CN116611098A - File encryption mobile storage method and system, storage medium and electronic equipment - Google Patents

Info

Publication number
CN116611098A
Authority
CN
China
Prior art keywords
key
mobile storage
authentication
storage device
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310889704.8A
Other languages
Chinese (zh)
Other versions
CN116611098B (en)
Inventor
何传亮
金闪
周富满
谢孟凯
李倩
学健
林勇
张华民
李秉伦
贾继儒
李方伟
邵明辰
郑晓静
靳海涛
张冰琦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dianke Zhixin Technology Co ltd
Original Assignee
Beijing Dianke Zhixin Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Dianke Zhixin Technology Co ltd
Priority to CN202310889704.8A
Publication of CN116611098A
Application granted
Publication of CN116611098B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a file encryption mobile storage method and system, a storage medium and electronic equipment, wherein the method comprises the following steps: acquiring first identity information of a user through a mobile storage device, and carrying out first authentication on the user according to the first identity information; after the first authentication is successful, the digital certificate and the first key are read from the mobile storage device, and the digital certificate and the first key are utilized to carry out the second authentication on the user; after the second authentication is successful, the filled service information is received through a preset service system, and a target file is generated according to the service information; and encrypting the target file and storing the target file in a mobile storage device. The method greatly improves the security of the target file generated during the internet online transaction.

Description

File encryption mobile storage method and system, storage medium and electronic equipment
Technical Field
The present invention relates to the field of information and network security, and in particular, to a method and system for encrypting and storing files, a storage medium, and an electronic device.
Background
With the increasing frequency of online business such as e-government, online transactions, bidding and power transactions, the security of important data generated in system transactions, such as business data and user information, has become an increasingly prominent problem.
In the related art, PKI (public key infrastructure) technology and digital certificate authentication technology are commonly adopted: a client inserts a USBKEY and enters a PIN code to log in to an internet online transaction system, and a third-party CA (Certification Authority) is called to authenticate the user's identity, so the password is easy to crack. Meanwhile, important files filled in through the internet online transaction system are generally stored on a computer connected to the public network and are backed up in stages according to each organization's requirements, so it is difficult to ensure that important information is not leaked during the backup period.
Disclosure of Invention
The present invention aims to solve at least one of the technical problems in the related art to some extent. Therefore, an object of the present invention is to provide a method for encrypting and storing files, which greatly improves the security of internet online transactions and target files generated during transactions.
A second object of the present invention is to propose a computer readable storage medium.
A third object of the present invention is to propose an electronic device.
A fourth object of the present invention is to provide a mobile storage system.
In order to achieve the above object, an embodiment of a first aspect of the present invention provides a file encryption mobile storage method, the method comprising: acquiring first identity information of a user through a mobile storage device, and performing a first authentication on the user according to the first identity information; after the first authentication succeeds, reading a digital certificate and a first key from the mobile storage device, and performing a second authentication on the user by using the digital certificate and the first key; after the second authentication succeeds, receiving the service information filled in through a preset service system, and generating a target file according to the service information; and encrypting the target file and storing it in the mobile storage device.
According to the file encryption mobile storage method provided by the embodiment of the invention, the mobile storage device performs the first authentication on the user; after the first authentication succeeds, permission to use the digital certificate and the first key corresponding to the user is released, and the second authentication is then performed on the user based on the digital certificate and the first key. After the second authentication succeeds, the target file generated from the service information that the user fills in through the preset service system is encrypted and stored in the mobile storage device, so that the security of the internet online transaction and of the target file generated during the transaction is greatly improved.
In addition, the file encryption mobile storage method according to the above embodiment of the present invention may further have the following additional technical features:
According to one embodiment of the present invention, the first identity information includes a fingerprint feature image, and performing the first authentication on the user according to the first identity information includes: comparing the fingerprint feature image with a pre-registered fingerprint feature template based on a preset fingerprint comparison algorithm; if the comparison succeeds, judging that the first authentication has succeeded, and otherwise feeding back first-authentication failure information.
According to one embodiment of the invention, performing the second authentication on the user using the digital certificate and the first key comprises: invoking a security chip in the mobile storage device to generate a first random number; signing the first random number with the private key in the first key to generate a signature value; sending the signature value, the first random number and the digital certificate to a third-party CA, so that the third-party CA verifies the signature value and the digital certificate using the public key in the first key, generates a second random number, and compares the first random number with the second random number; if the comparison passes, judging that the second authentication has succeeded, and otherwise feeding back second-authentication failure information.
According to one embodiment of the present invention, the preset business system includes at least one of e-government, bidding or power transaction, the target file includes business data and user information, and the method further includes: electronically signing the target file using an electronic signature, wherein the electronic signature includes at least one of seal authorization, SMS code acquisition, coordinate- and keyword-based PDF signing, coordinate- and keyword-based OFD signing, cross-page (seam) sealing, and a file signature verification interface, so as to implement an enterprise official seal, a contract seal and a financial seal.
According to one embodiment of the present invention, encrypting the target file and storing the encrypted target file in the mobile storage device includes: dragging the target file into a file storage area in the mobile storage device; and calling a second key generated by a security chip in the mobile storage device to encrypt the target file, so that the target file is stored in the file storage area as ciphertext.
According to one embodiment of the invention, the method further comprises: acquiring first identity information of the user through the mobile storage device, and performing first authentication on the user according to the first identity information; after the first authentication is successful, the digital certificate and the first key are read from the mobile storage device, and the user is authenticated for the second time by using the digital certificate and the first key; after the second authentication is successful, the encrypted target file is dragged out of a file storage area in the mobile storage device; and calling the second key generated by the security chip in the mobile storage device to decrypt the encrypted target file so as to display the target file in a plaintext form.
According to one embodiment of the invention, the method further comprises: encrypting the second key with the private key in the first key to obtain a ciphertext; sending the ciphertext and the digital certificate to a third-party CA through a server-side secure encrypted channel; invoking the third-party CA to decrypt the ciphertext with the public key in the first key to obtain the second key; and having the third-party CA encrypt the second key and store it in a key database.
According to one embodiment of the invention, the method further comprises: calling the third-party CA to locate the second key stored in the key database according to a key identifier, wherein the key identifier is determined by the private key in the first key; encrypting the second key with the public key in the first key, and receiving the Base64 encoding of the ciphertext of the second key through a server-side secure encrypted channel; and obtaining the second key by using the security chip and the private key in the first key, and restoring the second key to a key backup area.
To achieve the above object, an embodiment of a second aspect of the present invention provides a computer-readable storage medium having a computer program stored thereon, the computer program, when executed by a processor, implementing a file encryption mobile storage method as set forth in the embodiment of the first aspect of the present invention.
To achieve the above objective, an embodiment of a third aspect of the present invention provides an electronic device, including a memory and a processor, where the memory stores a computer program, and when the computer program is executed by the processor, the method for encrypting and storing files according to the embodiment of the first aspect of the present invention is implemented.
To achieve the above object, a fourth aspect of the present invention provides a mobile storage system, comprising: a mobile storage device and an electronic apparatus as proposed in the embodiments of the third aspect of the present invention.
Drawings
FIG. 1 is a flow chart of a file encryption mobile storage method according to one embodiment of the invention;
FIG. 2 is a flow chart of a first authentication of a user in accordance with one embodiment of the present invention;
FIG. 3 is a flow chart of a second authentication of a user in accordance with one embodiment of the present invention;
FIG. 4 is a flow chart of encrypting a target file according to one embodiment of the invention;
FIG. 5 is a flow chart of previewing or capturing a target file according to one embodiment of the present invention;
FIG. 6 is a flow diagram of target file encryption and decryption according to one embodiment of the invention;
FIG. 7 is a flow chart of backing up a second key according to one embodiment of the invention;
FIG. 8 is a flow diagram of recovering a backup second key in accordance with one embodiment of the invention;
FIG. 9 is a block diagram of an electronic device according to one embodiment of the invention;
FIG. 10 is a schematic diagram of a mobile storage system according to one embodiment of the invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present invention and should not be construed as limiting the invention.
The following describes in detail a method, a system, a storage medium, and an electronic device for encrypting and storing files according to embodiments of the present invention with reference to fig. 1 to fig. 10 of the accompanying description and a specific implementation manner.
Fig. 1 is a flowchart of a file encryption mobile storage method according to an embodiment of the present invention. As shown in fig. 1, the file encryption mobile storage method may include:
S101, acquiring first identity information of a user through a mobile storage device, and performing first authentication on the user according to the first identity information;
S102, after the first authentication is successful, reading the digital certificate and the first key from the mobile storage device, and performing second authentication on the user by using the digital certificate and the first key;
S103, after the second authentication is successful, receiving the filled-in service information through a preset service system, and generating a target file according to the service information;
S104, encrypting the target file and storing the encrypted target file in the mobile storage device.
To improve the security of important files generated in internet online transactions, when such a transaction is carried out the mobile storage device is connected to the equipment end (for example, a computer) on which the transaction takes place. The mobile storage device acquires the first identity information of the user and performs the first authentication on the user according to that information. After the first authentication succeeds, permission to use the digital certificate and the first key corresponding to the user is released. The service system at the equipment end reads the digital certificate and the first key from the mobile storage device and performs the second authentication on the user based on them, to determine whether the user is allowed to log in to the service system. After the second authentication succeeds, the service system at the equipment end allows the user to log in, receives the service information filled in by the user through the preset service system, and generates a target file from that information. To improve the security of the generated target file and prevent it from being leaked, the target file is encrypted and the encrypted target file is stored in the mobile storage device.
According to the file encryption mobile storage method, the mobile storage device performs the first authentication on the user; after the first authentication succeeds, permission to use the digital certificate and the first key corresponding to the user is released, and the second authentication is then performed on the user based on the digital certificate and the first key. After the second authentication succeeds, the target file generated from the service information that the user fills in through the preset service system is encrypted and stored in the mobile storage device, so that the security of the internet online transaction and of the target file generated during the transaction is greatly improved.
In one embodiment of the present invention, the preset business system includes at least one of e-government, bidding or power transaction, the target file includes business data and user information, and the file encryption mobile storage method may further include:
electronically signing the target file using an electronic signature, wherein the electronic signature includes at least one of seal authorization, SMS code acquisition, coordinate- and keyword-based PDF signing, coordinate- and keyword-based OFD signing, cross-page (seam) sealing, and a file signature verification interface, so as to implement an enterprise official seal, a contract seal and a financial seal.
Specifically, after the first and second authentications succeed, the user fills in service information through an e-government system, a bidding system, a power transaction system or another preset service system, and a target file containing data such as business data and user information is generated. After the target file is generated, it can be electronically signed by calling the seal authorization, SMS code acquisition, coordinate- and keyword-based PDF signing, coordinate- and keyword-based OFD signing, cross-page (seam) sealing and file signature verification interfaces, which implement electronic signatures such as an enterprise official seal, a contract seal and a financial seal. Electronically signing the target file ensures the authenticity and integrity of the business activity and the non-repudiation of the signer.
It should be noted that electronically signing the target file in this way gives the electronic signing operation the same visual effect as stamping a paper document.
In embodiments of the present invention, the first authentication of the user may be a biometric authentication, such as authentication of fingerprint information of the user.
As a specific embodiment, as shown in fig. 2, the first identity information includes a fingerprint feature image, and performing the first authentication on the user according to the first identity information may include:
S201, comparing the fingerprint feature image with a pre-registered fingerprint feature template based on a preset fingerprint comparison algorithm;
S202, if the comparison is successful, judging that the first authentication is successful, and otherwise feeding back first-authentication failure information.
The fingerprint feature image of the user can be acquired multiple times through the sensor module of the mobile storage device. Based on a preset fingerprint comparison algorithm, the acquired fingerprint feature image is compared with a pre-registered fingerprint feature template. If the comparison succeeds, the first authentication is judged successful, and permission to use the digital certificate and the key file corresponding to the fingerprint feature template is released to the equipment end. If the comparison fails, the first authentication is judged to have failed. When the first authentication fails, first-authentication failure information, such as a fingerprint verification failure, is fed back.
In one embodiment of the present invention, as shown in fig. 3, the second authentication of the user using the digital certificate and the first key includes:
S301, calling a security chip in the mobile storage device to generate a first random number;
S302, signing the first random number with the private key in the first key to generate a signature value;
S303, sending the signature value, the first random number and the digital certificate to a third-party CA, so that the third-party CA verifies the signature value using the public key in the first key, generates a second random number, and compares the first random number with the second random number;
S304, if the comparison passes, judging that the second authentication is successful, and otherwise feeding back second-authentication failure information.
In the embodiment of the invention, after the first authentication, that is, after the mobile storage device has released to the equipment end permission to use the digital certificate and the key file corresponding to the fingerprint feature template, the equipment end performs the second authentication on the user based on the digital certificate and the first key released by the mobile storage device.
Specifically, when the user logs in to the service system and is authenticated for the second time, the equipment end, through the service system, calls the security chip in the mobile storage device to generate a first random number, and calls the private key of the first key in the mobile storage device to sign the first random number, generating a signature value. The equipment end sends the signature value, the first random number and the digital certificate to the third-party CA through the service system, so that the third-party CA verifies the signature value and the digital certificate using the public key in the first key and, after the verification passes, generates a second random number. The unified cryptographic service platform of the third-party CA compares the first random number with the second random number. If the comparison passes, the second authentication is judged successful and the user is allowed to log in to the service system. If the comparison does not pass, the second authentication is judged to have failed and the user is not allowed to log in to the service system. When the second authentication fails, second-authentication failure information, such as a login failure, is fed back. When a login failure is fed back, the reason for the login error can additionally be shown to remind the user.
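The exchange in S301 to S304 with both sides shown, as an added Go example that is not code from the patent. Assumptions: an Ed25519 key pair and an X.509 certificate from the Go standard library stand in for the first key and the digital certificate, the signature check against the received random number stands in for the comparison of the first and second random numbers, the names `Token`, `CA`, `Setup` and `AuthRequest` are hypothetical, and the replay guard on the CA side is an addition made because the random number originates on the device side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrBadCert = errors.New("second authentication failed: certificate not trusted")
var ErrBadSignature = errors.New("second authentication failed: signature check failed")
var ErrReplay = errors.New("second authentication failed: random number reused")

// AuthRequest is the S303 message: first random number, signature value, certificate.
type AuthRequest struct{ Nonce, Signature, CertDER []byte }

// Token models the mobile storage device after the first authentication released its key.
type Token struct {
	key  ed25519.PrivateKey
	cert *x509.Certificate
}

// CA models the verifying side; seen is the added replay guard (an assumption).
type CA struct {
	roots *x509.CertPool
	seen  map[string]bool
}

func check(err error) { // abort on setup or RNG failure
	if err != nil {
		panic(err)
	}
}

// issue makes a key pair and a certificate for it; parent == nil yields a self-signed CA root.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent, signer = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// Setup builds a demo CA and a token holding a CA-issued certificate (constructed names).
func Setup() (*Token, *CA) {
	caKey, root := issue("Demo CA (constructed)", 1, nil, nil)
	devKey, devCert := issue("token-0001 (constructed)", 2, root, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &Token{devKey, devCert}, &CA{pool, map[string]bool{}}
}

// BuildAuthRequest performs S301 and S302 and packages the S303 message.
func (t *Token) BuildAuthRequest() AuthRequest {
	nonce := make([]byte, 32) // first random number
	_, err := rand.Read(nonce)
	check(err)
	return AuthRequest{nonce, ed25519.Sign(t.key, nonce), t.cert.Raw}
}

// Verify is the CA side of S303 and S304; nil means the second authentication passed.
func (ca *CA) Verify(req AuthRequest) error {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return ErrBadCert
	}
	opts := x509.VerifyOptions{Roots: ca.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return ErrBadCert
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, req.Nonce, req.Signature) {
		return ErrBadSignature
	}
	if ca.seen[string(req.Nonce)] { // this random number was already accepted once
		return ErrReplay
	}
	ca.seen[string(req.Nonce)] = true
	return nil
}

func main() {
	token, ca := Setup()
	req := token.BuildAuthRequest()
	fmt.Println("fresh:", ca.Verify(req), "| replayed:", ca.Verify(req))
}
```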
In one embodiment of the present invention, as shown in fig. 4 and 6, encrypting a target file and storing the encrypted target file in a mobile storage device includes:
S401, dragging the target file into a file storage area in the mobile storage device;
S402, calling a second key generated by a security chip in the mobile storage device to encrypt the target file, so that the target file is stored in the file storage area as ciphertext.
Specifically, when the target file is encrypted and stored, the generated target file is dragged into a file storage area in the mobile storage device, and a second key (SM1) generated by a security chip in the mobile storage device is called to encrypt the target file, so that the target file is stored in the file storage area as ciphertext.
In an embodiment of the invention, the second key may be a symmetric key.
In one embodiment of the present invention, as shown in fig. 5 and 6, the file encryption mobile storage method may further include:
S501, acquiring first identity information of a user through a mobile storage device, and performing first authentication on the user according to the first identity information;
S502, after the first authentication is successful, reading the digital certificate and the first key from the mobile storage device, and performing a second authentication on the user by using the digital certificate and the first key;
S503, after the second authentication is successful, dragging the encrypted target file out of a file storage area in the mobile storage device;
S504, calling a second key generated by the security chip in the mobile storage device to decrypt the encrypted target file, so that the target file is displayed in plaintext form.
In an embodiment of the present invention, when previewing or acquiring a target file, the target file is dragged out of a file storage area in the mobile storage device and decrypted to preview or acquire the target file.
Specifically, before the target file is dragged out of the file storage area in the mobile storage device, the user must pass the first authentication and the second authentication; both authentication processes are described above and are not repeated here. After the first authentication and the second authentication succeed, the encrypted target file is dragged out of the file storage area in the mobile storage device, and the second key generated by the security chip in the mobile storage device is called to decrypt the encrypted target file, so that the target file is dragged out of the file storage area and displayed in plaintext form or previewed online.
In the embodiment of the invention, when the first authentication, such as fingerprint authentication, fails more than three times, the mobile storage device cannot perform the first authentication again within a preset time, such as one hour. After the first authentication, such as fingerprint authentication, has been performed a plurality of times, the factory settings are restored and the first identity information, such as the collected fingerprint feature images, is reset.
In the embodiment of the invention, the first key in the mobile storage device is obtained by the mobile storage device applying, on the basis of an initial key, to a third-party CA or to the security chip. The initial key is loaded into the mobile storage device by the third-party CA through the service system when the mobile storage device leaves the factory.
Specifically, when the mobile storage device applies to the third-party CA for the first key on the basis of the initial key, the mobile storage device sends a digital signature, a serial number and a digital certificate to the third-party CA through a key generation interface called by the service system (the digital signature is obtained by signing the serial number of the mobile storage device using the digital certificate, after the mobile storage device has applied for and obtained the digital certificate). The third-party CA verifies the digital signature and the digital certificate using the public key in the initial key; after the verification passes, it derives the first key from the serial number by key dispersion and encrypts the first key using the digital certificate. The encrypted first key is returned to the mobile storage device through the service system. The mobile storage device decrypts the encrypted first key and stores the decrypted first key.
Specifically, when the mobile storage device applies to the security chip for the first key on the basis of the initial key, the mobile storage device sends the digital signature, the serial number and the digital certificate to the security chip through the key generation interface called by the service system. The security chip verifies the digital signature and the digital certificate using the public key in the initial key; after the verification passes, it derives the first key from the serial number by key dispersion and encrypts the first key using the digital certificate. The encrypted first key is returned to the mobile storage device through the service system. The mobile storage device decrypts the encrypted first key and stores the decrypted first key.
In an embodiment of the invention, the digital certificate (SM2, SM3) in the mobile storage device is applied for by the mobile storage device from a third-party CA. When applying, the mobile storage device generates a digital certificate application request (P10) file signed with the private key in the initial key. The P10 file is sent to the third-party CA through a certificate application interface called by the service system, and the third-party CA uses the public key in the initial key to verify the private-key signature on the P10 file, thereby verifying the identity of the user accessing the service system. After the verification passes, the digital certificate is issued and sent to the mobile storage device through the service system.
In an embodiment of the invention, the first key serves to protect the second key generated by the security chip in the mobile storage device.
In an embodiment of the invention, the first key may be updated periodically in time.
In an embodiment of the invention, the digital certificate and the first key in the mobile storage device, and the second key generated by the security chip in the mobile storage device, are stored in a key storage area in the mobile storage device. The second key is stored in the key storage area in ciphertext form, where the ciphertext is obtained by encrypting the second key with the first key.
In one embodiment of the present invention, as shown in fig. 7, the file encryption mobile storage method may further include:
S601, encrypting a second key by using a private key in the first key to obtain a ciphertext;
S602, the ciphertext and the digital certificate are sent to a third party CA organization through the secure encryption of the server side;
S603, calling a third party CA mechanism to decrypt the ciphertext according to the public key in the first key to obtain a second key;
S604, the second key is encrypted and stored in a key database by a third party CA organization.
In an embodiment of the invention, to prevent the second key from being lost, the second key is backed up.
Specifically, before the second key is backed up, the user must pass the first authentication and the second authentication. After both succeed, the device side encrypts the second key with the private key of the first key in the mobile storage device, called through the service system, to obtain the ciphertext of the second key. The service system sends the ciphertext and the digital certificate to the third-party CA organization through the secure encryption of the server side, and calls the third-party CA organization to decrypt the ciphertext according to the public key in the first key to obtain the second key. The service system then uses the third-party CA organization to encrypt the second key and store it in a key database, which completes the backup of the second key.
In one embodiment of the present invention, as shown in fig. 8, the file encryption mobile storage method may further include:
S701, calling a third-party CA mechanism to locate a second key stored in a key database according to a key identification, wherein the key identification is determined by a private key in the first key;
S702, encrypting the second key by using a public key in the first key, and receiving a Base64 code of the ciphertext of the second key through a server-side secure encryption channel;
S703, acquiring the second key by using the security chip and a private key in the first key, and restoring the second key to the key backup area.
In an embodiment of the invention, when the second key is lost, the backed-up second key is restored.
Specifically, before the backed-up second key is restored, the user must pass the first authentication and the second authentication. After both succeed, the device side calls the third-party CA organization through the service system to determine the key identification according to the private key in the first key, and locates the second key stored in the key database based on the key identification. The device side calls the third-party CA organization through the service system so that the third-party CA organization encrypts the second key with the public key of the first key, and receives the Base64 code of the ciphertext of the second key through the server-side secure encryption channel. After obtaining the Base64 code through the service system, the device side calls the security chip of the mobile storage device and the private key of the first key to obtain the second key. The device side then restores the second key to the key backup area of the mobile storage device so that the relevant encrypted target file can be decrypted.
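The restore exchange of S701 to S703, as an added example in Go that is not part of the patent text. RSA-OAEP stands in for the SM2 first key pair; the names `escrow`, `keyID`, `restore` and `recoverSecondKey`, the hash-of-public-key identifier, and the use of that identifier as the OAEP label are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed stand-in: RSA-OAEP with SHA-256 replaces the SM2 first key pair.
// Every type and function name below is hypothetical, chosen for this example.

// keyID derives the database lookup identifier from the first key. Hashing
// the public half is this example's choice; the page does not give a formula.
func keyID(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return hex.EncodeToString(sum[:8])
}

// newFirstKey generates a constructed first key pair for the demonstration.
func newFirstKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// escrow models the CA key database, indexed by key identifier. At-rest
// encryption of the entries (S604) is omitted to keep the focus on transport.
type escrow struct {
	db map[string][]byte
}

// restore is S701-S702 on the CA side: locate the backup by key identifier,
// encrypt it to the device's public key, and return the ciphertext as Base64.
func (e *escrow) restore(id string, pub *rsa.PublicKey) (string, error) {
	secondKey, ok := e.db[id]
	if !ok {
		return "", errors.New("no backup for key id " + id)
	}
	// The identifier is bound in as the OAEP label, so a blob wrapped for one
	// identifier cannot be unwrapped under another.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secondKey, []byte(id))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(wrapped), nil
}

// recoverSecondKey is S703 on the device side: decode the Base64 transport
// form, then unwrap with the private key of the first key.
func recoverSecondKey(priv *rsa.PrivateKey, id, b64 string) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(id))
}

// roundTrip escrows a fresh second key, restores it as if the device copy had
// been lost, and reports whether the restored key matches the backup.
func roundTrip() (bool, error) {
	priv, err := newFirstKey()
	if err != nil {
		return false, err
	}
	secondKey := make([]byte, 32) // constructed sample symmetric key
	if _, err := rand.Read(secondKey); err != nil {
		return false, err
	}
	id := keyID(&priv.PublicKey)
	ca := &escrow{db: map[string][]byte{id: secondKey}}
	b64, err := ca.restore(id, &priv.PublicKey)
	if err != nil {
		return false, err
	}
	restored, err := recoverSecondKey(priv, id, b64)
	if err != nil {
		return false, err
	}
	return bytes.Equal(restored, secondKey), nil
}

func main() {
	ok, err := roundTrip()
	fmt.Println("restored key matches backup:", ok, "error:", err)
}
```

Only the holder of the matching private key, presenting the same identifier, gets the second key back; an unknown identifier, a different key pair or a malformed Base64 string each return an error instead of key material.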
According to the file encryption mobile storage method, biometric identification technology and PKI technology are combined; the second key is protected by fingerprint authentication, the verification mode is more convenient, and identification of the system login user is realized; a high-performance security chip symmetrically encrypts and decrypts the target file, which ensures the security of the staged storage of important files filled in through the system; and the second key (a symmetric key) is backed up and recovered, which solves the problem that the second key is difficult to manage and distribute.
The invention provides a computer readable storage medium.
In this embodiment, a computer program is stored on a computer readable storage medium, and when the computer program is executed by a processor, the file encryption mobile storage method as described above is implemented.
The invention provides an electronic device.
In this embodiment, the electronic device may include a memory, a processor, and a computer program stored in the memory, where the computer program, when executed by the processor, implements the file encryption mobile storage method as described above.
Fig. 9 is a block diagram of an electronic device according to an embodiment of the invention.
As shown in fig. 9, the electronic device 500 includes: a processor 501 and a memory 503. The processor 501 is coupled to a memory 503, such as via a bus 502. Optionally, the electronic device 500 may also include a transceiver 504. It should be noted that, in practical applications, the transceiver 504 is not limited to one, and the structure of the electronic device 500 is not limited to the embodiment of the present invention.
The processor 501 may be a CPU (Central Processing Unit), a general purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, transistor logic device, hardware components, or any combination thereof. It may implement or perform the various exemplary logical blocks, modules, and circuits described in connection with the present disclosure. The processor 501 may also be a combination that implements computing functionality, such as a combination comprising one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
Bus 502 may include a path to transfer information between the components. Bus 502 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 502 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 9, but this does not mean that there is only one bus or one type of bus.
The memory 503 is used to store a computer program corresponding to the file encryption mobile storage method of the above-described embodiment of the present invention, which is controlled to be executed by the processor 501. The processor 501 is configured to execute a computer program stored in the memory 503 to implement what is shown in the foregoing method embodiments. The electronic device 500 shown in fig. 9 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
The invention provides a mobile storage system.
FIG. 10 is a schematic diagram of a mobile storage system according to one embodiment of the invention. As shown in fig. 10, the mobile storage system 1000 may include a mobile storage device 400 and an electronic apparatus 500 as described above.
The computer readable storage medium, the electronic equipment and the mobile storage system of the embodiment of the invention greatly improve the security of internet online transactions and target files generated during transactions by using the file encryption mobile storage method.
It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein, for example, may be considered as an ordered listing of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
In the description of the present invention, it should be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial", "circumferential", etc. indicate orientations or positional relationships based on those shown in the drawings, are used merely for convenience in describing the present invention and simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation or be configured and operated in a specific orientation, and therefore should not be construed as limiting the present invention.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
In the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," "secured," and the like are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; either directly or indirectly, through intermediaries, or both, may be in communication with each other or in interaction with each other, unless expressly defined otherwise. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
In the present invention, unless expressly stated or limited otherwise, a first feature "up" or "down" a second feature may be the first and second features in direct contact, or the first and second features in indirect contact via an intervening medium. Moreover, a first feature being "above," "over" and "on" a second feature may be a first feature being directly above or obliquely above the second feature, or simply indicating that the first feature is at a higher level than the second feature. The first feature being "under", "below" and "beneath" the second feature may be the first feature being directly under or obliquely below the second feature, or simply indicating that the first feature is at a lower level than the second feature.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that changes, modifications, substitutions and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (11)

1. A method for encrypting and storing files in a mobile manner, the method comprising:
acquiring first identity information of a user through a mobile storage device, and carrying out first authentication on the user according to the first identity information;
after the first authentication is successful, reading a digital certificate and a first key from the mobile storage device, and performing a second authentication on the user by using the digital certificate and the first key;
after the second authentication is successful, receiving the filled service information through a preset service system, and generating a target file according to the service information;
encrypting the target file and storing the target file in the mobile storage device.
2. The file encryption mobile storage method according to claim 1, wherein the first identity information includes a fingerprint feature image, and the first authentication of the user according to the first identity information includes:
based on a preset fingerprint comparison algorithm, comparing the fingerprint feature image with a pre-registered fingerprint feature template;
if the comparison is successful, the first authentication is judged to be successful, otherwise, the first authentication failure information is fed back.
3. The file encryption mobile storage method of claim 1, wherein the second authentication of the user using the digital certificate and the first key comprises:
invoking a security chip in the mobile storage device to generate a first random number;
signing the first random number by using a private key in the first key to generate a signature value;
the signature value, the first random number and the digital certificate are sent to a third-party CA mechanism, so that the third-party CA mechanism can check the signature value and the digital certificate by utilizing a public key in the first secret key to generate a second random number, and the first random number is compared with the second random number;
if the comparison is passed, the success of the second authentication is judged, otherwise, the second authentication failure information is fed back.
4. The file encryption mobile storage method of claim 1, wherein the preset business system comprises at least one of e-government, bidding, or power transaction, the target file comprises business data and user information, the method further comprising:
and carrying out electronic signature on the target file by utilizing an electronic signature, wherein the electronic signature at least comprises one of seal authorization, short message code acquisition, coordinate and keyword PDF-based signature, coordinate and keyword OFD-based signature, seam riding signature and file signature verification interface realization enterprise official seal, contract seal and financial seal.
5. The file encryption mobile storage method according to claim 1, wherein encrypting the target file and storing it in the mobile storage device comprises:
dragging the target file into a file storage area in the mobile storage device;
and calling a second key generated by a security chip in the mobile storage device to encrypt the target file so that the target file is stored in the file storage area in a ciphertext mode.
6. The file encryption mobile storage method of claim 5, wherein the method further comprises:
acquiring first identity information of the user through the mobile storage device, and performing first authentication on the user according to the first identity information;
after the first authentication is successful, the digital certificate and the first key are read from the mobile storage device, and the user is authenticated for the second time by using the digital certificate and the first key;
after the second authentication is successful, the encrypted target file is dragged out of a file storage area in the mobile storage device;
and calling the second key generated by the security chip in the mobile storage device to decrypt the encrypted target file so as to display the target file in a plaintext form.
7. The file encryption mobile storage method of claim 6, wherein the method further comprises:
encrypting the second key by using a private key in the first key to obtain a ciphertext;
the ciphertext and the digital certificate are sent to a third-party CA mechanism through the secure encryption of a server;
invoking the third party CA mechanism to decrypt the ciphertext according to the public key in the first key to obtain the second key;
and encrypting and storing the second key to a key database by utilizing the third-party CA mechanism.
8. The file encryption mobile storage method of claim 7, wherein the method further comprises:
calling the third-party CA mechanism to locate a second key stored in the key database according to a key identifier, wherein the key identifier is determined by a private key in the first key;
encrypting the second key by using the public key in the first key, and receiving a Base64 code of ciphertext in the second key through a server-side secure encryption channel;
and acquiring the second key by using the security chip and a private key in the first key, and recovering the second key to a key backup area.
9. A computer readable storage medium having stored thereon a computer program, which when executed by a processor, implements a file encryption mobile storage method according to any one of claims 1-8.
10. An electronic device comprising a memory, a processor, the memory having stored thereon a computer program, wherein the computer program, when executed by the processor, implements the file encryption mobile storage method of any one of claims 1-8.
11. A mobile storage system, comprising: a mobile storage device and an electronic apparatus as claimed in claim 10.
CN202310889704.8A 2023-07-19 2023-07-19 File encryption mobile storage method and system, storage medium and electronic equipment Active CN116611098B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310889704.8A CN116611098B (en) 2023-07-19 2023-07-19 File encryption mobile storage method and system, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN116611098A true CN116611098A (en) 2023-08-18
CN116611098B CN116611098B (en) 2023-10-27

Family

ID=87685724

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310889704.8A Active CN116611098B (en) 2023-07-19 2023-07-19 File encryption mobile storage method and system, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN116611098B (en)

Also Published As

Publication number Publication date
CN116611098B (en) 2023-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant