CN115361198A - Decryption method, encryption method, device, computer equipment and storage medium - Google Patents

Publication number
CN115361198A
Authority
CN
China
Prior art keywords
key
password
terminal equipment
encrypted
server
Legal status
Pending
Application number
CN202210984706.0A
Other languages
Chinese (zh)
Inventor
党亚林
周生宁
苗志高
俎旭
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
ICBC Technology Co Ltd
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
ICBC Technology Co Ltd
Application filed by Industrial and Commercial Bank of China Ltd ICBC, ICBC Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/12: Applying verification of the received information
    • H04L63/126: Applying verification of the received information the source of the received data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a decryption method, an encryption method, a decryption device, a computer device and a storage medium, which can be used in the field of financial technology or other related fields. The decryption method is applied to the terminal equipment and comprises the following steps: when an application program is started, acquiring a terminal equipment identifier; acquiring a first password value based on the terminal equipment identifier, and encrypting the terminal equipment identifier to acquire an encrypted password key; and receiving the encrypted target key sent by the server, and decrypting the encrypted target key to obtain the target key. The encryption method is applied to a server and comprises the following steps: receiving a first password value and an encrypted password key sent by terminal equipment; obtaining a second password value based on the encrypted password key; and comparing whether the first password value is consistent with the second password value, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment. The method can improve the security of the target key in the encryption and decryption processes.

Description

Decryption method, encryption method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a decryption method, an encryption method, an apparatus, a computer device, and a storage medium.
Background
With the development of information technology, data security requirements keep rising. When developing a mobile client application, a target key is needed to symmetrically encrypt key data, and this encryption is often a prerequisite for other operations such as network requests and server identity authentication.
In current application development, the target key is often stored on the terminal device and used directly to symmetrically encrypt and decrypt key data. For example, the target key may be stored in an so (shared object) file or a database on the terminal device, or stored on the terminal device through Gradle (an open-source build automation tool) configuration. Storing the target key on the terminal device only makes reverse engineering harder for an attacker; the target key can still be recovered by reverse engineering. Once the application program is cracked, the target key is at risk of being leaked and its security cannot be guaranteed. The existing method of storing the target key on the terminal device therefore has the problem that the security of the target key is not high.
Disclosure of Invention
Based on this, it is necessary to provide a decryption method, an encryption method, an apparatus, a computer device, a computer-readable storage medium, and a computer program product, which can improve the security of a target key, in order to solve the problem that the security of the target key is not high in the conventional method of storing the target key in a terminal device.
In a first aspect, the present application provides a decryption method, which is applied to a terminal device. The method comprises the following steps:
when an application program is started, acquiring a terminal equipment identifier, wherein the application program runs on the terminal equipment;
obtaining a first password value based on the terminal equipment identification, and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key and sending the encrypted password key to a server;
receiving an encrypted target key sent by a server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
In one embodiment, obtaining the first password value based on the terminal device identification comprises:
acquiring a first timestamp, wherein the first timestamp corresponds to the moment at which the terminal equipment identifier is acquired;
dividing the first timestamp by a preset time length to obtain the integer part of the division result;
and obtaining the first password value through a hash algorithm according to the integer and the terminal equipment identification.
In one embodiment, encrypting the terminal device identifier to obtain an encrypted password key includes:
reading a first public key character string from a prestored server public key file;
and encrypting the terminal equipment identifier based on the first public key character string to obtain an encrypted password key.
In one embodiment, decrypting the encrypted target key to obtain the target key includes:
reading a first private key character string from a prestored private key file of the terminal equipment;
and based on the first private key character string, decrypting the encrypted target key through an asymmetric encryption algorithm to obtain the target key.
In a second aspect, the present application further provides a decryption apparatus, which is applied to a terminal device. The device comprises:
the data acquisition module is used for acquiring the identifier of the terminal equipment when the application program is started, and the application program runs on the terminal equipment;
the first password acquisition module is used for acquiring a first password value based on the terminal equipment identifier and sending the first password value to the server; encrypting the terminal equipment identification to obtain an encrypted password key and sending the encrypted password key to a server;
the first decryption module is used for receiving the encrypted target key sent by the server and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
In a third aspect, the present application provides an encryption method applied to a server. The method comprises the following steps:
receiving a first password value and an encrypted password key sent by terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment;
decrypting the encrypted password key to obtain a decrypted password key;
obtaining a second password value based on the decrypted password key;
comparing whether the first password value and the second password value are consistent; and if they are consistent, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is to be decrypted at the terminal equipment to obtain the target key.
In one embodiment, decrypting the encrypted password key to obtain a decrypted password key includes:
reading a second private key character string from a prestored server private key file;
and decrypting the encrypted password key based on the second private key character string to obtain a decrypted password key.
In one embodiment, obtaining the second password value based on the decrypted password key comprises:
acquiring a second timestamp which is a timestamp corresponding to the moment when the first password value and the encrypted password key which are sent by the terminal equipment are received;
dividing the second timestamp by a preset time length to obtain the integer part of the division result;
and obtaining a second password value through a hash algorithm according to the decrypted password key and the integer.
In one embodiment, encrypting the target key to obtain an encrypted target key includes:
reading a second public key character string of the terminal equipment from a prestored public key file of the terminal equipment;
and encrypting the target key by an asymmetric encryption algorithm based on the second public key character string to obtain an encrypted target key.
In a fourth aspect, the present application further provides an encryption apparatus applied to a server. The device comprises:
the data receiving module is used for receiving the first password value and the encrypted password key sent by the terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment;
the second decryption module is used for decrypting the encrypted password key to obtain a decrypted password key;
the second password obtaining module is used for obtaining a second password value based on the decrypted password key;
the encryption module is used for comparing whether the first password value is consistent with the second password value; and if they are consistent, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is to be decrypted at the terminal equipment to obtain the target key.
In a fifth aspect, the present application further provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the following steps when executing the computer program:
when an application program is started, acquiring a terminal equipment identifier, wherein the application program runs on the terminal equipment;
obtaining a first password value based on the terminal equipment identification, and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key and sending the encrypted password key to a server;
receiving an encrypted target key sent by a server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
The processor, when executing the computer program, further implements the steps of:
receiving a first password value and an encrypted password key sent by terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment;
decrypting the encrypted password key to obtain a decrypted password key;
obtaining a second password value based on the decrypted password key;
comparing whether the first password value and the second password value are consistent; and if they are consistent, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is to be decrypted at the terminal equipment to obtain the target key.
In a sixth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, implements the following steps:
when an application program is started, acquiring a terminal equipment identifier, wherein the application program runs on the terminal equipment;
obtaining a first password value based on the terminal equipment identification, and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key and sending the encrypted password key to a server;
receiving an encrypted target key sent by a server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
The computer program when executed by a processor further realizes the steps of:
receiving a first password value and an encrypted password key sent by terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment;
decrypting the encrypted password key to obtain a decrypted password key;
obtaining a second password value based on the decrypted password key;
comparing whether the first password value and the second password value are consistent; and if they are consistent, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is to be decrypted at the terminal equipment to obtain the target key.
In a seventh aspect, the present application further provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the following steps:
when an application program is started, acquiring a terminal equipment identifier, wherein the application program runs on the terminal equipment;
obtaining a first password value based on the terminal equipment identification, and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key and sending the encrypted password key to a server;
receiving an encrypted target key sent by a server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
The computer program when executed by a processor further realizes the steps of:
receiving a first password value and an encrypted password key sent by terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment;
decrypting the encrypted password key to obtain a decrypted password key;
obtaining a second password value based on the decrypted password key;
comparing whether the first password value and the second password value are consistent; and if they are consistent, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is to be decrypted at the terminal equipment to obtain the target key.
According to the decryption method, the decryption device, the computer equipment, the storage medium and the computer program product, the terminal equipment identification is obtained when the application program is started. Before the encrypted target key is transmitted between the terminal equipment and the server, the terminal equipment first obtains the first password value and the encrypted password key based on the terminal equipment identification and sends them to the server. Because the second password value generated by the server based on the encrypted password key is compared with the first password value, the terminal equipment is regarded as trusted equipment, and receives the encrypted target key sent by the server, only when the comparison result is consistent. The encrypted target key is thus transmitted only between trusted terminal equipment and the server, which improves the security of the target key. Meanwhile, the terminal equipment receives the target key in encrypted form and can obtain the target key only by decrypting the encrypted target key, so that the risk of leakage of the target key is effectively avoided.
According to the encryption method, the encryption device, the computer equipment, the storage medium and the computer program product, the server receives the first password value and the encrypted password key sent by the terminal equipment, and compares a second password value obtained based on the encrypted password key with the first password value. The server sends the encrypted target key to the trusted terminal equipment only when the comparison result is consistent, so that a trust relationship can be established between the server and the terminal equipment, the encrypted target key is transmitted only between trusted terminal equipment and the server, and the security of the target key can be improved. Compared with storing the target key on the terminal equipment, storing it on the server is more secure; the target key is encrypted before being sent to the terminal equipment, which ensures the security of the target key in transmission and further improves the security of the target key.
Drawings
FIG. 1 is a diagram of an application environment of a decryption method and an encryption method in one embodiment;
FIG. 2 is a flow diagram illustrating a decryption method in one embodiment;
FIG. 3 is a flow chart illustrating a decryption method in yet another embodiment;
FIG. 4 is a block diagram of a decryption device in one embodiment;
FIG. 5 is a flow diagram illustrating an encryption method in one embodiment;
FIG. 6 is a flow chart illustrating an encryption method in yet another embodiment;
FIG. 7 is a block diagram of an encryption apparatus in one embodiment;
FIG. 8 is a flow diagram illustrating a decryption method and an encryption method in accordance with an exemplary embodiment;
FIG. 9 is a diagram of an internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The decryption method and the encryption method provided by the embodiments of the application can be applied to the application environment shown in fig. 1, in which the terminal device 102 communicates with the server 104 over a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104, or may be located on the cloud or another network server. When the terminal device 102 starts the application program, the terminal device 102 acquires a terminal device identifier, wherein the application program runs on the terminal device 102; the terminal device 102 obtains a first password value based on the terminal device identifier, and sends the first password value to the server 104; the terminal device 102 encrypts the terminal device identifier to obtain an encrypted password key, and sends the encrypted password key to the server 104; the terminal device 102 receives the encrypted target key sent by the server 104, and decrypts the encrypted target key to obtain a target key; the encrypted target key is obtained by the server 104 by receiving the first password value and the encrypted password key sent by the terminal device 102, the server 104 decrypts the encrypted password key to obtain the decrypted password key, the server 104 obtains the second password value based on the decrypted password key, the server 104 compares whether the first password value and the second password value are consistent, and if so, the server 104 encrypts the target key; the target key is used to encrypt data in the application.
The server 104 receives the first password value and the encrypted password key sent by the terminal device 102; the first password value is obtained by the terminal device 102 based on the terminal device identifier after the terminal device 102 obtains the terminal device identifier when the terminal device 102 starts the application program, and the application program runs on the terminal device 102; the encrypted password key is obtained by encrypting the terminal device identifier by the terminal device 102; the server 104 decrypts the encrypted password key to obtain a decrypted password key; the server 104 obtains a second password value based on the decrypted password key; the server 104 compares the first password value and the second password value to determine whether they are consistent; if the two password values are consistent, the server 104 encrypts the target key to obtain an encrypted target key, and sends the encrypted target key to the terminal device 102, where the encrypted target key is used for decryption at the terminal device 102 to obtain the target key. The terminal device 102 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices. The internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart car-mounted devices, and the like. The portable wearable device can be a smart watch, a smart bracelet, a head-mounted device, and the like. The server 104 may be implemented as a stand-alone server or as a server cluster comprised of multiple servers.
In one embodiment, as shown in fig. 2, a decryption method is provided, which is described by taking the method as an example applied to the terminal device 102 in fig. 1, and includes the following steps:
S202, when the application program is started, the terminal equipment identification is obtained, and the application program runs on the terminal equipment.
The application program refers to a computer program that runs on a terminal device and is used for completing one or more specific tasks, for example, a banking application program, a game application program, a media playing application program, an office tool application program or an instant messaging application program. Starting the application program generally means that, when the terminal device receives a single click or a double click on the icon of an application program, system software in the terminal device loads the code of the application program into memory so as to start the application program; alternatively, the code of the application program is loaded when the terminal device is started, so that the application program starts together with the terminal device. When the application program is started, the terminal equipment obtains the terminal equipment identification. A server can often communicate with multiple terminal devices at the same time. The terminal device identifier is identification information used for indicating a specific terminal device, and may be a serial number of the terminal device or a Universally Unique Identifier (UUID) of the terminal device. Through the device identifier, the server can accurately identify the specific terminal device and thereby communicate with the terminal device indicated by the device identifier.
S204, acquiring a first password value based on the terminal equipment identifier, and sending the first password value to a server; and encrypting the terminal equipment identifier to obtain an encrypted password key, and sending the encrypted password key to the server.
The first password value may be a dynamic password (One Time Password, OTP), which generates an unpredictable random number combination at regular intervals according to a special algorithm. The dynamic password is a one-time password: it is invalid after being used once, and a different dynamic password is needed for the next use, so that it is difficult for an attacker to counterfeit legitimate identity information. Therefore, the method for generating a dynamic password is adopted, and the terminal device identifier is fed into a dynamic password generation algorithm to generate the first password value. The first password value generated each time is different from the one generated next time, each first password value can be used only once, and the first password value generated each time is unpredictable. Dynamic password generation algorithms include symmetric algorithms, hash algorithms and HMAC (Hash-based Message Authentication Code), and the first password value may be generated by time synchronization, event synchronization or challenge/response. The terminal equipment encrypts the terminal equipment identification to obtain an encrypted password key, and the encryption method can be an asymmetric encryption algorithm. An asymmetric encryption algorithm is a key-based confidentiality method that requires two keys: a public key and a private key. The public key and the private key form a pair, called a key pair. If the public key is used to encrypt data, only the corresponding private key can decrypt it. Because encryption and decryption use two different keys, the algorithm is called an asymmetric encryption algorithm.
The terminal equipment sends the generated first password value and the encrypted password key to the server for password value verification in the server, so as to establish a trust relationship between the terminal equipment and the server.
S206, receiving the encrypted target key sent by the server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
The target key is transmitted between the terminal device and the server in encrypted form, which improves the security of the target key. The terminal device receives the encrypted target key sent by the server and decrypts it to obtain the target key; the decryption may use an asymmetric encryption algorithm. Specifically, the target key is stored in the server. The server encrypts the stored target key to generate the encrypted target key and sends it to the terminal device, which receives and decrypts it. After encryption, transmission and decryption, the target key obtained in the terminal device is identical in content to the target key stored in the server. The target key obtained in the terminal device is used to encrypt data in the application program running on the terminal device, and it may be a symmetric key. The encrypted target key received by the terminal device is produced as follows: the server receives the first password value and the encrypted password key sent by the terminal device and decrypts the encrypted password key to obtain a decrypted password key (the decryption may use an asymmetric encryption algorithm); the server obtains a second password value, which may be a dynamic password, based on the decrypted password key; and the server compares whether the first password value and the second password value are equal. If they are equal, the server encrypts the target key to obtain the encrypted target key and sends it to the terminal device.
In the decryption method above, the terminal device identifier is obtained when the application program is started. Before the encrypted target key is transmitted between the terminal device and the server, the terminal device first obtains a first password value and an encrypted password key based on the terminal device identifier and sends both to the server. The server compares a second password value, which it generates from the encrypted password key, with the first password value, and the terminal device is regarded as a trusted device only if the two are consistent; only then does it receive the encrypted target key sent by the server. The encrypted target key is thus transmitted only between a trusted terminal device and the server, which improves the security of the target key. In addition, the terminal device receives the target key only in encrypted form and must decrypt it to obtain the target key, which effectively avoids the risk of leaking the target key.
In one embodiment, as shown in fig. 3, obtaining the first password value based on the terminal device identification comprises:
S302, acquiring a first timestamp, where the first timestamp corresponds to the moment at which the terminal device identifier was acquired.
A timestamp is a standard representation of time, usually a character sequence, that uniquely identifies a moment in time. When the terminal device obtains the terminal device identifier, it records the moment of acquisition and converts that moment into a timestamp by a timestamp calculation method; this is the first timestamp. For example, the first timestamp is the number of seconds from 00:00:00 on January 1, 1970, Greenwich Mean Time (08:00:00 on January 1, 1970, Beijing time) to the moment the terminal device identifier was acquired.
S304, dividing the first time stamp by a preset time length to obtain an integer of a division operation result.
The terminal device divides the first timestamp by a preset time length to obtain a division operation result, and performs rounding on the division operation result to obtain an integer of the division operation result. For example, the preset duration may be 60 seconds, the first timestamp is divided by the preset duration, and the integer rounded is the number of minutes.
S306, obtaining a first password value through a hash algorithm according to the integer and the terminal equipment identification.
A hash algorithm, also called a hash function, converts a string of characters into a fixed-length (generally shorter) numerical value or index value. The value it produces is a hash value, and searching by the shorter hash value is faster than searching by the original value. Common hash algorithms include the MD5 Message-Digest Algorithm (MD5) and the Secure Hash Algorithm (SHA). The terminal device feeds the integer of the division operation result and the terminal device identifier into the hash algorithm to obtain the first password value.
In this embodiment, because the hash algorithm is irreversible, the security of the first password value can be ensured. If the hash algorithm were applied to the terminal device identifier alone, some decryption websites could easily find the terminal device identifier from the resulting hash value; for this reason, the integer of the division operation result is added to the input when the terminal device identifier is hashed.
In one embodiment, encrypting the terminal device identifier to obtain an encrypted password key includes: reading a first public key character string from a prestored server public key file; and encrypting the terminal equipment identification based on the first public key character string to obtain an encrypted password key.
The public key is a public part of the key pair, any terminal device can acquire the server public key file, and the server public key file, namely the pre-stored server public key file, is pre-installed in the terminal device. The server public key is stored in the server public key file in a character string mode, the terminal device reads a first public key character string from the pre-stored server public key file, and the first public key character string is the server public key. And the terminal equipment encrypts the terminal equipment identification by adopting the first public key character string to obtain an encrypted password key.
In this embodiment, the terminal device encrypts the terminal device identifier with the server public key to obtain the encrypted password key. Because public and private keys exist in pairs, data encrypted with a public key can be decrypted only with the corresponding private key. The server private key is the one paired with the server public key, so only the server private key can decrypt the encrypted password key correctly; the server private key is not public, is stored only in the server, and cannot be obtained by any terminal device. The encrypted password key obtained from the first public key character string is what is transmitted between the terminal device and the server; it has higher security, which helps improve the security of the target key obtained by the terminal device.
In one embodiment, decrypting the encrypted target key to obtain the target key comprises: reading a first private key character string from a prestored private key file of the terminal equipment; and based on the first private key character string, decrypting the encrypted target key through an asymmetric encryption algorithm to obtain the target key.
The private key is a private part of the key pair, each terminal device has a private key file, and the private key files of the terminal devices need to be input into an installation package of the application program when the application program is packaged. The terminal device is pre-installed with a terminal device private key file, namely a pre-stored terminal device private key file. The terminal device private key is stored in a terminal device private key file in a character string mode, the terminal device reads a first private key character string from a prestored terminal device private key file, and the first private key character string is the terminal device private key. And the terminal equipment decrypts the encrypted target key by adopting the first private key character string through an asymmetric encryption algorithm to obtain the target key.
In this embodiment, the terminal device decrypts the encrypted target key with the terminal device private key to obtain the target key. Because public and private keys exist in pairs, data encrypted with a public key can be decrypted correctly only with the corresponding private key. If the encrypted target key was encrypted with the public key corresponding to the first private key character string, decrypting it with the first private key character string yields a target key identical to the target key before encryption, that is, the target key stored in the server. Transmitting the encrypted target key between the terminal device and the server on the basis of asymmetric encryption and decryption gives the encrypted target key higher security and helps improve the security of the target key obtained by the terminal device. It also ensures that only the trusted terminal device can successfully decrypt the encrypted target key, which further improves the security of the target key.
Based on the same inventive concept, the embodiment of the present application further provides a decryption apparatus for implementing the above related decryption method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the decryption device provided below may refer to the limitations on the decryption method in the foregoing, and details are not described here.
In one embodiment, as shown in fig. 4, there is provided a decryption apparatus 400 comprising: a data acquisition module 402, a first password acquisition module 404, and a first decryption module 406, wherein:
a data obtaining module 402, configured to obtain a terminal device identifier when an application program is started, where the application program runs on the terminal device.
A first password obtaining module 404, configured to obtain a first password value based on the terminal device identifier, and send the first password value to the server; and encrypting the terminal equipment identification to obtain an encrypted password key, and sending the encrypted password key to the server.
The first decryption module 406 is configured to receive the encrypted target key sent by the server, and decrypt the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
The decryption device acquires the terminal equipment identifier when the application program is started, and before the encrypted target key is transmitted between the terminal equipment and the server, the terminal equipment firstly acquires a first password value and an encrypted password key based on the terminal equipment identifier and transmits the first password value and the encrypted password key to the server; meanwhile, the terminal equipment receives the encrypted target secret key sent by the server, and the terminal equipment can obtain the target secret key only by decrypting the encrypted target secret key, so that the risk of leakage of the target secret key is effectively avoided.
In one embodiment, in obtaining the first password value based on the terminal device identification, the first password obtaining module 404 is further configured to: acquiring a first time stamp, wherein the first time stamp is a time stamp corresponding to the time acquired by the terminal equipment identifier; dividing the first time stamp by a preset time length to obtain an integer of a division operation result; and obtaining a first password value through a hash algorithm according to the integer and the terminal equipment identification.
In one embodiment, in encrypting the terminal device identifier and obtaining the encrypted password key, the first password obtaining module 404 is further configured to: reading a first public key character string from a prestored server public key file; and encrypting the terminal equipment identification based on the first public key character string to obtain an encrypted password key.
In one embodiment, in decrypting the encrypted target key to obtain the target key, the first decryption module 406 is further configured to: reading a first private key character string from a prestored private key file of the terminal equipment; and based on the first private key character string, decrypting the encrypted target key through an asymmetric encryption algorithm to obtain the target key.
The various modules in the decryption apparatus described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, as shown in fig. 5, an encryption method is provided, which is described by taking the method as an example applied to the server 104 in fig. 1, and includes the following steps:
S502, receiving a first password value and an encrypted password key sent by the terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment.
The server receives a first password value and an encrypted password key sent by the terminal equipment, wherein the first password value is obtained by the following method: when the terminal equipment starts the application program, the terminal equipment acquires the terminal equipment identification, the terminal equipment acquires the first password value based on the terminal equipment identification, and the application program runs on the terminal equipment. The encrypted password key is obtained by the following method: and the terminal equipment encrypts the terminal equipment identifier to obtain an encrypted password key.
S504, the encrypted password key is decrypted to obtain a decrypted password key.
The server decrypts the encrypted password key to obtain a decrypted password key, and the decryption method may be an asymmetric encryption algorithm. Since the decrypted password key is obtained by decrypting the encrypted password key, if the key for decrypting the encrypted password key and the key for encrypting the password key before encryption are a pair of keys, the decrypted password key can be identical to the password key before encryption. For example, in the terminal device, the server public key is used for encryption to obtain the encrypted password key, then in the server, the server private key used for decryption of the encrypted password key is used, the server public key and the server private key are a pair of keys, and then the decrypted password key is consistent with the password key before encryption.
S506, a second password value is obtained based on the decrypted password key.
The server obtains a second password value based on the decrypted password key; the second password value may be a dynamic password. The server feeds the decrypted password key into a dynamic password generation algorithm to generate the second password value, so that each generated second password value differs from the next, can be used only once, and is unpredictable. The dynamic password generation algorithm the server uses may be the same as the one the terminal device uses to obtain the first password value from the terminal device identifier.
S508, comparing whether the first password value is consistent with the second password value; if they are consistent, encrypting the target key to obtain an encrypted target key and sending the encrypted target key to the terminal device, where the encrypted target key is to be decrypted at the terminal device to obtain the target key.
The target key is stored in the server. The server compares the first password value with the second password value; if they are consistent, the decrypted password key obtained in the server matches the terminal device identifier in the terminal device within the preset duration, so the terminal device is trusted. The server then encrypts the target key to obtain the encrypted target key and sends it to the terminal device. The target key may be encrypted with an asymmetric encryption algorithm. The terminal device decrypts the encrypted target key to obtain the target key; if the key used to encrypt the target key in the server and the key used to decrypt it in the terminal device form a key pair, the target key obtained in the terminal device is guaranteed to be consistent with the target key stored in the server. Because the target key is transmitted between the terminal device and the server in encrypted form, its security in transit is ensured, which further improves the security of the target key.
In the encryption method above, the server receives the first password value and the encrypted password key sent by the terminal device and compares a second password value, obtained from the encrypted password key, with the first password value. Only if the two are consistent does the server send the encrypted target key to the terminal device, which is then trusted. This helps establish a trust relationship between the server and the terminal device, so that the encrypted target key is transmitted only between a trusted terminal device and the server, which improves the security of the target key. The target key is stored in the server, where it is more secure than it would be if stored in the terminal device, and it is encrypted before being sent to the terminal device, which ensures its security in transit and further improves the security of the target key.
In one embodiment, decrypting the encrypted password key to obtain a decrypted password key includes: reading a second private key character string from a prestored server private key file; and decrypting the encrypted password key based on the second private key character string to obtain a decrypted password key.
The private key is a private key part which is not public in the key pair, and a server private key file, namely a pre-stored server private key file, is pre-installed in the server. The server private key is stored in a server private key file in a character string mode, the server reads a second private key character string from the pre-stored server private key file, and the second private key character string is the server private key. And the server decrypts the encrypted password key by adopting the second private key character string through an asymmetric encryption algorithm to obtain a decrypted password key.
In this embodiment, the server decrypts the encrypted password key with the server private key to obtain a decrypted password key. Because public and private keys exist in pairs, data encrypted with a public key can be decrypted correctly only with the corresponding private key. If the encrypted password key was encrypted with the public key corresponding to the second private key character string, decrypting it with the second private key character string yields a decrypted password key identical to the password key before encryption, that is, the terminal device identifier. Transmitting the encrypted password key between the terminal device and the server on the basis of asymmetric encryption and decryption gives the encrypted password key higher security and helps improve the security of the target key obtained by the terminal device. It also ensures that the encrypted password key can be successfully decrypted only by the trusted terminal equipment, which further improves the security of the target key.
In one embodiment, as shown in FIG. 6, obtaining the second password value based on the decrypted password key comprises:
S602, acquiring a second timestamp, where the second timestamp corresponds to the moment at which the first password value and the encrypted password key sent by the terminal device were received.
When the server receives the first password value and the encrypted password key sent by the terminal device, it records the moment of receipt and converts that moment into a timestamp by a timestamp calculation method; this is the second timestamp.
S604, dividing the second timestamp by a preset time length to obtain an integer of a division operation result.
The server divides the second timestamp by a preset time length to obtain a division operation result, and rounds the division operation result to obtain an integer of the division operation result. For example, the second timestamp is a number of seconds, the preset duration may be 60 seconds, the second timestamp is divided by the preset duration, and the integer obtained by rounding is the number of minutes.
S606, according to the decrypted password key and the integer, a second password value is obtained through a hash algorithm.
And the server brings the decrypted password key and the integer of the division operation result into a hash algorithm to obtain a second password value. The hashing algorithm used may be identical to the hashing algorithm used in the terminal device to obtain the first password value based on the integer and the terminal device identification.
In this embodiment, because the hash algorithm is irreversible, the security of the second password value can be ensured. If the hash algorithm were applied to the decrypted password key alone, some decryption websites could easily find the decrypted password key from the resulting hash value; for this reason, the integer of the division operation result is added to the input when the decrypted password key is hashed.
In one embodiment, encrypting the target key to obtain an encrypted target key comprises: reading a second public key character string of the terminal equipment from a prestored public key file of the terminal equipment; and encrypting the target secret key through an asymmetric encryption algorithm based on the second public key character string to obtain the encrypted target secret key.
The public key is a public part of the key pair, the server can acquire a terminal device public key file of any terminal device, and the server is pre-provided with the terminal device public key file, namely a pre-stored terminal device public key file. The terminal device public key is stored in the terminal device public key file in a character string mode, the server reads a second public key character string from the pre-stored terminal device public key file, and the second public key character string is the terminal device public key. And the server adopts the second public key character string to carry out asymmetric encryption on the target key to obtain an encrypted target key.
In this embodiment, the server encrypts the target key with the terminal device public key to obtain the encrypted target key. Because public and private keys exist in pairs, data encrypted with a public key can be decrypted only with the corresponding private key. The terminal device private key is the one paired with the terminal device public key, so only the terminal device private key can decrypt the encrypted target key correctly; the terminal device private key is not public, is stored only in the terminal device, and cannot be obtained by the server or by other terminal devices.
Based on the same inventive concept, the embodiment of the present application further provides an encryption apparatus for implementing the encryption method mentioned above. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the encryption device provided below can refer to the limitations on the encryption method in the foregoing, and details are not described here.
In one embodiment, as shown in fig. 7, there is provided an encryption apparatus 700 comprising: a data receiving module 702, a second decryption module 704, a second password obtaining module 706, and an encryption module 708, wherein:
a data receiving module 702, configured to receive a first password value and an encrypted password key sent by a terminal device; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment.
And a second decryption module 704, configured to decrypt the encrypted password key to obtain a decrypted password key.
A second password obtaining module 706 configured to obtain a second password value based on the decrypted password key.
An encryption module 708, configured to compare whether the first password value and the second password value are consistent; if they are consistent, to encrypt the target key to obtain an encrypted target key and send the encrypted target key to the terminal device, where the encrypted target key is to be decrypted at the terminal device to obtain the target key.
In the encryption apparatus above, the server receives the first password value and the encrypted password key sent by the terminal device and compares a second password value, obtained from the encrypted password key, with the first password value. Only if the two are consistent does the server send the encrypted target key to the terminal device, which is then trusted. This helps establish a trust relationship between the server and the terminal device, so that the encrypted target key is transmitted only between a trusted terminal device and the server, which improves the security of the target key. The target key is stored in the server, where it is more secure than it would be if stored in the terminal device, and it is encrypted before being sent to the terminal device, which ensures its security in transit and further improves the security of the target key.
In one embodiment, in decrypting the encrypted password key to obtain a decrypted password key, the second decryption module 704 is further configured to: reading a second private key character string from a prestored server private key file; and decrypting the encrypted password key based on the second private key character string to obtain a decrypted password key.
In one embodiment, in obtaining the second password value based on the decrypted password key, the second password obtaining module 706 is further configured to: acquiring a second timestamp which is a timestamp corresponding to the moment when the first password value and the encrypted password key which are sent by the terminal equipment are received; dividing the second timestamp by a preset time length to obtain an integer of a division operation result; and obtaining a second password value through a hash algorithm according to the decrypted password key and the integer.
In one embodiment, in encrypting the target key to obtain an encrypted target key, the encryption module 708 is further configured to: reading a second public key character string of the terminal equipment from a prestored public key file of the terminal equipment; and encrypting the target key by an asymmetric encryption algorithm based on the second public key character string to obtain an encrypted target key.
The various modules in the encryption apparatus described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent of a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
To describe the decryption method, the encryption method and their effects in detail, the following description uses a detailed embodiment:
For the application scenario of application program development in the financial field, the terminal device may be a mobile terminal device, the server may be an independent server or a server cluster formed by a plurality of servers, and the application program runs on the terminal device. The HTTPS server authentication mode is set to bidirectional authentication. The server installs the terminal device public key file clientpublic key.der along with the server private key; when the application program of the terminal device is packaged, the terminal device private key file clientprivate key.p12 is placed in the application program installation package, and the server public key file is prestored in the terminal device.
Fig. 8 is a schematic flowchart of a method for decrypting and encrypting a target key based on a dynamic password. When the application is started, the terminal device obtains a terminal device identifier, which may be a UUID and is used as the OTP key. The terminal equipment reads a first public key character string, which is the server public key, from a prestored server public key file and, based on the first public key character string, encrypts the OTP key with the national cryptographic SM2 algorithm to obtain the encrypted password key OTP key1. The terminal equipment calls a server interface and obtains the timestamp corresponding to the moment at which the terminal equipment identifier was obtained, which is the first timestamp Ts1. The first timestamp Ts1 is divided by the preset time length 60, and the division operation result is rounded to obtain the integer cTs. From the integer cTs and the terminal device identifier, a first password value OTP Value1 is obtained through a hash algorithm, and may be calculated as: OTP Value1 = HMAC-SHA2(key, data), where key = OTP key and data = UUID + cTs. The terminal equipment then sends a key obtaining request to the server by calling the key obtaining interface of the server, which carries two parameters: the encrypted password key OTP key1 and the first password value OTP Value1.
After receiving the key obtaining request sent by the terminal equipment, the server obtains the encrypted password key OTP key1 and the first password value OTP Value1. The server reads a second private key character string, which is the server private key, from a prestored server private key file, and uses it with the national cryptographic SM2 algorithm to decrypt the encrypted password key OTP key1 and obtain a decrypted password key. Because encryption and decryption use the same key pair, the decrypted password key is the OTP key. The server obtains the timestamp corresponding to the moment at which it received the first password value OTP Value1 and the encrypted password key OTP key1 sent by the terminal device; this is the second timestamp Ts2. The second timestamp Ts2 is divided by the preset time length, which is 60 seconds, and the division operation result is rounded to obtain the integer sTs. From the decrypted password key OTP key and the integer sTs, a second password value OTP Value2 is obtained through a hash algorithm, calculated as: OTP Value2 = HMAC-SHA2(key, data), where key = decrypted password key OTP key and data = decrypted password key OTP key + sTs. The server compares whether the first password value OTP Value1 and the second password value OTP Value2 are identical. If they are consistent, the key and data used to calculate the second password value in the server match the key and data used to calculate the first password value in the terminal equipment, so the terminal equipment is a trusted device, and the server encrypts the target key to obtain an encrypted target key and sends the encrypted target key to the terminal equipment.
The server encrypts the target key to obtain the encrypted target key as follows. The target key is stored in the server. The server reads a second public key character string, which is the public key of the terminal device, from a prestored terminal device public key file, and uses this public key to encrypt the target key and obtain the encrypted target key, which is to be decrypted at the terminal device to obtain the target key. If the first password value OTP Value1 is inconsistent with the second password value OTP Value2, the terminal device is an untrusted device; the server ends the authentication of the terminal device and sends an authentication failure message to the terminal device.
After receiving the encrypted target key sent by the server, the terminal equipment decrypts it to obtain the target key, which is used for encrypting data in the application program. Specifically, the terminal device reads a first private key character string, which is the private key of the terminal device, from a prestored terminal device private key file, and uses it to decrypt the encrypted target key through an asymmetric encryption algorithm to obtain the target key. Because the keys used to encrypt and to decrypt the target key form one key pair, the decrypted target key is the same as the target key before encryption. If the terminal device key used for decryption and the key used for encryption are not a key pair, that is, not the key pair of the same device, the decrypted target key differs from the target key before encryption, and the terminal device cannot use it to encrypt the data in the program. This ensures that the decrypted target key is correct only when encryption and decryption use the key pair of the same terminal device, which further ensures the security of the target key. Meanwhile, the target key is stored in the server, which reduces the workload and the risk caused by local storage in the terminal equipment.
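The time-step password check from the embodiment above, as an added Python example (not code from the patent). It assumes HMAC-SHA256 as the HMAC-SHA2 variant, floor rounding of the division, string concatenation for `UUID + cTs`, and a constructed UUID; the SM2 wrapping of the OTP key is left out, and `allowed_drift_steps` is a hypothetical extension that the patent does not describe.

```python
import hashlib
import hmac

STEP_SECONDS = 60  # preset time length used in the embodiment

# Constructed sample identifier, not a value from the patent.
SAMPLE_UUID = "3f2b8c1e-9d4a-4e7b-8a61-0c5d2e9f7a10"


def time_step(timestamp: float, step: int = STEP_SECONDS) -> int:
    """Integer part of timestamp / step: cTs on the terminal, sTs on the server.

    Assumption: the "rounding" in the text is taken as floor division.
    """
    return int(timestamp // step)


def otp_value(otp_key: str, counter: int) -> str:
    """OTP Value = HMAC-SHA2(key, data) with key = OTP key, data = OTP key + counter.

    Assumption: SHA-256 is the SHA-2 variant and '+' is string concatenation.
    """
    key = otp_key.encode("utf-8")
    data = (otp_key + str(counter)).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def terminal_otp_value1(device_uuid: str, ts1: float) -> str:
    """Terminal side: the UUID is the OTP key, Ts1 gives cTs."""
    return otp_value(device_uuid, time_step(ts1))


def server_verify(decrypted_otp_key: str, otp_value1: str, ts2: float,
                  allowed_drift_steps: int = 0) -> bool:
    """Server side: recompute OTP Value2 from the decrypted OTP key and Ts2.

    allowed_drift_steps=0 is the exact comparison described in the embodiment.
    A larger value (hypothetical, not in the patent) also accepts neighbouring
    time steps, which tolerates a request that crosses a step boundary.
    """
    s_ts = time_step(ts2)
    for offset in range(-allowed_drift_steps, allowed_drift_steps + 1):
        otp_value2 = otp_value(decrypted_otp_key, s_ts + offset)
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(otp_value2, otp_value1):
            return True
    return False


def run_scenarios() -> dict:
    """Constructed timestamps: 1_700_000_040 is a 60-second step boundary."""
    ts1 = 1_700_000_035  # terminal computes the value 5 s before the boundary
    value1 = terminal_otp_value1(SAMPLE_UUID, ts1)
    other_uuid = "00000000-0000-4000-8000-000000000000"  # constructed
    return {
        # Request received 3 s later, still in the same step: values match.
        "same_step": server_verify(SAMPLE_UUID, value1, 1_700_000_038),
        # Request received 6 s later, in the next step: exact match fails.
        "crossed_boundary": server_verify(SAMPLE_UUID, value1, 1_700_000_041),
        # Same request with one step of tolerance (hypothetical extension).
        "crossed_with_drift": server_verify(SAMPLE_UUID, value1, 1_700_000_041,
                                            allowed_drift_steps=1),
        # Value presented together with a different OTP key: rejected.
        "wrong_key": server_verify(other_uuid, value1, 1_700_000_038),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

With the exact comparison described in the embodiment, a request whose Ts1 falls just before a 60-second boundary and whose Ts2 falls just after it is rejected even though only a few seconds have passed.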
It should be noted that the decryption method and the encryption method disclosed in the present application are also applicable to other application scenarios where a plurality of terminal devices correspond to one server or a plurality of terminal devices correspond to a plurality of servers, and the application scenarios to which the decryption method and the encryption method are applicable in the present application are not specifically limited. Additionally, time-based dynamic password techniques may be substituted for challenge/response-based dynamic password techniques in the present application.
With the decryption method and the encryption method described above, the terminal equipment acquires the terminal equipment identifier when the application program is started. Before the encrypted target key is transmitted between the terminal equipment and the server, the terminal equipment first obtains a first password value and an encrypted password key based on the terminal equipment identifier and sends them to the server. Because the second password value generated by the server from the encrypted password key is compared with the first password value, the terminal equipment is regarded as trusted, and receives the encrypted target key sent by the server, only when the comparison result is consistent. The encrypted target key is therefore transmitted only between trusted terminal equipment and the server, which improves the security of the target key. Meanwhile, the terminal equipment receives the target key in encrypted form and can obtain it only by decrypting the encrypted target key, which effectively avoids the risk of leakage of the target key.
The server receives the first password value and the encrypted password key sent by the terminal equipment, and compares the second password value, obtained from the encrypted password key, with the first password value. Only when the comparison result is consistent does the server send the encrypted target key to the trusted terminal equipment. This helps establish a trust relationship between the server and the terminal equipment, and because the encrypted target key is transmitted only between trusted terminal equipment and the server, the security of the target key is improved. Storing the target key in the server is more secure than storing it on the terminal equipment, and the target key is encrypted before being sent to the terminal equipment, which protects it in transmission and further improves its security.
It should be understood that, although the steps in the flowcharts related to the embodiments as described above are sequentially displayed as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 9. The computer device includes a processor, a memory, an Input/Output interface (I/O for short), and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing a terminal device identification, a first password value, an encrypted password key, a decrypted password key, an encrypted target key, a second password value, a pre-stored server public key file, a pre-stored terminal device private key file, a pre-stored server private key file and a pre-stored terminal device public key file. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for connecting and communicating with an external terminal through a network. The computer program is executed by a processor to implement a decryption method and an encryption method.
It will be appreciated by those skilled in the art that the configuration shown in fig. 9 is a block diagram of only a portion of the configuration associated with the present application, and is not intended to limit the computing device to which the present application may be applied, and that a particular computing device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
when an application program is started, acquiring a terminal equipment identifier, wherein the application program runs on the terminal equipment; obtaining a first password value based on the terminal equipment identification, and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key and sending the encrypted password key to a server; receiving an encrypted target key sent by a server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
acquiring a first timestamp, wherein the first timestamp is a timestamp corresponding to the moment at which the terminal equipment identifier is acquired; dividing the first timestamp by a preset time length to obtain an integer of a division operation result; and obtaining the first password value through a hash algorithm according to the integer and the terminal equipment identification.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
reading a first public key character string from a prestored server public key file; and encrypting the terminal equipment identifier based on the first public key character string to obtain an encrypted password key.
In one embodiment, the processor when executing the computer program further performs the steps of:
reading a first private key character string from a prestored private key file of the terminal equipment; and based on the first private key character string, decrypting the encrypted target key through an asymmetric encryption algorithm to obtain the target key.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
receiving a first password value and an encrypted password key sent by terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment; decrypting the encrypted password key to obtain a decrypted password key; obtaining a second password value based on the decrypted password key; comparing whether the first password value and the second password value are consistent; and if so, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is used for decrypting at the terminal equipment and obtaining the target key.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
reading a second private key character string from a prestored server private key file; and decrypting the encrypted password key based on the second private key character string to obtain a decrypted password key.
In one embodiment, the processor when executing the computer program further performs the steps of:
acquiring a second timestamp which is a timestamp corresponding to the moment when the first password value and the encrypted password key which are sent by the terminal equipment are received; dividing the second timestamp by a preset time length to obtain an integer of a division operation result; and obtaining a second password value through a hash algorithm according to the decrypted password key and the integer.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
reading a second public key character string of the terminal equipment from a prestored public key file of the terminal equipment; and encrypting the target key by an asymmetric encryption algorithm based on the second public key character string to obtain an encrypted target key.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
when an application program is started, acquiring a terminal equipment identifier, wherein the application program runs on the terminal equipment; obtaining a first password value based on the terminal equipment identification, and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key and sending the encrypted password key to a server; receiving an encrypted target key sent by a server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a first timestamp, wherein the first timestamp is a timestamp corresponding to the moment at which the terminal equipment identifier is acquired; dividing the first timestamp by a preset time length to obtain an integer of a division operation result; and obtaining a first password value through a hash algorithm according to the integer and the terminal equipment identification.
In one embodiment, the computer program when executed by the processor further performs the steps of:
reading a first public key character string from a prestored server public key file; and encrypting the terminal equipment identifier based on the first public key character string to obtain an encrypted password key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
reading a first private key character string from a prestored private key file of the terminal equipment; and based on the first private key character string, decrypting the encrypted target key through an asymmetric encryption algorithm to obtain the target key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
receiving a first password value and an encrypted password key sent by terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment; decrypting the encrypted password key to obtain a decrypted password key; obtaining a second password value based on the decrypted password key; comparing whether the first password value and the second password value are consistent; and if so, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is used for decrypting at the terminal equipment and obtaining the target key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
reading a second private key character string from a prestored server private key file; and decrypting the encrypted password key based on the second private key character string to obtain a decrypted password key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a second timestamp which is a timestamp corresponding to the moment when the first password value and the encrypted password key which are sent by the terminal equipment are received; dividing the second timestamp by a preset time length to obtain an integer of a division operation result; and obtaining a second password value through a hash algorithm according to the decrypted password key and the integer.
In one embodiment, the computer program when executed by the processor further performs the steps of:
reading a second public key character string of the terminal equipment from a prestored public key file of the terminal equipment; and encrypting the target key through an asymmetric encryption algorithm based on the second public key character string to obtain the encrypted target key.
In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of:
when an application program is started, acquiring a terminal equipment identifier, wherein the application program runs on the terminal equipment; obtaining a first password value based on the terminal equipment identification, and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key and sending the encrypted password key to a server; receiving an encrypted target key sent by a server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used to encrypt data in the application.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a first timestamp, wherein the first timestamp is a timestamp corresponding to the moment at which the terminal equipment identifier is acquired; dividing the first timestamp by a preset time length to obtain an integer of a division operation result; and obtaining the first password value through a hash algorithm according to the integer and the terminal equipment identification.
In one embodiment, the computer program when executed by the processor further performs the steps of:
reading a first public key character string from a prestored server public key file; and encrypting the terminal equipment identification based on the first public key character string to obtain an encrypted password key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
reading a first private key character string from a prestored private key file of the terminal equipment; and based on the first private key character string, decrypting the encrypted target key through an asymmetric encryption algorithm to obtain the target key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
receiving a first password value and an encrypted password key sent by terminal equipment; the first password value is obtained based on the terminal equipment identification after the terminal equipment identification is obtained when the terminal equipment starts the application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment; decrypting the encrypted password key to obtain a decrypted password key; obtaining a second password value based on the decrypted password key; comparing whether the first password value and the second password value are consistent; and if so, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is used for decrypting at the terminal equipment and obtaining the target key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
reading a second private key character string from a prestored server private key file; and decrypting the encrypted password key based on the second private key character string to obtain a decrypted password key.
In one embodiment, the computer program when executed by the processor further performs the steps of:
acquiring a second timestamp which is a timestamp corresponding to the moment when the first password value and the encrypted password key which are sent by the terminal equipment are received; dividing the second timestamp by a preset time length to obtain an integer of a division operation result; and obtaining a second password value through a hash algorithm according to the decrypted password key and the integer.
In one embodiment, the computer program when executed by the processor further performs the steps of:
reading a second public key character string of the terminal equipment from a prestored public key file of the terminal equipment; and encrypting the target key by an asymmetric encryption algorithm based on the second public key character string to obtain an encrypted target key.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws and regulations and standards of the relevant country and region.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program instructing the relevant hardware. The computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases involved in the embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the various embodiments provided herein may be, without limitation, general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, or the like.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several implementations of the present application, and their description is relatively specific and detailed, but they should not be construed as limiting the scope of the present application. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these all fall within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (13)

1. A decryption method, applied to a terminal device, the method comprising:
when an application program is started, acquiring a terminal equipment identifier, wherein the application program runs on the terminal equipment;
obtaining a first password value based on the terminal equipment identification, and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key, and sending the encrypted password key to the server;
receiving an encrypted target key sent by the server, and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used for encrypting data in the application program.
2. The method of claim 1, wherein obtaining the first password value based on the terminal device identification comprises:
acquiring a first timestamp, wherein the first timestamp is a timestamp corresponding to the moment at which the terminal equipment identifier is acquired;
dividing the first timestamp by a preset time length to obtain an integer of a division operation result;
and obtaining a first password value through a hash algorithm according to the integer and the terminal equipment identification.
3. The method of claim 1, wherein the encrypting the terminal device identifier to obtain an encrypted password key comprises:
reading a first public key character string from a prestored server public key file;
and encrypting the terminal equipment identification based on the first public key character string to obtain an encrypted password key.
4. The method of claim 1, wherein decrypting the encrypted target key to obtain a target key comprises:
reading a first private key character string from a prestored private key file of the terminal equipment;
and based on the first private key character string, decrypting the encrypted target key through an asymmetric encryption algorithm to obtain a target key.
5. An encryption method applied to a server, the method comprising:
receiving a first password value and an encrypted password key sent by terminal equipment; the first password value is obtained based on a terminal equipment identifier after the terminal equipment identifier is obtained when the terminal equipment starts an application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identifier by the terminal equipment;
decrypting the encrypted password key to obtain a decrypted password key;
obtaining a second password value based on the decrypted password key;
comparing whether the first password value and the second password value are consistent; and if so, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is decrypted at the terminal equipment to obtain the target key.
6. The method of claim 5, wherein decrypting the encrypted password key to obtain a decrypted password key comprises:
reading a second private key character string from a prestored server private key file;
and decrypting the encrypted password key based on the second private key character string to obtain a decrypted password key.
7. The method of claim 5, wherein obtaining a second password value based on the decrypted password key comprises:
acquiring a second timestamp which is a timestamp corresponding to the moment when the first password value and the encrypted password key which are sent by the terminal equipment are received;
dividing the second timestamp by a preset time length to obtain an integer from the division result;
and obtaining a second password value through a hash algorithm according to the decrypted password key and the integer.
8. The method of claim 5, wherein encrypting the target key to obtain an encrypted target key comprises:
reading a second public key character string of the terminal equipment from a prestored public key file of the terminal equipment;
and encrypting the target key by an asymmetric encryption algorithm based on the second public key character string to obtain an encrypted target key.
9. A decryption apparatus, applied to a terminal device, the apparatus comprising:
the data acquisition module is used for acquiring a terminal equipment identifier when an application program is started, wherein the application program runs on the terminal equipment;
the first password acquisition module is used for acquiring a first password value based on the terminal equipment identification and sending the first password value to a server; encrypting the terminal equipment identification to obtain an encrypted password key, and sending the encrypted password key to the server;
the first decryption module is used for receiving the encrypted target key sent by the server and decrypting the encrypted target key to obtain a target key; the encrypted target key is obtained by the server receiving a first password value and an encrypted password key sent by the terminal equipment, decrypting the encrypted password key to obtain a decrypted password key, obtaining a second password value based on the decrypted password key, comparing whether the first password value and the second password value are consistent, and if so, encrypting the target key; the target key is used for encrypting data in the application program.
10. An encryption apparatus, applied to a server, the apparatus comprising:
the data receiving module is used for receiving the first password value and the encrypted password key sent by the terminal equipment; the first password value is obtained based on a terminal equipment identifier after the terminal equipment identifier is obtained when the terminal equipment starts an application program, and the application program runs on the terminal equipment; the encrypted password key is obtained by encrypting the terminal equipment identification by the terminal equipment;
the second decryption module is used for decrypting the encrypted password key to obtain a decrypted password key;
the second password acquisition module is used for acquiring a second password value based on the decrypted password key;
the encryption module is used for comparing whether the first password value and the second password value are consistent; and if so, encrypting the target key to obtain an encrypted target key, and sending the encrypted target key to the terminal equipment, wherein the encrypted target key is decrypted at the terminal equipment to obtain the target key.
11. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the decryption method of any one of claims 1 to 4 or the encryption method of any one of claims 5 to 8.
12. A computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the decryption method of any one of claims 1 to 4 or the encryption method of any one of claims 5 to 8.
13. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the decryption method of any one of claims 1 to 4 or the encryption method of any one of claims 5 to 8 when executed by a processor.
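The time-window check of claims 2, 5 and 7, as an added example that is not code from the patent. SHA-256, the `bucket:identifier` encoding, the 60-second window, the `skew_windows` tolerance and the sample identifier are assumptions, and the asymmetric encryption of claims 3 and 6 is omitted, so the server side takes the already decrypted identifier. It shows that a request sent just before a window boundary and received just after it fails the strict comparison of claim 5.

```python
import hashlib
import hmac

WINDOW_SECONDS = 60  # assumed value for the claims' "preset time length"

# Constructed sample data (not from the patent).
DEVICE_ID = "constructed-device-id-0001"
T_TERMINAL = 1_660_694_459.0     # second 59 of window 27678240
T_SERVER_SAME = 1_660_694_459.5  # received inside the same window
T_SERVER_LATE = 1_660_694_461.0  # received 2 s later, in window 27678241


def password_value(device_id: str, timestamp: float,
                   window: int = WINDOW_SECONDS) -> str:
    """Claims 2 and 7: hash the integer (timestamp / window) with the identifier."""
    bucket = int(timestamp // window)  # assumption: the integer is the floor
    # Assumption: SHA-256 over "<bucket>:<identifier>"; the claims only say
    # "a hash algorithm" and give no encoding.
    return hashlib.sha256(f"{bucket}:{device_id}".encode("utf-8")).hexdigest()


def server_accepts(first_value: str, decrypted_id: str, received_at: float,
                   window: int = WINDOW_SECONDS, skew_windows: int = 0) -> bool:
    """Claim 5: recompute the second password value and compare with the first.

    skew_windows=0 is the strict comparison as claimed. A value of 1 also
    accepts the adjacent windows; that tolerance is an addition made here and
    lengthens the time during which a captured first value stays valid.
    """
    for offset in range(-skew_windows, skew_windows + 1):
        second_value = password_value(
            decrypted_id, received_at + offset * window, window)
        # Constant-time comparison, so timing does not reveal matching prefixes.
        if hmac.compare_digest(second_value, first_value):
            return True
    return False


if __name__ == "__main__":
    first = password_value(DEVICE_ID, T_TERMINAL)
    print("same window:", server_accepts(first, DEVICE_ID, T_SERVER_SAME))
    print("boundary, strict:", server_accepts(first, DEVICE_ID, T_SERVER_LATE))
    print("boundary, +/-1 window:",
          server_accepts(first, DEVICE_ID, T_SERVER_LATE, skew_windows=1))
```

The first password value is identical for every request made inside one window, so it depends only on the identifier and the clock, not on anything fresh per request.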
CN202210984706.0A 2022-08-17 2022-08-17 Decryption method, encryption method, device, computer equipment and storage medium Pending CN115361198A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210984706.0A CN115361198A (en) 2022-08-17 2022-08-17 Decryption method, encryption method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115361198A true CN115361198A (en) 2022-11-18

Family

ID=84003108

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination