CN116132065A - Key determination method, device, computer equipment and storage medium - Google Patents

Key determination method, device, computer equipment and storage medium Download PDF

Info

Publication number
CN116132065A
CN116132065A CN202310122494.XA CN202310122494A CN116132065A CN 116132065 A CN116132065 A CN 116132065A CN 202310122494 A CN202310122494 A CN 202310122494A CN 116132065 A CN116132065 A CN 116132065A
Authority
CN
China
Prior art keywords
key
characteristic value
data
encrypted
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310122494.XA
Other languages
Chinese (zh)
Inventor
曹文阳
杨斌
谭艳锋
刘喜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kingdee Deeking Cloud Computing Co ltd
Original Assignee
Kingdee Deeking Cloud Computing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kingdee Deeking Cloud Computing Co ltd filed Critical Kingdee Deeking Cloud Computing Co ltd
Priority to CN202310122494.XA priority Critical patent/CN116132065A/en
Publication of CN116132065A publication Critical patent/CN116132065A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to a key determination method, apparatus, computer device, storage medium and computer program product. The method comprises the following steps: acquiring a key determination request; transmitting the key determination request to a key center; acquiring an encryption data key and an encryption master key fed back by the key center based on the key determination request; and obtaining a user characteristic value and an operating system characteristic value corresponding to the key determination request, encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain a target master key. By adopting the method, the security of acquiring the secret key can be improved.

Description

Key determination method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of computer technology, and in particular, to a key determining method, apparatus, computer device, storage medium, and computer program product.
Background
With the development of computer technology, encryption technology has emerged, which is to change original information data by a specific algorithm, so that even if an unauthorized user obtains encrypted information, the unauthorized user cannot know the content of the information due to the unknown decryption method.
In the traditional technology, the information data to be encrypted is encrypted by using a fixed key so as to ensure the security of the information data to be encrypted, but the fixed key has the risk of easy exposure and has lower security.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a key determination method, apparatus, computer device, computer-readable storage medium, and computer program product that can improve key security.
In a first aspect, the present application provides a key determination method. The method comprises the following steps:
acquiring a key determination request;
transmitting the key determination request to a key center;
acquiring an encryption data key and an encryption master key fed back by the key center based on the key determination request;
and obtaining a user characteristic value and an operating system characteristic value corresponding to the key determination request, encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain a target master key.
In one embodiment, the encrypting the encrypted data key based on the user feature value and the operating system feature value to obtain a target data key, and encrypting the encrypted master key to obtain a target master key includes:
Fusing the user characteristic value and the operating system characteristic value to obtain an initial characteristic value;
carrying out hash algorithm encryption and scrambling treatment on the initial characteristic value to obtain a target characteristic value;
obtaining a preservation key based on the target characteristic value;
encrypting the encrypted data key based on the saved key to obtain a target data key, and encrypting the encrypted master key based on the saved key to obtain a target master key.
In one embodiment, the performing hash algorithm encryption and scrambling on the initial feature value to obtain a target feature value includes:
acquiring statistics times;
encrypting the initial characteristic value by a hash algorithm to obtain an intermediate characteristic value;
performing scrambling treatment on the intermediate characteristic values based on a preset mode to obtain reference characteristic values;
updating the statistics times to obtain updated statistics times, and comparing the updated statistics times with an encryption times threshold;
and if the updated statistical number is smaller than the encryption number threshold, taking the reference characteristic value as an initial characteristic value, and returning to execute the step of encrypting the initial characteristic value by the hash algorithm to obtain an intermediate characteristic value until the updated statistical number is equal to the encryption number threshold to obtain a target characteristic value.
In one embodiment, the get key determination request includes:
acquiring an initial key determination request and a sending key;
and encrypting the initial key determination request based on the sending key to obtain a key determination request.
In one embodiment, the key determination method further comprises:
acquiring a target confusion factor and a target random number corresponding to the user characteristic value and the operating system characteristic value;
constructing a target linear regression function based on the target random number;
calculating the target linear regression function according to the first data of each bit in the target data key based on the first data and the target confusion factor to obtain a data parameter set corresponding to the first data;
calculating the target linear regression function according to the second data of each bit in the master key based on the second data and the target confusion factor to obtain a master parameter set corresponding to the second data;
and storing the plurality of data parameter sets corresponding to the target data key, and storing the plurality of main parameter sets corresponding to the main key.
In one embodiment, applied to a key center, the method comprises:
Acquiring a key determination request sent by a terminal;
generating a data key and a master key based on the key determination request;
encrypting the data key to obtain an encrypted data key, and encrypting the master key to obtain an encrypted master key;
and sending the encrypted data key and the encrypted master key to the terminal to instruct the terminal to generate a target data key according to the user characteristic value, the operating system characteristic value and the encrypted data key, and generate a target master key according to the user characteristic value, the operating system characteristic value and the encrypted master key.
In one embodiment, said encrypting the data key to obtain an encrypted data key, and encrypting the master key to obtain an encrypted master key comprises:
encrypting the data key based on the master key to obtain an encrypted data key;
performing confusion processing on the encrypted data key to obtain a confusion data key;
and encrypting the master key based on the confusion data key to obtain an encrypted master key.
In one embodiment, said obfuscating the encrypted data key to obtain an obfuscated data key includes:
scrambling the encrypted data key to obtain an initial confusion key;
Encrypting the initial confusion key based on a preset encryption mode to obtain an intermediate confusion key;
and determining the intermediate confusion key with the preset digits as a confusion data key.
In one embodiment, the generating the data key and the master key based on the key determination request includes:
acquiring a sending key, decrypting the key determination request based on the sending key, and obtaining an initial key determination request;
and obtaining the user identifier corresponding to the initial key determination request, and generating a data key and a master key corresponding to the user identifier.
In one embodiment, said transmitting said encrypted data key and said encrypted master key to said terminal comprises:
generating response information based on the encrypted data key and the encrypted master key;
acquiring a response key, and encrypting the response information based on the response key to obtain encrypted response information;
and sending the encryption response information to the terminal.
In a second aspect, the present application further provides a key determining apparatus. The device comprises:
the first acquisition module is used for acquiring the key determination request;
the sending module is used for sending the key determining request to a key center;
The receiving module is used for acquiring the encryption data key and the encryption master key which are fed back by the key center based on the key determination request;
the determining module is used for obtaining the user characteristic value and the operating system characteristic value corresponding to the key determining request, encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain the target master key.
In a second aspect, the present application also provides another key determining apparatus. The device comprises:
the second acquisition module is used for acquiring a key determination request sent by the terminal;
a generation module for generating a data key and a master key based on the key determination request;
the encryption module is used for encrypting the data key to obtain an encrypted data key and encrypting the master key to obtain an encrypted master key;
and the transmission module is used for sending the encrypted data key and the encrypted master key to the terminal so as to instruct the terminal to generate a target data key according to the user characteristic value, the operating system characteristic value and the encrypted data key and generate a target master key according to the user characteristic value, the operating system characteristic value and the encrypted master key.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor which when executing the computer program performs the steps of:
acquiring a key determination request;
transmitting the key determination request to a key center;
acquiring an encryption data key and an encryption master key fed back by the key center based on the key determination request;
and obtaining a user characteristic value and an operating system characteristic value corresponding to the key determination request, encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain a target master key.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
acquiring a key determination request;
transmitting the key determination request to a key center;
acquiring an encryption data key and an encryption master key fed back by the key center based on the key determination request;
And obtaining a user characteristic value and an operating system characteristic value corresponding to the key determination request, encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain a target master key.
The key determining method, the device, the computer equipment, the storage medium and the computer program product acquire a key determining request, send the key determining request to a key center, acquire a user characteristic value and an operating system characteristic value corresponding to the key determining request based on an encrypted data key and an encrypted master key fed back by the key determining request, encrypt the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypt the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain the target master key. The encrypted data key and the encrypted master key are acquired from the key center through the key determination request, the data key is protected by the encrypted data key, the master key is protected by the encrypted master key, the safety performance of the data key and the master key is improved, then the encrypted data key and the encrypted master key are encrypted through the user characteristic value and the operating system characteristic value, the user characteristic value and the operating system characteristic value are directly acquired, the risk that the user characteristic value and the operating system characteristic value are exposed in the transmission process is avoided, the data key and the master key are encrypted again based on the user characteristic value and the operating system characteristic value, and the safety performance of the data key and the master key is further improved.
Drawings
FIG. 1 is a diagram of an application environment for a key determination method in one embodiment;
FIG. 2 is a flow diagram of a method of key determination in one embodiment;
FIG. 3 is a flow diagram of the target data key and target master key determination steps in one embodiment;
FIG. 4 is a flow chart of a target feature value determination step in one embodiment;
FIG. 5 is a flow diagram of a target data key and target master key segment preservation method in one embodiment;
FIG. 6 is a flow chart of a method for determining a key center corresponding to a key in one embodiment;
FIG. 7 is a diagram of five-fold protection of keys in one embodiment;
FIG. 8 is a flow diagram of key five-fold protection in one embodiment;
FIG. 9 is a flow diagram of a confusion algorithm in one embodiment;
FIG. 10 is a flow diagram of user feature value and operating system feature value encryption in one embodiment;
FIG. 11 is a block diagram showing a configuration of a terminal-corresponding key determining apparatus in one embodiment;
FIG. 12 is a block diagram showing a configuration of a key center corresponding key determining apparatus in one embodiment;
fig. 13 is an internal structural view of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The key determining method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on a cloud or other network server. Both the terminal and the server may be used separately to perform the key determination method provided in the embodiments of the present application. The terminal and the server may also cooperate to perform the key determination method provided in the embodiments of the present application. For example, the terminal obtains a key determination request, sends the key determination request to a key center, obtains a user characteristic value and an operating system characteristic value corresponding to the key determination request based on an encrypted data key and an encrypted master key fed back by the key determination request, encrypts the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypts the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain the target master key. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in fig. 2, a key determining method is provided, which is applicable to a computer device, and the computer device may be a terminal or a server, and is executed by the terminal or the server, and may also be implemented through interaction between the terminal and the server. The embodiment is described by taking the application of the method to the terminal as an example, and the method includes steps 202 to 208.
Step 202, a key determination request is obtained.
The key determination request refers to an instruction that the terminal sends to the key center and is used for acquiring a key from the key center. It is understood that a key acquisition request or a key update request, etc.
Illustratively, the terminal obtains a key determination request.
In one embodiment, the terminal obtains a key determination request based on a preset time interval, the key determination request being sent to a key center, and a key for updating is obtained from the key center. For example, the target terminal encrypts the data information to be encrypted using the key, updates the key of the data information to be encrypted every other week, and generates a key determination request every other week.
In one embodiment, when the terminal is started to use, a key determination request is generated, the key determination request is sent to a key center, and a key for encrypting data information to be encrypted is obtained from the key center. For example, when a POS (Point of sales) machine is started up for use, a key determination request is generated and sent to a key center.
Step 204, a key determination request is sent to a key center.
The key center is also called a key management center, is an important component in public key infrastructure, and is responsible for providing key services such as key generation, storage, backup, update, recovery, inquiry and the like for the terminal.
Illustratively, the terminal sends a key determination request to the key center.
In step 206, the obtaining key center determines the encrypted data key and the encrypted master key that are fed back by the request based on the key.
The key is a parameter, which is input in an algorithm for converting plaintext into ciphertext or converting ciphertext into plaintext. The keys may be divided into a data key and a master key. The data key is also called a working key, and is used for encrypting data information to be encrypted or decrypting encrypted data information. The master key is used for encrypting and protecting the data key or verifying whether the data key is legal or not, and the master key is divided into plaintext and ciphertext. The encrypted data key refers to a data key subjected to encryption processing. The encrypted master key refers to a master key subjected to encryption processing.
Illustratively, the key center receives the key determination request, generates an encrypted data key and an encrypted master key, and then transmits the encrypted data key and the encrypted master key to the terminal, which acquires the encrypted data key and the encrypted master key.
In one embodiment, the terminal acquires an encrypted data key and a master key fed back by a key center based on a key determination request, and the encrypted data key performs encryption processing based on the master key.
Step 208, obtaining the user characteristic value and the operating system characteristic value corresponding to the key determination request, encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain the target master key.
Wherein the user characteristic value refers to information for characterizing the user characteristic. Such as user identification, user name, etc. The operating system feature value refers to information for characterizing the terminal feature. For example, MAC (Media Access Control Address, local area network address, refer to the address of each terminal location), IP (Internet Protocol Address, internet protocol address, refer to one logical address corresponding to each terminal), and the like. The target data key is a data key obtained after the encrypted data key is subjected to encryption processing again. The target master key is a master key obtained by performing encryption processing on the encrypted master key again.
The terminal obtains a user characteristic value and an operating system characteristic value, encrypts the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypts the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain the target master key.
In one embodiment, the terminal obtains a user characteristic value and an operating system characteristic value, and then encrypts the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain the target data key. Or the terminal acquires the user characteristic value and the operating system characteristic value, and encrypts the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain the target master key.
In the key determination method, the encrypted data key and the encrypted master key are acquired from the key center through the key determination request, the encrypted data key protects the data key, the encrypted master key protects the master key, the safety performance of the data key and the master key is improved, then the encrypted data key and the encrypted master key are encrypted through the user characteristic value and the operating system characteristic value, the user characteristic value and the operating system characteristic value are directly acquired, the risk that the user characteristic value and the operating system characteristic value are exposed in the transmission process is avoided, the data key and the master key are encrypted again based on the user characteristic value and the operating system characteristic value, and the safety performance of the data key and the master key is further improved.
In one embodiment, as shown in fig. 3, encrypting the encrypted data key based on the user feature value and the operating system feature value to obtain the target data key, encrypting the encrypted master key based on the user feature value and the operating system feature value, and obtaining the target master key includes:
step 302, fusing the user characteristic value and the operating system characteristic value to obtain an initial characteristic value.
The fusion refers to a process of processing two or more data to obtain one data. For example, two or more data are subjected to processing such as splicing, adding, or multiplying. The initial characteristic value refers to data obtained by fusing the user characteristic value and the operating system characteristic value.
The terminal fuses the user characteristic value and the operating system characteristic value to obtain an initial characteristic value corresponding to the user characteristic value and the operating system characteristic value.
In one embodiment, the terminal splices the user characteristic value and the operating system characteristic value to obtain a spliced characteristic value, and then sorts the spliced characteristic value according to a preset rule to obtain an initial characteristic value.
And step 304, carrying out hash algorithm encryption and scrambling processing on the initial characteristic value to obtain a target characteristic value.
The hash algorithm encryption refers to a process of calculating data with any length by using a hash function to obtain data with a fixed length. For example, MD5 (Message-Digest Algorithm 5) is a widely used hash function that can be used to generate a 128-bit, 16-byte hash value. The scrambling process refers to a process of exchanging positions of data in data. The target feature value refers to data obtained after the initial feature value is subjected to a hash algorithm and scrambling.
The terminal encrypts the initial characteristic value by a hash algorithm to obtain a hash characteristic value, and then scrambles the hash characteristic value to obtain a target characteristic value.
Step 306, based on the target feature value, a save key is obtained.
The save key is a key for encrypting the encrypted data key and the encrypted master key.
The terminal obtains preset bit number data of the target characteristic value, and takes the preset bit number data as a storage key.
Step 308, encrypt the encrypted data key based on the save key to obtain the target data key, encrypt the encrypted master key based on the save key to obtain the target master key.
Illustratively, the terminal encrypts the encrypted data key using the save key to obtain the target data key, and encrypts the encrypted master key using the save key to obtain the target master key.
In this embodiment, the encrypted data key and the encrypted master key are encrypted by the user feature value and the operating system feature value, so that the user feature value and the operating system feature value are directly obtained, the risk that the user feature value and the operating system feature value are exposed in the transmission process is avoided, the data key and the master key are encrypted again based on the user feature value and the operating system feature value, and the security performance of the data key and the master key is further improved.
In one embodiment, as shown in fig. 4, performing hash algorithm encryption and scrambling on the initial feature value to obtain a target feature value includes:
step 402, a statistics is obtained.
Wherein, the statistics times refer to initial statistics times. It is understood that the number of statistics obtained is zero.
Illustratively, the terminal obtains the statistics.
And step 404, encrypting the initial characteristic value by a hash algorithm to obtain an intermediate characteristic value.
The intermediate characteristic value refers to data obtained by calculating an initial characteristic value by using a hash algorithm.
The terminal calculates the initial characteristic value by using a hash algorithm to obtain an intermediate characteristic value corresponding to the initial characteristic value.
Step 406, performing scrambling processing on the intermediate characteristic value based on a preset mode to obtain a reference characteristic value.
The preset mode refers to a preset disturbing rule. For example, each bit of data of the intermediate eigenvalue is shifted forward by one bit, and the first bit of data of the intermediate eigenvalue is shifted to the last bit.
The terminal performs scrambling processing on the intermediate characteristic values in a preset mode to obtain corresponding reference characteristic values.
Step 408, updating the statistics to obtain updated statistics, and comparing the updated statistics with the encryption threshold.
The encryption frequency threshold value refers to a threshold value of the encryption frequency. It is understood that the number of encryption times is set.
Illustratively, after the terminal performs step 406, the statistics are added by 1 to obtain updated statistics, and then the updated statistics are compared with the encryption count threshold.
And step 410, if the updated statistics is smaller than the encryption threshold, taking the reference characteristic value as an initial characteristic value, and returning to execute the step of encrypting the initial characteristic value by a hash algorithm to obtain an intermediate characteristic value until the updated statistics is equal to the encryption threshold, so as to obtain a target characteristic value.
The terminal compares the updated statistics with the encryption frequency threshold, and if the updated statistics is smaller than the encryption frequency threshold, the terminal returns to execute the steps 404, 406 and 408 with the reference feature value as the initial feature value until the updated statistics is equal to the encryption frequency threshold, so as to obtain the target feature value.
In this embodiment, the hash algorithm encryption and scrambling are performed on the initial feature value to obtain the target feature value, which can be understood as performing encryption on the initial feature value, so that the target feature value is prevented from being directly obtained through the user feature value and the operating system feature value, and the security of the target feature value is improved.
In one embodiment, obtaining the key determination request includes:
acquiring an initial key determination request and a sending key; and encrypting the initial key determination request based on the sending key to obtain the key determination request.
The initial key determination request refers to a key determination request generated by the terminal. It is understood that the encryption processing is not performed for the key determination request. The initial key determination request includes, but is not limited to, a user identification. The transmission key refers to a key that encrypts the initial key determination request. The sending key may be a key stored by the terminal and the key center, the terminal encrypts the initial key determination request by using the sending key, and the key center decrypts the key determination request by using the sending key to obtain the initial key determination request.
The terminal generates an initial key determination request, and then acquires a transmission key, and encrypts the initial key determination request using the transmission key to obtain the key determination request.
In this embodiment, the terminal encrypts the initial key determination request to be transmitted, so that the security of the transmission of the key determination request between the terminal and the key center is improved, and the key determination request is prevented from being exposed in the transmission process.
In one embodiment, as shown in fig. 5, the key determining method further includes:
step 502, obtaining a target confusion factor and a target random number corresponding to the user characteristic value and the operating system characteristic value.
Wherein the target confusion factor refers to a parameter that determines the number of parameter sets to which one data corresponds. For example, the target confusion factor is 5, the number of parameter sets corresponding to data with a multiple of 5 in the key is determined to be 2 according to the target confusion factor, and the number of parameter sets corresponding to data with a multiple other than 5 in the key is determined to be 1. The target random number refers to a value added to a linear regression equation to affect key segment security.
In one embodiment, the terminal fuses the user characteristic value and the operating system characteristic value to obtain a target characteristic value, the target characteristic value is subjected to hash encryption operation to obtain a first character string, the first character string is subjected to 64-bit encoding to obtain a second character string, ascending order is performed based on values corresponding to all characters in the second character string to obtain a target character string, the value corresponding to the first character in the target character string is used as a target random number, and the value corresponding to a forward character in the middle position in the target character string is used as a target confusion factor, wherein the forward character refers to one character before the character in the middle position.
The terminal obtains a user characteristic value and an operating system characteristic value, and obtains a target confusion factor and a target random number corresponding to the user characteristic value and the operating system characteristic value based on the user characteristic value and the operating system characteristic value.
Step 504, constructing a target linear regression function based on the target random number.
The target linear regression function refers to a linear regression function containing target random numbers. The construction of the target linear regression function requires participation of target random numbers, and can be set according to actual requirements. For example, if the parameter set in the actual demand needs to include 4 parameter values, the target linear regression function includes 4 parameters, and the target linear regression function may be set to m=a×x+b×y+c×d+n, where a, b, c, d is 4 parameters in the parameter set, n is a target random number, and m may be a one-bit value in the target data key or a one-bit value in the target master key.
The terminal obtains a linear regression function, and brings the target random number into the linear regression function to obtain a target linear regression function.
Step 506, for each bit of the first data in the target data key, calculating the target linear regression function based on the first data and the target confusion factor, to obtain a data parameter set corresponding to the first data.
The first data refers to a numerical value corresponding to one-bit letter in the target data key, or one-bit number. For example, the target data key is U2h1U2hlbmcwMDc, the value corresponding to U of the first bit is the first data, and 2 of the second bit is the first data. The data parameter set is a set formed by calculating a target linear regression function based on the first data and the target confusion factor, and the obtained parameter value corresponding to the parameter in the target linear regression function. For example, the target linear regression function is m=a×x+b×y+c×d+n, where a, b, c, d is 4 parameters, and the calculated set of parameter values corresponding to a, b, c, d are data parameter sets.
In one embodiment, the terminal obtains current first data corresponding to a current character in the target data key and a current bit number corresponding to the current first data, brings the current first data into a target linear regression function, brings randomly generated coefficients into the target linear regression function to obtain a linear regression equation set, solves the linear regression equation set to obtain parameter values corresponding to each parameter, and forms the parameter values into a current parameter set. Judging whether the current digit is an integer multiple of a target confusion factor, if the current digit is not the integer multiple of the target confusion factor, determining that the current first data corresponds to a parameter set, and taking the current parameter set as a data parameter set corresponding to the current first data; if the current digit is an integer multiple of the target confusion factor, a random parameter set is randomly generated, and the current parameter set and the random parameter set are used as data parameter sets corresponding to the current first data.
For each bit of first data in the target data key, the terminal calculates a target linear regression function based on the first data and the target confusion factor to obtain a data parameter set corresponding to the first data.
Step 508, for each second data in the master key, calculating the target linear regression function based on the second data and the target confusion factor, to obtain a master parameter set corresponding to the second data.
The second data refers to a numerical value corresponding to one-digit letter in the master key, or one-digit number. The main parameter set is a set formed by calculating the target linear regression function based on the second data and the target confusion factor, and the obtained parameter value corresponding to the parameter in the target linear regression function.
The terminal calculates a target linear regression function according to the second data of each bit in the master key based on the second data and the target confusion factor to obtain a master parameter set corresponding to the second data.
Step 510, storing the plurality of data parameter sets corresponding to the target data key, and storing the plurality of master parameter sets corresponding to the master key.
The terminal stores the plurality of data parameter sets corresponding to the target data key, and stores the plurality of main parameter sets corresponding to the main key.
In one embodiment, the terminal stores the target data key and the target master key in segments respectively, the terminal divides the target data key into multiple groups of data keys, stores each group of data keys in a storage address, divides the target master key into multiple groups of master keys, and stores each group of master keys in a storage address, wherein the storage address may include a registry, a configuration file, and the like. For example, the key is 32-bit data, the 32-bit data may be divided into 4 groups of 8-bit data, and each group of 8-bit data may be stored at an address.
In this embodiment, the segment storage of the target data key is realized by storing the data parameter set corresponding to the first data of each bit in the target data key, and the segment storage of the target master key is realized by storing the data parameter set corresponding to the first data of each bit in the master key, so that the exposure of the stored target data key and the target master key is avoided, and the security performance of the target data key and the target master key is further improved.
In one embodiment, as shown in fig. 6, a key determining method applied to a key center includes:
step 602, obtaining a key determination request sent by a terminal.
The terminal refers to an object for acquiring and using a key. For example, ERP (Enterprise Resource Planning ) systems, POS machines, etc. require devices that use keys.
Illustratively, the key center obtains a key determination request sent by the terminal.
Step 604, a data key and a master key are generated based on the key determination request.
Illustratively, the key center generates a data key and a master key corresponding to the user identification based on the user identification in the key determination request.
Step 606, encrypt the data key to obtain an encrypted data key, and encrypt the master key to obtain an encrypted master key.
Illustratively, the key center encrypts the data key to obtain an encrypted data key corresponding to the data key, and encrypts the master key to obtain an encrypted master key corresponding to the master key.
In one embodiment, the key center encrypts the data key based on the master key to obtain an encrypted data key corresponding to the data key, and encrypts the master key based on the fixed key to obtain an encrypted master key corresponding to the master key.
Step 608, the encrypted data key and the encrypted master key are sent to the terminal to instruct the terminal to generate a target data key according to the user characteristic value, the operating system characteristic value and the encrypted data key, and to generate a target master key according to the user characteristic value, the operating system characteristic value and the encrypted master key.
Illustratively, the key center transmits the encrypted data key and the encrypted master key to the terminal, which obtains the encrypted data key and the encrypted master key.
In one embodiment, the key center generates response information based on the encrypted data key and the encrypted master key, and transmits the response information to the terminal.
In this embodiment, the key center generates the data key and the master key based on the key determination request, then encrypts the data key and the master key to obtain the corresponding encrypted data key and encrypted master key, and encrypts and protects the data key and the master key through the encryption, so that the security performance of the data key and the master key is improved, the encrypted data key and the encrypted master key are sent to the terminal, the exposure of the data key and the master key in the transmission process is avoided, and the security performance of the data key and the master key is further improved.
In one embodiment, encrypting the data key to obtain an encrypted data key, and encrypting the master key to obtain an encrypted master key comprises:
encrypting the data key based on the master key to obtain an encrypted data key; performing confusion processing on the encrypted data key to obtain a confusion data key; and encrypting the master key based on the obfuscated data key to obtain an encrypted master key.
The confusion processing refers to calculation processing of an encrypted data key by using a confusion algorithm. The confusion processing includes, but is not limited to, scrambling processing, hash encryption processing, lowercase to uppercase processing, and the like. The confusion process can be set according to actual requirements. The obfuscated data key refers to a key obtained by performing obfuscation processing on the encrypted data key.
Illustratively, the key center encrypts the data key based on the master key to obtain an encrypted data key, then performs confusion processing on the encrypted data key to obtain a confused data key, and then encrypts the master key based on the confused data key to obtain an encrypted master key.
In this embodiment, the data key is encrypted by using the master key, so that the security performance of the data key is improved, the encrypted data key is subjected to confusion processing to obtain a confused data key, the master key is encrypted by using the confusion key, the security performance of the master key is improved, the master key is encrypted by using the confusion key, another key is not required to be additionally stored, the risk of key exposure is reduced, and the security performance of the encrypted data key and the encrypted master key is further improved.
In one embodiment, obfuscating the encrypted data key to obtain an obfuscated data key includes:
scrambling the encrypted data key to obtain an initial confusion key; encrypting the initial confusion key based on a preset encryption mode to obtain an intermediate confusion key; and determining the intermediate confusion key with the preset bit number as a confusion data key.
The preset encryption mode refers to a preset encryption algorithm. The preset encryption mode includes, but is not limited to, hash encryption, lowercase character to uppercase character encryption, base64 encryption (Base 64 is a method for representing binary data based on 64 printable characters), and other encryption methods. The preset encryption mode can be set according to actual requirements. The preset number of bits refers to a preset number of bits. For example, the preset number of bits is from 1 st bit to 32 nd bit data. The obfuscated data key refers to a key that encrypts a master key.
The key center performs scrambling processing on the encrypted data key to obtain an initial confusion key, encrypts the initial confusion key based on a preset encryption mode to obtain an intermediate confusion key, and obtains the intermediate confusion key with a preset number of bits as the confusion data key.
In this embodiment, the encrypted data key is subjected to confusion processing to obtain a confused data key, and the master key is encrypted by using the confused key, so that another key is not required to be additionally stored, the risk of key exposure is reduced, and the security performance of encrypting the master key is further improved.
In one embodiment, generating the data key and the master key based on the key determination request includes:
acquiring a sending key, decrypting the key determination request based on the sending key to obtain an initial key determination request; and obtaining the user identification corresponding to the initial key determination request, and generating a data key and a master key corresponding to the user identification.
The user identification refers to a character string corresponding to the user one by one. The user identification may be the name of the terminal.
Illustratively, the key center obtains the transmission key, decrypts the key determination request based on the transmission key, obtains the initial key determination request, obtains the user identification from the initial key determination request, and then generates the data key and the master key corresponding to the user identification.
In this embodiment, the key center decrypts the key determination request based on the sending key to obtain the user identifier corresponding to the initial key determination request, generates the data key and the master key corresponding to the user identifier, encrypts the key determination request transmitted between the terminal and the key center, reduces the risk of exposure of the initial key determination request, and improves the security performance of transmission of the key determination request.
In one embodiment, sending the encrypted data key and the encrypted master key to the terminal includes:
generating response information based on the encrypted data key and the encrypted master key; acquiring a response key, and encrypting response information based on the response key to obtain encrypted response information; and sending the encryption response information to the terminal.
The response information refers to feedback information generated by the key center based on the key determination request. The response information includes, but is not limited to, an encrypted data key and an encrypted master key. The response key refers to a key that encrypts response information. It is understood that the key center encrypts the response information using the response key, and the terminal decrypts the encrypted response information using the response key. The encrypted response information refers to response information obtained after encrypting the response information.
Illustratively, the key center generates response information based on the encrypted data key and the encrypted master key, then acquires the response key, encrypts the response information based on the response key to obtain encrypted response information, and then transmits the encrypted response information to the terminal.
In this embodiment, the key center encrypts the response information sent to the terminal, and sends the encrypted response information to the terminal, so that the risk of exposing the response information is reduced, and the security of transmitting the response information between the key center and the terminal is improved.
In an exemplary embodiment, the terminal acquires the key from the key center, and the process of storing the acquired key includes five protections as shown in fig. 7, wherein one of the protections is that the terminal encrypts the initial key determination request, so that the security performance of the transmission of the key determination request between the terminal and the key center is improved; the double protection is that the key center encrypts the data key by using the master key, so that the safety performance of the data key is improved; the triple protection is that the key center encrypts the main key by using the encrypted data key, so that the safety performance of the main key is improved, and the response information generated based on the encrypted data key and the encrypted main key is encrypted, so that the safety performance of the transmission of the response information between the key center and the terminal is improved; the quadruple protection is that after the terminal obtains the encrypted data key and the encrypted master key, the encrypted data key and the encrypted master key are encrypted again, so that the safety performance of the data key and the master key is further improved; the five-fold protection is to store the target data key and the target master key in a segmented way, so that the security performance in the storage process of the data key and the master key is improved.
The terminal acquires the key from the key center, and the flowchart of saving the acquired key is shown in fig. 8, the terminal acquires the initial key determination request and the transmission key, encrypts the initial key determination request using the transmission key to obtain the key determination request, and then transmits the key determination request to the key center. The key center obtains a key determination request, then obtains a transmission key, decrypts the key determination request by using the transmission key to obtain an initial key determination request, obtains a user identifier from the initial key determination request, generates a data key and a master key corresponding to the identifier, encrypts the data key by using the master key to obtain an encrypted data key, and carries out confusion processing on the encrypted data key by using the key center, as shown in fig. 9, obtains a confusion key, encrypts the master key by using the confusion key to obtain an encrypted master key, generates response information corresponding to the key determination request according to the encrypted data key and the encrypted master key, then obtains a response key, encrypts the response information by using the response key to obtain encrypted response information, and then sends the encrypted response information to the terminal.
The terminal receives the encryption response information, then obtains a response key, decrypts the encryption response information by using the response key to obtain an encryption data key and an encryption master key corresponding to the user identifier, obtains a user characteristic value and an operating system characteristic value, processes the user characteristic value and the operating system characteristic value as shown in fig. 10 to generate a storage key, encrypts the encryption data key by using the storage key to obtain a target data key, encrypts the encryption master key by using the storage key to obtain a target master key, and then respectively stores the target data key and the target master key in a segmented mode.
When the terminal needs to encrypt data to be encrypted by using a data key, the terminal acquires a target data key and a target master key, then acquires a user characteristic value and an operating system characteristic value, generates a storage key according to the user characteristic value and the operating system characteristic value, decrypts the target data key and the target master key by using the storage key to obtain a corresponding encrypted data key and an encrypted master key, carries out confusion processing on the encrypted data key to obtain a mixed data key, decrypts the encrypted master key by using the mixed data key to obtain the master key, decrypts the encrypted data key by using the master key to obtain the data key, and encrypts the data to be encrypted by using the data key to obtain the encrypted data corresponding to the data to be encrypted.
In the key determination method, a key determination request is acquired, the key determination request is sent to a key center, the key center acquires a user characteristic value and an operating system characteristic value corresponding to the key determination request based on an encrypted data key and an encrypted master key fed back by the key determination request, encrypts the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypts the encrypted master key to obtain the target master key. The encrypted data key and the encrypted master key are acquired from the key center through the key determination request, the data key is protected by the encrypted data key, the master key is protected by the encrypted master key, the safety performance of the data key and the master key is improved, then the encrypted data key and the encrypted master key are encrypted through the user characteristic value and the operating system characteristic value, the user characteristic value and the operating system characteristic value are directly acquired, the risk that the user characteristic value and the operating system characteristic value are exposed in the transmission process is avoided, the storage keys are generated based on the user characteristic value and the operating system characteristic value, the storage keys corresponding to different user characteristic values and the operating system characteristic value are different, the storage keys are not needed to be stored locally, the safety of the storage keys is improved, the data key and the master key are encrypted again by using the storage keys, and the safety performance of the data key and the master key is further improved.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiments of the present application also provide two key determining apparatuses for implementing the above-mentioned key determining method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of the key determining device or devices provided below may refer to the limitation of the key determining method hereinabove, and will not be repeated here.
In one embodiment, as shown in fig. 11, there is provided a key determining apparatus including: a first acquisition module 1102, a transmission module 1104, a reception module 1106, and a determination module 1108, wherein:
a first obtaining module 1102 is configured to obtain a key determination request.
A sending module 1104, configured to send the key determination request to a key center.
A receiving module 1106, configured to obtain the encrypted data key and the encrypted master key fed back by the key center based on the key determination request.
A determining module 1108, configured to obtain a user feature value and an operating system feature value corresponding to the key determining request, encrypt the encrypted data key based on the user feature value and the operating system feature value to obtain a target data key, and encrypt the encrypted master key with the user feature value and the operating system feature value to obtain the target master key.
In one embodiment, the determining module 1108 is further configured to: fusing the user characteristic value and the operating system characteristic value to obtain an initial characteristic value; carrying out hash algorithm encryption and scrambling treatment on the initial characteristic value to obtain a target characteristic value; obtaining a preservation key based on the target characteristic value; encrypting the encrypted data key based on the saved key to obtain a target data key, and encrypting the encrypted master key based on the saved key to obtain a target master key.
In one embodiment, the determining module 1108 is further configured to: acquiring statistics times; encrypting the initial characteristic value by a hash algorithm to obtain an intermediate characteristic value; performing scrambling treatment on the intermediate characteristic values based on a preset mode to obtain reference characteristic values; updating the statistics times to obtain updated statistics times, and comparing the updated statistics times with an encryption times threshold; and if the updated statistical number is smaller than the encryption number threshold, taking the reference characteristic value as an initial characteristic value, and returning to execute the step of encrypting the initial characteristic value by the hash algorithm to obtain an intermediate characteristic value until the updated statistical number is equal to the encryption number threshold to obtain a target characteristic value.
In one embodiment, the first acquisition module 1102 is further configured to: acquiring an initial key determination request and a sending key; and encrypting the initial key determination request based on the sending key to obtain a key determination request.
In one embodiment, the key determination device further comprises a saving module for: acquiring a target confusion factor and a target random number corresponding to the user characteristic value and the operating system characteristic value; constructing a target linear regression function based on the target random number; calculating a target linear regression function based on the first data and a target confusion factor aiming at each bit of first data in the target data key to obtain a data parameter set corresponding to the first data; calculating a target linear regression function according to the second data of each bit in the master key based on the second data and the target confusion factor to obtain a master parameter set corresponding to the second data; and storing a plurality of data parameter sets corresponding to the target data key and storing a plurality of main parameter sets corresponding to the main key.
In one embodiment, as shown in fig. 12, there is provided a key determining apparatus including: a second acquisition module 1202, a generation module 1204, an encryption module 1206, and a transmission module 1208, wherein:
a second obtaining module 1202, configured to obtain a key determination request sent by the terminal.
A generating module 1204, configured to generate a data key and a master key based on the key determination request.
The encryption module 1206 is configured to encrypt the data key to obtain an encrypted data key, and encrypt the master key to obtain an encrypted master key.
A transmission module 1208, configured to send the encrypted data key and the encrypted master key to the terminal, so as to instruct the terminal to generate a target data key according to a user feature value, an operating system feature value, and the encrypted data key, and generate a target master key according to the user feature value, the operating system feature value, and the encrypted master key.
In one embodiment, the encryption module 1206 is further to: encrypting the data key based on the master key to obtain an encrypted data key; performing confusion processing on the encrypted data key to obtain a confusion data key; and encrypting the master key based on the confusion data key to obtain an encrypted master key.
In one embodiment, the encryption module 1206 is further to: scrambling the encrypted data key to obtain an initial confusion key; encrypting the initial confusion key based on a preset encryption mode to obtain an intermediate confusion key; and determining the intermediate confusion key with the preset digits as a confusion data key.
In one embodiment, the generating module 1204 is further configured to: acquiring a sending key, decrypting the key determination request based on the sending key, and obtaining an initial key determination request; and obtaining the user identifier corresponding to the initial key determination request, and generating a data key and a master key corresponding to the user identifier.
In one embodiment, the transmission module 1208 is further configured to: generating response information based on the encrypted data key and the encrypted master key; acquiring a response key, and encrypting the response information based on the response key to obtain encrypted response information; and sending the encryption response information to the terminal.
The respective modules in the above-described key determination apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure thereof may be as shown in fig. 13. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a key determination method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 13 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the computer device to which the present application applies, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (14)

1. A method of key determination, the method comprising:
acquiring a key determination request;
transmitting the key determination request to a key center;
acquiring an encryption data key and an encryption master key fed back by the key center based on the key determination request;
and obtaining a user characteristic value and an operating system characteristic value corresponding to the key determination request, encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain a target master key.
2. The method of claim 1, wherein encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain a target master key comprises:
fusing the user characteristic value and the operating system characteristic value to obtain an initial characteristic value;
carrying out hash algorithm encryption and scrambling treatment on the initial characteristic value to obtain a target characteristic value;
obtaining a preservation key based on the target characteristic value;
encrypting the encrypted data key based on the saved key to obtain a target data key, and encrypting the encrypted master key based on the saved key to obtain a target master key.
3. The method of claim 2, wherein the performing hash algorithm encryption and scrambling on the initial feature value to obtain a target feature value comprises:
acquiring statistics times;
encrypting the initial characteristic value by a hash algorithm to obtain an intermediate characteristic value;
performing scrambling treatment on the intermediate characteristic values based on a preset mode to obtain reference characteristic values;
Updating the statistics times to obtain updated statistics times, and comparing the updated statistics times with an encryption times threshold;
and if the updated statistical number is smaller than the encryption number threshold, taking the reference characteristic value as an initial characteristic value, and returning to execute the step of encrypting the initial characteristic value by the hash algorithm to obtain an intermediate characteristic value until the updated statistical number is equal to the encryption number threshold to obtain a target characteristic value.
4. The method of claim 1, wherein the get key determination request comprises:
acquiring an initial key determination request and a sending key;
and encrypting the initial key determination request based on the sending key to obtain a key determination request.
5. The method of claim 1, wherein the key determination method further comprises:
acquiring a target confusion factor and a target random number corresponding to the user characteristic value and the operating system characteristic value;
constructing a target linear regression function based on the target random number;
calculating the target linear regression function according to the first data of each bit in the target data key based on the first data and the target confusion factor to obtain a data parameter set corresponding to the first data;
Calculating the target linear regression function according to the second data of each bit in the master key based on the second data and the target confusion factor to obtain a master parameter set corresponding to the second data;
and storing the plurality of data parameter sets corresponding to the target data key, and storing the plurality of main parameter sets corresponding to the main key.
6. A key determination method, applied to a key center, the method comprising:
acquiring a key determination request sent by a terminal;
generating a data key and a master key based on the key determination request;
encrypting the data key to obtain an encrypted data key, and encrypting the master key to obtain an encrypted master key;
and sending the encrypted data key and the encrypted master key to the terminal to instruct the terminal to generate a target data key according to the user characteristic value, the operating system characteristic value and the encrypted data key, and generate a target master key according to the user characteristic value, the operating system characteristic value and the encrypted master key.
7. The method of claim 6, wherein encrypting the data key to obtain an encrypted data key and encrypting the master key to obtain an encrypted master key comprises:
Encrypting the data key based on the master key to obtain an encrypted data key;
performing confusion processing on the encrypted data key to obtain a confusion data key;
and encrypting the master key based on the confusion data key to obtain an encrypted master key.
8. The method of claim 7, wherein obfuscating the encrypted data key to obtain an obfuscated data key comprises:
scrambling the encrypted data key to obtain an initial confusion key;
encrypting the initial confusion key based on a preset encryption mode to obtain an intermediate confusion key;
and determining the intermediate confusion key with the preset digits as a confusion data key.
9. The method of claim 6, wherein generating a data key and a master key based on the key determination request comprises:
acquiring a sending key, decrypting the key determination request based on the sending key, and obtaining an initial key determination request;
and obtaining the user identifier corresponding to the initial key determination request, and generating a data key and a master key corresponding to the user identifier.
10. The method of claim 6, wherein the sending the encrypted data key and the encrypted master key to the terminal comprises:
generating response information based on the encrypted data key and the encrypted master key;
acquiring a response key, and encrypting the response information based on the response key to obtain encrypted response information;
and sending the encryption response information to the terminal.
11. A key determining apparatus, the apparatus comprising:
the first acquisition module is used for acquiring the key determination request;
the sending module is used for sending the key determining request to a key center;
the receiving module is used for acquiring the encryption data key and the encryption master key which are fed back by the key center based on the key determination request;
the determining module is used for obtaining the user characteristic value and the operating system characteristic value corresponding to the key determining request, encrypting the encrypted data key based on the user characteristic value and the operating system characteristic value to obtain a target data key, and encrypting the encrypted master key based on the user characteristic value and the operating system characteristic value to obtain the target master key.
12. A key determining apparatus, for use in a key center, the apparatus comprising:
the second acquisition module is used for acquiring a key determination request sent by the terminal;
a generation module for generating a data key and a master key based on the key determination request;
the encryption module is used for encrypting the data key to obtain an encrypted data key and encrypting the master key to obtain an encrypted master key;
and the transmission module is used for sending the encrypted data key and the encrypted master key to the terminal so as to instruct the terminal to generate a target data key according to the user characteristic value, the operating system characteristic value and the encrypted data key and generate a target master key according to the user characteristic value, the operating system characteristic value and the encrypted master key.
13. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 10 when the computer program is executed.
14. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 10.
CN202310122494.XA 2023-02-02 2023-02-02 Key determination method, device, computer equipment and storage medium Pending CN116132065A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310122494.XA CN116132065A (en) 2023-02-02 2023-02-02 Key determination method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310122494.XA CN116132065A (en) 2023-02-02 2023-02-02 Key determination method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116132065A true CN116132065A (en) 2023-05-16

Family

ID=86300849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310122494.XA Pending CN116132065A (en) 2023-02-02 2023-02-02 Key determination method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116132065A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117278325A (en) * 2023-11-17 2023-12-22 临沂大学 Computer network big data safety protection method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117278325A (en) * 2023-11-17 2023-12-22 临沂大学 Computer network big data safety protection method and system
CN117278325B (en) * 2023-11-17 2024-01-26 临沂大学 Computer network big data safety protection method and system

Similar Documents

Publication Publication Date Title
KR102432299B1 (en) Systems and methods for encryption and decryption based on quantum key distribution
US9602273B2 (en) Implementing key scheduling for white-box DES implementation
US9584315B2 (en) Order-preserving encryption system, encryption device, decryption device, encryption method, decryption method, and programs thereof
CN111866018B (en) Data information encryption transmission method and device, computer equipment and storage medium
CN109474616B (en) Multi-platform data sharing method and device and computer readable storage medium
CN108491184A (en) Entropy source acquisition method, computer equipment and the storage medium of randomizer
WO2018017168A2 (en) System and method for encryption and decryption based on quantum key distribution
WO2021129470A1 (en) Polynomial-based system and method for fully homomorphic encryption of binary data
CN100561396C (en) Revise the method for digital rights object and used electronic equipment thereof
CN114785556B (en) Encryption communication method, device, computer equipment and storage medium
US11128455B2 (en) Data encryption method and system using device authentication key
WO2021098152A1 (en) Blockchain-based data processing method, device, and computer apparatus
CN111404892B (en) Data supervision method and device and server
CN114443718A (en) Data query method and system
CN116132065A (en) Key determination method, device, computer equipment and storage medium
CN114491637A (en) Data query method and device, computer equipment and storage medium
Patil et al. Pixel co-ordinate-based secret image sharing scheme with constant size shadow images
CN116049802B (en) Application single sign-on method, system, computer equipment and storage medium
CN114553556B (en) Data encryption method, device, computer equipment and storage medium
CN114398656A (en) File encryption method, file decryption method, file encryption device, file decryption device, computer equipment and storage medium
KR20170107818A (en) Data sharing system and method based on attributed re-encryption
CN117176351B (en) Data transmission processing method, system, computer equipment and storage medium
US20240187209A1 (en) Data encryption and decryption using screens and lfsr-generated logic blocks
CN114817970B (en) Data analysis method and system based on data source protection and related equipment
CN116112268A (en) Data processing method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination