WO2009155813A1 - Method for storing encrypted data in client and system thereof - Google Patents


Info

Publication number
WO2009155813A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
server
encrypted
password
data
Application number
PCT/CN2009/071883
Other languages
French (fr)
Chinese (zh)
Inventor
陈启祥
陈定佳
傅建兵
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司
Publication of WO2009155813A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Definitions

  • The present invention relates to the field of communication networks, and in particular to a method and system for storing encrypted data on a client.

Background of the invention

  • The client provides a "remember password" function for the login account.
  • When the user uses the "remember password" function at the first login, a remember password ticket corresponding to the login account and login password is saved on the client.
  • When the user logs in again on the same client, he only needs to provide the login account; the client directly reads the corresponding remember password ticket according to the login account and logs in to the account.
  • FIG. 1 is a flow chart of a prior-art method for saving encrypted data on a client. The method includes the following steps:
  • Step 101: The user enters a login account and a login password on the client login interface and selects the "remember password" function;
  • Step 102: According to the login account and login password provided by the user, the client saves either the plaintext of the login password or the password hash obtained by hashing it as the remember password ticket.
  • When the login account is input again, the client extracts the remember password ticket corresponding to the login account provided by the user and transmits the ticket to the server.
  • The server verifies whether the received ticket matches the login password information it has saved. If yes, the login password is considered correct and the user is allowed to log in directly; if no, a login password error message is returned and the client prompts the user to re-enter the login password.
  • The login password information saved by the server may be the plaintext of the login password or the password hash corresponding to that plaintext. If the server saves the plaintext, it first calculates the corresponding password hash from the plaintext and then verifies whether the calculated hash is the same as the received password hash; if the server saves the password hash, it directly verifies whether the stored hash is the same as the received one.
  • The above method saves the login password plaintext or password hash directly on the local client as the remember password ticket.
  • The technical problem to be solved by the present invention is to provide a method and system for storing encrypted data on a client that enhance the security of the stored encrypted data.
  • The present invention provides a method for storing encrypted data on a client, comprising: the server verifies the login password of the client and transmits to the client an encrypted object that includes the server's current time information; the client encrypts the encrypted object using the login password, generating encrypted data; the client saves the encrypted data generated from the verified login password and the corresponding encrypted object.
  • The present invention also provides a system for storing encrypted data on a client, including a client and a server. The client encrypts the encrypted object sent by the server using the login password, generates encrypted data, and stores the encrypted data generated from the login password verified by the server and the corresponding encrypted object; the server verifies the login password of the client and sends the client an encrypted object that includes the server-side current time information.
  • The present invention has the following advantages:
  • The encrypted data stored in the client is obtained by using the hash data derived from hashing the login password as the key and encrypting the encrypted object, including the current time, returned by the server.
  • Even if the encrypted data is acquired and the encryption algorithm is known, information about the encrypted object is difficult to obtain, so the possibility of recovering from the encrypted data alone the hash data related to the login password that serves as the key is very small, which ensures the security of the stored encrypted data.
  • Compared with the prior art, in which only the password hash is used as the ticket, this greatly enhances the security of storing encrypted data on the client.
  • The server returns an encrypted object including the current time, which is the time at which the client first saved the password. Even if another person can successfully log in using the encrypted data stored on the client, the server compares the first-save time in the encrypted object with the time of the login; when the interval between them is too large, the server notifies the client to refuse automatic login to the account and to prompt the user to re-enter the login password. Therefore, even if another person can log in using the encrypted data stored in the client, the account cannot be used for a long time, and automatic login for the account is cancelled after a certain period.

BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a flow chart of a prior-art method for storing encrypted data on a client;
  • FIG. 2 is a flow chart of a method for saving encrypted data on a client according to the present invention;
  • FIG. 3 is a flow chart of a first scheme for saving encrypted data on a client according to the present invention;
  • FIG. 4 is a flow chart of a second scheme for storing encrypted data on a client according to the present invention;
  • FIG. 5 is a flow chart of a third scheme for storing encrypted data on a client according to the present invention;
  • FIG. 6 is a flow chart of a method for storing encrypted data on a client according to an embodiment of the present invention;
  • FIG. 7 is a flow chart of a method for saving encrypted data on a client according to a first embodiment of the present invention;
  • FIG. 8 is a flow chart of implementing automatic login with the method of storing encrypted data on the client according to the first embodiment of the present invention;
  • FIG. 9 is a flow chart of a method for storing encrypted data on a client according to a second embodiment of the present invention;
  • FIG. 10 is a flow chart of implementing automatic login with the method of storing encrypted data on the client according to the second embodiment of the present invention;
  • FIG. 11 is a system diagram for storing encrypted data on a client according to the first embodiment of the present invention;
  • FIG. 12 is a system diagram for storing encrypted data on a client according to the second embodiment of the present invention.

Mode for carrying out the invention
  • FIG. 2 is a flow chart of a method for storing encrypted data on a client according to the present invention. As shown in FIG. 2, the method includes:
  • Step 21: The server verifies the login password of the client and sends the client an encrypted object including the server-side current time information.
  • Step 22: The client encrypts the encrypted object using the login password to generate encrypted data.
  • Step 23: The client saves the encrypted data generated from the verified login password and the corresponding encrypted object.
  • In the present invention the encrypted data saved by the client is generated from the login password and the corresponding encrypted object. Verification of the login password ensures the validity of the current client, and the encrypted object including the server-side time information is difficult for a third party to obtain, so the encrypted data is difficult to crack or falsify. Applying the present invention therefore enhances the security of storing encrypted data on the client.
  • FIG. 3 is a flow chart of a first scheme for saving encrypted data on a client according to the present invention. As shown in FIG. 3, the process includes:
  • Step 310: In response to the client's request, the server sends the client an encrypted object including the server-side current time information.
  • Step 320: The client encrypts the encrypted object with the login password, generates encrypted data, and sends the generated encrypted data to the server.
  • Step 330: The server verifies the encrypted data. If verification succeeds, the server sends an indication that the login password has been verified, and the client saves the encrypted data generated from the verified login password and the corresponding encrypted object.
  • FIG. 4 is a flow chart of a second scheme for storing encrypted data on a client according to the present invention. As shown in FIG. 4, the process includes:
  • Step 410: In response to the client's request, the server sends the client an encrypted object including the server-side current time information.
  • Step 420: The client sends login password information to the server and receives the verification result returned by the server.
  • The login password information in this step may be either the login password itself or a value computed from the login password by a function.
  • Step 430: The client encrypts the encrypted object with the login password that passed verification, generates encrypted data, and saves it.
  • FIG. 5 is a flow chart of a third scheme for storing encrypted data on a client according to the present invention. As shown in FIG. 5, the process includes:
  • Step 510: The client sends login password information to the server.
  • The login password information in this step is the same as that in step 420.
  • Step 520: The server returns the verification result and an encrypted object including the server-side current time to the client.
  • Step 530: The client encrypts the corresponding encrypted object with the verified login password, generates encrypted data, and saves it.
  • FIG. 6 is a flow chart of a method for storing encrypted data on a client according to an embodiment of the present invention.
  • Step 1111: The client sends the login password to the server and receives an encrypted object, returned by the server, that includes the current time.
  • Step 1112: The client hashes the login password at least once, generates hash data corresponding to the login password, and uses that hash data as the key to encrypt the encrypted object including the current time, generating encrypted data.
  • Step 1113: The client saves the encrypted data.
  • FIG. 7 is a flow chart of a method for storing encrypted data on a client according to the first embodiment of the present invention.
  • Step 201: The user inputs a login account and a login password on the client login interface and selects the "remember password" function;
  • Step 202: The client sends a login request including the user's login account and login password to the server, and receives an encrypted object returned by the server that includes the current time information.
  • The current time is the server-side time at which the user's login password is saved for the first time. For the same client, this time is unique.
  • Step 203: The client selects a hash algorithm, hashes the login password provided by the user at least once, and obtains hash data corresponding to the login password as the key.
  • The hash algorithm is a one-way function that takes the password plaintext and converts the character string representing it into hash data from which the original plaintext cannot be reconstructed, that is, the password hash.
  • The login password provided by the user may be hashed directly to generate the password hash as the key.
  • The present invention may also compute, from the password hash, hash data related to the password hash by means of a preset operation function f, and use that as the key.
  • The hash data associated with the password hash = f(password hash).
  • f is a preset operation function and can be set as needed.
  • f may be N further hashes of the password hash (N is an integer not less than 1; generally N is 2, 3 or 4), the resulting hash data being used as the key;
  • or the password hash is hashed N times and corresponding obfuscation data is then added to the result according to a preset rule to obtain new hash data as the key;
  • or corresponding obfuscation data is first added according to a preset rule and N hashes are then performed to obtain new hash data as the key.
  • Each hash may use the same hash algorithm, or different hash algorithms may be used, to increase the complexity of the hash data used as the key and make it harder to decipher.
  • Step 204: The client uses a preset encryption algorithm to encrypt the encrypted object with the hash data as the key, generating encrypted data that is stored in the client as the remember password ticket.
  • The encryption algorithm is a specific formula and set of rules specifying the transformation between plaintext and ciphertext. The commonly used Data Encryption Standard (DES) is taken as an example to illustrate encryption with an encryption algorithm.
  • DES (Data Encryption Standard)
  • DES is an algorithm for encrypting binary data and has three parameters: a key (Key), the data plaintext (Data), and a mode selection (Mode).
  • Key is 8 bytes, 64 bits in total, and is the working key of the DES algorithm;
  • Data is also 8 bytes, 64 bits, and is the data plaintext to be encrypted or decrypted;
  • Mode is the DES working mode: encrypt or decrypt.
  • In encryption mode, Data is encrypted with Key: the plaintext undergoes 16 rounds of iteration, product transformation, compression transformation and so on, producing 64 bits of encrypted data as the output of DES.
  • In decryption mode, the same key is used to decrypt the encrypted data, reproducing the plaintext.
  • In the present invention, the encrypted object is the data to be encrypted,
  • the hash data is used as the key,
  • and the mode is encryption.
  • The DES algorithm is used to encrypt the encrypted object, and the generated encrypted data is saved on the client as the remember password ticket.
  • The remember password ticket stored in the client is the encrypted object (including the current time returned by the server) encrypted with the hash data obtained by hashing the login password as the key.
  • Even if the remember password ticket is acquired and the encryption algorithm is known, information about the encrypted object is difficult to obtain, so the possibility of recovering from the ticket the hash data related to the login password that serves as the key is very small, which ensures the security of the remember password ticket on the client.
  • Compared with the prior art, in which only the password hash is used as the remember password ticket, this greatly enhances the security of the remember password ticket on the client side.
  • Where the key is hash data computed from the password hash by the preset function f, even if the remember password ticket is deciphered to obtain the encrypted object, the specific definition of the function f cannot be known, and it is also difficult to obtain the password plaintext by inverting the hash data.
  • The client in the embodiment of the present invention may be client software, a web application, a wireless application of a mobile terminal, or the like.
  • The method according to the embodiment of the present invention is applicable to fields such as instant messaging, mail and games.
  • FIG. 8 is a flow chart of implementing automatic login with the encrypted data stored on the client according to the first embodiment of the present invention.
  • Step 301: The user logs in again at the client; the client extracts the corresponding remember password ticket, that is, the encrypted data, according to the login account provided by the user, and sends the server an automatic login request that includes the remember password ticket and the login account;
  • Step 302: The server receives the automatic login request and extracts from its database the password hash data corresponding to the login account, to be used as the decryption key.
  • If in step 202 hash data obtained from the password hash by the function f was used as the key, then correspondingly in step 302 the password hash is processed with the operation function f preset in step 202 to generate the hash data used as the decryption key.
  • Step 303: The server decrypts the remember password ticket received from the client with the hash data. If decryption succeeds, the client's password is proven correct and the encrypted object is obtained; proceed to step 304. If decryption fails, proceed to step 306;
  • Step 304: The server checks the encrypted object obtained by decryption and determines whether the remember password ticket is valid. If it is valid, proceed to step 305; otherwise proceed to step 306;
  • The encrypted object is the server-side time at which the client first saved the user's login password information, referred to simply as the password save time.
  • Determining whether the remember password ticket is valid specifically includes the following steps:
  • Step 304a: Determine whether the password save time is later than the current time of the server. If yes, the remember password ticket is invalid; proceed to step 306. Otherwise proceed to step 304b;
  • Step 304b: Determine whether the interval between the password save time and the current time of the server exceeds the preset maximum allowable interval. If yes, the remember password ticket has been stored on the local client for a long time without login and has expired; proceed to step 306. Otherwise proceed to step 305;
  • The length of the maximum allowable interval can be set as needed, typically one month.
  • Step 305: The server notifies the client that the user is allowed to log in automatically, and the automatic login process ends.
  • Step 306: The server notifies the client to prompt the user to input the password again, and the automatic login process ends.
  • Because the method for saving encrypted data on the client in this embodiment uses the password save time as the encrypted object, even if another person successfully decrypts the encrypted data stored in the client or logs in with it, the server compares the password save time in the encrypted object with the current server time; when the interval between them is too large, the remember password ticket has been stored on the client for a long time without login, and the server notifies the client to refuse automatic login to the account and to prompt the user to re-enter the login password. So even if another person can successfully decrypt the data or log in using the encrypted data stored in the client, the account cannot be used for a long time, and automatic login for the account is cancelled after a certain period.
  • The encrypted object in the first embodiment may further include the time at which the server received a password save renewal request and the number of password save renewal requests the server has received, referred to respectively as the renewal time and the renewal count.
  • In step 201, when the user selects the "remember password" function, the method further includes setting a validity period for the "remember password" function.
  • The password is saved on the client for a certain period, the validity period, such as one week, one month, four months or one year.
  • The client prompts the user to select the "remember password" expiration date or automatically generates a default expiration date.
  • The validity period is the validity period of the current remember password ticket.
  • The client automatically performs a renewal operation for the "remember password" function by issuing a password save renewal request carrying the current remember password ticket.
  • After the server successfully decrypts the remember password ticket and obtains the encrypted object, it automatically updates the renewal time in the encrypted object to the current time, adds 1 to the renewal count, encrypts the newly generated encrypted object, and returns a new remember password ticket to the client. The client saves the new remember password ticket and sets a new expiration date for it.
  • When the user logs in at the client within three days or one week before the validity period of the remember password ticket expires, the client automatically performs the "remember password" renewal operation for the user. If the user does not log in at the client during this period, the remember password ticket expires after the expiration date and the client no longer keeps the user's remember password ticket; the next time the user logs in, the login account and login password must be entered again.
  • At each renewal the renewal time in the encrypted object is set to the time of that renewal, and the renewal count is increased by one. For example, a user logs in to an MSN account on January 1, 2008 at 13:33:45 and chooses the "remember password" function; assume the default validity period of the remember password ticket is one month.
  • The early-renewal window is one week before expiration, that is, some time after January 24, 2008. Assuming the user logs in at the client at 14:34:36 on January 25, 2008, the client automatically performs the renewal operation for the user.
  • In step 304, determining whether the remember password ticket is valid specifically includes the following steps:
  • Step 304A: Determine whether the password save time is later than the current time of the server. If yes, the remember password ticket is invalid; proceed to step 306. Otherwise proceed to step 304B;
  • Step 304B: Determine whether the interval between the password save time and the current time of the server exceeds the preset maximum allowable interval. If yes, the remember password ticket has been stored on the local client for a long time without login; proceed to step 304C. Otherwise proceed to step 305;
  • The length of the maximum allowable interval can be set as needed, typically one month.
  • Step 304C: When the renewal time is 0, or the interval between the renewal time and the current time is within the preset maximum allowable interval, the client is notified to perform the renewal operation; otherwise the renewal operation is not allowed, the remember password ticket is invalid, and the process proceeds to step 306;
  • Step 305: The server notifies the client that the user is allowed to log in automatically, and the automatic login process ends.
  • Step 306: The server notifies the client to prompt the user to input the password again, and the automatic login process ends.
  • In step 304C, when the server notifies the client to perform the renewal operation, the client sends the server a password save renewal request containing the current remember password ticket, and the server decrypts the remember password ticket to obtain the encrypted object.
  • The renewal time in the encrypted object is automatically updated to the current time, the renewal count is incremented by 1, the newly generated encrypted object is encrypted, and a new remember password ticket is returned to the client, which saves it. Therefore the renewal time differs for each updated remember password ticket: it is the time of the most recent renewal operation.
  • In step 304C, before the server notifies the client to perform the renewal operation, it may further determine whether the renewal count has exceeded a preset maximum number of allowed renewals. If yes, the renewal operation is no longer performed, and the server directly notifies the client to prompt the user to enter the password again.
  • The server may further determine the interval between the renewal time and the generation time. If the interval exceeds a preset maximum allowable interval, the renewal operation is no longer performed, and the server directly notifies the client to prompt the user to enter the password again.
  • When the encrypted object consists of the password save time, the renewal time and the renewal count, the server's verification is further strengthened and the security of the password is enhanced.
  • Even if the remember password ticket is deciphered and a login is achieved, the ticket cannot be used for too long unless it is renewed, which reduces the loss from password theft.
  • The encrypted object may further include a format version number, obfuscation data and other data to further increase the complexity of the encrypted object and enhance the security of the encrypted data storage.
  • The composition of the encrypted object can be set flexibly according to specific needs.
  • When the server verifies the remember password ticket and judges whether it is valid, as long as any one element of the encrypted object fails its verification condition, the server notifies the client to refuse automatic login and to prompt the user to input the login password again.
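The first-embodiment ticket (steps 203 and 204) and the server-side checks of steps 302 to 304C, as an added Go example that is not part of the patent or of any product it describes. It assumes AES-256-GCM in place of the DES the patent names, so that a wrong key makes decryption fail detectably in step 303, uses one extra SHA-256 round as the preset function f (N = 2), and leaves the maximum allowable interval as a parameter; the 16-byte object layout is this example's own choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// EncryptedObject: password save time and last renewal time (0 = never renewed).
type EncryptedObject struct {
	SaveTime, RenewTime int64
}

// KeyFromHash is the preset function f (one more SHA-256 round, N = 2). Server and
// client both apply it to the password hash, so both derive the same 32-byte key.
func KeyFromHash(passwordHash []byte) []byte {
	k := sha256.Sum256(passwordHash)
	return k[:]
}

// AES-256-GCM stands in for the patent's DES (an assumption of this example);
// its authentication tag is what makes "decryption fails" in step 303 detectable.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func Open(key, ticket []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(ticket) < g.NonceSize() {
		return nil, errors.New("ticket too short")
	}
	return g.Open(nil, ticket[:g.NonceSize()], ticket[g.NonceSize():], nil)
}

// MakeTicket is steps 203 and 204 on the client: hash the login password, apply
// f, and encrypt the server's object (two big-endian int64s) with that key.
func MakeTicket(password string, obj EncryptedObject) ([]byte, error) {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[0:], uint64(obj.SaveTime))
	binary.BigEndian.PutUint64(b[8:], uint64(obj.RenewTime))
	h := sha256.Sum256([]byte(password)) // password hash, step 203
	return Seal(KeyFromHash(h[:]), b)
}

type Decision int

const (
	Deny  Decision = iota // step 306: prompt for the password again
	Allow                 // step 305: automatic login
	Renew                 // step 304C: ticket too old, but renewal permitted
)

// Validate is the server side of steps 302 to 304C; maxInterval is the preset
// maximum allowable interval, typically one month.
func Validate(passwordHash, ticket []byte, now time.Time, maxInterval time.Duration) (Decision, EncryptedObject, error) {
	var obj EncryptedObject
	plain, err := Open(KeyFromHash(passwordHash), ticket)
	if err != nil { // step 303: wrong password hash or tampered ticket
		return Deny, obj, err
	}
	if len(plain) != 16 {
		return Deny, obj, errors.New("encrypted object has wrong length")
	}
	obj.SaveTime = int64(binary.BigEndian.Uint64(plain[0:]))
	obj.RenewTime = int64(binary.BigEndian.Uint64(plain[8:]))
	saved := time.Unix(obj.SaveTime, 0)
	if saved.After(now) { // 304A: a save time later than server time is invalid
		return Deny, obj, nil
	}
	if now.Sub(saved) <= maxInterval { // 304B: still within the window
		return Allow, obj, nil
	}
	// 304C: never renewed, or the last renewal is itself within the window
	if obj.RenewTime == 0 || now.Sub(time.Unix(obj.RenewTime, 0)) <= maxInterval {
		return Renew, obj, nil
	}
	return Deny, obj, nil
}
```

The server only ever holds the password hash from its database, so the key agreement between the two sides rests entirely on both applying the same f; a mismatch surfaces as a decryption error rather than as a wrong time value.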
  • the second embodiment of the present invention is different from the first embodiment in that: after encrypting the encrypted object by using the hash data, the password data obtained by the first encryption is secondarily encrypted by using the local information of the client, thereby Generate a remember password ticket, save it on the client, further increase the complexity of remembering the password ticket, and improve the security of saving encrypted data on the client.
  • FIG. 9 a flowchart of a method for saving encrypted data on a client according to a second embodiment of the present invention is shown.
  • Step 401 The user inputs a login account and a login password on the client login interface, and selects the "remember password” function;
  • Step 402 The client sends a login request including a user login account and a login password to the server, and receives an encrypted object that is returned by the server and includes the current time.
  • Step 403 The client selects a hash algorithm, hashes the login password provided by the user, and obtains hash data corresponding to the login password as a key.
  • Step 404 The client uses a preset encryption algorithm, uses the hash data as a key, encrypts the encrypted object once, obtains an encrypted data, and then uses the client local information as a key, The primary encrypted data is subjected to secondary encryption to obtain secondary encrypted data, which is stored as a remember password ticket and stored in the client.
  • the client local information may be machine information inherent to the local client itself, or may be local network related information or locally generated data.
  • the machine information inherent to the client itself may be the physical (MAC) of the client network card. Address, serial number of the first hard disk of the client, etc.
  • the local network related information may be a client's IP address, a gateway address, a subnet mask, and the like.
  • the locally randomly generated data may be data randomly generated by a local client, and used in conjunction with the inherent machine information or local network related information of the client according to a preset rule, which is used to enhance the key. Complexity, to enhance the difficulty of being deciphered.
  • Client local information is used as the key to make the key harder to recover.
  • The client selects the relevant pieces of information at random, composes the key from them according to certain rules, and encrypts the encrypted object with it. It is hard for others to obtain this key by technical means, so even if the encryption algorithm is known it remains hard to decrypt the encrypted object and steal the password.
  • Using the client's own machine information as the client local information has the advantage that this information is fixed and can be hidden by the administrator so that outsiders cannot learn it, further improving the security of password storage.
  • Local-network information may be fixed or may change arbitrarily. For example, if the local network assigns IP addresses automatically, the client's IP address may differ each time, which further improves the security of password storage (a ticket encrypted under a previous address can then no longer be decrypted on that client, so the user is simply asked for the password again).
  • The two encryptions of the encrypted object may use the same encryption algorithm, or a different algorithm may be used for each layer, further improving the security of password storage.
  • The method for storing encrypted data on the client thus uses client local information as the key to encrypt the encrypted data a second time, and saves the result on the client as the remember-password ticket.
  • The client local information used as the secondary encryption key may be composed, according to the needs of the client, from the local client's own machine information, local-network-related information and locally generated random data, combined at random under a preset rule, which increases the secrecy of the key.
  • Even if someone knows the encryption algorithm, they cannot learn which components make up the key or how it is defined, so it is hard to obtain the key and break the password; the method for storing encrypted data on the client therefore offers high security.
  • FIG. 10 is a flow chart of automatic login using the method for storing encrypted data on a client according to the second embodiment of the present invention.
  • Step 501: The user logs in again at the client. From the login account supplied by the user, the client retrieves the corresponding remember-password ticket locally, decrypts it with the client local information to obtain the primary encrypted data, and sends the server an automatic login request containing the primary encrypted data and the login account;
  • The client decrypts the remember-password ticket with the algorithm corresponding to the secondary encryption algorithm of step 404.
  • Step 502: The server receives the automatic login request and retrieves from its database the password hash data corresponding to the login account as the key.
  • If in step 402 the key was hash data computed from the password hash by the function f, then correspondingly in step 502 the server applies the preset function f of step 402 to the password hash to generate the hash data used as the decryption key.
  • Step 503: The server decrypts the encrypted data received from the client with the hash data. If decryption succeeds, the client's password is shown to be correct and the encrypted object is obtained; proceed to step 504. If decryption fails, proceed to step 506;
  • The server decrypts the primary encrypted data with the algorithm corresponding to the primary (first) encryption algorithm of step 404.
  • Step 504: The server examines the decrypted encrypted object to determine whether the remember-password ticket is still valid. If it is, proceed to step 505; otherwise proceed to step 506;
  • The encrypted object holds the server-side time at which the client first saved the user's login password, referred to for short as the password storage time.
  • The specific procedure for determining whether the ticket is valid is the same as step 304 of the first embodiment of the present invention.
  • Step 505: The server tells the client that the user may log in automatically, and the automatic login flow ends.
  • Step 506: The server tells the client to prompt the user to enter the password again, and the automatic login flow ends.
  • In the second embodiment the encrypted object may further include a renewal time and a number of renewals; the server verifies the renewal time and the number of renewals in the same way as in the first embodiment.
  • The encrypted object returned by the server may further include a format version number, obfuscation data and other data, to increase the complexity of generating the remember-password ticket.
  • The present invention also provides a system for storing encrypted data on a client.
  • FIG. 11 is a system diagram of a system for storing encrypted data on a client according to the first embodiment of the present invention.
  • The system includes a client 61 and a server 62. The client 61 includes an encrypted object receiving module 610, configured to receive the encrypted object, which includes the current time, returned by the server.
  • A login password hashing module 611, configured to hash the login password at least once to generate hash data.
  • A hash data encryption module 612, configured to encrypt, with a preset encryption algorithm, the encrypted object received by the encrypted object receiving module 610, using the hash data generated by the login password hashing module 611 as the key.
  • The generated encrypted data is sent to the storage module 613 as the remember-password ticket.
  • A storage module 613, configured to save the remember-password ticket, i.e. the encrypted data, sent by the hash data encryption module 612.
  • The login password hashing module 611 may hash the user-supplied login password directly and use the resulting password hash as the key, or it may apply the preset arithmetic function f to the password hash and use the resulting hash data, related to the password hash, as the key.
  • Even if someone knows the hash algorithm, they cannot know how f is defined, so it is hard to obtain the key and break the password.
  • The remember-password ticket held in the storage module 613 is obtained by using hash data derived from the login password as the key and encrypting the encrypted object, containing the current time, returned by the server.
  • If the ticket is obtained by someone else, then even if the encryption algorithm is known, it is hard to obtain information about the object that was encrypted, so the chance of recovering from the ticket alone the password-related hash data used as the key is very small, which protects the stored password.
  • Compared with the prior art, which uses only the password hash as the remember-password ticket, this greatly improves the security of encrypted data stored on the client.
  • FIG. 12 is a system diagram of a system for storing encrypted data on a client according to the second embodiment of the present invention.
  • The system of the second embodiment differs from that of the first embodiment in that the client further includes a local information encryption module 614.
  • The local information encryption module 614 is configured to encrypt, with a preset encryption algorithm and the client local information as the key, the encrypted data output by the hash data encryption module 612, generating the remember-password ticket, which it sends to the storage module 613.
  • The storage module 613 is configured to save the remember-password ticket sent by the local information encryption module 614.
  • The client local information may be machine information inherent to the local client itself, local-network-related information, or locally generated data.
  • The local information encryption module 614 uses the client local information as the key. That information may be composed, according to the needs of the client, from the local client's own machine information, local-network-related information and locally generated random data, combined at random under a preset rule, which increases the secrecy of the key.
  • Even if someone knows the encryption algorithm, they cannot learn which components make up the key or how it is defined, so it is hard to obtain the key and break the password; the system for storing encrypted data on the client therefore offers high security.
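The following is an added example, not code from the patent, that walks the second embodiment end to end: the two encryption layers of step 404 on the client (modules 611, 612 and 614), the client's step 501, and the server's steps 502 to 506 on auto-login; the first embodiment is the same flow without the local-information layer. Everything below that the text does not fix is an assumption of the example: SHA-256 as the hash, a fixed obfuscation constant inside f, a 17-byte encrypted object made of a version byte, a 64-bit password storage time and random filler, a 30-day validity window (the text only says the interval must not be "too large"), and constructed MAC and disk-serial values. The "preset encryption algorithm" is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) rather than the DES the text uses as its example, for a practical reason: a raw block cipher never "fails" to decrypt, it returns garbage under a wrong key, so the server needs a tag or redundancy in the plaintext before "decryption failed" in step 503 means anything.

```python
"""Added example, not code from the patent: two-layer remember-password ticket
(step 404) and the server-side auto-login check (steps 502-506)."""
import hashlib
import hmac
import os
import struct

FORMAT_VERSION = 1
OBFUSCATION = b"\x5a\xa5\x0f\xf0"       # assumed obfuscation data mixed in by f
MAX_TICKET_AGE = 30 * 24 * 3600         # assumed window; text only says "too large"
OBJ_FORMAT = ">BQ8s"                    # assumed layout: version, time, random filler


def password_hash(password: str) -> bytes:
    """Password hash held by the server and recomputable by the client."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def f(pw_hash: bytes, rounds: int = 3) -> bytes:
    """Preset function f: N further hash rounds with obfuscation data inserted
    by a fixed rule (prepended each round). Client and server must share it."""
    h = pw_hash
    for _ in range(rounds):
        h = hashlib.sha256(OBFUSCATION + h).digest()
    return h


def local_info_key(mac: bytes, disk_serial: bytes, local_random: bytes) -> bytes:
    """Second-layer key composed from client-local information by a preset rule."""
    return hashlib.sha256(b"|".join((mac, disk_serial, local_random))).digest()


# Stand-in for the "preset encryption algorithm" (DES in the text): HMAC-SHA256
# keystream in counter mode, then an HMAC tag (encrypt-then-MAC) so that a wrong
# key is detected explicitly instead of yielding garbage plaintext.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Plaintext, or None when the key is wrong or the blob has been altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_encrypted_object(server_now: int) -> bytes:
    """Server: the encrypted object carrying the password storage time."""
    return struct.pack(OBJ_FORMAT, FORMAT_VERSION, server_now, os.urandom(8))


def client_make_ticket(password: str, enc_obj: bytes, local: tuple) -> bytes:
    """Step 404: first layer under f(hash(password)), second under the local key."""
    primary = encrypt(f(password_hash(password)), enc_obj)
    return encrypt(local_info_key(*local), primary)


def client_auto_login_request(account: str, ticket: bytes, local: tuple) -> dict:
    """Step 501: strip the local layer and send the primary encrypted data."""
    return {"account": account, "data": decrypt(local_info_key(*local), ticket)}


def server_check_auto_login(request: dict, user_db: dict, server_now: int) -> str:
    """Steps 502-506; user_db maps account -> stored password hash."""
    pw_hash = user_db.get(request["account"])
    if pw_hash is None or request["data"] is None:
        return "REENTER_PASSWORD"
    obj = decrypt(f(pw_hash), request["data"])                 # step 503
    if obj is None or len(obj) != struct.calcsize(OBJ_FORMAT):
        return "REENTER_PASSWORD"                               # decryption failed: 506
    version, saved_at, _ = struct.unpack(OBJ_FORMAT, obj)       # step 504
    if version != FORMAT_VERSION or not 0 <= server_now - saved_at <= MAX_TICKET_AGE:
        return "REENTER_PASSWORD"                               # ticket expired: 506
    return "AUTO_LOGIN_OK"                                      # step 505


def demo() -> dict:
    """Constructed machines and a fixed clock; returns the outcome of each case."""
    now, db = 1_700_000_000, {"alice": password_hash("correct horse")}
    this_pc = (b"00:11:22:33:44:55", b"WD-WX11A", os.urandom(16))   # constructed
    other_pc = (b"66:77:88:99:aa:bb", b"ST1000", os.urandom(16))    # constructed
    ticket = client_make_ticket("correct horse", make_encrypted_object(now), this_pc)
    req = lambda pc: client_auto_login_request("alice", ticket, pc)
    results = {
        "same_machine": server_check_auto_login(req(this_pc), db, now + 3600),
        "other_machine": server_check_auto_login(req(other_pc), db, now + 3600),
        "expired": server_check_auto_login(req(this_pc), db, now + MAX_TICKET_AGE + 1),
    }
    db["alice"] = password_hash("new password")       # password changed on the server
    results["password_changed"] = server_check_auto_login(req(this_pc), db, now + 3600)
    return results
```

`demo()` exercises the four outcomes the flow distinguishes: the same machine inside the window is logged in automatically; a copy of the ticket carried to another machine cannot even be opened, because the local-information layer fails before anything reaches the server; an expired ticket and a ticket made under a password that has since been changed on the server are both answered with a prompt to re-enter the password (step 506). Note that the server holds only the password hash and derives the key by re-applying f, which is why f must be a fixed rule on both sides rather than anything that depends on client state.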

Abstract

A method for storing encrypted data in client is provided by the present invention. The following steps are included in the method: a server authenticates a login password from a client, and transmits an encryption object with the current time of the server side to the client; the client encrypts the login password and the encryption object to generate encrypted data; the client stores the encrypted data generated by the validated login password and the corresponding encryption object. A system for storing encrypted data in client is also provided by the present invention. The method and system for storing encrypted data in client provided by the present invention enhance the security of storing encrypted data in client.

Description

Method and system for storing encrypted data on a client

Technical field

The present invention relates to the field of communication networks, and in particular to a method and system for storing encrypted data on a client.

Background of the invention
In general, when a user at a client uses server-provided software or an application that requires authorization, the user is normally required to enter the corresponding login account and login password, to keep unauthorized users out. To make logging in more convenient, the client offers a "remember password" function for the login account. When the user selects "remember password" at first login, a remember-password ticket corresponding to the login account and login password is saved on the client. When the user logs in again on the same client, only the login account needs to be supplied; the client reads out the remember-password ticket corresponding to that account and logs in to the account.
Referring to FIG. 1, a flow chart of a prior-art method for storing encrypted data on a client. The method includes the following steps:

Step 101: The user enters a login account and login password on a client login screen and selects the "remember password" function;

Step 102: From the login account and login password supplied by the user, the client takes either the plaintext of the login password or the password hash obtained by hashing that plaintext as the remember-password ticket, and saves it.
When the user logs in again at the client, the user enters the login account; the client looks up the remember-password ticket corresponding to that login account and passes it to the server.

The server checks whether the received remember-password ticket matches the login password information it holds. If so, the login password is considered correct and the user is allowed to log in directly; if not, the server returns a login-password error and the client prompts the user to re-enter the login password.

The login password information held by the server may be the plaintext of the login password or the password hash corresponding to that plaintext. If the server stores the plaintext, it first computes the corresponding password hash from the plaintext and then checks whether the computed hash equals the received hash; if the server stores the password hash, it directly compares its stored hash with the received one.
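As an added example (not from the patent), the prior-art flow of steps 101 and 102 and the server-side comparison just described, in runnable form, together with what they cost: the ticket is an unsalted hash that the server merely compares, so a ticket copied from the client is accepted as-is and never expires, and a table of hash results built from a word list inverts it with a single lookup. MD5 as the hash, the word list and the mangling rules are constructed for the illustration.

```python
"""Added example, not code from the patent: the prior-art ticket of step 102
(an unsalted password hash) and the attacks the background section describes."""
import hashlib

# Constructed word list standing in for a precomputed hash-result database.
BASE_WORDS = ["password", "qwerty", "letmein", "dragon", "sunshine"]
SUFFIXES = ["", "1", "123", "2008"]


def legacy_ticket(password: str) -> str:
    """Step 102, prior art: the ticket is just an unsalted hash (MD5 assumed)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_server_check(ticket: str, stored_hash: str) -> bool:
    """Prior art: the server only compares the ticket with its stored hash, so a
    ticket copied from the client is accepted as-is and never expires."""
    return ticket == stored_hash


def candidates(words):
    """Simple mangling rules of the kind a hash-result table is built from."""
    for w in words:
        for form in (w, w.capitalize(), w.upper()):
            for suffix in SUFFIXES:
                yield form + suffix


def build_lookup_table(words) -> dict:
    """hash -> plaintext, computed once and reused against every stolen ticket."""
    return {legacy_ticket(c): c for c in candidates(words)}


def recover_password(ticket: str, table: dict):
    """Inverting the ticket is a single lookup when the hash is unsalted."""
    return table.get(ticket)


def demo() -> dict:
    table = build_lookup_table(BASE_WORDS)
    stolen = legacy_ticket("Dragon123")          # ticket copied from a shared PC
    return {
        "table_size": len(table),
        "replay_accepted": legacy_server_check(stolen, legacy_ticket("Dragon123")),
        "recovered": recover_password(stolen, table),
        "unlisted": recover_password(legacy_ticket("correct horse battery"), table),
    }
```

The lookup only fails for a password that is not in the table; nothing in the ticket itself slows the attacker down, because there is no per-user salt and no secret the attacker lacks. Both properties are what the invention's ticket changes: the stored value is a ciphertext of server-supplied data rather than a function of the password alone, and the server checks the time inside it.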
The above method for keeping a remember-password ticket on the client saves the plaintext login password or the password hash directly on the local client as the ticket.

This is clearly very unsafe. If a user selects "remember password" on a client in a public place and forgets to turn the function off, the generated remember-password ticket remains on that client and is easily obtained by others. When the ticket is the plaintext login password, the password is stolen directly; when the ticket is a password hash, anyone who knows how the hash is computed can look the plaintext up in a database of hash results, and the login password is stolen just the same.

Summary of the invention
The technical problem addressed by the present invention is to provide a method and system for storing encrypted data on a client, so as to improve the security of encrypted data stored on the client.

To solve this problem, the present invention provides a method for storing encrypted data on a client, the method comprising: the server verifies the client's login password and sends the client an encrypted object that includes the server-side current time; the client encrypts using the login password and the encrypted object, generating encrypted data; the client saves the encrypted data generated from the verified login password and the corresponding encrypted object.

The present invention also provides a system for storing encrypted data on a client, comprising a client and a server. The client encrypts using the login password and the encrypted object sent by the server to generate encrypted data, and saves the encrypted data generated from the login password verified by the server and the corresponding encrypted object. The server verifies the client's login password and sends the client an encrypted object that includes the server-side current time.
Compared with the prior art, the present invention has the following advantages:

With the method of the embodiments of the present invention, the encrypted data saved on the client is obtained by using hash data derived from the login password as the key and encrypting the encrypted object, containing the current time, returned by the server. When the encrypted data is obtained by someone else, then even if the encryption algorithm is known, it is hard to obtain information about the object that was encrypted, so the chance of recovering from the encrypted data alone the password-related hash data used as the key is very small, which protects the stored encrypted data. Compared with the prior art, which uses just the password hash as the remember-password ticket, this greatly improves the security of encrypted data stored on the client.

Also, in the method of the embodiments, the encrypted object returned by the server includes the current time, which is the time at which the password was first saved on that client. Even if someone else manages to log in with the encrypted data saved on the client, the server compares the first-save time in the encrypted object with the time of this login; when the interval between them is too large, the server tells the client to refuse automatic login for the account and to prompt the user to re-enter the login password. So even if someone else can log in using the encrypted data stored on the client, they cannot use the account indefinitely: after a set period, automatic login for the account is cancelled automatically.

Brief description of the drawings
FIG. 1 is a flow chart of a prior-art method for storing encrypted data on a client;
FIG. 2 is a flow chart of the method for storing encrypted data on a client provided by the present invention;
FIG. 3 is a flow chart of the first scheme of the method for storing encrypted data on a client provided by the present invention;
FIG. 4 is a flow chart of the second scheme of the method for storing encrypted data on a client provided by the present invention;
FIG. 5 is a flow chart of the third scheme of the method for storing encrypted data on a client provided by the present invention;
FIG. 6 is a flow chart of the method for storing encrypted data on a client according to an embodiment of the present invention;
FIG. 7 is a flow chart of the method for storing encrypted data on a client according to the first embodiment of the present invention;
FIG. 8 is a flow chart of automatic login using the method for storing encrypted data on a client according to the first embodiment of the present invention;
FIG. 9 is a flow chart of the method for storing encrypted data on a client according to the second embodiment of the present invention;
FIG. 10 is a flow chart of automatic login using the method for storing encrypted data on a client according to the second embodiment of the present invention;
FIG. 11 is a system diagram of the system for storing encrypted data on a client according to the first embodiment of the present invention;
FIG. 12 is a system diagram of the system for storing encrypted data on a client according to the second embodiment of the present invention.

Detailed description of the invention
To make the above objects, features and advantages of the present invention clearer and easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.

FIG. 2 is a flow chart of the method for storing encrypted data on a client provided by the present invention. As shown in FIG. 2, the method includes:

Step 21: The server verifies the client's login password and sends the client an encrypted object that includes the server-side current time.

Step 22: The client encrypts using the login password and the encrypted object, generating encrypted data.

Step 23: The client saves the encrypted data generated from the verified login password and the corresponding encrypted object.

Because the encrypted data saved by the client in the present invention is generated from a verified login password and the corresponding encrypted object, where verification of the login password guarantees the legitimacy of the current client and the encrypted object containing server-side time information is hard for a third party to obtain, the encrypted data is hard to crack or tamper with; applying the invention therefore improves the security of encrypted data stored on the client.

As for the specific technical details, namely how exactly the client's login password is verified, what the encrypted object contains besides the server-side current time, and the order in which the login password is verified and the encrypted object returned, many schemes are possible and none of them limits the invention. The corresponding schemes are illustrated by example below.

Referring to FIG. 3, a flow chart of the first scheme of the method for storing encrypted data on a client provided by the present invention. As shown in FIG. 3, the flow includes:
Step 310: At the client's request, the server sends the client an encrypted object that includes the server-side current time.

Step 320: The client encrypts using the login password and the encrypted object, generates encrypted data, and sends the generated encrypted data to the server.

Step 330: The server verifies the encrypted data. If verification passes, it sends the client an indication that the login password has been verified, and the client saves the encrypted data generated from the verified login password and the corresponding encrypted object.
Referring to FIG. 4, a flow chart of the second scheme of the method for storing encrypted data on a client provided by the present invention. As shown in FIG. 4, the flow includes:

Step 410: At the client's request, the server sends the client an encrypted object that includes the server-side current time.

Step 420: The client sends login password information to the server and receives the verification result returned by the server.

The login password information in this step may be the login password itself, or related information such as a function of the login password.

Step 430: The client encrypts using the verified login password and the encrypted object, generates encrypted data, and saves it.
Referring to FIG. 5, a flow chart of the third scheme of the method for storing encrypted data on a client provided by the present invention. As shown in FIG. 5, the flow includes:

Step 510: The client sends login password information to the server.

The login password information in this step is the same as in step 420.

Step 520: The server returns to the client the verification result and an encrypted object that includes the server-side current time.

Step 530: The client encrypts using the verified login password and the corresponding encrypted object, generates encrypted data, and saves it.
Taking the third scheme as an example, the possible technical details of the present invention are described below.

Referring to FIG. 6, a flow chart of the method for storing encrypted data on a client according to an embodiment of the present invention.

Step 1111: The client sends the login password to the server and receives from the server an encrypted object that includes the current time;

Step 1112: The client hashes the login password at least once to generate hash data corresponding to the login password, and uses it as the key to encrypt the encrypted object that includes the current time, generating encrypted data;

Step 1113: The client saves the encrypted data.
Referring to FIG. 7, a flow chart of the method for storing encrypted data on a client according to the first embodiment of the present invention.

Step 201: The user enters a login account and login password on the client login screen and selects the "remember password" function;

Step 202: The client sends the server a login request that includes the user's login account and login password, and receives from the server an encrypted object that contains current-time information;

The current time is the server-side time at which the user first saved this login password on this client. For a given client, this time is unique.
Step 203: The client selects a hash algorithm, hashes the user-supplied login password at least once, and takes the resulting hash data, which corresponds to the login password, as the key;

The hash algorithm is a one-way function: it takes the plaintext password and converts the string representing it into hash data from which the original plaintext cannot be reconstructed, i.e. the password hash.

In the method of this embodiment, the user-supplied login password may be hashed directly to generate a password hash, which is used as the key.

To further protect the stored login password, the invention may also apply a preset arithmetic function f to the password hash to obtain hash data related to the password hash, which is then used as the key:

    hash data related to the password hash = f(password hash)

f is a preset function and can be set as required. f may hash the password hash a further N times (N an integer not less than 1; N is usually chosen as 2, 3 or 4) and take the result as the key; or it may hash the password hash N times and then insert the corresponding obfuscation data into the result according to a preset rule, taking the new hash data as the key; or it may first insert obfuscation data into the password hash according to a preset rule and then hash N times, taking the new hash data as the key.

Within f, to strengthen security further, the N hash rounds may all use the same hash algorithm or may use different hash algorithms, to increase the complexity of the hash data used as the key and make it harder to break.
Step 204: Using a preset encryption algorithm with the hash data as the key, the client encrypts the encrypted object, generating encrypted data, which is saved on the client as the remember-password ticket.

An encryption algorithm is a set of specific formulas and rules that define the transformation between plaintext and ciphertext. The commonly used Data Encryption Standard (DES) algorithm is taken as an example to describe encryption with an encryption algorithm.

DES is an algorithm for encrypting binary data with three parameters: a key (Key), data plaintext (Data) and a mode selection (Mode). Key is 8 bytes, 64 bits in total, and is the working key of the DES algorithm (of these 64 bits, 8 are parity bits, so the effective key length is 56 bits); Data is also 8 bytes, 64 bits, and is the data to be encrypted or decrypted; Mode is the DES working mode, encryption or decryption.

When Mode is encryption, Data is encrypted with Key: the plaintext goes through 16 rounds of iteration, product transformation, compression transformation and other coding steps, and the resulting 64-bit encrypted Data is the DES output. In decryption, the same Key is used to decrypt the ciphertext, recovering the plaintext in clear form.

In the method of this embodiment, the encrypted object is the Data to be encrypted, the hash data is used as Key, and Mode is encryption. The encrypted object is encrypted with the DES algorithm, and the resulting encrypted data is saved on the client as the remember-password ticket. The text does not say how hash data longer than 8 bytes is reduced to the 8-byte DES key, or which block mode is used when the encrypted object is longer than one 64-bit block; client and server must agree on both.
釆用本发明实施例所述方法, 保存在客户端的记住密码票据, 即加 密数据, 是釆用对登录密码散列得到的散列数据作为密钥, 对服务器返 回的包括当前时间的加密对象加密得到的。 当所述记住密码票据被获 取, 即使知道釆用的加密算法, 由于很难获得关于被加密对象的信息, 因此, 仅仅根据所述记住密码票据来获得作为密钥的与登录密码相关的 散列数据信息的可能性非常小, 保障在客户端保存记住密码票据的安全 性。 相较于现有技术中仅仅使用密码散列作为记住密码票据, 大大增强 了在客户端保存记住密码票据安全性。 Using the method described in the embodiment of the present invention, the remember password ticket stored in the client, that is, the encrypted data, is the encrypted object including the current time returned by the server using the hash data obtained by hashing the login password as a key. Encrypted. When the remember password ticket is acquired, even if it is known that the encryption algorithm is used, since it is difficult to obtain information about the encrypted object, the login password is obtained only as a key according to the remember password ticket. The possibility of hashing data information is very small, ensuring the security of remembering password tickets on the client. Compared with the prior art, only the cryptographic hash is used as the remember password ticket, which greatly enhances the security of remembering the password ticket on the client side.
本发明实施例所述方法中, 所述作为密钥的散列数据可以通过预先 设定的函数 f对密码散列进行计算得到,即使所述记住密码票据被破译, 得到加密对象, 但是由于无法获悉函数 f的具体定义方式, 也很难通过 反查散列数据获得密码明文。  In the method of the embodiment of the present invention, the hash data as a key may be calculated by using a preset function f to calculate a cryptographic hash, even if the remember password ticket is deciphered to obtain an encrypted object, It is impossible to know the specific definition of the function f, and it is also difficult to obtain the password plaintext by back-checking the hash data.
The client in this embodiment may be client software, a web page application, a wireless application on a mobile terminal, or the like. The method of this embodiment is applicable to fields such as instant messaging, e-mail and games.
Referring to Figure 8, a flowchart of implementing automatic login with the method for saving encrypted data at the client according to the first embodiment of the present invention.
Step 301: The user logs in again at the client. According to the login account provided by the user, the client extracts the corresponding remember-password ticket, that is, the encrypted data, from local storage and sends an automatic login request containing the remember-password ticket and the login account to the server;
Step 302: The server receives the automatic login request information and extracts the password hash data corresponding to the login account from the database to serve as the decryption key;
If in step 202 the key was the hash data computed from the password hash by the function f, then correspondingly, in step 302, the server computes the preset function f described in step 202 over the password hash to generate the hash data, which serves as the decryption key;
Step 303: The server decrypts the remember-password ticket received from the client using the hash data. If decryption succeeds, the client's password is proven correct, the encryption object is obtained, and the process proceeds to step 304; if decryption fails, proceed to step 306;
The server decrypts the remember-password ticket using the same encryption algorithm as in step 204.
Step 304: The server checks the encryption object obtained by decryption and determines whether the remember-password ticket is valid. If the remember-password ticket is valid, proceed to step 305; otherwise, proceed to step 306;
The encryption object is the server-side time at which the client first saved the information related to the user's login password, referred to for short as the password save time.
Determining whether the remember-password ticket is valid specifically includes the following steps.
Step 304a: Determine whether the password save time is later than the server's current time. If so, the remember-password ticket is invalid; proceed to step 306. Otherwise, proceed to step 304b;
Step 304b: Determine whether the interval between the password save time and the server's current time exceeds the preset maximum allowed interval. If so, the remember-password ticket has been kept at the local client for a long time without a login and has expired; proceed to step 306. Otherwise, proceed to step 305;
The length of the maximum allowed interval can be set as needed; it is typically one month.
Step 305: The server notifies the client that the user is allowed to log in automatically, and the automatic login process ends.
Step 306: The server notifies the client to prompt the user to enter the password again, and the automatic login process ends.
As the automatic login process above shows, the method for saving encrypted data at the client according to this embodiment uses the password save time as the encryption object. Even if someone else succeeds in decrypting the ticket or in logging in with the encrypted data saved at the client, the server compares the password save time in the encryption object with the server's current time; when the interval between the two is too large, this indicates that the remember-password ticket has been kept at the client for a long time without a login, and the server notifies the client to refuse automatic login for that account and to prompt the user to re-enter the login password. Therefore, even if someone else succeeds in decrypting the ticket or in logging in with the encrypted data saved at the client, the account cannot be used for long: within a certain period, the automatic login function of the account is cancelled automatically.
To further enhance the security of password saving, the encryption object in the first embodiment may further include the time at which the server received a password-save renewal request and the number of password-save renewal requests the server has received, referred to for short as the renewal time and the renewal count.
In step 201, when the user selects the "remember password" function, the method further includes setting the validity period of the "remember password" function.
Generally, a password is saved at the client for a certain period, the validity period, such as one week, one month, four months or one year. When the user selects the "remember password" function, the client prompts the user to choose the validity period of "remember password" or generates a default validity period automatically. This validity period is the validity period of the current remember-password ticket.
Within the validity period of the remember-password ticket, when the user logs in at the local client, the client automatically performs a renewal operation for the "remember password" function: the client sends a password-save renewal request containing the current remember-password ticket to the server; after the server has successfully decrypted the remember-password ticket and obtained the encryption object, it automatically updates the renewal time in the encryption object to the current time and increments the renewal count by 1, then encrypts the newly generated encryption object and returns a new remember-password ticket to the client; the client saves the new remember-password ticket and sets a new validity period for it.
Typically, when the user logs in at the client within three days or one week before the validity period of the remember-password ticket expires, the client automatically performs the "remember password" renewal operation for the user. If the user has not logged in at the client during that period, the remember-password ticket becomes invalid once the validity period has passed, and the client no longer keeps the user's remember-password ticket. At the next login the user must enter the login account and login password again.
When the user selects "remember password" at the client for the first time, the renewal time is 0 and the renewal count is also 0. Each time the client performs a renewal operation, the server updates the renewal time in the encryption object to the time of this renewal and increments the renewal count by 1. For example: a user logs in to an MSN account at some client on 1 January 2008 at 13:33:45 and chooses the "remember password" function; assuming the validity period of the remember-password ticket defaults to one month, the encryption object at that point is: generation time = 2008/01/01 13:33:45; renewal time = 0; renewal count = 0. Assuming the early-renewal window is one week before expiry, then at some time after 24 January 2008, say 25 January 2008 at 14:34:36, the user logs in at the client, the client automatically performs the renewal operation for the user, and the encryption object is updated to: generation time = 2008/01/01 13:33:45; renewal time = 2008/01/25 14:34:36; renewal count = 1. If the user does not log in at the client before 1 February 2008 at 13:33:45, then from 1 February 2008 at 13:33:45 the client no longer keeps the user's remember-password ticket.
For the method of saving encrypted data at the client in which the password save time, the renewal time and the renewal count are used as the encryption object, when the user logs in automatically at the client, determining in step 304 whether the remember-password ticket is valid specifically includes the following steps:
Step 304A: Determine whether the password save time is later than the server's current time. If so, the remember-password ticket is invalid; proceed to step 306. Otherwise, proceed to step 304B;
Step 304B: Determine whether the interval between the password save time and the server's current time exceeds the preset maximum allowed interval. If so, the remember-password ticket has been kept at the local client for a long time without a login; proceed to step 304C. Otherwise, proceed to step 305;
The length of the maximum allowed interval can be set as needed; it is typically one month.
Step 304C: If the renewal time is 0, or the interval between the renewal time and the current time is within the preset maximum allowed interval, notify the client to perform a renewal operation; otherwise, the renewal operation is not allowed, the remember-password ticket is considered invalid, and the process proceeds to step 306;
Step 305: The server notifies the client that the user is allowed to log in automatically, and the automatic login process ends.
Step 306: The server notifies the client to prompt the user to enter the password again, and the automatic login process ends.
When the server notifies the client to perform the renewal operation in step 304C, the client sends a password-save renewal request containing the current remember-password ticket to the server; after the server has successfully decrypted the remember-password ticket and obtained the encryption object, it automatically updates the renewal time in the encryption object to the current time information, increments the renewal count by 1, then encrypts the newly generated encryption object and returns a new remember-password ticket to the client, which saves the new remember-password ticket. Therefore the renewal time differs for each updated remember-password ticket: it is always the time of the most recent renewal operation.
In step 304C, before the server notifies the client to perform the renewal operation, it may further determine whether the renewal count has already exceeded the preset maximum allowed number of renewals. If so, no renewal operation is performed, and the server directly notifies the client to prompt the user to enter the password again.
In step 304C, the server may further determine the interval between the renewal time and the generation time. If this interval exceeds the preset maximum allowed interval, no renewal operation is performed, and the server directly notifies the client to prompt the user to enter the password again.
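The server-side validity check of steps 304a/304b and 304A to 304C, the two optional checks added before a renewal is granted, the renewal update (renewal time = now, count + 1) and the client's early-renewal trigger, as an added Go example that is not code from the patent or its applicant. The verdict names, the 30-day duration standing in for "typically one month", the renewal cap of 12 and the three-way outcome are assumptions; the dates used in the usage and test are the worked example from the description (ticket generated 2008/01/01 13:33:45, renewed 2008/01/25 14:34:36).

```go
package main

import (
	"fmt"
	"time"
)

// Verdict is what the server tells the client after checking the decrypted
// encryption object (steps 304A to 304C of the description).
type Verdict int

const (
	Reject Verdict = iota // step 306: prompt the user for the password again
	Allow                 // step 305: automatic login permitted
	Renew                 // step 304C: client is told to renew the ticket
)

func (v Verdict) String() string { return [...]string{"Reject", "Allow", "Renew"}[v] }

// TicketObject holds the three fields the description places in the encryption
// object. A zero RenewedAt is the text's "renewal time = 0" (never renewed).
type TicketObject struct {
	SavedAt      time.Time // password save / generation time (server clock)
	RenewedAt    time.Time // time of the most recent renewal
	RenewalCount int
}

// Policy holds the preset limits. MaxInterval is "typically one month" in the
// text; MaxRenewals is the optional cap mentioned for step 304C (value assumed).
type Policy struct {
	MaxInterval time.Duration
	MaxRenewals int
}

// CheckTicket implements steps 304A to 304C plus the two optional checks the
// description adds before a renewal is granted, in the order the text gives.
func CheckTicket(obj TicketObject, now time.Time, p Policy) Verdict {
	// 304A: a save time later than the server clock cannot be genuine.
	if obj.SavedAt.After(now) {
		return Reject
	}
	// 304B: saved recently enough, so automatic login without renewal.
	if now.Sub(obj.SavedAt) <= p.MaxInterval {
		return Allow
	}
	// Optional check: renewal count already beyond the cap, no further renewal.
	if obj.RenewalCount > p.MaxRenewals {
		return Reject
	}
	// Optional check: last renewal too far from the generation time.
	if !obj.RenewedAt.IsZero() && obj.RenewedAt.Sub(obj.SavedAt) > p.MaxInterval {
		return Reject
	}
	// 304C: never renewed, or last renewal still within the window, so renew.
	if obj.RenewedAt.IsZero() || now.Sub(obj.RenewedAt) <= p.MaxInterval {
		return Renew
	}
	return Reject
}

// RenewTicket is the server-side update made before the object is
// re-encrypted into a new ticket: renewal time = now, count + 1.
func RenewTicket(obj TicketObject, now time.Time) TicketObject {
	obj.RenewedAt = now
	obj.RenewalCount++
	return obj
}

// ShouldRenewEarly is the client-side trigger: renew when a login happens
// within `lead` (three days or a week in the text) before the ticket expires.
func ShouldRenewEarly(expiresAt, now time.Time, lead time.Duration) bool {
	return !now.After(expiresAt) && !now.Before(expiresAt.Add(-lead))
}

func main() {
	p := Policy{MaxInterval: 30 * 24 * time.Hour, MaxRenewals: 12}
	gen := time.Date(2008, 1, 1, 13, 33, 45, 0, time.UTC)
	jan25 := time.Date(2008, 1, 25, 14, 34, 36, 0, time.UTC)
	obj := TicketObject{SavedAt: gen}
	fmt.Println("login on Jan 25:", CheckTicket(obj, jan25, p))
	fmt.Println("client renews early:", ShouldRenewEarly(gen.AddDate(0, 1, 0), jan25, 7*24*time.Hour))
	renewed := RenewTicket(obj, jan25)
	fmt.Println("login on Feb 15 after renewal:", CheckTicket(renewed, time.Date(2008, 2, 15, 0, 0, 0, 0, time.UTC), p))
}
```

Note that only the server clock is consulted: the save and renewal times come out of the decrypted object, never from the client, which is what makes the age checks meaningful against a copied ticket.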
As the automatic login process above shows, when the encryption object consists of the password save time, the renewal time and the renewal count, the strength of the server's verification is further increased and the security of the password is enhanced. In practice, even if the remember-password ticket is deciphered and a login is achieved, it cannot be used for long without renewal, which reduces the loss from password theft.
To enhance the reliability of encrypted data saving, the server information may further include a format version number, obfuscation data and other data, to further increase the complexity of the encryption object and enhance the security of the saved encrypted data.
In the method of this embodiment, the encryption object can be configured flexibly according to specific needs. When the server verifies the remember-password ticket and determines whether it is valid, the server notifies the client to refuse automatic login and to prompt the user to enter the login password again whenever any item in the encryption object fails its verification condition. This greatly increases the reliability and flexibility of server verification and enhances the security of the encrypted data saved at the client.
The second embodiment of the present invention differs from the first in that, after the encryption object has been encrypted with the hash data, the password data obtained from this first encryption is encrypted a second time using client-local information, and the result is saved at the client as the remember-password ticket. This further increases the complexity of the remember-password ticket and improves the security of saving encrypted data at the client.
Referring to Figure 9, a flowchart of the method for saving encrypted data at the client according to the second embodiment of the present invention.
Step 401: The user enters the login account and login password on the client login interface and selects the "remember password" function;
Step 402: The client sends a login request containing the user's login account and login password to the server and receives the encryption object, which includes the current time, returned by the server;
Step 403: The client selects a hash algorithm and hashes the login password provided by the user to obtain hash data corresponding to the login password, which serves as the key;
Step 404: Using a preset encryption algorithm and the hash data as the key, the client encrypts the encryption object once to obtain the first-pass encrypted data; it then uses the client-local information as the key to encrypt the first-pass encrypted data a second time, obtaining the second-pass encrypted data, which is saved at the client as the remember-password ticket.
The client-local information may be machine information inherent to the local client itself, local network-related information, locally generated random data, or the like.
The machine information inherent to the client may be the physical (MAC) address of the client's network card, the serial number of the client's first hard disk, and so on. The local network-related information may be the client's IP address, gateway address, subnet mask, and so on. The locally generated random data may be data randomly generated at the local client and used, according to a preset rule, together with the client's inherent machine information or local network-related information; it serves as obfuscation to increase the complexity of the key and make it harder to decipher.
Client-local information is used as the key in order to make the key harder to decipher. As needed, the client randomly selects some of this information, composes the key from it according to a certain rule, and encrypts the encryption object. It is difficult for others to obtain this key by technical means; therefore, even if the encryption algorithm becomes known, it remains difficult to decipher the encryption object and steal the password.
Usually the client's own inherent machine information is used as the client-local information, because this information is fixed and can be locked by an administrator so that outsiders cannot learn it, further enhancing the security of password saving. By comparison, the local network-related information may be fixed or may change arbitrarily; for example, if the local network obtains IP addresses automatically, the client's IP address may differ each time. This too can further enhance the security of password saving.
In the method of this embodiment, the first and second encryption of the encryption object may use the same encryption algorithm, or a different encryption algorithm may be used for each, to further enhance the security of password saving.
The method for saving encrypted data at the client according to the second embodiment uses client-local information as the key to encrypt the encryption object a second time, and the resulting encrypted data is saved at the client as the remember-password ticket.
In the method of this embodiment, the client-local information used as the secondary encryption key may be generated, according to the client's needs, by freely combining the local client's inherent machine information, local network-related information and locally generated random data according to a preset rule. This enhances the secrecy of the key: even if someone learns the encryption algorithm, it is very difficult to obtain the key to decipher the password, because the components of the key and the way it is defined cannot be learned. The method for saving encrypted data at the client is therefore highly secure.
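The ticket construction of the first embodiment (client-side encryption in step 204, server-side decryption as the password check in step 303) and the two-layer variant of the second embodiment (steps 404 and 501), as an added Go example that is not code from the patent or its applicant. Assumptions: SHA-256 for the password hash and for the preset function f, AES-256-GCM in place of the DES the description names, and SHA-256 over the MAC address, first-disk serial number and a local random value as the rule that composes the second-layer key. All MAC addresses, serial numbers and passwords below are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// PasswordHash is what the server stores per account (steps 202/302). SHA-256
// is an assumption; the description leaves the hash algorithm open.
func PasswordHash(password string) []byte {
	h := sha256.Sum256([]byte(password))
	return h[:]
}

// TicketKey is the "preset function f" over the password hash. f is not
// defined in the description; a labelled SHA-256 re-hash is assumed here.
func TicketKey(pwHash []byte) []byte {
	h := sha256.New()
	h.Write([]byte("remember-password-ticket-key"))
	h.Write(pwHash)
	return h.Sum(nil) // 32 bytes, used as an AES-256 key
}

// AES-256-GCM stands in for the DES named in the description. Being
// authenticated, it gives the server the clean "decryption failed" signal
// that step 303/503 relies on to reject a wrong password.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func open(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ticket too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// MakeTicket is the client's first encryption (step 204/404): the key comes
// from the login password, the plaintext is the server-issued save time.
func MakeTicket(password string, savedAt time.Time) ([]byte, error) {
	obj, err := savedAt.MarshalBinary() // the "encryption object"
	if err != nil {
		return nil, err
	}
	return seal(TicketKey(PasswordHash(password)), obj)
}

// OpenTicket is the server side (step 303/503): the same key is derived from
// the stored hash, so a ticket made under a wrong password fails to open.
func OpenTicket(storedHash, ticket []byte) (time.Time, error) {
	var savedAt time.Time
	obj, err := open(TicketKey(storedHash), ticket)
	if err != nil {
		return savedAt, err
	}
	err = savedAt.UnmarshalBinary(obj)
	return savedAt, err
}

// LocalKey is the second embodiment's key from client-local information. The
// combining rule (SHA-256 over MAC, disk serial, local random) is assumed.
func LocalKey(macAddr, diskSerial string, localRandom []byte) []byte {
	h := sha256.New()
	h.Write([]byte(macAddr + "|" + diskSerial))
	h.Write(localRandom)
	return h.Sum(nil)
}

// WrapLocal is the second encryption of step 404; UnwrapLocal is the client's
// own decryption in step 501 before the inner layer is sent to the server.
func WrapLocal(localKey, firstLayer []byte) ([]byte, error) { return seal(localKey, firstLayer) }
func UnwrapLocal(localKey, ticket []byte) ([]byte, error)  { return open(localKey, ticket) }

func main() {
	t, _ := MakeTicket("correct horse", time.Date(2008, 1, 1, 13, 33, 45, 0, time.UTC))
	_, err := OpenTicket(PasswordHash("wrong password"), t)
	fmt.Println("wrong password rejected:", err != nil)
}
```

Two design points follow from the text. With an unauthenticated block cipher such as DES, "decryption succeeded" has no meaning on its own; the server needs structure in the plaintext (the format version number the description mentions, or an authentication tag as here) before it can treat a successful decrypt as proof of the password. The second layer only binds the ticket to the machine it was saved on: a ticket copied elsewhere fails to unwrap, but code running on the same machine can recompute the local key, so the server-side age and renewal checks remain the actual limit on a stolen ticket.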
Referring to Figure 10, a flowchart of implementing automatic login with the method for saving encrypted data at the client according to the second embodiment of the present invention.
Step 501: The user logs in again at the client. According to the login account provided by the user, the client extracts the corresponding remember-password ticket from local storage, decrypts it using the client-local information to obtain the first-pass encrypted data, and passes automatic login request information containing the first-pass encrypted data and the login account to the server;
The server decrypts the remember-password ticket using the algorithm corresponding to the secondary encryption algorithm of step 404.
Step 502: The server receives the automatic login request information and extracts the password hash data corresponding to the login account from the database to serve as the key;
If in step 402 the key was the hash data computed from the password hash by the function f, then correspondingly, in step 502, the server computes the preset function f described in step 402 over the password hash data to generate the hash data, which serves as the decryption key;
Step 503: The server decrypts the first-pass encrypted data received from the client using the hash data. If decryption succeeds, the client's password is proven correct, the encryption object is obtained, and the process proceeds to step 504; if decryption fails, proceed to step 506;
The server decrypts the remember-password ticket using the algorithm corresponding to the first encryption algorithm of step 404.
Step 504: The server checks the encryption object obtained by decryption and determines whether the remember-password ticket is valid. If the remember-password ticket is valid, proceed to step 505; otherwise, proceed to step 506;
The encryption object is the server-side time at which the client first saved the user's login password, referred to for short as the password save time.
The specific process of determining whether the remember-password ticket is valid is the same as step 304 of the first embodiment of the present invention.
Step 505: The server notifies the client that the user is allowed to log in automatically, and the automatic login process ends.
Step 506: The server notifies the client to prompt the user to enter the password again, and the automatic login process ends.
To enhance the reliability of password saving, the encryption object in the second embodiment may also further include the renewal time and the renewal count; the server's verification of the renewal time and the renewal count is the same as in the first embodiment.
To enhance the reliability of encrypted data saving, the server information may further include a format version number, obfuscation data and other data, to increase the complexity of generating the remember-password ticket.
Based on the above method for saving encrypted data at the client, the present invention further provides a system for saving encrypted data at the client.
Referring to Figure 11, a diagram of the system for saving encrypted data at the client according to the first embodiment of the present invention.
The system includes a client 61 and a server 62, where the client 61 includes:
an encryption object receiving module 610, configured to receive the encryption object, including the current time, returned by the server;
a login password hashing module 611, configured to hash the login password at least once to generate hash data;
a hash data encryption module 612, configured to encrypt, according to a preset encryption algorithm, the encryption object received by the encryption object receiving module 610 using the hash data generated by the login password hashing module 611 as the key, and to send the resulting encrypted data to the storage module 613 as the remember-password ticket;
a storage module 613, configured to save the remember-password ticket, that is, the encrypted data, sent by the hash data encryption module 612.
To enhance the reliability of password saving, the login password hashing module 611 of this embodiment may either hash the login password provided by the user directly, producing a password hash that serves as the key, or compute a preset function f over the password hash to obtain hash data related to the password hash, which serves as the key. Even if someone learns the hash algorithm, it is difficult to obtain the key to decipher the password, because the way the function f is defined cannot be learned.
With the system of this embodiment, the remember-password ticket saved by the storage module 613, that is, the encrypted data, is obtained by encrypting the encryption object returned by the server, which contains the current time, using as the key the hash data obtained by hashing the login password. If the remember-password ticket is obtained by someone else, then even if the encryption algorithm used is known, it is difficult to obtain information about the encrypted object; therefore the likelihood of recovering, from the remember-password ticket alone, the hash data related to the login password that serves as the key is very small, which safeguards the security of the saved password. Compared with the prior art, which uses only the password hash as the remember-password ticket, the security of saving encrypted data at the client is greatly enhanced.
Referring to Figure 12, a diagram of the system for saving encrypted data at the client according to the second embodiment of the present invention.
The system for saving encrypted data at the client according to the second embodiment differs from that of the first embodiment in that the client of the second embodiment further includes a local information encryption module 614.
The local information encryption module 614 is configured to encrypt, using a preset encryption algorithm and the client-local information as the key, the encrypted data output by the hash data encryption module 612, to generate the remember-password ticket and send it to the storage module 613.
Correspondingly, the storage module 613 is configured to save the remember-password ticket sent by the local information encryption module.
The client-local information may be machine information inherent to the local client itself, local network-related information, locally generated random data, or the like.
In the system of this embodiment, the local information encryption module 614 uses client-local information as the key. This client-local information may be generated, according to the client's needs, by freely combining the local client's inherent machine information, local network-related information and locally generated random data according to a preset rule, which enhances the secrecy of the key: even if someone learns the encryption algorithm, it is very difficult to obtain the key to decipher the password, because the components of the key and the way it is defined cannot be learned. The system for saving encrypted data at the client is therefore highly secure.
The method and system for saving encrypted data at the client provided by the present invention have been described above. The description of the embodiments above serves only to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, in accordance with the idea of the present invention, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims

1. A method for saving encrypted data at a client, characterized in that the method comprises:
the server verifying the client's login password and sending an encryption object that includes server-side current time information to the client;
the client encrypting the login password and the encryption object to generate encrypted data;
the client saving the encrypted data generated from the verified login password and the corresponding encryption object.
2. The method according to claim 1, characterized in that
the server verifying the client's login password and sending the encryption object that includes server-side current time information to the client, and the client encrypting the login password and the encryption object to generate encrypted data, comprises:
the server sending the encryption object that includes server-side current time information to the client according to the client's request;
the client encrypting the login password and the encryption object to generate encrypted data, and sending the generated encrypted data to the server;
the server verifying the encrypted data and, if the verification passes, sending to the client an indication that the login password has been verified.
3. The method according to claim 1, characterized in that
the server verifying the client's login password and sending the encryption object that includes server-side current time information to the client, and the client encrypting the login password and the encryption object to generate encrypted data, comprises:
the server sending the encryption object that includes server-side current time information to the client according to the client's request;
the client sending the login password information to the server and receiving the verification result returned by the server;
the client encrypting the verified login password and the encryption object to generate encrypted data.
4、 如权利要求 1所述的方法, 其特征在于,  4. The method of claim 1 wherein:
所述服务器对客户端的登录密码进行验证, 将包括服务器侧当前时 间信息的加密对象发给客户端包括:  The server verifies the login password of the client, and sends the encrypted object including the current time information of the server side to the client, including:
客户端发送登录密码信息给服务器, 接收所述服务器返回的验证结 果和包括当前时间的加密对象。  The client sends the login password information to the server, and receives the verification result returned by the server and the encrypted object including the current time.
5、 如权利要求 1至 4任一权项所述的方法, 其特征在于, 所述客户端对所述登录密码和所述加密对象进行加密包括: 所述客户端对所述登录密码至少一次散列, 生成散列数据, 利用所 述散列数据对所述加密对象加密。  The method according to any one of claims 1 to 4, wherein the encrypting the login password and the encrypted object by the client comprises: the client accessing the login password at least once Hashing, generating hash data, and encrypting the encrypted object with the hash data.
6、根据权利要求 5所述的方法, 其特征在于, 利用所述散列数据对 所述加密对象加密具体为:  The method according to claim 5, wherein the encrypting the encrypted object by using the hash data is specifically:
在所述散列数据中加入混淆数据, 利用加入混淆数据后的散列数据 对所述加密对象加密。  The obfuscated data is added to the hash data, and the encrypted object is encrypted by the hash data added with the obfuscated data.
7、根据权利要求 5所述的方法, 其特征在于, 利用所述散列数据对 所述加密对象加密后进一步包括:  The method according to claim 5, wherein the encrypting the encrypted object by using the hash data further comprises:
利用客户端本地信息对所述加密对象二次加密。  The encrypted object is secondarily encrypted using client local information.
8、根据权利要求 7所述的方法, 其特征在于, 所述客户端本地信息 为客户端网卡物理地址、客户端硬盘序列号、 和 /或客户端随机生成的数 据。  The method according to claim 7, wherein the client local information is a client NIC physical address, a client hard disk serial number, and/or a data randomly generated by the client.
9、 根据权利要求 5所述的方法, 其特征在于, 进一步包括: 客户端发送含有加密数据的自动登录请求给所述服务器; 所述 Λ良务器解密所述加密数据, 确定所述加密对象中的当前时间未 超过预设的最大允许时间间隔, 返回允许自动登录信息给所述客户端。 9. The method according to claim 5, further comprising: the client transmitting an automatic login request containing the encrypted data to the server; the server decrypting the encrypted data, determining the encrypted object The current time in the middle does not exceed the preset maximum allowable time interval, and returns automatic login information to the client.
10、 根据权利要求 5所述的方法, 其特征在于, 客户端发送登录密 码信息给服务器之后, 进一步包括: 设置密码的保存有效期。 The method according to claim 5, wherein after the client sends the login password information to the server, the method further includes: setting a saving validity period of the password.
11、 根据权利要求 10所述的方法, 其特征在于, 进一步包括: 客户端发送含有加密数据的密码保存续期请求给所述服务器; 所述服务器解密所述加密数据, 更新解密后得到的加密对象, 再对 更新后的加密对象加密, 返回更新后加密数据给所述客户端;  11. The method according to claim 10, further comprising: the client transmitting a password save renewal request containing the encrypted data to the server; the server decrypting the encrypted data, and updating the decrypted encryption The object, and then encrypting the updated encrypted object, and returning the updated encrypted data to the client;
所述服务器延长密码保存有效期。  The server extends the password save validity period.
12、根据权利要求 11所述的方法, 其特征在于, 所述服务器延长密 码保存有效期之前, 进一步包括:  The method according to claim 11, wherein before the server extends the validity period of the password save, the method further includes:
所述服务器确定接收密码保存续期请求次数未超过预设的最大允许 续期次数。  The server determines that the number of times the receiving password save renewal request does not exceed the preset maximum allowed number of renewals.
13、根据权利要求 11所述的方法, 其特征在于, 所述服务器延长密 码保存有效期之前, 进一步包括:  The method according to claim 11, wherein before the server extends the validity period of the password save, the method further includes:
所述服务器确定接收密码保存续期请求时间未超过预设的最大允许 时间间隔。  The server determines that the receiving password save renewal request time does not exceed the preset maximum allowable time interval.
14、根据权利要求 11所述的方法, 其特征在于, 更新解密后得到的 加密对象包括:  The method according to claim 11, wherein the updating the encrypted object obtained after decryption comprises:
服务器在所述加密对象中加设接收密码保存续期请求时间。  The server adds a receiving password save renewal request time to the encrypted object.
15、根据权利要求 14所述的方法, 其特征在于,接收密码保存续期 请求时间为最近接收密码保存续期请求的时间。  The method according to claim 14, wherein the receiving password save renewal request time is the time of receiving the password retention renewal request most recently.
16、根据权利要求 11所述的方法, 其特征在于, 更新解密后得到的 加密对象包括:  The method according to claim 11, wherein the updating the encrypted object obtained after decryption comprises:
服务器在所述加密对象中加设接收密码保存续期请求次数。  The server adds a number of receiving password save renewal requests to the encrypted object.
17、根据权利要求 16所述的方法, 其特征在于, 更新解密后得到的 加密对象包括: 服务器在所述加密对象中加设格式版本号和混淆数据。 The method according to claim 16, wherein the updating the encrypted object obtained after decryption comprises: The server adds a format version number and obfuscated data to the encrypted object.
18、 一种在客户端保存加密数据的系统, 包括客户端和服务器, 其 特征在于,  18. A system for storing encrypted data on a client, comprising a client and a server, wherein:
所述客户端, 对登录密码和服务器发来的加密对象进行加密, 生成 加密数据, 保存由服务器验证通过的登录密码和相应的加密对象生成的 加密数据;  The client encrypts the login password and the encrypted object sent by the server, generates encrypted data, and saves the login password verified by the server and the encrypted data generated by the corresponding encrypted object;
所述服务器, 对客户端的登录密码进行验证, 将包括服务器侧当前 时间信息的加密对象发给客户端。  The server verifies the login password of the client, and sends the encrypted object including the current time information of the server side to the client.
19、 如权利要求 18所述的系统, 其特征在于,  19. The system of claim 18, wherein:
所述客户端,向服务器请求包括服务器侧当前时间信息的加密对象, 对登录密码和所述加密对象进行加密, 生成加密数据, 将生成的加密数 据发给服务器, 接收服务器发来的登录密码验证通过的指示后, 保存所 述加密数据;  The client requests an encryption object including current time information of the server side to the server, encrypts the login password and the encrypted object, generates encrypted data, sends the generated encrypted data to the server, and receives the login password verification sent by the server. After passing the indication, saving the encrypted data;
所述服务器, 根据客户端的请求返回包括服务器侧当前时间信息的 加密对象, 对客户端发来的加密数据进行验证, 如果验证通过, 则向客 户端发送登录密码验证通过的指示。  The server returns an encrypted object including the current time information of the server according to the request of the client, and verifies the encrypted data sent by the client. If the verification succeeds, the client sends an indication that the login password is verified.
20、 如权利要求 18所述的系统, 其特征在于,  20. The system of claim 18, wherein
所述客户端,向服务器请求包括服务器侧当前时间信息的加密对象, 发送登录密码信息给服务器, 接收所述服务器返回的验证结果, 对验证 通过的登录密码和所述加密对象进行加密, 生成加密数据并保存;  The client requests an encryption object including current time information of the server side to the server, sends login password information to the server, receives the verification result returned by the server, encrypts the login password and the encrypted object, and generates encryption. Data and save;
所述服务器, 根据客户端的请求返回包括服务器侧当前时间信息的 加密对象, 对客户端发来的登录密码信息进行验证, 如果验证通过, 则 向客户端发送登录密码验证通过的指示。  The server returns an encrypted object including the current time information of the server according to the request of the client, and verifies the login password information sent by the client. If the verification succeeds, the server sends an indication of the login password verification.
21、 如权利要求 18所述的系统, 其特征在于,  21. The system of claim 18, wherein:
所述客户端, 发送登录密码信息给服务器, 接收所述服务器返回的 验证结果和包括当前时间的加密对象, 对验证通过的登录密码和所述加 密对象进行加密, 生成加密数据并保存; The client sends login password information to the server, and receives the return from the server. Verifying the result and the encrypted object including the current time, encrypting the verified login password and the encrypted object, generating encrypted data and saving;
所述服务器, 接收客户端发来的登录密码信息, 对所述登录密码信 息进行验证, 并将验证结果连同包括服务器侧当前时间信息的加密对象 一起发给所述客户端。  The server receives the login password information sent by the client, verifies the login password information, and sends the verification result to the client together with the encryption object including the current time information of the server side.
22、 如权利要求 18至 21任一权项所述的系统, 其特征在于, 所述客户端包括:  The system according to any one of claims 18 to 21, wherein the client comprises:
加密对象接收模块, 用于发送登录密码信息给服务器, 接收所述服 务器返回的验证结果和包括当前时间的加密对象;  An encryption object receiving module, configured to send login password information to the server, receive the verification result returned by the server, and the encrypted object including the current time;
登录密码散列模块,用于对通过验证的所述登录密码至少一次散列, 生成散列数据;  a login password hashing module, configured to hash the login password that has passed the verification at least once to generate hash data;
散列数据加密模块, 用于利用所述散列数据对所述加密对象加密, 生成加密数据;  a hash data encryption module, configured to encrypt the encrypted object by using the hash data to generate encrypted data;
存储模块, 用于保存所述散列数据加密模块发送的加密数据。  And a storage module, configured to save the encrypted data sent by the hash data encryption module.
23、根据权利要求 22所述的系统, 其特征在于, 所述客户端进一步 包括:  The system according to claim 22, wherein the client further comprises:
本地信息加密模块, 用于利用客户端本地信息对所述散列数据加密 模块输出的加密数据加密;  a local information encryption module, configured to encrypt the encrypted data output by the hash data encryption module by using local information of the client;
所述存储模块, 用于保存所述本地信息加密模块发送的加密数据。  The storage module is configured to save the encrypted data sent by the local information encryption module.
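The two-layer scheme that the description's "client local information" paragraphs and claims 1 to 17 lay out, as an added, runnable example; it is not the patent's own code and does not reproduce module 614 or any Tencent implementation. It uses only the Python standard library: a stand-in authenticated encryption built from HMAC-SHA256 where a product would use AES-GCM, PBKDF2 as the "at least one hash" of claim 5 with the obfuscation data of claim 6 as its salt, and assumed values for the maximum allowed interval and renewal count. The account, password and machine fields are constructed. The patent does not say how the obfuscation data reaches the client, so here the server hands the salt back with the verification result (an assumption); the renewal receipt time of claims 14 and 15 is stored as the most recent one and is what the claim 9 window check measures from.

```python
import hashlib, hmac, json, secrets, struct, time

MAX_AGE = 7 * 24 * 3600   # assumed maximum allowed time interval (claims 9, 13)
MAX_RENEWALS = 5          # assumed maximum allowed renewal count (claim 12)
FORMAT_VERSION = 1        # format version number carried in the object (claim 17)

# Stand-in AEAD from the standard library: HMAC-SHA256 keystream in counter mode, encrypt-then-MAC.
def _stream(key, nonce, n):
    parts = [hmac.new(key, b"s" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
             for i in range((n + 31) // 32)]
    return b"".join(parts)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"t" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"t" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def password_key(password, salt):   # claims 5-6: iterated hash, obfuscation data as the salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def local_key(machine, client_random):   # claims 7-8: machine fields in a preset order
    fields = [machine["mac"].encode(), machine["disk_serial"].encode(), client_random]
    return hashlib.sha256(b"|".join(fields)).digest()

class Server:
    def __init__(self, now=time.time):
        self.now, self.users = now, {}   # account -> (salt, password-derived key)
    def register(self, account, password):
        salt = secrets.token_bytes(16)
        self.users[account] = (salt, password_key(password, salt))
    # Claim 4: verify; on success return the salt (assumed sent with the result) and the timed object.
    def login(self, account, password):
        salt, key = self.users[account]
        if not hmac.compare_digest(password_key(password, salt), key):
            return None
        return salt, {"ver": FORMAT_VERSION, "t": self.now(), "renewals": 0, "obf": secrets.token_hex(8)}
    def _open(self, account, enc):
        return json.loads(unseal(self.users[account][1], enc))
    def auto_login(self, account, enc):   # claim 9: embedded time still inside the interval
        try:
            obj = self._open(account, enc)
        except ValueError:
            return False
        return self.now() - obj.get("last_renewal", obj["t"]) <= MAX_AGE
    # Claims 11-17: renewal bounded by count and interval; object gets receipt time, count, version, fresh obfuscation.
    def renew(self, account, enc):
        obj = self._open(account, enc)
        if obj["renewals"] >= MAX_RENEWALS or self.now() - obj.get("last_renewal", obj["t"]) > MAX_AGE:
            return None
        obj.update(last_renewal=self.now(), renewals=obj["renewals"] + 1,
                   ver=FORMAT_VERSION, obf=secrets.token_hex(8))
        return seal(self.users[account][1], json.dumps(obj).encode())

class Client:
    def __init__(self, server, machine):
        self.server, self.machine, self.stored = server, machine, None
        self.client_random = secrets.token_bytes(16)   # kept beside the stored blob
    def store(self, inner):   # claim 7: second layer under the local-information key
        self.stored = seal(local_key(self.machine, self.client_random), inner)
    def credential(self, machine=None):   # unwrap; fails if the blob moved to another machine
        return unseal(local_key(machine or self.machine, self.client_random), self.stored)
    def login(self, account, password):
        result = self.server.login(account, password)
        if result:
            salt, obj = result
            self.store(seal(password_key(password, salt), json.dumps(obj).encode()))
        return result is not None

def demo():
    clock = [1_700_000_000.0]   # fake server clock so the checks are deterministic
    srv = Server(now=lambda: clock[0])
    srv.register("alice", "correct horse battery")   # constructed account and machine
    pc = Client(srv, {"mac": "00:11:22:33:44:55", "disk_serial": "WD-WX11A"})
    out = {"wrong_password": pc.login("alice", "guess")}
    pc.login("alice", "correct horse battery")
    out["auto_login"] = srv.auto_login("alice", pc.credential())
    try:   # the same blob and client_random copied to a host with a different MAC
        pc.credential({"mac": "66:77:88:99:aa:bb", "disk_serial": "WD-WX11A"})
        out["other_machine"] = True
    except ValueError:
        out["other_machine"] = False
    granted = 0
    while (renewed := srv.renew("alice", pc.credential())) is not None:   # until refused
        pc.store(renewed)
        granted += 1
        clock[0] += 24 * 3600   # next request a day later, still inside the interval
    out["renewals_granted"] = granted
    clock[0] += MAX_AGE + 1   # now beyond the allowed interval
    out["expired"] = srv.auto_login("alice", pc.credential())
    return out
```

Calling `demo()` walks the claim 4 login, the claim 9 window check, the renewal loop of claims 11 to 17 until the count limit refuses, the blob copied to another machine, and a credential past the allowed interval. Two points the claims leave implicit matter in practice: because the server must decrypt the stored object (claims 9 and 11), it holds a password-derived key for every account, which is the record to protect and rotate most carefully; and the second layer's strength, as the description states it, rests on the attacker not knowing which fields feed the key, whereas the NIC address and disk serial number of claim 8 are readable by any process on the host. That layer therefore stops a blob copied to a different machine, as the `other_machine` check shows, but not code running where the blob is stored.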

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008101275538A CN101309278B (en) 2008-06-27 2008-06-27 Method and system for storing encrypt data on customer
CN200810127553.8 2008-06-27

Publications (1)

Publication Number Publication Date
WO2009155813A1 (en) 2009-12-30

Family

ID=40125497

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/071883 WO2009155813A1 (en) 2008-06-27 2009-05-20 Method for storing encrypted data in client and system thereof

Country Status (2)

Country Link
CN (1) CN101309278B (en)
WO (1) WO2009155813A1 (en)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101309278B (en) * 2008-06-27 2011-07-06 腾讯科技(深圳)有限公司 Method and system for storing encrypt data on customer
CN102055722B (en) * 2009-10-28 2014-01-15 中标软件有限公司 Implementation method for ensuring secure storage of electronic mails
US10102242B2 (en) * 2010-12-21 2018-10-16 Sybase, Inc. Bulk initial download of mobile databases
CN102045170B (en) * 2010-12-28 2013-02-20 北京深思洛克软件技术股份有限公司 Method and system for protecting safety of password
CN102629925B (en) * 2012-03-31 2014-10-15 苏州阔地网络科技有限公司 Method and system for preventing illegal connection
CN102752285B (en) * 2012-06-07 2015-03-18 广东电网公司茂名供电局 Pre-authentification computer system login method based on high collision probability hash function
CN102739404B (en) * 2012-06-29 2016-01-06 浪潮(北京)电子信息产业有限公司 A kind of cipher management method and system
CN103713915A (en) * 2012-09-29 2014-04-09 联想(北京)有限公司 System starting method and electronic equipment
CN103873442B (en) * 2012-12-13 2017-12-12 腾讯科技(深圳)有限公司 The treating method and apparatus of log-on message
CN103188271A (en) * 2013-04-19 2013-07-03 国家电网公司 Secure mail client local data storage and identification methods and devices
CN104135364A (en) * 2013-04-30 2014-11-05 鸿富锦精密工业(深圳)有限公司 Account encryption and decryption system and method
CN104601532B (en) * 2013-10-31 2019-03-15 腾讯科技(深圳)有限公司 A kind of method and device of logon account
CN104883341B (en) * 2014-02-28 2019-01-25 宇龙计算机通信科技(深圳)有限公司 Application management device, terminal and application management method
CN103888457A (en) * 2014-03-19 2014-06-25 深信服网络科技(深圳)有限公司 Method and system for improving login security
CN105812329B (en) * 2014-12-31 2018-07-20 中国科学院沈阳自动化研究所 For the mobile security encryption method in complicated production management system
CN105491030A (en) * 2015-11-27 2016-04-13 韦昱灵 Website user password encryption and verification method
CN105376261B (en) * 2015-12-21 2020-01-14 Tcl集团股份有限公司 Encryption method and system for instant messaging message
CN105610811B (en) * 2015-12-24 2019-06-25 中国建设银行股份有限公司 Authentication method and its relevant equipment and system
CN106127061A (en) * 2016-06-22 2016-11-16 杨越 Computer Cryptography Security ensures computational methods
CN106650351B (en) * 2016-10-31 2018-12-04 维沃移动通信有限公司 A kind of operation method and mobile terminal of application program
CN108259165A (en) * 2016-12-29 2018-07-06 航天信息股份有限公司 Inventory's grain cognizance code encryption and decryption approaches and device
CN108234458A (en) * 2017-12-21 2018-06-29 广东汇泰龙科技有限公司 Method, the system of encryption storage and the decryption extraction of a kind of cloud lock cipher
CN109787760B (en) * 2019-01-23 2021-10-08 哈尔滨工业大学 Optimized secret key security enhancement method and device based on H1 type hash function family
CN112543241B (en) * 2020-10-22 2023-05-30 重庆恢恢信息技术有限公司 Construction site safety image data mining method by using block chain
CN112506647A (en) * 2020-11-19 2021-03-16 杭州电魂网络科技股份有限公司 Method, system, device and storage medium for load balancing of stateful servers
CN113542256B (en) * 2021-07-12 2023-08-22 苏州达家迎信息技术有限公司 Method, device, equipment and storage medium for updating login credentials in client
CN113872979B (en) * 2021-09-29 2023-11-24 北京高途云集教育科技有限公司 Login authentication method, login authentication device, electronic equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505309A (en) * 2002-11-20 2004-06-16 Securely processing client credentials used for web-based access to resources
CN1567294A (en) * 2003-06-14 2005-01-19 华为技术有限公司 User certification method
US20060037064A1 (en) * 2004-08-12 2006-02-16 International Business Machines Corporation System, method and program to filter out login attempts by unauthorized entities
CN101309278A (en) * 2008-06-27 2008-11-19 腾讯科技(深圳)有限公司 Method and system for storing encrypt data on customer

Also Published As

Publication number Publication date
CN101309278B (en) 2011-07-06
CN101309278A (en) 2008-11-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 09768738; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 09768738; Country of ref document: EP; Kind code of ref document: A1. Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/05/2011)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established. Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/05/2011)