CN116662941A - Information encryption method, device, computer equipment and storage medium - Google Patents

Info

Publication number
CN116662941A
Authority
CN
China
Prior art keywords
encryption
information
virtual machine
decryption
virtual
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310946137.5A
Other languages
Chinese (zh)
Other versions
CN116662941B (en
Inventor
张壮
李俊斌
蒋光华
崔齐
王少鸣
罗亮之
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202310946137.5A
Publication of CN116662941A
Application granted
Publication of CN116662941B
Legal status: Active

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 - Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 - Protecting executable software
    • G06F21/121 - Restricting unauthorised execution of programs
    • G06F21/125 - Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 - Protecting data
    • G06F21/602 - Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to an information encryption method, apparatus, computer device, storage medium and computer program product. The method comprises the following steps: for a service function to be executed, acquiring a service function code of the service function and plaintext information to be encrypted, which is matched with the service function; determining a target encryption algorithm and acquiring an encryption source code of the target encryption algorithm; the encryption source code, when executed, is used to implement a target encryption algorithm; acquiring an encryption key, and compiling the encryption key, an encryption source code and a service function code into a virtual encryption program which can be identified by a virtual machine based on a preset virtual machine instruction set; and running a virtual encryption program through the virtual machine to execute an encryption process on the plaintext information to obtain ciphertext information corresponding to the plaintext information. By adopting the method, the data security can be improved.

Description

Information encryption method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an information encryption method, an information encryption apparatus, a computer device, a storage medium, and a computer program product.
Background
How to keep keys secure is one of the long-discussed core problems of mobile security. The white-box encryption algorithm is used to protect the key in a white-box attack environment, encrypting and decrypting the key and preventing an attacker from cracking it by brute force using computing power.
In the conventional white-box encryption algorithm, the key is hidden in a lookup table, and the cryptographic algorithm is executed through that lookup table. However, this approach still requires the lookup table to be stored, and an attacker can very easily locate the lookup table through reverse engineering and then carry out a security attack.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an information encryption method, apparatus, computer device, computer-readable storage medium, and computer program product that can improve the security of information encryption.
In one aspect, the present application provides an information encryption method. The method comprises the following steps:
for a service function to be executed, acquiring a service function code of the service function and plaintext information to be encrypted, which is matched with the service function;
determining a target encryption algorithm and acquiring an encryption source code of the target encryption algorithm; the encryption source code, when executed, is configured to implement the target encryption algorithm;
acquiring an encryption key, and compiling the encryption key, the encryption source code and the service function code into a virtual encryption program which can be identified by a virtual machine based on a preset virtual machine instruction set;
and running the virtual encryption program through the virtual machine to execute an encryption process on the plaintext information to obtain ciphertext information corresponding to the plaintext information.
On the other hand, the application also provides an information encryption device. The device comprises:
the acquisition module is used for acquiring service function codes of the service functions and plaintext information to be encrypted, which is matched with the service functions, for the service functions to be executed;
the selecting module is used for determining a target encryption algorithm and acquiring an encryption source code of the target encryption algorithm; the encryption source code, when executed, is configured to implement the target encryption algorithm;
the compiling module is used for acquiring the encryption key and compiling the encryption key, the encryption source code and the service function code into a virtual encryption program identifiable by the virtual machine based on a preset virtual machine instruction set;
and the operation module is used for operating the virtual encryption program through the virtual machine so as to execute an encryption process on the plaintext information and obtain ciphertext information corresponding to the plaintext information.
On the other hand, the application also provides computer equipment. The computer device comprises a memory storing a computer program and a processor implementing the steps of the information encryption method described above when the processor executes the computer program.
In another aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the information encryption method described above.
In another aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of the information encryption method described above.
With the above information encryption method, apparatus, computer device, storage medium and computer program product, for a service function to be executed, the service function code of the service function, the plaintext information to be encrypted that matches the service function, and the encryption source code of the determined target encryption algorithm are acquired, and the encryption key, the encryption source code and the service function code are compiled, based on a preset virtual machine instruction set, into a virtual encryption program that the virtual machine can identify. Recompiling the encryption algorithm together with the encryption key fuses and obfuscates the algorithm and the key; the key information is hidden in the virtual encryption program and cannot be cracked, which ensures the security of the key. Furthermore, running the virtual encryption program through the virtual machine carries out the encryption process on the plaintext information and yields the ciphertext information corresponding to the plaintext information. Even if an attacker obtains the running code of the virtual encryption program, the attacker cannot learn its specific meaning and cannot parse the key information out of the running code, which greatly ensures data security.
On the other hand, the application also provides an information decryption method. The method comprises the following steps:
under the condition that a decryption request is received, ciphertext information to be decrypted, which is pointed by the decryption request, is obtained;
determining a target decryption algorithm matched with a target encryption algorithm applied to the ciphertext information, and acquiring a decryption source code of the target decryption algorithm;
determining a decryption key matched with an encryption key applied to the ciphertext information, and determining a service function code corresponding to a service function to which the decryption request is directed;
compiling the decryption key, the decryption source code and the service function code into a virtual decryption program identifiable by a virtual machine based on a preset virtual machine instruction set;
and running the virtual decryption program through the virtual machine to execute a decryption process on the ciphertext information, so as to obtain plaintext information corresponding to the ciphertext information.
On the other hand, the application also provides an information decryption device. The device comprises:
the acquisition module is used for acquiring ciphertext information to be decrypted pointed by the decryption request under the condition of receiving the decryption request;
the determining module is used for determining a target decryption algorithm matched with a target encryption algorithm applied to the ciphertext information and acquiring a decryption source code of the target decryption algorithm;
the determining module is further configured to determine a decryption key that matches the encryption key applied to the ciphertext information, and determine a service function code corresponding to a service function to which the decryption request is directed;
the compiling module is used for compiling the decryption key, the decryption source code and the service function code into a virtual decryption program which can be identified by the virtual machine based on a preset virtual machine instruction set;
and the operation module is used for operating the virtual decryption program through the virtual machine so as to execute a decryption process on the ciphertext information, and obtaining plaintext information corresponding to the ciphertext information.
On the other hand, the application also provides computer equipment. The computer device comprises a memory storing a computer program and a processor implementing the steps of the above information decryption method when executing the computer program.
In another aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the information decryption method described above.
In another aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when being executed by a processor, implements the steps of the above-described information decryption method.
With the above information decryption method, apparatus, computer device, storage medium and computer program product, the decryption of specific information is realized as follows. When a decryption request is received, the ciphertext information to be decrypted that the request points to is acquired; a target decryption algorithm matching the target encryption algorithm applied to the ciphertext information is determined and its decryption source code is acquired; a decryption key matching the encryption key applied to the ciphertext information is determined; and the service function code corresponding to the service function to which the decryption request is directed is determined. The decryption key, the decryption source code and the service function code are then compiled, based on a preset virtual machine instruction set, into a virtual decryption program that the virtual machine can identify. Recompilation fuses and obfuscates the decryption algorithm and the key, so that the key information is hidden in the virtual decryption program and cannot be cracked, which ensures the security of the key. Furthermore, running the virtual decryption program through the virtual machine carries out the decryption process on the ciphertext information and yields the plaintext information corresponding to the ciphertext information, ensuring the security of the data during transmission.
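The following Python example is added here and is not code from the patent; it walks through the compile-and-run flow of both the encryption method and the decryption method described above. It rests on assumptions: a toy per-byte cipher stands in for the target algorithm (AES, SMS4 and so on), the six-operation VM, its operation names, every function name and the sample key and plaintext are hypothetical, and the service function code is left out so that the fusion of key and algorithm stays visible.

```python
import random

# Hypothetical VM operations; the names are assumptions made for this example.
OPS = ("LOAD", "XORI", "ADDI", "ROLI", "STORE", "HALT")
# Constructed sample values.
KEY = bytes(range(0x10, 0x20))      # 16 distinct key bytes
PLAINTEXT = b"acct=42;pin=9876"     # one 16-byte block


def make_isa(seed):
    """Model the preset VM instruction set: a build-specific opcode byte per operation."""
    rng = random.Random(seed)
    return dict(zip(OPS, rng.sample(range(256), len(OPS))))


def compile_program(key, isa, build_seed, decrypt=False):
    """Fuse key and cipher steps into bytecode made of (opcode, operand) pairs.

    Toy cipher, per byte i of an n-byte block (n = len(key)):
        c[i] = rol8(((p[i] ^ key[i]) + key[(i + 1) % n]) & 0xFF, 3)
    Every key byte is split into two randomly masked operands.
    """
    rng = random.Random(build_seed)
    code = bytearray()

    def emit(op, operand=0):
        code.extend((isa[op], operand & 0xFF))

    def emit_split(op, value):
        mask = rng.randrange(1, 256)    # non-zero, so the first share never equals value
        emit(op, value ^ mask if op == "XORI" else value - mask)
        emit(op, mask)

    n = len(key)
    for i in range(n):
        k0, k1 = key[i], key[(i + 1) % n]
        emit("LOAD", i)
        if decrypt:
            emit("ROLI", 5)             # a left rotate by 5 undoes a left rotate by 3
            emit_split("ADDI", -k1)
            emit_split("XORI", k0)
        else:
            emit_split("XORI", k0)
            emit_split("ADDI", k1)
            emit("ROLI", 3)
        emit("STORE", i)
    emit("HALT")
    return bytes(code)


def run_vm(code, isa, block):
    """Interpret the virtual program over one data block and return the result."""
    decode = {byte: op for op, byte in isa.items()}
    mem, acc, pc = bytearray(block), 0, 0
    while pc + 1 < len(code) and code[pc] in decode:
        op, arg = decode[code[pc]], code[pc + 1]
        pc += 2
        if op == "HALT":
            return bytes(mem)
        if op in ("LOAD", "STORE") and arg >= len(mem):
            raise ValueError("block is shorter than the compiled program expects")
        if op == "LOAD":
            acc = mem[arg]
        elif op == "STORE":
            mem[arg] = acc
        elif op == "XORI":
            acc ^= arg
        elif op == "ADDI":
            acc = (acc + arg) & 0xFF
        else:                           # ROLI: 8-bit rotate left
            r = arg & 7
            acc = ((acc << r) | (acc >> (8 - r))) & 0xFF
    raise ValueError("bytecode does not match this VM instruction set")


def reference_encrypt(key, block):
    """Unprotected form of the same toy cipher, used only to check the VM result."""
    n = len(key)
    out = bytearray()
    for i, p in enumerate(block):
        v = ((p ^ key[i]) + key[(i + 1) % n]) & 0xFF
        out.append(((v << 3) | (v >> 5)) & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    isa = make_isa(2023)
    enc = compile_program(KEY, isa, build_seed=1)
    dec = compile_program(KEY, isa, build_seed=2, decrypt=True)
    ciphertext = run_vm(enc, isa, PLAINTEXT)
    print("ciphertext:", ciphertext.hex())
    print("round trip:", run_vm(dec, isa, ciphertext))
    print("key stored contiguously in bytecode:", KEY in enc)
```

What this shows is limited to storage: the key bytes are not held contiguously and each build of the virtual program differs. It is not a measure of resistance against an analyst who recovers the opcode map.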
Drawings
FIG. 1 is a diagram of an application environment for an information encryption method in some embodiments;
FIG. 2A is a diagram of an application environment for an information encryption method in some embodiments;
FIG. 2B is a diagram of an application environment of an information encryption method according to other embodiments;
FIG. 3 is an application environment diagram of an information encryption method in further embodiments;
FIG. 4 is a flow chart of an information encryption method in some embodiments;
FIG. 5 is a schematic diagram of intermediate code compiled in some embodiments;
FIG. 6 is a schematic diagram of a virtual machine compiler compiling intermediate code in some embodiments;
FIG. 7 is a schematic diagram of a framework of an information encryption method in some embodiments;
FIG. 8 is a security analysis schematic of a potential attacking node in some embodiments;
FIG. 9 is a schematic diagram of an improved information encryption method based on white-box cryptography in some embodiments;
FIG. 10 is a flow chart of a method of decrypting information in some embodiments;
FIG. 11 is a block diagram of an information encryption device in some embodiments;
FIG. 12 is a block diagram of an information decryption device in some embodiments;
FIG. 13 is an internal block diagram of a computer device in some embodiments.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
White-box cryptography is widely used in application scenarios such as terminal data security, data transmission security, and Internet of Things device data security. Traditional white-box cryptography divides each round of a cryptographic algorithm into small modules, obfuscates each module, and converts all possible inputs and outputs of each module into a lookup table, so that an attacker cannot derive the key by analyzing the lookup table. In mobile terminal scenarios, the terminal runs in a white-box attack environment: the application can be debugged and analyzed through packet capture, and both the key in use while the application runs and the key stored in the application are easily obtained through reverse engineering.
In view of this, the embodiments of the present application provide an information encryption method based on white-box cryptography. Recompilation fuses and obfuscates the encryption algorithm and the key; the key information is hidden in the virtual encryption program and cannot be cracked, which ensures the security of the key. Furthermore, running the virtual encryption program through the virtual machine carries out the encryption process on the plaintext information and yields the ciphertext information corresponding to the plaintext information. Even if an attacker obtains the running code of the virtual encryption program, the attacker cannot learn its specific meaning and cannot parse the key information out of the running code, which greatly ensures data security.
The white-box encryption method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the terminal 102 is connected to the server 104 for communication. The terminal 102 and the server 104 may be directly or indirectly connected through wired or wireless communication, and the present application is not limited herein. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on the cloud or other servers. For the service function to be executed, the terminal 102 or the server 104 acquires a service function code of the service function and plaintext information to be encrypted that is matched with the service function, determines a target encryption algorithm, acquires an encryption source code of the target encryption algorithm, and acquires an encryption key. Then, the terminal 102 or the server 104 compiles the encryption key, the encryption source code and the service function code into a virtual encryption program identifiable by the virtual machine based on a preset virtual machine instruction set, and runs the virtual encryption program through the virtual machine to execute an encryption process on the plaintext information, so as to obtain ciphertext information corresponding to the plaintext information. After obtaining the ciphertext information, the terminal 102 may upload the ciphertext information to the server 104, or transmit the ciphertext information to another terminal.
Illustratively, when the embodiment of the present application is applied to a scene such as file transfer, social session, or live broadcast, as shown in fig. 2A, after the terminal 102 encrypts plaintext information such as an image, audio, document, etc., the obtained ciphertext information is sent to the server 104, and is distributed to one or more terminals 102' by the server 104. Alternatively, as shown in fig. 2B, after encrypting plaintext information such as an image, audio, document, etc., the terminal 102 directly transmits the obtained ciphertext information end-to-end to another terminal 102'.
For example, when the embodiment of the present application is applied in a scenario such as transaction, payment, etc., as shown in fig. 3, the terminal 102 may encrypt plaintext information such as an account password, and transmit the obtained ciphertext information to the server 104, so that the server 104 performs identity verification on a user account corresponding to the terminal 102, and performs operations such as transaction or deduction on the user account after the identity verification is passed.
The terminal may be, but is not limited to, one or more of various desktop computers, notebook computers, smartphones, tablet computers, Internet of Things devices, portable wearable devices, etc. The Internet of Things devices may be one or more of smart speakers, smart televisions, smart air conditioners, or smart vehicle devices, etc. The portable wearable device may be one or more of a smart watch, a smart bracelet, or a headset device, etc. Illustratively, the terminal is an IoT (Internet of Things) device.
The server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms.
Among them, the content distribution network technology is a method of distributing content from a central server to an edge server near a user, thereby realizing distributed near access of the content. The content distribution network technology effectively improves the service quality of content access and supports large-scale concurrent access capability.
In some embodiments, the terminal may be loaded with application programs (APPs), including one or more of applications pre-deployed in the operating system, traditional applications that need to be installed separately, and applet applications that can be used without being downloaded and installed, such as a browser client or a web page client. The terminal can determine the plaintext information to be encrypted through an application program and execute the encryption process by running a locally configured virtual machine, thereby obtaining the ciphertext information.
In some embodiments, as shown in fig. 4, an information encryption method is provided, which may be applied to a terminal or a server, or may be cooperatively performed by the terminal and the server. The following describes an example of application of the method to a terminal, the method comprising the steps of:
Step S402, for the service function to be executed, acquiring the service function code of the service function and the plaintext information to be encrypted, which is matched with the service function.
A service function refers to a terminal achieving a specific encryption purpose by performing a series of operation procedures, including but not limited to one or more of a local service function or a networking service function, etc. The local service function refers to a service function that the terminal encrypts data in a local storage space by means of an application program, such as encrypting an image in an album, encrypting a document in a folder, and the like. The application program can be one or more of application programs preloaded by the terminal, such as an album, a document folder, and the like. The application may also be one or more of an application downloaded and installed by the terminal from the internet, such as a social application (e.g., instant messaging application, etc.), or an application supporting transaction functions, etc. The networking service function refers to a service function of encrypting transmitted data, such as encrypting data in a chat session, encrypting uploaded/downloaded data, encrypting transmitted data, or the like, when a terminal accesses the internet or establishes a communication connection with other terminals. By way of example, the business functions are, for example, business functions of the transaction type, including one or more of payment, refill, or transfer, among others.
Due to the difference in service functions, the objects encrypted by implementing the service functions are also different. The data type of the plaintext information to be encrypted includes, but is not limited to, one or more of account information, a document, an image, or audio, etc. Wherein the account information includes, but is not limited to, one or more of account name, account id, or account password, etc. In the above example, for example, in the case where the service function is to encrypt data in the local storage space, the plaintext information to be encrypted that matches the service function is the data in the local storage space.
At the underlying implementation level, the service function is realized by the terminal executing the service function code. Service function code is the program code that implements the service function; it is typically written when a developer develops the operating system or an application program of the terminal.
For example, when the service function is to encrypt the locally stored image, the operation flow to be executed by the terminal is, for example, sequentially: when detecting that the user selects the image, providing an option of encrypting the image; detecting whether the user triggers the option; when the user is detected to trigger the option, an encryption process is performed on the image.
For another example, when the business function encrypts account information in a scenario of payment to a merchant, the operation flow to be executed by the terminal is, for example, sequentially: after detecting that the user inputs the password, taking the account id of the user and the input password as plaintext information to be encrypted, and executing an encryption process on the plaintext information. The operation flow executed to realize the service function is written in advance as a piece of code, and when the terminal executes the piece of code, the service function of encrypting the locally stored image is realized.
Thus, in some embodiments, for a service function to be executed, the terminal obtains a service function code of the service function and plaintext information to be encrypted that matches the service function, including: for a service function to be executed, the terminal determines an application program for realizing the service function and acquires a program code of the application program; the business function code of the business function is extracted from the program code of the application program. And the terminal acquires plaintext information to be encrypted, which is matched with the service function, through the application program. The terminal may extract plaintext information to be encrypted, which matches the service function, from the local storage space by a corresponding application program, depending on the service function to be executed.
Step S404, determining a target encryption algorithm and acquiring an encryption source code of the target encryption algorithm; the encryption source code, when executed, is used to implement a target encryption algorithm.
The encryption algorithm refers to the steps of encrypting plaintext information to generate ciphertext information. Accordingly, the steps of decrypting ciphertext information to generate plaintext information are referred to as a decryption algorithm. The encryption algorithm and the decryption algorithm are collectively referred to as a cryptographic algorithm. Encryption and decryption algorithms include, but are not limited to, symmetric cryptographic algorithms, asymmetric cryptographic algorithms, and the like. The white-box cryptographic technique is usually a symmetric cryptographic algorithm, and comprises a static white-box technique formed by combining the cryptographic algorithm with a specific key and performing encryption and decryption processes by transmitting the original key into a pre-generated white-box library.
Illustratively, the encryption algorithm provided by the embodiments of the present application includes, but is not limited to, one or more of AES (Advanced Encryption Standard), SMS4 (a block cipher algorithm), DES (Data Encryption Standard), or the like.
The encryption algorithm can be preconfigured in the terminal so as to be used by the terminal when the terminal needs to execute the encryption and decryption functions. In an actual application scenario, different service functions may need to be matched with different encryption algorithms to achieve corresponding service purposes, or different application programs may also use different encryption algorithms.
To this end, in some embodiments, the terminal determining a target encryption algorithm comprises: acquiring the device identifier of the current device, and selecting a target encryption algorithm matched with the current device from a plurality of encryption algorithms according to the device identifier. Specifically, the terminal is configured at the time of shipment with a device identifier that distinguishes the current device from other terminals. Different terminals may be configured with different encryption algorithms. Therefore, the terminal acquires the device identifier of the current device and determines the target encryption algorithm matched with the current device according to the encryption algorithm preset for that device identifier.
In other embodiments, the terminal determining a target encryption algorithm further comprises: selecting, from a plurality of encryption algorithms, a target encryption algorithm that matches the service function. Specifically, the terminal selects an encryption algorithm matching the service function from a plurality of encryption algorithms as the target encryption algorithm according to the service function to be executed. For example, in a scenario where the terminal uploads an image to the server, the encryption function for the image is realized through an RSA cryptographic algorithm; in another example, in a scenario where the terminal shares the image with other terminals, the encryption function for the image is realized through an AES cryptographic algorithm, and so on.
In still other embodiments, the terminal determining a target encryption algorithm further comprises: in response to a triggering operation on a service function control in the application program, selecting a target encryption algorithm matched with the application program from a plurality of encryption algorithms. Specifically, the terminal determines the application program that realizes the service function according to the service function to be executed, and selects an encryption algorithm matched with the application program from a plurality of encryption algorithms as the target encryption algorithm. For example, an AES cryptographic algorithm is used to realize the encryption function for an image, an RSA cryptographic algorithm is used to realize the encryption function for account information, and so on.
In still other embodiments, the terminal determines a target encryption algorithm, further comprising: the target encryption algorithm is randomly selected from a plurality of encryption algorithms. Specifically, the terminal may randomly select a target encryption algorithm from among a plurality of encryption algorithms each time the encryption process is performed, thereby further improving encryption security.
Therefore, because the target encryption algorithm can be selected from a plurality of encryption algorithms in different ways, the encryption process can be changed according to actual requirements, which makes it more flexible and gives the method stronger adaptability and extensibility.
As with the service functions, at the underlying implementation level the algorithm steps of an encryption algorithm are integrated into a piece of code that can be executed by the terminal, called source code. To distinguish it from the decryption process, the source code of the target encryption algorithm used in the encryption process is referred to as the encryption source code. The source code of the target decryption algorithm used in the decryption process is accordingly referred to as the decryption source code. The target encryption algorithm and the target decryption algorithm are matched algorithms; for example, the target encryption algorithm and the target decryption algorithm are both AES cryptographic algorithms.
Thus, after determining the target encryption algorithm, the terminal acquires the encryption source code of the target encryption algorithm to implement an encryption process of the plaintext information based on the encryption source code.
In some embodiments, the terminal obtaining the encryption source code of the target encryption algorithm comprises: extracting the encryption source code of the target encryption algorithm from the encryption source codes of the encryption algorithms stored in the local storage space.
In other embodiments, the terminal obtaining the encryption source code of the target encryption algorithm comprises: sending a source code acquisition request to a server according to the determined target encryption algorithm, where the source code acquisition request carries identification information of the target encryption algorithm, and the identification information indicates which specific encryption algorithm the target encryption algorithm is; and receiving the source code of the target encryption algorithm returned by the server in response to the source code acquisition request, thereby obtaining the encryption source code.
Step S406, the encryption key is obtained, and the encryption key, the encryption source code and the service function code are compiled into a virtual encryption program identifiable by the virtual machine based on a preset virtual machine instruction set.
After determining the encryption algorithm, the terminal also needs to determine a key to perform a specific encryption step according to the key and the encryption algorithm to realize the encryption process of the plaintext information. For purposes of illustration, the key used in the encryption process is referred to as the encryption key. Accordingly, the key used in the decryption process is referred to as a decryption key.
The encryption and decryption keys are divided into symmetric keys and asymmetric keys. In the case where the cryptographic algorithm used is a symmetric cryptographic algorithm, the encryption key and the decryption key are the same. In the case where the cryptographic algorithm used is an asymmetric cryptographic algorithm, the encryption key and the decryption key are matched, for example, the encryption key is a public key, the decryption key is a private key, or the like.
In some embodiments, the step of the terminal obtaining the encryption key may be: the encryption key is randomly generated by a key generator. In some scenarios, such as where the terminal is an IoT device, an edge computing device, etc., or where the on-board resources of the terminal are limited, etc., the encryption key may be a pre-generated encryption key that is bound to the terminal. For example, the terminal is preconfigured with an encryption key at the time of shipment.
The crux of white-box cryptography is how to fuse and obfuscate the cryptographic algorithm and the key, so that even an attacker who gains control of the white-box cryptographic system cannot obtain the original key information. As stated earlier, conventional encryption techniques typically convert the key into a look-up table, thereby making the key difficult to crack. However, this approach is complicated and inconvenient to maintain, and its security still needs to be improved: the look-up table has to be stored in the storage space, so an attacker can locate the look-up table through reverse engineering and mount an attack on it.
Therefore, in the embodiment of the application, after the target encryption algorithm and the encryption key are determined, the terminal compiles the encryption key, the encryption source code and the service function code into a virtual encryption program identifiable by the virtual machine based on the preset virtual machine instruction set. The recompilation fuses and obfuscates the encryption algorithm and the key, so that even if an attacker acquires the running code of the virtual encryption program, the attacker cannot know its specific meaning and cannot recover the key information from the virtual encryption program, which greatly improves data security.
In some embodiments, the terminal compiles the encryption key, the encryption source code and the service function code into a virtual encryption program identifiable by the virtual machine based on a preset virtual machine instruction set, including: the terminal integrates the encryption source code and the service function code, fuses the encryption key into the integrated code, compiles the code fused with the encryption key into a virtual encryption program identifiable by the virtual machine according to a preset virtual machine instruction set, and allows the virtual machine to run the virtual encryption program, so that the encryption of plaintext information is realized. Therefore, the key information is hidden in the virtual encryption program and cannot be cracked, so that the security of the key is ensured.
In step S408, the virtual encryption program is run by the virtual machine to perform an encryption process on the plaintext information, so as to obtain ciphertext information corresponding to the plaintext information.
The virtual machine is configured in the terminal. It is a complete computer system that is simulated in software, has the functions of a complete hardware system, and runs in a completely isolated environment, so that it can provide the functions of a physical computer.
The ciphertext information is plaintext information represented in a specific form. The ciphertext information may be in the same type of representation as the plaintext information, e.g., the plaintext information and the ciphertext information are both an image, the plaintext information is an unencrypted image, and the ciphertext information is an encrypted image. Ciphertext information may also be represented in a different type than plaintext information, e.g., plaintext information is an image and ciphertext information is a string of characters. Illustratively, in a payment scenario, the plaintext information may be account information of the user, and the ciphertext information may be a bar code, a two-dimensional code, or the like.
Specifically, the terminal loads the virtual encryption program generated by compiling into a virtual processor of the virtual machine, and the virtual processor runs the virtual encryption program, so that the algorithm step of the target encryption algorithm is executed based on the encryption key, and the plaintext information is encrypted.
In the information encryption method, for the service function to be executed, the service function code of the service function, the plaintext information to be encrypted that matches the service function, and the encryption source code of the determined target encryption algorithm are acquired, and the encryption key, the encryption source code and the service function code are compiled into a virtual encryption program identifiable by the virtual machine based on the preset virtual machine instruction set. The recompilation fuses and obfuscates the encryption algorithm and the key; the key information is hidden in the virtual encryption program and cannot be cracked, so the security of the key is ensured. Furthermore, by running the virtual encryption program through the virtual machine, the encryption process is performed on the plaintext information to obtain the corresponding ciphertext information. Even if an attacker obtains the running code of the virtual encryption program, the attacker cannot know its specific meaning and cannot recover the key information from the running code, which greatly improves data security.
In some embodiments, the terminal obtaining the service function code of a service function and the plaintext information to be encrypted that matches the service function includes: in response to a triggering operation on a service function control in the application program, determining the service function corresponding to the service function control, and acquiring the service function code of the service function; determining an acquisition mode of the plaintext information to be encrypted according to the service function; and acquiring the plaintext information to be encrypted that matches the service function according to the acquisition mode.
The terminal is provided with various applications, such as an application that can browse files such as images, audio, documents, etc., or an application that can be used to interact with other terminals or servers. The user may trigger an application to determine the business function to be performed subsequently. For example, when a file such as a locally stored image, audio, document, etc. needs to be encrypted, the user needs to trigger an application such as an album, a folder, etc. to make the terminal determine the service function to be performed.
Generally, an application program can realize multiple service functions. For example, an album can provide the user with service functions such as browsing, viewing, sharing and deleting; as another example, a transaction application can provide the user with service functions such as collecting money, paying and viewing balances. In the visual presentation of an application, the different service functions are typically presented in the form of controls that provide interface entry points for triggering the corresponding service functions; these are referred to as service function controls.
Therefore, the terminal detects the operation of the user, and when detecting that the user triggers the service function control of the application program, the terminal responds to the triggering operation of the service function control in the application program to determine the service function corresponding to the service function control. Furthermore, the terminal can obtain the service function codes of the service functions. For example, the terminal finds a code segment corresponding to the triggered service function from the program codes corresponding to the application program, thereby extracting the service function code of the service function.
Therefore, the terminal can determine the acquisition mode of the plaintext information to be encrypted according to the service function. The manner of acquiring the plaintext information refers to acquiring the plaintext information from a local storage space of the terminal, acquiring the plaintext information from a network, or the like. Taking plaintext information as an image and executing a service function of encrypting the image as an example, the image can be stored in a local storage space or a cloud server. Furthermore, the terminal can acquire the plaintext information to be encrypted, which is matched with the service function, according to the acquisition mode.
Continuing the above example, the terminal obtains the plaintext information to be encrypted that matches the service function according to the acquisition mode, for example, as follows: acquiring the storage path of the image and extracting the image from the local storage space according to the storage path; or sending an acquisition request to the server and receiving the image returned by the server.
In the above example, the service function is determined in response to the triggering operation on the service function control in the application program, and the corresponding service function code and the plaintext information to be encrypted are obtained according to the determined service function. The method can therefore adapt to various application programs and realize various service functions, places no limitation on the object to be encrypted, and has strong extensibility.
In some embodiments, the terminal compiling the encryption key, the encryption source code and the service function code into a virtual encryption program identifiable by the virtual machine based on a preset virtual machine instruction set includes: compiling the encryption key, the encryption source code and the service function code based on a system instruction set matching the operating system of the current device to obtain an intermediate code composed of system instructions preset in the system instruction set; and converting and compiling the intermediate code into a virtual encryption program identifiable by the virtual machine based on a mapping relation between the preset virtual machine instruction set and the system instruction set.
Different terminals are configured with different operating systems, and the code languages of the underlying code that implements the operation flows of those operating systems differ. The code language includes, but is not limited to, one of the C/C++ language, the Python language, the Java language, and the like. Different code languages have different forms of preset system instruction sets. For example, for the same "output" instruction, different code languages may express it with different keywords, different strings, or a combination of these.
Therefore, the terminal compiles the encryption key, the encryption source code and the service function code based on a system instruction set matching the operating system of the current device to obtain an intermediate code composed of system instructions preset in the system instruction set. The intermediate code can be run directly by the terminal.
For example, as shown in fig. 5, for a target encryption algorithm selected from a plurality of encryption algorithms such as SM4, AES, SM2, etc., the terminal combines an encryption source code, an encryption key, and a service function code of the target encryption algorithm to form an intermediate code composed of system instructions preset in a system instruction set. As shown in fig. 6, a virtual machine compiler is configured in the terminal, and the intermediate code is compiled by the virtual machine compiler, so that the intermediate code is converted and compiled into a virtual encryption program identifiable by the virtual machine, thereby realizing the encryption process of the plaintext information.
In order to encrypt the plaintext information, in the embodiment of the present application, a virtual machine instruction set is preset, where the virtual machine instruction set is a non-general instruction set, for example, an instruction set specifically developed for a specific application program, and the like. Each virtual machine instruction in the preset virtual machine instruction set can correspond to a system instruction in the system instruction set. Therefore, the terminal can convert and compile the intermediate codes into virtual encryption programs which can be identified by the virtual machine based on the preset mapping relation between the virtual machine instruction set and the system instruction set.
In the above embodiment, the encryption algorithm is rewritten through the virtual machine instruction and loaded into the virtual machine to run, and since an attacker cannot learn the virtual machine instruction set, the encryption algorithm flow and intermediate data of the virtual encryption program running in the virtual machine cannot be ascertained, so that the security of the data is greatly ensured.
In some embodiments, based on a mapping relationship between a preset virtual machine instruction set and a system instruction set, translating and compiling the intermediate code into a virtual encryption program identifiable by the virtual machine includes: determining virtual machine instructions corresponding to a plurality of system instructions included in the intermediate code from a virtual machine instruction set based on a mapping relation between the preset virtual machine instruction set and the system instruction set; and performing conversion compiling on the intermediate code based on virtual machine instructions corresponding to the system instructions, and generating a virtual encryption program identifiable by the virtual machine.
Specifically, the terminal determines, based on a mapping relationship between a preset virtual machine instruction set and a system instruction set, which system instruction each virtual machine instruction in the virtual machine instruction set corresponds to, or may determine which virtual machine instruction each of a plurality of system instructions included in the intermediate code corresponds to.
Further, the terminal may determine, from the virtual machine instruction set, a virtual machine instruction corresponding to each of the plurality of system instructions included in the intermediate code, and perform translation and compilation on the intermediate code based on the determined virtual machine instruction corresponding to each of the plurality of system instructions, thereby generating a virtual encryption program identifiable by the virtual machine. For example, for the intermediate code "print a", the terminal determines the virtual machine instruction "abcd" corresponding to the system instruction "print" therein, so that the intermediate code can be converted and compiled into the virtual encryption code "abcd a", and further a virtual encryption program identifiable by the virtual machine can be generated.
In this embodiment, the encryption algorithm is rewritten using virtual machine instructions, so that the flow of the encryption algorithm and its intermediate data are difficult for an attacker to detect, which greatly improves data security. In addition, because the encryption algorithm is compiled based on the preset virtual machine instruction set, any encryption algorithm for which source code is available and any key information can be supported, so the extensibility is strong.
In some embodiments, the intermediate code further includes execution parameters. The execution parameters are the data-type parameters that must be configured when the code is run, such as specific numbers used in the encryption formula of the encryption algorithm, or specific data referenced from a database. Illustratively, a system instruction instructs that an operation or a call be performed on an execution parameter.
Accordingly, based on the virtual machine instruction corresponding to each of the plurality of system instructions, translating and compiling the intermediate code to generate a virtual encryption program identifiable by the virtual machine, including: for each of a plurality of system instructions included in the intermediate code, replacing the targeted system instruction with a virtual machine instruction corresponding to the targeted system instruction to translate the plurality of system instructions included in the intermediate code; and generating a virtual encryption program which can be identified by the virtual machine based on the plurality of virtual machine instructions and the execution parameters obtained after the conversion.
Specifically, for each of a plurality of system instructions included in the intermediate code, the terminal replaces the targeted system instruction with a virtual machine instruction corresponding to the targeted system instruction. And, for the execution parameters, the terminal may keep the execution parameters unchanged, or convert the execution parameters according to a preset mapping relationship.
For example, for the intermediate code '#import "abcd"', the terminal determines the virtual machine instruction "xyz" corresponding to the system instruction "#import", directly replaces the original system instruction "#import" with the virtual machine instruction "xyz", and keeps the execution parameter "abcd" unchanged. Therefore, the terminal can convert and compile the intermediate code into the virtual encryption code "xyz [abcd]" based on the virtual machine instruction and the execution parameter obtained after conversion, and further generate a virtual encryption program identifiable by the virtual machine.
In the above embodiment, the encryption algorithm is rewritten using virtual machine instructions, so that code that was originally general-purpose is converted into code composed of a specific instruction set, which is difficult for an attacker to crack. Moreover, the white-box encryption is executed by generating a virtual encryption program identifiable by the virtual machine, so that the risk of side-channel attacks is avoided and the security is high.
In some embodiments, the terminal executes a virtual encryption program through a virtual machine to perform an encryption process on plaintext information to obtain ciphertext information corresponding to the plaintext information, including: loading a virtual encryption program into a virtual processor of a virtual machine, and operating the virtual encryption program by the virtual processor to encrypt plaintext information to obtain ciphertext information corresponding to the plaintext information; the ciphertext information is stored in a virtual memory of the virtual machine.
Wherein one or more of a virtual processor (VCPU), a virtual memory (Vmem), a virtual register (Vreg), and the like are provided in the virtual machine. The virtual processor is used for running a virtual encryption program, the virtual memory is used for storing ciphertext information obtained by encrypting plaintext information, and the virtual register is used for temporarily storing data and operation results which participate in encryption operation.
After the virtual encryption program is compiled, the terminal can run the virtual encryption program through the virtual machine to execute the process of encrypting the plaintext information to obtain the ciphertext information.
Intermediate results and the like generated in the process of running the virtual encryption program by the virtual processor are temporarily stored in the virtual register, and finally obtained encryption results, namely ciphertext information corresponding to the plaintext information, are stored in the virtual memory.
In the above embodiment, the virtual encryption program is run through the virtual machine, so that the encryption process can be performed on the plaintext information to obtain the ciphertext information corresponding to the plaintext information, and since the attacker cannot obtain the instruction set of the virtual machine, the virtual encryption program is difficult to crack, so that the data security is ensured.
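An added illustration of the translation and execution steps described above (mapping system instructions to virtual machine instructions, then running the result on a virtual processor with virtual registers and virtual memory); it is not code from the patent. The five-instruction system set, the XOR-and-rotate toy cipher, the seeded opcode mapping and the one-byte operand mask are all assumptions made for the example, and the last function is a build-time check for key bytes left readable when execution parameters are kept unchanged.

```python
import random

# Toy "system instruction set" (assumed for this example): mnemonic -> operand count.
SYSTEM_ISA = {"LOADP": 2, "XORI": 2, "ROL": 2, "STORE": 2, "HALT": 0}
ROUND = ("LOADP", "XORI", "ROL", "STORE")            # instructions emitted per input byte
ROUND_BYTES = sum(1 + SYSTEM_ISA[m] for m in ROUND)  # bytecode bytes per input byte


def rol8(x: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (0 < n < 8)."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def reference(plaintext: bytes, key: bytes) -> bytes:
    """Toy cipher computed directly (NOT AES/SM4): c[i] = rol8(p[i] ^ k[i mod len(k)], 3)."""
    return bytes(rol8(p ^ key[i % len(key)], 3) for i, p in enumerate(plaintext))


def build_intermediate(key: bytes, n: int):
    """Intermediate code: system instructions plus execution parameters.
    The key is fused into the code as the XORI immediates."""
    if n > 256:
        raise ValueError("toy encoding uses one-byte operands")
    code = []
    for i in range(n):
        code += [("LOADP", 0, i), ("XORI", 0, key[i % len(key)]),
                 ("ROL", 0, 3), ("STORE", 0, i)]
    return code + [("HALT",)]


def make_vm_isa(seed: int) -> dict:
    """Preset virtual machine instruction set: a private system-instruction -> opcode
    mapping, plus a mask used when execution parameters are converted too."""
    rng = random.Random(seed)
    opcodes = rng.sample(range(256), len(SYSTEM_ISA))
    return {"map": dict(zip(SYSTEM_ISA, opcodes)), "mask": rng.randrange(1, 256)}


def compile_to_vm(intermediate, isa: dict, convert_params: bool) -> bytes:
    """Replace each system instruction with its VM instruction; keep the execution
    parameters unchanged, or convert them with the preset mask."""
    mask = isa["mask"] if convert_params else 0
    out = bytearray()
    for ins in intermediate:
        out.append(isa["map"][ins[0]])
        out += bytes(op ^ mask for op in ins[1:])
    return bytes(out)


class VirtualMachine:
    """Virtual processor loop with virtual registers (vreg) and virtual memory (vmem)."""

    def __init__(self, isa: dict, convert_params: bool):
        self.decode = {op: name for name, op in isa["map"].items()}
        self.mask = isa["mask"] if convert_params else 0
        self.vreg = [0] * 4
        self.vmem = bytearray()

    def run(self, program: bytes, plaintext: bytes) -> bytes:
        self.vmem = bytearray(len(plaintext))
        pc = 0
        while True:
            name = self.decode.get(program[pc])
            if name is None:
                raise ValueError(f"unknown VM opcode at offset {pc}")
            n = SYSTEM_ISA[name]
            args = [b ^ self.mask for b in program[pc + 1:pc + 1 + n]]
            pc += 1 + n
            if name == "HALT":
                return bytes(self.vmem)   # ciphertext is read from virtual memory
            r, v = args
            if name == "LOADP":
                self.vreg[r] = plaintext[v]
            elif name == "XORI":
                self.vreg[r] ^= v
            elif name == "ROL":
                self.vreg[r] = rol8(self.vreg[r], v)
            elif name == "STORE":
                self.vmem[v] = self.vreg[r]


def encrypt(plaintext: bytes, key: bytes, seed: int, convert_params: bool = True):
    """Compile key + algorithm into a virtual encryption program and run it in the VM."""
    isa = make_vm_isa(seed)
    program = compile_to_vm(build_intermediate(key, len(plaintext)), isa, convert_params)
    return program, VirtualMachine(isa, convert_params).run(program, plaintext)


def key_bytes_in_clear(program: bytes, key: bytes) -> bool:
    """Build-time check: do the raw key bytes appear at a fixed per-round offset?"""
    return any(program[off::ROUND_BYTES][:len(key)] == key for off in range(ROUND_BYTES))
```

Two builds with different preset instruction sets produce different bytecode for the same ciphertext, while a build that leaves execution parameters unchanged still carries the key bytes verbatim in the program.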
As stated earlier, in some embodiments, the plaintext information to be encrypted includes at least one of a transmission file to be transmitted and authentication information of a resource transfer party in a resource transfer operation. The transmission file includes at least one of video, audio, document, and picture. For example, in the interaction scene of the terminal and other terminals or the interaction scene of the terminal and the server, the transmission file is stored at one end in a plaintext form, and is transmitted to the other end in a ciphertext form after being encrypted, so that the security of the transmission file in the communication process can be ensured, and an attacker is prevented from acquiring the original data in a communication interception mode or the like.
In another example, in a resource transfer scenario, the terminal may act as the resource transfer party and transfer resources to the resource receiver. For example, the terminal makes a payment to a merchant as the paying party, or the terminal makes a transfer to another terminal as the transaction initiator, and the like.
In a resource transfer scenario, it is often necessary to authenticate the resource transfer party to ensure the security of the resource transfer operation. The terminal takes the authentication information of the resource transfer party as the plaintext information to be encrypted, encrypts it to obtain ciphertext information, and provides the ciphertext information for identity verification, so that the data security of the resource transfer party is ensured. The authentication information of the resource transfer party includes at least one of account token information and timestamp information. The account token information is issued in advance by the server and matches the account information with which the resource transfer party logs in to the application. For example, the account token information is a temporary password issued by the server, and the temporary password is updated at a preset time interval, so that dynamic password protection is realized to strengthen security. The timestamp information records the operation time of the resource transfer operation, so that the server can, according to that operation time, compare the account token information it issued to the terminal with the historically generated account token information it has recorded, and thereby perform identity verification.
For this reason, in some embodiments, when the plaintext information is authentication information of the resource transfer party in the resource transfer operation, the ciphertext information is encrypted authentication information obtained by encrypting the authentication information of the resource transfer party in the resource transfer operation. Illustratively, the authentication information is account information of a payer in a payment operation, and the encrypted authentication information is encrypted account information, such as a payment two-dimensional code.
For this reason, the information encryption method provided by the embodiment of the application further includes: sending the encrypted authentication information to a server; the transmitted encrypted authentication information is used for triggering the server to carry out identity verification according to the account token information and the timestamp information, and executing resource transfer operation under the condition that the identity verification result represents that the identity verification passes; and receiving an execution result of the resource transfer operation.
The terminal can send the encrypted authentication information to the server in an online or offline mode. When the terminal sends the encrypted authentication information to the server in an online mode, it can establish a real-time communication connection with the server and send the encrypted authentication information to the server in real time. The server performs identity verification according to the account token information and the timestamp information, and performs the resource transfer operation when the identity verification result indicates that the identity verification has passed. For example, if the user account information is correct, the server initiates a deduction from the user account and transfers the deducted amount to a merchant account associated with the merchant.
In some embodiments, the server compares the account token information and the timestamp information sent by the terminal with the historically generated account token information recorded by the server, and performs identity verification through this consistency comparison. When the account token information issued to the terminal by the server at a certain moment is consistent with the account token information, carrying the timestamp information, that the terminal subsequently uploads, the server can determine that the identity verification has passed. The server can then execute the resource transfer operation when the identity verification result indicates that the identity verification has passed.
When the terminal sends the encrypted authentication information to the server in an offline mode, because the terminal is offline, the encrypted authentication information can be acquired by the resource receiver in the resource transfer operation, and the resource receiver sends the encrypted authentication information to the server for identity verification by the server.
Whether in an online mode or an offline mode, the terminal may receive an execution result of the resource transfer operation, where the execution result includes, but is not limited to, success of the resource transfer, failure of the resource transfer, and the like.
In the above embodiment, the encrypted authentication information is sent to the server for the server to perform identity verification, so that the user can realize convenient and rapid resource transfer operation through the terminal, and the security of the resource transfer operation is high.
In some embodiments, the terminal sending the encrypted authentication information to the server comprises: calling the display device to display the encrypted authentication information, so that a reading device of the resource receiver in the resource transfer operation can read the encrypted authentication information and send it to the server.
Illustratively, when the terminal is a wearable or portable IoT device (e.g., a watch, a bracelet, etc.), the terminal displays the encrypted authentication information by invoking a display screen, such as displaying a barcode or a two-dimensional code. A merchant, which is a resource receiving party in the resource transfer operation, reads a bar code or a two-dimensional code through a reading device (e.g., a code scanner, etc.), thereby transmitting the bar code or the two-dimensional code to a server. And the server performs authentication on the resource transfer party according to the bar code or the two-dimensional code, and performs deduction operation and the like on the resource transfer party under the condition that the authentication passes.
In the above example, the terminal displays the encrypted authentication information to the resource receiver, and the resource receiver sends the encrypted authentication information to the server, so that there is no limitation on whether the terminal and the server establish real-time communication; in other words, the terminal can realize resource transfer in an offline state, so that portability and application flexibility are improved.
In some examples, a flow framework of the information encryption method provided by the embodiment of the present application may be as shown in fig. 7. Taking the case where the source code of the encryption algorithm is C++ source code as an example, the terminal compiles the service function code, the C++ source code and the encryption key through a pre-configured compiler to obtain a virtual encryption program that is formed by a plurality of virtual machine instructions and can be identified by the virtual machine, and the virtual encryption program is run by the virtual machine to realize the encryption process.
Under such a flow framework, as shown in fig. 8, on the one hand, because an attacker cannot learn the preset virtual machine instruction set, the attacker cannot learn the mapping relationship between the virtual machine instructions and the system instructions, and thus cannot crack the virtual machine instructions. On the other hand, because the virtual encryption program runs in the virtual machine, an attacker cannot intercept intermediate nodes and data during execution by means such as breakpoint debugging, and cannot crack the virtual encryption program by reverse engineering.
As shown in fig. 9, based on the architecture of the white-box cryptography, the inventive concept of the information encryption method provided by the embodiment of the present application is that, for plaintext information to be encrypted, a terminal compiles an encryption algorithm such as SM4, SM2, or AES into a virtual encryption program, and then the virtual encryption program is executed by a virtual machine configured in the terminal. For example, the virtual encryption program is run by a virtual processor VCPU in the virtual machine, intermediate data and results in the running process are temporarily stored in a virtual register Vreg, and the final encryption result, i.e., ciphertext information, is stored in a virtual memory Vmem. Thus, the terminal can extract ciphertext information from the virtual memory Vmem of the virtual machine.
The embodiment of the application also provides an application scenario to which the information encryption method is applied. Specifically, the information encryption method is applied in this scenario as follows: for the payment function to be executed, the terminal acquires the payment function code of the payment function and the account information to be encrypted that is matched with the payment function. The account information includes, but is not limited to, one or more of an account id, an account password, and the like. The terminal determines a target encryption algorithm, acquires an encryption source code of the target encryption algorithm, and acquires an encryption key. Based on a preset virtual machine instruction set, the terminal compiles the encryption key, the encryption source code and the payment function code into a virtual encryption program that can be identified by the virtual machine, loads the virtual encryption program into the virtual machine, and the virtual machine runs the virtual encryption program to execute an encryption process on the account information, obtaining ciphertext information corresponding to the account information. The ciphertext information is, for example, a bar code or a two-dimensional code for payment.
Of course, the information encryption method provided by the embodiment of the application is not limited to this application scenario, and can also be applied to other scenarios, such as a chat session scenario, a local file encryption and decryption scenario, a transmission file encryption and decryption scenario, a file encryption and decryption scenario in a portable storage medium (such as a USB flash disk, etc.), and the like.
In a specific example, the information encryption method provided by the embodiment of the application includes: for the service function to be executed, the terminal responds to the triggering operation of the service function control in the application program, determines the service function corresponding to the service function control, and acquires the service function code of the service function. And the terminal determines the acquisition mode of the plaintext information to be encrypted according to the service function, and acquires the plaintext information to be encrypted matched with the service function according to the acquisition mode.
On the other hand, the terminal determines a target encryption algorithm and acquires an encryption source code of the target encryption algorithm. The terminal randomly generates an encryption key through a key generator, compiles the encryption key, the encryption code and the service function code based on a system instruction set matched with an operating system of the current device to obtain an intermediate code composed of system instructions preset in the system instruction set, and determines virtual machine instructions corresponding to the system instructions contained in the intermediate code from the virtual machine instruction set based on a mapping relation between the preset virtual machine instruction set and the system instruction set. For each of the plurality of system instructions included in the intermediate code, the terminal replaces that system instruction with its corresponding virtual machine instruction, thereby converting the plurality of system instructions included in the intermediate code, and then generates a virtual encryption program identifiable by the virtual machine based on the plurality of virtual machine instructions obtained after conversion and the execution parameters.
Furthermore, the terminal loads the virtual encryption program into a virtual processor of the virtual machine, and the virtual processor runs the virtual encryption program to encrypt the plaintext information to obtain ciphertext information corresponding to the plaintext information; the ciphertext information is stored in a virtual memory of the virtual machine.
It should be understood that, although the steps in the flowcharts related to the above embodiments are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the execution of the steps is not strictly limited to that order, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides an information decryption method. In some embodiments, as shown in fig. 10, the method may be applied to a terminal or a server, or may be performed cooperatively by the terminal and the server. The following describes an example of application of the method to a terminal, the method comprising the steps of:
In step S1002, in the case of receiving the decryption request, ciphertext information to be decrypted, to which the decryption request is directed, is obtained.
The decryption request instructs the terminal to decrypt the acquired ciphertext information to be decrypted. In some embodiments, the terminal obtains the decryption request by responding to a triggering operation of a service function control in the application program; alternatively, the terminal receives a decryption request issued by the server by establishing a communication connection with the server, and so on. Specifically, when a decryption request is received, the terminal parses the obtained decryption request and determines the ciphertext information to be decrypted to which the decryption request is directed.
For example, when the terminal detects that a user selects an encrypted image in the album, the terminal provides an option of decrypting the encrypted image through a service function control and detects whether the user triggers the option; when the terminal detects that the user triggers the option, it determines that a decryption request for decrypting the encrypted image has been received; the encrypted image is the ciphertext information to be decrypted.
Step S1004, determining a target decryption algorithm matched with the target encryption algorithm applied to the ciphertext information, and acquiring a decryption source code of the target decryption algorithm.
As stated above, the encryption algorithm provided by the embodiment of the present application includes, but is not limited to, one or more of AES, SMS4, DES, and the like. The target decryption algorithm is accordingly a cryptographic algorithm that matches the encryption algorithm, e.g. the algorithm steps used for the process in the encryption algorithm, etc.
The decryption algorithm can be preconfigured in the terminal so as to be used by the terminal when the terminal needs to execute the encryption and decryption functions. In an actual application scenario, different service functions may need to be matched with different decryption algorithms to achieve the corresponding service purposes, or different application programs may also use different decryption algorithms.
To this end, in some embodiments, the terminal obtains a device identification of the current device and selects a target decryption algorithm from a plurality of decryption algorithms that matches the current device based on the device identification. In other embodiments, the terminal selects a target decryption algorithm from a plurality of decryption algorithms that matches the service function to which the decryption request is directed. Specifically, the terminal selects a decryption algorithm matching the service function from a plurality of decryption algorithms as a target decryption algorithm according to the service function to be executed. For example, under the scene that the terminal uploads the image to the server, the decryption function of the image is realized through RSA cryptographic algorithm; in another example, in a scenario that the terminal shares the image to other terminals, a decryption function for the image is realized through an AES cryptographic algorithm, and so on. In still other embodiments, the terminal selects a target decryption algorithm from a plurality of decryption algorithms that matches the application in response to a triggering operation of a business function control in the application. In still other embodiments, the terminal randomly selects the target decryption algorithm from a plurality of decryption algorithms.
In some embodiments, the terminal obtaining the decryption source code of the target decryption algorithm comprises: the decryption source code of the target decryption algorithm is extracted from the decryption source codes of the decryption algorithms stored in the local storage space.
In other embodiments, the terminal obtaining the decryption source code of the target decryption algorithm comprises: sending a source code acquisition request to a server according to the determined target decryption algorithm, where the source code acquisition request carries identification information of the target decryption algorithm and the identification information indicates which specific decryption algorithm the target decryption algorithm is; and receiving the source code of the target decryption algorithm returned by the server in response to the source code acquisition request, thereby obtaining the decryption source code.
In step S1006, a decryption key that matches the encryption key applied to the ciphertext information is determined, and a service function code that corresponds to the service function to which the decryption request is directed is determined.
After determining the decryption algorithm, the terminal also needs to determine a key, so as to execute the specific decryption steps according to the key and the decryption algorithm and realize the decryption process that yields the plaintext information. Corresponding to the encryption process, the key applied to the decryption process is called a decryption key.
In some embodiments, a decryption key that matches an encryption key applied to ciphertext information refers to the decryption key being the same as the encryption key. The terminal can determine a decryption key that matches the encryption key applied to the ciphertext information by extracting the historically generated encryption key from the local storage space.
In other embodiments, a decryption key that matches the encryption key applied to the ciphertext information refers to the encryption key being a public key and the decryption key being a private key. Similarly, the terminal extracts a decryption key matching the encryption key in the local storage space.
The service function to which the decryption request is directed is, for example, a service function that decrypts data in the local storage space, such as decrypting an image in an album, decrypting a document in a folder, and the like. As another example, the decryption request is directed to a service function that decrypts transmitted data, such as decrypting data in a chat session, decrypting uploaded/downloaded data, or the like.
Therefore, the terminal obtains the service function code corresponding to the service function to which the decryption request is directed. In some embodiments, the terminal determining the service function code corresponding to the service function to which the decryption request is directed includes: the terminal determines an application program for realizing the service function and acquires a program code of the application program; the service function code of the service function is extracted from the program code of the application program.
Step S1008, based on the preset virtual machine instruction set, compiles the decryption key, the decryption source code and the service function code into a virtual decryption program identifiable by the virtual machine.
Specifically, the terminal compiles the decryption key, the decryption source code and the service function code into a virtual decryption program that can be identified by the virtual machine based on a preset virtual machine instruction set. The decryption algorithm and the key are fused and obfuscated by this recompilation, so that even if an attacker acquires the running code of the virtual decryption program, the attacker cannot know its specific meaning or extract the key information from it, and the data safety is greatly ensured.
In some embodiments, the terminal compiling the decryption key, the decryption source code and the service function code into a virtual decryption program identifiable by the virtual machine based on a preset virtual machine instruction set includes: the terminal integrates the decryption source code and the service function code, fuses the decryption key into the integrated code, compiles the code fused with the decryption key into a virtual decryption program identifiable by the virtual machine according to a preset virtual machine instruction set, and lets the virtual machine run the virtual decryption program, so that the decryption that yields the plaintext information is carried out. Therefore, the key information is hidden in the virtual decryption program and cannot be cracked, so that the security of the key is ensured.
In step S1010, a virtual decryption program is run by the virtual machine to perform a decryption process on the ciphertext information, so as to obtain plaintext information corresponding to the ciphertext information.
Specifically, the terminal loads the virtual decryption program generated by compiling into a virtual processor of the virtual machine, and the virtual processor runs the virtual decryption program, so that the algorithm step of the target decryption algorithm is executed based on the decryption key, and the ciphertext information is decrypted, and plaintext information corresponding to the ciphertext information is obtained.
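The encryption flow described earlier (compile to intermediate code, replace each system instruction by its mapped virtual machine instruction while keeping the execution parameters, run on a virtual processor with Vreg and Vmem) and the matching decryption flow of steps S1008 to S1010 can be sketched as follows. This is an added illustration, not code from the patent: the nine mnemonics, the register and Vmem layout, and the XOR-and-add byte cipher (a stand-in for SM4 or AES) are assumptions.

```python
import random

# Mnemonics of a hypothetical system instruction set used for the intermediate code.
SYSTEM_INSTRUCTIONS = ["LDI", "LDM", "STM", "XOR", "ADD", "SUB", "JGE", "JMP", "HALT"]
OUT_BASE = 0x400      # assumed Vmem offset where the result is written
R_LEN = 7             # assumed Vreg that holds the input length
MASK = 0xFFFFFFFF     # registers are modelled as 32-bit values


def make_vm_instruction_set(rng):
    """Preset virtual machine instruction set: a secret mnemonic -> opcode mapping."""
    opcodes = rng.sample(range(256), len(SYSTEM_INSTRUCTIONS))
    return dict(zip(SYSTEM_INSTRUCTIONS, opcodes))


def compile_intermediate(key, decrypt=False):
    """Emit intermediate code with the key fused in as immediate operands."""
    if not key:
        raise ValueError("key must not be empty")
    code = [("LDI", 1, 0, 0),           # r1 = i = 0 (input index)
            ("LDI", 3, OUT_BASE, 0),    # r3 = output pointer
            ("LDI", 6, 1, 0)]           # r6 = constant 1
    loop_start = len(code)
    end = loop_start + 8 * len(key) + 1           # index of HALT (8 instructions per key byte)
    for k in key:                                 # loop body unrolled once per key byte
        code.append(("JGE", 1, R_LEN, end))       # if i >= len: goto HALT
        code.append(("LDM", 0, 1, 0))             # r0 = Vmem[i]
        code.append(("LDI", 2, k, 0))             # r2 = key byte (fused into the code)
        if decrypt:
            code += [("SUB", 0, 1, 0), ("XOR", 0, 2, 0)]   # p = ((c - i) mod 256) ^ k
        else:
            code += [("XOR", 0, 2, 0), ("ADD", 0, 1, 0)]   # c = ((p ^ k) + i) mod 256
        code.append(("STM", 0, 3, 0))             # Vmem[r3] = low byte of r0
        code.append(("ADD", 1, 6, 0))             # i += 1
        code.append(("ADD", 3, 6, 0))             # output pointer += 1
    code.append(("JMP", loop_start, 0, 0))
    code.append(("HALT", 0, 0, 0))
    assert code[end][0] == "HALT"
    return code


def translate(intermediate, vm_set):
    """Replace each system instruction by its VM instruction; parameters are kept."""
    return [(vm_set[op], a, b, c) for op, a, b, c in intermediate]


class VirtualMachine:
    def __init__(self, vm_set, mem_size=0x800):
        self.decode = {opcode: name for name, opcode in vm_set.items()}
        self.mem_size = mem_size

    def run(self, program, data, max_steps=1_000_000):
        """Run a virtual program on a fresh VCPU state and extract the result from Vmem."""
        if len(data) > min(OUT_BASE, self.mem_size - OUT_BASE):
            raise ValueError("input does not fit in Vmem")
        vreg = [0] * 8
        vmem = bytearray(self.mem_size)
        vmem[:len(data)] = data
        vreg[R_LEN] = len(data)
        pc = 0
        for _ in range(max_steps):
            opcode, a, b, c = program[pc]
            name = self.decode.get(opcode)
            if name is None:
                raise ValueError("opcode not in this VM's instruction set")
            pc += 1
            if name == "LDI":
                vreg[a] = b
            elif name == "LDM":
                vreg[a] = vmem[vreg[b]]
            elif name == "STM":
                vmem[vreg[b]] = vreg[a] & 0xFF
            elif name == "XOR":
                vreg[a] ^= vreg[b]
            elif name == "ADD":
                vreg[a] = (vreg[a] + vreg[b]) & MASK
            elif name == "SUB":
                vreg[a] = (vreg[a] - vreg[b]) & MASK
            elif name == "JGE":
                if vreg[a] >= vreg[b]:
                    pc = c
            elif name == "JMP":
                pc = a
            else:  # HALT
                return bytes(vmem[OUT_BASE:OUT_BASE + len(data)])
        raise RuntimeError("step limit exceeded")


def demo():
    key = bytes.fromhex("13579bdf")              # constructed sample key
    plaintext = b"account-token|1700000000"      # constructed sample authentication info
    vm_set = make_vm_instruction_set(random.Random(2023))  # fixed seed for reproducibility only
    vm = VirtualMachine(vm_set)
    enc = translate(compile_intermediate(key), vm_set)
    dec = translate(compile_intermediate(key, decrypt=True), vm_set)
    ciphertext = vm.run(enc, plaintext)
    return plaintext, ciphertext, vm.run(dec, ciphertext)


if __name__ == "__main__":
    print(demo())
```

In this sketch the key bytes are still visible as `LDI` operands once the opcode mapping is known, so the mapping has to be kept as secret as the key.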
According to the information decryption method, when a decryption request is received, the ciphertext information to be decrypted to which the decryption request is directed is acquired, so that the decryption process is carried out for specific information. A target decryption algorithm matched with the target encryption algorithm applied to the ciphertext information is determined and its decryption source code is acquired; a decryption key matched with the encryption key applied to the ciphertext information is determined, together with the service function code corresponding to the service function to which the decryption request is directed. The decryption key, the decryption source code and the service function code are then compiled into a virtual decryption program identifiable by a virtual machine based on a preset virtual machine instruction set. Because the decryption algorithm and the key are fused and obfuscated through recompilation, the key information is hidden in the virtual decryption program and cannot be cracked, which ensures the security of the key. Furthermore, running the virtual decryption program through the virtual machine realizes the decryption process on the ciphertext information and yields the corresponding plaintext information, which ensures the safety of data in the transmission process.
The embodiment of the application also provides an application scenario to which the information decryption method is applied. Specifically, the information decryption method is applied in this scenario as follows: when a decryption request is received, the terminal acquires the ciphertext information to be decrypted to which the decryption request is directed. The ciphertext information is, for example, a bar code or a two-dimensional code for payment. On the one hand, the terminal determines a target decryption algorithm matched with the target encryption algorithm applied to the ciphertext information and acquires a decryption source code of the target decryption algorithm; on the other hand, the terminal determines a decryption key matched with the encryption key applied to the ciphertext information and determines a service function code corresponding to the service function to which the decryption request is directed. The terminal compiles the decryption key, the decryption source code and the service function code into a virtual decryption program that can be identified by the virtual machine based on a preset virtual machine instruction set, and the virtual decryption program is run by the virtual machine to execute a decryption process on the ciphertext information, so that plaintext information corresponding to the ciphertext information is obtained. The plaintext information is, for example, account information for payment, or the like. The account information includes, but is not limited to, one or more of an account id, an account password, and the like.
Of course, the information decryption method provided by the embodiment of the application is not limited to this application scenario, and can also be applied to other scenarios, such as a chat session scenario, a local file encryption and decryption scenario, a transmission file encryption and decryption scenario, a file encryption and decryption scenario in a portable storage medium (such as a USB flash disk, etc.), and the like.
Based on the same inventive concept, the embodiment of the application also provides an information encryption device for realizing the above related information encryption method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in one or more embodiments of the information encryption device provided below may refer to the limitation of the information encryption method hereinabove, and will not be repeated herein.
In some embodiments, as shown in fig. 11, there is provided an information encryption apparatus 1100 including: an acquisition module 1101, a selection module 1102, a compiling module 1103 and a running module 1104, wherein:
The obtaining module 1101 is configured to obtain, for a service function to be executed, a service function code of the service function and plaintext information to be encrypted that is matched with the service function.
A selection module 1102, configured to determine a target encryption algorithm, and obtain an encryption source code of the target encryption algorithm; the encryption source code, when executed, is used to implement a target encryption algorithm.
The compiling module 1103 is configured to obtain the encryption key, and compile the encryption key, the encryption source code, and the service function code into a virtual encryption program identifiable by the virtual machine based on a preset virtual machine instruction set.
The operation module 1104 is configured to operate a virtual encryption program through a virtual machine to perform an encryption process on the plaintext information, so as to obtain ciphertext information corresponding to the plaintext information.
In some embodiments, the obtaining module is further configured to determine a service function corresponding to the service function control in response to a triggering operation of the service function control in the application program, and obtain a service function code of the service function; determining an acquisition mode of plaintext information to be encrypted according to a service function; and acquiring plaintext information to be encrypted, which is matched with the service function, according to the acquisition mode.
In some embodiments, the selecting module is further configured to obtain a device identifier of the current device, and select, according to the device identifier, a target encryption algorithm that matches the current device from a plurality of encryption algorithms; or the selecting module is also used for selecting a target encryption algorithm matched with the service function from a plurality of encryption algorithms; or the selection module is also used for responding to the triggering operation of the business function control in the application program and selecting a target encryption algorithm matched with the application program from a plurality of encryption algorithms; alternatively, the selection module is further configured to randomly select the target encryption algorithm from a plurality of encryption algorithms.
In some embodiments, the compiling module is further configured to compile the encryption key, the encryption code, and the service function code based on a system instruction set that matches with an operating system of the current device, to obtain an intermediate code composed of system instructions preset in the system instruction set; and converting and compiling the intermediate codes into virtual encryption programs which can be identified by the virtual machine based on a mapping relation between a preset virtual machine instruction set and a system instruction set.
In some embodiments, the compiling module is further configured to determine, from the virtual machine instruction set, virtual machine instructions corresponding to each of a plurality of system instructions included in the intermediate code, based on a mapping relationship between a preset virtual machine instruction set and a system instruction set; and performing conversion compiling on the intermediate code based on virtual machine instructions corresponding to the system instructions, and generating a virtual encryption program identifiable by the virtual machine.
In some embodiments, the intermediate code further includes an execution parameter; the compiling module is further used for replacing the aimed system instruction by a virtual machine instruction corresponding to the aimed system instruction for each of a plurality of system instructions included in the intermediate code so as to convert the plurality of system instructions included in the intermediate code; and generating a virtual encryption program which can be identified by the virtual machine based on the plurality of virtual machine instructions and the execution parameters obtained after the conversion.
In some embodiments, the operation module is further configured to load a virtual encryption program into a virtual processor of the virtual machine, and the virtual processor operates the virtual encryption program to encrypt plaintext information to obtain ciphertext information corresponding to the plaintext information; the ciphertext information is stored in a virtual memory of the virtual machine.
In some embodiments, the plaintext information to be encrypted includes at least one of a transmission file to be transmitted and authentication information of a resource transfer party in a resource transfer operation; the transmission file at least comprises one of video, audio, document and picture; the authentication information of the resource transfer party at least comprises one of account token information and timestamp information; the account token information is issued in advance by the server and is matched with the account information of the resource transfer party logging in to the application program; the time stamp information is used to record the operation time of the resource transfer operation.
In some embodiments, when the plaintext information is authentication information of a resource transfer party in the resource transfer operation, the ciphertext information is encrypted authentication information obtained by encrypting the authentication information of the resource transfer party in the resource transfer operation; the information encryption device further comprises a transmission module for transmitting the encrypted authentication information to the server. The sent encrypted authentication information is used for triggering the server to perform identity verification according to the account token information and the timestamp information so as to determine the correctness of the account information of the resource transfer party logging in the application program. The transmission module is also used for executing the resource transfer operation under the condition that the authentication result returned by the server is received and the authentication result represents that the authentication passes.
In some embodiments, the transmission module is further configured to invoke the display device to display the encrypted authentication information, so that the reading device of the resource receiving party in the resource transfer operation reads the encrypted authentication information and sends it to the server.
Each of the modules in the information encryption apparatus described above may be implemented in whole or in part by software, hardware, and a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
Based on the same inventive concept, the embodiment of the application also provides an information decryption device for realizing the above-mentioned related information decryption method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation of one or more embodiments of the information decryption device provided below may refer to the limitation of the information decryption method hereinabove, and will not be repeated here.
In some embodiments, as shown in fig. 12, there is provided an information decryption apparatus 1200 including: an acquisition module 1201, a determination module 1202, a compilation module 1203, and a run module 1204, wherein:
The obtaining module 1201 is configured to obtain, when a decryption request is received, the ciphertext information to be decrypted to which the decryption request is directed.
A determining module 1202, configured to determine a target decryption algorithm that matches a target encryption algorithm applied to ciphertext information, and obtain a decryption source code of the target decryption algorithm.
The determining module 1202 is further configured to determine a decryption key that matches the encryption key applied to the ciphertext information, and determine a service function code corresponding to the service function to which the decryption request is directed.
The compiling module 1203 is configured to compile the decryption key, the decryption source code and the service function code into a virtual decryption program identifiable by the virtual machine based on a preset virtual machine instruction set.
The operation module 1204 is configured to run the virtual decryption program through the virtual machine to execute the decryption process on the ciphertext information, so as to obtain plaintext information corresponding to the ciphertext information.
Each of the modules in the above information decryption apparatus may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In some embodiments, a computer device is provided, which may be a terminal, and the internal structure of which may be as shown in fig. 13. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement an information encryption method. Alternatively, the computer program is executed by a processor to implement an information decryption method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. 
The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 13 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In some embodiments, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In some embodiments, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In some embodiments, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) involved in the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws, regulations and standards of the relevant countries and regions.
Those skilled in the art will appreciate that all or part of the methods in the above embodiments may be implemented by a computer program stored on a non-transitory computer-readable storage medium; when executed, the computer program may carry out the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined. For brevity of description, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction between the combinations of the technical features, they should be considered to be within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (16)

1. An information encryption method, characterized in that the method comprises:
for a service function to be executed, acquiring a service function code of the service function and plaintext information to be encrypted, which is matched with the service function;
determining a target encryption algorithm and acquiring an encryption source code of the target encryption algorithm; the encryption source code, when executed, is configured to implement the target encryption algorithm;
acquiring an encryption key, and compiling the encryption key, the encryption source code and the service function code into a virtual encryption program which can be identified by a virtual machine based on a preset virtual machine instruction set;
and running the virtual encryption program through the virtual machine to execute an encryption process on the plaintext information to obtain ciphertext information corresponding to the plaintext information.
2. The method according to claim 1, wherein the obtaining the service function code of the service function and plaintext information to be encrypted that matches the service function comprises:
responding to the triggering operation of a business function control in an application program, determining a business function corresponding to the business function control, and acquiring a business function code of the business function;
determining the acquisition mode of plaintext information to be encrypted according to the service function;
and acquiring plaintext information to be encrypted, which is matched with the service function, according to the acquisition mode.
3. The method of claim 1, wherein the determining the target encryption algorithm comprises at least one of:
acquiring a device identifier of a current device, and selecting a target encryption algorithm matched with the current device from a plurality of encryption algorithms according to the device identifier;
selecting a target encryption algorithm matched with the service function from a plurality of encryption algorithms;
responding to the triggering operation of a business function control in an application program, and selecting a target encryption algorithm matched with the application program from a plurality of encryption algorithms; or
randomly selecting the target encryption algorithm from a plurality of encryption algorithms.
4. The method of claim 1, wherein compiling the encryption key, the encryption source code, and the business function code into virtual encryption programs recognizable by a virtual machine based on a preset virtual machine instruction set, comprises:
compiling the encryption key, the encryption code and the service function code based on a system instruction set matched with an operating system of the current equipment to obtain an intermediate code composed of system instructions preset in the system instruction set;
and converting and compiling the intermediate code into a virtual encryption program which can be identified by a virtual machine based on a mapping relation between a preset virtual machine instruction set and the system instruction set.
5. The method of claim 4, wherein translating and compiling the intermediate code into a virtual encryption program recognizable by a virtual machine based on a mapping relationship between a preset virtual machine instruction set and the system instruction set, comprises:
determining virtual machine instructions corresponding to a plurality of system instructions included in the intermediate code from a virtual machine instruction set based on a mapping relation between the preset virtual machine instruction set and the system instruction set;
and converting and compiling the intermediate code based on virtual machine instructions corresponding to the system instructions, and generating a virtual encryption program identifiable by the virtual machine.
6. The method of claim 5, wherein the intermediate code further comprises an execution parameter; the method for generating the virtual encryption program identifiable by the virtual machine based on the virtual machine instruction corresponding to each of the plurality of system instructions comprises the following steps:
for each of a plurality of system instructions included in the intermediate code, replacing the targeted system instruction with a virtual machine instruction corresponding to the targeted system instruction to translate the plurality of system instructions included in the intermediate code;
and generating a virtual encryption program which can be identified by the virtual machine based on the plurality of virtual machine instructions and the execution parameters obtained after the conversion.
7. The method according to claim 1, wherein the running the virtual encryption program by the virtual machine to perform an encryption process on the plaintext information to obtain ciphertext information corresponding to the plaintext information includes:
loading the virtual encryption program into a virtual processor of a virtual machine, and running the virtual encryption program by the virtual processor to encrypt the plaintext information to obtain ciphertext information corresponding to the plaintext information; the ciphertext information is stored in a virtual memory of the virtual machine.
8. The method of claim 1, wherein the plaintext information to be encrypted includes at least one of a transmission file to be transmitted and authentication information of a resource transfer party in a resource transfer operation;
the transmission file at least comprises one of video, audio, document and picture;
the authentication information of the resource transfer party at least comprises one of account token information and timestamp information; the account token information is issued in advance by a server and is matched with account information of the resource transfer party logging in to an application program; the time stamp information is used for recording the operation time of the resource transfer operation.
9. The method according to claim 8, wherein when the plaintext information is authentication information of a resource transfer party in a resource transfer operation, the ciphertext information is encrypted authentication information obtained by encrypting the authentication information of the resource transfer party in the resource transfer operation; the method further comprises the steps of:
sending the encryption authentication information to a server; the sent encrypted authentication information is used for triggering the server to carry out identity verification according to the account token information and the timestamp information, and executing the resource transfer operation under the condition that the identity verification result represents that the identity verification passes;
and receiving an execution result of the resource transfer operation.
10. The method of claim 8, wherein the sending the encrypted authentication information to a server comprises:
and calling a display device to display the encryption authentication information so that a reading device of a resource receiving party in the resource transfer operation can read the encryption authentication, and sending the encryption authentication information to a server.
11. A method of decrypting information, the method comprising:
under the condition that a decryption request is received, ciphertext information to be decrypted, which is pointed by the decryption request, is obtained;
determining a target decryption algorithm matched with a target encryption algorithm applied to the ciphertext information, and acquiring a decryption source code of the target decryption algorithm;
determining a decryption key matched with an encryption key applied to the ciphertext information, and determining a service function code corresponding to a service function to which the decryption request is directed;
compiling the decryption key, the decryption source code and the service function code into a virtual decryption program identifiable by a virtual machine based on a preset virtual machine instruction set;
and running the virtual decryption program through the virtual machine to execute a decryption process on the ciphertext information, so as to obtain plaintext information corresponding to the ciphertext information.
12. An information encryption apparatus, characterized in that the apparatus comprises:
the acquisition module is used for acquiring service function codes of the service functions and plaintext information to be encrypted, which is matched with the service functions, for the service functions to be executed;
the selecting module is used for determining a target encryption algorithm and acquiring an encryption source code of the target encryption algorithm; the encryption source code, when executed, is configured to implement the target encryption algorithm;
the compiling module is used for acquiring the encryption key and compiling the encryption key, the encryption source code and the service function code into a virtual encryption program identifiable by the virtual machine based on a preset virtual machine instruction set;
and the operation module is used for operating the virtual encryption program through the virtual machine so as to execute an encryption process on the plaintext information and obtain ciphertext information corresponding to the plaintext information.
13. An information decryption apparatus, the apparatus comprising:
the acquisition module is used for acquiring ciphertext information to be decrypted pointed by the decryption request under the condition of receiving the decryption request;
the determining module is used for determining a target decryption algorithm matched with a target encryption algorithm applied to the ciphertext information and acquiring a decryption source code of the target decryption algorithm;
the determining module is further configured to determine a decryption key that matches the encryption key applied to the ciphertext information, and determine a service function code corresponding to a service function to which the decryption request is directed;
the compiling module is used for compiling the decryption key, the decryption source code and the service function code into a virtual decryption program which can be identified by the virtual machine based on a preset virtual machine instruction set;
and the operation module is used for operating the virtual decryption program through the virtual machine so as to execute a decryption process on the ciphertext information, and obtaining plaintext information corresponding to the ciphertext information.
14. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 11 when the computer program is executed.
15. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 11.
16. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 11.
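The compile, translate and run pipeline of claims 4 to 6, together with the matching decryption program of claim 11, as an added Python sketch that is not code from the patent: intermediate code made of system instructions is rewritten through a mapping table into virtual machine opcodes with its execution parameters kept, then interpreted. The mnemonics, opcode values, toy cipher and the way the service function code is mixed in are all assumptions made for illustration.

```python
# Added illustration of claims 4-6 and 11; not the patent's implementation.
# The cipher here (XOR key, XOR service code, add position) is a toy and is
# NOT secure; it only gives the translator and the VM something to run.

# Assumption: private VM opcode for each "system instruction" mnemonic.
VM_MAP = {"JGE": 0x5C, "LDIN": 0x11, "XORK": 0xA7, "XORI": 0x3E, "ADDP": 0x08,
          "SUBP": 0xD2, "OUT": 0x64, "JMP": 0x99, "HALT": 0xF0}


def compile_intermediate(key, service_code, decrypt=False):
    """Step 1: emit intermediate code as (system instruction, parameter) pairs."""
    if not key:
        raise ValueError("key must not be empty")
    mix = [("XORK", bytes(key)), ("XORI", service_code & 0xFF)]
    body = [("SUBP", None)] + mix[::-1] if decrypt else mix + [("ADDP", None)]
    # Layout: 0 loop test, 1 load, 2-4 body, 5 store, 6 loop back, 7 halt.
    return [("JGE", 7), ("LDIN", None), *body,
            ("OUT", None), ("JMP", 0), ("HALT", None)]


def translate(intermediate, vm_map=VM_MAP):
    """Step 2: replace each system instruction with its VM opcode and keep
    the execution parameter unchanged (the substitution in claim 6)."""
    program = []
    for mnemonic, param in intermediate:
        if mnemonic not in vm_map:
            raise KeyError(f"no VM instruction mapped for {mnemonic!r}")
        program.append((vm_map[mnemonic], param))
    return program


def run_vm(program, data, vm_map=VM_MAP, max_steps=1_000_000):
    """Step 3: interpret the virtual program; pc/acc/i model the virtual
    processor and `out` the virtual memory that receives the result."""
    names = {opcode: name for name, opcode in vm_map.items()}
    pc = acc = i = 0
    out = bytearray()
    for _ in range(max_steps):
        opcode, param = program[pc]
        name = names.get(opcode)
        pc += 1
        if name == "HALT":
            return bytes(out)
        elif name == "JGE":          # leave the loop once input is consumed
            if i >= len(data):
                pc = param
        elif name == "JMP":
            pc = param
        elif name == "LDIN":
            acc = data[i]
        elif name == "XORK":         # parameter carries the compiled-in key
            acc ^= param[i % len(param)]
        elif name == "XORI":
            acc ^= param
        elif name == "ADDP":
            acc = (acc + i) & 0xFF
        elif name == "SUBP":
            acc = (acc - i) & 0xFF
        elif name == "OUT":
            out.append(acc)
            i += 1
        else:
            raise ValueError(f"unknown VM opcode {opcode:#x}")
    raise RuntimeError("step limit reached without HALT")


if __name__ == "__main__":
    key, svc = b"k3y", 0x2A                       # constructed sample values
    plaintext = b"token=abc;ts=1690761600"        # constructed sample input
    enc = translate(compile_intermediate(key, svc))
    dec = translate(compile_intermediate(key, svc, decrypt=True))
    ciphertext = run_vm(enc, plaintext)
    print(ciphertext.hex(), run_vm(dec, ciphertext))
```

In this toy the key remains an operand inside the translated program, so the private opcode table raises the cost of analysis but does not by itself protect the key.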
CN202310946137.5A 2023-07-31 2023-07-31 Information encryption method, device, computer equipment and storage medium Active CN116662941B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310946137.5A CN116662941B (en) 2023-07-31 2023-07-31 Information encryption method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116662941A true CN116662941A (en) 2023-08-29
CN116662941B CN116662941B (en) 2023-12-26

Family

ID=87710158

Country Status (1)

Country Link
CN (1) CN116662941B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40091082; Country of ref document: HK)
GR01 Patent grant