CN117527238A

CN117527238A - Key generation method, device, electronic equipment and storage medium

Info

Publication number: CN117527238A
Application number: CN202410004042.6A
Authority: CN
Inventors: 李雪梅; 文严; 黄怡晰; 徐志华; 高斌
Original assignee: Chengdu New Hope Finance Information Co Ltd
Current assignee: Chengdu New Hope Finance Information Co Ltd
Priority date: 2024-01-03
Filing date: 2024-01-03
Publication date: 2024-02-06
Anticipated expiration: 2044-01-03
Also published as: CN117527238B

Abstract

The application provides a key generation method, a device, electronic equipment and a storage medium. Relates to the technical field of information security. The method comprises the following steps: generating a corresponding false message according to the size of the message of the request to be sent; the fake message comprises first time attribute information; generating a first real-time network feature based on the first time attribute information; a key is generated based on the first real-time network characteristic. The apparatus is for performing the above method. In the technical scheme of the embodiment of the application, the key is generated in real time and is related to the time attribute information which dynamically changes, so that the risk of key leakage is reduced, and the safety of encrypted data is improved.

Description

Key generation method, device, electronic equipment and storage medium

Technical Field

The present invention relates to the field of information security technologies, and in particular, to a method and apparatus for generating a key, an electronic device, and a storage medium.

Background

In information security, a key is an important resource that directly relates to the security and integrity of data. If the key is compromised, it may cause the data to be compromised, tampered with or used maliciously. Thus, ensuring the security of the key is a basis and premise for maintaining information security. In the prior art, the key is generally stored in an encrypted manner, and when encryption or decryption is needed, the corresponding key is obtained to encrypt and decrypt data. However, with the endless layering of attack modes, the secret key is easy to leak, so that the security of the data is threatened.

Disclosure of Invention

An object of the embodiments of the present application is to provide a method, an apparatus, an electronic device, and a storage medium for generating a key in real time according to parameters such as real-time network characteristics, so as to reduce risk of key leakage and improve security of encrypted data.

In a first aspect, an embodiment of the present application provides a key generation method, where the method is applied to a requester; the method comprises the following steps: generating a corresponding false message according to the size of the message of the request to be sent; the fake message comprises first time attribute information; generating a first real-time network feature based on the first time attribute information; a key is generated based on the first real-time network characteristic.

In the embodiment of the application, before the server sends the request to be sent, a key is required to be generated first to encrypt the request to be sent. And generating a first real-time network characteristic by using the first time attribute information of the false message corresponding to the request to be sent, so as to generate a secret key based on the first real-time network characteristic. Because of certain difference between the size and the sending time of different requests to be sent, the corresponding generated fake messages are different, and the first time attribute information is also different, so that the keys generated by different requests are different. And because the time is dynamically changed, the key generated based on the first real-time network characteristic reduces the risk of key leakage and improves the security of encrypted data.

In some embodiments, the first time attribute information includes a transmission time; generating a key from the first real-time network feature, comprising: determining a first time period to which the fake message belongs according to the sending time; generating a key based on the first real-time network characteristic, the first time period, and the physical machine characteristic; the physical machine features are used to characterize the physical machines corresponding to the requesting party and/or the serving party.

In this embodiment of the present application, the parameters for generating the key include the first time period and the physical machine characteristic in addition to the first real-time network characteristic. The first real-time network feature and the first time period can be regarded as time features, and the physical machine feature can be regarded as space features, so that the real-time generated secret key combines time, space and other factors. Therefore, the scheme of the application reduces the risk of key leakage and improves the difficulty of key cracking and the safety of encrypted data.

In some embodiments, the physical machine characteristics include a requester MAC address and a server MAC address; generating a key based on the first real-time network characteristic, the first time period, and the physical machine characteristic, comprising: generating a first available network feature based on the first real-time network feature and a preset sensitivity coefficient; the sensitivity coefficient is used for characterizing initial network characteristics of the requesting party and the service party; splicing the first available network characteristics, the first time period, the requester MAC address and the server MAC address to generate a first splicing character string; and encrypting the first spliced character string to generate a secret key.

In the embodiment of the application, the requester and the server interact, so that the server can correctly decrypt the encryption request sent by the requester, the physical machine feature of the generated key comprises the requester MAC address and the server MAC address, and the MAC address is fixed, so that the stability of the parameter of the generated key is reflected on one hand, and the relevance of the two interacting parties is reflected on the other hand. In addition, a first available network characteristic is generated based on the first real-time network characteristic and the sensitivity coefficient, and the influence of unstable factors of a network channel in the false message sending process is reduced, so that a stable available network characteristic is obtained. And finally, generating a character string based on the splicing of each parameter, and encrypting to generate a key, thereby improving the security of the key.

In some embodiments, after generating the key from the first real-time network feature; the method further comprises the steps of: encrypting a request to be sent by using a secret key to generate an encryption request; the encryption request is sent to the server so that the server processes the encryption request.

After the key is generated, the request to be sent is encrypted by the key, so that the encrypted request is obtained, and the security of the request to be sent is improved.

In some embodiments, after generating the encryption request, the method further comprises: and destroying the secret key.

After the encryption request is generated, the key is destroyed, and when a new request needs to be sent, the key is regenerated again, so that even if the key of the last request is revealed, the encryption request initiated at present cannot be decrypted. Therefore, the key cracking difficulty and the security of the encrypted data are improved while the key leakage risk is reduced.

