, the encrypted data may be decrypted by the first key information and the second key information. In the process, the data decryption needs to be performed by the terminal and the server together, so that the data decryption process can be completed under supervision of both the terminal and the server, and compared with a method for completing the data decryption by one side of the terminal in the related art, the method has higher safety and reliability.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic flow chart of full-disc encryption of user data in the related art.
Fig. 2 is a schematic flow chart of decrypting encrypted user data in the related art.
Fig. 3 is a flow chart illustrating a method of data decryption in accordance with an exemplary embodiment.
Fig. 4 is a schematic diagram illustrating a process for performing data decryption using a key agreement algorithm according to an exemplary embodiment.
Fig. 5 is a flowchart illustrating a process for performing data encryption using a key agreement algorithm according to an exemplary embodiment.
FIG. 6 is a flow chart illustrating another method of data decryption according to an example embodiment.
Fig. 7 is a flow chart illustrating yet another method of data decryption in accordance with an exemplary embodiment.
FIG. 8 is a flowchart illustrating a method of shutting down a first authentication, according to an example embodiment.
FIG. 9 is a flowchart illustrating a closing of a first verification by a close command in accordance with an exemplary embodiment.
Fig. 10 is a flow diagram illustrating a terminal performing data encryption according to an example embodiment.
Fig. 11 is a flowchart illustrating a terminal performing data decryption according to an exemplary embodiment.
Fig. 12 is a flow chart illustrating a method of data decryption in accordance with an exemplary embodiment.
FIG. 13 is a flow chart illustrating another method of data decryption according to an example embodiment.
Fig. 14 is a flowchart illustrating yet another data decryption method according to an example embodiment.
FIG. 15 is a flow chart illustrating a method of data acquisition according to an exemplary embodiment.
Fig. 16 is a block diagram illustrating a data decryption apparatus applied to a terminal according to an exemplary embodiment.
Fig. 17 is a block diagram illustrating a data decryption apparatus applied to a server according to an exemplary embodiment.
Fig. 18 is a block diagram illustrating a data acquisition apparatus applied to a terminal according to an exemplary embodiment.
FIG. 19 is a block diagram illustrating an apparatus for data decryption in accordance with an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure.
In the drawings, the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The described embodiments are only a subset of the embodiments of the present disclosure, and not all embodiments. The embodiments described below with reference to the drawings are exemplary and intended to be illustrative of the present disclosure, and should not be construed as limiting the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure. Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
In modern computer technology, data decryption is a routine task. In the related art, when providing a data decryption service to a user, in order to ensure the security of the data itself, security authentication is usually performed before decrypting the data. Taking a terminal equipped with an android system as an example, data stored in the terminal is usually encrypted in a full disk manner, and the data encryption is performed through key information generated by the terminal and authentication information input by a user. On this basis, the terminal can perform data decryption only in the case where the user performs information authentication and the authentication is passed. Fig. 1 is a schematic flow chart of a related art for performing full-disc encryption on user data, and as shown in fig. 1, when a user performs data encryption, password setting is performed. In this case, the terminal obtains a hybrid Password (Synthetic Password) by solving the random number, and encrypts the hybrid Password by the Password input by the user to obtain a hybrid Password ciphertext. Further, the terminal encrypts the user data with the hybrid password. Specifically, the hybrid password is derived to obtain a Disk Encryption Key (Disk Encryption Key), and then the user data is encrypted by the Disk Encryption Key to obtain encrypted data. On the basis, the user can decrypt the encrypted user data in a password input mode subsequently. Fig. 2 is a schematic diagram illustrating a process of decrypting encrypted user data in the related art, and as shown in fig. 2, in a case that a user inputs a correct password, a terminal decrypts a hybrid password ciphertext through the password input by the user, so as to obtain a hybrid password. On the basis, the terminal obtains the full disk encryption key through derivation processing of the mixed password, and further decrypts the user data ciphertext through the full disk encryption key to obtain the user data.
Since in the related art, the terminal performs data decryption as long as someone inputs a correct password. Therefore, the data decryption method in the related art has the possibility that others acquire the user data in a cracking attack manner, so that the data security of the user is threatened.
In view of this, the present disclosure provides a data decryption method, where a terminal may decrypt encrypted data through received key information transmitted by a receiving server and its own key information in a case where it is determined that the encrypted data is triggered to be decrypted. In the process, the data decryption needs to be participated in by the terminal and the server together, so the data decryption process can be supervised and completed by the terminal and the server, and compared with the method for completing the data decryption by the terminal on one side in the related art, the method has higher safety and reliability. For convenience of description, the key information transmitted by the server is referred to as first key information, and the key information corresponding to the terminal is referred to as second key information.
In the embodiment of the present disclosure, the server interacting with the terminal may be, for example, a server of a terminal manufacturer. For example, when the terminal is triggered to decrypt data, the terminal may complete decryption of the data in an interactive manner with a terminal manufacturer server, and the method may meet the actual requirement for function optimization of the terminal.
