WO2019134241A1 - Method for acquiring dynamic key, device, terminal apparatus, and storage medium - Google Patents

Method for acquiring dynamic key, device, terminal apparatus, and storage medium Download PDF

Info

Publication number
WO2019134241A1
WO2019134241A1 PCT/CN2018/077474 CN2018077474W WO2019134241A1 WO 2019134241 A1 WO2019134241 A1 WO 2019134241A1 CN 2018077474 W CN2018077474 W CN 2018077474W WO 2019134241 A1 WO2019134241 A1 WO 2019134241A1
Authority
WO
WIPO (PCT)
Prior art keywords
time
dynamic key
variable factor
configuration file
random seed
Prior art date
Application number
PCT/CN2018/077474
Other languages
French (fr)
Chinese (zh)
Inventor
黄飞
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2019134241A1 publication Critical patent/WO2019134241A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • the present application relates to the field of data encryption, and in particular, to a method, an apparatus, a terminal device, and a storage medium for acquiring a dynamic key.
  • the traditional encryption mechanism generally uses an encryption machine for encryption or a software program for encryption.
  • the encryption is performed by the encryption machine, although the key acquired by the encryption machine is not easily leaked, the key acquisition time is too long due to the large amount of calculation.
  • software programs for encryption although the efficiency of software encryption is high, since the acquired key is fixed, it will cause a big security risk when the key is leaked, causing different degrees of loss and greatly reducing. The security of the data.
  • the embodiment of the present invention provides a method, an apparatus, a terminal device, and a storage medium for acquiring a dynamic key, so as to solve the problem that the traditional encryption mechanism is time-consuming or low in security.
  • an embodiment of the present application provides a method for acquiring a dynamic key, including the following steps performed by a server:
  • the dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
  • the embodiment of the present application provides a device for acquiring a dynamic key, including a server, where the server includes:
  • a configuration file obtaining module configured to acquire a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained by the encryption machine;
  • the encryption machine decryption module is configured to invoke the encryption machine to decrypt the encrypted ciphertext, and obtain the decrypted random seed and the reference time;
  • variable factor acquisition module configured to acquire a variable factor based on the update time and the reference time
  • the dynamic key acquisition module is configured to process the random seed and the variable factor by using a dynamic key generation algorithm, obtain a dynamic key, and send the dynamic key to the client.
  • the embodiment of the present application provides a method for acquiring a dynamic key, which includes the following steps performed by a client:
  • the embodiment of the present application provides a dynamic key obtaining apparatus, including a client, where the client includes:
  • a random seed and reference time acquisition module for acquiring a random seed and a reference time using a seed generation tool
  • An encrypted ciphertext obtaining module configured to invoke an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext
  • a configuration file obtaining module configured to acquire a configuration file based on the encrypted ciphertext and an update time, and send the configuration file to a server;
  • a dynamic key receiving module configured to receive the dynamic key generated by the server based on the configuration file.
  • an embodiment of the present application provides a terminal device, including a memory, a processor, and computer readable instructions stored in the memory and executable on the processor.
  • the processor executes the computer readable instructions, the following steps are implemented:
  • the dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
  • an embodiment of the present application provides a terminal device, including a memory, a processor, and computer readable instructions stored in the memory and executable on the processor, where the processor executes the computer The following steps are implemented when reading the instruction:
  • the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores computer readable instructions, and when the computer readable instructions are executed by the processor, the following steps are implemented:
  • the dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
  • an embodiment of the present application provides a computer readable medium storing computer readable instructions, where the computer readable instructions are executed by a processor to implement the following steps:
  • the seed generation tool is first used on the client to obtain the random seed and the reference time, so that the client invokes the encryption machine to the random seed and the reference time. Encryption is performed to obtain encrypted ciphertext, which increases the security of the dynamic key. Then, the client obtains the configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server, so that the server automatically operates according to the configuration of the configuration file, and the operation is simple, and the efficiency of obtaining the dynamic key is improved.
  • the server obtains the configuration file sent by the client, so that the server invokes the encryption machine to decrypt the encrypted ciphertext in the configuration file, and obtains the decrypted random seed and the reference time, so that the server obtains the variable factor based on the update time and the reference time. So that the server uses the dynamic key generation algorithm to process the random seed and the variable factor to obtain the dynamic key, which improves the key acquisition efficiency and the security of the key.
  • FIG. 1 is a flowchart of a method for acquiring a dynamic key provided in Embodiment 1.
  • FIG. 2 is a specific schematic diagram of step S16 of FIG. 1.
  • FIG. 3 is a specific schematic diagram of step S17 of FIG. 1.
  • Embodiment 4 is a schematic diagram of an apparatus for acquiring a dynamic key provided in Embodiment 2.
  • FIG. 5 is a schematic diagram of a terminal device provided in Embodiment 4.
  • the method for obtaining the dynamic key provided by the application includes the steps of generating a configuration file on the client and generating a dynamic key on the server, which effectively solves the problem that the current traditional encryption mechanism has time-consuming or low security.
  • the client performs the following steps to implement the configuration file generation process:
  • the server performs the following steps to implement the dynamic key generation process:
  • the dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
  • FIG. 1 is a flow chart showing a method of acquiring a dynamic key in this embodiment. As shown in FIG. 1 , the method for acquiring the dynamic key includes the following steps:
  • S11 The client uses a seed generation tool to obtain a random seed and a reference time.
  • the seed generation tool is an executable program document pre-written by the developer.
  • a random seed is a string of strings randomly generated by the client using a seed generation tool. Since the random seed is randomly generated, the random seed is not easily leaked, and the safety is improved.
  • the base time is the system time generated by the seed generation tool.
  • the client is a terminal with a seed generation tool installed, including but not limited to computers, tablets, and smartphones.
  • the reference time generated by the seed generation tool on the client specifically converting the acquired system time to the value of milliseconds as the reference time, is advantageous for calculation.
  • the system time can be obtained by using the Long.parseLong (encryptedDate) method, and then the millisecond value of the system time is obtained by using the System.currentTimeMillis (current time) method.
  • S12 The client invokes the encryption machine to encrypt the random seed and the reference time to obtain the encrypted ciphertext.
  • the encryption machine is a domestically-developed host encryption device that has been authenticated and approved by the national commercial password authority.
  • the key of the encryption machine is not easy to be leaked, and it is mostly used in financial institutions to ensure the case of financial business.
  • the encrypted ciphertext is a string of characters obtained by encrypting with an encryption machine.
  • the client invokes the encryption machine to encrypt the random seed and the reference time respectively, and forms a character string obtained by encrypting the random seed (hereinafter referred to as the first character string) and a string encrypted by the reference time (hereinafter referred to as the second String) to obtain the encrypted ciphertext based on the first string and the second character.
  • the client invokes the encryption machine connected thereto to generate a key pair (public key and private key) by using a public key encryption algorithm, and encrypts the random seed and the reference time by using the public key in the key pair, and
  • the key pair is stored in a password management system in the encryption machine.
  • the public key encryption algorithm refers to the use of different keys (ie, public and private keys) for encryption and decryption, and the "private key” is not known to others, and the "public key” can be made public. The two must be paired. The data encrypted with the public key must be decrypted with the corresponding private key. The technical security is high, so that the key is not easily leaked.
  • the public key encryption algorithm used by the encryption machine includes, but is not limited to, an RSA encryption algorithm.
  • RSA encryption algorithm is currently the most influential and most commonly used public key encryption algorithm. It can resist most of the password attacks known so far, and has high security.
  • public key encryption and private key decryption are adopted. .
  • the client obtains the configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server.
  • the update time represents the number of time steps, that is, how long it takes to generate a new key.
  • the update time is pre-configured and stored in the configuration file, ultimately guaranteeing when the key update changes.
  • the configuration file is the file that the client obtains based on the update time and the encrypted ciphertext. This configuration file can be written by the developer based on the Java language using the Notepad tool. It can be understood that the configuration file includes a character string obtained after encrypting the random seed (ie, the first character string), a character string obtained by encrypting the reference time (ie, the second character string), and an update time.
  • the client obtains a configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server, so that the server can generate a key according to the configuration file.
  • the update time in this embodiment is X days, and the specific value of the parameter X is determined by the developer depending on the project situation.
  • the encrypted ciphertext sent back by the encryption machine and the update time preset by the client are written into the configuration file, and the configuration file is sent to the server, so that the server automatically operates according to the configuration of the configuration file, and the operation is simple. Improve the efficiency of getting dynamic keys.
  • S14 The server acquires a configuration file sent by the client, where the configuration file includes the encrypted ciphertext and the update time obtained by the encryption machine.
  • the server acquires a configuration file sent by the client, where the configuration file includes an encrypted ciphertext obtained by the encryption machine (including a character string obtained by encrypting the seed (ie, the first character string) and a character obtained by encrypting the reference time. String (ie the second string)) and update time.
  • the server provides support for generating a dynamic key by acquiring a configuration file.
  • S15 The server invokes the encryption machine to decrypt the encrypted ciphertext, and obtains the decrypted random seed and the reference time.
  • the server invokes an encryption machine connected to the server to decrypt the encrypted ciphertext in the configuration file, and obtains the decrypted random neutron and the reference time.
  • the encryption machine is an encryption machine connected to the client for generating an encrypted ciphertext. It can be understood that the encryption algorithm used by the encryption machine is decrypted with the private key generated by the RSA algorithm stored in the client calling the encryption machine to obtain the decrypted random seed and the reference time, and the decrypted random seed and the reference are obtained. Time is stored in the server's memory to provide support for subsequent generation of dynamic keys.
  • the server since the key pair generated by the client calling the encryption machine is stored in the password management system in the encryption machine, the server directly invokes the private key in the key pair stored in the encryption machine when the server invokes the encryption machine. To avoid the problem of not being able to decrypt the encrypted ciphertext to get random seed and reference time.
  • S16 The server acquires a variable factor based on the update time and the reference time.
  • variable factor is a calculation parameter in the dynamic encryption algorithm.
  • the server acquires the current time and the preset update time, calls the reference time stored in the server memory, and calculates the current time, the update time, and the reference time by using a variable factor calculation formula to obtain the variable factor.
  • Subsequent dynamic key generation algorithms are used to generate dynamic key provisioning support.
  • S17 The server processes the random seed and the variable factor by using a dynamic key generation algorithm, obtains a dynamic key, and sends the dynamic key to the client.
  • the dynamic key generation algorithm refers to an algorithm for regenerating a key with the occurrence of an event (a key is used or a certain time lapse, etc.), and has the advantages of high efficiency, simplicity, and high security.
  • a dynamic key is a key obtained by processing a random seed and a variable factor using a dynamic key generation algorithm.
  • the dynamic key generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client, so that the client uses the generated dynamic key to perform certain specific information. encrypt and decode).
  • the dynamic key generation algorithm is used to process the random seed and the variable factor to obtain a dynamic key, which improves the key acquisition efficiency and the security of the key.
  • S18 The client receives a dynamic key generated by the configuration file sent by the server.
  • the client receives the dynamic key generated by the configuration file sent by the server, and uses the dynamic key to encrypt (decrypt) certain specific information, for example, when the user dynamically logs in to the system, using the dynamic key to log in.
  • the dynamic key is a key obtained by performing steps S14-S17.
  • the seed generation tool is first used on the client to obtain the random seed and the reference time, so that the client invokes the encryption machine to encrypt the random seed and the reference time, obtain the encrypted ciphertext, and increase the security of the dynamic key. Then, the client obtains the configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server, so that the server automatically operates according to the configuration of the configuration file, and the operation is simple, and the efficiency of obtaining the dynamic key is improved.
  • the server obtains the configuration file sent by the client, so that the server invokes the encryption machine to decrypt the encrypted ciphertext in the configuration file, and obtains the decrypted random seed and the reference time, so that the server obtains the variable factor based on the update time and the reference time. So that the server uses the dynamic key generation algorithm to process the random seed and the variable factor to obtain the dynamic key, which improves the key acquisition efficiency and the security of the key.
  • the dynamic key is sent to the client, and the message digest is processed by the TOTP algorithm to obtain a dynamic key, which improves the efficiency of dynamic key acquisition.
  • step S16 the server acquires a variable factor based on the update time and the reference time, and specifically includes the following steps:
  • S161 The server determines the interval time based on the current time and the reference time.
  • the interval time is a parameter obtained by calculating the variable factor obtained by subtracting the reference time from the current time.
  • the current time is the millisecond value obtained by the server using the current time acquisition method.
  • the current time acquisition method includes but is not limited to System.currentTimeMillis(), which is convenient for quickly obtaining the millisecond value of the current time.
  • System.currentTimeMillis() produces a millisecond value of the current time, which is actually the number of milliseconds since 0:00 on January 1, 1970.
  • the server determines the interval based on the current time and the reference time (milliseconds).
  • the interval time and the update time are calculated using a variable factor calculation formula to obtain a variable factor.
  • calculating the variable factor based on the variable factor calculation formula first calculate the quotient of the interval time and the update time, then perform the rounding operation on the quotient value, obtain the rounding value, and then take the product of the rounded value and the update time as Variable factor.
  • the calculation process is simple and convenient, and the dynamic key acquisition efficiency is improved, and then the variable factor calculation formula is used.
  • Interval time and update time are calculated to obtain variable factors, which provide support for generating dynamic keys by using dynamic key generation algorithm.
  • the server determines whether the interval time is greater than the update time, so as to achieve the purpose of automatically updating the dynamic key.
  • the method for generating the dynamic key further includes the following steps:
  • the dynamic key invalidation information is used to remind the client that the dynamic key corresponding to the current time is invalid, and needs to generate a new dynamic key reminding information.
  • the server also obtains the interval time and compares it with the preset update time. If the interval time is greater than the update time, the key failure information is generated, and the key invalidation information is sent to the client, so that the client performs the step.
  • S11-S13 to obtain the updated configuration file, and send the updated configuration file to the server, so that the server generates a new dynamic key based on the updated configuration file, and sends the dynamic key to the client to achieve automatic replacement dynamics.
  • the purpose of the key is to improve security.
  • the updated configuration file includes the updated encrypted ciphertext and the preset update time.
  • the execution server calculates the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
  • the server continues to perform the step of calculating the interval time and the update time by using the variable factor calculation formula to obtain the variable factor, that is, performing step S162 .
  • the server determines whether the interval time is greater than the update time by using the timing interval. If the interval time is greater than the update time, the key failure information is generated, and the key failure information is sent to the client, so that the client performs the step. S11-S13, to obtain the updated configuration file, and send the updated configuration file to the server, so that the server generates a new dynamic key based on the updated configuration file, and sends the dynamic key to the client to achieve automatic replacement dynamics. The purpose of the key is to improve security. If the interval time is not greater than the update time, the execution server calculates the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
  • step S17 the server processes the random seed and the variable factor by using a dynamic key generation algorithm to obtain a dynamic key, which specifically includes the following steps:
  • S171 The server processes the random seed and the variable factor by using a one-way hash function to obtain a message digest.
  • Message Digest also known as Digital Digest. It is a fixed-length value that uniquely corresponds to a message or text, and is generated by a one-way hash function acting on the message.
  • the loop parameter, opad is the outer loop parameter.
  • the seed and variable factors are processed by the HMAC-SHA-1 algorithm in the one-way hash function.
  • HMAC-SHA-1 is a keyed hash algorithm constructed from the SHA1 hash function and is used as HMAC (Hash-based message authentication code). This HMAC process mixes the key with the message data, hashes the mixed result using a hash function, mixes the resulting hash value with the key, and then applies the hash function again.
  • the output hash value is 160 bits long.
  • SHA-1 Secure Hash Algorithm, also known as SHS, Secure Hash Standard
  • SHS Secure Hash Standard
  • S1711 Add 0 to the random seed K to create a first string with a sub-length B. Since K (random seed) is randomly generated, the length is not fixed. Therefore, it is necessary to add 0 after the random seed K to create a first character string of length B to ensure the smooth progress of the subsequent calculation process.
  • B is the processing block size.
  • S1712 Perform an exclusive OR operation on the character string of B length generated in step S1711 and the ipad to obtain the second character string.
  • ipad is 0x36363636..., and its length is the same as B (64 bytes).
  • variable factor T Fill the variable factor T into the second string to obtain the third string.
  • the variable factor T may be directly filled after the second character string to obtain the third character string.
  • H is a hash function
  • a hash function refers to mapping a binary string of arbitrary length into a short fixed-length binary string.
  • S1715 Perform an exclusive OR operation on the first character string of the B byte length generated in step S1711 and the opad to obtain the fifth character string.
  • the opad is 0x5c5c5c..., and its length is the same as B.
  • S1717 H is applied to the fourth character string to hash the fourth character string to obtain a message digest (a 20-byte (160 bite) array).
  • the HMAC-SHA-1 algorithm can accept a string of any size and generate a hash sequence of 160 bits (ie, a message digest), so The HMAC-SHA-1 algorithm processes the seed and variable factors to obtain a message digest, which is convenient for calculation and facilitates subsequent generation of dynamic keys.
  • S172 The message digest is processed by using the TOTP algorithm to obtain a dynamic key.
  • Truncate dynamic truncation function
  • the unsigned integer is modulo-operated with the d-th power of 10 to obtain a digital password of the d-bit, that is, the dynamic key.
  • the value of d may be 6 or 8, and should not be too long, so as to facilitate user input when using a dynamic key for encryption (decryption).
  • the resulting message digest (20 bytes) is as follows:
  • hmac_result[0]...hmac_result[19], hmac_result is the message digest).
  • the process of dynamic truncation is to perform a bitwise AND operation on the last byte of the message digest and 0xf to obtain an offset value (the initial value of the dynamic truncation function).
  • the bounce attempt mechanism refers to the decryption of the current time when the decryption is performed by using the generated key (for example, the current time point is 5:13:10s, and the update time is 30s, then at 5:13:40s)
  • the dynamic key has been updated, but the third-party authentication server may receive the updated key due to network delay, resulting in decryption failure.
  • the key is decrypted at the previous point in time to improve the fault tolerance of the algorithm. .
  • the server processes the seed and the variable factor by using a one-way hash function, obtains a fixed-length message digest for convenient calculation, and then processes the message digest by using the TOTP algorithm to obtain a dynamic key and improve the dynamic key. The efficiency of the acquisition.
  • the seed generation tool is first used on the client to obtain the random seed and the reference time, so that the client invokes the encryption machine to encrypt the random seed and the reference time, obtain the encrypted ciphertext, and increase the security of the dynamic key. Then, the client obtains the configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server, so that the server automatically operates according to the configuration of the configuration file, and the operation is simple, and the efficiency of obtaining the dynamic key is improved. After that, the server obtains the configuration file sent by the client, so that the server invokes the encryption machine to decrypt the encrypted ciphertext in the configuration file, and obtains the decrypted random seed and the reference time.
  • the server determines the interval based on the current time and the reference time to calculate the interval and update time using a variable factor calculation formula to obtain a variable factor to enable the server to perform random seed and variable factors using a one-way hash function. Processing, obtaining a message digest to reduce the amount of calculation; using the TOTP algorithm to process the message digest, obtaining a dynamic key, and improving the efficiency of dynamic key acquisition.
  • the message digest is processed by the TOTP algorithm to obtain a dynamic key, which improves the efficiency of dynamic key acquisition.
  • a retraction attempt mechanism is also added, and when the current time point decryption fails, the key is decrypted by using the key at the previous time point to improve fault tolerance.
  • the server further determines whether the interval time is greater than the update time, so that the server obtains the updated dynamic key based on the updated configuration file sent by the client and performs the steps of S14-S18, so as to automatically replace the dynamic key. purpose.
  • FIG. 4 is a schematic block diagram showing a device for acquiring a dynamic key corresponding to the method for acquiring a dynamic key in the first embodiment.
  • the dynamic key acquisition apparatus includes a server 10 and a client 20.
  • the server includes a configuration file obtaining module 11, an encryption machine decryption module 12, a variable factor acquisition module 13, and a dynamic key acquisition module 14.
  • the client 20 includes the steps of the random seed and reference time acquisition module 21, the encrypted ciphertext acquisition module 22, the configuration file acquisition module 23, and the dynamic key receiving module 24, and the dynamic key acquisition method in the embodiment.
  • the present embodiment will not be described in detail.
  • the server 10 includes a profile acquisition module 11, a encryptor decryption module 12, a variable factor acquisition module 13, and a dynamic key acquisition module 14.
  • the configuration file obtaining module 11 is configured to obtain a configuration file sent by the client, where the configuration file includes the encrypted ciphertext and the update time obtained by the encryption machine.
  • the encryption machine decryption module 12 is configured to invoke the encryption machine to decrypt the encrypted ciphertext, and obtain the decrypted random seed and the reference time.
  • the variable factor acquisition module 13 is configured to acquire a variable factor based on the update time and the reference time.
  • the dynamic key obtaining module 14 is configured to process the random seed and the variable factor by using a dynamic key generation algorithm, obtain a dynamic key, and send the dynamic key to the client.
  • variable factor acquisition module 13 includes an interval time determination unit 131 and a variable factor acquisition unit 132.
  • the interval determining unit 131 is configured to determine the interval time based on the current time and the reference time.
  • the dynamic key acquiring apparatus further includes a key invalidation information acquiring unit 133 and a second variable factor acquiring unit 134.
  • the key invalidation information obtaining unit 133 is configured to generate key invalidation information if the interval time is greater than the update time, and send the key invalidation information to the client.
  • the second variable factor obtaining unit 134 is configured to: if the interval time is not greater than the update time, the execution server calculates the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
  • the dynamic key acquisition module 14 includes a message digest acquisition unit 141 and a dynamic key acquisition unit 142.
  • the message digest obtaining unit 141 processes the random seed and the variable factor by using a one-way hash function to obtain a message digest.
  • the dynamic key obtaining unit 142 processes the message digest by using the TOTP algorithm to obtain a dynamic key.
  • the client 20 includes a random seed and reference time acquisition module 21, an encrypted ciphertext acquisition module 22, a configuration file acquisition module 23, and a dynamic key receiving module 24.
  • the random seed and reference time acquisition module 21 is configured to acquire a random seed and a reference time using a seed generation tool.
  • the encrypted ciphertext obtaining module 22 is configured to invoke the encryption machine to encrypt the random seed and the reference time to obtain the encrypted ciphertext.
  • the configuration file obtaining module 23 is configured to obtain a configuration file based on the encrypted ciphertext and the update time, and send the configuration file to the server.
  • the dynamic key receiving module 24 is configured to receive a dynamic key generated by the server based on the configuration file.
  • the embodiment provides a computer readable storage medium on which computer readable instructions are stored, and when the computer readable instructions are executed by the processor, the method for acquiring the dynamic key in Embodiment 1 is implemented, in order to avoid duplication. , I won't go into details here.
  • the functions of the modules/units in the apparatus for acquiring the dynamic key in the second embodiment are implemented when the computer readable instructions are executed by the processor. To avoid repetition, details are not described herein again.
  • the computer readable storage medium can include any entity or device capable of carrying the computer readable instruction code, a recording medium, a USB flash drive, a removable hard drive, a magnetic disk, an optical disk, a computer memory, a read only memory (ROM, Read-Only) Memory), random access memory (RAM), electrical carrier signals, telecommunications signals, and software distribution media.
  • FIG. 5 is a schematic diagram of a terminal device according to an embodiment of the present application.
  • the terminal device 50 of this embodiment includes a processor 51, a memory 52, and computer readable instructions 53 stored in the memory 52 and operable on the processor 51.
  • the processor 51 executes the steps of the method for acquiring the dynamic key in the first embodiment, such as steps S11 to S18 shown in FIG. 1, when the computer readable instructions 53 are executed.
  • the processor 51 executes the computer readable instructions 53
  • the functions of each module/unit of the dynamic key acquisition apparatus in Embodiment 2 are implemented, such as the configuration file acquisition module 11 and the encryption machine decryption module 12 shown in FIG.
  • computer readable instructions 53 may be partitioned into one or more modules/units, one or more modules/units being stored in memory 52 and executed by processor 51 to complete the application.
  • the one or more modules/units may be an instruction segment of a series of computer readable instructions 53 capable of performing a particular function, which is used to describe the execution of computer readable instructions 53 in the terminal device 50.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed in the present application are a method for acquiring a dynamic key, a device, a terminal apparatus, and a storage medium. The method for acquiring a dynamic key comprises the following steps executable by a server: acquiring a configuration file sent by a client, the configuration file comprising encrypted ciphertext acquired on the basis of an encryptor and a time of update; calling the encryptor to decrypt the encrypted ciphertext, and acquiring a decrypted random seed and a reference time; acquiring a variable factor on the basis of the time of update and the reference time; and processing the random seed and the variable factor by means of a dynamic key generation algorithm, acquiring a dynamic key, and sending the dynamic key to the client. The method for acquiring a dynamic key effectively solves the issues of time wastage and low security of conventional encryption mechanisms.

