WO2009155813A1 - Method for storing encrypted data in a client and associated system - Google Patents


Info

Publication number
WO2009155813A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
server
encrypted
password
data
Application number
PCT/CN2009/071883
Other languages
English (en)
Chinese (zh)
Inventor
陈启祥
陈定佳
傅建兵
Original Assignee
腾讯科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Definitions

  • The present invention relates to the field of communication networks, and in particular to a method and system for storing encrypted data on a client.

Background of the invention

  • The client provides a "remember password" function for the login account.
  • When the user uses the "remember password" function on first login, a remember-password ticket corresponding to the login account and the login password is saved on the client.
  • When the user logs in again on the same client, he only needs to provide the login account; the client directly reads the corresponding remember-password ticket according to the login account and logs in to the account.
  • FIG. 1 is a flow chart of a method for saving encrypted data on a client in the prior art. The method includes the following steps:
  • Step 101: The user enters a login account and a login password on the client login interface and selects the "remember password" function;
  • Step 102: According to the login account and login password provided by the user, the client takes the plaintext of the login password, or the password hash obtained by hashing the login password, as the remember-password ticket, and saves the ticket.
  • When the user logs in again, only the login account is input; the client extracts the remember-password ticket corresponding to the login account and transmits it to the server.
  • The server verifies whether the received remember-password ticket matches the login password information it has saved. If so, the login password is considered correct and the user is allowed to log in directly; if not, a login password error message is returned and the client prompts the user to re-enter the login password.
  • The login password information saved by the server may be the plaintext of the login password or the password hash corresponding to that plaintext. If the server saves the plaintext of the login password, it first calculates the corresponding password hash from the plaintext and then verifies whether the calculated password hash is the same as the received one; if the server saves the password hash, it directly verifies whether its stored password hash is the same as the received one.
  • The above method directly saves the login password plaintext or the password hash as the remember-password ticket on the local client.
  • The technical problem to be solved by the present invention is to provide a method and system for storing encrypted data on a client, so as to enhance the security of the encrypted data stored on the client.
  • The present invention provides a method for storing encrypted data on a client, the method comprising: the server verifies the login password of the client and sends an encrypted object including the current time information of the server to the client; the client encrypts the encrypted object using the login password, generating encrypted data; the client saves the encrypted data generated from the verified login password and the corresponding encrypted object.
  • The present invention also provides a system for storing encrypted data on a client, including a client and a server. The client encrypts the encrypted object sent by the server using the login password, generates encrypted data, and stores the encrypted data generated from the login password verified by the server and the corresponding encrypted object; the server verifies the login password of the client and sends the encrypted object including the current time information of the server side to the client.
  • The present invention has the following advantages:
  • The encrypted data stored in the client is generated by using the hash data obtained by hashing the login password as a key to encrypt the encrypted object returned by the server, which includes the current time.
  • Even if the encrypted data is acquired and the encryption algorithm is known, since information about the encrypted object is difficult to obtain, the possibility of recovering from the encrypted data the login-password-related hash data used as the key is very small, ensuring the security of the stored encrypted data.
  • Compared with using only the password hash as the remember-password ticket, this greatly enhances the security of storing encrypted data on the client.
  • The server returns an encrypted object including the current time, which is the time when the client first performed password saving. Even if another person can log in successfully using the encrypted data stored on the client, the server compares the first-save time in the encrypted object with the time of the login; when the interval between them is too large, the server notifies the client to refuse automatic login to the account and prompts the user to re-enter the login password. Therefore, even if another person can log in successfully using the encrypted data stored on the client, the account cannot be used for a long time, and the automatic login function of the account is automatically cancelled within a certain period of time.

BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a flow chart of a method for storing encrypted data on a client in the prior art.
  • FIG. 2 is a flow chart of a method for saving encrypted data on a client according to the present invention.
  • FIG. 3 is a flow chart of a first scheme for saving encrypted data on a client according to the present invention.
  • FIG. 4 is a flow chart of a second scheme for storing encrypted data on a client according to the present invention.
  • FIG. 5 is a flow chart of a third scheme for storing encrypted data on a client according to the present invention.
  • FIG. 6 is a flow chart of a method for storing encrypted data on a client according to an embodiment of the present invention.
  • FIG. 7 is a flow chart of a method for saving encrypted data on a client according to a first embodiment of the present invention.
  • FIG. 8 is a flow chart of implementing automatic login using the method of storing encrypted data on the client side according to the first embodiment of the present invention.
  • FIG. 9 is a flow chart of a method for storing encrypted data on a client according to a second embodiment of the present invention.
  • FIG. 10 is a flow chart of implementing automatic login using the method of storing encrypted data on a client according to the second embodiment of the present invention.
  • FIG. 11 is a system diagram for storing encrypted data on a client according to the first embodiment of the present invention.
  • FIG. 12 is a system diagram for storing encrypted data on a client according to the second embodiment of the present invention.

Mode for carrying out the invention
  • FIG. 2 is a flow chart of a method for storing encrypted data on a client according to the present invention. As shown in FIG. 2, the method includes:
  • Step 21: The server verifies the login password of the client and sends the encrypted object including the current time information of the server side to the client.
  • Step 22: The client encrypts the encrypted object using the login password to generate encrypted data.
  • Step 23: The client saves the encrypted data generated from the verified login password and the corresponding encrypted object.
  • The encrypted data saved by the client in the present invention is generated from the login password and the corresponding encrypted object. The login password verification ensures the validity of the current client, and the encrypted object including the server-side time information is difficult for a third party to obtain, so the encrypted data is difficult to crack or forge. Therefore, applying the present invention can enhance the security of storing encrypted data on the client.
  • FIG. 3 is a flow chart of a first scheme for saving encrypted data on a client according to the present invention. As shown in FIG. 3, the process includes:
  • Step 310: The server sends an encrypted object including the current time information of the server side to the client according to the request of the client.
  • Step 320: The client encrypts the encrypted object using the login password, generates encrypted data, and sends the generated encrypted data to the server.
  • Step 330: The server verifies the encrypted data. If the verification succeeds, the server sends an indication that the login password is verified, and the client saves the encrypted data generated from the verified login password and the corresponding encrypted object.
  • FIG. 4 is a flow chart of a second scheme for storing encrypted data on a client according to the present invention. As shown in FIG. 4, the process includes:
  • Step 410: The server sends an encrypted object including the current time information of the server side to the client according to the request of the client.
  • Step 420: The client sends the login password information to the server and receives the verification result returned by the server.
  • The login password information in this step can be either the login password itself or a value derived from the login password by a function.
  • Step 430: The client encrypts the encrypted object using the login password that passed verification, generates encrypted data, and saves it.
  • FIG. 5 is a flow chart of a third scheme for storing encrypted data on a client according to the present invention. As shown in FIG. 5, the process includes:
  • Step 510: The client sends the login password information to the server.
  • The login password information in this step is the same as the login password information in step 420.
  • Step 520: The server returns the verification result and the encrypted object including the current time on the server side to the client.
  • Step 530: The client encrypts the corresponding encrypted object using the verified login password, generates encrypted data, and saves it.
  • FIG. 6 is a flow chart of a method for storing encrypted data on a client according to an embodiment of the present invention.
  • Step 1111: The client sends a login password to the server and receives an encrypted object returned by the server that includes the current time.
  • Step 1112: The client hashes the login password at least once, generates hash data corresponding to the login password, and uses that hash data as a key to encrypt the encrypted object including the current time, generating encrypted data.
  • Step 1113: The client saves the encrypted data.
  • FIG. 7 is a flow chart of a method for storing encrypted data on a client according to a first embodiment of the present invention.
  • Step 201: The user inputs a login account and a login password on the client login interface and selects the "remember password" function;
  • Step 202: The client sends a login request including the user's login account and login password to the server, and receives an encrypted object returned by the server that includes the current time information.
  • The current time is the server-side time when the user saves the login password for the first time. For the same client, this time is unique.
  • Step 203: The client selects a hash algorithm, hashes the login password provided by the user at least once, and obtains hash data corresponding to the login password as a key.
  • The hash algorithm is a one-way function that receives the plaintext of the password and converts the character string representing that plaintext into hash data from which the original plaintext cannot be reconstructed, namely the password hash.
  • The login password provided by the user may be hashed directly to generate a password hash as the key.
  • The present invention can also apply a preset operation function f to the password hash to obtain hash data related to the password hash as the key.
  • The hash data associated with the password hash = f(password hash)
  • f is a preset operation function and can be set as needed.
  • For example, f may hash the password hash N times (N is an integer not less than 1, generally 2, 3 or 4), and the resulting hash data is used as the key;
  • or the password hash is hashed N times and then corresponding obfuscation data is added to the obtained hash data according to a preset rule, giving new hash data as the key;
  • or corresponding obfuscation data is added according to a preset rule first and then N hashes are performed, giving new hash data as the key.
  • Each hash can use the same hash algorithm, or different hash algorithms can be used, to increase the complexity of the hash data used as the key and make it harder to decipher.
  • Step 204: The client uses a preset encryption algorithm with the hash data as the key to encrypt the encrypted object, generating encrypted data, which is stored on the client as the remember-password ticket.
  • The encryption algorithm is a specific formula and set of rules specifying the transformation between plaintext and ciphertext. The commonly used Data Encryption Standard (DES) is taken as an example to illustrate the process of encrypting with an encryption algorithm.
  • DES is an algorithm for encrypting binary data and takes three parameters: a key (Key), the data plaintext (Data), and a mode selection (Mode).
  • Key is 8 bytes, 64 bits in total, and is the working key of the DES algorithm;
  • Data is also 8 bytes, 64 bits, and is the data plaintext to be encrypted or decrypted;
  • Mode is the DES working mode: encrypt or decrypt.
  • Data is encrypted under Key: the plaintext to be encrypted is subjected to 16 rounds of iteration, product transformation, compression transformation and so on, producing encrypted Data (64 bits) as the output of DES.
  • The same key is used to decrypt the encrypted data, reproducing the plaintext.
  • In this embodiment, the encrypted object is the Data to be encrypted, the hash data is used as the Key, and the Mode is encryption.
  • The DES algorithm is used to encrypt the encrypted object, and the generated encrypted data is saved on the client as the remember-password ticket.
  • The remember-password ticket stored in the client is therefore the encrypted object (including the current time) returned by the server, encrypted with the hash data obtained by hashing the login password as the key.
  • Even if the remember-password ticket is acquired and the encryption algorithm is known, since information about the encrypted object is difficult to obtain, the possibility of recovering from the ticket the login-password-related hash data used as the key is very small, ensuring the security of the remember-password ticket on the client.
  • Compared with using only the password hash as the remember-password ticket, this greatly enhances the security of the remember-password ticket on the client side.
  • Further, when the hash data used as the key is computed from the password hash with a preset function f, even if the remember-password ticket is deciphered to obtain the encrypted object, the specific definition of the function f cannot be known, and it is also difficult to obtain the password plaintext by inverting the hash data.
  • The client in the embodiment of the present invention may be client software, a web application triggered through the web, a wireless application on a mobile terminal, or the like.
  • The method according to the embodiment of the present invention is applicable to fields such as instant messaging, mail and games.
  • FIG. 8 is a flow chart of implementing automatic login using the encrypted data stored on the client side according to the first embodiment of the present invention.
  • Step 301: The user logs in again at the client; the client extracts the corresponding remember-password ticket, i.e. the encrypted data, according to the login account provided by the user, and sends an automatic login request including the remember-password ticket and the login account to the server;
  • Step 302: The server receives the automatic login request and extracts the password hash data corresponding to the login account from its database as the decryption key.
  • In step 302, if the hash data obtained by applying the function f to the password hash was used as the key in step 202, the server correspondingly applies the operation function f preset in step 202 to the password hash to generate the hash data used as the decryption key.
  • Step 303: The server decrypts the remember-password ticket received from the client using the hash data. If decryption succeeds, the client's password is proved correct and the encrypted object is obtained; proceed to step 304. If decryption fails, proceed to step 306;
  • Step 304: The server checks the encrypted object obtained after decryption and determines whether the remember-password ticket is valid. If the ticket is valid, proceed to step 305; otherwise proceed to step 306;
  • The encrypted object is the server-side time at which the client first saved the user's login password information, referred to simply as the password save time.
  • Determining whether the remember-password ticket is valid specifically includes the following steps.
  • Step 304a: Determine whether the password save time is later than the current server time. If so, the remember-password ticket is invalid; proceed to step 306. Otherwise proceed to step 304b;
  • Step 304b: Determine whether the interval between the password save time and the current server time exceeds the preset maximum allowable interval. If so, the remember-password ticket has been saved on the local client for a long time without a login and has expired; proceed to step 306. Otherwise proceed to step 305;
  • The length of the maximum allowable interval can be set as needed, typically one month.
  • Step 305: The server notifies the client that the user is allowed to log in automatically, and the automatic login process ends.
  • Step 306: The server notifies the client to prompt the user to input the password again, and the automatic login process ends.
  • The method for saving encrypted data on the client in this embodiment uses the password save time as the encrypted object. Even if another person can decrypt the encrypted data stored on the client or log in successfully with it, the server compares the password save time in the encrypted object with the current server time; when the interval between them is too large, the remember-password ticket has been saved on the client for a long time without a login, and the server notifies the client to refuse automatic login to the account and prompts the user to re-enter the login password. So even if another person succeeds in decrypting the encrypted data stored on the client or in logging in with it, the account cannot be used for a long time, and the automatic login function of the account is automatically cancelled within a certain period of time.
  • The encrypted object in the first embodiment may further include the time at which the server received a password-save renewal request and the number of password-save renewal requests the server has received, referred to respectively as the renewal time and the renewal count.
  • In step 201, when the user selects the "remember password" function, the method further includes setting the validity period of the "remember password" function.
  • The password is saved on the client for a certain period, the validity period, such as one week, one month, four months or one year.
  • The client prompts the user to select the "remember password" expiration date, or automatically generates a default expiration date.
  • The validity period is the validity period of the current remember-password ticket.
  • The client automatically performs a "remember password" renewal operation by issuing a password-save renewal request carrying the current remember-password ticket.
  • After the server successfully decrypts the remember-password ticket to obtain the encrypted object, it automatically updates the renewal time in the encrypted object to the current time, increments the renewal count by 1, encrypts the newly generated encrypted object, and returns a new remember-password ticket to the client; the client saves the new remember-password ticket and sets a new expiration date for it.
  • When the user logs in at the client within three days or one week before the expiration of the remember-password ticket's validity period, the client automatically performs the "remember password" renewal operation for the user. If the user does not log in at the client during this period, the remember-password ticket expires after the expiration date and the client no longer keeps the user's ticket; the next time the user logs in, the login account and login password must be entered again.
  • On each renewal, the renewal time in the encrypted object is set to the time of that renewal and the renewal count is increased by one. For example: a user logs in to an MSN account at 13:33:45 on January 1, 2008 and chooses the "remember password" function; assume the validity period of the ticket is one month by default.
  • With early renewal one week before expiration, at some time after January 24, 2008, say 14:34:36 on January 25, 2008, the user logs in at the client, and the client automatically performs the renewal operation for the user.
  • In this case, the determination in step 304 of whether the remember-password ticket is valid specifically includes the following steps:
  • Step 304A: Determine whether the password save time is later than the current server time. If so, the remember-password ticket is invalid; proceed to step 306. Otherwise proceed to step 304B;
  • Step 304B: Determine whether the interval between the password save time and the current server time exceeds the preset maximum allowable interval. If so, the remember-password ticket has been saved on the local client for a long time without a login; proceed to step 304C. Otherwise proceed to step 305;
  • The length of the maximum allowable interval can be set as needed, typically one month.
  • Step 304C: When the renewal time is 0, or the interval between the renewal time and the current time is within the preset maximum allowable interval, the client is notified to perform the renewal operation; otherwise the renewal is not allowed, the remember-password ticket is invalid, and the process proceeds to step 306;
  • Step 305: The server notifies the client that the user is allowed to log in automatically, and the automatic login process ends.
  • Step 306: The server notifies the client to prompt the user to input the password again, and the automatic login process ends.
  • In step 304C, when the server notifies the client to perform the renewal operation, the client sends a password-save renewal request containing the current remember-password ticket to the server, and the server decrypts the remember-password ticket successfully to obtain the encrypted object.
  • The renewal time in the encrypted object is automatically updated to the current time and the renewal count is incremented by 1; the newly generated encrypted object is then encrypted and a new remember-password ticket is returned to the client, which saves it. Therefore, each renewed ticket carries a different renewal time, namely the time of the most recent renewal operation.
  • In step 304C, before the server notifies the client to perform the renewal operation, it may further determine whether the renewal count has exceeded a preset maximum number of allowed renewals. If so, the renewal operation is no longer performed, and the server directly notifies the client to prompt the user to enter the password again.
  • The server may further determine the interval between the renewal time and the generation time. If this interval exceeds a preset maximum allowable interval, the renewal operation is no longer performed, and the server directly notifies the client to prompt the user to enter the password again.
  • When the encrypted object comprises the password save time, the renewal time and the renewal count, the strength of the server's verification is further enhanced, and the security of the password is enhanced.
  • Even if the remember-password ticket is deciphered and a login is achieved, the ticket cannot be used for too long unless it is renewed, which reduces the loss from password theft.
  • The server information in the encrypted object may further include a format version number, obfuscation data and other data, to further increase the complexity of the encrypted object and enhance the security of the stored encrypted data.
  • The content of the encrypted object can be set flexibly according to specific needs.
  • When the server verifies the remember-password ticket and judges whether it is valid, as long as any one item of the encrypted object does not satisfy its verification condition, the server notifies the client to refuse automatic login and prompts the user to input the login password again.
  • The second embodiment of the present invention differs from the first in that, after the encrypted object is encrypted with the hash data, the encrypted data obtained from this first encryption is encrypted a second time using the client's local information, thereby generating the remember-password ticket that is saved on the client. This further increases the complexity of the remember-password ticket and improves the security of saving encrypted data on the client.
  • FIG. 9 is a flow chart of a method for saving encrypted data on a client according to a second embodiment of the present invention.
  • Step 401: The user inputs a login account and a login password on the client login interface and selects the "remember password" function;
  • Step 402: The client sends a login request including the user's login account and login password to the server, and receives an encrypted object returned by the server that includes the current time.
  • Step 403: The client selects a hash algorithm, hashes the login password provided by the user, and obtains hash data corresponding to the login password as a key.
  • Step 404: The client uses a preset encryption algorithm with the hash data as the key to encrypt the encrypted object once, obtaining primary encrypted data; it then uses the client's local information as the key to encrypt the primary encrypted data a second time, obtaining secondary encrypted data, which is stored on the client as the remember-password ticket.
  • The client local information may be machine information inherent to the local client itself, local-network-related information, or locally generated data.
  • The machine information inherent to the client may be the physical (MAC) address of the client's network card, the serial number of the client's first hard disk, and so on.
  • The local-network-related information may be the client's IP address, gateway address, subnet mask, and the like.
  • The locally randomly generated data may be data generated at random by the local client and used, according to a preset rule, together with the client's inherent machine information or local-network-related information, to increase the complexity of the key and make it harder to decipher.
  • The purpose of using the client's local information as a key is to make the key harder to recover.
  • The client randomly selects the relevant information, composes the key according to certain rules, and encrypts the encrypted object. It is difficult for others to obtain this key by technical means, so even if the encryption algorithm is known, it is still difficult to decipher the encrypted object and steal the password.
  • The client's own machine information is used as the client's local information because this information is fixed and can be shielded by the administrator so that outsiders cannot learn it, further enhancing the security of password storage.
  • Local-network information may be fixed or may change arbitrarily. For example, if the local network assigns IP addresses automatically, the client's IP address may differ each time. This further enhances the security of password storage.
  • The two encryptions of the encrypted object may use the same encryption algorithm, or different encryption algorithms may be used for the two encryptions to further enhance the security of password storage.
  • The method for storing encrypted data on the client side uses the client's local information as a key to perform a secondary encryption of the encrypted object, and stores the resulting encrypted data on the client as the remember-password ticket.
  • The client local information used as the secondary encryption key may be generated, according to preset rules and the needs of the client, by randomly combining the local client's own machine information, local-network-related information and locally randomly generated data, which enhances the confidentiality of the key. Even if someone knows the encryption algorithm, the components and definition of the key cannot be learned, so it is difficult to obtain the key and decipher the password; therefore the method of saving encrypted data on the client has high security.
  • FIG. 10 shows a flow chart of implementing automatic login with the method for storing encrypted data on a client side according to the second embodiment of the present invention.
  • Step 501: The user logs in again at the client; the client extracts the corresponding remember password ticket locally according to the login account provided by the user, decrypts the remember password ticket using the client local information to obtain the primary encrypted data, and transmits automatic login request information including the primary encrypted data and the login account to the server;
  • the remember password ticket is decrypted using the algorithm corresponding to the secondary encryption algorithm in step 404.
  • Step 502: The server receives the automatic login request information and extracts the password hash data corresponding to the login account from the database as the key.
  • in step 502, if in step 402 the hash data obtained by applying the operation function f to the password hash was used as the key, then correspondingly the server applies the operation function f preset in step 402 to the password hash data to generate the hash data used as the decryption key;
  • Step 503: The server decrypts the encrypted data received from the client using the hash data. If decryption succeeds, the client password is proved correct and the encrypted object is obtained; proceed to step 504. If decryption fails, proceed to step 506;
  • the server decrypts it using the algorithm corresponding to the primary encryption algorithm in step 404.
  • Step 504: The server checks the encrypted object obtained after decryption and determines whether the remember password ticket is valid. If it is valid, proceed to step 505; otherwise, proceed to step 506;
  • the encrypted object is the server-side time at which the client first saved the user's login password, referred to simply as the password storage time.
  • the specific process of determining whether the remember password ticket is valid is the same as step 304 of the first embodiment of the present invention.
  • Step 505: The server notifies the client that the user is allowed to log in automatically, and the automatic login process ends.
  • Step 506: The server notifies the client to prompt the user to input the password again, and the automatic login process ends.
  • the encrypted object in the second embodiment of the present invention may further include a renewal time and a number of renewals; the server verifies the renewal time and the number of renewals in the same way as in the first embodiment.
  • the server information may further include: a format version number, obfuscated data, and other data to increase the complexity of generating the remember password ticket.
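The two-layer ticket scheme of step 404 and the automatic login of steps 501 to 506, as an added example that is not the patent's own code: the patent's unnamed "preset encryption algorithm" is stood in for by an HMAC-SHA256 keystream with an encrypt-then-MAC tag, and the operation function f, the rule combining the client local information, and the ticket lifetime are all assumptions made here.

```python
import hashlib, hmac, os, struct

TICKET_LIFETIME = 30 * 24 * 3600  # assumed validity window for the password storage time (seconds)

def _xor_stream(key, nonce, data):
    """HMAC-SHA256 keystream XORed over data; stand-in for the patent's unnamed cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the tag does not verify (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(key, nonce, ct)

def password_hash(password):
    """Step 402: hash of the login password; this is also what the server's database stores."""
    return hashlib.sha256(password.encode()).digest()

def derive_key(pw_hash):
    """The preset operation function f applied to the password hash (this f is an assumption)."""
    return hmac.new(b"f-secret-of-client-build", pw_hash, hashlib.sha256).digest()

def local_key(mac, disk_serial, salt):
    """Client local information combined by a preset rule (the rule here is an assumption)."""
    return hashlib.sha256(mac + b"|" + disk_serial + b"|" + salt).digest()

def make_ticket(password, server_time, mac, disk_serial, salt):
    """First login: encrypted object = password storage time; primary then secondary encryption (step 404)."""
    obj = struct.pack(">Q", server_time)
    primary = seal(derive_key(password_hash(password)), obj)
    return seal(local_key(mac, disk_serial, salt), primary)  # the remember password ticket

def client_auto_login_request(ticket, mac, disk_serial, salt):
    """Step 501: peel the local-information layer; returns the primary encrypted data or None."""
    return unseal(local_key(mac, disk_serial, salt), ticket)

def server_check(db_pw_hash, primary, now):
    """Steps 502-504: decrypt with the key derived from the stored hash, then check validity."""
    if primary is None:
        return False
    obj = unseal(derive_key(db_pw_hash), primary)
    if obj is None or len(obj) != 8:
        return False  # wrong password or tampered ticket -> step 506
    stored_time, = struct.unpack(">Q", obj)
    return stored_time <= now <= stored_time + TICKET_LIFETIME  # step 504 -> 505 or 506
```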
  • the present invention also provides a system for storing encrypted data on a client.
  • FIG. 11 shows a system diagram for storing encrypted data on a client according to a first embodiment of the present invention.
  • the system includes a client 61 and a server 62. The client 61 includes: an encrypted object receiving module 610, configured to receive the encrypted object, including the current time, returned by the server.
  • a login password hashing module 611, configured to hash the login password at least once to generate hash data.
  • a hash data encryption module 612, configured to encrypt the encrypted object received by the encrypted object receiving module 610, using the hash data generated by the login password hashing module 611 as the key, according to a preset encryption algorithm, and to send the generated encrypted data to the storage module 613 as the remember password ticket.
  • a storage module 613, configured to save the remember password ticket, that is, the encrypted data sent by the hash data encryption module 612.
  • the login password hashing module 611 in the embodiment of the present invention may directly hash the login password provided by the user to generate a password hash and use it as the key, or it may apply the preset operation function f to the password hash to obtain hash data derived from the password hash and use that as the key. Even if someone knows the hashing algorithm, it is difficult to obtain the key and decipher the password because they cannot know how the function f is defined.
  • the remember password ticket stored in the storage module 613 is the encrypted object (containing the current time returned by the server) encrypted with the hash data obtained by hashing the login password as the key. Even if the remember password ticket is obtained and the encryption algorithm is known, information about the encrypted object is difficult to obtain, so the possibility of recovering the login password hash data used as the key from the remember password ticket is very small, ensuring the security of the saved password.
  • compared with using only the password hash as the remember password ticket, this greatly enhances the security of storing encrypted data on the client.
  • FIG. 12 shows a system diagram for storing encrypted data on a client according to a second embodiment of the present invention.
  • the system for storing encrypted data on the client according to the second embodiment differs from that of the first embodiment in that the client in the second embodiment further includes a local information encryption module 614.
  • the local information encryption module 614 is configured to encrypt the encrypted data output by the hash data encryption module 612 using a preset encryption algorithm with the client local information as the key, generate the remember password ticket, and send it to the storage module 613.
  • the storage module 613 is configured to save the remember password ticket sent by the local information encryption module 614.
  • the client local information may be machine information inherent to the local client itself, local network related information, or locally generated data.
  • the local information encryption module 614 uses the client local information as the key; the client local information may be generated, according to the needs of the client, by randomly combining the local client's own machine information, local network related information, and locally randomly generated data according to a preset rule, which enhances the confidentiality of the key. Even if someone knows the encryption algorithm, it is difficult to obtain the key because the components of the key and the way they are defined cannot be obtained, and so it is difficult to decipher the password; therefore, the system for storing encrypted data on the client has high security.

Abstract

The present invention relates to a method for storing encrypted data in a client. The method comprises the following steps: a server authenticates a login password coming from a client and sends the client an encryption object together with the current server-side time; the client encrypts the login password and the encryption object to generate encrypted data; the client stores the encrypted data generated from the valid login password and the corresponding encryption object. The invention also relates to a system for storing encrypted data in a client. The method and system of the invention for storing encrypted data in a client increase the security of storing encrypted data in a client.
PCT/CN2009/071883 2008-06-27 2009-05-20 Procédé pour stocker des données chiffrées dans un client et système associé WO2009155813A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008101275538A CN101309278B (zh) 2008-06-27 2008-06-27 A method and system for storing encrypted data on a client
CN200810127553.8 2008-06-27

Publications (1)

Publication Number Publication Date
WO2009155813A1 true WO2009155813A1 (fr) 2009-12-30

Family

ID=40125497

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/071883 WO2009155813A1 (fr) 2008-06-27 2009-05-20 Procédé pour stocker des données chiffrées dans un client et système associé

Country Status (2)

Country Link
CN (1) CN101309278B (fr)
WO (1) WO2009155813A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1505309A (zh) * 2002-11-20 2004-06-16 Securely processing client credentials used for web-based resource access
CN1567294A (zh) * 2003-06-14 2005-01-19 华为技术有限公司 A method for authenticating a user
US20060037064A1 (en) * 2004-08-12 2006-02-16 International Business Machines Corporation System, method and program to filter out login attempts by unauthorized entities
CN101309278A (zh) * 2008-06-27 2008-11-19 腾讯科技(深圳)有限公司 A method and system for storing encrypted data on a client

Also Published As

Publication number Publication date
CN101309278A (zh) 2008-11-19
CN101309278B (zh) 2011-07-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09768738

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09768738

Country of ref document: EP

Kind code of ref document: A1

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/05/2011)

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/05/2011)