In a second aspect, an embodiment of the present application provides a key generating method, where the method is applied to a server; the method comprises the following steps: receiving a false message sent by a requesting party; the false message is generated by a requester based on the size of the message of the request to be sent; the fake message comprises second time attribute information; generating a second real-time network characteristic based on the second time attribute information; a key is generated based on the second real-time network characteristic.

In this embodiment of the present application, since the requester generates the encryption key in real time to encrypt the request, the service side also needs to generate the decryption key in real time to decrypt the received encryption request. However, in order for the key generated by the server to be a decryption key corresponding to the encryption key of the requesting party, the encryption request can be correctly decrypted, and the parameters of the key generated by the server include the second real-time network characteristic. In this process, since the second real-time network feature is generated according to the second time attribute information of the dummy message sent by the requester, the parameters for generating the key are the same as those of the requester, and the key sent by the requester can be correctly decrypted.

In some embodiments, the second time attribute information includes a time of receipt; generating a key from the second real-time network feature, comprising: determining a second time period to which the fake message belongs according to the receiving time and the second real-time network characteristic; generating a key based on the second real-time network characteristic, the second time period, and the physical machine characteristic; the physical machine features are used to characterize the physical machines corresponding to the requesting party and/or the serving party.

In this embodiment of the present application, the parameters of the server generating the key include the second time period and the physical machine feature in addition to the second real-time network feature. The physical machine characteristics are the same as those of the requester, and the second time period is generated based on the related information of the fake message sent by the requester. In the process, the key is generated in real time, and the parameters for generating the key are the same as those of the requester, so that the correctness and the cracking difficulty of the key are improved.

In some embodiments, determining a second time period to which the dummy message belongs based on the time of receipt and the second real-time network characteristic includes: obtaining a time difference value according to the receiving time and the second real-time network characteristic; and determining a second time period to which the fake message belongs based on the time difference value and a preset period threshold value.

In the embodiment of the application, because the time difference exists between the receiving of the false message by the service side and the sending of the false message by the request side, and in order to enable the generated secret key to be the decryption secret key corresponding to the secret key generated by the request side, the second period needs to be determined based on the second real-time network characteristic and the receiving time, so that the second period and the first period belong to the same period, and the accuracy of generating the secret key is improved.

In some embodiments, the physical machine characteristics include a requester MAC address and a server MAC address; generating a key based on the second real-time network characteristic, the second time period, and the physical machine characteristic, comprising: generating a second available network feature based on the second real-time network feature and a preset sensitivity coefficient; the sensitivity coefficient is used for representing the initial network characteristics of the requesting party and the service party; splicing the second available network characteristics, the second time period, the requester MAC address and the server MAC address to generate a second splicing character string; and encrypting the second spliced character string to generate a secret key.

In the embodiment of the application, in order to enable the service party to correctly decrypt the encryption request sent by the request party, the physical machine characteristics when the service party generates the key include the MAC address of the request party and the MAC address of the service party so as to correspond to the physical machine characteristic parameters of the key generated by the request party. In addition, a second available network characteristic is generated based on the second real-time network characteristic and the sensitivity coefficient, so that the influence of unstable factors of a network channel in the false message sending process is reduced, and the stable available network characteristic is obtained to correspond to the first available network characteristic of the requesting party. Finally, character strings are generated based on the splicing of the parameters, and the generated keys are encrypted, so that the generated keys are the corresponding keys of the requesting party, and further the encryption request can be decrypted correctly.

In some embodiments, the method further comprises: receiving an encryption request sent by a requester; and decrypting the encrypted request by using the key to obtain a decrypted request.

The embodiment of the application decrypts the encryption request sent by the requester by using the generated key, so that the service party can correctly process the request of the requester.

In a third aspect, an embodiment of the present application provides a key generating apparatus, including: the first generation module is used for generating a corresponding false message according to the size of the message of the request to be sent; the fake message comprises first time attribute information; a second generation module for generating a first real-time network feature based on the first time attribute information; and the third generation module is used for generating a secret key according to the first real-time network characteristics.

In a fourth aspect, embodiments of the present application provide another key generating apparatus, including: the receiving module is used for receiving the false message sent by the requesting party; the false message is generated by a requester based on the size of the message of the request to be sent; the fake message comprises second time attribute information; a fourth generation module for generating a second real-time network feature based on the second time attribute information; and a fifth generation module for generating a key according to the second real-time network feature.

In a fifth aspect, embodiments of the present application provide an electronic device, including: the device comprises a processor, a memory, a storage medium and a bus, wherein the processor and the memory are communicated with each other through the bus; the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method steps of the first and second aspects.

In a sixth aspect, embodiments of the present application provide a non-transitory computer readable storage medium comprising: the computer-readable storage medium stores computer instructions that cause the computer to perform the method steps of the first and second aspects.

The beneficial effects of this application are as follows:

according to the embodiment of the application, the first real-time network characteristic is generated by utilizing the first time attribute information of the fake message corresponding to the request to be sent, so that the secret key is generated based on the first real-time network characteristic. Because of certain difference between the size and the sending time of different requests to be sent, the corresponding generated fake messages are different, and the first time attribute information is also different, so that the keys generated by different requests are different. And because the time is dynamically changed, the key generated based on the first real-time network characteristic reduces the risk of key leakage and improves the security of encrypted data.

Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a schematic flow chart of a key generation method according to an embodiment of the present application;

fig. 2 is a flow chart of another key generation method according to an embodiment of the present application;

FIG. 3 is a timing diagram of interactions between a requestor and a server provided in an embodiment of the present application;

fig. 4 is a schematic structural diagram of a key generating device according to an embodiment of the present application;

fig. 5 is a schematic structural diagram of another key generating device according to an embodiment of the present application;

fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

Detailed Description

Embodiments of the technical solutions of the present application will be described in detail below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical solutions of the present application, and thus are only examples, and are not intended to limit the scope of protection of the present application.

It is noted that all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description and claims of the present application and in the description of the figures above are intended to cover non-exclusive inclusions.

In the description of the embodiments of the present application, the technical terms "first," "second," etc. are used merely to distinguish between different objects and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated, a particular order or a primary or secondary relationship. In the description of the embodiments of the present application, the meaning of "plurality" is two or more unless explicitly defined otherwise.

In the description of the embodiments of the present application, the term "and/or" is merely an association relationship describing an association object, which means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.

In the information security, whether symmetric encryption or asymmetric encryption is adopted, when the secret key is revealed, the encrypted message can be reversely analyzed, and an attacker can decrypt the data by using the secret key to finish the attack. In the SSH tunnel encryption, when the password is leaked or cracked, the SSH tunnel encryption is cracked, and the message can be reversely decrypted. After HTTPS has revealed credentials, the transferred data will become unsecured. It follows that a key is an important resource that directly relates to the security and integrity of data.

However, in the above scenario, when the symmetric encryption algorithm is used to encrypt and decrypt during the interaction between the requester and the server, the key needs to be distributed first, so that the requester and the server obtain the key, and the process of distributing the key has potential safety hazard. Also, the keys distributed to the requesting and serving parties are typically fixed for a period of time. Further, even if asymmetric encryption is used, there are a public key and a private key, but the public key and the private key are fixed for a certain period of time, so if the key is compromised, the data encrypted by the key will not be secure any more.

Based on the above problems, the application provides a key generation method, a device and an electronic device. Before a request is sent by a requester, a corresponding encryption key is generated based on the related information of the fake message corresponding to the request to be sent, so that the request to be sent is encrypted by using the encryption key. The service side generates a corresponding decryption key based on the related information of the fake message sent by the request side so as to decrypt the encryption request by using the decryption key. When a request needs to be sent, an encryption key and a decryption key are respectively generated in real time at the requesting party and the service party, so that the risk of key leakage is reduced, and the safety of encrypted data is improved.

The micro-service or terminal which initiates the request is called a requester, and the micro-service which receives the request, performs certain logic operation and then returns the result is called a service side. The requesting party and the service party communicate in a private network, a public network or a private network, and the request modes are divided into HTTP, HTTPS and the like.

Fig. 1 is a flow chart of a key generation method according to an embodiment of the present application, where the method is applied to a requester; it will be appreciated that the requestor may be a terminal device (which may also be referred to as an electronic device) and a server; the terminal equipment can be a smart phone, a tablet personal computer, a personal digital assistant (PersonalDigitalAssistant, PDA) and the like; the server may be an application server or a Web server. As shown in fig. 1, the method includes:

step S101, a requester generates a corresponding false message according to the size of a message to be sent; the dummy message includes first time attribute information.

In a specific implementation process, the request to be sent refers to an actual message request that the requester needs to send to the server at the current moment.

Because the request to be sent is transmitted in an encrypted manner, the encrypted data is expanded compared with the plaintext data. Therefore, the size of the dummy message generated by the server according to the size of the message of the request to be sent should be the same as the size of the encrypted message of the request to be sent. Therefore, the dummy message refers to a message request with the same size as the message of the encryption request to be sent, but the message content is a random value. Based on the definition of the fake message, even if an attacker intercepts the fake message, the message content of the fake message is meaningless, so that the sent actual request is not affected.

The dummy message may be generated in two ways:

first kind: and generating a false message with the same size but nonsensical content according to the size of the plaintext message of the actual message request, and then encrypting the false message by using a fixed key to obtain the expanded false message. It should be noted that since the fixed key is used to encrypt the fake message, even if the fixed key leaks, the security of the actual message is not affected.

Second kind: the method comprises the steps of calculating the size of an encrypted message after encryption of an actual message request based on an expansion coefficient, and then generating a false message with the same size but meaningless content according to the size of the encrypted message. Note that, in this case, the dummy message does not need to be encrypted. The expansion coefficient refers to the ratio between the size of the encrypted message and the size of the plaintext message, and is typically a fixed interval value.

It should be noted that, how to generate the dummy message specifically may be determined according to the actual situation, which is not specifically limited in this application. It should be noted that the size of the generated dummy message is the same as the size of the corresponding actual message or the difference in size is within a certain range.

The purpose of the false message generation of the requesting party is to simulate the transmission condition of the actual message in the network channel, so that the real-time network characteristics generated based on the related information of the false message are attached to the real-time network characteristics of the actual message.