Description

动态密钥的获取方法、装置、终端设备及存储介质Dynamic key acquisition method, device, terminal device and storage medium
本专利申请以2018年1月8日提交的申请号为201810014135.1,名称为“动态密钥的获取方法、装置、终端设备及存储介质”的中国发明专利申请为基础,并要求其优先权。This patent application is based on the Chinese Patent Application No. 201810014135.1 filed on Jan. 8, 2018, entitled "Dynamic Key Acquisition Method, Apparatus, Terminal Equipment and Storage Medium", and requires priority.
技术领域Technical field
本申请涉及数据加密领域,尤其涉及一种动态密钥的获取方法、装置、终端设备及存储介质。The present application relates to the field of data encryption, and in particular, to a method, an apparatus, a terminal device, and a storage medium for acquiring a dynamic key.
背景技术Background technique
目前,传统的加密机制一般是采用加密机进行加密或采用软件程序进行加密。采用加密机进行加密时,虽然加密机获取的密钥不易泄露,但是由于计算量大,导致密钥获取时间过长。采用软件程序进行加密时,虽然软件加密的效率高,但是由于获取的密钥是固定的,就会导致密钥一旦泄露,就会存在很大的安全隐患,造成不同程度的损失,极大降低数据的安全性。At present, the traditional encryption mechanism generally uses an encryption machine for encryption or a software program for encryption. When the encryption is performed by the encryption machine, although the key acquired by the encryption machine is not easily leaked, the key acquisition time is too long due to the large amount of calculation. When using software programs for encryption, although the efficiency of software encryption is high, since the acquired key is fixed, it will cause a big security risk when the key is leaked, causing different degrees of loss and greatly reducing. The security of the data.
发明内容Summary of the invention
本申请实施例提供一种动态密钥的获取方法、装置、终端设备及存储介质,以解决传统的加密机制存在耗时或安全性低的问题。The embodiment of the present invention provides a method, an apparatus, a terminal device, and a storage medium for acquiring a dynamic key, so as to solve the problem that the traditional encryption mechanism is time-consuming or low in security.
第一方面,本申请实施例提供一种动态密钥的获取方法,包括服务器执行的如下步骤:In a first aspect, an embodiment of the present application provides a method for acquiring a dynamic key, including the following steps performed by a server:
获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;Obtaining a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained based on the encryption machine;
调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;Calling the encryption machine to decrypt the encrypted ciphertext, and obtaining the decrypted random seed and the reference time;
基于所述更新时间和所述基准时间,获取可变因子;Obtaining a variable factor based on the update time and the reference time;
采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
第二方面,本申请实施例提供一种动态密钥的获取装置,包括服务器,服务器包括:In a second aspect, the embodiment of the present application provides a device for acquiring a dynamic key, including a server, where the server includes:
配置文件获取模块,用于获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;a configuration file obtaining module, configured to acquire a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained by the encryption machine;
加密机解密模块,用于调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;The encryption machine decryption module is configured to invoke the encryption machine to decrypt the encrypted ciphertext, and obtain the decrypted random seed and the reference time;
可变因子获取模块,用于基于所述更新时间和所述基准时间,获取可变因子;a variable factor acquisition module, configured to acquire a variable factor based on the update time and the reference time;
动态密钥获取模块,用于采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic key acquisition module is configured to process the random seed and the variable factor by using a dynamic key generation algorithm, obtain a dynamic key, and send the dynamic key to the client.
第三方面,本申请实施例提供一种动态密钥的获取方法,包括客户端执行的如下步骤:In a third aspect, the embodiment of the present application provides a method for acquiring a dynamic key, which includes the following steps performed by a client:
采用种子生成工具,获取随机种子和基准时间;Use a seed generation tool to obtain random seeds and benchmark time;
调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;Invoking an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;Obtaining a configuration file based on the encrypted ciphertext and an update time, and sending the configuration file to a server;
接收所述服务器发送的基于所述配置文件生成的所述动态密钥。Receiving the dynamic key generated by the server based on the configuration file.
第四方面,本申请实施例提供一种动态密钥的获取装置,包括客户端,客户端包括:In a fourth aspect, the embodiment of the present application provides a dynamic key obtaining apparatus, including a client, where the client includes:
随机种子和基准时间获取模块,用于采用种子生成工具,获取随机种子和基准时间;A random seed and reference time acquisition module for acquiring a random seed and a reference time using a seed generation tool;
加密密文获取模块,用于调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;An encrypted ciphertext obtaining module, configured to invoke an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
配置文件获取模块,用于基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;a configuration file obtaining module, configured to acquire a configuration file based on the encrypted ciphertext and an update time, and send the configuration file to a server;
动态密钥接收模块,用于接收所述服务器发送的基于所述配置文件生成的所述动态密钥。And a dynamic key receiving module, configured to receive the dynamic key generated by the server based on the configuration file.
第五方面,本申请实施例提供一种终端设备,包括存储器、处理器以及存储在存储器中并可在处理器上运行的计算机可读指令,处理器执行计算机可读指令时实现如下步骤:In a fifth aspect, an embodiment of the present application provides a terminal device, including a memory, a processor, and computer readable instructions stored in the memory and executable on the processor. When the processor executes the computer readable instructions, the following steps are implemented:
获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;Obtaining a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained based on the encryption machine;
调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;Calling the encryption machine to decrypt the encrypted ciphertext, and obtaining the decrypted random seed and the reference time;
基于所述更新时间和所述基准时间,获取可变因子;Obtaining a variable factor based on the update time and the reference time;
采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
第六方面,本申请实施例提供一种终端设备,包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机可读指令,所述处理器执行所述计算机可读指令时实现如下步骤:In a sixth aspect, an embodiment of the present application provides a terminal device, including a memory, a processor, and computer readable instructions stored in the memory and executable on the processor, where the processor executes the computer The following steps are implemented when reading the instruction:
采用种子生成工具,获取随机种子和基准时间;Use a seed generation tool to obtain random seeds and benchmark time;
调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;Invoking an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;Obtaining a configuration file based on the encrypted ciphertext and an update time, and sending the configuration file to a server;
接收所述服务器发送的基于所述配置文件生成的所述动态密钥。Receiving the dynamic key generated by the server based on the configuration file.
第七方面,本申请实施例提供一种计算机可读存储介质,计算机可读存储介质存储有计算机可读指令,计算机可读指令被处理器执行时实现如下步骤:In a seventh aspect, the embodiment of the present application provides a computer readable storage medium, where the computer readable storage medium stores computer readable instructions, and when the computer readable instructions are executed by the processor, the following steps are implemented:
获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;Obtaining a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained based on the encryption machine;
调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;Calling the encryption machine to decrypt the encrypted ciphertext, and obtaining the decrypted random seed and the reference time;
基于所述更新时间和所述基准时间,获取可变因子;Obtaining a variable factor based on the update time and the reference time;
采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
第八方面,本申请实施例提供一种计算机可读介质,所述计算机可读介质存储有计算机可读指令,所述计算机可读指令被处理器执行时实现如下步骤:In an eighth aspect, an embodiment of the present application provides a computer readable medium storing computer readable instructions, where the computer readable instructions are executed by a processor to implement the following steps:
采用种子生成工具,获取随机种子和基准时间;Use a seed generation tool to obtain random seeds and benchmark time;
调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;Invoking an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;Obtaining a configuration file based on the encrypted ciphertext and an update time, and sending the configuration file to a server;
接收所述服务器发送的基于所述配置文件生成的所述动态密钥。Receiving the dynamic key generated by the server based on the configuration file.
本申请实施例提供的动态密钥的获取方法、装置、终端设备和存储介质中,先在客户端采用种子生成工具,获取随机种子和基准时间,以便客户端调用加密机对随机种子和基准时间进行加密,获取加密密文,增加了动态密钥的安全性。然后,客户端基于加密密文和更新时间,获取配置文件,并将配置文件发送给服务器,以使服务器自动按照配置文件的配置进行操作,操作简单,提高获取动态密钥的效率。之后,服务器获取客户端发送的配置文件,以便服务器调用加密机对配置文件中的加密密文进行解密,获取解密后的随机种子和基准时间,以便服务器基于更新时间和基准时间,获取可变因子,以使服务器采用动态密钥生成算法对随机种子和可变因子进行处理,获取动态密钥,提高了密钥获取效率以及密钥的安全性。In the method, device, terminal device and storage medium for acquiring the dynamic key provided by the embodiment of the present application, the seed generation tool is first used on the client to obtain the random seed and the reference time, so that the client invokes the encryption machine to the random seed and the reference time. Encryption is performed to obtain encrypted ciphertext, which increases the security of the dynamic key. Then, the client obtains the configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server, so that the server automatically operates according to the configuration of the configuration file, and the operation is simple, and the efficiency of obtaining the dynamic key is improved. After that, the server obtains the configuration file sent by the client, so that the server invokes the encryption machine to decrypt the encrypted ciphertext in the configuration file, and obtains the decrypted random seed and the reference time, so that the server obtains the variable factor based on the update time and the reference time. So that the server uses the dynamic key generation algorithm to process the random seed and the variable factor to obtain the dynamic key, which improves the key acquisition efficiency and the security of the key.
附图说明DRAWINGS
为了更清楚地说明本申请实施例的技术方案,下面将对本申请实施例的描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例, 对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present application. Other drawings may be obtained from those skilled in the art based on these drawings without paying any inventive labor.
图1是实施例1中提供的动态密钥的获取方法的一流程图。FIG. 1 is a flowchart of a method for acquiring a dynamic key provided in Embodiment 1.
图2是图1中步骤S16的一具体示意图。FIG. 2 is a specific schematic diagram of step S16 of FIG. 1.
图3是图1中步骤S17的一具体示意图。FIG. 3 is a specific schematic diagram of step S17 of FIG. 1.
图4是实施例2中提供的动态密钥的获取装置的一示意图。4 is a schematic diagram of an apparatus for acquiring a dynamic key provided in Embodiment 2.
图5是实施例4中提供的终端设备的一示意图。FIG. 5 is a schematic diagram of a terminal device provided in Embodiment 4.
具体实施方式Detailed ways
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The technical solutions in the embodiments of the present application are clearly and completely described in the following with reference to the drawings in the embodiments of the present application. It is obvious that the described embodiments are a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present application without departing from the inventive scope are the scope of the present application.
实施例1Example 1
本申请所提供的动态密钥的获取方法包括客户端上生成配置文件和服务器上生成动态密钥的相关步骤,有效解决目前传统的加密机制存在耗时或安全性低的问题。The method for obtaining the dynamic key provided by the application includes the steps of generating a configuration file on the client and generating a dynamic key on the server, which effectively solves the problem that the current traditional encryption mechanism has time-consuming or low security.
具体地,客户端执行以下步骤以实现配置文件的生成过程:Specifically, the client performs the following steps to implement the configuration file generation process:
采用种子生成工具,获取随机种子和基准时间;Use a seed generation tool to obtain random seeds and benchmark time;
调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;Invoking an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;Obtaining a configuration file based on the encrypted ciphertext and an update time, and sending the configuration file to a server;
接收所述服务器发送的基于所述配置文件生成的所述动态密钥。Receiving the dynamic key generated by the server based on the configuration file.
服务器执行以下步骤以实现动态密钥的生成过程:The server performs the following steps to implement the dynamic key generation process:
获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;Obtaining a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained based on the encryption machine;
调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;Calling the encryption machine to decrypt the encrypted ciphertext, and obtaining the decrypted random seed and the reference time;
基于所述更新时间和所述基准时间,获取可变因子;Obtaining a variable factor based on the update time and the reference time;
采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
图1示出本实施例中动态密钥的获取方法的流程图。如图1所示,该动态密钥的获取方法包括如下步骤:FIG. 1 is a flow chart showing a method of acquiring a dynamic key in this embodiment. As shown in FIG. 1 , the method for acquiring the dynamic key includes the following steps:
S11:客户端采用种子生成工具,获取随机种子和基准时间。S11: The client uses a seed generation tool to obtain a random seed and a reference time.
其中,种子生成工具是由开发人员预先编写好的一个可执行的程序文档。随机种子是在客户端采用种子生成工具随机生成的一串字符串。由于该随机种子是随机生成的,以使随机种子不易泄露,提高安全性。基准时间是采用种子生成工具生成的系统时间。客户端是安装有种子生成工具的终端,包括但不限于电脑、平板和智能手机等。在客户端采用种子生成工具生成的基准时间,具体是将获取的系统时间转换为毫秒的值作为基准时间,利于计算。本实施例中,可以采用Long.parseLong(encryptedDate)方法获取系统时间,然后,采用System.currentTimeMillis(当前时间)方法获取系统时间的的毫秒值。Among them, the seed generation tool is an executable program document pre-written by the developer. A random seed is a string of strings randomly generated by the client using a seed generation tool. Since the random seed is randomly generated, the random seed is not easily leaked, and the safety is improved. The base time is the system time generated by the seed generation tool. The client is a terminal with a seed generation tool installed, including but not limited to computers, tablets, and smartphones. The reference time generated by the seed generation tool on the client, specifically converting the acquired system time to the value of milliseconds as the reference time, is advantageous for calculation. In this embodiment, the system time can be obtained by using the Long.parseLong (encryptedDate) method, and then the millisecond value of the system time is obtained by using the System.currentTimeMillis (current time) method.
S12:客户端调用加密机对随机种子和基准时间进行加密,获取加密密文。S12: The client invokes the encryption machine to encrypt the random seed and the reference time to obtain the encrypted ciphertext.
其中,加密机是通过国家商用密码主管部门鉴定并批准使用的国内自主开发的主机加密设备,加密机的密钥不易泄露,大多用于金融机构,用于保证金融业务的案例。加密密文是采用加密机进行加密所得到的一串字符串。具体地,客户端调用加密机分别对随机种子和基准时间进行加密,形成对随机种子加密后得到的字符串(以下简称第一字符串)和对基准时间加密后的字符串(以下简称第二字符串),以基于第一字符串和第二字符器获取加密密文。本实施例中,客户端调用与其相连的加密机采用公钥加密算法生成密钥对(公钥和私钥),并采用密钥对中的公钥对随机种子和基准时间进行加密,并将密钥对保存在加密机中的密码管理系统中。其中,公钥加密算法是指加密和解密使用不同的密钥(即公钥和私钥),“私钥”就是不能让别人知道的,而“公钥”就可以公开的。这两个必须配对使用,用公钥加密的数据必须使用与其对应的私钥才能解开,技术安全性高,以达到密钥不易泄露的目的。Among them, the encryption machine is a domestically-developed host encryption device that has been authenticated and approved by the national commercial password authority. The key of the encryption machine is not easy to be leaked, and it is mostly used in financial institutions to ensure the case of financial business. The encrypted ciphertext is a string of characters obtained by encrypting with an encryption machine. Specifically, the client invokes the encryption machine to encrypt the random seed and the reference time respectively, and forms a character string obtained by encrypting the random seed (hereinafter referred to as the first character string) and a string encrypted by the reference time (hereinafter referred to as the second String) to obtain the encrypted ciphertext based on the first string and the second character. In this embodiment, the client invokes the encryption machine connected thereto to generate a key pair (public key and private key) by using a public key encryption algorithm, and encrypts the random seed and the reference time by using the public key in the key pair, and The key pair is stored in a password management system in the encryption machine. Among them, the public key encryption algorithm refers to the use of different keys (ie, public and private keys) for encryption and decryption, and the "private key" is not known to others, and the "public key" can be made public. The two must be paired. The data encrypted with the public key must be decrypted with the corresponding private key. The technical security is high, so that the key is not easily leaked.
本实施例中,加密机所采用的公钥加密算法包括但不限于RSA加密算法。其中,RSA加密算法是目前最有影响力和最常用的公钥加密算法,它能够抵抗到目前为止已知的绝大多数密码攻击,安全性高,一般采用公钥加密,私钥解密的方式。In this embodiment, the public key encryption algorithm used by the encryption machine includes, but is not limited to, an RSA encryption algorithm. Among them, RSA encryption algorithm is currently the most influential and most commonly used public key encryption algorithm. It can resist most of the password attacks known so far, and has high security. Generally, public key encryption and private key decryption are adopted. .
S13:客户端基于加密密文和更新时间,获取配置文件,并将配置文件发送给服务器。S13: The client obtains the configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server.
其中,更新时间表示时间步数,也就是多长时间产生一个新的密钥。该更新时间是预先配置好的并存储在配置文件中,最终保证密钥更新变化的时间。配置文件是客户端基于更新时间和加密密文获取的文件。该配置文件可以采用记事本工具由开发人员基于Java语言进行编写获取。可以理解地,该配置文件包括对随机种子加密后得到的字符串(即第一字符串)、对基准时间加密后得到的字符串(即第二字符串)和更新时间。具体地,客户端基于加密密文和更新时间,获取配置文件,并将配置文件发送给服务器,以使服务器 能够根据配置文件生成密钥。本实施例中的更新时间为X天,参数X的具体数值由开发人员视项目情况而定。本实施例中,将加密机传回来的加密密文和客户端预先设置的更新时间写入配置文件,并将配置文件发送给服务器,以使服务器自动按照配置文件的配置进行操作,操作简单,提高获取动态密钥的效率。Among them, the update time represents the number of time steps, that is, how long it takes to generate a new key. The update time is pre-configured and stored in the configuration file, ultimately guaranteeing when the key update changes. The configuration file is the file that the client obtains based on the update time and the encrypted ciphertext. This configuration file can be written by the developer based on the Java language using the Notepad tool. It can be understood that the configuration file includes a character string obtained after encrypting the random seed (ie, the first character string), a character string obtained by encrypting the reference time (ie, the second character string), and an update time. Specifically, the client obtains a configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server, so that the server can generate a key according to the configuration file. The update time in this embodiment is X days, and the specific value of the parameter X is determined by the developer depending on the project situation. In this embodiment, the encrypted ciphertext sent back by the encryption machine and the update time preset by the client are written into the configuration file, and the configuration file is sent to the server, so that the server automatically operates according to the configuration of the configuration file, and the operation is simple. Improve the efficiency of getting dynamic keys.
S14:服务器获取客户端发送的配置文件,配置文件包括基于加密机获取的加密密文和更新时间。S14: The server acquires a configuration file sent by the client, where the configuration file includes the encrypted ciphertext and the update time obtained by the encryption machine.
具体地,服务器获取客户端发送的配置文件,该配置文件包括基于加密机获取的加密密文(包括对种子加密后得到的字符串(即第一字符串)和对基准时间加密后得到的字符串(即第二字符串))和更新时间。本实施例中,服务器通过获取配置文件为后续生成动态密钥提供支持。Specifically, the server acquires a configuration file sent by the client, where the configuration file includes an encrypted ciphertext obtained by the encryption machine (including a character string obtained by encrypting the seed (ie, the first character string) and a character obtained by encrypting the reference time. String (ie the second string)) and update time. In this embodiment, the server provides support for generating a dynamic key by acquiring a configuration file.
S15:服务器调用加密机对加密密文进行解密,获取解密后的随机种子和基准时间。S15: The server invokes the encryption machine to decrypt the encrypted ciphertext, and obtains the decrypted random seed and the reference time.
具体地,服务器调用与服务器相连的加密机对配置文件中的加密密文进行解密,获取解密后的随机中子和基准时间。该加密机是与客户端相连的用于生成加密密文的加密机。可以理解地,加密机采用的加密算法与在客户端调用加密机中存储的采用RSA算法生成的私钥进行解密,以获取解密后的随机种子和基准时间,并将解密后的随机种子和基准时间存储在服务器内存中,为后续生成动态密钥提供支持。本实施例中,由于客户端调用加密机生成的密钥对保存在加密机中的密码管理系统中,因此服务器调用加密机时直接调用保存在加密机中的密钥对中的私钥进行解密,以避免无法对加密密文进行解密,以获取随机种子和基准时间的问题出现。Specifically, the server invokes an encryption machine connected to the server to decrypt the encrypted ciphertext in the configuration file, and obtains the decrypted random neutron and the reference time. The encryption machine is an encryption machine connected to the client for generating an encrypted ciphertext. It can be understood that the encryption algorithm used by the encryption machine is decrypted with the private key generated by the RSA algorithm stored in the client calling the encryption machine to obtain the decrypted random seed and the reference time, and the decrypted random seed and the reference are obtained. Time is stored in the server's memory to provide support for subsequent generation of dynamic keys. In this embodiment, since the key pair generated by the client calling the encryption machine is stored in the password management system in the encryption machine, the server directly invokes the private key in the key pair stored in the encryption machine when the server invokes the encryption machine. To avoid the problem of not being able to decrypt the encrypted ciphertext to get random seed and reference time.
S16:服务器基于更新时间和基准时间,获取可变因子。S16: The server acquires a variable factor based on the update time and the reference time.
其中,可变因子是动态加密算法中的计算参数。具体地,服务器获取当前时间和预先设置的更新时间,调用存储在服务器内存中的基准时间,并采用可变因子计算公式对当前时间、更新时间和基准时间进行计算,以获取可变因子,为后续采用动态密钥生成算法生成动态密钥提供支持。Among them, the variable factor is a calculation parameter in the dynamic encryption algorithm. Specifically, the server acquires the current time and the preset update time, calls the reference time stored in the server memory, and calculates the current time, the update time, and the reference time by using a variable factor calculation formula to obtain the variable factor. Subsequent dynamic key generation algorithms are used to generate dynamic key provisioning support.
S17:服务器采用动态密钥生成算法对随机种子和可变因子进行处理,获取动态密钥,并将动态密钥发送给客户端。S17: The server processes the random seed and the variable factor by using a dynamic key generation algorithm, obtains a dynamic key, and sends the dynamic key to the client.
其中,动态密钥生成算法是指随着某一事件(密钥被使用或一定的时间流逝等)的发生而重新生成密钥的算法,具有高效简单、安全性高的优点。动态密钥是指采用动态密钥生成算法对随机种子和可变因子进行处理后所得到的密钥。具体地,采用动态密钥生成算法对随机种子和可变因子进行处理,获取动态密钥,并将动态密钥发送给客户端,以使客 户端采用生成的动态密钥对某些特定信息进行加密(解密)。本实施例中,采用动态密钥生成算法对随机种子和可变因子进行处理,获取动态密钥,提高了密钥获取效率以及密钥的安全性。The dynamic key generation algorithm refers to an algorithm for regenerating a key with the occurrence of an event (a key is used or a certain time lapse, etc.), and has the advantages of high efficiency, simplicity, and high security. A dynamic key is a key obtained by processing a random seed and a variable factor using a dynamic key generation algorithm. Specifically, the dynamic key generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client, so that the client uses the generated dynamic key to perform certain specific information. encrypt and decode). In this embodiment, the dynamic key generation algorithm is used to process the random seed and the variable factor to obtain a dynamic key, which improves the key acquisition efficiency and the security of the key.
S18:客户端接收服务器发送的基于配置文件生成的动态密钥。S18: The client receives a dynamic key generated by the configuration file sent by the server.
具体地,客户端接收服务器发送的基于配置文件生成的动态密钥,并采用该动态密钥对某些特定信息进行加密(解密),例如当用户动态登录系统时,采用该动态密钥进行登录。其中,动态密钥是采用执行步骤S14-S17获取的密钥。Specifically, the client receives the dynamic key generated by the configuration file sent by the server, and uses the dynamic key to encrypt (decrypt) certain specific information, for example, when the user dynamically logs in to the system, using the dynamic key to log in. . The dynamic key is a key obtained by performing steps S14-S17.
本实施例中,先在客户端采用种子生成工具,获取随机种子和基准时间,以便客户端调用加密机对随机种子和基准时间进行加密,获取加密密文,增加了动态密钥的安全性。然后,客户端基于加密密文和更新时间,获取配置文件,并将配置文件发送给服务器,以使服务器自动按照配置文件的配置进行操作,操作简单,提高获取动态密钥的效率。之后,服务器获取客户端发送的配置文件,以便服务器调用加密机对配置文件中的加密密文进行解密,获取解密后的随机种子和基准时间,以便服务器基于更新时间和基准时间,获取可变因子,以使服务器采用动态密钥生成算法对随机种子和可变因子进行处理,获取动态密钥,提高了密钥获取效率以及密钥的安全性。并将动态密钥发送给客户端,采用TOTP算法对消息摘要进行处理,获取动态密钥,提高了动态密钥获取的效率。In this embodiment, the seed generation tool is first used on the client to obtain the random seed and the reference time, so that the client invokes the encryption machine to encrypt the random seed and the reference time, obtain the encrypted ciphertext, and increase the security of the dynamic key. Then, the client obtains the configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server, so that the server automatically operates according to the configuration of the configuration file, and the operation is simple, and the efficiency of obtaining the dynamic key is improved. After that, the server obtains the configuration file sent by the client, so that the server invokes the encryption machine to decrypt the encrypted ciphertext in the configuration file, and obtains the decrypted random seed and the reference time, so that the server obtains the variable factor based on the update time and the reference time. So that the server uses the dynamic key generation algorithm to process the random seed and the variable factor to obtain the dynamic key, which improves the key acquisition efficiency and the security of the key. The dynamic key is sent to the client, and the message digest is processed by the TOTP algorithm to obtain a dynamic key, which improves the efficiency of dynamic key acquisition.
在一具体实施方式中,如图2所示,步骤S16中,即服务器基于更新时间和基准时间,获取可变因子,具体包括如下步骤:In a specific embodiment, as shown in FIG. 2, in step S16, the server acquires a variable factor based on the update time and the reference time, and specifically includes the following steps:
S161:服务器基于当前时间和基准时间确定间隔时间。S161: The server determines the interval time based on the current time and the reference time.
其中,间隔时间是当前时间减去基准时间所获取的用于计算可变因子的参数。当前时间是服务器采用当前时间获取方法获取的毫秒值,该当前时间获取方法包括但不限于System.currentTimeMillis(),可方便快速获取当前时间的毫秒值。System.currentTimeMillis()产生一个当前时间的毫秒值,这个毫秒值其实就是自1970年1月1日0时起的毫秒数。可以理解地,服务器基于当前时间和基准时间(毫秒)确定间隔时间。间隔时间的计算公式为t=m-n,其中,t表示间隔时间,m表示当前时间(毫秒),n表示基准时间(毫秒)。The interval time is a parameter obtained by calculating the variable factor obtained by subtracting the reference time from the current time. The current time is the millisecond value obtained by the server using the current time acquisition method. The current time acquisition method includes but is not limited to System.currentTimeMillis(), which is convenient for quickly obtaining the millisecond value of the current time. System.currentTimeMillis() produces a millisecond value of the current time, which is actually the number of milliseconds since 0:00 on January 1, 1970. As can be appreciated, the server determines the interval based on the current time and the reference time (milliseconds). The interval time is calculated as t=m-n, where t represents the interval time, m represents the current time (milliseconds), and n represents the reference time (milliseconds).
S162:服务器采用可变因子计算公式对间隔时间和更新时间进行计算,获取可变因子,可变因子计算公式为可变因子=[t/T]*T,其中,t为间隔时间,T为更新时间,[]为取整运算。S162: The server calculates the interval time and the update time by using a variable factor calculation formula to obtain a variable factor, and the variable factor is calculated as a variable factor=[t/T]*T, where t is the interval time, and T is Update time, [] is a rounding operation.
具体地,采用可变因子计算公式对间隔时间和更新时间进行计算,以获取可变因子。 基于该可变因子计算公式计算可变因子时,先计算间隔时间和更新时间的商值,再对该商值进行取整运算,获取取整值,再将取整值与更新时间的乘积作为可变因子。Specifically, the interval time and the update time are calculated using a variable factor calculation formula to obtain a variable factor. When calculating the variable factor based on the variable factor calculation formula, first calculate the quotient of the interval time and the update time, then perform the rounding operation on the quotient value, obtain the rounding value, and then take the product of the rounded value and the update time as Variable factor.
本实施例中,通过将当前时间转换为毫秒值与基准时间的毫秒值进行计算,以便确定间隔时间,该计算过程简单方便,提高了动态密钥的获取效率,然后采用可变因子计算公式对间隔时间和更新时间进行计算,获取可变因子,为后续采用动态密钥生成算法生成动态密钥提供支持。In this embodiment, by calculating the current time into a millisecond value and a millisecond value of the reference time to determine the interval time, the calculation process is simple and convenient, and the dynamic key acquisition efficiency is improved, and then the variable factor calculation formula is used. Interval time and update time are calculated to obtain variable factors, which provide support for generating dynamic keys by using dynamic key generation algorithm.
在另一具体实施方式中,在客户端获取服务器发送的动态密钥后,服务器会判断间隔时间是否大于更新时间,以实现自动更新动态密钥的目的。具体地,步骤S16之后,该动态密钥的生成方法还包括如下步骤:In another specific implementation manner, after the client obtains the dynamic key sent by the server, the server determines whether the interval time is greater than the update time, so as to achieve the purpose of automatically updating the dynamic key. Specifically, after the step S16, the method for generating the dynamic key further includes the following steps:
S163:若间隔时间大于更新时间,则生成密钥失效信息,并将密钥失效信息发送给客户端。S163: If the interval time is greater than the update time, generate key invalidation information, and send the key invalidation information to the client.
其中,动态密钥失效信息是用于提醒客户端当前时间对应的动态密钥失效,并需要生成新的动态密钥的提醒信息。具体地,服务器还会获取间隔时间并与预先设置的更新时间进行比较,若间隔时间大于更新时间,则生成密钥失效信息,并将密钥失效信息发送给客户端,以使客户端执行步骤S11-S13,以获取更新后的配置文件,并将更新后的配置文件发送给服务器,以便服务器基于更新后的配置文件,生成新的动态密钥,并发送给客户端,以达到自动更换动态密钥的目的,提高安全性。其中,更新后的配置文件包括更新后的加密密文和预先设置的更新时间。The dynamic key invalidation information is used to remind the client that the dynamic key corresponding to the current time is invalid, and needs to generate a new dynamic key reminding information. Specifically, the server also obtains the interval time and compares it with the preset update time. If the interval time is greater than the update time, the key failure information is generated, and the key invalidation information is sent to the client, so that the client performs the step. S11-S13, to obtain the updated configuration file, and send the updated configuration file to the server, so that the server generates a new dynamic key based on the updated configuration file, and sends the dynamic key to the client to achieve automatic replacement dynamics. The purpose of the key is to improve security. The updated configuration file includes the updated encrypted ciphertext and the preset update time.
S164:若间隔时间不大于更新时间,则执行服务器采用可变因子计算公式对间隔时间和更新时间进行计算,获取可变因子的步骤。S164: If the interval time is not greater than the update time, the execution server calculates the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
具体地,若间隔时间不大于更新时间,则表示无需更换新的密钥,则服务器继续执行采用可变因子计算公式对间隔时间和更新时间进行计算,获取可变因子的步骤,即执行步骤S162。Specifically, if the interval time is not greater than the update time, it means that the new key does not need to be replaced, and the server continues to perform the step of calculating the interval time and the update time by using the variable factor calculation formula to obtain the variable factor, that is, performing step S162 .
本实施例中,服务器通过定时获取间隔时间判断间隔时间是否大于更新时间,若间隔时间大于更新时间,则生成密钥失效信息,并将密钥失效信息发送给客户端,以使客户端执行步骤S11-S13,以获取更新后的配置文件,并将更新后的配置文件发送给服务器,以便服务器基于更新后的配置文件,生成新的动态密钥,并发送给客户端,以达到自动更换动态密钥的目的,提高安全性。若间隔时间不大于更新时间,则执行服务器采用可变因子计算公式对间隔时间和更新时间进行计算,获取可变因子的步骤。In this embodiment, the server determines whether the interval time is greater than the update time by using the timing interval. If the interval time is greater than the update time, the key failure information is generated, and the key failure information is sent to the client, so that the client performs the step. S11-S13, to obtain the updated configuration file, and send the updated configuration file to the server, so that the server generates a new dynamic key based on the updated configuration file, and sends the dynamic key to the client to achieve automatic replacement dynamics. The purpose of the key is to improve security. If the interval time is not greater than the update time, the execution server calculates the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
在一具体实施方式中,如图3所示,步骤S17中,即服务器采用动态密钥生成算法对 随机种子和可变因子进行处理,获取动态密钥,具体包括如下步骤:In a specific embodiment, as shown in FIG. 3, in step S17, the server processes the random seed and the variable factor by using a dynamic key generation algorithm to obtain a dynamic key, which specifically includes the following steps:
S171:服务器采用单向散列函数对随机种子和可变因子进行处理,获取消息摘要。S171: The server processes the random seed and the variable factor by using a one-way hash function to obtain a message digest.
其中,消息摘要(Message Digest),又称为数字摘要(Digital Digest)。它是一个唯一对应一个消息或文本的固定长度的值,它由一个单向散列函数对消息进行作用而产生。单向散列函数的计算公式为X=(H(K XOR opad,H(K XOR ipad,T)),其中,T为可变因子,K为随机种子,XOR为异或运算,ipad为内部循环参数,opad为外部循环参数。Among them, Message Digest, also known as Digital Digest. It is a fixed-length value that uniquely corresponds to a message or text, and is generated by a one-way hash function acting on the message. The calculation formula of the one-way hash function is X=(H(K XOR opad, H(K XOR ipad, T)), where T is a variable factor, K is a random seed, XOR is an exclusive OR operation, and ipad is internal. The loop parameter, opad is the outer loop parameter.
本实施例中,采用单向散列函数中的HMAC-SHA-1算法对种子和可变因子进行处理。其中,HMAC-SHA-1是从SHA1哈希函数构造的一种键控哈希算法,被用作HMAC(基于哈希的消息验证代码)。此HMAC进程将密钥与消息数据混合,使用哈希函数对混合结果进行哈希计算,将所得哈希值与该密钥混合,然后再次应用哈希函数。输出的哈希值长度为160位。SHA-1(安全哈希算法,也称为SHS、安全哈希标准)是由美国政府发布的一种加密哈希算法。它将从任意长度的字符串生成160位的哈希值。具体地,获取消息摘要的步骤如下:In this embodiment, the seed and variable factors are processed by the HMAC-SHA-1 algorithm in the one-way hash function. Among them, HMAC-SHA-1 is a keyed hash algorithm constructed from the SHA1 hash function and is used as HMAC (Hash-based message authentication code). This HMAC process mixes the key with the message data, hashes the mixed result using a hash function, mixes the resulting hash value with the key, and then applies the hash function again. The output hash value is 160 bits long. SHA-1 (Secure Hash Algorithm, also known as SHS, Secure Hash Standard) is a cryptographic hash algorithm issued by the US government. It will generate a 160-bit hash value from a string of any length. Specifically, the steps to obtain a message digest are as follows:
S1711:随机种子K后面添加0来创建一个子长度为B的第一字符串。由于K(随机种子)是随机生成的,长度不固定,因此,需在随机种子K后面添加0来创建一个子长度为B的第一字符串,以保证后续计算过程的顺利进行。其中,B为处理数据块大小,本实施例中,B的大小为64字节。例如,如果K的字长是20字节,B(处理数据块大小)=64字节,则K后会加入44个零字节0x00。S1711: Add 0 to the random seed K to create a first string with a sub-length B. Since K (random seed) is randomly generated, the length is not fixed. Therefore, it is necessary to add 0 after the random seed K to create a first character string of length B to ensure the smooth progress of the subsequent calculation process. Where B is the processing block size. In this embodiment, the size of B is 64 bytes. For example, if the word length of K is 20 bytes and B (processing block size) = 64 bytes, then 44 zero bytes 0x00 will be added after K.
S1712:将步骤S1711生成的B字长的字符串与ipad做异或运算,获取第二字符串。其中,ipad为0x36363636...,其长度与B(64字节)相同。其中,异或运算也叫半加运算,异或的运算法则为:0 XOR 0=0,1 XOR 0=1,0 XOR 1=1,1 XOR 1=0(即相同为0,不同为1)。S1712: Perform an exclusive OR operation on the character string of B length generated in step S1711 and the ipad to obtain the second character string. Among them, ipad is 0x36363636..., and its length is the same as B (64 bytes). Among them, the XOR operation is also called semi-addition operation, and the XOR algorithm is: 0 XOR 0=0, 1 XOR 0=1, 0 XOR 1=1, 1 XOR 1=0 (that is, the same is 0, the difference is 1 ).
S1713:将可变因子T填充至第二字符串中,获取第三字符串。具体可直接将可变因子T填充在第二字符串之后,以获取第三字符串。S1713: Fill the variable factor T into the second string to obtain the third string. Specifically, the variable factor T may be directly filled after the second character string to obtain the third character string.
S1714:用H作用于第三字符串,获取第四字符串。其中,H为哈希函数,哈希函数是指将任意长度的二进制字符串映射为较短的固定长度的二进制字符串。S1714: Use H to act on the third string to obtain the fourth string. Where H is a hash function, and a hash function refers to mapping a binary string of arbitrary length into a short fixed-length binary string.
S1715:将步骤S1711生成的B字节长度的第一字符串与opad做异或运算,获取第五字符串。其中,opad为0x5c5c5c...,其长度与B相同。S1715: Perform an exclusive OR operation on the first character string of the B byte length generated in step S1711 and the opad to obtain the fifth character string. Among them, the opad is 0x5c5c5c..., and its length is the same as B.
S1716:再将第四字符串填充至第五字符串中。S1716: The fourth string is further filled into the fifth string.
S1717:将H作用于第四字符串即对第四字符串进行哈希运算,获取消息摘要(20字 节(160bite)数组)。S1717: H is applied to the fourth character string to hash the fourth character string to obtain a message digest (a 20-byte (160 bite) array).
本实施例中,由于随机种子是随机生成的,长度不固定,而HMAC-SHA-1算法可以接受任何大小的字符串,并产生长度为160位的哈希序列(即消息摘要),因此采用HMAC-SHA-1算法对种子和可变因子进行处理,获取消息摘要,方便计算,为后续生成动态密钥提供便利。In this embodiment, since the random seed is randomly generated, the length is not fixed, and the HMAC-SHA-1 algorithm can accept a string of any size and generate a hash sequence of 160 bits (ie, a message digest), so The HMAC-SHA-1 algorithm processes the seed and variable factors to obtain a message digest, which is convenient for calculation and facilitates subsequent generation of dynamic keys.
S172:采用TOTP算法对消息摘要进行处理,获取动态密钥。S172: The message digest is processed by using the TOTP algorithm to obtain a dynamic key.
其中,TOTP算法的公式为TOTP(K,T)=Truncate(X)mod 10^d,其中,T为可变因子,K为随机种子,mod为取模符运算,d为动态密钥的长度,X为消息摘要。具体地,由于可变因子T经过哈希运算后得到的第五字符串的长度太长,因此需经过Truncate(动态截短函数)处理,得到一个32位(4字节)的无符号整数,以提高动态密钥的获取效率;然后将该无符号整数与10的d次方进行取模运算得到d位的一个数字口令即动态密钥。本实施例中,d的取值可以为6或8,不宜过长,以达到在使用动态密钥进行加密(解密)时,方便用户输入的目的。The formula of the TOTP algorithm is TOTP(K,T)=Truncate(X)mod 10^d, where T is a variable factor, K is a random seed, mod is a modulus operation, and d is the length of the dynamic key. , X is the message digest. Specifically, since the length of the fifth character string obtained after the hashing of the variable factor T is too long, it needs to be processed by Truncate (dynamic truncation function) to obtain a 32-bit (4 bytes) unsigned integer. To improve the efficiency of obtaining the dynamic key; then, the unsigned integer is modulo-operated with the d-th power of 10 to obtain a digital password of the d-bit, that is, the dynamic key. In this embodiment, the value of d may be 6 or 8, and should not be too long, so as to facilitate user input when using a dynamic key for encryption (decryption).
例如,得到的消息摘要(20字节)如下:For example, the resulting message digest (20 bytes) is as follows:
1f|86|98|69|0e|02|ca|16|61|85|50|ef|7f|19|da|8e|94|5b|55|5a1f|86|98|69|0e|02|ca|16|61|85|50|ef|7f|19|da|8e|94|5b|55|5a
(即hmac_result[0]...hmac_result[19],hmac_result为消息摘要)。则动态截短的处理过程为:将消息摘要的最后一个字节与0xf进行按位与运算,获取offset值(动态截断函数的初始值)。其中,按位与运算的运算规则:0&0=0;0&1=0;1&0=0;1&1=1;即:两位同时为“1”,结果才为“1”,否则为0。其中,最后的字节(第19字节即hmac_result[19])位的16进制值是0x5a(一个字节为8位二进制),则取低4位值是0xa(offset值),offset值是字节10(0xa),则从10字节开始4字节值为0x50ef7f19,TOTP(K,T)=0x50ef7f19mod10^6(或10^8)。(ie hmac_result[0]...hmac_result[19], hmac_result is the message digest). The process of dynamic truncation is to perform a bitwise AND operation on the last byte of the message digest and 0xf to obtain an offset value (the initial value of the dynamic truncation function). Among them, the operation rule of bitwise AND operation: 00&0=0;0&1=0;1&0=0;1&1=1; that is: two bits are "1" at the same time, the result is "1", otherwise it is 0. Among them, the hexadecimal value of the last byte (the 19th byte is hmac_result[19]) bit is 0x5a (one byte is 8-bit binary), then the lower 4-bit value is 0xa (offset value), offset value Is byte 10 (0xa), then the 4-byte value starts from 10 bytes and is 0x50ef7f19, TOTP(K,T)=0x50ef7f19mod10^6 (or 10^8).
本实施例中,由于算法本身存在边界问题,还增加了退回尝试机制,用于当前时间点解密失败时,尝试采用上一时间点的密钥进行解密。具体地,退回尝试机制是指采用生成的密钥进行解密时,如果当前时间的解密失败(例如,当前时间点为5时13分10s,而更新时间为30s,那么在5时13分40s时,该动态密钥已经更新,但是第三方验证服务器有可能因为网络延迟而为接收到更新后的密钥,导致解密失败),就采用上一时间点的密钥进行解密,提高算法的容错性。In this embodiment, due to the boundary problem of the algorithm itself, a retraction attempt mechanism is also added, and when the current time point decryption fails, an attempt is made to decrypt using the key of the previous time point. Specifically, the bounce attempt mechanism refers to the decryption of the current time when the decryption is performed by using the generated key (for example, the current time point is 5:13:10s, and the update time is 30s, then at 5:13:40s) The dynamic key has been updated, but the third-party authentication server may receive the updated key due to network delay, resulting in decryption failure. The key is decrypted at the previous point in time to improve the fault tolerance of the algorithm. .
本实施例中,服务器采用单向散列函数对种子和可变因子进行处理,获取固定长度消息摘要,方便计算,然后采用TOTP算法对消息摘要进行处理,获取动态密钥,提高了动 态密钥获取的效率。In this embodiment, the server processes the seed and the variable factor by using a one-way hash function, obtains a fixed-length message digest for convenient calculation, and then processes the message digest by using the TOTP algorithm to obtain a dynamic key and improve the dynamic key. The efficiency of the acquisition.
本实施例中,先在客户端采用种子生成工具,获取随机种子和基准时间,以便客户端调用加密机对随机种子和基准时间进行加密,获取加密密文,增加了动态密钥的安全性。然后,客户端基于加密密文和更新时间,获取配置文件,并将配置文件发送给服务器,以使服务器自动按照配置文件的配置进行操作,操作简单,提高获取动态密钥的效率。之后,服务器获取客户端发送的配置文件,以便服务器调用加密机对配置文件中的加密密文进行解密,获取解密后的随机种子和基准时间。然后服务器基于当前时间和基准时间确定间隔时间,以便采用可变因子计算公式对间隔时间和更新时间进行计算,获取可变因子,以使服务器采用单向散列函数对随机种子和可变因子进行处理,获取消息摘要,以减少计算量;采用TOTP算法对消息摘要进行处理,获取动态密钥,提高了动态密钥获取的效率。采用TOTP算法对消息摘要进行处理,获取动态密钥,提高了动态密钥获取的效率。并且,由于算法本身存在边界问题,还增加了退回尝试机制,用于当前时间点解密失败时,尝试采用上一时间点的密钥进行解密,以提高容错性。最后,服务器还会通过判断间隔时间是否大于更新时间,以使服务器基于客户端发送的更新后的配置文件并执行S14-S18的步骤,获取更新的动态密钥,以达到自动更换动态密钥的目的。In this embodiment, the seed generation tool is first used on the client to obtain the random seed and the reference time, so that the client invokes the encryption machine to encrypt the random seed and the reference time, obtain the encrypted ciphertext, and increase the security of the dynamic key. Then, the client obtains the configuration file based on the encrypted ciphertext and the update time, and sends the configuration file to the server, so that the server automatically operates according to the configuration of the configuration file, and the operation is simple, and the efficiency of obtaining the dynamic key is improved. After that, the server obtains the configuration file sent by the client, so that the server invokes the encryption machine to decrypt the encrypted ciphertext in the configuration file, and obtains the decrypted random seed and the reference time. The server then determines the interval based on the current time and the reference time to calculate the interval and update time using a variable factor calculation formula to obtain a variable factor to enable the server to perform random seed and variable factors using a one-way hash function. Processing, obtaining a message digest to reduce the amount of calculation; using the TOTP algorithm to process the message digest, obtaining a dynamic key, and improving the efficiency of dynamic key acquisition. The message digest is processed by the TOTP algorithm to obtain a dynamic key, which improves the efficiency of dynamic key acquisition. Moreover, due to the boundary problem of the algorithm itself, a retraction attempt mechanism is also added, and when the current time point decryption fails, the key is decrypted by using the key at the previous time point to improve fault tolerance. Finally, the server further determines whether the interval time is greater than the update time, so that the server obtains the updated dynamic key based on the updated configuration file sent by the client and performs the steps of S14-S18, so as to automatically replace the dynamic key. purpose.
应理解,上述实施例中各步骤的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本申请实施例的实施过程构成任何限定。It should be understood that the size of the sequence of the steps in the above embodiments does not mean that the order of execution is performed. The order of execution of each process should be determined by its function and internal logic, and should not be construed as limiting the implementation process of the embodiments of the present application.
实施例2Example 2
图4示出与实施例1中动态密钥的获取方法一一对应的动态密钥的获取装置的原理框图。如图4所示,该动态密钥的获取装置包括服务器10和客户端20。其中,服务器包括配置文件获取模块11、加密机解密模块12、可变因子获取模块13、动态密钥获取模块14。客户端20包括随机种子和基准时间获取模块21、加密密文获取模块22、配置文件获取模块23和动态密钥接收模块24的实现功能与实施例中动态密钥的获取方法对应的步骤一一对应,为避免赘述,本实施例不一一详述。FIG. 4 is a schematic block diagram showing a device for acquiring a dynamic key corresponding to the method for acquiring a dynamic key in the first embodiment. As shown in FIG. 4, the dynamic key acquisition apparatus includes a server 10 and a client 20. The server includes a configuration file obtaining module 11, an encryption machine decryption module 12, a variable factor acquisition module 13, and a dynamic key acquisition module 14. The client 20 includes the steps of the random seed and reference time acquisition module 21, the encrypted ciphertext acquisition module 22, the configuration file acquisition module 23, and the dynamic key receiving module 24, and the dynamic key acquisition method in the embodiment. Correspondingly, in order to avoid redundancy, the present embodiment will not be described in detail.
服务器10包括配置文件获取模块11、加密机解密模块12、可变因子获取模块13和动态密钥获取模块14。The server 10 includes a profile acquisition module 11, a encryptor decryption module 12, a variable factor acquisition module 13, and a dynamic key acquisition module 14.
配置文件获取模块11,用于获取客户端发送的配置文件,配置文件包括基于加密机获取的加密密文和更新时间。The configuration file obtaining module 11 is configured to obtain a configuration file sent by the client, where the configuration file includes the encrypted ciphertext and the update time obtained by the encryption machine.
加密机解密模块12,用于调用加密机对加密密文进行解密,获取解密后的随机种子和基准时间。The encryption machine decryption module 12 is configured to invoke the encryption machine to decrypt the encrypted ciphertext, and obtain the decrypted random seed and the reference time.
可变因子获取模块13,用于基于更新时间和基准时间,获取可变因子。The variable factor acquisition module 13 is configured to acquire a variable factor based on the update time and the reference time.
动态密钥获取模块14,用于采用动态密钥生成算法对随机种子和可变因子进行处理,获取动态密钥,并将动态密钥发送给客户端。The dynamic key obtaining module 14 is configured to process the random seed and the variable factor by using a dynamic key generation algorithm, obtain a dynamic key, and send the dynamic key to the client.
优选地,可变因子获取模块13包括间隔时间确定单元131、可变因子获取单元132。Preferably, the variable factor acquisition module 13 includes an interval time determination unit 131 and a variable factor acquisition unit 132.
间隔时间确定单元131,用于基于当前时间和基准时间确定间隔时间。The interval determining unit 131 is configured to determine the interval time based on the current time and the reference time.
第一可变因子获取单元132,用于采用可变因子计算公式对间隔时间和更新时间进行计算,获取可变因子,可变因子计算公式为可变因子=[t/T]*T,其中,t为间隔时间,T为更新时间,[]为取整运算。The first variable factor obtaining unit 132 is configured to calculate the interval time and the update time by using a variable factor calculation formula to obtain a variable factor, and the variable factor calculation formula is a variable factor=[t/T]*T, wherein , t is the interval time, T is the update time, and [] is the rounding operation.
优选地,该动态密钥的获取装置还包括密钥失效信息获取单元133和第二可变因子获取单元134。Preferably, the dynamic key acquiring apparatus further includes a key invalidation information acquiring unit 133 and a second variable factor acquiring unit 134.
密钥失效信息获取单元133,用于若间隔时间大于更新时间,则生成密钥失效信息,并将密钥失效信息发送给客户端。The key invalidation information obtaining unit 133 is configured to generate key invalidation information if the interval time is greater than the update time, and send the key invalidation information to the client.
第二可变因子获取单元134,用于若间隔时间不大于更新时间,则执行服务器采用可变因子计算公式对间隔时间和更新时间进行计算,获取可变因子的步骤。The second variable factor obtaining unit 134 is configured to: if the interval time is not greater than the update time, the execution server calculates the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
优选地,动态密钥获取模块14包括消息摘要获取单元141和动态密钥获取单元142。Preferably, the dynamic key acquisition module 14 includes a message digest acquisition unit 141 and a dynamic key acquisition unit 142.
消息摘要获取单元141,采用单向散列函数对随机种子和可变因子进行处理,获取消息摘要。The message digest obtaining unit 141 processes the random seed and the variable factor by using a one-way hash function to obtain a message digest.
动态密钥获取单元142,采用TOTP算法对消息摘要进行处理,获取动态密钥。The dynamic key obtaining unit 142 processes the message digest by using the TOTP algorithm to obtain a dynamic key.
客户端20包括随机种子和基准时间获取模块21、加密密文获取模块22、配置文件获取模块23和动态密钥接收模块24。The client 20 includes a random seed and reference time acquisition module 21, an encrypted ciphertext acquisition module 22, a configuration file acquisition module 23, and a dynamic key receiving module 24.
随机种子和基准时间获取模块21,用于采用种子生成工具,获取随机种子和基准时间。The random seed and reference time acquisition module 21 is configured to acquire a random seed and a reference time using a seed generation tool.
加密密文获取模块22,用于调用加密机对随机种子和基准时间进行加密,获取加密密文。The encrypted ciphertext obtaining module 22 is configured to invoke the encryption machine to encrypt the random seed and the reference time to obtain the encrypted ciphertext.
配置文件获取模块23,用于基于加密密文和更新时间,获取配置文件,并将配置文件发送给服务器。The configuration file obtaining module 23 is configured to obtain a configuration file based on the encrypted ciphertext and the update time, and send the configuration file to the server.
动态密钥接收模块24,用于接收服务器发送的基于配置文件生成的动态密钥。The dynamic key receiving module 24 is configured to receive a dynamic key generated by the server based on the configuration file.
实施例3Example 3
本实施例提供一计算机可读存储介质,该计算机可读存储介质上存储有计算机可读指令,该计算机可读指令被处理器执行时实现实施例1中动态密钥的获取方法,为避免重复, 这里不再赘述。或者,该计算机可读指令被处理器执行时实现实施例2中动态密钥的获取装置中各模块/单元的功能,为避免重复,这里不再赘述。The embodiment provides a computer readable storage medium on which computer readable instructions are stored, and when the computer readable instructions are executed by the processor, the method for acquiring the dynamic key in Embodiment 1 is implemented, in order to avoid duplication. , I won't go into details here. Alternatively, the functions of the modules/units in the apparatus for acquiring the dynamic key in the second embodiment are implemented when the computer readable instructions are executed by the processor. To avoid repetition, details are not described herein again.
该计算机可读存储介质可以包括:能够携带所述计算机可读指令代码的任何实体或装置、记录介质、U盘、移动硬盘、磁碟、光盘、计算机存储器、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、电载波信号、电信信号以及软件分发介质等。The computer readable storage medium can include any entity or device capable of carrying the computer readable instruction code, a recording medium, a USB flash drive, a removable hard drive, a magnetic disk, an optical disk, a computer memory, a read only memory (ROM, Read-Only) Memory), random access memory (RAM), electrical carrier signals, telecommunications signals, and software distribution media.
实施例4Example 4
图5是本申请一实施例提供的终端设备的示意图。如图5所示,该实施例的终端设备50包括:处理器51、存储器52以及存储在存储器52中并可在处理器51上运行的计算机可读指令53。处理器51执行计算机可读指令53时实现上述实施例1中动态密钥的获取方法的步骤,例如图1所示的步骤S11至S18。或者,处理器51执行计算机可读指令53时实现实施例2中动态密钥的获取装置各模块/单元的功能,例如图4所示的配置文件获取模块11、加密机解密模块12、可变因子获取模块13和动态密钥获取模块14;或者随机种子和基准时间获取模块21、加密密文获取模块22、配置文件获取模块23和动态密钥接收模块24的功能。FIG. 5 is a schematic diagram of a terminal device according to an embodiment of the present application. As shown in FIG. 5, the terminal device 50 of this embodiment includes a processor 51, a memory 52, and computer readable instructions 53 stored in the memory 52 and operable on the processor 51. The processor 51 executes the steps of the method for acquiring the dynamic key in the first embodiment, such as steps S11 to S18 shown in FIG. 1, when the computer readable instructions 53 are executed. Alternatively, when the processor 51 executes the computer readable instructions 53, the functions of each module/unit of the dynamic key acquisition apparatus in Embodiment 2 are implemented, such as the configuration file acquisition module 11 and the encryption machine decryption module 12 shown in FIG. The functions of the factor acquisition module 13 and the dynamic key acquisition module 14 or the random seed and reference time acquisition module 21, the encrypted ciphertext acquisition module 22, the configuration file acquisition module 23, and the dynamic key receiving module 24.
示例性的,计算机可读指令53可以被分割成一个或多个模块/单元,一个或者多个模块/单元被存储在存储器52中,并由处理器51执行,以完成本申请。一个或多个模块/单元可以是能够完成特定功能的一系列计算机可读指令53的指令段,该指令段用于描述计算机可读指令53在终端设备50中的执行过程。Illustratively, computer readable instructions 53 may be partitioned into one or more modules/units, one or more modules/units being stored in memory 52 and executed by processor 51 to complete the application. The one or more modules/units may be an instruction segment of a series of computer readable instructions 53 capable of performing a particular function, which is used to describe the execution of computer readable instructions 53 in the terminal device 50.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
以上所述实施例仅用以说明本申请的技术方案,而非对其限制。尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围,均应包含在本申请的保护范围之内。The embodiments described above are only used to explain the technical solutions of the present application, and are not limited thereto. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may be modified or equivalently substituted for some of the technical features. Modifications or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and should be included in the scope of the present application.

Claims (20)

  1. 一种动态密钥的获取方法,其特征在于,包括服务器执行的如下步骤:A method for obtaining a dynamic key, comprising the following steps performed by a server:
    获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;Obtaining a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained based on the encryption machine;
    调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;Calling the encryption machine to decrypt the encrypted ciphertext, and obtaining the decrypted random seed and the reference time;
    基于所述更新时间和所述基准时间,获取可变因子;Obtaining a variable factor based on the update time and the reference time;
    采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
  2. 如权利要求1所述的动态密钥的获取方法,其特征在于,所述基于所述更新时间和所述基准时间,获取可变因子,包括:The method for obtaining a dynamic key according to claim 1, wherein the obtaining a variable factor based on the update time and the reference time comprises:
    基于当前时间和所述基准时间确定间隔时间;Determining an interval time based on the current time and the reference time;
    采用可变因子计算公式对所述间隔时间和所述更新时间进行计算,获取可变因子,所述可变因子计算公式为可变因子=[t/T]*T,其中,t为所述间隔时间,T为所述更新时间,[]为取整运算。Calculating the interval time and the update time by using a variable factor calculation formula to obtain a variable factor, and the variable factor is calculated as a variable factor=[t/T]*T, where t is the The interval time, T is the update time, and [] is the rounding operation.
  3. 如权利要求2所述的动态密钥的获取方法,其特征在于,在所述基于当前时间和所述基准时间确定间隔时间的步骤之后,所述动态密钥的获取方法还包括:The method for acquiring a dynamic key according to claim 2, wherein after the step of determining the interval time based on the current time and the reference time, the method for acquiring the dynamic key further comprises:
    若所述间隔时间大于所述更新时间,则生成密钥失效信息,并将所述密钥失效信息发送给所述客户端;If the interval time is greater than the update time, generating key failure information, and sending the key failure information to the client;
    若所述间隔时间不大于所述更新时间,则执行所述采用可变因子计算公式对所述间隔时间和所述更新时间进行计算,获取可变因子的步骤。And if the interval time is not greater than the update time, performing the step of calculating the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
  4. 如权利要求1所述的动态密钥的获取方法,其特征在于,所述采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,包括:The method for obtaining a dynamic key according to claim 1, wherein the processing of the random seed and the variable factor by using a dynamic key generation algorithm to obtain a dynamic key comprises:
    采用单向散列函数对所述随机种子和可变因子进行处理,获取消息摘要;Processing the random seed and the variable factor by using a one-way hash function to obtain a message digest;
    采用所述TOTP算法对所述消息摘要进行处理,获取所述动态密钥。The message digest is processed by using the TOTP algorithm to obtain the dynamic key.
  5. 如权利要求4所述的动态密钥的获取方法,其特征在于,所述单向散列函数的公式为X=(H(K XOR opad,H(K XOR ipad,T)),其中,T为所述可变因子,K为所述随机种子,XOR为异或符号,ipad为内部循环参数,opad为外部循环参数;The method for acquiring a dynamic key according to claim 4, wherein the one-way hash function has the formula X=(H(K XOR opad, H(K XOR ipad, T)), wherein, T For the variable factor, K is the random seed, XOR is an exclusive OR symbol, ipad is an internal loop parameter, and opad is an external loop parameter;
    所述TOTP算法的公式为TOTP(K,T)=Truncate(X)mod 10^d,其中,T为所述可变因子,K为所述随机种子,mod为取模运算,d为自定义动态密钥的长度,X为所述消息摘要。The formula of the TOTP algorithm is TOTP(K,T)=Truncate(X)mod 10^d, where T is the variable factor, K is the random seed, mod is a modulo operation, and d is a custom The length of the dynamic key, X is the message digest.
  6. 一种动态密钥的获取方法,其特征在于,包括客户端执行的如下步骤:A method for obtaining a dynamic key, comprising the following steps performed by a client:
    采用种子生成工具,获取随机种子和基准时间;Use a seed generation tool to obtain random seeds and benchmark time;
    调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;Invoking an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
    基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;Obtaining a configuration file based on the encrypted ciphertext and an update time, and sending the configuration file to a server;
    接收所述服务器发送的基于所述配置文件生成的所述动态密钥。Receiving the dynamic key generated by the server based on the configuration file.
  7. 一种动态密钥的获取装置,其特征在于,包括:A device for acquiring a dynamic key, comprising:
    配置文件获取模块,用于获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;a configuration file obtaining module, configured to acquire a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained by the encryption machine;
    加密机解密模块,用于调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;The encryption machine decryption module is configured to invoke the encryption machine to decrypt the encrypted ciphertext, and obtain the decrypted random seed and the reference time;
    可变因子获取模块,用于基于所述更新时间和所述基准时间,获取可变因子;a variable factor acquisition module, configured to acquire a variable factor based on the update time and the reference time;
    动态密钥获取模块,用于采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic key acquisition module is configured to process the random seed and the variable factor by using a dynamic key generation algorithm, obtain a dynamic key, and send the dynamic key to the client.
  8. 一种动态密钥的获取装置,其特征在于,包括:A device for acquiring a dynamic key, comprising:
    随机种子和基准时间获取模块,用于采用种子生成工具,获取随机种子和基准时间;A random seed and reference time acquisition module for acquiring a random seed and a reference time using a seed generation tool;
    加密密文获取模块,用于调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;An encrypted ciphertext obtaining module, configured to invoke an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
    配置文件获取模块,用于基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;a configuration file obtaining module, configured to acquire a configuration file based on the encrypted ciphertext and an update time, and send the configuration file to a server;
    动态密钥接收模块,用于接收所述服务器发送的基于所述配置文件生成的所述动态密钥。And a dynamic key receiving module, configured to receive the dynamic key generated by the server based on the configuration file.
  9. 一种终端设备,包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机可读指令,其特征在于,所述处理器执行所述计算机可读指令时实现如下步骤:A terminal device comprising a memory, a processor, and computer readable instructions stored in the memory and operable on the processor, wherein the processor executes the computer readable instructions as follows step:
    获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;Obtaining a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained based on the encryption machine;
    调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;Calling the encryption machine to decrypt the encrypted ciphertext, and obtaining the decrypted random seed and the reference time;
    基于所述更新时间和所述基准时间,获取可变因子;Obtaining a variable factor based on the update time and the reference time;
    采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
  10. 如权利要求9所述的终端设备,其特征在于,所述基于所述更新时间和所述基准时间,获取可变因子,包括:The terminal device according to claim 9, wherein the obtaining a variable factor based on the update time and the reference time comprises:
    基于当前时间和所述基准时间确定间隔时间;Determining an interval time based on the current time and the reference time;
    采用可变因子计算公式对所述间隔时间和所述更新时间进行计算,获取可变因子,所述可变因子计算公式为可变因子=[t/T]*T,其中,t为所述间隔时间,T为所述更新时间,[]为取整运算。Calculating the interval time and the update time by using a variable factor calculation formula to obtain a variable factor, and the variable factor is calculated as a variable factor=[t/T]*T, where t is the The interval time, T is the update time, and [] is the rounding operation.
  11. 如权利要求10所述的终端设备,其特征在于,在所述基于当前时间和所述基准时间确定间隔时间的步骤之后,所述处理器执行所述计算机可读指令时实现如下步骤还包括:The terminal device according to claim 10, wherein the step of implementing the computer readable instructions by the processor after the step of determining the interval time based on the current time and the reference time further comprises the steps of:
    若所述间隔时间大于所述更新时间,则生成密钥失效信息,并将所述密钥失效信息发送给所述客户端;If the interval time is greater than the update time, generating key failure information, and sending the key failure information to the client;
    若所述间隔时间不大于所述更新时间,则执行所述采用可变因子计算公式对所述间隔时间和所述更新时间进行计算,获取可变因子的步骤。And if the interval time is not greater than the update time, performing the step of calculating the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
  12. 如权利要求9所述的终端设备,其特征在于,所述采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,包括:The terminal device according to claim 9, wherein the processing of the random seed and the variable factor by using a dynamic key generation algorithm to obtain a dynamic key comprises:
    采用单向散列函数对所述随机种子和可变因子进行处理,获取消息摘要;Processing the random seed and the variable factor by using a one-way hash function to obtain a message digest;
    采用所述TOTP算法对所述消息摘要进行处理,获取所述动态密钥。The message digest is processed by using the TOTP algorithm to obtain the dynamic key.
  13. 如权利要求12所述的终端设备,其特征在于,所述单向散列函数的公式为X=(H(K XOR opad,H(K XOR ipad,T)),其中,T为所述可变因子,K为所述随机种子,XOR为异或符号,ipad为内部循环参数,opad为外部循环参数;The terminal device according to claim 12, wherein the one-way hash function has the formula X=(H(K XOR opad, H(K XOR ipad, T)), wherein T is the Variable factor, K is the random seed, XOR is an XOR symbol, ipad is an internal loop parameter, and opad is an external loop parameter;
    所述TOTP算法的公式为TOTP(K,T)=Truncate(X)mod 10^d,其中,T为所述可变因子,K为所述随机种子,mod为取模运算,d为自定义动态密钥的长度,X为所述消息摘要。The formula of the TOTP algorithm is TOTP(K,T)=Truncate(X)mod 10^d, where T is the variable factor, K is the random seed, mod is a modulo operation, and d is a custom The length of the dynamic key, X is the message digest.
  14. 一种终端设备,包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机可读指令,其特征在于,所述处理器执行所述计算机可读指令时实现如下步骤:A terminal device comprising a memory, a processor, and computer readable instructions stored in the memory and operable on the processor, wherein the processor executes the computer readable instructions as follows step:
    采用种子生成工具,获取随机种子和基准时间;Use a seed generation tool to obtain random seeds and benchmark time;
    调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;Invoking an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
    基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;Obtaining a configuration file based on the encrypted ciphertext and an update time, and sending the configuration file to a server;
    接收所述服务器发送的基于所述配置文件生成的所述动态密钥。Receiving the dynamic key generated by the server based on the configuration file.
  15. 一种计算机可读存储介质,所述计算机可读存储介质存储有计算机可读指令,其 特征在于,所述计算机可读指令被处理器执行时实现如下步骤:A computer readable storage medium storing computer readable instructions, wherein the computer readable instructions, when executed by a processor, implement the following steps:
    获取客户端发送的配置文件,所述配置文件包括基于加密机获取的加密密文和更新时间;Obtaining a configuration file sent by the client, where the configuration file includes an encrypted ciphertext and an update time obtained based on the encryption machine;
    调用所述加密机对所述加密密文进行解密,获取解密后的随机种子和基准时间;Calling the encryption machine to decrypt the encrypted ciphertext, and obtaining the decrypted random seed and the reference time;
    基于所述更新时间和所述基准时间,获取可变因子;Obtaining a variable factor based on the update time and the reference time;
    采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,并将所述动态密钥发送给所述客户端。The dynamic seed generation algorithm is used to process the random seed and the variable factor, obtain a dynamic key, and send the dynamic key to the client.
  16. 如权利要求15所述的计算机可读存储介质,其特征在于,所述基于所述更新时间和所述基准时间,获取可变因子,包括:The computer readable storage medium of claim 15, wherein the obtaining a variable factor based on the update time and the reference time comprises:
    基于当前时间和所述基准时间确定间隔时间;Determining an interval time based on the current time and the reference time;
    采用可变因子计算公式对所述间隔时间和所述更新时间进行计算,获取可变因子,所述可变因子计算公式为可变因子=[t/T]*T,其中,t为所述间隔时间,T为所述更新时间,[]为取整运算。Calculating the interval time and the update time by using a variable factor calculation formula to obtain a variable factor, and the variable factor is calculated as a variable factor=[t/T]*T, where t is the The interval time, T is the update time, and [] is the rounding operation.
  17. 如权利要求16所述的计算机可读存储介质,其特征在于,在所述基于当前时间和所述基准时间确定间隔时间的步骤之后,所述计算机可读指令被处理器执行时还实现如下步骤:A computer readable storage medium according to claim 16 wherein said computer readable instructions are further executed by said processor after said step of determining an interval based on said current time and said reference time :
    若所述间隔时间大于所述更新时间,则生成密钥失效信息,并将所述密钥失效信息发送给所述客户端;If the interval time is greater than the update time, generating key failure information, and sending the key failure information to the client;
    若所述间隔时间不大于所述更新时间,则执行所述采用可变因子计算公式对所述间隔时间和所述更新时间进行计算,获取可变因子的步骤。And if the interval time is not greater than the update time, performing the step of calculating the interval time and the update time by using a variable factor calculation formula to obtain a variable factor.
  18. 如权利要求15所述的计算机可读存储介质,其特征在于,所述采用动态密钥生成算法对所述随机种子和所述可变因子进行处理,获取动态密钥,包括:The computer readable storage medium according to claim 15, wherein the processing the random seed and the variable factor by using a dynamic key generation algorithm to obtain a dynamic key comprises:
    采用单向散列函数对所述随机种子和可变因子进行处理,获取消息摘要;Processing the random seed and the variable factor by using a one-way hash function to obtain a message digest;
    采用所述TOTP算法对所述消息摘要进行处理,获取所述动态密钥。The message digest is processed by using the TOTP algorithm to obtain the dynamic key.
  19. 如权利要求18所述的计算机可读存储介质,其特征在于,所述单向散列函数的公式为X=(H(K XOR opad,H(K XOR ipad,T)),其中,T为所述可变因子,K为所述随机种子,XOR为异或符号,ipad为内部循环参数,opad为外部循环参数;The computer readable storage medium according to claim 18, wherein the one-way hash function has the formula X = (H (K XOR opad, H (K XOR ipad, T)), wherein T is The variable factor, K is the random seed, XOR is an exclusive OR symbol, ipad is an internal loop parameter, and opad is an external loop parameter;
    所述TOTP算法的公式为TOTP(K,T)=Truncate(X)mod 10^d,其中,T为所述可变因子,K为所述随机种子,mod为取模运算,d为自定义动态密钥的长度,X为所述消息摘要。The formula of the TOTP algorithm is TOTP(K,T)=Truncate(X)mod 10^d, where T is the variable factor, K is the random seed, mod is a modulo operation, and d is a custom The length of the dynamic key, X is the message digest.
  20. 一种计算机可读存储介质,所述计算机可读存储介质存储有计算机可读指令,其 特征在于,所述计算机可读指令被处理器执行时实现如下步骤:A computer readable storage medium storing computer readable instructions, wherein the computer readable instructions, when executed by a processor, implement the following steps:
    采用种子生成工具,获取随机种子和基准时间;Use a seed generation tool to obtain random seeds and benchmark time;
    调用加密机对所述随机种子和所述基准时间进行加密,获取加密密文;Invoking an encryption machine to encrypt the random seed and the reference time to obtain an encrypted ciphertext;
    基于所述加密密文和更新时间,获取配置文件,并将所述配置文件发送给服务器;Obtaining a configuration file based on the encrypted ciphertext and an update time, and sending the configuration file to a server;
    接收所述服务器发送的基于所述配置文件生成的所述动态密钥。Receiving the dynamic key generated by the server based on the configuration file.
PCT/CN2018/077474 2018-01-08 2018-02-28 Method for acquiring dynamic key, device, terminal apparatus, and storage medium WO2019134241A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810014135.1A CN108462686B (en) 2018-01-08 2018-01-08 Method and device for acquiring dynamic key, terminal equipment and storage medium
CN201810014135.1 2018-01-08

Publications (1)

Publication Number Publication Date
WO2019134241A1 true WO2019134241A1 (en) 2019-07-11

Family

ID=63220529

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/077474 WO2019134241A1 (en) 2018-01-08 2018-02-28 Method for acquiring dynamic key, device, terminal apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN108462686B (en)
WO (1) WO2019134241A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022257411A1 (en) * 2021-06-09 2022-12-15 深圳前海微众银行股份有限公司 Data processing method and apparatus

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110298941A (en) * 2019-05-21 2019-10-01 杭州海兴电力科技股份有限公司 A kind of disposable temporary password generation method of intelligent door lock
CN111064571B (en) * 2020-01-09 2022-04-22 青岛海信移动通信技术股份有限公司 Communication terminal, server and method for dynamically updating pre-shared key
CN114095920A (en) * 2020-07-29 2022-02-25 阿里巴巴集团控股有限公司 Communication method, system, apparatus, device and storage medium
CN111988143B (en) * 2020-08-28 2024-03-01 百度时代网络技术(北京)有限公司 Key updating method, device, equipment and storage medium
CN112287369A (en) * 2020-11-02 2021-01-29 珠海格力电器股份有限公司 Decryption method, decryption device, computer equipment and storage medium
CN113761551A (en) * 2020-11-18 2021-12-07 北京沃东天骏信息技术有限公司 Key generation method, encryption method, decryption method and device
CN114338095A (en) * 2020-12-04 2022-04-12 深圳市安室智能有限公司 Data encryption transmission method and related device, equipment, medium and program product
CN113507363B (en) * 2021-07-08 2023-08-01 中国建设银行股份有限公司 Data processing method, device, electronic equipment and storage medium
CN117040944B (en) * 2023-10-10 2024-04-26 深圳市旗云智能科技有限公司 Remote signal transmission device of wireless Internet of things

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101699820A (en) * 2009-10-30 2010-04-28 北京飞天诚信科技有限公司 Method and device for authenticating dynamic passwords
CN103051460A (en) * 2013-01-29 2013-04-17 赵忠华 Dynamic token system based on inertial technology and encryption method thereof
CN103905195A (en) * 2012-12-28 2014-07-02 中国电信股份有限公司 User card authentication method and system based on dynamic password
CN104301109A (en) * 2014-09-24 2015-01-21 飞天诚信科技股份有限公司 Working method of dynamic voice token

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100563391C (en) * 2007-09-03 2009-11-25 华为技术有限公司 The method of mobile communications terminal data protection, system and equipment
CN101783800B (en) * 2010-01-27 2012-12-19 华为终端有限公司 Embedded system safety communication method, device and system
CN103548300B (en) * 2011-07-25 2016-10-19 三菱电机株式会社 encryption device and encryption method
CN103067160B (en) * 2013-01-14 2018-05-15 江苏智联天地科技有限公司 A kind of method and system for the dynamic key production for encrypting SD card
CN104506497B (en) * 2014-12-10 2018-02-27 青岛海信电器股份有限公司 A kind of information issuing method and system
CN107154935B (en) * 2017-04-26 2020-09-11 腾讯科技(深圳)有限公司 Service request method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101699820A (en) * 2009-10-30 2010-04-28 北京飞天诚信科技有限公司 Method and device for authenticating dynamic passwords
CN103905195A (en) * 2012-12-28 2014-07-02 中国电信股份有限公司 User card authentication method and system based on dynamic password
CN103051460A (en) * 2013-01-29 2013-04-17 赵忠华 Dynamic token system based on inertial technology and encryption method thereof
CN104301109A (en) * 2014-09-24 2015-01-21 飞天诚信科技股份有限公司 Working method of dynamic voice token

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022257411A1 (en) * 2021-06-09 2022-12-15 深圳前海微众银行股份有限公司 Data processing method and apparatus

Also Published As

Publication number Publication date
CN108462686B (en) 2020-09-04
CN108462686A (en) 2018-08-28

Similar Documents

Publication Publication Date Title
WO2019134241A1 (en) Method for acquiring dynamic key, device, terminal apparatus, and storage medium
US8744076B2 (en) Method and apparatus for encrypting data to facilitate resource savings and tamper detection
US9537657B1 (en) Multipart authenticated encryption
US10439804B2 (en) Data encrypting system with encryption service module and supporting infrastructure for transparently providing encryption services to encryption service consumer processes across encryption service state changes
US10284372B2 (en) Method and system for secure management of computer applications
US8694467B2 (en) Random number based data integrity verification method and system for distributed cloud storage
US11487908B2 (en) Secure memory
CN107078904B (en) Hybrid cryptographic key derivation
US20040111600A1 (en) Deriving keys used to securely process electronic messages
US20200372183A1 (en) Digitally Signing Software Packages With Hash Values
JP2001514834A (en) Secure deterministic cryptographic key generation system and method
KR20080025121A (en) Generating a secret key from an asymmetric private key
CN110781140B (en) Method, device, computer equipment and storage medium for signing data in blockchain
US20230325516A1 (en) Method for file encryption, terminal, electronic device and computer-readable storage medium
WO2021114850A1 (en) Method and apparatus for encrypting and decrypting and reading and writing messages, computer device, and storage medium
US9367700B2 (en) System and method for establishing a shared secret for communication between different security domains
US20200396054A1 (en) Secure Memory Read
US8832450B2 (en) Methods and apparatus for data hashing based on non-linear operations
Abela et al. Secure Implementation of a Quantum-Future GAKE Protocol
CN108880785B (en) Method, device, terminal and readable medium for detecting C + + virtual table quilt hook
WO2021044465A1 (en) Encrypting device, decrypting device, computer program, encryption method, decryption method, and data structure
US20240056295A1 (en) Verifiable remote resource management for cryptographic devices
Sahi et al. Parallel encryption mode for probabilistic scheme to secure data in the cloud
SIEMENS FIPS 140-2 Security Policy
Paul et al. An introduction to security challenges in user-facing cryptographic software

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18898092

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 13.10.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18898092

Country of ref document: EP

Kind code of ref document: A1