Fig. 3 is a flowchart illustrating a data decryption method according to an exemplary embodiment, where the data decryption method is used in a terminal, as shown in fig. 3, and includes the following steps.
In step S11, in response to determining that the encrypted data of the terminal is triggered to be decrypted, receiving first key information sent by the server, and determining second key information corresponding to the terminal.
In step S12, the encrypted data is decrypted based on the first key information and the second key information.
According to the data decryption method provided by the embodiment of the disclosure, the terminal cannot complete single-side data decryption through the second key information, and the server cannot complete single-side data decryption through the first key information.
Generally, during data encryption or data decryption, the key information used by the terminal needs to be kept consistent, and during data encryption, the terminal or the server still has the possibility of storing the corresponding information used for data encryption. On the basis, the terminal or the server has the potential safety hazard of executing single-side data decryption by using the information interacted during data encryption.
In view of this, in an embodiment of the present disclosure, data encryption and data decryption may be performed through two sets of information between the terminal and the server, respectively. For convenience of description, information provided by a terminal is referred to as first public information (pubRandom) and information provided by a server is referred to as first private information (primmessage) in a data decryption process. Accordingly, in the data encryption process, the information provided by the terminal is referred to as second private information (priRandom), and the information provided by the server is referred to as second public information (pubMessage). Further, the key information generated by the second public information and the second private information is referred to as third key information. On this basis, the first key information referred to in the above embodiments may be understood as being generated by the server based on the first public information and the first private information.
For example, in order to enable two sets of information configured between the terminal and the server to generate consistent key information, a key agreement algorithm (Diffie-Hellman, DH) may be introduced. And because of being restricted by the self protocol, the terminal or the server can not send the private information of the terminal or the server. Therefore, the data encryption process and the data decryption process need to be completed by the terminal or the server respectively.
Fig. 4 is a schematic diagram illustrating a process for performing data decryption using a key agreement algorithm according to an exemplary embodiment. For example, as shown in fig. 4, in the data decryption process, the first public information of the terminal may be acquired at the server side, and then the corresponding first key information may be generated at the server side by using the first private information of the server and the first public information of the terminal. Further, the server sends the first key information to the terminal, so that the terminal generates a key required for decrypting the data through the first key information and the second key information, and further completes decryption of the encrypted data.
Fig. 5 is a flowchart illustrating a process for performing data encryption using a key agreement algorithm according to an exemplary embodiment. For example, as shown in fig. 5, for the data encryption flow, the second public information of the server may be acquired at the terminal side, and then the corresponding third key information may be generated at the terminal side according to the second private information of the terminal and the second public information of the server. Further, the terminal can generate a key required by the encrypted data through the second key information and the third key information, and then encrypt the data of the terminal with the obtained key to obtain the encrypted data. The data decryption is carried out through the first public information provided by the terminal and the first private information provided by the server, the data encryption is carried out through the second private information provided by the terminal and the second public information provided by the server, and the first private information and the third private information are obtained through a key agreement algorithm. Therefore, the key agreement algorithm can ensure that the third key information and the first key information have the same key agreement value. On this basis, the terminal can delete the second private information held during data encryption so that data decryption can be performed only by information that has not been interacted between the terminal and the server (i.e., the first private information of the server and the first public information of the terminal). In this case, neither the terminal nor the server holds the second private information, and the one-side data decryption cannot be executed by the second private information and the second public information used in the data encryption process.
In one embodiment, an additional authentication step may be configured on the server side before the server sends the first key information. For example, the server may perform user identity verification before sending the first key information.
Fig. 6 is a flowchart illustrating another data decryption method according to an exemplary embodiment, and as shown in fig. 6, the execution method of step S23 in the embodiment of the present disclosure is similar to that of step S12 in fig. 3, and is not described herein again.
In step S21, in response to determining that the encrypted data of the terminal is triggered to be decrypted, a data decryption request is sent to the server.
In the embodiment of the present disclosure, the data decryption request is used to trigger the server to perform user identity verification when receiving the data decryption request. The verification method of the user identity verification includes, but is not limited to, telephone verification, voice verification and/or face recognition verification, and may be adjusted according to actual requirements, and the disclosure is not specifically limited herein.
In step S22, the first key information sent by the server when the user identity verification passes is received, and the second key information corresponding to the terminal is determined.
According to the data decryption method provided by the embodiment of the disclosure, in the decryption process of the terminal data, the user identity verification can be performed through the server, the security of data decryption is further improved, and the actual requirements of the user for data decryption can be met.
In this embodiment of the disclosure, the second key information represents key information corresponding to the terminal, and this information may be obtained based on input of the user when the user triggers data decryption. For example, the user inputs a corresponding screen locking password in a touch manner, and obtains second key information according to the input screen locking password. For another example, the user inputs an authentication answer corresponding to the authentication question in a text input manner, and obtains the second key information according to the authentication answer. On this basis, the second key information may be authenticated before the data decryption request is transmitted to the server to transmit the data decryption request to the server in a case where it is determined that the second key information is authenticated. For convenience of description, the authentication performed on the second key information will be referred to as a first authentication hereinafter.
Fig. 7 is a flowchart illustrating another data decryption method according to an exemplary embodiment, and as shown in fig. 7, steps S33 and S34 in the embodiment of the present disclosure are similar to the execution method of steps S22 and S23 in fig. 6, and are not described herein again.
In step S31, in response to determining that the encrypted data of the terminal is triggered to be decrypted, first verification is performed on the second key information.
In step S32, in response to the first verification passing of the second key information, a data decryption request is sent to the server.
The data decryption method provided by the embodiment of the disclosure sends the data decryption request to the server only under the condition that the second key information is determined to be verified, so that the information interaction cost generated when the data decryption is triggered each time can be reduced.
For example, the user may also turn off the data decryption mode based on the first verification according to actual needs. For example, the user closes the data decryption mode based on the first verification by issuing a close instruction. On this basis, the present disclosure also needs to perform corresponding verification on the closing instruction issued by the user, and for convenience of description, the verification performed on the closing instruction is referred to as second verification.
Fig. 8 is a flowchart illustrating a method for shutting down a first authentication, as shown in fig. 8, according to an exemplary embodiment, including the following steps.
In step S41, in response to receiving a close instruction for instructing to close the first verification, the close instruction is subjected to second verification.
In step S42, in the case where it is determined that the second verification of the close instruction passes, the first verification is closed based on the close instruction, so that the terminal cannot decrypt data based on the first verification.
According to the data decryption method provided by the embodiment of the disclosure, under the condition that the first verification is closed, the data decryption mode based on the second key information is closed. On the basis, the terminal cannot perform data decryption in a first verification mode on the second key information, so that the requirement of a user for closing the data decryption mode in an actual application scene is met.
For example, the first authentication may be configured as a security issue authentication and the second authentication may be configured as a lock screen password authentication. On the basis, the user can close the data decryption mode of data decryption by security problem verification in a mode of verifying the screen locking password.
FIG. 9 is a flowchart illustrating a closing of a first verification by a close command in accordance with an exemplary embodiment. For example, as shown in fig. 9, the terminal may receive a closing instruction indicating to close the first authentication, and trigger the screen locking password authentication configured for the second authentication mode. In this case, the terminal acquires the screen locking password input by the user, and performs second verification of the screen locking password. Further, if the verification result is that the screen locking password is wrong, a prompt is returned to the user that the password is wrong, and the first verification is refused to be closed. And if the verification result is that the screen locking password is correct, deleting the pre-stored related data for executing the first verification so that the user cannot decrypt the data in a first verification mode. For example, the relevant data for performing the first verification may include, for example, an answer cryptographic label, a full disc encryption key ciphertext, and the first public information of the terminal. The deletion of the answer password tag can ensure that the terminal cannot perform first verification, and the deletion of the full disk encryption key ciphertext and the first public information can ensure that the terminal cannot skip the first verification to complete data decryption. In addition, it should be noted that the above embodiments are only exemplary application scenarios of the first verification and the second verification, and the practical application manner is not limited thereto.
For the convenience of understanding, the following takes an interaction scenario between the terminal and the terminal vendor server as an example, and a complete flow of data decryption and data encryption is exemplarily described.
Fig. 10 is a flow chart illustrating a terminal performing data encryption according to an example embodiment. For example, as shown in fig. 10, a user may set a plurality of verification questions according to his/her preference and fill in corresponding verification answers, and the terminal side may also provide fixed questions configured by default for the user to select and fill in. On this basis, the terminal can configure a registration answer password (enroledanswerpassword) through the verification answer input by the user, further perform signature processing on the registration answer password to obtain an enroledanswersignature (enroledanswersignature), and store the registration answer signature in a Trusted Execution Environment (TEE) for calling when data is decrypted and verified. The configuration of the registration answer password may be, for example, performing head-to-tail concatenation on a plurality of verification answers according to an answer sequence, and performing hash processing on a concatenated answer string to obtain the registration answer password. In addition, compared with the password of the registration answer, the signature of the registration answer has higher security, so that the data security in the data decryption process can be further ensured by storing the signature of the registration answer.
Further, in the data encryption process, the terminal generates second private information through a random number algorithm, and generates first public information corresponding to the second private information one by one through a corresponding algorithm. On the basis, in one aspect, the terminal may store the generated first public information in the trusted execution environment, and call the generated first public information when the prepared data is decrypted. On the other hand, the terminal may receive the second public information sent by the terminal manufacturer server, and obtain the key agreement value (DH value) by performing the key agreement algorithm processing on the second private information and the second public information. On the basis, the registered answer password and the key negotiation value are subjected to key processing to obtain a symmetric key (symmetricKey), and a full-disk encryption key (DiskEncryptKey) is encrypted through the symmetric key to obtain and store a full-disk encryption ciphertext. The full-disc encryption key may be understood as a key for encrypting or decrypting data, and the key may be generated by a hybrid password (synthetic password), for example, by generating the hybrid password by a random number algorithm, and then deriving the hybrid password to obtain the full-disc encryption key.
Fig. 11 is a flow diagram illustrating a terminal performing data decryption in accordance with an example embodiment. For example, as shown in fig. 11, the user may decrypt data by inputting a verification answer for a question previously input by the user and a question fixedly configured in the system. Specifically, the input verification answers may be spliced according to a sorting manner of the verification questions, and the spliced verification answers are subjected to hash processing to obtain an answer password (if the user inputs a correct answer, the answer password here is the registered answer password). Further, the TEE reads the registration answer password label and performs signature verification processing on the answer password obtained based on the user input. On the basis, if the signature verification passes, reading first public information corresponding to the terminal, and sending the first public information to a terminal manufacturer server for key agreement algorithm processing. Before the terminal manufacturer server performs the key agreement algorithm processing, the terminal manufacturer server can also perform identity verification on the user through telephone verification or face recognition and the like, so as to ensure that the user himself is the trigger data decryption. Correspondingly, if the verification is not passed, a prompt of wrong answer is returned, and the data decryption is terminated. For the situation that the signature verification fails, the terminal may record the number of times that the signature verification fails, and set the waiting time for triggering data decryption again according to the number of times, for example, as shown in table 1 below.
TABLE 1
On this basis, the terminal manufacturer server may send the obtained key agreement value to the terminal, so that the terminal performs key processing through the answer password (i.e., the second key information) and the key agreement value (i.e., the first key information) to obtain the symmetric key. Further, the terminal can decrypt the full disk encryption key ciphertext through the symmetric key, and further decrypt the encrypted data through the full disk encryption key obtained through decryption to obtain decrypted data.
Based on the same conception, the present disclosure provides a data decryption method applied to a server, which is used for completing data decryption by the server in cooperation with a terminal, and please refer to any embodiment of the data decryption method applied to the terminal if relevant contents are unclear.
Fig. 12 is a flowchart illustrating a data decryption method according to an exemplary embodiment, where the data decryption method is applied to a server, as shown in fig. 12, and includes the following steps.
In step S51, first key information is generated.
In step S52, the first key information is transmitted to the terminal.
The method provided by the embodiment of the disclosure transmits the first key information to the terminal, so that the terminal decrypts the encrypted data of the terminal based on the first key information and the second key information corresponding to the terminal.
In the embodiment of the disclosure, the encrypted data is obtained by encrypting the data of the terminal by the terminal based on the second key information and the third key information, and the third key information is generated by the terminal based on the second public information and the second private information. The second public information is public information of the server, the second private information is private information of the terminal, and the second private information is deleted after the terminal generates the third key information. And, the third key information has the same key agreement value as the first key information.
For example, the first key information may be generated by the server based on the first public information and the first private information.
Fig. 13 is a flowchart illustrating another data decryption method according to an exemplary embodiment, and as shown in fig. 13, step S62 in the embodiment of the present disclosure is similar to the execution method of step S52 in fig. 12, and is not described herein again.
In step S61, first key information is generated based on the first public information and the first private information.
The first public information is public information of the terminal, and the first private information is private information of the server. In the embodiment of the disclosure, the terminal completes data encryption through the second public information of the server and the second private information of the terminal, and after the data encryption, neither the terminal nor the server holds the second private information. Therefore, under the condition of finishing data encryption, the terminal and the server can not execute single-side data decryption through the second private information and the second public information used in the data encryption process, and the method further improves the security of the encrypted data.
Further, the identity verification of the user may be performed on the server side, so that the server generates the first key information in case the user identity verification passes.
Fig. 14 is a flowchart illustrating another data decryption method according to an exemplary embodiment, and as shown in fig. 15, the execution method of step S73 in the embodiment of the present disclosure is similar to that of step S52 in fig. 12, and is not repeated here.
In step S71, in response to receiving the data decryption request sent by the terminal, user identity verification is triggered.
In step S72, first key information is generated in response to the user identity verification passing.
For example, the data decryption request may be transmitted by the terminal in a case where it is determined that the first authentication on the second key information passes.
Generally, a terminal is configured with only one data decryption mode, and if a user cannot complete data decryption in the configured only mode, data of the terminal cannot be decrypted and acquired in any other mode. In view of this, the present disclosure provides a data obtaining method applied to a terminal on the basis of the above data decryption method, which combines the data decryption method provided by the present disclosure with an existing data decryption manner to recover and obtain data when a user cannot obtain encrypted data through the existing decryption manner.
In addition, it should be noted that, in the data acquisition method provided by the present disclosure, the terminal also needs to cooperate with the server, and for the server-side implementation, reference may be made to any of the above-mentioned data decryption methods applied to the server. Accordingly, if there is ambiguity regarding the implementation on the terminal side, reference may also be made to any of the embodiments of the data decryption method applied to the terminal described above.
FIG. 15 is a flowchart illustrating a data acquisition method according to an exemplary embodiment, as shown in FIG. 15, including the following steps.
In step S81, in response to failing to acquire the encrypted target data from the terminal based on the hybrid password ciphertext, the first key information sent by the server is received, and the second key information corresponding to the terminal is determined.
In step S82, the encrypted target data is decrypted based on the first key information and the second key information to acquire the target data from the terminal.
In the embodiment of the present disclosure, the terminal cannot acquire the encrypted target data based on the mixed cipher text, that is, the user cannot decrypt and acquire the data of the terminal through a data decryption method in the related art. Taking fig. 2 as an example, the terminal cannot acquire the encrypted target data based on the mixed password ciphertext, for example, the user may forget the preconfigured password. On this basis, the present disclosure can decrypt the encrypted target data by the first key information and the second key information to acquire the target data from the terminal.
In the embodiment of the present disclosure, the encryption and decryption of the target data may also be performed by a key negotiation algorithm. For example, the terminal may generate third key information through the second public information of the server and the second private information of the terminal, and further encrypt the target data through the second key information and the third key information to obtain encrypted target data. Further, the terminal may delete the second private information after generating the third key information, so that the terminal cannot decrypt the encrypted target data with the second private information and the second public information. Accordingly, the server may generate the first key information through the first public information of the terminal and the first private information of the server.
The data acquisition method provided by the embodiment of the disclosure can be applied to a scene where a user cannot unlock the terminal through the screen locking password. In this scenario, on the one hand, the user can acquire the data of the terminal through the steps S81 and S82. On the other hand, the user can unlock the screen locking password of the terminal in a flashing manner. On the basis, the user can re-import the acquired data into the terminal so that the terminal can unlock the screen locking password under the condition of keeping the data.
Based on the same conception, the embodiment of the disclosure also provides a data decryption device applied to the terminal.
It is understood that the data decryption apparatus provided by the embodiments of the present disclosure includes a hardware structure and/or a software module for performing the above functions. The disclosed embodiments can be implemented in hardware or a combination of hardware and computer software, in combination with the exemplary elements and algorithm steps disclosed in the disclosed embodiments. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
Fig. 16 is a block diagram illustrating a data decryption apparatus applied to a terminal according to an exemplary embodiment. Referring to fig. 16, the apparatus 100 includes a receiving unit 101, a determining unit 102, and a processing unit 103.
And the receiving unit 101 is used for receiving the first key information sent by the server in response to the fact that the encrypted data of the terminal is triggered to be decrypted. The determining unit 102 is configured to determine second key information corresponding to the terminal. A processing unit 103 configured to decrypt the encrypted data based on the first key information and the second key information.
In one embodiment, the first key information is generated by the server based on first public information and first private information, the first public information is public information of the terminal, and the first private information is private information of the server. The terminal obtains the encrypted data by adopting the following method: and encrypting the data of the terminal based on the second key information and the third key information to obtain encrypted data. The third key information and the first key information have the same key negotiation DH value, and the terminal generates the third key information and the first key information in advance in the following mode: and generating third key information based on the second public information and the second private information, wherein the second public information is the public information of the server, and the second private information is the private information of the terminal. Wherein the second private information is deleted after the terminal generates the third key information.
In one embodiment, the receiving unit 101 receives the first key information sent by the server in the following manner: and sending a data decryption request to the server, wherein the data decryption request is used for triggering the server to perform user identity verification under the condition of receiving the data decryption request. And receiving first key information sent by the server under the condition that the user identity verification is passed.
In one embodiment, the receiving unit 101 sends a data decryption request to the server as follows: first verification is performed on the second key information. And responding to the first verification passing of the second key information, and sending a data decryption request to the server.
In one embodiment, the processing unit 103 is further configured to: and performing second verification on the closing instruction in response to receiving the closing instruction for indicating to close the first verification. And under the condition that the second verification of the closing instruction is determined to pass, closing the first verification based on the closing instruction, so that the terminal cannot decrypt data based on the first verification.
Based on the same conception, the embodiment of the disclosure also provides a data decryption device applied to the server.
Fig. 17 is a block diagram illustrating a data decryption apparatus applied to a server according to an exemplary embodiment. Referring to fig. 17, the apparatus 200 includes a generating unit 201 and a transmitting unit 202.
A generating unit 201 for generating first key information. A sending unit 202, configured to send the first key information to the terminal, so that the terminal decrypts the encrypted data of the terminal based on the first key information and the second key information corresponding to the terminal.
In one embodiment, the encrypted data is obtained by the terminal encrypting data of the terminal based on the second key information and the third key information, the third key information is generated by the terminal based on the second public information and the second private information, and the third key information and the first key information have the same key negotiation DH value. The second public information is public information of the server, the second private information is private information of the terminal, and the second private information is deleted after the terminal generates third key information. The generation unit 201 generates the first key information in the following manner: and generating first key information based on the first public information and the first private information, wherein the first public information is the public information of the terminal, and the first private information is the private information of the server.
In one embodiment, before generating the first key information, the generating unit 201 is further configured to: and responding to a received data decryption request sent by the terminal, triggering user identity verification and determining that the user identity verification passes.
In one embodiment, the data decryption request is sent by the terminal upon determining that the first authentication of the second key information passes.
Based on the same conception, the embodiment of the disclosure also provides a data acquisition device applied to the terminal.
Fig. 18 is a block diagram illustrating a data acquisition apparatus applied to a terminal according to an exemplary embodiment. Referring to fig. 18, the apparatus 300 includes a receiving unit 301, a determining unit 302, and a processing unit 303.
The receiving unit 301 receives the first key information transmitted by the server in response to failing to acquire the encrypted target data from the terminal based on the hybrid cipher text. A determining unit 302, configured to determine second key information corresponding to the terminal. A processing unit 303, configured to decrypt the encrypted target data based on the first key information and the second key information to obtain the target data from the terminal.
In one embodiment, the first key information is generated by the server based on first public information and first private information, the first public information is public information of the terminal, and the first private information is private information of the server. The terminal pre-encrypts the target data in the following way: and encrypting the target data based on the second key information and the third key information to obtain the encrypted target data. The third key information and the first key information have the same key negotiation DH value, and the terminal generates the third key information and the first key information in advance in the following mode: and generating third key information based on the second public information and the second private information, wherein the second public information is the public information of the server, and the second private information is the private information of the terminal. Wherein the second private information is deleted after the terminal generates the third key information.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 19 is a block diagram illustrating an apparatus 400 for data decryption in accordance with an example embodiment. For example, the apparatus 400 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, an exercise device, a personal digital assistant, and the like.
Referring to fig. 19, the apparatus 400 may include one or more of the following components: a processing component 402, a memory 404, a power component 406, a multimedia component 408, an audio component 410, an input/output (I/O) interface 412, a sensor component 414, and a communication component 416.
The processing component 402 generally controls overall operation of the apparatus 400, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing component 402 may include one or more processors 420 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 402 can include one or more modules that facilitate interaction between the processing component 402 and other components. For example, the processing component 402 can include a multimedia module to facilitate interaction between the multimedia component 408 and the processing component 402.
The memory 404 is configured to store various types of data to support operations at the apparatus 400. Examples of such data include instructions for any application or method operating on the device 400, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 404 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The multimedia component 408 includes a screen that provides an output interface between the device 400 and the user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 408 includes a front facing camera and/or a rear facing camera. The front camera and/or the rear camera may receive external multimedia data when the apparatus 400 is in an operation mode, such as a photographing mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 410 is configured to output and/or input audio signals. For example, audio component 410 includes a Microphone (MIC) configured to receive external audio signals when apparatus 400 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in the memory 404 or transmitted via the communication component 416. In some embodiments, audio component 410 also includes a speaker for outputting audio signals.
The I/O interface 412 provides an interface between the processing component 402 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor component 414 includes one or more sensors for providing various aspects of status assessment for the apparatus 400. For example, the sensor assembly 414 may detect an open/closed state of the apparatus 400, the relative positioning of the components, such as a display and keypad of the apparatus 400, the sensor assembly 414 may also detect a change in the position of the apparatus 400 or a component of the apparatus 400, the presence or absence of user contact with the apparatus 400, orientation or acceleration/deceleration of the apparatus 400, and a change in the temperature of the apparatus 400. The sensor assembly 414 may include a proximity sensor configured to detect the presence of a nearby object in the absence of any physical contact. The sensor assembly 414 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 414 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 416 is configured to facilitate wired or wireless communication between the apparatus 400 and other devices. The apparatus 400 may access a wireless network based on a communication standard, such as WiFi,4G or 5G, or a combination thereof. In an exemplary embodiment, the communication component 416 receives broadcast signals or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 416 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, ultra Wideband (UWB) technology, bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the apparatus 400 may be implemented by one or more Application Specific Integrated Circuits (ASICs), digital Signal Processors (DSPs), digital Signal Processing Devices (DSPDs), programmable Logic Devices (PLDs), field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium comprising instructions, such as the memory 404 comprising instructions, executable by the processor 420 of the apparatus 400 to perform the above-described method is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It is understood that "a plurality" in this disclosure means two or more, and other words are analogous. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. The singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It will be further understood that the terms "first," "second," and the like are used to describe various information and that such information should not be limited by these terms. These terms are only used to distinguish one type of information from another, and do not indicate a particular order or degree of importance. Indeed, the terms "first," "second," and the like are fully interchangeable. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure.
It is further understood that, unless otherwise specified, "connected" includes direct connections between the two without other elements and indirect connections between the two with other elements.
It is further to be understood that while operations are depicted in the drawings in a particular order, this is not to be understood as requiring that such operations be performed in the particular order shown or in serial order, or that all illustrated operations be performed, to achieve desirable results. In certain environments, multitasking and parallel processing may be advantageous.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the scope of the appended claims.
Claims (24)
1. A data decryption method is applied to a terminal, and comprises the following steps:
receiving first key information sent by a server in response to the fact that the encrypted data of the terminal are triggered to be decrypted, and determining second key information corresponding to the terminal;
decrypting the encrypted data based on the first key information and the second key information.
2. The data decryption method of claim 1, wherein the first key information is generated by the server based on first public information and first private information, the first public information being public information of the terminal, the first private information being private information of the server;
the terminal obtains the encrypted data by adopting the following method:
encrypting data of the terminal based on the second key information and the third key information to obtain encrypted data;
the third key information and the first key information have the same key negotiation DH value, and are generated in advance by the terminal in the following manner:
generating third key information based on second public information and second private information, wherein the second public information is public information of the server, and the second private information is private information of the terminal;
wherein the second secret information is deleted after the terminal generates the third key information.
3. The data decryption method according to claim 1 or 2, wherein the receiving the first key information sent by the server comprises:
sending a data decryption request to the server, wherein the data decryption request is used for triggering the server to perform user identity verification under the condition of receiving the data decryption request;
and receiving first key information sent by the server under the condition that the user identity verification is passed.
4. The data decryption method of claim 3, wherein the sending of the data decryption request to the server comprises:
performing first verification on the second key information;
and responding to the first verification passing of the second key information, and sending a data decryption request to the server.
5. The data decryption method of claim 4, wherein the method further comprises:
performing second verification on the closing instruction in response to receiving the closing instruction for indicating to close the first verification;
and under the condition that the second verification of the closing instruction is determined to pass, closing the first verification based on the closing instruction, so that the terminal cannot decrypt data based on the first verification.
6. A data decryption method, applied to a server, the method comprising:
generating first key information;
and sending the first key information to a terminal so that the terminal decrypts the encrypted data of the terminal based on the first key information and second key information corresponding to the terminal.
7. The data decryption method according to claim 6, wherein the encrypted data is obtained by the terminal encrypting data of the terminal based on the second key information and third key information, the third key information is generated by the terminal based on second public information and second private information, and the third key information has the same key agreement DH value as the first key information;
the second public information is public information of the server, the second private information is private information of the terminal, and the second private information is deleted after the terminal generates the third key information;
the generating of the first key information includes:
and generating the first key information based on first public information and first private information, wherein the first public information is public information of the terminal, and the first private information is private information of the server.
8. The data decryption method according to claim 6 or 7, wherein before the generating the first key information, the method further comprises:
and triggering to perform user identity verification and determining that the user identity verification is passed in response to the received data decryption request sent by the terminal.
9. The data decryption method according to claim 8, wherein the data decryption request is transmitted by the terminal in a case where it is determined that the first authentication on the second key information is passed.
10. A data acquisition method is applied to a terminal and comprises the following steps:
responding to the situation that encrypted target data cannot be obtained from the terminal based on the mixed cipher ciphertext, receiving first secret key information sent by a server, and determining second secret key information corresponding to the terminal;
and decrypting the encrypted target data based on the first key information and the second key information to acquire the target data from the terminal.
11. The data acquisition method according to claim 10, wherein the first key information is generated by the server based on first public information and first private information, the first public information being public information of the terminal, the first private information being private information of the server;
the terminal encrypts the target data in advance by adopting the following method:
encrypting the target data based on the second key information and the third key information to obtain the encrypted target data;
the third key information and the first key information have the same key negotiation DH value, and are generated in advance by the terminal in the following manner:
generating third key information based on second public information and second private information, wherein the second public information is public information of the server, and the second private information is private information of the terminal;
wherein the second secret information is deleted after the terminal generates the third key information.
12. A data decryption apparatus, applied to a terminal, comprising:
the receiving unit is used for receiving first key information sent by a server in response to the fact that the encrypted data of the terminal are triggered to be decrypted;
the determining unit is used for determining second key information corresponding to the terminal;
a processing unit, configured to decrypt the encrypted data based on the first key information and the second key information.
13. The data decryption apparatus according to claim 12, wherein the first key information is generated by the server based on first public information and first private information, the first public information being public information of the terminal, the first private information being private information of the server;
the terminal obtains the encrypted data by adopting the following method:
encrypting data of the terminal based on the second key information and the third key information to obtain the encrypted data;
the third key information and the first key information have the same key negotiation DH value, and are generated in advance by the terminal in the following manner:
generating third key information based on second public information and second private information, wherein the second public information is public information of the server, and the second private information is private information of the terminal;
wherein the second secret information is deleted after the terminal generates the third key information.
14. The data decryption apparatus according to claim 12 or 13, wherein the receiving unit receives the first key information transmitted by the server in such a manner that:
sending a data decryption request to the server, wherein the data decryption request is used for triggering the server to perform user identity verification under the condition of receiving the data decryption request;
and receiving first key information sent by the server under the condition that the user identity verification is passed.
15. The data decryption apparatus according to claim 14, wherein the receiving unit sends a data decryption request to the server in such a manner that:
performing first verification on the second key information;
and responding to the first verification passing of the second key information, and sending a data decryption request to the server.
16. The data decryption device of claim 15, wherein the processing unit is further configured to:
performing second verification on the closing instruction in response to receiving the closing instruction for indicating to close the first verification;
and under the condition that the second verification of the closing instruction is determined to pass, closing the first verification based on the closing instruction so that the terminal cannot decrypt data based on the first verification.
17. A data decryption apparatus, applied to a server, the apparatus comprising:
a generation unit configured to generate first key information;
and the sending unit is used for sending the first key information to a terminal so that the terminal can decrypt the encrypted data of the terminal based on the first key information and the second key information corresponding to the terminal.
18. The data decryption apparatus according to claim 17, wherein the encrypted data is obtained by the terminal encrypting data of the terminal based on the second key information and third key information, the third key information is generated by the terminal based on second public information and second private information, and the third key information has a same key agreement DH value as the first key information;
the second public information is public information of the server, the second private information is private information of the terminal, and the second private information is deleted after the terminal generates the third key information;
the generation unit generates the first key information in the following manner:
and generating the first key information based on first public information and first private information, wherein the first public information is public information of the terminal, and the first private information is private information of the server.
19. The data decryption apparatus according to claim 17 or 18, wherein, before generating the first key information, the generation unit is further configured to:
and responding to the received data decryption request sent by the terminal, triggering user identity verification and determining that the user identity verification passes.
20. The data decryption apparatus according to claim 19, wherein the data decryption request is transmitted by the terminal in a case where it is determined that the first authentication on the second key information is passed.
21. A data acquisition device is characterized by being applied to a terminal and comprising:
a receiving unit which receives first key information sent by a server in response to the terminal being unable to acquire encrypted target data from the terminal based on a hybrid cipher text;
a determining unit, configured to determine second key information corresponding to the terminal;
a processing unit, configured to decrypt the encrypted target data based on the first key information and the second key information, so as to obtain the target data from the terminal.
22. The apparatus according to claim 21, wherein the first key information is generated by the server based on first public information and first private information, the first public information being public information of the terminal, the first private information being private information of the server;
the terminal pre-encrypts the target data in the following way:
encrypting the target data based on the second key information and the third key information to obtain the encrypted target data;
the third key information and the first key information have the same key negotiation DH value, and are generated in advance by the terminal in the following manner:
generating third key information based on second public information and second private information, wherein the second public information is public information of the server, and the second private information is private information of the terminal;
wherein the second secret information is deleted after the terminal generates the third key information.
23. A data decryption apparatus, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to: performing the data decryption method of any one of claims 1 to 5, or performing the data decryption method of any one of claims 6 to 9, or performing the data acquisition method of claim 10 or 11.
24. A storage medium having stored therein instructions which, when executed by a processor, enable the processor to carry out the data decryption method of any one of claims 1 to 5, or carry out the data decryption method of any one of claims 6 to 9, or carry out the data acquisition method of claim 10 or 11.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210825197.7A CN115333728A (en) | 2022-07-14 | 2022-07-14 | Data decryption method, data decryption device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210825197.7A CN115333728A (en) | 2022-07-14 | 2022-07-14 | Data decryption method, data decryption device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115333728A true CN115333728A (en) | 2022-11-11 |
Family
ID=83918441
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210825197.7A Pending CN115333728A (en) | 2022-07-14 | 2022-07-14 | Data decryption method, data decryption device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115333728A (en) |
-
2022
- 2022-07-14 CN CN202210825197.7A patent/CN115333728A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3657370B1 (en) | Methods and devices for authenticating smart card | |
| EP3001640B1 (en) | Secure information exchange methods and wearable device | |
| US10193875B2 (en) | Method and apparatus for controlling access to surveillance video | |
| CN109146470B (en) | Method and device for generating payment code | |
| CN108269334A (en) | Method for unlocking, terminal device and smart lock | |
| CN104967511A (en) | Processing method for enciphered data, and apparatus thereof | |
| CN104955031A (en) | Information transmission method and device | |
| KR101639147B1 (en) | Method, device, program and storage medium for sending information in voice service | |
| TWI761843B (en) | Access control method and device, electronic device and storage medium | |
| CN110765434A (en) | Identity authentication method and device, electronic equipment and storage medium | |
| CN110738778B (en) | Access control method and device, equipment and storage medium | |
| CN105281907A (en) | Encrypted data processing method and apparatus | |
| US9667784B2 (en) | Methods and devices for providing information in voice service | |
| CN111917728A (en) | Password verification method and device | |
| CN113055169B (en) | Data encryption method and device, electronic equipment and storage medium | |
| CN114221764A (en) | Public key updating method, device and equipment based on block chain | |
| CN105120452B (en) | Transmit the method, apparatus and system of information | |
| CN112115464B (en) | Unlocking processing method and device, electronic equipment and storage medium | |
| US10402562B2 (en) | Method and device for encrypting application | |
| CN106485151B (en) | Method and device for controlling flashing | |
| CN107302519B (en) | Identity authentication method and device for terminal equipment, terminal equipment and server | |
| CN108924136B (en) | Authorization authentication method, device and storage medium | |
| CN115333728A (en) | Data decryption method, data decryption device and storage medium | |
| CN107318148B (en) | Wireless local area network access information storage method and device | |
| CN116167065A (en) | Data security encryption and security decryption method for ciphertext database |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |