CN115766064A - Password application method, device, equipment and storage medium - Google Patents
Password application method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN115766064A CN115766064A CN202211173019.7A CN202211173019A CN115766064A CN 115766064 A CN115766064 A CN 115766064A CN 202211173019 A CN202211173019 A CN 202211173019A CN 115766064 A CN115766064 A CN 115766064A
- Authority
- CN
- China
- Prior art keywords
- password
- heterogeneous
- cryptographic
- executors
- redundant
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The application discloses a password application method, a device, equipment and a storage medium, which relate to the technical field of information security and comprise the following steps: acquiring target key data to be subjected to cryptographic operation; randomly selecting a plurality of password heterogeneous redundant executors from a pre-established password heterogeneous redundant executors pool to obtain a password heterogeneous redundant executors set; respectively distributing the target key data to a plurality of code heterogeneous redundant executors in a code heterogeneous redundant executer set so as to perform code operation on the target key data to obtain a plurality of code operation results; and (4) arbitrating a plurality of cryptographic operation results through an arbitration mechanism, and outputting the arbitrated result as a successful cryptographic operation result. The method and the device integrate the thought of mimicry defense in the cryptographic operation process, randomly select a plurality of heterogeneous executors to perform the cryptographic operation, obtain a unique and correct cryptographic operation result through a arbitration mechanism, and can improve the security of key data and actively cope with various unknown threats in a network space.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for password application.
Background
With the increasing network security situation in recent years, the threat of various business systems such as finance, energy, traffic, government affairs and the like is increasing, and China gradually popularizes commercial cipher technology and cipher application. The service system mainly calls equipment with cipher service capability, such as a cipher machine, to carry out plug-in type cipher resource access, thereby realizing cipher application.
However, with the continuous evolution of the internet and the continuous evolution of attack technologies, attacks on cryptographic engines and cryptographic services have presented the characteristics of "imperceptibility, cooperativity, accuracy" and the like, and network security is in the situation of "easy to attack and defend". Passive protection aiming at a single cipher machine cannot perform security defense on the cipher machine, and the cipher technology cannot be applied to a service system in a plug-in cipher machine mode because the service system cannot normally apply the cipher technology to protect the cipher machine directly by attacking the cipher machine and the like.
In summary, how to ensure the security capability of the service system when applying the cryptographic technology, and solve the problem that the result of the cryptographic application is not trusted and can not be found after the cryptographic engine is attacked, is a problem that needs to be further solved at present.
Disclosure of Invention
In view of the above, an object of the present application is to provide a method, an apparatus, a device and a storage medium for applying a password, which can improve the security of key data and actively cope with various unknown threats in a network space. The specific scheme is as follows:
in a first aspect, the present application discloses a password application method, including:
acquiring target key data to be subjected to cryptographic operation;
randomly selecting a plurality of code heterogeneous redundancy executors from a pre-established code heterogeneous redundancy execution entity pool to obtain a code heterogeneous redundancy execution entity set;
distributing the target key data to a plurality of password heterogeneous redundant executors in the password heterogeneous redundant executors respectively to perform password operation on the target key data to obtain a plurality of password operation results;
and judging the plurality of cryptographic operation results through a judging mechanism to obtain a judging result, and outputting the judging result which is the successful cryptographic operation result.
Optionally, the determining a plurality of cryptographic operation results through a determining mechanism to obtain a determining result, and outputting the cryptographic operation result with the determining result being successful includes:
counting the number of the same results in the plurality of password operation results to obtain a statistical result, and acquiring the maximum value in the statistical result;
and judging whether the maximum value is larger than a preset threshold value, if so, outputting the password operation result corresponding to the maximum value, and otherwise, judging that the abnormal or wrong password heterogeneous redundancy executive bodies exist in the password heterogeneous redundancy executive body pool.
Optionally, the password application method further includes:
if the judgment result is abnormal or wrong, determining the abnormal or wrong heterogeneous redundant executive body of the password;
and judging whether the abnormal or wrong password heterogeneous redundant executive body is continuously kept in the password heterogeneous redundant executive body pool or not according to the tolerance parameter, if not, marking the state of the abnormal or wrong password heterogeneous redundant executive body as unavailable, and updating the state of the password heterogeneous redundant executive body pool.
Optionally, the obtaining of the target key data to be subjected to the cryptographic operation includes:
acquiring target key data to be subjected to cryptographic operation, and randomly generating a random number of a preset byte.