The first time attribute information comprises a sending time and a response time, wherein the time when the requester initiates the fake message is called the sending time, and the time when the requester receives the response message returned by the service side is called the response time. The data initiated by the requester is called a request message, and the data responded by the server to the requester is called a response message.

After the false message is generated, the requester sends the false message to the service side. It should be noted that, when sending the dummy message, the requester will splice the sending time in the dummy message, so that the server side analyzes the dummy message, knows the sending time of the dummy message sent by the requester, and prepares for generating the decryption key subsequently.

After receiving the false message, the service side returns the false message as a response message to the request side. But the response message returned to the requesting party does not contain the time of the receiving of the false message by the service party, so that only the service party knows the accurate time of receiving the false message, and a foundation is laid for the security of the key generated by the subsequent service party.

In step S102, the requestor generates a first real-time network feature based on the first time attribute information.

In a specific implementation, the requestor generates a first real-time network characteristic based on the transmit time and the response time. After receiving the response message returned by the service party, the requesting party can generate a first real-time network characteristic based on the sending time and the response time. The first real-time network feature is used to characterize the average time taken for a fake message to be sent and responded to in the network channel. Specifically, the transmission time is denoted as T1, the response time is denoted as T3, the first real-time network characteristic is denoted as R1, and r1= (T3-T1)/2. It should be noted that, the response time of the requester to receive the response message is also known only to the requester.

Step S103, the requester generates a key according to the first real-time network feature.

In the implementation process, since the first real-time network feature is related to the first time attribute information, for different requests, the first time attribute information of the corresponding dummy message is different due to the difference of the message sizes and the difference of the sending time. Thus, for different requests, the first real-time network characteristics generated by the requesting party based on the first time attribute information also differ, and thus, after obtaining the first real-time network characteristics, the requesting party can generate a key based on the first real-time network characteristics.

However, it should be noted that, in addition to the requester generating the key according to the first real-time network feature, a manner of generating the key may further include:

mode one: the requester generates a key based on the base key and the first real-time network feature; the basic key is a preset fixed key. The setting of the fixed key can be specifically set according to the actual situation. Specifically, each time a request party sends an actual request, a first real-time network feature is generated according to first time attribute information of a fake message corresponding to the actual request, and then a key is generated according to the first real-time network feature and a basic key.

Mode two: the requestor generates a key based on the first real-time network characteristic and a first time period to which the transmission time of the dummy message belongs. How to obtain the first time period is described in the following embodiments, and is not described herein.

Mode three: the requestor generates a key based on the first real-time network characteristic and the physical machine characteristic. For specific information on the physical machine features, please refer to the following embodiments, which are not described herein.

Mode four: the requestor generates a key based on the first real-time network characteristic, the first time period, and the physical machine characteristic. See the embodiments described below for a process for generating a key based on a first real-time network characteristic, a first time period, and a physical machine characteristic. And will not be described in detail herein.

It should be noted that, in addition to the three manners listed above, the requester may also generate the key based on any combination of the first real-time network feature and the parameters of the base key, the first time period, the physical machine feature, and so on. It should be appreciated that the manner in which the key is generated at the server and the particular values of the parameters used should be the same as the requestor, since the server needs to properly decrypt the encrypted request sent by the requestor.

In a specific implementation process, in order to improve the complexity of key generation and improve the decoding difficulty of the key generation, a requester can obtain a current timestamp of a sent false message by using a code for obtaining the current timestamp, wherein the current timestamp is the sending time of the false message. And then calculating the first time period to which the sent fake message belongs based on a preset period threshold value.

The preset cycle threshold value may be a preset value, for example, 100 ms may be a cycle, 50 ms may be a time cycle, 200 ms may be a time cycle, or the like. Specifically, assuming that the first time period is denoted as P1 and 100 ms is one period, p1=t1/100.

For example, if the system is developed based on java, the requester may obtain the current timestamp of the sending dummy message using system.

After the requester and the service party are determined, the physical machine characteristics are fixed, so that the physical machine characteristics can be used as one of parameters for generating the secret key, the interaction relationship between the service party and the requester is reflected, and the complexity of the secret key can be further improved. The requesting party and the service party have previously stored the physical machine features in respective configuration files or databases. When the key needs to be generated, the requester directly reads and obtains the physical machine characteristics. The physical machine features may be one or more of physical machine MAC address, hard disk serial number, CPU serial number, network card serial number, motherboard serial number, etc.

After obtaining the first real-time network characteristic, the first time period, and the physical machine characteristic, the requesting party may generate a key based on the first real-time network characteristic, the first time period, and the physical machine characteristic.

In some embodiments, the physical machine characteristics include a requester MAC address and a server MAC address; generating a key based on the first real-time network characteristic, the first time period, and the physical machine characteristic, comprising: generating a first available network feature based on the first real-time network feature and a preset sensitivity coefficient; the sensitivity coefficient is used for representing the initial network characteristics of the requesting party and the service party; splicing the first available network characteristics, the first time period, the requester MAC address and the server MAC address to generate a first splicing character string; and encrypting the first spliced character string to generate a secret key.

In the implementation process, the network transmission has instability because the network channel is easily affected by physical environment (such as temperature) and network quality. The network condition of the false message sent by the requesting party and the network condition of the response message returned by the service party may be different, so that the embodiment of the application reduces the influence level caused by network fluctuation by using the sensitivity coefficient, thereby improving the stability of the generated secret key. The sensitivity coefficient is determined by calculating according to network bandwidth and flow prediction in the initial development joint debugging stage of two systems of the requesting party and the service party. The sensitivity coefficient is thus used to characterize the initial network characteristics of the requesting party and the serving party.

It should be noted that once the interacting server and requestor determine, the sensitivity coefficient will not change. Illustratively, service a interacts with service B and service C, respectively, with the coefficient of sensitivity between service a and service B being a determined value and the coefficient of sensitivity between service a and service C being a determined value. And the service side and the requesting side store the sensitivity coefficients in the respective configuration files or databases in advance, and can directly acquire the sensitivity coefficients when the sensitivity coefficients are needed to be used.

The physical machine characteristics are defined as a requester MAC address and a server MAC address.

The first real-time network characteristic is determined according to the sending time and the response time of the fake message, but due to the network instability factor, the influence level caused by network fluctuation needs to be reduced by using the sensitivity coefficient. Thus, a first available network characteristic is generated based on the first real-time network characteristic and the sensitivity coefficient. Specifically, the first real-time network feature is R1, the sensitive coefficient is denoted as K, and the first available network feature is denoted as RV1, then rv1=r1/K.

After the first available network feature is obtained through calculation, the first available network feature, the first time period, the request party MAC address and the service party MAC address can be spliced to generate a first spliced character string, and the first spliced character string is encrypted.

It should be noted that, encrypting the first concatenation string may be hashing the first concatenation string to generate a fixed-length key. It should be noted that common hash algorithms are MD5 and SHA-1, etc. Which hash algorithm to use in particular can be chosen according to the actual situation. The first spliced character string can be replaced according to a preset replacement rule to generate a secret key. And the preset replacement rules can be set autonomously according to actual conditions.

It should be noted that, when the key is generated, the sensitivity coefficient may also be used as one of the parameters for generating the key. Specifically, the requester performs concatenation based on the first available network feature, the first time period, the requester's MAC address, the server's MAC address and the sensitivity coefficient to generate a new concatenation string, and encrypts the new concatenation string to generate a key.

In some embodiments, after the requestor generates the key based on the first real-time network characteristic, the first time period, and the physical machine characteristic; the method further comprises the steps of: the requester encrypts a request to be sent by using the secret key to generate an encrypted request; the requester sends the encryption request to the service party so that the service party processes the encryption request.

In the implementation process, after the key is generated, the request is conveniently encrypted by the key to be sent, and the encrypted request is sent to the server, so that the server processes the encrypted request.

In some embodiments, after the requester generates the encryption request, the method further comprises: the requester destroys the key.

In the implementation process, the corresponding secret key is generated in real time as each time a request is sent. Therefore, after the request to be sent is encrypted by the key, the key loses the effect, and in order to improve the utilization rate of the storage space of the system and the safety of the key, the key can be destroyed after encryption is finished, so that the risk of leakage of encrypted data caused by leakage of the key is reduced.

When a plurality of requests need to be sent at the same time, the sizes of dummy messages corresponding to different requests are different because the sizes of the messages of the requests are different. In the network transmission process, the small message request has faster sending time and response time than the large message request. Thus, the first real-time network characteristics generated based on the time of transmission and the time of response of the dummy message are different for different requests, so that there is also a difference in the first time period, and thus, the keys generated thereof are also different. If corresponding keys are generated for a plurality of requests at the same time, the corresponding target key can be determined based on the identification of the request, so that the encryption process can be correctly performed.

Fig. 2 is a flow chart of another key generation method provided in the embodiment of the present application, where the method is applied to a server, and the server is a server, specifically, may be an application server or a Web server. As shown in fig. 2, the method includes:

step S201, a service side receives a false message sent by a request side; the false message is generated by a requester based on the size of the message of the request to be sent; the dummy message includes second time attribute information.

In a specific implementation process, the second time attribute information includes a sending time and a receiving time, where the sending time refers to a time when the requester initiates the dummy message, and the receiving time refers to a time when the service side receives the dummy message. After receiving the fake message sent by the requesting party, the service party analyzes the fake message to obtain the spliced sending time in the fake message. Please refer to the above embodiment for generating the dummy message, which is not described herein.

In step S202, the service side generates a second real-time network feature based on the second time attribute information.

In the implementation process, after the server side analyzes and obtains the sending time of the fake message, the second real-time network feature can be generated based on the sending time and the receiving time of the fake message. The second real-time network feature is used for characterizing transmission time of the false message in the network channel when the requester transmits the false message. Specifically, the transmission time is T1, the reception time is T2, and the second real-time network characteristic is R2, so r2=t2-T1.

It should be noted that, according to the above embodiment, the first real-time network characteristic r1= (T3-T1)/2, where T3 is the time when the requester receives the response message, and because the service side immediately returns the dummy message as the response message to the requester after receiving the dummy message, and does not process the dummy message, the (T3-T1) is twice as large as the (T2-T1), and according to the above calculation formula, R1 and R2 are equal.

In step S203, the server generates a key according to the second real-time network feature.

In a specific implementation, after obtaining the second real-time network feature, the server may generate a key based on the second real-time network feature. As can be seen from step S202, the second real-time network characteristic is equal to the first real-time network characteristic, so that the key generated by the server is the decryption key of the key generated by the requester.

It should be noted that, since there are multiple ways of generating the key at the requester, before the requester and the server communicate, the way of generating the key should be negotiated so that the encrypted data can be decrypted correctly. It should be appreciated that if the service side cannot properly decrypt the encryption request sent by the requesting side, the requesting side should regenerate the encryption key to encrypt the request and reinitiate the corresponding encryption request, depending on the current encryption request being an invalid request, and the service side should regenerate the corresponding decryption key to decrypt the encryption request.

In some embodiments, the second time attribute information includes a time of receipt; generating a key from the second real-time network feature, comprising: the server side determines a second time period to which the fake message belongs according to the receiving time and the second real-time network characteristic; the server generates a key based on the second real-time network feature, the second time period and the physical machine feature; the physical machine features are used to characterize the physical machines corresponding to the requesting party and/or the serving party.

In the implementation process, because there is a time difference between the sending time of the requester and the receiving time of the server, in order to make the second time period belong to the same period as the first time period, so that the parameter of the server for generating the secret key is the same as the parameter of the requester for generating the secret key, therefore, the server determines the second time period to which the fake message belongs according to the receiving time and the second real-time network characteristic.

Specifically, assuming that the second time period is denoted as P2 and 100 ms is taken as one period, p2= (T2-R2)/100. It should be noted that r2=t2-T1, and thus p2= (T2-R2)/100= [ T2- (T2-T1) ]/100=t1/100. Thus, p2=p1. It should be noted that the setting of the time period of the service side should be the same as the setting of the time period of the requesting side.

After the server obtains the second real-time network feature and the second time period, the server can generate the secret key by combining the physical machine feature. It should be noted that the physical machine features used by the service party are the same as those used by the requesting party.

In some embodiments, the server determines a second time period to which the dummy message belongs according to the receiving time and the second real-time network characteristic, including: the server side obtains a time difference value according to the receiving time and the second real-time network characteristic; and the server determines a second time period to which the fake message belongs based on the time difference value and a preset period threshold value.

In the implementation process, the server determines the second time period to which the dummy message belongs based on the receiving time and the second real-time network characteristic, and the reason is referred to the above embodiment, and will not be described herein.

In the implementation process, the physical machine features set by the requester are the requester MAC address and the server MAC address, so the physical machine features of the server in generating the key also use the requester MAC address and the server MAC address.

The second real-time network characteristic is determined according to the sending time and the receiving time of the fake message. From the above examples, R1 and R2 are equal. However, it should be noted that R1 and R2 are equal values in an ideal state where no message is occupied by the network channel, and in a practical scenario, the network is always affected by various factors, so that an unstable situation occurs in the network. If the network is unstable, the time for the requester to send the dummy message will be different from the time for the service party to return the dummy message, so that R1 and R2 are unequal. In order to enable the key generated by the server to correctly decrypt the encrypted request sent by the requester, the parameter for generating the key at the server should be the same as the parameter for generating the key at the requester, so the influence level caused by the network fluctuation needs to be reduced by using the sensitivity coefficient so that R1 and R2 are equal. At this point, a second available network characteristic is generated based on the second real-time network characteristic and the sensitivity coefficient. Specifically, the second real-time network feature is R2, the sensitive coefficient is denoted as K, the second available network feature is denoted as RV2, and rv2=r2/K.

Splicing the second available network characteristics, the second time period, the requester MAC address and the server MAC address to generate a second splicing character string; and carrying out encryption processing on the second spliced character string to generate a secret key.

It should be noted that, the process of generating the key by the server based on the second concatenation string is the same as the method and process used when the requester generates the key based on the first string.

As can be seen from the above, the first available network feature RV1 of the requester is the same as the second available network feature RV2 of the service, the first time period P1 of the requester is the same as the second time period P2 of the service, the physical machine features are the same, and the method and process for generating the key are the same, so that the key generated by the service is the same as the key generated by the requester, and therefore the encrypted request sent by the requester can be correctly decrypted.

In the implementation process, after the service side generates the secret key, the service side decrypts the received encryption request so as to logically process the decrypted request.

It should be noted that, if multiple encryption requests are received at the same time, the corresponding target key may be determined based on the identifier of the encryption request, so as to correctly execute the decryption process.

It should be noted that, after the service side completes the decryption operation, the generated key may also be destroyed, so as to reduce the risk of leakage of the encrypted data caused by leakage of the key.

To further understand the interaction process between the requester and the service party, fig. 3 is a timing chart of interaction between the requester and the service party provided in this embodiment of the present application, as shown in fig. 3, the requester sends a dummy message to the service party before the actual request to be sent needs to be sent, the time for sending the dummy message is recorded as T1 (sending time) by the requester, the time for receiving the dummy message is recorded as T2 (receiving time) by the service party, the service party returns a dummy response message to the requester after receiving the dummy message, and the time for receiving the dummy response message is recorded as T3 (response time) by the requester.

After the server and the requester obtain the corresponding time information, the process of generating the key can be executed respectively, and the process of generating the key by both parties is referred to the above embodiments, which are not described herein again. After the requester generates the encryption key, the request to be sent can be encrypted, and the encryption request is sent to the service party. After receiving the encryption request, the service side decrypts the encryption request by using the decryption key to process the decrypted request and sends an actual response message to the request side, thereby completing the whole interaction process.

In the interaction process, the service side needs to return the result of processing the request to the request side, but when the service side processes the decrypted request, because all codes are not sequentially executed, if judgment or for circulation usually exists in the codes, for example, clients with previous loans less than eighteen years old can directly return in a certain if judgment statement; for adult clients this if statement is not triggered and the service performs more operations such as inserting data, querying data, calculating certain values, etc. Therefore, when the service side processes different request messages, the time spent is inconsistent, and in order to enable the request side to receive the processing result of the service side within a reasonable time range, the embodiment of the application enables the processing duration to be consistent through the following measures, so that the processing of the service is accelerated:

Measure 1: and limiting the waiting time of waiting operation in the code. In the process of actually executing the code, the service side often uses some basic software, such as a database (for example, mySQL, postgreSQL, oracle), a message queue (RabbitMQ, kafka, activeMQ), a cache (Redis, memcached, mongoDB), a log (Logstash, fluentd, graylog), a containerization and orchestration (Docker, kubernetes, dockerSwarm), and the like, and when the service side interacts with the basic software, a maximum response duration is set, and when the duration of calling a basic component exceeds the set maximum response duration in the process of processing a certain request, the basic software is defaultly called. It should be noted that, although the time for the base software to receive the request and return is generally in the millisecond level, the situation that the network fluctuation or the base software failure causes no response is not excluded, so that a certain preventive measure needs to be set to cope with the emergency.

Measure 2: and setting waiting time for processing faster messages. In order to mask out the large time difference caused by different request messages, the server side counts the time from each request message to the completion of executing the code logic. Wherein most of the processing time of the request is concentrated in a certain compact interval, for example: 50 ms-500 ms, and a very small number of requests would exceed this interval for a variety of reasons. Thus, 500 milliseconds may be taken as the processing time of the request, and the feedback is performed when the request with faster processing waits until 500 milliseconds.

It should be noted that the processing time of the service side does not affect the encryption and decryption processes of the message by the request side and the service side.

Fig. 4 is a schematic structural diagram of a key generating device according to an embodiment of the present application, as shown in fig. 4, where the device includes: a first generation module 401, a second generation module 402, and a third generation module 403; wherein,

a first generation module 401, configured to generate a corresponding dummy message according to a size of a message of a request to be sent; the fake message comprises first time attribute information; a second generation module 402, configured to generate a first real-time network feature based on the first time attribute information; the fake message comprises the sending time; a third generation module 403 is configured to generate a key according to the first real-time network feature.

On the basis of the above embodiment, the first time attribute information includes a transmission time; the third generating module 403 is specifically configured to: determining a first time period to which the fake message belongs according to the sending time; generating a key based on the first real-time network characteristic, the first time period, and the physical machine characteristic; the physical machine features are used to characterize the physical machines corresponding to the requesting party and/or the serving party.

On the basis of the above embodiment, the physical machine features include a requester MAC address and a server MAC address; the third generating module 403 is specifically configured to: generating a first available network feature based on the first real-time network feature and a preset sensitivity coefficient; the sensitivity coefficient is used for representing the initial network characteristics of the requesting party and the service party; splicing the first available network characteristics, the first time period, the requester MAC address and the server MAC address to generate a first splicing character string; and encrypting the first spliced character string to generate a secret key.

On the basis of the embodiment, the device further comprises an encryption module, which is used for encrypting the request to be sent by using the secret key and generating an encryption request; the encryption request is sent to the server so that the server processes the encryption request.

On the basis of the embodiment, the device further comprises a destroying module for destroying the secret key.

Fig. 5 is a schematic structural diagram of another key generating device according to an embodiment of the present application, as shown in fig. 5, where the device includes: a receiving module 501, a fourth generating module 502, and a fifth generating module 503; wherein,

a receiving module 501, configured to receive a dummy message sent by a requester; the false message is generated by a requester based on the size of the message of the request to be sent; the fake message comprises second time attribute information; a fourth generating module 502, configured to generate a second real-time network feature based on the second time attribute information; a fifth generating module 503 is configured to generate a key according to the second real-time network feature.

On the basis of the above embodiment, the second time attribute information includes a reception time; the fifth generating module 503 is specifically configured to: determining a second time period to which the fake message belongs according to the receiving time and the second real-time network characteristic; generating a key based on the second real-time network characteristic, the second time period, and the physical machine characteristic; the physical machine features are used to characterize the physical machines corresponding to the requesting party and/or the serving party.

On the basis of the above embodiment, the fifth generating module 503 is specifically configured to: obtaining a time difference value according to the receiving time and the second real-time network characteristic; and determining a second time period to which the fake message belongs based on the time difference value and a preset period threshold value.

On the basis of the above embodiment, the physical machine features include a requester MAC address and a server MAC address; the fifth generating module 503 is specifically configured to: generating a second available network feature based on the second real-time network feature and a preset sensitivity coefficient; the sensitivity coefficient is used for representing the initial network characteristics of the requesting party and the service party; splicing the second available network characteristics, the second time period, the requester MAC address and the server MAC address to generate a second splicing character string; and encrypting the second spliced character string to generate a secret key.

On the basis of the above embodiment, the apparatus further includes a decryption module, configured to receive an encryption request sent by the requester; and decrypting the encrypted request by using the key to obtain a decrypted request.

Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application, as shown in fig. 6, where the electronic device includes a processor (processor) 601, a memory (memory) 602, and a bus 603; wherein the processor 601 and the memory 602 perform communication with each other via the bus 603. The processor 601 is configured to invoke program instructions in the memory 602 to perform the methods provided by the method embodiments described above.

The processor 601 may be an integrated circuit chip having signal processing capabilities. The processor 601 may be a general-purpose processor, including a central processing unit (CentralProcessingUnit, CPU), a network processor (NetworkProcessor, NP), etc.; but may also be a Digital Signal Processor (DSP), application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. Which may implement or perform the various methods, steps, and logical blocks disclosed in embodiments of the present application. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.

The memory 602 may include, but is not limited to, random access memory (RandomAccessMemory, RAM), read-only memory (ReadOnlyMemory, ROM), programmable read-only memory (programmable read-OnlyMemory, PROM), erasable read-only memory (erasabableread-OnlyMemory, EPROM), electrically erasable read-only memory (electrically erasable programmable read-OnlyMemory, EEPROM), and the like.

The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the methods provided by the method embodiments described above.

The present embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the methods provided by the above-described method embodiments.

In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.

Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.

The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.

Claims

1. A key generation method, characterized in that the method is applied to a requesting party; the method comprises the following steps:

generating a corresponding false message according to the size of the message of the request to be sent; the fake message comprises first time attribute information;

generating a first real-time network feature based on the first time attribute information;

and generating a secret key according to the first real-time network characteristic.

2. The method of claim 1, wherein the first time attribute information comprises a transmission time; the generating a key according to the first real-time network feature includes:

Determining a first time period to which the fake message belongs according to the sending time;

generating a key based on the first real-time network characteristic, the first time period, and a physical machine characteristic; the physical machine features are used for characterizing the physical machine features corresponding to the requesting party and/or the service party.

3. The method of claim 2, wherein the physical machine characteristics include a requester MAC address and a server MAC address; the generating a key based on the first real-time network characteristic, the first time period, and a physical machine characteristic includes:

generating a first available network feature based on the first real-time network feature and a preset sensitivity coefficient; the sensitivity coefficient is used for representing initial network characteristics of the requesting party and the service party;

splicing the first available network feature, the first time period, the requester MAC address and the server MAC address to generate a first splicing character string;

and carrying out encryption processing on the first spliced character string to generate the secret key.

4. A method according to any of claims 1-3, characterized in that after generating a key from the first real-time network characteristics; the method further comprises the steps of:

Encrypting the request to be sent by using the key to generate an encryption request;

and sending the encryption request to the service side so that the service side processes the encryption request.

5. The method of claim 4, wherein after generating the encryption request, the method further comprises:

and destroying the secret key.

6. A key generation method, characterized in that the method is applied to a server; the method comprises the following steps:

receiving a false message sent by a requesting party; the false message is generated by the requester based on the message size of the request to be sent; the fake message comprises second time attribute information;

generating a second real-time network feature based on the second time attribute information;

and generating a secret key according to the second real-time network characteristics.

7. The method of claim 6, wherein the second time attribute information comprises a time of receipt; the generating a key according to the second real-time network feature includes:

determining a second time period to which the fake message belongs according to the receiving time and the second real-time network characteristic;

generating a key based on the second real-time network characteristic, the second time period, and a physical machine characteristic; the physical machine features are used for characterizing the features of the physical machines corresponding to the requesting party and/or the service party.

8. The method of claim 7, wherein said determining a second time period to which said dummy message belongs based on said time of receipt and said second real-time network characteristic comprises:

obtaining a time difference value according to the receiving time and the second real-time network characteristic;

and determining a second time period to which the fake message belongs based on the time difference value and a preset period threshold value.

9. The method of claim 7, wherein the physical machine characteristics include a requester MAC address and a server MAC address; the generating a key based on the second real-time network characteristic, the second time period, and a physical machine characteristic includes:

generating a second available network feature based on the second real-time network feature and a preset sensitivity coefficient; the sensitivity coefficient is used for representing initial network characteristics of the requesting party and the service party;

splicing the second available network feature, the second time period, the requester MAC address and the server MAC address to generate a second spliced character string;

and encrypting the second spliced character string to generate the secret key.

10. The method according to any one of claims 6-9, wherein the method further comprises:

Receiving an encryption request sent by the requester;

and decrypting the encrypted request by using the key to obtain a decrypted request.

11. A key generation apparatus, the apparatus comprising:

the first generation module is used for generating a corresponding false message according to the size of the message of the request to be sent; the fake message comprises first time attribute information;

a second generation module for generating a first real-time network feature based on the first time attribute information;

and the third generation module is used for generating a secret key according to the first real-time network characteristics.

12. A key generation apparatus, the apparatus comprising:

the receiving module is used for receiving the false message sent by the requesting party; the false message is generated by the requester based on the message size of the request to be sent; the fake message comprises second time attribute information;

a fourth generation module, configured to generate a second real-time network feature based on the second time attribute information;

and a fifth generation module, configured to generate a key according to the second real-time network feature.

13. An electronic device, comprising: a processor and a memory storing machine-readable instructions executable by the processor to perform the method of any one of claims 1 to 5 and 6 to 10 when executed by the processor.

14. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when run by a processor, performs the method according to any of claims 1 to 5 and 6 to 10.