CN116318996A

CN116318996A - Verification method and device for encrypted data, electronic equipment and storage medium

Info

Publication number: CN116318996A
Application number: CN202310272002.5A
Authority: CN
Inventors: 韩维; 潘葛桐
Original assignee: Industrial and Commercial Bank of China Ltd ICBC
Current assignee: Industrial and Commercial Bank of China Ltd ICBC
Priority date: 2023-03-20
Filing date: 2023-03-20
Publication date: 2023-06-23

Abstract

The invention discloses a verification method and a device thereof for encrypted data, electronic equipment and a storage medium, and relates to the field of information security, wherein the verification method comprises the following steps: receiving first encrypted data, a first encryption key, a first interference parameter, second encrypted data, a second encryption key and a second interference parameter which are sent by a payment component client, decrypting the first encryption key and the second encryption key by adopting a private key to obtain the first key and the second key respectively, decrypting the second encrypted data by adopting the second key and the second interference parameter to obtain second data, and verifying the second data based on the first key, the first interference parameter and the first encrypted data to obtain a verification result. The invention solves the technical problem of lower security caused by the fact that the integrity verification of the encrypted data cannot be carried out in the related technology.

Description

Verification method and device for encrypted data, electronic equipment and storage medium

Technical Field

The present invention relates to the field of information security, and in particular, to a method and apparatus for verifying encrypted data, an electronic device, and a storage medium.

Background

Currently, encryption algorithms in bar code payment system network requests of financial institutions are mainly divided into national encryption algorithms and non-national encryption algorithms. The national cryptographic algorithm is a pre-determined domestic cryptographic algorithm and mainly comprises the following steps: algorithms SM1, SM2, SM3, SM4, etc. The non-national cryptographic algorithm includes: symmetric encryption algorithms (e.g., AES, DES, 3DES, etc. algorithms) and asymmetric encryption algorithms (e.g., RSA, DSA, etc. algorithms).

However, encryption using a non-national encryption algorithm in a barcode payment system is slow, resulting in lower work efficiency. Although the national encryption algorithm has high safety coefficient, the use of the national encryption algorithm in the bar code payment system cannot carry out integrity verification on the encrypted data, so that the safety is lower.

In view of the above problems, no effective solution has been proposed at present.

Disclosure of Invention

The embodiment of the invention provides a verification method and device for encrypted data, electronic equipment and a storage medium, which at least solve the technical problem that the security is low because the integrity of the encrypted data cannot be verified in the related technology.

According to an aspect of the embodiment of the present invention, there is provided a method for verifying encrypted data, applied to a payment member server, where the payment member server stores a private key of a preset encryption algorithm in advance, including: receiving first encryption data, a first encryption key, a first interference parameter, second encryption data, a second encryption key and a second interference parameter which are sent by a payment component client; decrypting the first encryption key and the second encryption key by adopting the private key to respectively obtain a first key and a second key; decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data; and verifying the second data based on the first key, the first interference parameter and the first encrypted data to obtain a verification result.

Optionally, before receiving the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, and the second interference parameter sent by the payment component client, the method further includes: the payment component client generates the first key and the first interference parameter used by a first encryption strategy, wherein the payment component client stores a public key of the preset encryption algorithm in advance; the payment component client encrypts received service data by adopting the first secret key and the first interference parameter to obtain first encrypted data, wherein the service data is data sent by a payment system server; the payment component client encrypts the first key by adopting the public key to obtain the first encryption key.

Optionally, before receiving the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, and the second interference parameter sent by the payment component client, the method further includes: the payment component client generates the second key and the second interference parameter for use by a second encryption policy; the payment component client encrypts the received service data by adopting the second secret key and the second interference parameter to obtain second encrypted data; and the payment component client encrypts the second key by adopting a pre-stored public key to obtain the second encryption key.

Optionally, decrypting the first encryption key and the second encryption key by using the private key to obtain a first key and a second key respectively, including: determining the private key type of the private key, and loading a preset encryptor corresponding to the private key type; and decrypting the first encryption key and the second encryption key by adopting the preset encryption machine to obtain the first key and the second key respectively.

Optionally, the step of verifying the second data based on the first key, the first interference parameter and the first encrypted data includes: based on a first encryption strategy, encrypting the second data by adopting the first key and the first interference parameter to obtain third encrypted data; comparing the first encrypted data with the third encrypted data to obtain a comparison result; and determining that the second data passes verification when the comparison result indicates that the first encrypted data is consistent with the third encrypted data.

Optionally, after verifying the second data, obtaining a verification result, the method further includes: processing the second data to obtain processed data under the condition that the verification result indicates that verification is passed; generating a third interference parameter used by the first encryption strategy and a fourth interference parameter used by the second encryption strategy; encrypting the processing data by adopting the third interference parameter and the first key to obtain first encrypted processing data; encrypting the processing data by adopting the fourth interference parameter and the second key to obtain second encrypted processing data; and sending the third interference parameter, the fourth interference parameter, the first encryption processing data and the second encryption processing data to the payment component client.

Optionally, after sending the third interference parameter, the fourth interference parameter, the first encryption processing data, and the second encryption processing data to the payment member client, further comprising: the payment component client decrypts the second encryption processing data by adopting the second secret key and the fourth interference parameter to obtain return data; the payment component client verifies the return data based on the first key, the third interference parameter and the first encryption processing data, and returns the return data to the payment system client for display if verification is passed.

According to another aspect of the embodiment of the present invention, there is also provided a method for verifying encrypted data, applied to a payment member client, where the payment member client stores a public key of a preset encryption algorithm in advance, including: generating a first key and a first interference parameter used by a first encryption strategy, and generating a second key and a second interference parameter used by a second encryption strategy; encrypting the service data sent by the payment system server by adopting the first secret key and the first interference parameter to obtain first encrypted data, and encrypting the service data by adopting the second secret key and the second interference parameter to obtain second encrypted data; encrypting the first key and the second key by adopting the public key to respectively obtain the first encryption key and the second encryption key; the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter are sent to a payment component client, wherein the payment component client adopts a prestored private key of the preset encryption algorithm to decrypt the first encryption key and the second encryption key to obtain a first key and a second key respectively; decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data; verifying the second data based on the first key, the first interference parameter and the first encrypted data, processing the second data to obtain processed data under the condition that verification is passed, and returning the encrypted processed data to the payment component client; decrypting the encrypted processing data to obtain return data, and returning the return data to the payment system client for display under the condition that the return data passes verification.

According to another aspect of the embodiment of the present invention, there is also provided an encrypted data verification device applied to a payment member server, where the payment member server stores a private key of a preset encryption algorithm in advance, including: the receiving unit is used for receiving the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter which are sent by the payment component client; the first decryption unit is used for decrypting the first encryption key and the second encryption key by adopting the private key to respectively obtain a first key and a second key; a second decryption unit, configured to decrypt the second encrypted data using the second key and the second interference parameter, to obtain second data; and the verification unit is used for verifying the second data based on the first key, the first interference parameter and the first encrypted data to obtain a verification result.

Optionally, the verification device further includes: the first generation module is used for generating a first key used by a first encryption strategy and a first interference parameter by the payment component client before receiving the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter sent by the payment component client, wherein the public key of the preset encryption algorithm is prestored by the payment component client; the first encryption module is used for encrypting the received service data by the payment component client side through the first secret key and the first interference parameter to obtain first encrypted data, wherein the service data is data sent by a payment system server side; and the second encryption module is used for encrypting the first key by the payment component client side by adopting the public key to obtain the first encryption key.

Optionally, the verification device further includes: the second generation module is used for generating the second key and the second interference parameter used by the second encryption strategy by the payment component client before receiving the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter sent by the payment component client; the third encryption module is used for encrypting the received service data by the payment component client side through the second secret key and the second interference parameter to obtain second encrypted data; and the fourth encryption module is used for encrypting the second key by the payment component client by adopting a prestored public key to obtain the second encryption key.

Optionally, the first decryption unit includes: the first determining module is used for determining the private key type of the private key and loading a preset encryptor corresponding to the private key type; and the first decryption module is used for decrypting the first encryption key and the second encryption key by adopting the preset encryption machine to obtain the first key and the second key respectively.

Optionally, the verification unit includes: the fifth encryption module is used for encrypting the second data by adopting the first key and the first interference parameter based on the first encryption strategy to obtain third encrypted data; the first comparison module is used for comparing the first encrypted data with the third encrypted data to obtain a comparison result; and the second determining module is used for determining that the second data passes verification under the condition that the comparison result indicates that the first encrypted data is consistent with the third encrypted data.

Optionally, the verification device further includes: the first processing module is used for processing the second data to obtain processed data under the condition that the verification result indicates that the verification is passed after the second data is verified to obtain a verification result; the third generation module is used for generating a third interference parameter used by the first encryption strategy and a fourth interference parameter used by the second encryption strategy; the sixth encryption module is used for encrypting the processing data by adopting the third interference parameter and the first key to obtain first encrypted processing data; a seventh encryption module, configured to encrypt the processing data using the fourth interference parameter and the second key, to obtain second encrypted processing data; and the first sending module is used for sending the third interference parameter, the fourth interference parameter, the first encryption processing data and the second encryption processing data to the payment component client.

Optionally, the verification device further includes: the second decryption module is configured to decrypt the second encrypted processing data by using the second key and the fourth interference parameter after the third interference parameter, the fourth interference parameter, the first encrypted processing data and the second encrypted processing data are sent to the payment component client, so as to obtain return data; and the first verification module is used for verifying the return data by the payment member client based on the first key, the third interference parameter and the first encryption processing data, and returning the return data to the payment system client for display under the condition that the verification is passed.

According to another aspect of the embodiment of the present invention, there is also provided an authentication device for encrypted data, applied to a payment member client, where the payment member client stores a public key of a preset encryption algorithm in advance, including: the generating unit is used for generating a first key and a first interference parameter used by the first encryption strategy and generating a second key and a second interference parameter used by the second encryption strategy; the first encryption unit is used for encrypting the service data sent by the payment system server by adopting the first key and the first interference parameter to obtain first encrypted data, and encrypting the service data by adopting the second key and the second interference parameter to obtain second encrypted data; the second encryption unit is used for encrypting the first key and the second key by adopting the public key to respectively obtain the first encryption key and the second encryption key; a sending unit, configured to send the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, and the second interference parameter to a payment component client, where the payment component client decrypts the first encryption key and the second encryption key by using a prestored private key of the preset encryption algorithm, to obtain a first key and a second key respectively; decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data; verifying the second data based on the first key, the first interference parameter and the first encrypted data, processing the second data to obtain processed data under the condition that verification is passed, and returning the encrypted processed data to the payment component client; and the third decryption unit is used for decrypting the encrypted processing data to obtain return data, and returning the return data to the payment system client for display under the condition that the return data passes verification.

According to another aspect of the embodiment of the present invention, there is also provided a computer readable storage medium, where the computer readable storage medium includes a stored computer program, and when the computer program runs, the device where the computer readable storage medium is controlled to execute the above-mentioned method for verifying encrypted data.

According to another aspect of the embodiments of the present invention, there is also provided an electronic device including one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the above-described method for verifying encrypted data.

In the present disclosure, first encrypted data, a first encryption key, a first interference parameter, second encrypted data, a second encryption key, and a second interference parameter sent by a payment component client are received, the first encryption key and the second encryption key are decrypted by using a private key to obtain the first key and the second key, the second encrypted data is decrypted by using the second key and the second interference parameter to obtain second data, and the second data is verified based on the first key, the first interference parameter, and the first encrypted data to obtain a verification result. In the disclosure, the payment component server may first receive the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key and the second interference parameter sent by the payment component client, then decrypt the first encrypted key and the second encrypted key by using the prestored private key to obtain the first key and the second key, and then decrypt the second encrypted data by using the second key and the second interference parameter to obtain the second data, and then verify the second data according to the first key, the first interference parameter and the first encrypted data, thereby realizing the integrity verification of the encrypted data, improving the security of the data, and further solving the technical problem that the encrypted data cannot be subjected to the integrity verification in the related art, resulting in lower security.

Drawings

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:

FIG. 1 is a flow chart of an alternative method of verifying encrypted data according to an embodiment of the invention;

FIG. 2 is a flow chart of another alternative method of verifying encrypted data according to an embodiment of the invention;

FIG. 3 is a schematic diagram of a data confidentiality and integrity verification process in an alternative barcode payment system in accordance with an embodiment of the present invention;

FIG. 4 is a schematic diagram of an alternative authentication device for encrypted data according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of an alternate verification device for encrypted data in accordance with an embodiment of the invention;

fig. 6 is a block diagram of a hardware structure of an electronic device (or mobile device) for an authentication method of encrypted data according to an embodiment of the present invention.

Detailed Description

In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.

It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

To facilitate an understanding of the invention by those skilled in the art, some terms or nouns involved in the various embodiments of the invention are explained below:

barcode payment: is a quick and safe on-site payment solution provided for off-line entity merchants. The POS machine (namely the sales terminal) is not required to be installed, and the cashing can be initiated to the user by directly scanning the bar code or the two-dimensional code on the user terminal through the existing cashing system or the mobile terminal.

MAC (Message Authentication Codes) algorithm: i.e. a Hash function with a secret key, the Hash value of the message is controlled by the secret key known only to both parties of the communication.

SM1 algorithm: is a symmetric encryption algorithm.

SM2 algorithm: is an asymmetric encryption algorithm.

SM3 algorithm: i.e. message digest, is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, etc.

SM4 algorithm: i.e. the packet data algorithm of the wireless local area network standard.

Symmetric encryption algorithm: it means that encryption and decryption use the same key and are reversible (i.e., decryptable).

AES (Advanced Encryption Standard) algorithm: is an advanced encryption standard in cryptography, and adopts a symmetrical block cipher system, and the minimum support of the key length is 128.

DES (Data Encryption Standard) algorithm: is a symmetric cryptosystem in the cryptosystem.

3DES (Triple Data Encryption Algorithm) algorithm: is a mode of DES algorithm.

Asymmetric encryption algorithm: it means that encryption and decryption use different keys (public and private), so asymmetric encryption, also called public key encryption, is reversible (i.e. can be decrypted).

RSA algorithm: is an encryption algorithm based on the fact of number theory: multiplying two large primes is easy, but it is extremely difficult to factor the product thereof, so the product can be disclosed as an encryption key.

DSA (Digital Signature Algorithm) algorithm: is a variation of the signature algorithm.

It should be noted that, the method and the device for verifying encrypted data in the present disclosure may be used in the information security field under the condition of verifying the encrypted data, and may also be used in any field other than the information security field under the condition of verifying the encrypted data, and the application field of the method and the device for verifying the encrypted data in the present disclosure is not limited.

It should be noted that, related information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present disclosure are information and data authorized by a user or sufficiently authorized by each party, and the collection, use and processing of related data need to comply with related laws and regulations and standards of related countries and regions, and be provided with corresponding operation entries for the user to select authorization or rejection. For example, an interface is provided between the system and the relevant user or institution, before acquiring the relevant information, the system needs to send an acquisition request to the user or institution through the interface, and acquire the relevant information after receiving the consent information fed back by the user or institution.

The following embodiments of the present invention are applicable to various systems/applications/devices for authenticating encrypted data. The invention can be applied to the scene of network data confidentiality and integrity verification in bar code payment, can encrypt and decrypt network request data in a bar code payment system of a financial institution, further optimizes the data confidentiality and integrity on the basis of a national encryption algorithm, and effectively improves the security of the data.

The present invention will be described in detail with reference to the following examples.

Example 1

According to an embodiment of the present invention, there is provided an embodiment of a method of verifying encrypted data, it being noted that the steps shown in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that herein.

Fig. 1 is a flowchart of an alternative method of verifying encrypted data according to an embodiment of the present invention, as shown in fig. 1, the method including the steps of:

step S101, receiving first encrypted data, a first encryption key, a first interference parameter, second encrypted data, a second encryption key, and a second interference parameter sent by a payment component client.

Step S102, decrypting the first encryption key and the second encryption key by adopting the private key to obtain the first key and the second key respectively.

Step S103, decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data.

Step S104, based on the first key, the first interference parameter and the first encrypted data, the second data is verified, and a verification result is obtained.

Through the steps, the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key and the second interference parameter which are sent by the payment component client can be received, the first encrypted key and the second encrypted key are decrypted by adopting the private key to obtain the first key and the second key respectively, the second encrypted data is decrypted by adopting the second key and the second interference parameter to obtain the second data, and the second data is verified based on the first key, the first interference parameter and the first encrypted data to obtain a verification result. In the embodiment of the invention, the payment component server side can firstly receive the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key and the second interference parameter sent by the payment component client side, then adopts the prestored private key to decrypt the first encrypted key and the second encrypted key so as to obtain the first key and the second key, and then adopts the second key and the second interference parameter to decrypt the second encrypted data so as to obtain the second data, and then verifies the second data according to the first key, the first interference parameter and the first encrypted data, thereby realizing the integrity verification of the encrypted data, improving the safety of the data, and further solving the technical problem that the encrypted data cannot be subjected to the integrity verification in the related technology, so that the safety is lower.

Embodiments of the present invention will be described in detail with reference to the following steps. The following steps may be applied to a payment means server, which stores a private key of a preset encryption algorithm (e.g., SM2 algorithm) in advance.

In the embodiment of the invention, the public key of the preset encryption algorithm can be pre-embedded in the payment component client and the payment system client, the private key of the preset encryption algorithm can be pre-stored in the payment component server and the payment system server, and the private key ciphertext can be stored in an HSM (Hierarchical Storage Management ) mode.

Optionally, before receiving the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, and the second interference parameter sent by the payment component client, the method further includes: the payment component client generates a first key and a first interference parameter used by a first encryption strategy, wherein the payment component client stores a public key of a preset encryption algorithm in advance; the payment component client encrypts received service data by adopting a first secret key and a first interference parameter to obtain first encrypted data, wherein the service data is data sent by a payment system server; the payment component client encrypts the first key by using the public key to obtain a first encryption key.

In another alternative embodiment, before receiving the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, and the second interference parameter sent by the payment component client, the method further includes: the payment component client generates a second key used by the second encryption policy and a second interference parameter; the payment component client encrypts the received service data by adopting the second secret key and the second interference parameter to obtain second encrypted data; the payment component client encrypts the second key by adopting a prestored public key to obtain a second encryption key.

In the embodiment of the invention, the data confidentiality and integrity protection of the payment component client can be performed first, specifically: the payment component client may use a random number to generate a first key makKey (e.g., a working key of the SM4 algorithm) that needs to be used by the first encryption policy (e.g., a MAC algorithm), and use a random number to generate an interference factor iv1 (i.e., a first interference parameter) that needs to be used by the first encryption policy (i.e., the first key and the first interference parameter that are used by the payment component client to generate the first encryption policy), where the payment component client stores a public key of a preset encryption algorithm in advance. Then, the payment component client may use the generated makKey and iv1 to perform a first encryption policy process on the service plaintext data tranData (i.e. service data, which is a number sent by the payment system server), to generate result data ebdp_hsmpac (i.e. first encrypted data) (i.e. the payment component client encrypts the received service data by using the first key and the first interference parameter to obtain the first encrypted data). The payment component client may encrypt the makKey with a public key to obtain a ciphertext ebdp_encryptmak (i.e., a first encryption key) (i.e., the payment component client encrypts the first key with the public key to obtain the first encryption key). The payment component client may employ a random number to generate a second encryption policy (e.g. SM4 algorithm) and encrypt a second key dekKey (e.g. SM4 working key) and an interference factor iv2 (i.e. second interference parameter), and use the dekKey, iv2 to encrypt the service plaintext data tranData by using the second encryption policy (SM 4 algorithm) to obtain a service data ciphertext ebdp_k1encryptData (i.e. second encrypted data) (i.e. the payment component client employs the second key and the second interference parameter to encrypt the received service data to obtain the second encrypted data). The payment component client encrypts the secret ebdp_encryptdek (i.e., the second encryption key) with respect to the dekKey by using the public key (i.e., the payment component client encrypts the second key with the pre-stored public key to obtain the second encryption key). The ebdp_k encryptData, ebdp _ encryptDEK, ebdp _ encryptMAK, iv1, iv2, ebdp_hsmmacs are then passed to the payment component server via the https protocol (i.e. hypertext transfer security protocol).

In the embodiment of the present invention, if the first encryption policy adopts the MAC algorithm, the data to be sent to the payment component server may be formed MACELEMEMENT BLOCK (that is, the MAB, which is an encrypted hash value) from the message type to the 63 domain, and the MAB may be xored every 8 bytes (regardless of the character format in the data), and if the last 8 bytes are less than 8 bytes, "0X00" is added to complete data encryption.

In the embodiment of the invention, the payment component server may receive the first encrypted data ebdp_hsmmac, the first encrypted key ebdp_encryptmak, the first interference parameter iv1, the second encrypted data ebdp_k1encryptData, the second encrypted key ebdp_encryptdeg, and the second interference parameter iv2 sent by the payment component client, and then perform integrity verification according to the data.

Optionally, decrypting the first encryption key and the second encryption key by using the private key to obtain the first key and the second key respectively, including: determining a private key type of a private key, and loading a preset encryptor corresponding to the private key type; and decrypting the first encryption key and the second encryption key by adopting a preset encryption machine to obtain the first key and the second key respectively.

In the embodiment of the present invention, the payment component server may decrypt the first encryption key and the second encryption key by using the stored private key, to obtain the first key and the second key respectively (that is, decrypt ebdp_encryptdeg by using the private key to obtain the dekKey, decrypt encryptdeg by using the private key to obtain the makKey), and temporarily store the makKey in the memory for subsequent use, specifically: the key type may be selected (i.e., the private key type of the private key is determined) first, then a preset encryptor corresponding to the private key type is loaded, and the encrypted keys (i.e., the first encryption key and the second encryption key) are imported into the preset encryptor for decryption, so as to obtain the first key and the second key (i.e., the preset encryptor is adopted to decrypt the first encryption key and the second encryption key, so as to obtain the first key and the second key, respectively).

In the embodiment of the invention, the payment component server may decrypt the second encrypted data by using the second key and the second interference parameter to obtain the second data (that is, decrypt the service data ciphertext ebdp_k1encryptData by using the dekKey and iv2 through the second encryption policy to obtain the service plaintext data tranData).

Optionally, the step of verifying the second data based on the first key, the first interference parameter and the first encrypted data comprises: based on the first encryption strategy, encrypting the second data by adopting the first key and the first interference parameter to obtain third encrypted data; comparing the first encrypted data with the third encrypted data to obtain a comparison result; and determining that the verification of the second data is passed in the case that the comparison result indicates that the first encrypted data is consistent with the third encrypted data.

In the embodiment of the present invention, the payment component server may verify confidentiality and integrity of the second data according to the first key, the first interference parameter and the first encrypted data to obtain a verification result (i.e. verify tranData integrity by using makKey, iv1 and ebdp_hsmpac information), specifically: the verification may be performed in a manner of regenerating the first encrypted data, the first encryption policy is invoked to regenerate the MAC, whether the MAC is consistent with the sent first encrypted data is compared, if so, the verification is passed (i.e., the second data is encrypted by using the first key and the first interference parameter according to the first encryption policy to obtain third encrypted data, then the first encrypted data and the third encrypted data are compared to obtain a comparison result, if the comparison result indicates that the first encrypted data is consistent with the third encrypted data, the verification of the second data is determined to be passed), otherwise, the verification is not passed.

Optionally, after verifying the second data, obtaining a verification result, the method further includes: processing the second data to obtain processed data when the verification result indicates that the verification is passed; generating a third interference parameter used by the first encryption strategy and a fourth interference parameter used by the second encryption strategy; encrypting the processed data by adopting the third interference parameter and the first key to obtain first encrypted processed data; encrypting the processed data by adopting the fourth interference parameter and the second key to obtain second encrypted processed data; the third interference parameter, the fourth interference parameter, the first encryption processing data and the second encryption processing data are sent to the payment component client.

In the embodiment of the invention, if the verification result indicates that the verification is passed, the payment component server side can process the second data to obtain the processed data. The payment component server may then use the random number to generate the interference factor iv3 (i.e., the third interference parameter) used by the first encryption policy, and use the random number to generate the interference factor iv4 (i.e., the fourth interference parameter) used by the second encryption policy. And then, performing first encryption policy processing on data plaintext responserData (i.e. processing data) to be returned by using a makKey (i.e. a first key) and iv3 (i.e. a third interference parameter) stored in a memory of a payment component server side, and generating ebdp_responsenHsm MAC (i.e. first encryption processing data). And performing second encryption policy processing on the data plaintext response data to be returned by using a dekKey (namely a second key) and iv4 (namely a fourth interference parameter) stored in a memory of a payment component server to obtain a service data ciphertext_encryptingresponse data (namely second encryption processing data). The ebdp_ responseHsmMAC, ebdp _ encryptResponseData, iv3, iv4 is then synchronously returned to the payment means client (i.e. the third interference parameter, the fourth interference parameter, the first encryption processing data and the second encryption processing data are sent to the payment means client).

Optionally, after sending the third interference parameter, the fourth interference parameter, the first encryption processing data, and the second encryption processing data to the payment member client, further comprising: the payment component client decrypts the second encrypted processing data by adopting the second secret key and the fourth interference parameter to obtain return data; the payment component client verifies the return data based on the first key, the third interference parameter and the first encryption processing data, and returns the return data to the payment system client for display under the condition that the verification is passed.

In the embodiment of the invention, the payment component client can decrypt the service data ciphertext ebdp_encryptdresposensiata to obtain responseData (i.e. return data) by using the dekKey and iv4 (i.e. the payment component client adopts the second key and the fourth interference parameter to decrypt the second encrypted processing data to obtain the return data). The payment component client can then verify the integrity of the responseData (i.e., the payment component client verifies the returned data based on the first key, the third interference parameter, and the first encryption processing data) using the makKey, iv3, and ebdp_responsehsm mac information. If the verification is passed, the return data can be returned to the payment system client for presentation.

In the embodiment, the network request data in the bar code payment system of the financial institution can be encrypted and decrypted, the confidentiality and integrity of the data are further optimized on the basis of a national encryption algorithm, and the safety of the data is effectively improved.

Example two

There is also provided, in accordance with an embodiment of the present invention, an embodiment of a method of verifying encrypted data, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and that, although a logical sequence is shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than what is shown or described herein.

Fig. 2 is a flow chart of another alternative method of verifying encrypted data according to an embodiment of the invention, as shown in fig. 2, the method comprising the steps of:

step S201, generating a first key and a first interference parameter used by the first encryption policy, and generating a second key and a second interference parameter used by the second encryption policy.

Step S202, the service data sent by the payment system server side is encrypted by adopting a first secret key and a first interference parameter to obtain first encrypted data, and the service data is encrypted by adopting a second secret key and a second interference parameter to obtain second encrypted data.

In step S203, the first key and the second key are encrypted by using the public key, so as to obtain the first encryption key and the second encryption key, respectively.

Step S204, the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter are sent to a payment component client, wherein the payment component client adopts a prestored private key of a preset encryption algorithm to decrypt the first encryption key and the second encryption key to respectively obtain the first key and the second key; decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data; and verifying the second data based on the first key, the first interference parameter and the first encrypted data, processing the second data to obtain processed data under the condition that verification is passed, and returning the encrypted processed data to the payment member client.

Step S205, the encrypted processing data is decrypted to obtain the return data, and the return data is returned to the payment system client for display under the condition that the return data is verified.

Through the steps, the first key and the first interference parameter used by the first encryption strategy can be generated, the second key and the second interference parameter used by the second encryption strategy are generated, the first key and the first interference parameter are adopted to encrypt service data sent by the payment system server to obtain first encrypted data, the second key and the second interference parameter are adopted to encrypt the service data to obtain second encrypted data, the first key and the second key are adopted to encrypt the first key and the second key to respectively obtain the first encryption key and the second encryption key, the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key and the second interference parameter are sent to the payment component client, the encrypted processing data is decrypted to obtain return data, and the return data is returned to the payment system client for display under the condition that the return data passes verification. In the embodiment of the invention, the payment component client can firstly generate the first key, the first interference parameter and the second key and the second interference parameter used by the first encryption strategy, encrypt the service data sent by the payment system server by adopting the first key and the first interference parameter to obtain the first encrypted data, encrypt the service data by adopting the second key and the second interference parameter to obtain the second encrypted data, encrypt the first key and the second key by adopting the prestored public key to obtain the first encrypted key and the second encrypted key, send the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key and the second interference parameter to the payment component client, so that the payment component server verifies the integrity of the encrypted data, verifies the decrypted data, returns the encrypted processed data, decrypts the returned data, verifies the integrity of the returned data, and realizes the verification of the integrity of the encrypted data, improves the safety of the encrypted data, and further solves the problem that the safety of the encrypted data cannot be verified by adopting the technology.

Embodiments of the present invention will be described in detail with reference to the following steps. The following steps may be applied to a payment means client, which stores a public key of a preset encryption algorithm (e.g., SM2 algorithm) in advance.

In the embodiment of the invention, the payment component client can adopt a random number to generate a first key makKey (such as a working key of an SM4 algorithm) needed by a first encryption strategy (such as a MAC algorithm), adopt a random number to generate an interference factor iv1 (namely a first interference parameter) needed by the first encryption strategy, and adopt a random number to generate a second key dekKey (such as an SM4 working key) and an interference factor iv2 (namely a second interference parameter) used by a second encryption strategy (such as an SM4 algorithm) for encryption.

In the embodiment of the present invention, the payment component client may use the generated makKey and iv1 to perform a first encryption policy process for service plaintext data tranData (i.e. service data, which is a number sent by the payment system server), and generate result data ebdp_hsmMAC (i.e. first encryption data). And performing second encryption strategy (SM 4 algorithm) encryption on the service plaintext data tranData by using the dekKey and the dekKey iv2 to obtain service data ciphertext ebdp_K1encryptData (namely second encrypted data).

In the embodiment of the invention, the payment component client can adopt a public key to encrypt the makKey to obtain the ciphertext ebdp_encryptmak (namely, a first encryption key), and use the public key to encrypt the dekKey to obtain the ciphertext ebdp_encryptdek (namely, a second encryption key) (namely, adopt the public key to encrypt the first key and the second key to respectively obtain the first encryption key and the second encryption key).

In the embodiment of the present invention, the payment component client may transmit ebdp_k encryptData, ebdp _ encryptDEK, ebdp _ encryptMAK, iv1, iv2, ebdp_hsmmac to the payment component server (i.e. send the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key, and the second interference parameter to the payment component client) through https protocol (i.e. hypertext transfer security protocol). The payment component server may decrypt the first encryption key and the second encryption key using the stored private key to obtain the first key and the second key (i.e., decrypt ebdp_encryptdeg to obtain the dekKey using the private key, decrypt encryptdeg to obtain the makKey using the private key), and temporarily store the first key and the second key in the memory for subsequent use. The payment component server may then decrypt the second encrypted data using the second key and the second interference parameter to obtain second data (i.e., decrypt the service data ciphertext ebdp_k1encryptData using the second encryption policy to obtain service plaintext data tranData), and verify confidentiality and integrity of the second data according to the first key, the first interference parameter, and the first encrypted data to obtain a verification result (i.e., verify tranData integrity using the makKey, iv1, and ebdp_hsmmac information). If the verification result indicates that the verification is passed, the payment component server may process the second data to obtain processed data, and then the payment component server may generate an interference factor iv3 (i.e., a third interference parameter) used by the first encryption policy using a random number, and generate an interference factor iv4 (i.e., a fourth interference parameter) used by the second encryption policy using a random number. And then, performing first encryption policy processing on data plaintext responserData (i.e. processing data) to be returned by using a makKey (i.e. a first key) and iv3 (i.e. a third interference parameter) stored in a memory of a payment component server side, and generating ebdp_responsenHsm MAC (i.e. first encryption processing data). And performing second encryption policy processing on the data plaintext response data to be returned by using a dekKey (namely a second key) and iv4 (namely a fourth interference parameter) stored in a memory of a payment component server to obtain a service data ciphertext_encryptingresponse data (namely second encryption processing data). The ebdp responseHsmMAC, ebdp encryptResponseData, iv, iv4 is then synchronously returned to the payment member client (i.e. and the encrypted processing data is returned to the payment member client).

In the embodiment of the invention, the payment component client can decrypt the service data ciphertext ebdp_encryptdresposensiata to obtain the responseData (namely, return data) by using the dekKey and iv4 (namely, decrypt the encrypted processing data to obtain the return data). The payment component client can then verify the integrity of the responseData using the makKey, iv3 and ebdp_responsehsm mac information, and if the verification passes, return data can be returned to the payment system client for presentation (i.e. in the case of verification of return data passed, return data is returned to the payment system client for presentation).

The following detailed description is directed to alternative embodiments.

FIG. 3 is a schematic diagram of a data confidentiality and integrity verification process in an alternative barcode payment system according to an embodiment of the present invention, as shown in FIG. 3, comprising: the interaction flow among the modules is as follows:

(1) The method comprises the steps that a client terminal starts a payment system, a payment system client terminal carries out parameter loading, a payment system server terminal reads parameters, after the main interface of the payment system client terminal is loaded, the client terminal carries out code scanning, the payment system client terminal initializes a payment component, a preset SM2 public key is transmitted, parameter information is transmitted to the payment component for component initialization, and service data tranData is transmitted to the payment component client terminal for integrity verification after the payment component initialization is completed.

(2) The payment component client randomly generates an SM4 working key makKey used by MAC, randomly generates an interference factor iv1 used by MAC, uses makKey, iv1 to perform MAC processing on service plaintext data tranData, generates MAC data ebdp_hsmMAC, encrypts the makKey by using an SM2 public key to obtain ciphertext ebdp_encryptmak, then randomly generates an SM4 working key dekKey used by encryption, randomly generates an interference factor iv2 used by SM4 encryption, encrypts the tranData by using the dekKey to obtain service data ciphertext ebdp_K1encryptdata, and encrypts the dekKey by using an SM2 public key to obtain ciphertext ebdp_encryptdak. Thereafter, the ebdp_k encryptData, ebdp _ encryptDEK, ebdp _ encryptMAK, iv1, iv2, ebdp_hsmmacs are delivered to the payment means server.

(3) The payment component server decrypts the ebdp_encryptdeg by using the SM2 private key to obtain an SM4 working key dekKey, temporarily stores the SM4 working key dekKey in a memory, decrypts the service data ciphertext ebdp_K1encryptData by using the dekKey and iv2 in an SM4 mode to obtain tranData, decrypts the ebdp_encryptmak by using the SM2 private key to obtain an SM4 working key makKey, stores the SM4 working key makKey in the memory, and verifies the integrity of the tranData by using the makKey, iv1 and ebdp_hsmMAC information. And then carrying out service processing, randomly generating an interference factor iv3 used for SM4 encryption, carrying out MAC processing on a service data plaintext responseData by using an SM4 working key makKey stored in a memory, generating an ebdp_responseHsm MAC, randomly generating an interference factor iv4 used for SM4 encryption, carrying out SM4 encryption processing on a responseData by using an SM4 working key dekKey stored in the memory, and iv4 to obtain a service data ciphertext ebdp_encrypteResponseData. Thereafter, the ebdp_ responseHsmMAC, ebdp _ encryptResponseData, iv3, iv4 is passed to the payment member client.

(4) The payment component client decrypts the service data ciphertext ebdp_encryptdresposensiata by using the dekKey and iv4 to obtain responsedrata, verifies the integrity of the responsedrata by using the makKey, iv3 and ebdp_responsehsm MAC information, and sends the responsedrata information to the payment component for parameter analysis after the integrity verification is passed.

(5) After the payment component is analyzed, the analysis result is sent to the payment system client for page display.

The following describes in detail another embodiment.

Example III

The verification device for encrypted data provided in this embodiment includes a plurality of implementation units, each of which corresponds to each implementation step in the first embodiment.

Fig. 4 is a schematic diagram of an alternative verification device for encrypting data according to an embodiment of the present invention, as shown in fig. 4, the verification device may include: a receiving unit 40, a first decryption unit 41, a second decryption unit 42, a verification unit 43, wherein,

a receiving unit 40, configured to receive the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, and the second interference parameter sent by the payment component client;

a first decryption unit 41, configured to decrypt the first encryption key and the second encryption key by using the private key, to obtain the first key and the second key, respectively;

a second decryption unit 42, configured to decrypt the second encrypted data using the second key and the second interference parameter, to obtain second data;

the verification unit 43 is configured to verify the second data based on the first key, the first interference parameter and the first encrypted data, and obtain a verification result.

In the verification device, the receiving unit 40 may receive the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key, and the second interference parameter sent by the payment component client, the first decrypting unit 41 may decrypt the first encrypted key and the second encrypted key to obtain the first key and the second key, the second decrypting unit 42 may decrypt the second encrypted data to obtain the second data, and the verifying unit 43 may verify the second data based on the first key, the first interference parameter, and the first encrypted data to obtain the verification result. In the embodiment of the invention, the payment component server side can firstly receive the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key and the second interference parameter sent by the payment component client side, then adopts the prestored private key to decrypt the first encrypted key and the second encrypted key so as to obtain the first key and the second key, and then adopts the second key and the second interference parameter to decrypt the second encrypted data so as to obtain the second data, and then verifies the second data according to the first key, the first interference parameter and the first encrypted data, thereby realizing the integrity verification of the encrypted data, improving the safety of the data, and further solving the technical problem that the encrypted data cannot be subjected to the integrity verification in the related technology, so that the safety is lower.

Optionally, the verification device further includes: the first generation module is used for generating a first key used by a first encryption strategy and a first interference parameter by the payment component client before receiving the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter sent by the payment component client, wherein the payment component client stores a public key of a preset encryption algorithm in advance; the first encryption module is used for encrypting the received service data by the payment component client side by adopting a first secret key and a first interference parameter to obtain first encrypted data, wherein the service data is data sent by the payment system server side; and the second encryption module is used for encrypting the first key by the payment component client side by adopting the public key to obtain the first encryption key.

Optionally, the verification device further includes: the second generation module is used for generating a second key and a second interference parameter used by the second encryption strategy by the payment component client before receiving the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter sent by the payment component client; the third encryption module is used for encrypting the received service data by the payment component client side by adopting the second secret key and the second interference parameter to obtain second encrypted data; and the fourth encryption module is used for encrypting the second key by the payment component client by adopting the prestored public key to obtain the second encryption key.

Optionally, the first decryption unit includes: the first determining module is used for determining the private key type of the private key and loading a preset encryptor corresponding to the private key type; the first decryption module is used for decrypting the first encryption key and the second encryption key by adopting a preset encryption machine to respectively obtain the first key and the second key.

Optionally, the verification unit includes: the fifth encryption module is used for encrypting the second data by adopting the first key and the first interference parameter based on the first encryption strategy to obtain third encrypted data; the first comparison module is used for comparing the first encrypted data with the third encrypted data to obtain a comparison result; and the second determining module is used for determining that the verification of the second data is passed when the comparison result indicates that the first encrypted data is consistent with the third encrypted data.

Optionally, the verification device further includes: the first processing module is used for processing the second data to obtain processed data under the condition that the verification result indicates that the verification is passed after the second data is verified to obtain a verification result; the third generation module is used for generating a third interference parameter used by the first encryption strategy and a fourth interference parameter used by the second encryption strategy; the sixth encryption module is used for encrypting the processed data by adopting the third interference parameter and the first key to obtain first encrypted processed data; the seventh encryption module is used for encrypting the data by adopting the fourth interference parameter and the second key to obtain second encrypted data; and the first sending module is used for sending the third interference parameter, the fourth interference parameter, the first encryption processing data and the second encryption processing data to the payment component client.

Optionally, the verification device further includes: the second decryption module is used for decrypting the second encryption processing data by adopting the second secret key and the fourth interference parameter after the third interference parameter, the fourth interference parameter, the first encryption processing data and the second encryption processing data are sent to the payment component client side, so as to obtain return data; and the first verification module is used for verifying the return data by the payment component client based on the first key, the third interference parameter and the first encryption processing data, and returning the return data to the payment system client for display under the condition that the verification is passed.

The above-mentioned authentication apparatus may further include a processor and a memory, and the above-mentioned receiving unit 40, the first decrypting unit 41, the second decrypting unit 42, the authentication unit 43, and the like are stored in the memory as program units, and the processor executes the above-mentioned program units stored in the memory to realize the corresponding functions.

The processor includes a kernel, and the kernel fetches a corresponding program unit from the memory. The kernel may set one or more kernel parameters to verify the second data based on the first key, the first interference parameter and the first encrypted data by adjusting the kernel parameters, to obtain a verification result.

The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM), which includes at least one memory chip.

The present application also provides a computer program product adapted to perform, when executed on a data processing device, a program initialized with the method steps of: receiving first encrypted data, a first encryption key, a first interference parameter, second encrypted data, a second encryption key and a second interference parameter which are sent by a payment component client, decrypting the first encryption key and the second encryption key by adopting a private key to obtain the first key and the second key respectively, decrypting the second encrypted data by adopting the second key and the second interference parameter to obtain second data, and verifying the second data based on the first key, the first interference parameter and the first encrypted data to obtain a verification result.

Example IV

The other verification device for encrypted data provided in the present embodiment includes a plurality of implementation units, each of which corresponds to each implementation step in the second embodiment.

Fig. 5 is a schematic diagram of another alternative verification apparatus for encrypting data according to an embodiment of the present invention, which may include, as shown in fig. 5: a generation unit 50, a first encryption unit 51, a second encryption unit 52, a transmission unit 53, a third decryption unit 54, wherein,

a generating unit 50, configured to generate a first key and a first interference parameter used by a first encryption policy, and generate a second key and a second interference parameter used by a second encryption policy;

the first encryption unit 51 is configured to encrypt the service data sent by the payment system server with a first key and a first interference parameter to obtain first encrypted data, and encrypt the service data with a second key and a second interference parameter to obtain second encrypted data;

a second encryption unit 52, configured to encrypt the first key and the second key with public keys, to obtain a first encryption key and a second encryption key, respectively;

a sending unit 53, configured to send the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key, and the second interference parameter to a payment component client, where the payment component client uses a pre-stored private key of a preset encryption algorithm to decrypt the first encrypted key and the second encrypted key to obtain the first key and the second key respectively; decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data; verifying the second data based on the first key, the first interference parameter and the first encrypted data, processing the second data to obtain processed data under the condition that verification is passed, and returning the encrypted processed data to the payment member client;

And the third decryption unit 54 is configured to decrypt the encrypted processing data to obtain return data, and return the return data to the payment system client for display if the return data passes verification.

In the verification device, the generation unit 50 may generate the first key and the first interference parameter used by the first encryption policy, generate the second key and the second interference parameter used by the second encryption policy, encrypt the service data sent by the payment system server with the first key and the first interference parameter by the first encryption unit 51 to obtain first encrypted data, encrypt the service data with the second key and the second interference parameter to obtain second encrypted data, encrypt the first key and the second key with the public key by the second encryption unit 52 to obtain the first encrypted key and the second encrypted key respectively, send the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key and the second interference parameter to the payment member client by the sending unit 53, decrypt the encrypted processed data by the third decryption unit 54 to obtain return data, and return the return data to the payment system client for display if the return data passes verification. In the embodiment of the invention, the payment component client can firstly generate the first key, the first interference parameter and the second key and the second interference parameter used by the first encryption strategy, encrypt the service data sent by the payment system server by adopting the first key and the first interference parameter to obtain the first encrypted data, encrypt the service data by adopting the second key and the second interference parameter to obtain the second encrypted data, encrypt the first key and the second key by adopting the prestored public key to obtain the first encrypted key and the second encrypted key, send the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key and the second interference parameter to the payment component client, so that the payment component server verifies the integrity of the encrypted data, verifies the decrypted data, returns the encrypted processed data, decrypts the returned data, verifies the integrity of the returned data, and realizes the verification of the integrity of the encrypted data, improves the safety of the encrypted data, and further solves the problem that the safety of the encrypted data cannot be verified by adopting the technology.

The above-described authentication apparatus may further include a processor and a memory, and the above-described generating unit 50, the first encrypting unit 51, the second encrypting unit 52, the transmitting unit 53, the third decrypting unit 54, and the like are stored in the memory as program units, and the processor executes the above-described program units stored in the memory to realize the corresponding functions.

The processor includes a kernel, and the kernel fetches a corresponding program unit from the memory. The kernel can set one or more than one, the encrypted processing data is decrypted by adjusting the kernel parameters to obtain the return data, and the return data is returned to the payment system client for display under the condition that the return data is verified.

The present application also provides a computer program product adapted to perform, when executed on a data processing device, a program initialized with the method steps of: generating a first key and a first interference parameter used by a first encryption strategy, generating a second key and a second interference parameter used by a second encryption strategy, encrypting service data sent by a payment system server by adopting the first key and the first interference parameter to obtain first encrypted data, encrypting the service data by adopting the second key and the second interference parameter to obtain second encrypted data, encrypting the first key and the second key by adopting a public key to respectively obtain the first encrypted key and the second encrypted key, sending the first encrypted data, the first encrypted key, the first interference parameter, the second encrypted data, the second encrypted key and the second interference parameter to a payment component client, decrypting the encrypted processing data to obtain return data, and returning the return data to the payment system client for display under the condition that the return data passes verification.

According to another aspect of the embodiment of the present invention, there is also provided a computer readable storage medium, including a stored computer program, where the computer program is executed to control a device in which the computer readable storage medium is located to perform the above-described method for verifying encrypted data.

Fig. 6 is a block diagram of a hardware structure of an electronic device (or mobile device) for an authentication method of encrypted data according to an embodiment of the present invention. As shown in fig. 6, the electronic device may include one or more processors 602 (shown in fig. 6 as 602a, 602b, … …,602 n) (the processor 602 may include, but is not limited to, a microprocessor MCU, a programmable logic device FPGA, etc.) and a memory 604 for storing data. In addition, the method may further include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a keyboard, a power supply, and/or a camera. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 6 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the electronic device may also include more or fewer components than shown in FIG. 6, or have a different configuration than shown in FIG. 6.

The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.

In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.

In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.

The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.

The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims

1. The verification method of the encrypted data is characterized by being applied to a payment component server, wherein the payment component server stores a private key of a preset encryption algorithm in advance and comprises the following steps:

receiving first encryption data, a first encryption key, a first interference parameter, second encryption data, a second encryption key and a second interference parameter which are sent by a payment component client;

decrypting the first encryption key and the second encryption key by adopting the private key to respectively obtain a first key and a second key;

decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data;

and verifying the second data based on the first key, the first interference parameter and the first encrypted data to obtain a verification result.

2. The authentication method of claim 1, further comprising, prior to receiving the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, the second interference parameter sent by the payment component client:

The payment component client generates the first key and the first interference parameter used by a first encryption strategy, wherein the payment component client stores a public key of the preset encryption algorithm in advance;

the payment component client encrypts received service data by adopting the first secret key and the first interference parameter to obtain first encrypted data, wherein the service data is data sent by a payment system server;

the payment component client encrypts the first key by adopting the public key to obtain the first encryption key.

3. The authentication method of claim 1, further comprising, prior to receiving the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, the second interference parameter sent by the payment component client:

the payment component client generates the second key and the second interference parameter for use by a second encryption policy;

the payment component client encrypts the received service data by adopting the second secret key and the second interference parameter to obtain second encrypted data;

And the payment component client encrypts the second key by adopting a pre-stored public key to obtain the second encryption key.

4. The authentication method according to claim 1, wherein decrypting the first encryption key and the second encryption key using the private key, respectively, results in a first key and a second key, comprising:

determining the private key type of the private key, and loading a preset encryptor corresponding to the private key type;

and decrypting the first encryption key and the second encryption key by adopting the preset encryption machine to obtain the first key and the second key respectively.

5. The authentication method according to claim 1, characterized in that the step of authenticating the second data based on the first key, the first interference parameter and the first encrypted data comprises:

based on a first encryption strategy, encrypting the second data by adopting the first key and the first interference parameter to obtain third encrypted data;

comparing the first encrypted data with the third encrypted data to obtain a comparison result;

and determining that the second data passes verification when the comparison result indicates that the first encrypted data is consistent with the third encrypted data.

6. The authentication method according to claim 1, further comprising, after the second data is authenticated, after obtaining an authentication result:

processing the second data to obtain processed data under the condition that the verification result indicates that verification is passed;

generating a third interference parameter used by the first encryption strategy and a fourth interference parameter used by the second encryption strategy;

encrypting the processing data by adopting the third interference parameter and the first key to obtain first encrypted processing data;

encrypting the processing data by adopting the fourth interference parameter and the second key to obtain second encrypted processing data;

and sending the third interference parameter, the fourth interference parameter, the first encryption processing data and the second encryption processing data to the payment component client.

7. The authentication method according to claim 6, further comprising, after transmitting the third interference parameter, the fourth interference parameter, the first encryption processing data, and the second encryption processing data to the payment means client:

the payment component client decrypts the second encryption processing data by adopting the second secret key and the fourth interference parameter to obtain return data;

The payment component client verifies the return data based on the first key, the third interference parameter and the first encryption processing data, and returns the return data to the payment system client for display if verification is passed.

8. The verification method of the encrypted data is characterized by being applied to a payment component client, wherein the payment component client stores a public key of a preset encryption algorithm in advance and comprises the following steps:

generating a first key and a first interference parameter used by a first encryption strategy, and generating a second key and a second interference parameter used by a second encryption strategy;

encrypting the service data sent by the payment system server by adopting the first secret key and the first interference parameter to obtain first encrypted data, and encrypting the service data by adopting the second secret key and the second interference parameter to obtain second encrypted data;

encrypting the first key and the second key by adopting the public key to respectively obtain the first encryption key and the second encryption key;

the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter are sent to a payment component client, wherein the payment component client adopts a prestored private key of the preset encryption algorithm to decrypt the first encryption key and the second encryption key to obtain a first key and a second key respectively; decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data; verifying the second data based on the first key, the first interference parameter and the first encrypted data, processing the second data to obtain processed data under the condition that verification is passed, and returning the encrypted processed data to the payment component client;

Decrypting the encrypted processing data to obtain return data, and returning the return data to the payment system client for display under the condition that the return data passes verification.

9. The verification device of the encrypted data is characterized by being applied to a payment component server, wherein the payment component server stores a private key of a preset encryption algorithm in advance and comprises:

the receiving unit is used for receiving the first encryption data, the first encryption key, the first interference parameter, the second encryption data, the second encryption key and the second interference parameter which are sent by the payment component client;

the first decryption unit is used for decrypting the first encryption key and the second encryption key by adopting the private key to respectively obtain a first key and a second key;

a second decryption unit, configured to decrypt the second encrypted data using the second key and the second interference parameter, to obtain second data;

and the verification unit is used for verifying the second data based on the first key, the first interference parameter and the first encrypted data to obtain a verification result.

10. An authentication apparatus for encrypted data, characterized by being applied to a payment means client, the payment means client having stored in advance a public key of a preset encryption algorithm, comprising:

The generating unit is used for generating a first key and a first interference parameter used by the first encryption strategy and generating a second key and a second interference parameter used by the second encryption strategy;

the first encryption unit is used for encrypting the service data sent by the payment system server by adopting the first key and the first interference parameter to obtain first encrypted data, and encrypting the service data by adopting the second key and the second interference parameter to obtain second encrypted data;

the second encryption unit is used for encrypting the first key and the second key by adopting the public key to respectively obtain the first encryption key and the second encryption key;

a sending unit, configured to send the first encrypted data, the first encryption key, the first interference parameter, the second encrypted data, the second encryption key, and the second interference parameter to a payment component client, where the payment component client decrypts the first encryption key and the second encryption key by using a prestored private key of the preset encryption algorithm, to obtain a first key and a second key respectively; decrypting the second encrypted data by adopting the second secret key and the second interference parameter to obtain second data; verifying the second data based on the first key, the first interference parameter and the first encrypted data, processing the second data to obtain processed data under the condition that verification is passed, and returning the encrypted processed data to the payment component client;

And the third decryption unit is used for decrypting the encrypted processing data to obtain return data, and returning the return data to the payment system client for display under the condition that the return data passes verification.

11. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored computer program, wherein the computer program, when run, controls a device in which the computer readable storage medium is located to perform the method of verifying encrypted data according to any one of claims 1 to 8.

12. An electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of verifying encrypted data of any of claims 1-8.