Optionally, the distributing the target key data to a plurality of the heterogeneous redundancy executors in the heterogeneous redundancy executors set to perform cryptographic operation on the target key data to obtain a plurality of cryptographic operation results includes:
respectively distributing the target key data and the random number to a plurality of heterogeneous redundant executors in the heterogeneous redundant executors to disperse a main key in the heterogeneous redundant executors by taking the random number as a key dispersion factor to obtain an encryption key and a target vector;
respectively filling the length of the target key data into integral multiple of the preset bytes through a plurality of code heterogeneous redundancy executors in the code heterogeneous redundancy executors to obtain filled data, and carrying out encryption operation on the filled data by using the encryption key, the target vector and a preset encryption algorithm to obtain a plurality of encryption results;
respectively carrying out decryption operation on the ciphertext data through a plurality of the heterogeneous redundant executors in the heterogeneous redundant executors to obtain a plurality of decryption results;
and performing hash operation on the encryption result and the decryption result respectively through a plurality of the heterogeneous redundant executors in the heterogeneous redundant executors to obtain a plurality of hash values.
Optionally, the determining, by a determining mechanism, a plurality of cryptographic operation results to obtain a determining result, and outputting the determining result as a successful cryptographic operation result, includes:
if the hash values calculated by the heterogeneous redundant executors of the passwords are the same, outputting the encryption result;
if the hash values calculated by the heterogeneous redundant executors of the passwords are not identical, counting the number of the identical values in the hash values to obtain a counted number, and judging whether the maximum value of the counted number is greater than a preset number or not;
and if the maximum value of the statistical quantity is greater than the preset quantity, outputting the encryption result corresponding to the maximum value of the statistical quantity.
Optionally, the heterogeneous redundant execution entity of passwords includes a server crypto engine, an encryption card and a software crypto module, and all have the functions of key storage, key diffusion, encryption and decryption operation and hash operation.
In a second aspect, the present application discloses a password applying apparatus, comprising:
the key data acquisition module is used for acquiring target key data to be subjected to cryptographic operation;
the random selection module is used for randomly selecting a plurality of password heterogeneous redundant executives from a pre-established password heterogeneous redundant executives pool to obtain a password heterogeneous redundant executives set;
the password operation module is used for respectively distributing the target key data to a plurality of password heterogeneous redundant executors in the password heterogeneous redundant executors set so as to perform password operation on the target key data to obtain a plurality of password operation results;
and the judging and outputting module is used for judging the plurality of password operation results through a judging mechanism to obtain judging results and outputting the successful password operation results of the judging results.
In a third aspect, the present application discloses an electronic device comprising a processor and a memory; wherein the processor implements the aforementioned cryptographic application method when executing the computer program stored in the memory.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the aforementioned cryptographic application method.
It is obvious that, in the present application, target key data to be subjected to cryptographic operation is obtained first, then a plurality of cryptographic heterogeneous redundant executives are randomly selected from a cryptographic heterogeneous redundant executives pool created in advance to obtain a cryptographic heterogeneous redundant executives set, then the target key data is distributed to the plurality of cryptographic heterogeneous redundant executives in the cryptographic heterogeneous redundant executives set respectively, so as to perform cryptographic operation on the target key data to obtain a plurality of cryptographic operation results, then the plurality of cryptographic operation results are arbitrated by a arbitration mechanism to obtain an arbitration result, and the arbitration result is outputted as a successful cryptographic operation result. The method and the device integrate the idea of mimicry defense in the cryptographic operation process, randomly select a plurality of heterogeneous executors to perform cryptographic operation, obtain a unique and correct cryptographic operation result through a arbitration mechanism, can improve the security of key data, perform confidentiality protection on the key data, prevent data tampering, actively deal with various unknown threats in a network space, have high robustness, and still calculate the correct cryptographic operation result due to the plurality of heterogeneous redundant executors of the cipher after a certain cryptographic machine is attacked, thereby effectively solving the problems that the cryptographic application result is untrustworthy and cannot be found after the cryptographic machine is attacked.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a method for applying a password as disclosed herein;
FIG. 2 is a block diagram of a particular cryptographic application mimicry defense system disclosed herein;
FIG. 3 is a flow chart of a particular method of applying a password disclosed herein;
FIG. 4 is a diagram of a particular cryptographic application mimicry defense framework disclosed herein;
FIG. 5 is a schematic diagram of a password applying apparatus according to the present disclosure;
fig. 6 is a block diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
The embodiment of the application discloses a password application method, which is shown in fig. 1 and comprises the following steps:
step S11: and acquiring target key data to be subjected to cryptographic operation.
In this embodiment, plaintext data to be subjected to cryptographic operation is first acquired to obtain target key data, where the target key data includes, but is not limited to, a commercial password and the like.
Step S12: and randomly selecting a plurality of password heterogeneous redundant executives from a pre-established password heterogeneous redundant executor pool to obtain a password heterogeneous redundant executor set.
In this embodiment, after the target key data to be subjected to the cryptographic operation is acquired, a plurality of cryptographic heterogeneous redundant executors may be further randomly and dynamically selected from a pre-created cryptographic heterogeneous redundant executable pool, so as to obtain a cryptographic heterogeneous redundant executable set. The password Heterogeneous Redundancy executor is constructed based on Dynamic Heterogeneous Redundancy (DHR), and includes, but is not limited to, a server cryptographic engine, an encryption card, a software cryptographic module, and the like. It should be noted that each of the heterogeneous redundant executors of the cipher is functionally equivalent, but is composed of different software, hardware and operating systems, and each of the heterogeneous redundant executors has functions of key storage, key diffusion, encryption and decryption operations, and Hash (Hash) operations, where the encryption and decryption operations specifically include, but are not limited to, symmetric encryption and decryption, asymmetric encryption and decryption, and the like.
Step S13: and respectively distributing the target key data to a plurality of code heterogeneous redundant executors in the code heterogeneous redundant executors set so as to perform code operation on the target key data to obtain a plurality of code operation results.
In this embodiment, after a plurality of cryptographic heterogeneous redundant executors are randomly selected from a pre-created cryptographic heterogeneous redundant executable pool to obtain a cryptographic heterogeneous redundant executable set, the target key data is further distributed to the plurality of cryptographic heterogeneous redundant executors in the cryptographic heterogeneous redundant executable set, and then cryptographic operations are performed on the target key data by the cryptographic heterogeneous redundant executors to obtain a plurality of corresponding cryptographic operation results. The cryptographic operation includes, but is not limited to, an encryption operation, a decryption operation, a hash operation, and the like.
Step S14: and judging a plurality of cryptographic operation results through a judging mechanism to obtain a judging result, and outputting the judging result as the successful cryptographic operation result.
In this embodiment, after performing cryptographic operation on the target key data to obtain a plurality of cryptographic operation results, a arbitrator may further arbitrate the plurality of cryptographic operation results to obtain a corresponding arbitration result, and then output the arbitration result as a successful cryptographic operation result. For example, when the heterogeneous redundant executives of the password have three heterogeneous redundant executives of the password of the server, the encryption card and the software password module in a centralized way, the three heterogeneous redundant executives of the password respectively carry out password operation on target key data to obtain corresponding three password operation results, then whether the three password operation results are all consistent or not is judged, if the three password operation results are all consistent, the three heterogeneous redundant executives of the password are all normal, and the password operation result of any heterogeneous redundant executives of the password can be directly output; if two of the three are consistent, it is indicated that one of the three password heterogeneous redundancy executors has an abnormality, and any one of two consistent password operation results can be directly output; if the three are different, it is indicated that all the three cipher heterogeneous redundancy executors are wrong or abnormal, and the cipher operation fails.
Further, after the determining the cryptographic operation result by the determining mechanism to obtain the determined result, the method may further include: if the judgment result is abnormal or wrong, determining the abnormal or wrong heterogeneous redundant executive body of the password; and judging whether the abnormal or wrong code heterogeneous redundant executive bodies are continuously kept in the code heterogeneous redundant executive body pool or not according to the tolerance parameter, if not, marking the abnormal or wrong state of the code heterogeneous redundant executive bodies as unavailable, and updating the state of the code heterogeneous redundant executive body pool. That is, if there is a case that the cryptographic operation results are inconsistent, it is determined that there is an abnormal or wrong cryptographic heterogeneous redundant execution block, for example, when there are two identical cryptographic operation results in the above three cryptographic heterogeneous redundant execution blocks, it may be determined that another cryptographic heterogeneous redundant execution block with a different cryptographic operation result is an abnormal or wrong execution block, after the abnormal or wrong cryptographic heterogeneous redundant execution block is identified, it is determined whether to keep the cryptographic heterogeneous redundant execution block in the heterogeneous execution block pool according to the pre-configured tolerance parameter, if not, the state of the abnormal or wrong cryptographic heterogeneous redundant execution block is further marked as unavailable, and then the state of the cryptographic heterogeneous redundant execution block pool is updated, that is, the abnormal or wrong cryptographic heterogeneous redundant execution block is removed from the cryptographic heterogeneous redundant execution block pool, so as to ensure that all the cryptographic heterogeneous execution blocks are normally available when the heterogeneous redundancy execution blocks in the cryptographic redundant execution block pool are randomly selected next time.
It can be seen that, in the embodiment of the present application, target key data to be subjected to cryptographic operation is first obtained, then a plurality of cryptographic heterogeneous redundant executives are randomly selected from a pool of cryptographic heterogeneous redundant executives created in advance to obtain a cryptographic heterogeneous redundant executives set, then the target key data is respectively distributed to the plurality of cryptographic heterogeneous redundant executives in the cryptographic heterogeneous redundant executives set so as to perform cryptographic operation on the target key data to obtain a plurality of cryptographic operation results, the plurality of cryptographic operation results are arbitrated through an arbitration mechanism to obtain an arbitration result, and the cryptographic operation result that the arbitration result is successful is output. The embodiment of the application integrates the idea of mimicry defense in the process of cryptographic operation, randomly selects a plurality of heterogeneous executors to perform cryptographic operation, obtains a unique and correct cryptographic operation result through a arbitration mechanism, can improve the security of key data, performs confidentiality protection on the key data, prevents data tampering, actively copes with various unknown threats in a network space, and has high robustness.
In the password application method of the present application, a system framework adopted may specifically refer to fig. 2, where the system framework adopts a mimicry defense technology, and may specifically include, logically from bottom to top: the system comprises a password support layer, a password service layer, a mimicry service layer, a password interface layer, a password application layer and a password management layer.
The password support layer comprises a domestic password machine, a non-domestic password machine, a software password module and an encryption card, and a password heterogeneous redundant execution body pool is formed together to provide password support capability for upper-layer application; the function of the password service layer is also provided by a password heterogeneous redundant executive body module, and each password heterogeneous redundant executive body has the functions of key storage, key diffusion, encryption and decryption operation and Hash operation and provides confidentiality and integrity protection for key data and the like of a password application system; the cryptographic application middleware in fig. 2 provides capabilities of a mimicry defense service layer and a cryptographic interface layer, which take cryptographic operation scheduling, cryptographic operation arbitration, and negative feedback control of a heterogeneous redundant executor of a cipher as a core, and provides a set of simple and uniform cryptographic service interfaces for implementation of an upper cryptographic support layer and a service system, so that the difficulty in transforming the cryptographic application can be effectively reduced; in addition, the service system at the password application layer uses the password interface to complete the protection of protocol secure communication, data secure storage, access control and the like; the key of the cipher support layer comes from the cipher management layer, and the key management system is responsible for generating, distributing and updating the key. It should be noted that, because the service system is simplified through the cryptographic middleware and the cryptographic service interfaces of the cryptographic heterogeneous redundant executors are unified, and the mimicry defense process is hidden, the service system realizes the unaware cryptographic application.
Fig. 3 is a flowchart of a specific password application method disclosed in the embodiment of the present application. Referring to fig. 3, the password application method includes:
step S21: and acquiring target key data to be subjected to cryptographic operation, and randomly generating a random number of a preset byte.
In this embodiment, plaintext data to be subjected to cryptographic operation is first obtained to obtain target key data, and then a random number of a preset byte is randomly generated. For example, when the key operation scheduling module in fig. 2 receives input plaintext data, a set of 16-byte random numbers is generated.
Step S22: randomly selecting a plurality of password heterogeneous redundant executives from a pre-established password heterogeneous redundant executant pool to obtain a password heterogeneous redundant executant set; the heterogeneous redundant execution body of the password comprises a server password machine, an encryption card and a software password module, and the heterogeneous redundant execution body of the password has the functions of key storage, key diffusion, encryption and decryption operation and Hash operation.
In a specific implementation manner, after target key data to be subjected to cryptographic operation is obtained and a random number of a preset byte is randomly generated, three cryptographic heterogeneous redundancy executors, such as a domestic cryptographic engine, a non-domestic cryptographic engine, a software cryptographic module and an encryption card, are randomly selected from the domestic cryptographic engine, the non-domestic cryptographic engine, the software cryptographic module and the encryption card in fig. 2, and then the three selected cryptographic heterogeneous redundancy executors form a cryptographic heterogeneous redundancy execution set.
Step S23: and respectively distributing the target key data and the random number to a plurality of the heterogeneous redundant executives in the heterogeneous redundant executives of the passwords to disperse the main key in the heterogeneous redundant executives of the passwords by taking the random number as a key dispersion factor so as to obtain an encryption key and a target vector.
In a specific embodiment, after a plurality of cryptographic heterogeneous redundant executables are randomly selected from a pre-created cryptographic heterogeneous redundant executables pool to obtain a cryptographic heterogeneous redundant executables set, the target key data and the random number are respectively distributed to the plurality of cryptographic heterogeneous redundant executables in the cryptographic heterogeneous redundant executables set by using a key operation scheduling module in fig. 2, and then the main key in the cryptographic heterogeneous redundant executables is dispersed by using the random number as a key dispersion factor to obtain an encryption key and a target vector.
Step S24: and respectively filling the length of the target key data into integral multiple of the preset bytes through a plurality of code heterogeneous redundancy executors in the code heterogeneous redundancy execution body set to obtain filled data, and performing encryption operation on the filled data by using the encryption key, the target vector and a preset encryption algorithm to obtain a plurality of encryption results.
In this embodiment, after the random number is used as a key dispersion factor to disperse the master key in the heterogeneous redundancy executors of the cipher to obtain an encryption key and a target vector, further, the length of the target key data is respectively filled to be an integer multiple of the preset byte by a plurality of heterogeneous redundancy executors of the cipher to obtain filled data, and then the filled data is encrypted by using the encryption key, the target vector and a preset encryption algorithm to obtain a plurality of corresponding encryption results. Wherein the encryption algorithm includes, but is not limited to, a symmetric encryption algorithm and an asymmetric encryption algorithm. For example, after a plurality of heterogeneous redundancy executors use a key dispersion factor to disperse a master key to obtain an encryption key and a vector IV1 of the current encryption, a padding mode of pkcs #7 is used to pad an integer multiple of the length of target key data, so as to obtain padded data, and then the padded data is encrypted by using the encryption key and the vector IV1 and adopting an SM4 algorithm, so as to obtain a corresponding encryption result.
Step S25: and respectively carrying out decryption operation on the ciphertext data through the plurality of the heterogeneous redundant executors in the heterogeneous redundant executors to obtain a plurality of decryption results.
In a specific embodiment, after the encryption key, the target vector, and a preset encryption algorithm are used to perform an encryption operation on the padded data to obtain a plurality of encryption results, the key dispersion factor and the encryption results are randomly delivered to three or more available heterogeneous redundant executors of the cipher for decryption operation through a cryptographic operation scheduling module in fig. 2. Specifically, the heterogeneous redundancy execution of the cipher firstly uses the key dispersion factor to disperse the master key to obtain the decryption key and the vector IV2 for decryption at this time, and then uses the decryption key and the vector IV2 to decrypt the encrypted result by using the SM4 algorithm to obtain the corresponding decryption result.
Step S26: and performing hash operation on the encryption result and the decryption result respectively through a plurality of the heterogeneous redundant executors in the heterogeneous redundant executors to obtain a plurality of hash values.
Further, the received encryption result and the decryption result are randomly delivered to three or more available heterogeneous redundant executors of the cipher by the cipher operation scheduling module in fig. 2, then the hash value of the operation result of each heterogeneous redundant executer of the cipher is calculated by the cipher operation arbitration module, and then the multi-mode arbitration is performed by comparing the consistency of the hash values.
Step S27: and if the hash values calculated by the heterogeneous redundant executors of the passwords are the same, outputting the encryption result.
Specifically, if the calculated hash values in fig. 2 are uniform, it indicates that each of the heterogeneous redundancy executors is normal, and the cryptographic operation arbitration module outputs the operation result of any one of the heterogeneous redundancy executors.
Step S28: if the hash values calculated by the heterogeneous redundant executors of the passwords are not identical, counting the number of the identical values in the hash values to obtain a counted number, and judging whether the maximum value of the counted number is larger than a preset number or not.
In this embodiment, if the hash values calculated by the heterogeneous redundant executors of the password are partially identical, which indicates that the heterogeneous redundant executors of the password are abnormal, the number of the same values in the hash values is further counted to obtain a corresponding counted number, and then it is determined whether the maximum value of the counted number is greater than a preset number.
Step S29: and if the maximum value of the statistical quantity is greater than the preset quantity, outputting the encryption result corresponding to the maximum value of the statistical quantity.
In this embodiment, if the maximum value of the statistical number is greater than the preset number, it indicates that most of the heterogeneous redundancy executors in the heterogeneous redundancy executors set are correct, and at this time, the encryption result corresponding to the maximum value of the statistical number may be directly output, that is, the encryption result calculated by the normal heterogeneous redundancy executors is output.
Further, if the hash values are partially consistent, it indicates that there is an exception in some cryptographic heterogeneous redundant executors, and at this time, the cryptographic operation arbitration module in fig. 2 may submit the cryptographic heterogeneous redundant executors with the exception to the negative feedback processor for handling. In addition, if the hash values are all different, it indicates that each heterogeneous executor has an exception, and the cryptographic operation fails.
Therefore, the password application scheme provided by the application adopts a mimicry defense technology, a plurality of password heterogeneous redundancy executors are randomly and dynamically selected to perform password operation, and a unique and correct password operation result is obtained through a judgment mechanism, so that a service system can still calculate and obtain a correct password operation result after a certain password machine is attacked, the problems that the password application result is not trusted and cannot be found after the password machine is attacked are solved, and meanwhile, the service system realizes the unaware password application.
In a specific embodiment, referring to fig. 4, fig. 4 shows a specific cryptographic application mimicry defense framework, which specifically includes: the method comprises the steps of adopting functionally equivalent but different software, hardware, operating systems and the like to realize various password heterogeneous redundancy executors, forming a password heterogeneous redundancy execution body pool by using a home-made server password machine, a non-home-made server password machine, an encryption card, a software password module and the like, dynamically and randomly selecting partial password heterogeneous redundancy execution bodies from the password heterogeneous execution body pool to form a password heterogeneous redundancy execution body set, then distributing input plaintext data to each password heterogeneous redundancy execution body in the password heterogeneous redundancy execution body set to execute by an input agent, finally arbitrating a password operation result obtained by calculation of each password heterogeneous redundancy execution body by a voter, and outputting the arbitrated approximately correct encryption result.
Each of the heterogeneous redundant executors in fig. 4 has the capabilities of key storage, key diffusion, symmetric cryptographic operation and hash operation; the password operation scheduling module is deployed on an application system server, has encryption, decryption and Hash operation interfaces, can generate random numbers as password operation factors, and is also responsible for randomly selecting a preset number of available password heterogeneous redundant executors in a password heterogeneous redundant execution body pool to perform password operation; the password operation arbitration module is responsible for carrying out multi-mode arbitration, voting the password operation result of the password heterogeneous redundancy executive body and outputting most numerical values of the operation result. And the heterogeneous redundant executive body of the password with abnormal or wrong operation result is fed back to the negative feedback controller module; the negative feedback controller module marks the heterogeneous redundant executer in the heterogeneous redundant executer pool as available or not according to the arbitration result of the cryptographic operation arbitration module and synchronizes the state of the heterogeneous redundant executer to the cryptographic operation scheduling module; the key management system is responsible for generating, updating, destroying and the like of keys and distributing the same encryption and decryption keys to the heterogeneous redundancy executors of the password.
Correspondingly, the embodiment of the present application further discloses a password application apparatus, as shown in fig. 5, the apparatus includes:
the key data acquisition module 11 is used for acquiring target key data to be subjected to cryptographic operation;
a random selection module 12, configured to randomly select multiple heterogeneous cryptographic redundancy executors from a pre-created heterogeneous cryptographic redundancy execution entity pool to obtain a heterogeneous cryptographic redundancy execution entity set;
the cryptographic operation module 13 is configured to distribute the target key data to a plurality of cryptographic heterogeneous redundant executors in the cryptographic heterogeneous redundant executors set respectively, so as to perform cryptographic operation on the target key data to obtain a plurality of cryptographic operation results;
the arbitrating and outputting module 14 is configured to arbitrate the multiple cryptographic operation results by using an arbitration mechanism to obtain an arbitrated result, and output the arbitrated result as the successful cryptographic operation result.
For the specific work flow of each module, reference may be made to corresponding content disclosed in the foregoing embodiments, and details are not repeated here.
It can be seen that, in the embodiment of the present application, target key data to be subjected to cryptographic operation is obtained first, then a plurality of cryptographic heterogeneous redundant executives are randomly selected from a cryptographic heterogeneous redundant executives pool created in advance to obtain a cryptographic heterogeneous redundant executives set, then the target key data is distributed to the plurality of cryptographic heterogeneous redundant executives in the cryptographic heterogeneous redundant executives set respectively, so as to perform cryptographic operation on the target key data to obtain a plurality of cryptographic operation results, then the plurality of cryptographic operation results are arbitrated by a arbitration mechanism to obtain an arbitration result, and the arbitration result is outputted as a successful cryptographic operation result. The embodiment of the application integrates the idea of mimicry defense in the process of cryptographic operation, randomly selects a plurality of heterogeneous executors to perform cryptographic operation, obtains a unique and correct cryptographic operation result through a arbitration mechanism, can improve the security of key data, performs confidentiality protection on the key data, prevents data tampering, actively copes with various unknown threats in a network space, and has high robustness.
In some embodiments, the arbitration and output module 14 may specifically include:
the first quantity counting unit is used for counting the quantity of the same result in the plurality of password operation results to obtain a counting result;
a maximum value obtaining unit, configured to obtain a maximum value in the statistical result;
the first judgment unit is used for judging whether the maximum value is larger than a preset threshold value or not;
a password operation result output unit, configured to output the password operation result corresponding to the maximum value if the maximum value is greater than the preset threshold value;
and the abnormity determining unit is used for determining that the abnormal or wrong password heterogeneous redundancy executors exist in the password heterogeneous redundancy executors pool if the maximum value is not greater than the preset threshold value.
In some specific embodiments, the password application apparatus may further include:
the execution body abnormity determining unit is used for determining the abnormal or wrong code heterogeneous redundancy execution body if the judgment result is abnormal or wrong;
the second judgment unit is used for judging whether the abnormal or wrong code heterogeneous redundant executive bodies are continuously kept in the code heterogeneous redundant executive body pool or not according to the tolerance parameter;
and the marking and updating unit is used for marking the state of the abnormal or wrong password heterogeneous redundancy executive body as unavailable and updating the state of the password heterogeneous redundancy executive body pool if the abnormal or wrong state of the password heterogeneous redundancy executive body is not available.
In some specific embodiments, the key data obtaining module 11 may specifically include:
the key data acquisition unit is used for acquiring target key data to be subjected to cryptographic operation;
and the random number generating unit is used for randomly generating the random number of the preset byte.
In some specific embodiments, the cryptographic operation module 13 may specifically include:
a data distribution unit, configured to distribute the target key data and the random number to a plurality of the heterogeneous redundant executors in the heterogeneous redundant executors set;
the dispersion unit is used for dispersing the main key in the heterogeneous redundancy execution body of the password by taking the random number as a key dispersion factor to obtain an encryption key and a target vector;
the filling unit is used for respectively filling the length of the target key data into integral multiples of the preset bytes through a plurality of the password heterogeneous redundancy executors in the password heterogeneous redundancy executors to obtain filled data;
the data encryption unit is used for carrying out encryption operation on the filled data by utilizing the encryption key, the target vector and a preset encryption algorithm to obtain a plurality of encryption results;
the data decryption unit is used for respectively decrypting the ciphertext data through the plurality of the heterogeneous redundant executors in the heterogeneous redundant executors to obtain a plurality of decryption results;
and the Hash operation unit is used for carrying out Hash operation on the encryption result and the decryption result respectively through a plurality of the heterogeneous redundant executors in the heterogeneous redundant executors to obtain a plurality of Hash values.
In some embodiments, the arbitration and output module 14 may specifically include:
a first encryption result output unit, configured to output the encryption result if the hash values calculated by the respective heterogeneous redundant execution blocks of the password are the same;
the second quantity counting unit is used for counting the quantity of the same values in the hash values to obtain a counted quantity if the hash values calculated by the heterogeneous redundant executors of the passwords are not identical;
a third judging unit, configured to judge whether a maximum value of the statistical number is greater than a preset number;
and the second encryption result output unit is used for outputting the encryption result corresponding to the maximum value of the statistical quantity if the maximum value of the statistical quantity is greater than the preset quantity.
In some embodiments, the heterogeneous redundant execution entity of the password includes a server crypto engine, an encryption card and a software crypto module, and each of the heterogeneous redundant execution entity of the password includes functions of key storage, key diffusion, encryption and decryption operation and hash operation.
Further, an electronic device is disclosed in the embodiments of the present application, and fig. 6 is a block diagram of an electronic device 20 according to an exemplary embodiment, which should not be construed as limiting the scope of the application.
Fig. 6 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein, the memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the password application method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol that can be applied to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to acquire external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the storage 22 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon may include an operating system 221, a computer program 222, etc., and the storage manner may be a transient storage or a permanent storage.
The operating system 221 is used for managing and controlling each hardware device on the electronic device 20 and the computer program 222, and may be Windows Server, netware, unix, linux, or the like. The computer program 222 may further include a computer program that can be used to perform other specific tasks in addition to the computer program that can be used to perform the password application method disclosed in any of the foregoing embodiments and executed by the electronic device 20.
Further, the present application also discloses a computer-readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the cryptographic application method disclosed above. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the components and steps of the various examples have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising one of 8230; \8230;" 8230; "does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The above detailed description is provided for a password application method, apparatus, device and storage medium, and the specific examples are applied herein to explain the principles and embodiments of the present application, and the descriptions of the above embodiments are only used to help understand the method and core ideas of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
Claims (10)
1. A password application method is applied to a service system and comprises the following steps:
acquiring target key data to be subjected to cryptographic operation;
randomly selecting a plurality of code heterogeneous redundancy executors from a pre-established code heterogeneous redundancy execution entity pool to obtain a code heterogeneous redundancy execution entity set;
distributing the target key data to a plurality of password heterogeneous redundant executors in the password heterogeneous redundant executors respectively to perform password operation on the target key data to obtain a plurality of password operation results;
and judging a plurality of cryptographic operation results through a judging mechanism to obtain a judging result, and outputting the judging result as the successful cryptographic operation result.
2. The method of claim 1, wherein the arbitrating a plurality of the cryptographic operation results by a arbitration mechanism to obtain an arbitrated result, and outputting the arbitrated result as a successful cryptographic operation result comprises:
counting the number of the same results in the plurality of password operation results to obtain a statistical result, and acquiring the maximum value in the statistical result;
and judging whether the maximum value is larger than a preset threshold value, if so, outputting the password operation result corresponding to the maximum value, and otherwise, judging that the abnormal or wrong password heterogeneous redundancy executive bodies exist in the password heterogeneous redundancy executive body pool.
3. The password application method according to claim 2, further comprising:
if the judgment result is abnormal or wrong, determining the abnormal or wrong code heterogeneous redundancy executive body;
and judging whether the abnormal or wrong password heterogeneous redundant executive body is continuously kept in the password heterogeneous redundant executive body pool or not according to the tolerance parameter, if not, marking the state of the abnormal or wrong password heterogeneous redundant executive body as unavailable, and updating the state of the password heterogeneous redundant executive body pool.
4. The method according to claim 3, wherein the obtaining target key data to be subjected to cryptographic operation comprises:
and acquiring target key data to be subjected to cryptographic operation, and randomly generating a random number of a preset byte.
5. The method of claim 4, wherein the distributing the target key data to the plurality of heterogeneous cryptographic redundant executors in the set of heterogeneous cryptographic redundant executors respectively to perform a cryptographic operation on the target key data to obtain a plurality of cryptographic operation results comprises:
respectively distributing the target key data and the random number to a plurality of password heterogeneous redundant executives in the password heterogeneous redundant executives to disperse a main key in the password heterogeneous redundant executives by taking the random number as a key dispersion factor so as to obtain an encryption key and a target vector;
respectively filling the length of the target key data into integral multiple of the preset bytes through a plurality of code heterogeneous redundancy executors in the code heterogeneous redundancy executors to obtain filled data, and carrying out encryption operation on the filled data by using the encryption key, the target vector and a preset encryption algorithm to obtain a plurality of encryption results;
respectively carrying out decryption operation on the ciphertext data through a plurality of the heterogeneous redundant executors in the heterogeneous redundant executors to obtain a plurality of decryption results;
and performing hash operation on the encryption result and the decryption result respectively through a plurality of the heterogeneous redundant executors in the heterogeneous redundant executors to obtain a plurality of hash values.
6. The method of claim 5, wherein the arbitrating the plurality of cryptographic operation results by a arbitration mechanism to obtain an arbitrated result, and outputting the arbitrated result as a successful cryptographic operation result comprises:
if the hash values calculated by the heterogeneous redundant executors of the passwords are the same, outputting the encryption result;
if the hash values calculated by the heterogeneous redundant executors are not identical, counting the number of the identical values in the hash values to obtain a counted number, and judging whether the maximum value of the counted number is greater than a preset number or not;
and if the maximum value of the statistical quantity is greater than the preset quantity, outputting the encryption result corresponding to the maximum value of the statistical quantity.
7. The encryption application method according to any one of claims 1 to 6, wherein the heterogeneous redundant execution entity comprises a server crypto engine, an encryption card and a software crypto module, and each has functions of key storage, key diffusion, encryption and decryption operations and hash operations.
8. A password application apparatus, applied to a service system, comprising:
the key data acquisition module is used for acquiring target key data to be subjected to cryptographic operation;
the random selection module is used for randomly selecting a plurality of password heterogeneous redundant executives from a pre-established password heterogeneous redundant executives pool to obtain a password heterogeneous redundant executives set;
the password operation module is used for respectively distributing the target key data to a plurality of password heterogeneous redundant executors in the password heterogeneous redundant executer set so as to perform password operation on the target key data to obtain a plurality of password operation results;
and the judging and outputting module is used for judging the plurality of password operation results through a judging mechanism to obtain judging results, and outputting the judging results as the successful password operation results.
9. An electronic device comprising a processor and a memory; wherein the processor, when executing the computer program stored in the memory, implements the cryptographic application method of any of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the cryptographic application method of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211173019.7A CN115766064A (en) | 2022-09-26 | 2022-09-26 | Password application method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211173019.7A CN115766064A (en) | 2022-09-26 | 2022-09-26 | Password application method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115766064A true CN115766064A (en) | 2023-03-07 |
Family
ID=85351965
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211173019.7A Pending CN115766064A (en) | 2022-09-26 | 2022-09-26 | Password application method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115766064A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116455560A (en) * | 2023-06-16 | 2023-07-18 | 北京智芯微电子科技有限公司 | Data encryption method, data decryption method, device, equipment and medium |
-
2022
- 2022-09-26 CN CN202211173019.7A patent/CN115766064A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116455560A (en) * | 2023-06-16 | 2023-07-18 | 北京智芯微电子科技有限公司 | Data encryption method, data decryption method, device, equipment and medium |
| CN116455560B (en) * | 2023-06-16 | 2023-08-29 | 北京智芯微电子科技有限公司 | Data encryption method, data decryption method, device, equipment and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11665015B2 (en) | Method and control system for controlling and/or monitoring devices | |
| CN111654367B (en) | Method for cryptographic operation and creation of working key, cryptographic service platform and device | |
| JP5100286B2 (en) | Cryptographic module selection device and program | |
| US11615007B2 (en) | Method and control system for controlling and/or monitoring devices | |
| US11025415B2 (en) | Cryptographic operation method, method for creating working key, cryptographic service platform, and cryptographic service device | |
| CN111737366B (en) | Private data processing method, device, equipment and storage medium of block chain | |
| CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
| US20200293361A1 (en) | Method and distributed database system for computer-aided execution of a program code | |
| US11412047B2 (en) | Method and control system for controlling and/or monitoring devices | |
| CN111740826B (en) | Encryption method, decryption method, device and equipment based on encryption proxy gateway | |
| US10929151B2 (en) | Computer-implemented method for replacing a data string by a placeholder | |
| CN117240625A (en) | Tamper-resistant data processing method and device and electronic equipment | |
| CN115766064A (en) | Password application method, device, equipment and storage medium | |
| US20210065919A1 (en) | Method and control system for controlling and/or monitoring devices | |
| EP3794482B1 (en) | Method for securing an automated system | |
| US20140033318A1 (en) | Apparatus and method for managing usim data using mobile trusted module | |
| CN114329559A (en) | External important data protection system and protection method thereof | |
| EP3200388B1 (en) | User permission check system | |
| WO2023232617A1 (en) | Encryption and decryption of transactions of a distributed ledger | |
| CN114598465A (en) | Data updating method and controller | |
| CN117521097A (en) | Application information operation and maintenance method and device | |
| CN114598464A (en) | Data updating method and controller | |
| CN116488903A (en) | Key management method, device, computer equipment and storage medium | |
| CN117313144A (en) | Sensitive data management method and device, storage medium and electronic equipment | |
| CN118282611A (en) | Symmetrical key generation method and device and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |