CN115600215A - System startup method, system information processing method, device, equipment and medium thereof - Google Patents


Publication number
CN115600215A
Authority
CN
China
Prior art keywords
root key
encryption
configuration file
information
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211333411.3A
Other languages
Chinese (zh)
Inventor
马志国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Post Information Technology Beijing Co ltd
Original Assignee
China Post Information Technology Beijing Co ltd
Application filed by China Post Information Technology Beijing Co ltd
Priority to CN202211333411.3A
Publication of CN115600215A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G06F9/4451 User profiles; Roaming
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a system startup method, a system information processing method, and a corresponding device, equipment and medium. In response to a system startup instruction, an encrypted root key is read from a root key library and an encryption/decryption password is read from a configuration file; the encrypted root key is decrypted based on the encryption/decryption password to obtain a decrypted root key; the decrypted root key is set as an environment variable in the configuration file to obtain an updated configuration file; and the system is started based on the updated configuration file. The system startup method and the system information processing method apply encryption and password storage to the system information and add a decryption step to the startup and use of the system, which ensures secure startup of the system and secure storage of the information, solves the storage security problem of the root key used for encrypting and decrypting the system information, and improves the reliability of the system's information management.

Description

System startup method, system information processing method, device, equipment and medium thereof
Technical Field
The present invention relates to the field of system information security technologies, and in particular, to a system startup method, a system information processing method, an apparatus, a device, and a medium thereof.
Background
In the field of system information security, measures are needed to protect information and prevent its leakage. Cryptography is one of the main means of protecting information security and is used for encryption protection and security authentication of system information.
At present, information is protected by key-based encryption, with storage management of the encrypted information added alongside the encryption. The key-based encryption uses symmetric and asymmetric encryption. The storage methods include storing the encrypted root key at the same level as the sensitive information or in a unified configuration file, storing the encrypted root key in the startup parameters of the application, and having system operation and maintenance personnel manage the encrypted root key.
The schemes currently adopted cannot meet users' security requirements for system information. Most system information is stored in clear text in a configuration file or an environment variable of the system. However, configuration files and environment variables are easy to view, so the encrypted information of the system is easy to obtain, and once it is obtained the security of the system is difficult to maintain.
Disclosure of Invention
The invention provides a system startup method, a system information processing method, and a corresponding device, equipment and medium, which are used to solve the problems of easy leakage of system information and of system security.
According to an aspect of the present invention, there is provided a system startup method, including:
in response to a system startup instruction, reading an encrypted root key from a root key library and reading an encryption/decryption password from a configuration file;
decrypting the encrypted root key based on the encryption and decryption passwords to obtain a decrypted root key;
setting the decrypted root key as an environment variable in the configuration file to obtain an updated configuration file;
and starting the system based on the updated configuration file.
According to another aspect of the present invention, there is provided a system information processing method including:
acquiring system sensitive information, encrypting the system sensitive information based on a working key to obtain encrypted system sensitive information, and encrypting the working key based on a root key;
acquiring an encryption and decryption password, and encrypting the root key based on the encryption and decryption password to obtain an encrypted root key;
storing the encrypted root key in a root key library, and setting the encryption/decryption password and the encrypted sensitive information in a configuration file.
According to another aspect of the present invention, there is provided a system startup device, including:
the key reading module is used for reading, in response to a system startup instruction, an encrypted root key from a root key library and an encryption/decryption password from a configuration file;
the root key acquisition module is used for decrypting the encrypted root key based on the encryption and decryption passwords to obtain a decrypted root key;
the configuration file updating module is used for setting the decrypted root key as an environment variable in the configuration file to obtain an updated configuration file;
and the system starting module is used for starting the system based on the updated configuration file.
According to another aspect of the present invention, there is provided a system information processing apparatus including:
the information encryption module is used for acquiring system sensitive information, encrypting the system sensitive information based on the working key to obtain encrypted system sensitive information, and encrypting the working key based on the root key;
the root key encryption module is used for acquiring the encryption and decryption passwords and encrypting the root key based on the encryption and decryption passwords to obtain an encrypted root key;
and the information storage module is used for storing the encrypted root key in the root key library and setting the encryption/decryption password and the encrypted sensitive information in the configuration file.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the system booting method and/or the system information processing method of any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions for causing a processor to implement the system booting method and/or the system information processing method of any one of the embodiments of the present invention when executed.
According to the technical solution of the embodiments of the invention, the system information is encrypted to obtain data such as the root key and the encryption password, and the key and the password are stored separately in different files, databases or servers. When the system starts, the key and its decryption password are obtained, decryption is performed to obtain the plaintext of the root key and the plaintext of the sensitive information, and the system is started. This solves the problem of secure storage of the root key used for encrypting and decrypting the system information and the problem of secure system startup, strengthens the protection of system information, reduces the probability of system information leakage, and improves the security of the system.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a system booting method according to an embodiment of the present invention;
Fig. 2 is a flowchart of an information processing method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a system startup device according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a system information processing apparatus according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in other sequences than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a system startup method provided in an embodiment of the present invention, where the embodiment is applicable to a case where a system is started by a startup instruction, and the method may be executed by a system startup device, where the system startup device may be implemented in a form of hardware and/or software, and the system startup device may be configured in an electronic device, such as a computer, a mobile phone, a game machine, a server, and the like. As shown in fig. 1, the method includes:
S110: In response to a system startup instruction, read an encrypted root key from a root key library and read an encryption/decryption password from a configuration file.
The starting instruction refers to a command for the electronic device to execute a power-on operation, and the command may be composed of a string of binary numbers or a signal given by a switching device, where the starting instruction is not limited. The start instruction may be generated in response to a start operation, for example, in a case where a start operation such as pressing of a start key or selection of a start control is detected, or a start gesture is detected, the start instruction is generated. It will be appreciated that the type of system that is activated is not limited herein.
The key is a parameter the electronic device uses to encrypt and decrypt data. It may be a string of seemingly irregular numbers, a structured character string composed of several parts, and so on; it may be generated by a pseudo-random generator of the system or by a password-based encryption algorithm of the system. The root key is the key that encrypts the data protection key, and is generally generated automatically by the system after approval by a professional key installer. The root key library is a database that stores encrypted root keys, that is, root key ciphertexts; it may be created by a database generator or generated by executing a script file. The root key library may be obtained from hardware devices in the system, from an external server, or from a public root key management system. The configuration file stores information such as program and system configuration parameters, user information and initial settings; different programs or systems use configuration files in different formats, and the configuration files are generated automatically during development of the system.
Responding to the system startup instruction means that, once the system detects the instruction, it performs a series of operations in reaction to it; for example, after receiving the startup instruction, it obtains the root key of the system and the corresponding decryption password and completes the system startup. The encrypted root key is read from the root key library by traversing the records in the library. The encryption/decryption password is read from the configuration file, yielding the decryption password that matches the obtained encrypted root key.
In this embodiment, the encrypted root key is stored in the root key library and the encryption/decryption password is set in the configuration file. Because the two are stored in different locations, it becomes harder to obtain both at once and harder to crack the root key, which reduces the security risk to the root key and further improves the security of system data.
Optionally, reading the encrypted root key from the root key repository includes: based on a preset function, acquiring a system certificate, and sending the system certificate to a root key library for verification; and under the condition of successful verification, acquiring the encrypted root key fed back by the root key library.
The preset function is a function for executing system startup, and may be some preset function modules, or may be a segment of reusable code block, where the preset function is not limited herein. The preset function can be generated by a function model or obtained by packaging some programs. The system credential refers to an identity that can be verified by the system, and the system credential may include, but is not limited to, a username and a password of the system, a registration certificate, and the like, and the system credential may be generated by random distribution by the system, random distribution by the server, distribution by the system administrator, and the like.
The verification of the system credential is to determine whether the credential can be verified by the identity of the system. The verification mode can be verified by a system identity verification module, or by a management system. Feedback refers to the result given by the system/device to the input signal, and the feedback may be a signal, a string of characters output after the program is executed, or the like, and the feedback may be output through the control model, obtained through the execution of the program, or given through the management system.
Specifically, the system detects the startup instruction, calls the preset function, obtains the system credential and sends it to the management system; once verification succeeds, it accesses the root key library, traverses all the data and obtains the encrypted root key. The preset function can be understood as a preset main function that covers credential acquisition, information matching, and encryption and decryption. The main function can obtain credential information randomly distributed by the system, use it as the system credential, and send it to the management system to which the root key library belongs. The management system verifies the system credential and produces a verification result; if verification succeeds, the root key library is logged in to, its data is traversed, the encrypted root key is found, and the encrypted root key corresponding to the system credential is returned as the output parameter. The root key library may store encrypted root keys of different systems; accordingly, it may store each encrypted root key in association with system information (for example, an identifier), and when the system credential is verified successfully, the library may be matched against the system information (for example, system information in the system credential or in the system startup instruction) to obtain the matching encrypted root key.
Illustratively, a start key of the electronic device is pressed, the system detects a start instruction, acquires a system credential such as a user name and a password by calling a main function, and sends the system credential to a root key management system to which a root key repository belongs, the root key management system completes authentication, accesses the root key repository when the authentication is successful, and acquires an encrypted root key corresponding to the system credential.
In this embodiment, once a system start instruction is generated, the system responds to the start instruction, and obtains the encryption root key and the encryption/decryption password from different storage locations, and can obtain the encryption root key from the root key library and obtain the encryption/decryption password from the system configuration file, thereby increasing the difficulty in obtaining the root key and improving the security of the root key.
S120: Decrypt the encrypted root key based on the encryption/decryption password to obtain a decrypted root key.
Decryption processes the encrypted information with the corresponding algorithm and key, turning the ciphertext back into plaintext. It can be performed by a decryption function module or by an open source decryption component; such components include, but are not limited to, Jasypt, and the encryption component can be adapted to the encryption and decryption requirements. The decrypted root key is the plaintext of the root key obtained by decryption. It can be obtained from a module with a decryption function or by decrypting with a decryption component.
Specifically, the decrypted root key is obtained by decrypting the encrypted root key from the root key library with a decryption technique, using the encryption/decryption password in the configuration file. The decryption may be performed by the open source component or by a decryption algorithm model: the encryption/decryption password and the encrypted root key are passed as input parameters to the open source component and/or the decryption algorithm model, which outputs the plaintext of the encrypted root key.
Illustratively, an encryption/decryption password and an encrypted root key are obtained, the encrypted root key is used as an input parameter, and a decrypted root key is obtained through a Data Encryption Standard (DES) decryption algorithm.
In this embodiment, the encryption and decryption password is used to decrypt the encrypted root key, so that the decryption speed of the encrypted root key of the system is increased, the root key can be obtained quickly, and the starting speed of the system is increased.
S130: Set the decrypted root key as an environment variable in the configuration file to obtain an updated configuration file.
The environment variables are parameters of a specified system operating environment in the system, and include information used by one or more system applications, and the environment variables corresponding to different applications are different. The environment variable can be obtained by script initialization during system startup, can be set by a system registry, can be set by a system instruction, and can be obtained by automatically generating a configuration file by an open source component.
Specifically, the plaintext information of the root key is obtained through decryption processing, and is set to the corresponding environment variable in the configuration file, so that the configuration file is updated.
Illustratively, the plaintext of the root key is obtained through a decryption algorithm, and the obtained plaintext of the root key is set to an environment variable' Jasypt.
In this embodiment, the system automatically acquires the plaintext information of the root key and automatically assigns the plaintext information to the environment variable of the configuration file, so that a system operator is prevented from manually modifying the configuration file, and the accuracy of updating the configuration file is improved. The decrypted root key is set in the configuration file and is used as an environment variable, so that the system can be conveniently started through the updated configuration file.
S140: Start the system based on the updated configuration file.
Wherein, the updated configuration file is a file after adding/modifying/deleting parameters in the system configuration file. The update of the configuration file can be automatically completed by the system, or the configuration file can be manually edited by a system operator for updating, or the update can be completed through a preset function.
Specifically, the preset function assigns the obtained plaintext information of the root key to an environment variable of the open source component to complete updating of the configuration file, and the system is started through the updated configuration file.
Illustratively, the preset main function acquires the plaintext of the root key, sets it to the environment variable "Jasypt. Encrypt. Password" of the open source component Jasypt, updates the configuration file of the open source component, and then completes system startup.
Optionally, starting the system based on the updated configuration file includes: parsing the system sensitive information based on the decrypted root key in the updated configuration file, and starting the system based on the system sensitive information.
Optionally, the decryption based on the decrypted root key in the updated configuration file includes: reading the decrypted root key from the environment variable in the updated configuration file, and decrypting the encrypted working key based on the decrypted root key to obtain a decrypted working key; and processing the encrypted system sensitive information based on the decrypted working key to obtain the system sensitive information.
System sensitive information is information that could jeopardize personal and property security if leaked, illegally provided, or abused. It includes, but is not limited to, user names, passwords, and technical and experimental data. The working key is the key that encrypts data, also referred to as a data key. Working keys include, but are not limited to, PIN keys, MAC keys and track keys, and may be generated automatically by an encryption component or at the same time as the configuration file is generated.
The decrypted root key is read by the preset function; the encrypted sensitive information in the configuration file is read through the read function in the preset function and is then decrypted with a decryption technique. Methods for reading the configuration include, but are not limited to, using the methods of a Properties configuration class object and calling methods of the development framework. Techniques for decrypting the encrypted sensitive information include, but are not limited to, open source encryption and decryption components, decryption algorithms and decryption models. The system sensitive information is obtained by combining the working key, the encrypted sensitive information and the encryption/decryption technique. In some embodiments, a decryption model is called, and the working key and the encrypted sensitive information are input to it to obtain the decrypted sensitive information it outputs. In some embodiments, decryption is performed directly by a decryption algorithm: the working key and the encrypted sensitive information are its input parameters, and the decrypted sensitive information is its result.
Specifically, the root key of the system is obtained and set in the environment variable used by the decryption system, and the decryption system is started. The decryption system processes the obtained working key, then obtains the encrypted sensitive information from the configuration file and decrypts it to obtain the plaintext of the sensitive information.
Illustratively, the system sets the acquired root key in an environment variable of the open source component Jasypt and then starts a Spring Boot environment, in which Spring Boot decrypts the root key and the encrypted sensitive information according to the rules of the Jasypt component to obtain the plaintext of the sensitive information.
According to the technical solution of this embodiment, the system startup method responds to a system startup instruction by sending the obtained system credential to the root key management system to which the root key library belongs. The root key management system verifies the system credential; after verification, it logs in to the root key library, traverses it, and obtains the encrypted root key corresponding to the system credential. The preset function then applies a decryption technique to the encrypted root key and the encryption password acquired from the configuration file to obtain the plaintext of the root key. The preset function sets the root key in an environment variable of the open source component Jasypt and starts a Spring Boot environment; the open source component decrypts the working key and the encrypted sensitive information, the plaintext of the sensitive information is obtained, and system startup is complete. This startup method, together with storing the root key and the encrypted sensitive information in different locations, addresses the problem of easy information leakage, makes the key information harder to obtain, strengthens the protection of the root key and the sensitive information, and improves the security of the system.
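The startup flow S110 to S140 above, together with the key hierarchy of the system information processing method from the Disclosure (sensitive value under a working key, working key under a root key, root key under a password), as an added Java example that is not the patent's own code. Assumptions: AES-256-GCM and PBKDF2-HMAC-SHA256 are swapped in for the DES and Jasypt decryption the text mentions; the class name, the `ROOT_KEY` variable, the property names, the in-memory maps standing in for the configuration file, root key library and environment, and every key, credential and value are constructed.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Added illustration, not the patent's code. All names and values are constructed. */
public class KeyHierarchyStartupDemo {
    static final SecureRandom RNG = new SecureRandom();
    static final int NONCE = 12, SALT = 16, TAG_BITS = 128, ITERATIONS = 210_000;

    // In-memory stand-ins for the storage locations and the runtime environment.
    static final Map<String, String> CONFIG = new HashMap<>();      // configuration file
    static final Map<String, byte[]> KEYSTORE = new HashMap<>();    // root key library
    static final Map<String, String> CREDENTIALS = new HashMap<>(); // known system credentials
    static final Map<String, String> ENV = new HashMap<>();         // environment variables

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    // AES-256-GCM. Output is nonce || ciphertext || tag; `label` is bound as associated data
    // so a blob cannot be moved to another slot without failing authentication.
    static byte[] seal(byte[] key, byte[] plain, String label) throws GeneralSecurityException {
        byte[] nonce = random(NONCE);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(label.getBytes(UTF_8));
        return concat(nonce, c.doFinal(plain));
    }

    static byte[] open(byte[] key, byte[] blob, String label) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, blob, 0, NONCE));
        c.updateAAD(label.getBytes(UTF_8));
        return c.doFinal(blob, NONCE, blob.length - NONCE);
    }

    // Stretch the encryption/decryption password into a 256-bit key with PBKDF2-HMAC-SHA256.
    static byte[] kek(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Processing method: sensitive value <- working key <- root key <- password.
    static void provision(String systemId, String password, String name, String secret)
            throws GeneralSecurityException {
        byte[] rootKey = random(32), workingKey = random(32), salt = random(SALT);
        Base64.Encoder b64 = Base64.getEncoder();
        CONFIG.put(name, b64.encodeToString(seal(workingKey, secret.getBytes(UTF_8), name)));
        CONFIG.put("working.key", b64.encodeToString(seal(rootKey, workingKey, "working.key")));
        CONFIG.put("rootkey.password", password); // the page keeps the password in the config file
        KEYSTORE.put(systemId, concat(salt, seal(kek(password.toCharArray(), salt), rootKey, systemId)));
    }

    // Startup method, S110 to S140. Returns the decrypted sensitive value.
    static String startup(String systemId, String credential, String name)
            throws GeneralSecurityException {
        // S110: the root key library releases the record only after verifying the credential.
        String expected = CREDENTIALS.get(systemId);
        if (expected == null
                || !MessageDigest.isEqual(expected.getBytes(UTF_8), credential.getBytes(UTF_8))) {
            throw new SecurityException("root key library rejected the system credential");
        }
        byte[] record = KEYSTORE.get(systemId);
        char[] password = CONFIG.get("rootkey.password").toCharArray();
        // S120: decrypt the root key with the password-derived key.
        byte[] salt = Arrays.copyOfRange(record, 0, SALT);
        byte[] sealedRoot = Arrays.copyOfRange(record, SALT, record.length);
        byte[] rootKey = open(kek(password, salt), sealedRoot, systemId);
        // S130: expose the root key as an environment variable (process memory only here).
        ENV.put("ROOT_KEY", Base64.getEncoder().encodeToString(rootKey));
        // S140: root key -> working key -> sensitive value.
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] workingKey = open(b64.decode(ENV.get("ROOT_KEY")),
                                 b64.decode(CONFIG.get("working.key")), "working.key");
        return new String(open(workingKey, b64.decode(CONFIG.get(name)), name), UTF_8);
    }

    public static void main(String[] args) throws Exception {
        CREDENTIALS.put("billing-app", "constructed-credential");
        provision("billing-app", "constructed-password", "db.password", "s3cr3t-db-pass");
        System.out.println("config file holds: " + CONFIG.keySet());
        System.out.println("startup recovered: "
                + startup("billing-app", "constructed-credential", "db.password"));
        CONFIG.put("rootkey.password", "wrong-password"); // failure mode: password mismatch
        try {
            startup("billing-app", "constructed-credential", "db.password");
        } catch (AEADBadTagException e) {
            System.out.println("wrong password: root key not released (GCM tag check failed)");
        }
    }
}
```

Because the password and the encrypted working key both sit in the configuration file, the credential check in front of the root key library is the control that separates a reader of that file from the root key.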
Example two
Fig. 2 is a flowchart of a system information processing method according to a second embodiment of the present invention. This embodiment adds a method for processing information to the above embodiments. The method may be performed by a system information processing apparatus, which may be implemented in the form of hardware and/or software, and which may be configured in an electronic device such as a computer, a mobile phone, a game machine, a server, or the like. As shown in fig. 2, the method includes:
S210, acquiring system sensitive information, encrypting the system sensitive information based on the working key to obtain encrypted system sensitive information, and encrypting the working key based on the root key.
The system sensitive information refers to basic environment information of the system, such as system information, middleware version, user information and the like. If it is leaked, it gives an attacker more attack paths and methods. The system sensitive information can be obtained from system configuration files and system environment variables, and can also be obtained from a server through system instructions. To protect this system sensitive information, it needs to be encrypted.
Specifically, the sensitive information of the system is processed through an encryption technology to obtain a corresponding work key, and, in order to avoid leakage of the security information, the work key is encrypted in turn to obtain a root key corresponding to the work key.
Illustratively, system sensitive information, such as a user name and a password, is acquired. In order to protect the system sensitive information, it is encrypted with the symmetric encryption algorithm AES and stored in a configuration file of the system after being encrypted. In order to strengthen the security of the sensitive information of the system, the working key is further encrypted through an encryption technology based on the root key.
In this embodiment, the system sensitive information is encrypted and the obtained key is encrypted again. This layered encryption reduces the risk of leakage of the system sensitive information and improves its security.
S220, acquiring the encryption and decryption passwords, and encrypting the root key based on the encryption and decryption passwords to obtain an encrypted root key.
The encryption and decryption password is a password set for protecting data such as software and files on the electronic device. The encryption and decryption passwords comprise an encryption password and a decryption password, and the encryption password and the decryption password can be the same password or different passwords according to different encryption modes. The encryption and decryption password can be obtained by calling a password model, and the encrypted information and the encryption and decryption password are obtained by inputting the information to be encrypted to the encryption model, or the encryption and decryption password can be obtained by executing the encryption instruction on the information to be encrypted by adopting the encryption and decryption instruction.
The encryption root key is obtained based on the encryption and decryption passwords, and the encryption root key is obtained by encrypting the root key through the encryption and decryption passwords. It is to be understood that the encryption process may use an encryption model, and input an encryption password and a root key to the encryption model to obtain an encrypted root key, or may use an encryption component, and use the encryption password and the root key as input parameters of the encryption component, and obtain the encrypted root key through the encryption process of the encryption component, or read a configuration file in the system or the server to obtain the encrypted root key.
Specifically, the encryption and decryption passwords are generally stored in a configuration file of the electronic device, the encryption and decryption passwords are obtained by reading the configuration file, the root key is encrypted, and the encrypted root key is obtained. It is to be understood that the encryption process may utilize an open source component for key encryption, may use an encryption algorithm to complete encryption of the root key, and so on.
Illustratively, the system adopts the open source encryption component to encrypt sensitive information to obtain a work key and encrypted sensitive information, and then encrypts the work key through the open source encryption component.
In this embodiment, the encryption and decryption passwords generated by the encryption component and the password generation model are obtained, and the root key is encrypted with them to obtain the encrypted root key. The root key is dynamically generated and is not stored, which enhances the confidentiality of the root key and improves the safety of the system.
S230, storing the encrypted root key into a root key library, and setting the encryption and decryption password and the encrypted sensitive information in a configuration file.
Wherein the setting of the configuration file is a parameter setting of an environment variable in the configuration file. The parameters in the configuration file can be added, modified or deleted by a system operator, or the configuration file can be set by a preset function, or a server can be called to set the parameters of the configuration file.
Specifically, the system obtains information such as the encrypted root key, the root key, the encryption/decryption password, and the encrypted sensitive information, and, for the security of the root key, stores the information in different locations. The storage locations may include, but are not limited to, a system configuration file, a configuration file of an encryption/decryption component, a server, a management system, and the like. For example, the encrypted root key is stored in a root key library in the root key management system, and the encrypted sensitive information and the decryption password of the encrypted root key are stored in the configuration file of the system.
Illustratively, the system obtains the sensitive information, encrypts it with an open source encryption component, and stores the encrypted sensitive information and the encryption and decryption password in a configuration file of the system. The working key is encrypted to obtain a root key. To protect the root key, the root key is itself encrypted, the encrypted root key is stored in a root key library in a root key management system, and the encryption and decryption password is stored in the configuration file.
Further, the method comprises: acquiring system verification information, and sending the system verification information to the root key library so that the root key library adds the system verification information to a white list to perform identity verification when the system requests the root key.
The system verification information is identification information. The system verification information can be short message verification information, IP address verification information, user name and password verification information, two-dimensional code verification information and the like. The system verification information can be obtained by system random distribution, can also be obtained by professional management workers in a distributed manner, and can also be obtained by the user applying to the system. White list refers to a list that can be trusted. The information in the white list includes, but is not limited to, a username and password, a user IP, mail, application software, etc. In one embodiment, the IP address white list is a list that records the IP addresses of users that are allowed to access the system or server. Generally, an application identifier corresponding to a system is recorded in a white list of IP addresses, and the corresponding IP address can be searched according to the application identifier, where the existing IP address is an IP address allowing access to the system.
Specifically, the preset function acquires system verification information and sends it to a root key library in a root key management system, and part of the verification information is stored in a white list, wherein the white list information may include but is not limited to information such as an IP address, a user name, a password, and a mail. When the system requests the encrypted root key and the root key information, the system verification information is checked against the white list to determine whether the verification information submitted with the request can be trusted.
Illustratively, after system verification information is acquired, the system verification information is sent to a system white list and a root key management system of a root key library, one or more pieces of information in the verification information are stored in the white list, and all information or all information except an IP address of the verification information is stored in the root key library. If a request for access to the root keystore is detected, the authentication information provided by the user requesting access is authenticated using the stored authentication information.
In this embodiment, the root key, the encryption and decryption password, and the encrypted sensitive information are stored separately in the root key library and the configuration file, so that it is harder to obtain all of the information at the same time, the difficulty of obtaining the sensitive information is increased, and the protection effect of the system on the sensitive information is improved.
According to the technical scheme of this embodiment, the sensitive information is acquired and encrypted, the working key and the root key are encrypted in turn, and the encrypted information and the encrypted keys are stored in different positions. This increases the difficulty for an external system to acquire the encrypted information and its keys, reduces the risk of sensitive information leakage, improves the storage safety of system information, and improves the safety of the system.
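The storage split of S210 to S230 and the startup decryption chain of the first embodiment, as an added Java example that is not code from the patent or its applicant. AES-GCM, PBKDF2, the in-memory RootKeyLibrary class, the configuration key names, keeping the encrypted working key in the configuration file, and all sample values are assumptions; Jasypt itself is not used.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class KeyHierarchyDemo {
    static final SecureRandom RNG = new SecureRandom();

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    static byte[] unb64(String s) { return Base64.getDecoder().decode(s); }

    // AES-256-GCM (assumed algorithm). Output layout: 12-byte IV || ciphertext || 16-byte tag.
    static byte[] seal(byte[] key, byte[] plain) throws Exception {
        byte[] iv = random(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Throws AEADBadTagException if the key is wrong or the blob was modified.
    static byte[] open(byte[] key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    // Turns the encryption/decryption password into a 256-bit key (PBKDF2, assumed).
    static byte[] passwordKey(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 210_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Hypothetical stand-in for the root key library: the enrolled credentials act as the
    // white list, and an encrypted root key is released only to one of them.
    static class RootKeyLibrary {
        private final Map<String, byte[]> byCredential = new HashMap<>();
        void enroll(String credential, byte[] encryptedRootKey) { byCredential.put(credential, encryptedRootKey); }
        byte[] fetch(String credential) {
            byte[] blob = byCredential.get(credential);
            if (blob == null) throw new SecurityException("credential not on white list");
            return blob;
        }
    }

    // S210-S230: build the hierarchy and split it between the configuration file and the library.
    static Map<String, String> provision(RootKeyLibrary lib, String credential,
                                         String password, String secret) throws Exception {
        byte[] rootKey = random(32), workKey = random(32), salt = random(16);
        Map<String, String> config = new HashMap<>();
        config.put("secret.enc", b64(seal(workKey, secret.getBytes(StandardCharsets.UTF_8)))); // S210
        config.put("workkey.enc", b64(seal(rootKey, workKey)));                                // S210
        config.put("rootkey.password", password);                                              // S230
        config.put("rootkey.salt", b64(salt));
        lib.enroll(credential, seal(passwordKey(password, salt), rootKey));                    // S220, S230
        return config;
    }

    // Startup: fetch the encrypted root key, decrypt it with the password from the
    // configuration file, then decrypt the working key, then the sensitive information.
    static String startup(RootKeyLibrary lib, String credential, Map<String, String> config) throws Exception {
        byte[] encryptedRootKey = lib.fetch(credential);
        byte[] kek = passwordKey(config.get("rootkey.password"), unb64(config.get("rootkey.salt")));
        byte[] rootKey = open(kek, encryptedRootKey);
        // The page hands rootKey to Jasypt through an environment variable; here it stays in memory.
        byte[] workKey = open(rootKey, unb64(config.get("workkey.enc")));
        return new String(open(workKey, unb64(config.get("secret.enc"))), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        RootKeyLibrary lib = new RootKeyLibrary();
        // Constructed sample values.
        Map<String, String> config =
            provision(lib, "app-01-credential", "sample-config-password", "db_password=example");
        System.out.println("normal startup     : " + startup(lib, "app-01-credential", config));

        // A credential that was never enrolled gets nothing from the root key library.
        try { startup(lib, "unknown-credential", config); }
        catch (SecurityException e) { System.out.println("unknown credential : refused (" + e.getMessage() + ")"); }

        // Encrypted root key obtained, but the configuration file holds a different password.
        Map<String, String> wrong = new HashMap<>(config);
        wrong.put("rootkey.password", "not-the-password");
        try { startup(lib, "app-01-credential", wrong); }
        catch (javax.crypto.AEADBadTagException e) { System.out.println("wrong password     : root key does not decrypt"); }
    }
}
```

Once the decrypted root key is placed in an environment variable as the page describes, anything able to read the process environment can read it, so access to that environment on the host should be restricted.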
Example three
Fig. 3 is a schematic structural diagram of a system startup device according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes:
a key reading module 310, configured to, in response to a system start instruction, read an encrypted root key from a root keystore, and read an encryption/decryption password from a configuration file;
a root key obtaining module 320, configured to decrypt the encrypted root key based on the encryption/decryption password to obtain a decrypted root key;
a configuration file updating module 330, configured to set the decrypted root key as an environment variable in a configuration file, to obtain an updated configuration file;
a system starting module 340, configured to start the system based on the updated configuration file.
Optionally, the key reading module 310 is specifically configured to:
based on a preset function, acquiring a system certificate, and sending the system certificate to a root key library for verification;
and under the condition of successful verification, acquiring an encrypted root key fed back by the root key library.
Optionally, the system starting module 340 includes:
the sensitive information decryption unit is used for analyzing and obtaining system sensitive information based on the decrypted root key in the updated configuration file;
and the system starting unit is used for starting the system based on the system sensitive information.
Optionally, the sensitive information decryption unit is specifically configured to:
reading the decrypted root key from the environment variable in the updated configuration file, and decrypting the encrypted working key based on the decrypted root key to obtain a decrypted working key;
and processing the encrypted system sensitive information based on the decrypted working key to obtain the system sensitive information.
According to the technical scheme of the embodiment, through mutual cooperation of the modules, operations such as starting a system and acquiring system information in the electronic equipment are realized, and the system information comprises information such as system credential information, an encryption root key, an encryption and decryption password, a root key and decrypted sensitive information. The embodiment of the invention completes the safe starting of the system by verifying the system certificate information, decrypting the encryption root key and updating the configuration file, thereby improving the safety of the starting of the system.
The system starting device provided by the embodiment of the invention can execute the system starting method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example four
Fig. 4 is a schematic structural diagram of a system information processing apparatus according to a fourth embodiment of the present invention.
As shown in fig. 4, the apparatus includes:
the information encryption module 410 is configured to obtain system sensitive information, encrypt the system sensitive information based on the work key to obtain encrypted system sensitive information, and encrypt the work key based on the root key;
a root key encryption module 420, configured to obtain an encryption/decryption password, and encrypt the root key based on the encryption/decryption password to obtain an encrypted root key;
an information storage module 430, configured to store the encrypted root key into the root key library and set the encryption and decryption password and the encrypted sensitive information in a configuration file.
Further, the apparatus further comprises an information verification module, specifically configured to:
acquire system verification information, and send the system verification information to the root key library so that the root key library adds the system verification information to a white list to perform identity verification when the system requests the root key.
According to the technical scheme of this embodiment, through mutual cooperation of the modules, operations such as information encryption, root key encryption and information storage in the electronic equipment are realized. The embodiment of the invention avoids storing the encrypted sensitive information in the same configuration file or in a configuration file at the same level, makes it harder for external electronic equipment to obtain the encrypted sensitive information and the secret key, reduces the leakage risk of the sensitive information and improves the safety of system information.
The system information processing device provided by the embodiment of the invention can execute the system information processing method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 5 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention. The electronic device 10 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to the bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the various methods and processes described above, such as a system startup method and/or a system information processing method.
In some embodiments, the system startup method and/or the system information processing method may be implemented as a computer program that is tangibly embodied on a computer-readable storage medium, such as the storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the system startup method and/or the system information processing method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the system startup method and/or the system information processing method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
The computer program for implementing the system startup method and/or the system information processing method of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
Example six
An embodiment of the present invention further provides a computer-readable storage medium, where a computer instruction is stored, and the computer instruction is used to enable a processor to execute a system startup method, where the method includes:
reading an encryption root key from a root key library and reading an encryption and decryption password from a configuration file in response to a system starting instruction; decrypting the encrypted root key based on the encryption and decryption passwords to obtain a decrypted root key; setting the decrypted root key as an environment variable in the configuration file to obtain an updated configuration file; and starting the system based on the updated configuration file.
And/or, the computer instructions are for causing a processor to perform a system information processing method comprising:
acquiring system sensitive information, encrypting the system sensitive information based on a working key to obtain encrypted system sensitive information, and encrypting the working key based on a root key; acquiring an encryption and decryption password, and encrypting the root key based on the encryption and decryption password to obtain an encrypted root key; storing the encrypted root key into a root key repository, and setting the encryption and decryption passwords and the encryption sensitive information in a configuration file.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A system startup method, comprising:
reading an encryption root key from a root key library and reading an encryption and decryption password from a configuration file in response to a system starting instruction;
decrypting the encrypted root key based on the encryption and decryption passwords to obtain a decrypted root key;
setting the decrypted root key as an environment variable in the configuration file to obtain an updated configuration file;
and starting the system based on the updated configuration file.
2. The method of claim 1, wherein reading the encrypted root key from the root keystore comprises:
acquiring a system certificate based on a preset function, and sending the system certificate to the root key library for verification;
and under the condition of successful verification, acquiring the encrypted root key fed back by the root key library.
3. The method of claim 1, wherein the performing system boot based on the updated configuration file comprises:
and analyzing to obtain system sensitive information based on the decrypted root key in the updated configuration file, and starting the system based on the system sensitive information.
4. The method of claim 3, wherein parsing to obtain system sensitive information based on the decrypted root key in the updated configuration file comprises:
reading the decrypted root key from the environment variable in the updated configuration file, and decrypting the encrypted working key based on the decrypted root key to obtain a decrypted working key;
and processing the encrypted system sensitive information based on the decrypted working key to obtain the system sensitive information.
5. A system information processing method, comprising:
acquiring system sensitive information, encrypting the system sensitive information based on a working key to obtain encrypted system sensitive information, and encrypting the working key based on a root key;
acquiring an encryption and decryption password, and encrypting the root key based on the encryption and decryption password to obtain an encrypted root key;
and storing the encryption root key into a root key library, and setting the encryption and decryption passwords and the encryption sensitive information in a configuration file.
6. The method of claim 5, further comprising:
and acquiring system verification information, and sending the system verification information to the root key library so that the root key library adds the system verification information to a white list to perform identity verification under the condition that a system requests a root key.
7. A system startup device, comprising:
the key reading module is used for responding to a system starting instruction, reading an encryption root key from a root key library and reading an encryption and decryption password from a configuration file;
the root key acquisition module is used for decrypting the encrypted root key based on the encryption and decryption passwords to obtain a decrypted root key;
a configuration file updating module, configured to set the decrypted root key as an environment variable in the configuration file, so as to obtain an updated configuration file;
and the system starting module is used for starting the system based on the updated configuration file.
8. A system information processing apparatus characterized by comprising:
the information encryption module is used for acquiring system sensitive information, encrypting the system sensitive information based on a working key to obtain encrypted system sensitive information, and encrypting the working key based on a root key;
the root key encryption module is used for acquiring an encryption and decryption password and encrypting the root key based on the encryption and decryption password to obtain an encrypted root key;
and the information storage module is used for storing the encrypted root key into a root key library and setting the encryption and decryption password and the encrypted sensitive information in a configuration file.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the system startup method of any one of claims 1-4, and/or the system information processing method of any one of claims 5-6.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions for causing a processor to implement the system startup method of any one of claims 1 to 4, and/or the system information processing method of any one of claims 5 to 6 when executed.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211333411.3A CN115600215A (en) 2022-10-28 2022-10-28 System startup method, system information processing method, device, equipment and medium thereof

Publications (1)

Publication Number Publication Date
CN115600215A true CN115600215A (en) 2023-01-13

Family

ID=84850672

Country Status (1)

Country Link
CN (1) CN115600215A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117278803A (en) * 2023-11-21 2023-12-22 深圳软牛科技有限公司 DRM video decryption method, device, equipment and storage medium
CN117278803B (en) * 2023-11-21 2024-05-17 深圳软牛科技有限公司 DRM video decryption method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
US10484185B2 (en) Method and system for distributing attestation key and certificate in trusted computing
US10985913B2 (en) Method and system for protecting data keys in trusted computing
EP3123692B1 (en) Techniques to operate a service with machine generated authentication tokens
CN104618096B (en) Protect method, equipment and the TPM key administrative center of key authorization data
US10922117B2 (en) VTPM-based virtual machine security protection method and system
US8953805B2 (en) Authentication information generating system, authentication information generating method, client apparatus, and authentication information generating program for implementing the method
CN111737366A (en) Private data processing method, device, equipment and storage medium of block chain
US20170099144A1 (en) Embedded encryption platform comprising an algorithmically flexible multiple parameter encryption system
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN117240625B (en) Tamper-resistant data processing method and device and electronic equipment
CN114363088B (en) Method and device for requesting data
CN113630412B (en) Resource downloading method, resource downloading device, electronic equipment and storage medium
CN112926101B (en) Disk partition encryption method, system, device and computer readable medium
CN115600215A (en) System startup method, system information processing method, device, equipment and medium thereof
CN115549930B (en) Verification method for logging in operating system
CN112565156A (en) Information registration method, device and system
CN114866228A (en) Method, system, storage medium and terminal for realizing soft password module
CN114117388A (en) Device registration method, device registration apparatus, electronic device, and storage medium
CN116389168B (en) Identity authentication method and device
CN112788061B (en) Authentication method, authentication device, authentication apparatus, authentication storage medium, and authentication program product
CN117494162A (en) Data storage encryption system, method, equipment and medium
CN116488903A (en) Key management method, device, computer equipment and storage medium
CN115859329A (en) Encryption and decryption method and device
CN114861207A (en) Data processing method and device, electronic equipment and computer readable storage medium
CN117240573A (en) White box key management system, method, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination