CN115599596B - Data processing method, electronic device, system and storage medium - Google Patents


Publication number: CN115599596B
Authority: CN (China)
Prior art keywords: server, ciphertext, public key, password, key
Legal status: Active
Application number: CN202211132892.1A
Other languages: Chinese (zh)
Other versions: CN115599596A (en)
Inventors: 李赤阳, 韩庆, 刘德钱
Current Assignee: Petal Cloud Technology Co Ltd
Original Assignee: Petal Cloud Technology Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a data processing method, an electronic device, a system and a storage medium. The method comprises: receiving a first recovery request sent by a second device, wherein the first recovery request is used by the second device to request key negotiation with a server, the first recovery request comprises a second public key, and the second public key is a public key generated by the second device; and receiving a second recovery request sent by the second device, wherein the second recovery request is used by the second device to request the server to send the backup data. The method provided by the application helps improve the efficiency of recovering backed-up sensitive data.

Description

Data processing method, electronic device, system and storage medium
Technical Field
The present disclosure relates to the field of communications, and in particular, to a data processing method, an electronic device, a system, and a storage medium.
Background
Currently, a user may encrypt sensitive data with a password or the like and then back it up, for example by storing the encrypted sensitive data on a server; the password may be a lock-screen password, a personal identification number (PIN) or the like. When the user needs to restore the backed-up sensitive data, a backup restoration request can be initiated to the server; the request can carry the password, and the user can download the backed-up sensitive data after the server authenticates the password.
However, when the user recovers the backed-up sensitive data, the existing recovery mechanism requires multiple interactions with the server and multiple encryption and decryption operations, so its efficiency is low.
Disclosure of Invention
The application provides a data processing method, electronic equipment, a system and a storage medium, which are beneficial to improving the recovery efficiency of backup sensitive data.
In a first aspect, the present application provides a data processing method, applied to a first device, including:
responding to a password input by a user, and generating a first salt value and a second salt value;
generating password authentication information based on the password and the first salt;
generating a data encryption key based on the password and the second salt;
encrypting the backup data by using the data encryption key to obtain a backup data ciphertext;
encrypting the password authentication information, the second salt value and the backup data ciphertext by using a first public key to obtain a first ciphertext, wherein the first public key is a public key generated by a server;
and sending a backup request to the server, wherein the backup request is used for requesting the server to store the first ciphertext, and the backup request comprises the first ciphertext and the first salt value.
In one possible implementation manner, the method further includes:
and receiving a backup response sent by the server, wherein the backup response is used for informing the first device whether the backup is successful.
In one possible implementation manner, the backup request further includes a user identifier, where the user identifier is used to identify identity information of a user, and the user identifier is bound with the first ciphertext and the first salt.
In a second aspect, the present application provides a data processing method, applied to a second device, including:
generating a second public key and a second private key in response to a password input by a user;
sending a first recovery request to a server, wherein the first recovery request is used for requesting to negotiate a key with the server, and the first recovery request comprises the second public key;
receiving a first response sent by the server, wherein the first response comprises a first salt value and a challenge word, the first salt value is generated by the first device when data is backed up, and the challenge word is generated by the server;
and sending a second recovery request to a server, wherein the second recovery request is used for requesting the server to send backup data.
In the method, the backup data is restored through the two interactions between the second device and the server, so that the interaction times between the restoring device and the server can be reduced, and the backup data restoring efficiency can be improved.
In one possible implementation manner, the first recovery request includes a second public key ciphertext, where the second public key ciphertext is obtained by encrypting the second public key using a first public key, and the first public key is a public key generated by the server.
In the method, the security of the second public key can be improved by encrypting and transmitting the second public key.
In one possible implementation manner, the first recovery request further includes a user identifier, where the user identifier is used to identify identity information of the user.
In one possible implementation manner, the second recovery request includes a first password authentication code, where the first password authentication code is used to compare with a second password authentication code to perform password authentication, and the second password authentication code is a password authentication code generated by the server.
In one possible implementation manner, the method further includes:
generating password authentication information based on the password and the first salt;
generating a first password authentication key based on the password authentication information and the second public key;
a first password authentication code is generated based on the first password authentication key and the challenge word.
In one possible implementation manner, the second recovery request further includes a user identifier, where the user identifier is used to identify identity information of the user.
In one possible implementation manner, the method further includes:
receiving an authentication error indication sent by the server, wherein the authentication error indication is used for indicating that the password authentication code of the second device is wrong;
and generating the first password authentication code again, and sending the first password authentication code to the server.
In one possible implementation manner, the method further includes:
receiving an authentication failure notification sent by the server, wherein the authentication failure notification is used for notifying the second device that authentication fails;
stopping authentication based on the authentication failure notification.
In one possible implementation manner, the method further includes:
and receiving a second response sent by the server, wherein the second response comprises a second ciphertext, and the second ciphertext is obtained by encrypting a second salt value and a backup data ciphertext by the server by using the second public key.
In the application, the backup data ciphertext is encrypted by using the second public key before being transmitted, so that the security of the backup data can be further improved.
In one possible implementation manner, the method further includes:
decrypting the second ciphertext by using the second private key to obtain the second salt value and the backup data ciphertext;
generating a data encryption key based on the password and the second salt;
and decrypting the backup data ciphertext by using the data encryption key to obtain backup data.
In a third aspect, the present application provides a data processing method, applied to a server, including:
receiving a first recovery request sent by a second device, wherein the first recovery request is used for the second device to request to negotiate a key with the server, and the first recovery request comprises a second public key, and the second public key is a public key generated by the second device;
transmitting a first response to the second device, the first response including a first salt and a challenge word, the first salt being transmitted by the first device to the server, the challenge word being generated by the server;
and receiving a second recovery request sent by the second device, wherein the second recovery request is used for the second device to request the server to send backup data.
In the method, the data recovery is realized through two times of interaction, so that the interaction times between the server and the recovery equipment can be reduced, and the burden of the server can be reduced.
In one possible implementation manner, the first recovery request includes a second public key ciphertext, and the method further includes:
and decrypting the second public key ciphertext by using a first private key to obtain a second public key, wherein the first private key is a private key generated by the server.
In the present application, reducing the number of decryption operations performed by the server reduces the amount of computation on the server and thus further reduces its load.
In one possible implementation manner, the first recovery request further includes a user identifier, where the user identifier is used to identify identity information of the user, and the method further includes:
binding the user identification with the challenge word and the second public key.
In one possible implementation manner, after the receiving the first recovery request sent by the second device, the method further includes:
judging whether the authentication failure times exceeds a preset threshold value;
and if the authentication failure times exceeds a preset threshold, sending an authentication failure notification to the second device, wherein the authentication failure notification is used for notifying the second device that the authentication fails.
In one possible implementation manner, the second recovery request includes the user identifier and a first password authentication code, and the method further includes:
generating a second password authentication code based on the user identification;
and comparing the first password authentication code with the second password authentication code to authenticate.
In one possible implementation manner, the generating the second password authentication code based on the user identifier includes:
obtaining the corresponding second public key and the corresponding first ciphertext by querying according to the user identification;
decrypting the first ciphertext by using a first private key to obtain password authentication information, a second salt value and backup data ciphertext;
generating a second password authentication key based on the password authentication information and the second public key;
a second password authentication code is generated based on the second password authentication key and the challenge word.
In one possible implementation manner, the method further includes:
and if the comparison is inconsistent, sending an authentication error indication to the second device, wherein the authentication error indication is used for indicating that the password authentication code of the second device is wrong.
In one possible implementation manner, after the receiving the second recovery request sent by the second device, the method further includes:
judging whether the authentication failure times exceeds a preset threshold value;
and if the authentication failure times exceeds a preset threshold, sending an authentication failure notification to the second device, wherein the authentication failure notification is used for notifying the second device that the authentication fails.
In one possible implementation manner, the method further includes:
encrypting the second salt value and the backup data ciphertext by using the second public key to obtain a second ciphertext;
and sending a second response to the second device, wherein the second response comprises the second ciphertext.
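The challenge-response authentication described in the second and third aspects, as an added example (not code from the patent): the choice of PBKDF2-HMAC-SHA256 and HMAC-SHA256, the threshold value and all names are assumptions, and the public-key encryption of the first and second ciphertexts is left out, so the server holds the password authentication information directly and the second public key is treated as opaque bytes.

```python
import hashlib
import hmac
import secrets

THRESHOLD = 3            # assumed value of the "preset threshold"
PBKDF2_ROUNDS = 100_000  # assumed work factor


def password_auth_info(password: str, salt1: bytes) -> bytes:
    """Password authentication information from the password and the first salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt1, PBKDF2_ROUNDS)


def auth_code(auth_info: bytes, pk2: bytes, challenge: bytes) -> bytes:
    """Authentication key from (auth info, second public key), then a code over the challenge."""
    auth_key = hmac.new(auth_info, pk2, hashlib.sha256).digest()
    return hmac.new(auth_key, challenge, hashlib.sha256).digest()


class RecoveryServer:
    def __init__(self):
        self.backups = {}   # user id -> salt1, auth_info, failure count
        self.sessions = {}  # user id -> pk2 and challenge bound by the first request

    def store_backup(self, user_id, salt1, auth_info):
        # Stands in for storing the first ciphertext and later decrypting it
        # with the first private key (omitted in this sketch).
        self.backups[user_id] = {"salt1": salt1, "auth_info": auth_info, "failures": 0}

    def first_recovery_request(self, user_id, pk2):
        rec = self.backups.get(user_id)
        if rec is None:
            return {"status": "unknown_user"}
        if rec["failures"] > THRESHOLD:           # checked after the first request
            return {"status": "auth_failed"}      # authentication failure notification
        challenge = secrets.token_bytes(32)       # fresh challenge word per request
        self.sessions[user_id] = {"pk2": pk2, "challenge": challenge}
        return {"status": "ok", "salt1": rec["salt1"], "challenge": challenge}

    def second_recovery_request(self, user_id, code1):
        rec = self.backups.get(user_id)
        sess = self.sessions.get(user_id)
        if rec is None or sess is None:
            return {"status": "no_session"}
        if rec["failures"] > THRESHOLD:           # checked again after the second request
            self.sessions.pop(user_id, None)
            return {"status": "auth_failed"}
        code2 = auth_code(rec["auth_info"], sess["pk2"], sess["challenge"])
        if not hmac.compare_digest(code1, code2):  # constant-time comparison
            rec["failures"] += 1                   # counted per user, not per session
            return {"status": "auth_error"}        # authentication error indication
        rec["failures"] = 0   # assumption: reset on success; the text does not say
        del self.sessions[user_id]                 # challenge is consumed on success
        # The second ciphertext (second salt + backup data ciphertext encrypted
        # under pk2) would be returned here.
        return {"status": "ok"}


def device_recover(server, user_id, password, pk2):
    """Second device: two requests, returning the final status string."""
    r1 = server.first_recovery_request(user_id, pk2)
    if r1["status"] != "ok":
        return r1["status"]
    info = password_auth_info(password, r1["salt1"])
    code1 = auth_code(info, pk2, r1["challenge"])
    return server.second_recovery_request(user_id, code1)["status"]


def demo():
    """Constructed run: one good recovery, repeated wrong guesses, then lockout."""
    server = RecoveryServer()
    salt1 = secrets.token_bytes(16)
    server.store_backup("user-1", salt1, password_auth_info("1234-correct", salt1))
    pk2 = secrets.token_bytes(32)  # constructed stand-in for the second public key
    results = [device_recover(server, "user-1", "1234-correct", pk2)]
    results += [device_recover(server, "user-1", "wrong", pk2)
                for _ in range(THRESHOLD + 2)]
    results.append(device_recover(server, "user-1", "1234-correct", pk2))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the failure count is kept against the user identifier, opening a new session with a fresh second public key does not give a guesser more attempts, and once the threshold is exceeded even the correct password is refused.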
In a fourth aspect, the present application provides a data processing apparatus, for application to a first device, comprising:
the generation module is used for responding to the password input by the user and generating a first salt value and a second salt value; generating password authentication information based on the password and the first salt; generating a data encryption key based on the password and the second salt;
the encryption module is used for encrypting the backup data by using the data encryption key to obtain a backup data ciphertext; encrypting the password authentication information, the second salt value and the backup data ciphertext by using a first public key to obtain a first ciphertext, wherein the first public key is a public key generated by a server;
the sending module is used for sending a backup request to the server, wherein the backup request is used for requesting the server to store the first ciphertext, and the backup request comprises the first ciphertext and the first salt value.
In one possible implementation manner, the data processing apparatus further includes:
and the receiving module is used for receiving a backup response sent by the server, wherein the backup response is used for informing the first device whether the backup is successful or not.
In one possible implementation manner, the backup request further includes a user identifier, where the user identifier is used to identify identity information of a user, and the user identifier is bound with the first ciphertext and the first salt.
In a fifth aspect, the present application provides a data processing apparatus, for use in a second device, comprising:
the generation module is used for responding to the password input by the user and generating a second public key and a second private key;
a sending module, configured to send a first recovery request to a server, where the first recovery request is used to request to negotiate a key with the server, and the first recovery request includes the second public key;
the receiving module is used for receiving a first response sent by the server, wherein the first response comprises a first salt value and a challenge word, the first salt value is generated by the first device when data is backed up, and the challenge word is generated by the server;
the sending module is further configured to send a second recovery request to the server, where the second recovery request is used to request the server to send backup data.
In one possible implementation manner, the first recovery request includes a second public key ciphertext, where the second public key ciphertext is obtained by encrypting the second public key using a first public key, and the first public key is a public key generated by the server.
In one possible implementation manner, the first recovery request further includes a user identifier, where the user identifier is used to identify identity information of the user.
In one possible implementation manner, the second recovery request includes a first password authentication code, where the first password authentication code is used to compare with a second password authentication code to perform password authentication, and the second password authentication code is a password authentication code generated by the server.
In one possible implementation manner, the generating module is further configured to generate password authentication information based on the password and the first salt value; generating a first password authentication key based on the password authentication information and the second public key; a first password authentication code is generated based on the first password authentication key and the challenge word.
In one possible implementation manner, the second recovery request further includes a user identifier, where the user identifier is used to identify identity information of the user.
In one possible implementation manner, the receiving module is further configured to receive an authentication error indication sent by the server, where the authentication error indication is used to indicate that the password authentication code of the second device is wrong;
the sending module is further configured to generate the first password authentication code again, and send the first password authentication code to the server.
In one possible implementation manner, the receiving module is further configured to receive an authentication failure notification sent by the server, where the authentication failure notification is used to notify the second device that authentication fails; stopping authentication based on the authentication failure notification.
In one possible implementation manner, the receiving module is further configured to receive a second response sent by the server, where the second response includes a second ciphertext, and the second ciphertext is obtained by encrypting, by the server, the second salt value and the backup data ciphertext using the second public key.
In one possible implementation manner, the data processing apparatus further includes:
the decryption module is used for decrypting the second ciphertext by using the second private key to obtain the second salt value and the backup data ciphertext;
generating a data encryption key based on the password and the second salt;
and decrypting the backup data ciphertext by using the data encryption key to obtain backup data.
In a sixth aspect, the present application provides a data processing apparatus, applied to a server, including:
the device comprises a receiving module, a first recovery module and a second recovery module, wherein the receiving module is used for receiving a first recovery request sent by a second device, the first recovery request is used for the second device to request to negotiate a key with the server, the first recovery request comprises a second public key, and the second public key is a public key generated by the second device;
the sending module is used for sending a first response to the second device, wherein the first response comprises a first salt value and a challenge word, the first salt value is sent to the server by the first device, and the challenge word is generated by the server;
the receiving module is further configured to receive a second recovery request sent by the second device, where the second recovery request is used for the second device to request the server to send backup data.
In one possible implementation manner, the first recovery request includes a second public key ciphertext, and the data processing apparatus further includes:
and the decryption module is used for decrypting the second public key ciphertext by using a first private key to obtain a second public key, wherein the first private key is a private key generated by the server.
In one possible implementation manner, the first recovery request further includes a user identifier, where the user identifier is used to identify identity information of a user, and the data processing apparatus further includes:
and the binding module is used for binding the user identifier with the challenge word and the second public key.
In one possible implementation manner, the data processing apparatus further includes:
the judging module is used for judging whether the authentication failure times exceed a preset threshold value;
and if the authentication failure times exceeds a preset threshold, sending an authentication failure notification to the second device, wherein the authentication failure notification is used for notifying the second device that the authentication fails.
In one possible implementation manner, the second recovery request includes the user identifier and the first password authentication code, and the data processing apparatus further includes:
an authentication module for generating a second password authentication code based on the user identification;
and comparing the first password authentication code with the second password authentication code to authenticate.
In one possible implementation manner, the authentication module is further configured to obtain the corresponding second public key and the corresponding first ciphertext by querying according to the user identifier;
decrypting the first ciphertext by using a first private key to obtain password authentication information, a second salt value and backup data ciphertext;
generating a second password authentication key based on the password authentication information and the second public key;
a second password authentication code is generated based on the second password authentication key and the challenge word.
In one possible implementation manner, the sending module is further configured to send an authentication error indication to the second device if the comparison is inconsistent, where the authentication error indication is used to indicate that the password authentication code of the second device is wrong.
In one possible implementation manner, the data processing apparatus further includes:
the encryption module is used for encrypting the second salt value and the backup data ciphertext by using the second public key to obtain a second ciphertext;
the sending module is further configured to send a second response to the second device, where the second response includes the second ciphertext.
In a seventh aspect, the present application provides a first device, comprising: a processor and a memory for storing a computer program; the processor is configured to run the computer program to implement the data processing method according to the first aspect.
In an eighth aspect, the present application provides a second apparatus comprising: a processor and a memory for storing a computer program; the processor is configured to execute the computer program to implement the data processing method according to the second aspect.
In a ninth aspect, the present application provides a server, including: a processor and a memory for storing a computer program; the processor is configured to run the computer program to implement the data processing method according to the third aspect.
In a tenth aspect, the present application provides a computer readable storage medium having a computer program stored therein, which when run on a computer causes the computer to implement the data processing method according to the first to third aspects.
In an eleventh aspect, the present application provides a computer program which, when run on a processor of a first device, causes the first device to perform the data processing method as described in the first aspect, or when run on a processor of a second device, causes the second device to perform the data processing method as described in the second aspect, or when run on a processor of a server, causes the server to perform the data processing method as described in the third aspect.
In one possible design, the program in the eleventh aspect may be stored in whole or in part on a storage medium packaged with the processor, or in part or in whole on a memory not packaged with the processor.
In a twelfth aspect, the present application provides a data processing system comprising a first device according to the seventh aspect, a second device according to the eighth aspect, and a server according to the ninth aspect.
Drawings
FIG. 1 is a schematic structural diagram of one embodiment of an electronic device provided herein;
FIG. 2 is an application scenario architecture diagram provided in an embodiment of the present application;
FIG. 3 is a flow chart of one embodiment of a data processing method provided herein;
FIG. 4 is a flowchart illustrating another embodiment of a data processing method provided herein;
FIG. 5 is a schematic diagram illustrating the structure of an embodiment of a data processing apparatus provided herein;
FIG. 6 is a schematic diagram of another embodiment of a data processing apparatus provided herein;
FIG. 7 is a schematic diagram of a data processing apparatus according to another embodiment of the present application;
FIG. 8 is a schematic structural diagram of another embodiment of an electronic device provided in the present application.
Detailed Description
In the embodiments of the present application, unless otherwise specified, the character "/" indicates an "or" relationship between the associated objects before and after it. For example, A/B may represent A or B. "And/or" describes an association between associated objects and means that three relationships may exist. For example, A and/or B may represent: A exists alone, A and B exist together, and B exists alone.
It should be noted that the terms "first," "second," and the like in the embodiments of the present application are used only to distinguish between descriptions; they neither indicate or imply relative importance or the number of the features indicated, nor imply a sequential order.
In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. Furthermore, "at least one of the following items" or a similar expression refers to any combination of these items, including any combination of a single item or plural items. For example, at least one of A, B or C may represent: A, B, C, A and B, A and C, B and C, or A, B and C, where each of A, B and C may itself be an element or a collection comprising one or more elements.
In the embodiments of the present application, "exemplary," "in some embodiments," "in another embodiment," and the like are used to indicate an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, such terms are used to present concepts in a concrete fashion.
In the embodiments of the present application, "of", "corresponding" and "corresponding" may sometimes be used interchangeably; it should be noted that, when the distinction is not emphasized, the intended meaning is the same. "Communication" and "transmission" may likewise sometimes be used interchangeably, with the same intended meaning when the distinction is not emphasized. For example, a transmission may include sending and/or receiving, and may be a noun or a verb.
In the embodiments of the present application, "equal to" may be used together with "greater than", in which case it applies to the technical solution adopted for the "greater than" case, or together with "less than", in which case it applies to the technical solution adopted for the "less than" case. It should be noted that when "equal to" is used together with "greater than", it is not used together with "less than"; when "equal to" is used together with "less than", it is not used together with "greater than".
Currently, a user may encrypt sensitive data with a password or the like and then back it up, for example by storing the encrypted sensitive data on a server; the password may be a lock-screen password, a personal identification number (PIN) or the like. When the user needs to restore the backed-up sensitive data, a backup restoration request can be initiated to the server; the request can carry the password, and the user can download the backed-up sensitive data after the server authenticates the password.
However, when the user recovers the backed-up sensitive data, the existing recovery mechanism requires multiple interactions with the server and multiple encryption and decryption operations, so its efficiency is low.
Based on the above-mentioned problems, the embodiments of the present application provide a data processing method applied to an electronic device. The electronic device may be a fixed terminal, for example, a notebook computer or a desktop computer. The electronic device may also be a mobile terminal, which may also be referred to as a user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, or a user agent. The mobile terminal may be a station (ST) in a WLAN, a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA) device, a handheld device with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a car networking terminal, a computer, a laptop computer, a handheld communication device, a handheld computing device, a satellite radio, a wireless modem card, a television set top box (STB), customer premises equipment (CPE) and/or another device for communicating over a wireless system, or a mobile terminal in a next-generation communication system, such as a mobile terminal in a 5G network or in a future evolved public land mobile network (PLMN). The electronic device may also be a wearable device. A wearable device, also called a wearable smart device, is a general term for devices developed by applying wearable technology to the intelligent design of everyday wear, such as a smart watch or a smart bracelet.
FIG. 1 schematically illustrates the structure of an electronic device 100.
The electronic device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (universal serial bus, USB) interface 130, a charge management module 140, a power management module 141, a battery 142, an antenna 1, an antenna 2, a mobile communication module 150, a wireless communication module 160, an audio module 170, a speaker 170A, a receiver 170B, a microphone 170C, an earphone interface 170D, a sensor module 180, keys 190, a motor 191, an indicator 192, a camera 193, a display 194, and a subscriber identity module (subscriber identification module, SIM) card interface 195, etc. The sensor module 180 may include a pressure sensor 180A, a gyro sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, a bone conduction sensor 180M, and the like.
It should be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation on the electronic device 100. In other embodiments of the present application, electronic device 100 may include more or fewer components than shown, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The processor 110 may include one or more processing units, such as: the processor 110 may include an application processor (application processor, AP), a modem processor, a graphics processor (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), a controller, a video codec, a digital signal processor (digital signal processor, DSP), a baseband processor, and/or a neural network processor (neural-network processing unit, NPU), etc. Wherein the different processing units may be separate devices or may be integrated in one or more processors.
The controller can generate operation control signals according to the instruction operation codes and the time sequence signals to finish the control of instruction fetching and instruction execution.
A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache memory. The memory may hold instructions or data that the processor 110 has just used or uses repeatedly. If the processor 110 needs to reuse the instructions or data, they can be called directly from the memory. Repeated accesses are avoided and the latency of the processor 110 is reduced, thereby improving the efficiency of the system.
In some embodiments, the processor 110 may include one or more interfaces. The interfaces may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, a universal asynchronous receiver transmitter (universal asynchronous receiver/transmitter, UART) interface, a mobile industry processor interface (mobile industry processor interface, MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (subscriber identity module, SIM) interface, and/or a universal serial bus (universal serial bus, USB) interface, among others.
The I2C interface is a bi-directional synchronous serial bus comprising a serial data line (SDA) and a serial clock line (SCL). In some embodiments, the processor 110 may contain multiple sets of I2C buses. The processor 110 may be coupled to the touch sensor 180K, charger, flash, camera 193, etc., respectively, through different I2C bus interfaces. For example: the processor 110 may be coupled to the touch sensor 180K through an I2C interface, such that the processor 110 communicates with the touch sensor 180K through an I2C bus interface to implement a touch function of the electronic device 100.
The I2S interface may be used for audio communication. In some embodiments, the processor 110 may contain multiple sets of I2S buses. The processor 110 may be coupled to the audio module 170 via an I2S bus to enable communication between the processor 110 and the audio module 170. In some embodiments, the audio module 170 may transmit an audio signal to the wireless communication module 160 through the I2S interface, to implement a function of answering a call through the bluetooth headset.
PCM interfaces may also be used for audio communication to sample, quantize and encode analog signals. In some embodiments, the audio module 170 and the wireless communication module 160 may be coupled through a PCM bus interface. In some embodiments, the audio module 170 may also transmit audio signals to the wireless communication module 160 through the PCM interface to implement a function of answering a call through the bluetooth headset. Both the I2S interface and the PCM interface may be used for audio communication.
The UART interface is a universal serial data bus for asynchronous communications. The bus may be a bi-directional communication bus. It converts the data to be transmitted between serial communication and parallel communication. In some embodiments, a UART interface is typically used to connect the processor 110 with the wireless communication module 160. For example: the processor 110 communicates with a bluetooth module in the wireless communication module 160 through a UART interface to implement a bluetooth function. In some embodiments, the audio module 170 may transmit an audio signal to the wireless communication module 160 through a UART interface, to implement a function of playing music through a bluetooth headset.
The MIPI interface may be used to connect the processor 110 to peripheral devices such as a display 194, a camera 193, and the like. The MIPI interfaces include camera serial interfaces (camera serial interface, CSI), display serial interfaces (display serial interface, DSI), and the like. In some embodiments, processor 110 and camera 193 communicate through a CSI interface to implement the photographing functions of electronic device 100. The processor 110 and the display 194 communicate via a DSI interface to implement the display functionality of the electronic device 100.
The GPIO interface may be configured by software. The GPIO interface may be configured as a control signal or as a data signal. In some embodiments, a GPIO interface may be used to connect the processor 110 with the camera 193, the display 194, the wireless communication module 160, the audio module 170, the sensor module 180, and the like. The GPIO interface may also be configured as an I2C interface, an I2S interface, a UART interface, an MIPI interface, etc.
The USB interface 130 is an interface conforming to the USB standard specification, and may specifically be a Mini USB interface, a Micro USB interface, a USB Type C interface, or the like. The USB interface 130 may be used to connect a charger to charge the electronic device 100, and may also be used to transfer data between the electronic device 100 and a peripheral device. And can also be used for connecting with a headset, and playing audio through the headset. The interface may also be used to connect other terminal devices, such as AR devices, etc.
It should be understood that the interfacing relationship between the modules illustrated in the embodiments of the present invention is only illustrative, and is not meant to limit the structure of the electronic device 100. In other embodiments of the present application, the electronic device 100 may also use different interfacing manners, or a combination of multiple interfacing manners in the foregoing embodiments.
The charge management module 140 is configured to receive a charge input from a charger. The charger can be a wireless charger or a wired charger. In some wired charging embodiments, the charge management module 140 may receive a charging input of a wired charger through the USB interface 130. In some wireless charging embodiments, the charge management module 140 may receive wireless charging input through a wireless charging coil of the electronic device 100. The charging management module 140 may also supply power to the terminal device through the power management module 141 while charging the battery 142.
The power management module 141 is used for connecting the battery 142, and the charge management module 140 and the processor 110. The power management module 141 receives input from the battery 142 and/or the charge management module 140 to power the processor 110, the internal memory 121, the display 194, the camera 193, the wireless communication module 160, and the like. The power management module 141 may also be configured to monitor battery capacity, battery cycle number, battery health (leakage, impedance) and other parameters. In other embodiments, the power management module 141 may also be provided in the processor 110. In other embodiments, the power management module 141 and the charge management module 140 may be disposed in the same device.
The wireless communication function of the electronic device 100 may be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, a modem processor, a baseband processor, and the like.
The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. Each antenna in the electronic device 100 may be used to cover a single or multiple communication bands. Different antennas may also be multiplexed to improve the utilization of the antennas. For example: the antenna 1 may be multiplexed into a diversity antenna of a wireless local area network. In other embodiments, the antenna may be used in conjunction with a tuning switch.
The mobile communication module 150 may provide a solution for wireless communication including 2G/3G/4G/5G, etc., applied to the electronic device 100. The mobile communication module 150 may include at least one filter, switch, power amplifier, low noise amplifier (low noise amplifier, LNA), etc. The mobile communication module 150 may receive electromagnetic waves from the antenna 1, perform processes such as filtering, amplifying, and the like on the received electromagnetic waves, and transmit the processed electromagnetic waves to the modem processor for demodulation. The mobile communication module 150 can amplify the signal modulated by the modem processor, and convert the signal into electromagnetic waves through the antenna 1 to radiate. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be disposed in the processor 110. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be provided in the same device as at least some of the modules of the processor 110.
The modem processor may include a modulator and a demodulator. The modulator is used for modulating the low-frequency baseband signal to be transmitted into a medium-high frequency signal. The demodulator is used for demodulating the received electromagnetic wave signal into a low-frequency baseband signal. The demodulator then transmits the demodulated low frequency baseband signal to the baseband processor for processing. The low frequency baseband signal is processed by the baseband processor and then transferred to the application processor. The application processor outputs sound signals through an audio device (not limited to the speaker 170A, the receiver 170B, etc.), or displays images or video through the display screen 194. In some embodiments, the modem processor may be a stand-alone device. In other embodiments, the modem processor may be provided in the same device as the mobile communication module 150 or other functional module, independent of the processor 110.
The wireless communication module 160 may provide solutions for wireless communication including wireless local area network (wireless local area networks, WLAN) (e.g., wireless fidelity (wireless fidelity, wi-Fi) network), bluetooth (BT), global navigation satellite system (global navigation satellite system, GNSS), frequency modulation (frequency modulation, FM), near field wireless communication technology (near field communication, NFC), infrared technology (IR), etc., as applied to the electronic device 100. The wireless communication module 160 may be one or more devices that integrate at least one communication processing module. The wireless communication module 160 receives electromagnetic waves via the antenna 2, modulates the electromagnetic wave signals, filters the electromagnetic wave signals, and transmits the processed signals to the processor 110. The wireless communication module 160 may also receive a signal to be transmitted from the processor 110, frequency modulate it, amplify it, and convert it to electromagnetic waves for radiation via the antenna 2.
In some embodiments, antenna 1 and mobile communication module 150 of electronic device 100 are coupled, and antenna 2 and wireless communication module 160 are coupled, such that electronic device 100 may communicate with a network and other devices through wireless communication techniques. The wireless communication techniques may include the Global System for Mobile communications (global system for mobile communications, GSM), general packet radio service (general packet radio service, GPRS), code division multiple access (code division multiple access, CDMA), wideband code division multiple access (wideband code division multiple access, WCDMA), time division code division multiple access (time-division code division multiple access, TD-SCDMA), long term evolution (long term evolution, LTE), BT, GNSS, WLAN, NFC, FM, and/or IR techniques, among others. The GNSS may include a global satellite positioning system (global positioning system, GPS), a global navigation satellite system (global navigation satellite system, GLONASS), a beidou satellite navigation system (beidou navigation satellite system, BDS), a quasi zenith satellite system (quasi-zenith satellite system, QZSS) and/or a satellite based augmentation system (satellite based augmentation systems, SBAS).
The electronic device 100 implements display functions through a GPU, a display screen 194, an application processor, and the like. The GPU is a microprocessor for image processing, and is connected to the display 194 and the application processor. The GPU is used to perform mathematical and geometric calculations for graphics rendering. Processor 110 may include one or more GPUs that execute program instructions to generate or change display information.
The display screen 194 is used to display images, videos, and the like. The display 194 includes a display panel. The display panel may employ a liquid crystal display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED), a flexible light-emitting diode (FLED), a Mini LED, a Micro LED, a Micro-OLED, a quantum dot light-emitting diode (QLED), or the like. In some embodiments, the electronic device 100 may include 1 or N display screens 194, N being a positive integer greater than 1.
The electronic device 100 may implement photographing functions through an ISP, a camera 193, a video codec, a GPU, a display screen 194, an application processor, and the like.
The ISP is used to process data fed back by the camera 193. For example, when photographing, the shutter is opened, light is transmitted to the camera photosensitive element through the lens, the optical signal is converted into an electric signal, and the camera photosensitive element transmits the electric signal to the ISP for processing and is converted into an image visible to naked eyes. ISP can also optimize the noise, brightness and skin color of the image. The ISP can also optimize parameters such as exposure, color temperature and the like of a shooting scene. In some embodiments, the ISP may be provided in the camera 193.
The camera 193 is used to capture still images or video. The object generates an optical image through the lens and projects the optical image onto the photosensitive element. The photosensitive element may be a charge coupled device (charge coupled device, CCD) or a Complementary Metal Oxide Semiconductor (CMOS) phototransistor. The photosensitive element converts the optical signal into an electrical signal, which is then transferred to the ISP to be converted into a digital image signal. The ISP outputs the digital image signal to the DSP for processing. The DSP converts the digital image signal into an image signal in a standard RGB, YUV, or the like format. In some embodiments, electronic device 100 may include 1 or N cameras 193, N being a positive integer greater than 1.
The digital signal processor is used for processing digital signals, and can process other digital signals besides digital image signals. For example, when the electronic device 100 selects a frequency bin, the digital signal processor is used to perform a Fourier transform on the frequency bin energy, or the like.
Video codecs are used to compress or decompress digital video. The electronic device 100 may support one or more video codecs. In this way, the electronic device 100 may play or record video in a variety of encoding formats, such as: moving picture experts group (MPEG) 1, MPEG2, MPEG3, MPEG4, etc.
The NPU is a neural-network (NN) computing processor, and can rapidly process input information by referencing a biological neural network structure, for example, referencing a transmission mode between human brain neurons, and can also continuously perform self-learning. Applications such as intelligent awareness of the electronic device 100 may be implemented through the NPU, for example: image recognition, face recognition, speech recognition, text understanding, etc.
The external memory interface 120 may be used to connect an external memory card, such as a Micro SD card, to enable expansion of the memory capabilities of the electronic device 100. The external memory card communicates with the processor 110 through an external memory interface 120 to implement data storage functions. For example, files such as music, video, etc. are stored in an external memory card.
The internal memory 121 may be used to store computer executable program code including instructions. The internal memory 121 may include a storage program area and a storage data area. The storage program area may store an application program (such as a sound playing function, an image playing function, etc.) required for at least one function of the operating system, etc. The storage data area may store data created during use of the electronic device 100 (e.g., audio data, phonebook, etc.), and so on. In addition, the internal memory 121 may include a high-speed random access memory, and may further include a nonvolatile memory such as at least one magnetic disk storage device, a flash memory device, a universal flash memory (universal flash storage, UFS), and the like. The processor 110 performs various functional applications of the electronic device 100 and data processing by executing instructions stored in the internal memory 121 and/or instructions stored in a memory provided in the processor.
The electronic device 100 may implement audio functions through an audio module 170, a speaker 170A, a receiver 170B, a microphone 170C, an earphone interface 170D, an application processor, and the like. Such as music playing, recording, etc.
The audio module 170 is used to convert digital audio information into an analog audio signal output and also to convert an analog audio input into a digital audio signal. The audio module 170 may also be used to encode and decode audio signals. In some embodiments, the audio module 170 may be disposed in the processor 110, or a portion of the functional modules of the audio module 170 may be disposed in the processor 110.
The speaker 170A, also referred to as a "horn," is used to convert audio electrical signals into sound signals. The user may listen to music or to hands-free calls through the speaker 170A of the electronic device 100.
The receiver 170B, also referred to as an "earpiece", is used to convert the audio electrical signal into a sound signal. When the electronic device 100 is answering a telephone call or voice message, the voice may be heard by placing the receiver 170B in close proximity to the human ear.
The microphone 170C, also referred to as a "mic", is used to convert sound signals into electrical signals. When making a call or transmitting voice information, the user can speak with the mouth close to the microphone 170C, inputting a sound signal to the microphone 170C. The electronic device 100 may be provided with at least one microphone 170C. In other embodiments, the electronic device 100 may be provided with two microphones 170C, and may implement a noise reduction function in addition to collecting sound signals. In other embodiments, the electronic device 100 may also be provided with three, four, or more microphones 170C to enable collection of sound signals, noise reduction, identification of sound sources, directional recording functions, etc.
The earphone interface 170D is used to connect a wired earphone. The earphone interface 170D may be the USB interface 130, a 3.5mm open mobile terminal platform (open mobile terminal platform, OMTP) standard interface, or a cellular telecommunications industry association of the USA (CTIA) standard interface.
The pressure sensor 180A is used to sense a pressure signal, and may convert the pressure signal into an electrical signal. In some embodiments, the pressure sensor 180A may be disposed on the display screen 194. The pressure sensor 180A is of various types, such as a resistive pressure sensor, an inductive pressure sensor, a capacitive pressure sensor, and the like. The capacitive pressure sensor may comprise at least two parallel plates with conductive material. The capacitance between the electrodes changes when a force is applied to the pressure sensor 180A. The electronic device 100 determines the strength of the pressure from the change in capacitance. When a touch operation is applied to the display screen 194, the electronic device 100 detects the touch operation intensity according to the pressure sensor 180A. The electronic device 100 may also calculate the location of the touch based on the detection signal of the pressure sensor 180A. In some embodiments, touch operations that act on the same touch location, but at different touch operation strengths, may correspond to different operation instructions. For example: when a touch operation with a touch operation intensity smaller than the first pressure threshold acts on the short message application icon, an instruction for viewing the short message is executed. When a touch operation with a touch operation intensity greater than or equal to the first pressure threshold acts on the short message application icon, an instruction for creating a new short message is executed.
The gyro sensor 180B may be used to determine a motion gesture of the electronic device 100. In some embodiments, the angular velocity of electronic device 100 about three axes (i.e., x, y, and z axes) may be determined by gyro sensor 180B. The gyro sensor 180B may be used for photographing anti-shake. For example, when the shutter is pressed, the gyro sensor 180B detects the shake angle of the electronic device 100, calculates the distance to be compensated by the lens module according to the angle, and makes the lens counteract the shake of the electronic device 100 through the reverse motion, so as to realize anti-shake. The gyro sensor 180B may also be used for navigating, somatosensory game scenes.
The air pressure sensor 180C is used to measure air pressure. In some embodiments, electronic device 100 calculates altitude from barometric pressure values measured by barometric pressure sensor 180C, aiding in positioning and navigation.
The magnetic sensor 180D includes a Hall sensor. The electronic device 100 may detect the opening and closing of a flip cover using the magnetic sensor 180D. In some embodiments, when the electronic device 100 is a flip phone, the electronic device 100 may detect the opening and closing of the flip according to the magnetic sensor 180D. Features such as automatic unlocking upon opening the flip are then set according to the detected open or closed state of the leather case or of the flip.
The acceleration sensor 180E may detect the magnitude of acceleration of the electronic device 100 in various directions (typically three axes). The magnitude and direction of gravity may be detected when the electronic device 100 is stationary. The acceleration sensor 180E can also be used for identifying the posture of the terminal device, and is applied to applications such as landscape/portrait screen switching, pedometers and the like.
The distance sensor 180F is used for measuring a distance. The electronic device 100 may measure the distance by infrared or laser. In some embodiments, the electronic device 100 may range using the distance sensor 180F to achieve quick focus.
The proximity light sensor 180G may include, for example, a Light Emitting Diode (LED) and a light detector, such as a photodiode. The light emitting diode may be an infrared light emitting diode. The electronic device 100 emits infrared light outward through the light emitting diode. The electronic device 100 detects infrared reflected light from nearby objects using a photodiode. When sufficient reflected light is detected, it may be determined that there is an object in the vicinity of the electronic device 100. When insufficient reflected light is detected, the electronic device 100 may determine that there is no object in the vicinity of the electronic device 100. The electronic device 100 can detect that the user holds the electronic device 100 close to the ear by using the proximity light sensor 180G, so as to automatically extinguish the screen for the purpose of saving power. The proximity light sensor 180G may also be used in holster mode, pocket mode to automatically unlock and lock the screen.
The ambient light sensor 180L is used to sense ambient light level. The electronic device 100 may adaptively adjust the brightness of the display 194 based on the perceived ambient light level. The ambient light sensor 180L may also be used to automatically adjust white balance when taking a photograph. Ambient light sensor 180L may also cooperate with proximity light sensor 180G to detect whether electronic device 100 is in a pocket to prevent false touches.
The fingerprint sensor 180H is used to collect a fingerprint. The electronic device 100 may utilize the collected fingerprint features to implement fingerprint unlocking, application lock access, fingerprint-triggered photographing, fingerprint-based answering of incoming calls, etc.
The temperature sensor 180J is for detecting temperature. In some embodiments, the electronic device 100 performs a temperature processing strategy using the temperature detected by the temperature sensor 180J. For example, when the temperature reported by temperature sensor 180J exceeds a threshold, electronic device 100 performs a reduction in the performance of a processor located in the vicinity of temperature sensor 180J in order to reduce power consumption to implement thermal protection. In other embodiments, when the temperature is below another threshold, the electronic device 100 heats the battery 142 to avoid the low temperature causing the electronic device 100 to be abnormally shut down. In other embodiments, when the temperature is below a further threshold, the electronic device 100 performs boosting of the output voltage of the battery 142 to avoid abnormal shutdown caused by low temperatures.
The touch sensor 180K is also referred to as a "touch device". The touch sensor 180K may be disposed on the display screen 194, and the touch sensor 180K and the display screen 194 together form a touch screen. The touch sensor 180K is for detecting a touch operation acting thereon or thereabout. The touch sensor may communicate the detected touch operation to the application processor to determine the touch event type. Visual output related to touch operations may be provided through the display 194. In other embodiments, the touch sensor 180K may also be disposed on the surface of the electronic device 100 at a different location than the display 194.
The bone conduction sensor 180M may acquire a vibration signal. In some embodiments, the bone conduction sensor 180M may acquire a vibration signal of the bone that vibrates when the human vocal part produces sound. The bone conduction sensor 180M may also contact the pulse of the human body to receive the blood pressure pulsation signal. In some embodiments, the bone conduction sensor 180M may also be provided in a headset, forming a bone conduction headset. The audio module 170 may analyze the voice signal based on the vibration signal of the vocal part's vibrating bone obtained by the bone conduction sensor 180M, so as to implement a voice function. The application processor may analyze the heart rate information based on the blood pressure pulsation signal acquired by the bone conduction sensor 180M, so as to implement a heart rate detection function.
The keys 190 include a power-on key, a volume key, etc. The keys 190 may be mechanical keys or touch keys. The electronic device 100 may receive key inputs, generating key signal inputs related to user settings and function controls of the electronic device 100.
The motor 191 may generate a vibration cue. The motor 191 may be used for incoming call vibration alerting as well as for touch vibration feedback. For example, touch operations acting on different applications (e.g., photographing, audio playing, etc.) may correspond to different vibration feedback effects. The motor 191 may also correspond to different vibration feedback effects by touching different areas of the display screen 194. Different application scenarios (such as time reminding, receiving information, alarm clock, game, etc.) can also correspond to different vibration feedback effects. The touch vibration feedback effect may also support customization.
The indicator 192 may be an indicator light, and may be used to indicate a state of charge, a change in charge, a message, a missed call, a notification, etc.
The SIM card interface 195 is used to connect a SIM card. The SIM card may be inserted into the SIM card interface 195, or removed from the SIM card interface 195, to make contact with or be separated from the electronic device 100. The electronic device 100 may support 1 or N SIM card interfaces, N being a positive integer greater than 1. The SIM card interface 195 may support Nano SIM cards, Micro SIM cards, and the like. The same SIM card interface 195 may be used to insert multiple cards simultaneously. The types of the plurality of cards may be the same or different. The SIM card interface 195 may also be compatible with different types of SIM cards. The SIM card interface 195 may also be compatible with external memory cards. The electronic device 100 interacts with the network through the SIM card to realize functions such as calls and data communication. In some embodiments, the electronic device 100 employs an eSIM, i.e., an embedded SIM card. The eSIM card can be embedded in the electronic device 100 and cannot be separated from the electronic device 100.
The data processing method provided in the embodiment of the present application will now be described with reference to fig. 2 to 4.
Fig. 2 is an application scenario architecture diagram provided in an embodiment of the present application. As shown in fig. 2, the application scenario includes a first device, a second device, and a server. The first device and the second device may be the electronic device 100, and the first device may include sensitive data. It will be appreciated that the sensitive data may include private data and other data containing sensitive information, such as personal information of the user, account information, chat records in social software, gallery, etc., and the specific type of the sensitive data is not particularly limited in the embodiments of the present application. In a specific application scenario, the first device may be a backup device, for example, the user may encrypt the sensitive data in the first device and upload the encrypted sensitive data to the server; and the second device may be a recovery device, for example, the user may request the server to recover the sensitive data through the second device, so that the server sends the sensitive data to the second device after receiving the request of the second device, thereby achieving recovery of the sensitive data.
Fig. 3 is a schematic flow chart of an embodiment of a data processing method provided in the present application, where in the embodiment shown in fig. 3, a backup of sensitive data may be implemented, and specifically includes the following steps:
In step 301, the first device generates a first salt value and a second salt value in response to a password entered by a user.
Specifically, a user may operate on a first device to initiate a backup of sensitive data. Illustratively, the user may input a password in the first device, and in response to the password input by the user, the first device may first generate a first Salt value salt_auth and a second Salt value salt_enc, where the password may be a lock screen password or a PIN code, and the form of the password is not limited in particular in this application. The first Salt value salt_auth and the second Salt value salt_enc may be generated by a random function, and the type of the random function is not particularly limited in this application.
In step 302, the first device generates password authentication information based on the first Salt salt_auth and the password.
Specifically, after the first device generates the first Salt value salt_auth, password authentication information may be generated based on the first Salt value salt_auth and the password. The password authentication information may be a password authentication parameter auth_base, and the password authentication parameter auth_base may be generated by a pseudo-random function. Taking password-based key derivation function 2 (Password-Based Key Derivation Function 2, PBKDF2) as an example of the pseudo-random function, the calculation formula of the password authentication parameter auth_base may be as follows:
Auth_Base = PBKDF2(password, salt_auth);
It will be appreciated that the above pseudo-random function PBKDF2 is merely illustrative and does not limit the embodiments of the present application, and that in some embodiments other pseudo-random functions may be used.
In step 303, the first device generates a data encryption key based on the second Salt salt_enc and the password.
In particular, the data encryption key may be used to encrypt sensitive data to increase the security of the sensitive data. After the first device generates the second Salt value salt_enc, the Data encryption Key data_key may be generated based on the second Salt value salt_enc and the password, and the Data encryption Key data_key may also be generated by a pseudo-random function, for example, the pseudo-random function may be PBKDF2 or other pseudo-random functions, which is not limited in particular in the embodiment of the present application. Taking the pseudo-random function as PBKDF2 as an example, the calculation formula of the Data encryption Key data_key can be as follows:
Data_key = PBKDF2(password, salt_enc).
It is understood that the execution sequence of this step 303 may be different from the execution sequence of the step 302. For example, step 303 may be performed before step 302, or step 303 may be performed after step 302, or step 303 may be performed simultaneously with step 302, which is not particularly limited in the embodiment of the present application.
In step 304, the first device encrypts the sensitive data using the data encryption key to obtain a sensitive data ciphertext.
Specifically, after the first device generates the data encryption key data_key, the sensitive data may be encrypted using the data encryption key data_key, thereby obtaining the sensitive data ciphertext c_kek.
In step 305, the first device encrypts the password authentication information, the second salt value and the sensitive data ciphertext using the first public key to obtain a first ciphertext.
Specifically, the first public key is a public key of a public-private key pair generated by the server, wherein the public-private key pair is a key pair generated by an asymmetric key algorithm, and the public-private key pair can comprise a public key and a private key, and the first private key is a private key of the public-private key pair generated by the server.
After the first device obtains the password authentication information auth_base, the second Salt value salt_enc, and the sensitive data ciphertext c_kek, the first public key may be used to encrypt the password authentication information auth_base, the second Salt value salt_enc, and the sensitive data ciphertext c_kek, so as to obtain a first ciphertext c_hsmpk.
It can be understood that the first public key may be used to encrypt the password authentication information auth_base, the second Salt value salt_enc and the sensitive data ciphertext c_kek in either of two ways. In the first way, the password authentication information auth_base, the second Salt value salt_enc and the sensitive data ciphertext c_kek are each encrypted separately using the first public key, and the first ciphertext c_hsmpk includes the encrypted password authentication information auth_base, the encrypted second Salt value salt_enc and the encrypted sensitive data ciphertext c_kek. In the second way, the password authentication information auth_base, the second Salt value salt_enc and the sensitive data ciphertext c_kek are packaged and then encrypted, and the first ciphertext c_hsmpk may include an encrypted data packet, where the data packet includes the password authentication information auth_base, the second Salt value salt_enc and the sensitive data ciphertext c_kek.
At step 306, the first device sends a backup request to the server. Correspondingly, the server receives a backup request sent by the first device.
Specifically, after the first device obtains the first ciphertext c_hsmpk, a backup request may be sent to the server, where the backup request is used to request the server to backup the sensitive data, where the backup request may include the first ciphertext c_hsmpk, a user identifier, and a first Salt value salt_auth, where the user identifier is used to identify identity information of the user, so as to avoid other illegal users from stealing the sensitive data.
Because the sensitive data in the first ciphertext c_hsmpk is encrypted with the data encryption key data_key of the first device, the server cannot acquire the plaintext of the sensitive data, so that the security of the backup data can be ensured.
In step 307, the server stores the first ciphertext.
Specifically, after receiving the backup request sent by the first device, the server may obtain the first ciphertext c_hsmpk, the user identifier, and the first Salt value salt_auth in the backup request, and store the first ciphertext c_hsmpk, so that when the user request is recovered in the future, the first ciphertext c_hsmpk may be sent to the requesting user. In addition, the server can bind the user identifier with the first ciphertext C_hsmpk and the first Salt value salt_auth so as to facilitate searching when the user requests recovery.
In some alternative embodiments, the server may also record the number of authentication failures of the user, which is used to characterize the cumulative number of authentication failures of the user when requesting recovery of sensitive data. Illustratively, at the time of backup, since the user has not yet started requesting restoration, the initial value of the authentication failure number may be 0.
In step 308, the server sends a backup response to the first device. Correspondingly, the first device receives the backup response sent by the server.
In particular, the backup response may include a backup success notification or a backup failure notification. For example, after the server successfully stores the first ciphertext c_hsmpk, a backup success notification may be sent to the first device, for notifying the first device that the sensitive data has been successfully backed up in the server; and after the server fails to store the first ciphertext C_hsmpk, a backup failure notification can be sent to the first device, wherein the backup failure notification is used for notifying the first device that the sensitive data is not successfully backed up in the server.
The backup of sensitive data is illustrated above by FIG. 3, followed by the restoration of sensitive data by FIG. 4.
Fig. 4 is a schematic flow chart of another embodiment of the data processing method provided in the present application, where in the embodiment shown in fig. 4, recovery of sensitive data may be implemented, and specifically includes the following steps:
In step 401, the second device generates a second public key and a second private key in response to the password entered by the user.
Specifically, the second public key and the second private key are a pair of public-private key pairs generated by the second device based on an asymmetric key algorithm.
The user may operate on the second device to request recovery of the sensitive data. For example, the user enters a password on the second device, and the second device may generate the second public key and the second private key in response to the password entered by the user.
In step 402, the second device encrypts the second public key using the first public key to obtain a second public key ciphertext.
Specifically, after the second device generates the second public key, the second public key may be encrypted using the first public key, so that a second public key ciphertext may be obtained, and thus security of the second public key may be improved.
In step 403, the second device sends a first recovery request to the server. Correspondingly, the server receives a first recovery request sent by the second device.
In particular, the first recovery request may be considered as a recovery pre-request, and the first recovery request is used for performing key negotiation, that is, obtaining a key through the first recovery request negotiation, where the key is used for encrypting the recovered data to ensure the security of data transmission. The first recovery request may include a user identification and a second public key ciphertext.
In step 404, the server generates a challenge word.
Specifically, when the server receives the first recovery request, a challenge word Auth_Challenge may be generated. The challenge word Auth_Challenge may be generated based on a random function, and the type of the random function is not limited in the embodiments of the present application.
In some alternative embodiments, before executing step 404, the server may further determine whether the number of authentication failures is greater than or equal to a preset threshold, for example, taking the preset threshold as 10 times, and if the number of authentication failures is less than 10 times, the server may further execute step 404; if the number of authentication failures is greater than or equal to 10, the server may stop authentication and stop recovery of the sensitive data, that is, refuse to send the sensitive data to be recovered to the second device.
In some alternative embodiments, after the server stops authentication, an authentication failure notification may also be sent to the second device for notifying the second device of the authentication failure.
In step 405, the server decrypts the second public key ciphertext using the first private key to obtain the second public key.
Specifically, after the server receives the first recovery request, the second public key ciphertext in the first recovery request may be obtained. The server may then decrypt the second public key ciphertext using the first private key, thereby obtaining the plaintext of the second public key.
It is understood that the execution sequence of step 405 may be different from the execution sequence of step 404. For example, step 405 may be performed before step 404, or step 405 may be performed after step 404, or step 405 may be performed simultaneously with step 404, which is not particularly limited in the embodiment of the present application.
In step 406, the server binds the user identifier in the first recovery request and the second public key in the first recovery request with the challenge word.
Specifically, the server may generate a different challenge word each time the user requests recovery, and the challenge word may be used to generate a password authentication code that may be used for authentication. Binding the user identifier with the challenge word and the second public key thereby further improves security.
In step 407, the server queries the corresponding first salt value according to the user identifier in the first recovery request.
Specifically, after the server receives the first recovery request, the server may further perform a query according to the user identifier in the first recovery request, so that the first Salt salt_auth corresponding to the user identifier may be obtained by the query.
In step 408, the server sends a first response to the second device. Correspondingly, the second device receives the first response sent by the server.
Specifically, after the server obtains the challenge word and the first Salt value salt_auth, a first response may be sent to the second device, where the first response is used to respond to the first recovery request, and the first response may include the challenge word and the first Salt value salt_auth.
In step 409, the second device generates password authentication information based on the first salt value and the password.
Specifically, the method for generating the password authentication information by the second device based on the first salt_auth and the password may refer to the method for generating the password authentication information by the first device based on the first salt_auth and the password in the above embodiment, which is not described herein.
In step 410, the second device generates a first password authentication key based on the password authentication information and the second public key.
Specifically, after the second device obtains the password authentication information, the first password authentication key auth_key may be generated based on the password authentication information and the second public key. The second device may generate the first password authentication key auth_key based on the password authentication information and the second public key by: a first password authentication key auth_key is generated based on a key derivation function. Illustratively, taking the key derivation function as a key derivation function (HMAC-based Key Derivation Function, HKDF) based on the hash operation message authentication code as an example, the calculation formula of the first password authentication key auth_key may be as follows:
Auth_key = HKDF(second public key, Auth_Base).
In step 411, the second device generates a first password authentication code based on the first password authentication key and the challenge word.
Specifically, the first password authentication code auth_mac is used for authenticating a second recovery request of the user by the server, so that sensitive data to be recovered is sent to the second device after the second recovery request of the user is authenticated by the server.
After the second device obtains the first password authentication key auth_key, the second device may generate the first password authentication code auth_mac according to the first password authentication key auth_key and the challenge word in the first response, where the manner of generating the first password authentication code auth_mac by the second device according to the first password authentication key auth_key and the challenge word in the first response may be: the first password authentication code auth_mac is generated based on the Hash-operation message authentication code (Hash-based Message Authentication Code, HMAC), and an exemplary calculation formula of the first password authentication code auth_mac may be as follows:
Auth_Mac = HMAC(Auth_key, Auth_Challenge).
In step 412, the second device sends a second recovery request to the server. Correspondingly, the server receives the second recovery request sent by the second device.
Specifically, the second recovery request is used for requesting to transmit the sensitive data, and the second recovery request may include the user identifier and the first password authentication code auth_mac.
In step 413, the server queries the corresponding first ciphertext according to the user identifier, and decrypts the first ciphertext by using the first private key to obtain the password authentication information, the second salt value and the sensitive data ciphertext.
Specifically, after receiving the second recovery request, the server may first perform a query according to the user identifier in the second recovery request, so as to obtain the first ciphertext c_hsmpk corresponding to the user identifier. Then, the first ciphertext c_hsmpk may be decrypted using the first private key, whereby the password authentication information auth_base, the second Salt value salt_enc, and the sensitive data ciphertext c_kek may be obtained.
In some alternative embodiments, before performing step 413, the server may further determine whether the number of authentication failures is greater than or equal to a preset threshold, for example, the preset threshold is 10 times, and if the number of authentication failures is less than 10 times, the server may further perform step 413; if the number of authentication failures is greater than or equal to 10, the server may stop authentication and stop recovery of the sensitive data, that is, refuse to send the sensitive data to be recovered to the second device.
In some alternative embodiments, after the server stops authentication, an authentication failure notification may also be sent to the second device for notifying the second device of the authentication failure.
In step 414, the server generates a second password authentication key based on the second public key and the password authentication information obtained by decryption.
Specifically, the second public key may be obtained by the server by querying the user identifier in the second recovery request, and it is understood that the second public key is obtained after decrypting the second public key ciphertext by the first private key in step 405.
After the server queries to obtain the second public key, the second password authentication key auth_key' may be generated based on the second public key and the password authentication information auth_base obtained by decrypting. The method for generating the second password authentication key auth_key' by the server based on the second public key and the password authentication information auth_base obtained by decryption may specifically refer to the method for generating the first password authentication key auth_key by the second device based on the second public key and the password authentication information auth_base, which is not described herein.
In step 415, the server generates a second password authentication code based on the challenge word and the second password authentication key.
Specifically, after the server obtains the second password authentication key auth_key ', the second password authentication code auth_mac ' may be generated based on the Challenge word auth_challenge and the second password authentication key auth_key ', where a manner in which the server generates the second password authentication code auth_mac ' based on the Challenge word auth_challenge and the second password authentication key auth_key ' may refer to a manner in which the second device generates the first password authentication code auth_mac based on the Challenge word auth_challenge and the first password authentication key auth_key, which will not be described herein.
In step 416, the server authenticates based on the first password authentication code and the second password authentication code.
Specifically, the server may authenticate based on the first password authentication code and the second password authentication code by comparing the two. If the first password authentication code is identical to the second password authentication code, the server can determine that the authentication passes, so that step 417 can be further performed, and the number of authentication failures can be reset to 0. If the first password authentication code is different from the second password authentication code, the server can determine that the authentication fails, so that an authentication error indication can be sent to the second device and the number of authentication failures can be increased by 1. The authentication error indication is used for indicating that the password authentication code of the second device is wrong, so that the second device can generate the first password authentication code again and send it to the server, thereby initiating authentication again until the number of authentication failures reaches the preset threshold.
In step 417, the server encrypts the second salt value and the sensitive data ciphertext using the second public key to obtain a second ciphertext.
Specifically, after the authentication is passed, the server may encrypt the second Salt value salt_enc and the sensitive data ciphertext c_kek using the second public key, thereby obtaining a second ciphertext c_pktmp.
The server may encrypt the second Salt value salt_enc and the sensitive data ciphertext c_kek using the second public key in either of two ways. In the first way, the second Salt value salt_enc and the sensitive data ciphertext c_kek are each encrypted separately using the second public key, and the second ciphertext c_pktmp may include the encrypted second Salt value salt_enc and the encrypted sensitive data ciphertext c_kek. In the second way, the second Salt value salt_enc and the sensitive data ciphertext c_kek are packaged and then encrypted using the second public key, and the second ciphertext c_pktmp may include an encrypted data packet, where the data packet includes the second Salt value salt_enc and the sensitive data ciphertext c_kek.
In step 418, the server sends a second response to the second device. Correspondingly, the second device receives the second response sent by the server.
Specifically, the second response may include the second ciphertext c_pktmp, where the second ciphertext c_pktmp is encrypted data that is encrypted by the second public key, and the second public key is a data encryption key that is negotiated by the second device and the server in a secure manner, so that security of the second ciphertext c_pktmp may be improved.
In step 419, the second device decrypts the second ciphertext using the second private key to obtain the second salt value and the sensitive data ciphertext.
Specifically, after the second device receives the second response sent by the server, the second ciphertext c_pktmp in the second response may be obtained. The second device may then decrypt the second ciphertext c_pktmp using the second private key, thereby obtaining the second Salt value salt_enc and the sensitive data ciphertext c_kek.
In step 420, the second device calculates the data encryption key based on the password and the second salt value.
Specifically, after the second device obtains the second Salt value salt_enc, the data encryption key data_key may be obtained by calculation based on the password and the second Salt value salt_enc. For example, reference may be made to the calculation formula in the above embodiment:
Data_key = PBKDF2(password, salt_enc);
The data encryption key data_key can thus be obtained by the above calculation formula.
In step 421, the second device decrypts the sensitive data ciphertext by using the data encryption key to obtain the sensitive data.
In some alternative embodiments, the authentication process of the password authentication code, the negotiation process of the second public key, and the recording process of the authentication failure times may be performed in the hardware security module (Hardware security module, HSM), thereby further improving the security of data recovery.
It will be appreciated that the above embodiments are only exemplified by sensitive data, but do not constitute a limitation of the embodiments of the present application, and in some embodiments, the technical solutions of the embodiments of the present application are also applicable to non-sensitive data.
In the embodiment of the application, the sensitive data is obtained through two interactions between the second device and the server, so that the number of interactions between the device and the server can be reduced, and the data recovery efficiency is improved. In addition, since the calculation amount of the decryption calculation is far greater than that of the encryption calculation, in the embodiment of the application, the server carries out the decryption calculation only twice, thereby greatly reducing the calculation amount and improving the data recovery efficiency.
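The password authentication of steps 301 to 302 and 404 to 416, including the failure counter, as an added Python example that is not part of the patent text. It assumes HMAC-SHA-256 for PBKDF2, HKDF and HMAC, an iteration count of 100,000, and that the second public key is the HKDF salt with Auth_Base as keying material; the public-key encryption layers (C_hsmpk and the second public key ciphertext) are omitted, the second public key is an opaque byte string, and the names RecoveryServer, auth_mac, device_auth_mac and demo are hypothetical.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: the page gives no iteration count
MAX_AUTH_FAILURES = 10       # the example threshold named in the page


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Auth_Base or Data_key = PBKDF2(password, salt); HMAC-SHA-256 is assumed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hkdf(salt: bytes, ikm: bytes, length: int = 32) -> bytes:
    """HKDF-SHA-256 (RFC 5869) with an empty info field: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def auth_mac(auth_base: bytes, second_public_key: bytes, challenge: bytes) -> bytes:
    """Auth_key = HKDF(second public key, Auth_Base); Auth_Mac = HMAC(Auth_key, Auth_Challenge).

    Assumption: the second public key is the HKDF salt and Auth_Base the keying material.
    """
    auth_key = hkdf(salt=second_public_key, ikm=auth_base)
    return hmac.new(auth_key, challenge, hashlib.sha256).digest()


def device_auth_mac(password, salt_auth, second_public_key, challenge) -> bytes:
    """Second device, steps 409-411: rebuild Auth_Base from the password, then the MAC."""
    return auth_mac(pbkdf2(password, salt_auth), second_public_key, challenge)


class RecoveryServer:
    """Hypothetical in-memory server state for steps 307 and 404-416."""

    def __init__(self):
        self.records = {}  # user id -> salt_auth, auth_base, failures
        self.pending = {}  # user id -> (challenge word, second public key)

    def store_backup(self, user_id, salt_auth, auth_base):
        # In the page Auth_Base arrives inside C_hsmpk; that encryption layer is omitted.
        self.records[user_id] = {"salt_auth": salt_auth, "auth_base": auth_base, "failures": 0}

    def first_recovery_request(self, user_id, second_public_key):
        rec = self.records.get(user_id)
        if rec is None or rec["failures"] >= MAX_AUTH_FAILURES:
            return None  # unknown user, or authentication stopped before step 404
        challenge = secrets.token_bytes(32)                     # step 404
        self.pending[user_id] = (challenge, second_public_key)  # step 406
        return challenge, rec["salt_auth"]                      # steps 407-408

    def second_recovery_request(self, user_id, mac: bytes) -> str:
        rec = self.records.get(user_id)
        if rec is None or user_id not in self.pending:
            return "no_challenge"
        if rec["failures"] >= MAX_AUTH_FAILURES:
            return "stopped"  # check made before step 413
        challenge, second_public_key = self.pending[user_id]
        expected = auth_mac(rec["auth_base"], second_public_key, challenge)  # steps 414-415
        if hmac.compare_digest(expected, mac):  # step 416, constant-time comparison
            rec["failures"] = 0
            del self.pending[user_id]  # assumption: a challenge is dropped once it succeeds
            return "ok"
        rec["failures"] += 1
        return "auth_error"


def demo():
    """One backup, then a wrong and a right password; all values are constructed."""
    server = RecoveryServer()
    password = "493817"                          # constructed PIN
    salt_auth = secrets.token_bytes(16)          # step 301
    server.store_backup("user-1", salt_auth, pbkdf2(password, salt_auth))
    second_public_key = secrets.token_bytes(32)  # constructed stand-in for the key bytes
    challenge, salt = server.first_recovery_request("user-1", second_public_key)
    wrong = server.second_recovery_request(
        "user-1", device_auth_mac("000000", salt, second_public_key, challenge))
    right = server.second_recovery_request(
        "user-1", device_auth_mac(password, salt, second_public_key, challenge))
    return wrong, right


if __name__ == "__main__":
    print(demo())
```

Because Auth_key is derived from the second public key, an Auth_Mac computed for one second public key does not verify against a challenge that the server bound to a different one.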
Fig. 5 is a schematic structural diagram of an embodiment of a data processing apparatus according to the present application. As shown in fig. 5, the data processing apparatus 50 is applied to a first device, and the data processing apparatus 50 may include: a generating module 51, an encrypting module 52 and a transmitting module 53; wherein:
a generating module 51, configured to generate a first salt value and a second salt value in response to a password input by a user; generating password authentication information based on the password and the first salt; generating a data encryption key based on the password and the second salt;
The encryption module 52 is configured to encrypt the backup data by using the data encryption key to obtain a backup data ciphertext; encrypting the password authentication information, the second salt value and the backup data ciphertext by using a first public key to obtain a first ciphertext, wherein the first public key is a public key generated by a server;
and a sending module 53, configured to send a backup request to the server, where the backup request is used to request the server to store the first ciphertext, and the backup request includes the first ciphertext and the first salt.
In one possible implementation manner, the data processing apparatus 50 further includes:
and the receiving module is used for receiving a backup response sent by the server, wherein the backup response is used for informing the first equipment whether the backup is successful or not.
In one possible implementation manner, the backup request further includes a user identifier, where the user identifier is used to identify identity information of a user, and the user identifier is bound with the first ciphertext and the first salt.
The embodiment shown in fig. 5 provides a data processing apparatus 50 that can be used to implement the technical solution of the method embodiment shown in the present application, and the implementation principle and technical effects thereof can be further referred to in the related description of the method embodiment.
Fig. 6 is a schematic structural diagram of an embodiment of a data processing apparatus according to the present application. As shown in fig. 6, the data processing apparatus 60 is applied to a second device, and the data processing apparatus 60 may include: a generating module 61, a transmitting module 62 and a receiving module 63; wherein:
a generation module 61, configured to generate a second public key and a second private key in response to a password input by a user;
a sending module 62, configured to send a first recovery request to a server, where the first recovery request is used to request to negotiate a key with the server, and the first recovery request includes the second public key;
a receiving module 63, configured to receive a first response sent by the server, where the first response includes a first salt value and a challenge word, where the first salt value is generated by a first device when data is backed up, and the challenge word is generated by the server;
the sending module 62 is further configured to send a second recovery request to the server, where the second recovery request is used to request the server to send backup data.
In one possible implementation manner, the first recovery request includes a second public key ciphertext, where the second public key ciphertext is obtained by encrypting the second public key using a first public key, and the first public key is a public key generated by the server.
In one possible implementation manner, the first recovery request further includes a user identifier, where the user identifier is used to identify identity information of the user.
In one possible implementation manner, the second recovery request includes a first password authentication code, where the first password authentication code is used to compare with a second password authentication code to perform password authentication, and the second password authentication code is a password authentication code generated by the server.
In one possible implementation manner, the generating module 61 is further configured to generate password authentication information based on the password and the first salt value; generating a first password authentication key based on the password authentication information and the second public key; a first password authentication code is generated based on the first password authentication key and the challenge word.
In one possible implementation manner, the second recovery request further includes a user identifier, where the user identifier is used to identify identity information of the user.
In one possible implementation manner, the receiving module 63 is further configured to receive an authentication error indication sent by the server, where the authentication error indication is used to indicate that the second device password authentication code is wrong;
The sending module 62 is further configured to re-generate the first password authentication code, and send the first password authentication code to the server.
In one possible implementation manner, the receiving module 63 is further configured to receive an authentication failure notification sent by the server, where the authentication failure notification is used to notify the second device that authentication fails; stopping authentication based on the authentication failure notification.
In one possible implementation manner, the receiving module 63 is further configured to receive a second response sent by the server, where the second response includes a second ciphertext, and the second ciphertext is obtained by encrypting, by the server, the second salt value and the backup data ciphertext using the second public key.
In one possible implementation manner, the data processing apparatus 60 further includes:
the decryption module is used for decrypting the second ciphertext by using the second private key to obtain the second salt value and the backup data ciphertext;
generating a data encryption key based on the password and the second salt;
and decrypting the backup data ciphertext by using the data encryption key to obtain backup data.
The embodiment shown in fig. 6 provides a data processing device 60 that can be used to implement the technical solution of the method embodiment shown in the present application, and the implementation principle and technical effects thereof can be further referred to in the related description of the method embodiment.
Fig. 7 is a schematic structural diagram of an embodiment of a data processing apparatus according to the present application. As shown in fig. 7, the data processing apparatus 70 is applied to a server and may include a receiving module 71 and a sending module 72, wherein:
a receiving module 71, configured to receive a first recovery request sent by a second device, where the first recovery request is used by the second device to request to negotiate a key with the server, and the first recovery request includes the second public key, where the second public key is a public key generated by the second device;
a sending module 72, configured to send a first response to the second device, where the first response includes a first salt value and a challenge word, where the first salt value is sent to the server by the first device, and the challenge word is generated by the server;
the receiving module 71 is further configured to receive a second recovery request sent by the second device, where the second recovery request is used by the second device to request the server to send backup data.
In one possible implementation manner, the first recovery request includes a second public key ciphertext, and the data processing apparatus 70 further includes:
and the decryption module is used for decrypting the second public key ciphertext by using a first private key to obtain a second public key, wherein the first private key is a private key generated by the server.
In one possible implementation manner, the first recovery request further includes a user identifier, where the user identifier is used to identify identity information of the user, and the data processing apparatus 70 further includes:
and the binding module is used for binding the user identifier with the challenge word and the second public key.
In one possible implementation manner, the data processing apparatus 70 further includes:
the judging module is used for judging whether the authentication failure times exceed a preset threshold value;
and if the authentication failure times exceeds a preset threshold, sending an authentication failure notification to the second device, wherein the authentication failure notification is used for notifying the second device that the authentication fails.
In one possible implementation manner, the second recovery request includes the user identifier and the first password authentication code, and the data processing apparatus 70 further includes:
an authentication module for generating a second password authentication code based on the user identification;
and comparing the first password authentication code with the second password authentication code to authenticate.
In one possible implementation manner, the authentication module is further configured to query, according to the user identifier, the corresponding second public key and the corresponding first ciphertext;
decrypting the first ciphertext by using a first private key to obtain password authentication information, a second salt value and backup data ciphertext;
generating a second password authentication key based on the password authentication information and the second public key;
a second password authentication code is generated based on the second password authentication key and the challenge word.
In one possible implementation manner, the sending module 72 is further configured to send an authentication error indication to the second device if the comparison is inconsistent, where the authentication error indication is used to indicate that the password authentication code of the second device is wrong.
In one possible implementation manner, the data processing apparatus 70 further includes:
the encryption module is used for encrypting the second salt value and the backup data ciphertext by using the second public key to obtain a second ciphertext;
the sending module 72 is further configured to send a second response to the second device, where the second response includes the second ciphertext.
The embodiment shown in fig. 7 provides a data processing device 70 that may be used to implement the technical solution of the method embodiment shown in the present application, and the implementation principle and technical effects may be further referred to in the related description of the method embodiment.
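The recovery authentication between the second device and the server described above, as an added example that is not code from the patent. It assumes PBKDF2-HMAC-SHA256 and HMAC-SHA256 for the derivations the text leaves unspecified, leaves out the public-key encryption of the messages, and uses hypothetical names (`RecoveryServer`, `second_device_code`) and constructed sample values.

```python
import hashlib
import hmac
import secrets

# Assumptions, not fixed by the patent text: PBKDF2-HMAC-SHA256 as the password
# KDF, HMAC-SHA256 for the authentication key and code, a threshold of 2, and
# in-memory state. Public-key encryption of the messages is left out.
KDF_ITERATIONS = 100_000
FAILURE_THRESHOLD = 2


def password_auth_info(password: str, first_salt: bytes) -> bytes:
    """Password authentication information from the password and first salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), first_salt,
                               KDF_ITERATIONS)


def auth_key(auth_info: bytes, second_public_key: bytes) -> bytes:
    """Password authentication key, bound to the second device's public key."""
    return hmac.new(auth_info, second_public_key, hashlib.sha256).digest()


def auth_code(key: bytes, challenge: bytes) -> bytes:
    """Password authentication code over the server's challenge word."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def second_device_code(password, first_salt, challenge, second_public_key):
    """First password authentication code, as computed on the second device."""
    info = password_auth_info(password, first_salt)
    return auth_code(auth_key(info, second_public_key), challenge)


class RecoveryServer:
    """Server side of the recovery authentication (hypothetical class name)."""

    def __init__(self):
        self.backups = {}   # user_id -> (first_salt, auth_info) from backup
        self.sessions = {}  # user_id -> (challenge, second_public_key)
        self.failures = {}  # user_id -> count of failed authentications

    def store_backup(self, user_id, first_salt, auth_info):
        # In the patent the auth info arrives inside the first ciphertext.
        self.backups[user_id] = (first_salt, auth_info)

    def first_recovery_request(self, user_id, second_public_key):
        """Bind the user id to a fresh challenge and the second public key."""
        if self.failures.get(user_id, 0) > FAILURE_THRESHOLD:
            return None  # authentication failure notification
        first_salt, _ = self.backups[user_id]
        challenge = secrets.token_bytes(32)
        self.sessions[user_id] = (challenge, second_public_key)
        return first_salt, challenge

    def second_recovery_request(self, user_id, first_code):
        """Return 'ok', 'auth_error' (retry allowed) or 'auth_failed'."""
        if self.failures.get(user_id, 0) > FAILURE_THRESHOLD:
            self.sessions.pop(user_id, None)
            return "auth_failed"
        if user_id not in self.sessions:
            return "auth_error"  # no bound challenge: nothing to verify against
        challenge, second_public_key = self.sessions[user_id]
        _, info = self.backups[user_id]
        second_code = auth_code(auth_key(info, second_public_key), challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(first_code, second_code):
            del self.sessions[user_id]  # challenge is single use on success
            self.failures[user_id] = 0
            return "ok"
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        return "auth_error"


def demo():
    """Run the exchange on constructed sample values; return server verdicts."""
    server = RecoveryServer()
    salt1 = secrets.token_bytes(16)
    server.store_backup("user-1", salt1, password_auth_info("hunter2-demo", salt1))
    pub2 = b"constructed-second-public-key"  # stand-in for real key bytes
    salt, challenge = server.first_recovery_request("user-1", pub2)
    verdicts = [server.second_recovery_request(
        "user-1", second_device_code("hunter2-demo", salt, challenge, pub2))]
    salt, challenge = server.first_recovery_request("user-1", pub2)
    for _ in range(FAILURE_THRESHOLD + 1):
        wrong = second_device_code("wrong-guess", salt, challenge, pub2)
        verdicts.append(server.second_recovery_request("user-1", wrong))
    good = second_device_code("hunter2-demo", salt, challenge, pub2)
    verdicts.append(server.second_recovery_request("user-1", good))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Because the authentication key is derived from the second public key, a code computed for a different public key is rejected even when the password is right, and once the failure count exceeds the threshold a correct code is refused as well.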
It should be understood that the above division of the respective modules of the data processing apparatus 50 shown in fig. 5, the data processing apparatus 60 shown in fig. 6, and the data processing apparatus 70 shown in fig. 7 is merely a division of logical functions; in an actual implementation the modules may be fully or partially integrated into one physical entity or may be physically separated. These modules may all be implemented as software called by a processing element, or all be implemented in hardware; it is also possible for some of the modules to be implemented as software called by a processing element and others to be implemented in hardware. For example, the detection module may be a separately established processing element or may be integrated in a certain chip of the electronic device. The implementation of the other modules is similar. In addition, all or part of the modules may be integrated together or implemented independently. In implementation, each step of the above method or each module above may be completed by an integrated logic circuit of hardware in a processor element or by instructions in the form of software.
For example, the modules above may be one or more integrated circuits configured to implement the methods above, such as: one or more application-specific integrated circuits (Application Specific Integrated Circuit; hereinafter ASIC), or one or more microprocessors (Digital Signal Processor; hereinafter DSP), or one or more field programmable gate arrays (Field Programmable Gate Array; hereinafter FPGA), etc. For another example, the modules may be integrated together and implemented in the form of a System-On-a-Chip (SOC).
In the above embodiments, the processor may include, for example, a CPU, a DSP, a microcontroller, or a digital signal processor, and may further include a GPU, an embedded Neural Network Processor (NPU) and an image signal processor (Image Signal Processing; ISP), where the processor may further include a necessary hardware accelerator or a logic processing hardware circuit, such as an ASIC, or one or more integrated circuits for controlling the execution of the program in the technical solution of the present application, and so on. Further, the processor may have a function of operating one or more software programs, which may be stored in a storage medium.
Fig. 8 is a schematic structural diagram of an electronic device 800 according to an embodiment of the present application, where the electronic device 800 may include: at least one processor; and at least one memory communicatively coupled to the processor. The electronic device 800 may be a server. The memory stores program instructions executable by the processor, and the processor may be configured to execute actions performed by the server provided in the embodiments of the present application by using the program instructions.
As shown in fig. 8, the electronic device 800 may be embodied in the form of a general purpose computing device. Components of electronic device 800 may include, but are not limited to: one or more processors 810, a memory 820, a communication bus 840 that connects the various system components (including the memory 820 and the processor 810), and a communication interface 830.
Communication bus 840 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include industry standard architecture (Industry Standard Architecture, ISA) bus, micro channel architecture (Micro Channel Architecture, MAC) bus, enhanced ISA bus, video electronics standards association (Video Electronics Standards Association, VESA) local bus, and peripheral component interconnect (Peripheral Component Interconnection, PCI) bus.
Electronic device 800 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by electronic device 800 and includes both volatile and nonvolatile media, removable and non-removable media.
Memory 820 may include computer system readable media in the form of volatile memory, such as random access memory (Random Access Memory, RAM) and/or cache memory. Electronic device 800 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. Although not shown in fig. 8, a disk drive for reading from and writing to a removable non-volatile disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk such as, for example, optical disk read only memory (Compact Disc Read Only Memory, CD-ROM), digital versatile disk read only memory (Digital Video Disc Read Only Memory, DVD-ROM), or other optical media, may be provided. In such cases, each drive may be coupled to communication bus 840 through one or more data medium interfaces. Memory 820 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of the embodiments of the present application.
A program/utility having a set (at least one) of program modules may be stored in the memory 820, such program modules include, but are not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules generally perform the functions and/or methods in the embodiments described herein.
The electronic device 800 may also communicate with one or more external devices (e.g., keyboard, pointing device, display, etc.), one or more devices that enable a user to interact with the electronic device 800, and/or any device (e.g., network card, modem, etc.) that enables the electronic device 800 to communicate with one or more other computing devices. Such communication may occur through communication interface 830. Moreover, electronic device 800 may also communicate with one or more networks (e.g., local area network (Local Area Network, LAN), wide area network (Wide Area Network, WAN) and/or public network, such as the internet) via a network adapter (not shown in fig. 8) that may communicate with other modules of the electronic device via communication bus 840. It should be appreciated that although not shown in fig. 8, other hardware and/or software modules may be used in connection with electronic device 800, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, disk array (Redundant Arrays of Independent Drives, RAID) systems, tape drives, data backup storage systems, and the like.
Embodiments of the present application also provide a computer-readable storage medium having a computer program stored therein, which when run on a computer, causes the computer to perform the methods provided by the embodiments shown in the present application.
Embodiments of the present application also provide a computer program product comprising a computer program which, when run on a computer, causes the computer to perform the methods provided by the embodiments shown in the present application.
In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that A and B both exist, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" and similar expressions mean any combination of the listed items, including any combination of single or plural items. For example, at least one of a, b and c may represent: a; b; c; a and b; a and c; b and c; or a, b and c, where each of a, b and c may be single or multiple.
Those of ordinary skill in the art will appreciate that the various elements and algorithm steps described in the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided herein, any of the functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a removable hard disk, a read-only memory (Read-Only Memory; hereinafter ROM), a random access memory (Random Access Memory), a magnetic disk, an optical disk, and other media capable of storing program code.
The foregoing is merely specific embodiments of the present application, and any person skilled in the art may easily conceive of changes or substitutions within the technical scope of the present application, which should be covered by the protection scope of the present application. The protection scope of the present application shall be subject to the protection scope of the claims.

Claims (17)

1. A data processing method applied to a first device, the method comprising:
responding to a password input by a user, and generating a first salt value and a second salt value;
generating password authentication information based on the password and the first salt;
generating a data encryption key based on the password and the second salt;
encrypting the backup data by using the data encryption key to obtain a backup data ciphertext;
encrypting the password authentication information, the second salt value and the backup data ciphertext by using a first public key to obtain a first ciphertext, wherein the first public key is a public key generated by a server;
and sending a backup request to the server, wherein the backup request is used for requesting the server to store the first ciphertext, and the backup request comprises the first ciphertext and the first salt value.
2. The method according to claim 1, wherein the method further comprises:
and receiving a backup response sent by the server, wherein the backup response is used for informing the first device whether the backup is successful.
3. The method of claim 1 or 2, wherein the backup request further comprises a user identification, wherein the user identification is used to identify identity information of a user, and the user identification is bound to the first ciphertext and the first salt.
4. A data processing method applied to a second device, the method comprising:
generating a second public key and a second private key in response to a password input by a user;
a first recovery request is sent to a server, wherein the first recovery request is used for requesting to negotiate a key with the server, the first recovery request comprises a second public key ciphertext and a user identifier, the second public key ciphertext is obtained by encrypting the second public key through a first public key, the first public key is a public key generated by the server, and the user identifier is used for identifying identity information of a user;
receiving a first response sent by the server, wherein the first response comprises a first salt value and a challenge word, the first salt value is generated by a first device when data is backed up, and the challenge word is generated by the server;
generating password authentication information based on the password and the first salt;
generating a first password authentication key based on the password authentication information and the second public key;
generating a first password authentication code based on the first password authentication key and the challenge word;
sending a second recovery request to the server, wherein the second recovery request is used for requesting the server to send backup data;
receiving a second response sent by the server, wherein the second response comprises a second ciphertext, and the second ciphertext is obtained by encrypting a second salt value and a backup data ciphertext by the server by using the second public key;
decrypting the second ciphertext by using the second private key to obtain the second salt value and the backup data ciphertext;
generating a data encryption key based on the password and the second salt;
and decrypting the backup data ciphertext by using the data encryption key to obtain backup data.
5. The method of claim 4, wherein the second recovery request includes a first password authentication code for comparison with a second password authentication code for password authentication, wherein the second password authentication code is the server-generated password authentication code.
6. The method of claim 5, wherein the second recovery request further comprises a user identification, wherein the user identification is used to identify identity information of the user.
7. The method according to claim 5 or 6, characterized in that the method further comprises:
receiving an authentication error indication sent by the server, wherein the authentication error indication is used for indicating that the password authentication code of the second device is wrong;
and generating the first password authentication code again, and sending the first password authentication code to the server.
8. The method of claim 7, wherein the method further comprises:
receiving an authentication failure notification sent by the server, wherein the authentication failure notification is used for notifying the second device that authentication fails;
stopping authentication based on the authentication failure notification.
9. A data processing method applied to a server, the method comprising:
receiving a first recovery request sent by a second device, wherein the first recovery request is used for the second device to request to negotiate a key with the server, the first recovery request comprises a second public key ciphertext and a user identifier, the second public key ciphertext is obtained by encrypting the second public key through a first public key, the first public key is a public key generated by the server, the second public key is a public key generated by the second device, and the user identifier is used for identifying identity information of a user;
decrypting the second public key ciphertext by using a first private key to obtain a second public key, wherein the first private key is a private key generated by the server;
binding the user identifier with a challenge word and the second public key, wherein the challenge word is generated by the server;
transmitting a first response to the second device, the first response including a first salt value and the challenge word, the first salt value being transmitted by the first device to the server;
receiving a second recovery request sent by the second device, wherein the second recovery request is used for the second device to request the server to send backup data, and the second recovery request comprises the user identifier and a first password authentication code;
querying, according to the user identifier, the corresponding second public key and the corresponding first ciphertext;
decrypting the first ciphertext by using the first private key to obtain password authentication information, a second salt value and backup data ciphertext;
generating a second password authentication key based on the password authentication information and the second public key;
generating a second password authentication code based on the second password authentication key and the challenge word;
comparing the first password authentication code with the second password authentication code to authenticate;
encrypting the second salt value and the backup data ciphertext by using the second public key to obtain a second ciphertext;
and sending a second response to the second device, wherein the second response comprises the second ciphertext.
10. The method of claim 9, wherein after receiving the first recovery request sent by the second device, the method further comprises:
judging whether the authentication failure times exceeds a preset threshold value;
and if the authentication failure times exceeds a preset threshold, sending an authentication failure notification to the second device, wherein the authentication failure notification is used for notifying the second device that the authentication fails.
11. The method according to claim 9, wherein the method further comprises:
and if the comparison is inconsistent, sending an authentication error indication to the second device, wherein the authentication error indication is used for indicating that the password authentication code of the second device is wrong.
12. The method of claim 9, wherein after receiving the second recovery request sent by the second device, the method further comprises:
judging whether the authentication failure times exceeds a preset threshold value;
and if the authentication failure times exceeds a preset threshold, sending an authentication failure notification to the second device, wherein the authentication failure notification is used for notifying the second device that the authentication fails.
13. A first device, comprising: a processor and a memory for storing a computer program; the processor being adapted to run the computer program for implementing a data processing method according to any of claims 1-3.
14. A second device, comprising: a processor and a memory for storing a computer program; the processor being operative to execute the computer program for implementing a data processing method as claimed in any one of claims 4 to 8.
15. A server, comprising: a processor and a memory for storing a computer program; the processor being operative to execute the computer program for implementing a data processing method as claimed in any one of claims 9 to 12.
16. A data processing system comprising a first device according to claim 13, a second device according to claim 14 and a server according to claim 15.
17. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when run on a first device, implements the data processing method according to any of claims 1-3; or when said computer program is run on a second device, implementing a data processing method as claimed in any of claims 4-8; or when said computer program is run on a server, to implement a data processing method as claimed in any one of claims 9-12.
CN202211132892.1A 2022-09-16 2022-09-16 Data processing method, electronic device, system and storage medium Active CN115599596B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211132892.1A CN115599596B (en) 2022-09-16 2022-09-16 Data processing method, electronic device, system and storage medium

Publications (2)

Publication Number Publication Date
CN115599596A (en) 2023-01-13
CN115599596B (en) 2023-07-18

Family

ID=84843361

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant