WO2020155812A1 - Data storage method and device, and apparatus - Google Patents

Data storage method and device, and apparatus Download PDF

Info

Publication number
WO2020155812A1
WO2020155812A1 PCT/CN2019/120669 CN2019120669W WO2020155812A1 WO 2020155812 A1 WO2020155812 A1 WO 2020155812A1 CN 2019120669 W CN2019120669 W CN 2019120669W WO 2020155812 A1 WO2020155812 A1 WO 2020155812A1
Authority
WO
WIPO (PCT)
Prior art keywords
subkey
master key
data
user
key
Prior art date
Application number
PCT/CN2019/120669
Other languages
French (fr)
Chinese (zh)
Inventor
应鹏飞
殷山
Original Assignee
阿里巴巴集团控股有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司 filed Critical 阿里巴巴集团控股有限公司
Publication of WO2020155812A1 publication Critical patent/WO2020155812A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107File encryption

Definitions

  • the embodiments of this specification relate to the field of information technology, and in particular to a data storage method, device, and equipment.
  • an embodiment of this specification provides a data storage method, including:
  • an embodiment of this specification provides a decryption method based on the above double-layer encrypted file, including:
  • an embodiment of this specification also provides a data storage device, including:
  • the subkey encryption module obtains a randomly generated subkey, symmetrically encrypts the data to be stored using the subkey, and generates subkey encrypted data;
  • the master key encryption module obtains a master key generated based on user information, and uses the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, wherein the user information includes user password or user biometric information ;
  • the merging module merges the sub-key encrypted data and the sub-key ciphertext to generate a double-layer encrypted file
  • the storage module stores the double-layer encrypted file.
  • an embodiment of this specification also provides a decryption device based on the aforementioned double-layer encrypted file, including:
  • the determining module determines the subkey encrypted data and the subkey ciphertext contained in the double-layer encrypted file
  • the master key decryption module obtains the master key authorized by the user, uses the master key to decrypt the subkey ciphertext, and generates a subkey, wherein the master key is generated based on user information;
  • the subkey decryption module uses the generated subkey to decrypt the subkey encrypted data and generates usable decrypted data for the user to use.
  • multiple data is encrypted by the subkey, and the subkey is encrypted by the master key at the same time, so as to merge to form a double-layer encrypted file.
  • Each double-layer encrypted file contains the subkey secret used to decrypt the data.
  • the master key used to decrypt the sub-key ciphertext is stored in the user's hands, forming an independent dual-key encryption method, which reduces the possibility of information leakage and helps protect user privacy.
  • any one of the embodiments of the present specification does not need to achieve all the above-mentioned effects.
  • FIG. 1 is a schematic flowchart of a data storage method provided by an embodiment of this specification
  • Figure 2 is a schematic diagram of an overall architecture involved in an embodiment of the specification
  • FIG. 3 is a schematic flowchart of a method for decrypting a double-layer encrypted file provided by an embodiment of this specification
  • Figure 4 is a schematic structural diagram of a data storage device provided by an embodiment of this specification.
  • FIG. 5 is a schematic structural diagram of a decryption device for double-layer encrypted files provided by an embodiment of this specification
  • Fig. 6 is a schematic structural diagram of a device for configuring the method of the embodiment of this specification.
  • Fig. 1 is a schematic flowchart of a data storage method provided by an embodiment of this specification. As shown in Fig. 1, the process specifically includes the following steps:
  • the data to be stored can be provided by the user immediately; it can also be a file that the user has uploaded and stored in a specified path.
  • the specified path here can include the local path of the user device or The path on the server that connects with the user client.
  • the data may include various forms of data such as audio, video, text, image (such as picture, dynamic picture GIF, etc.).
  • S103 Obtain a randomly generated subkey, use the subkey to symmetrically encrypt the data to be stored, and generate subkey encrypted data.
  • the subkey is a parameter in the preset encryption algorithm.
  • the form of the subkey is a character string. When a symmetric encryption algorithm is used, its length is generally 128 bits or 256 bits.
  • the encryption algorithm is used to convert the data to be stored from plain text to cipher text to generate sub-key encrypted data.
  • the encryption algorithm is a symmetric encryption algorithm. In other words, based on the subkey, the generated subkey can encrypt data and convert it back to the plaintext form of the data to be stored.
  • S105 Obtain a master key generated based on user information, and use the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, where the user information includes a user password or user biometric information.
  • the subkey is also required for subsequent decryption.
  • the subkey is also in a plaintext state. Therefore, the subkey can also be symmetrically encrypted to generate the subkey ciphertext.
  • a preset key derivation function may be used to generate a master key based on user information. Then use the master key to encrypt the subkey to obtain the subkey ciphertext.
  • the master key can be encrypted based on DEs-based UNIX Crypt-function, FreeBSD MD5 crpty, PKCS#5 PBKDF2, GNU SHA-256/512 crypt, Windows NT LAN Manager (NTLM) hash, or Blowfish-based bcrypt.
  • NTLM Windows NT LAN Manager
  • the same master key can be obtained. Therefore, when the master key needs to be used again, the user can directly provide the master key, or the user provides the same user information again, and the preset key derivation function generates the same master key based on the same user information.
  • the master key should have the following properties: it is very unlikely that other users will get the master key. Therefore, in practical applications, it is possible to ensure that it is difficult for other users to obtain the master key by the following methods: the generated master key is held by the user and stored in a path or file that only the user can reach, for example, the generated master key The master key is physically isolated from other data; or, the generated master key is not saved, only the user can reproduce the master key again. At this time, an practicable way is to generate a master key based on unique user information, and it is very unlikely that other users will obtain the user information. For example, the user's account password, or the user's biometric information, etc. The biometric information may include unique biometrics such as fingerprints, voiceprints, iris, etc. In this way, when the master key needs to be used again, the above-mentioned unique biological characteristics can be used as parameters to generate the same master key based on the same KDF function.
  • S107 Combine the sub-key encrypted data and the sub-key cipher text to generate a double-layer encrypted file, and store it.
  • FIG. 2 is a schematic diagram of an overall architecture involved in an embodiment of the specification.
  • the user has stored the ID card information in the form of a double-layer encrypted file through his personal master key.
  • H in the figure represents the file header of the double-layer encrypted file, which is the subkey ciphertext obtained after the main key encrypts the subkey.
  • the file header in addition to the subkey ciphertext, other information may also be included. For example, it may also include the name of the encryption algorithm used when the subkey encrypts the data to be stored for prompting.
  • different encrypted files are encrypted with different subkeys, so the file headers are also different.
  • the user stores the information on a designated cloud disk. In practical applications, it is also feasible to store the information on the user's local device.
  • obtaining a randomly generated subkey includes: randomly obtaining multiple different subkeys for each data to be stored. For example, when users need to store their ID cards, driving licenses, and social files separately. Then every time a file is obtained, a random subkey can be generated based on the system time when the file is obtained. Using different subkeys for different files can further enhance data security.
  • the same master key generated based on user information can also be obtained; the same master key is used to symmetrically encrypt multiple subkeys, and generate Multiple sub-key ciphertexts generated by the same master key encryption, wherein the sub-key ciphertext corresponds to the data to be stored in a one-to-one correspondence.
  • the advantage of using the same master key to encrypt multiple subkeys is that it is convenient for user management. For example, when the user's double-layer encrypted file is stored in the cloud, the user can use a master key to log in, add encrypted files, delete encrypted files, etc., to manage multiple files in the cloud. In addition, users can also use multiple encrypted files by authorizing a master key to a third party.
  • the sub-key encrypted data and the sub-key cipher text can be directly spliced, or one file can be inserted into another file. For example, place the subkey ciphertext at the head, tail, or the middle position of the specified offset of the subkey encrypted data.
  • the format of the double-layer encrypted file can be pre-defined as "file header + file body", in which the file header with a certain length is preset, the subkey ciphertext is placed in the file header, and the file body is placed with the subkey Encrypt data. Therefore, when decryption is needed, the file header can be directly decrypted by the subkey to obtain the subkey ciphertext, which is convenient for decryption and subsequent use.
  • FIG. 3 is a method provided by an embodiment of this specification.
  • the schematic flow diagram of the decryption method for double-layer encrypted files includes:
  • S301 Determine the sub-key encrypted data and the sub-key cipher text contained in the double-layer encrypted file; for example, directly read the sub-key encrypted data and the sub-key cipher text from the file header and file body of the double-layer encrypted file;
  • S305 Use the generated subkey to decrypt the subkey encrypted data, and generate usable decrypted data for the user to use.
  • the master key and subkey can be used directly for symmetric decryption in the embodiments of this specification.
  • the data storage party for example, the cloud storing the data
  • the authorization object of the master key can be the user himself, for example, when the user logs in to the account successfully, the authorization is successful by default.
  • the authorized object of the master key may also be a third party. For example, when a user uses some third-party applications, the third-party application is allowed to use his own master key to perform certain specific authority operations, including query, verification, and so on.
  • a program application APP for data storage methods is provided in the user's local device (which may include a smart phone, a personal computer, a smart tablet, etc.), and the user
  • An account is established on the APP, and the APP creates a master key through the user's login password or the user's biological characteristics (fingerprints, voiceprints, etc.). Therefore, when the user uses the login password or biometrics, the master key is uniquely determined.
  • the user can provide the file he wants to encrypt in the interface provided by the APP by dragging, selecting, and other operations in the interface .
  • the APP randomly generates a subkey for encryption at this time to encrypt the file.
  • the master key encrypts the subkey to obtain the subkey ciphertext, and puts the subkey ciphertext in the head to generate an encrypted double-layer file.
  • the APP can receive instructions from the user to determine the storage location; or, provide corresponding location setting options to store the encrypted double-layer file in the storage location selected by the user in advance.
  • the storage location can be in the user's local device or in the server docking with the APP.
  • the user can authorize the master key to provide the third party with the master key when verification is required, so that the third party can rely on the master key.
  • the key authorization goes to the server to request, and the server decrypts the user's personal information based on the master key, and performs the verification.
  • the user only needs to use a master key to manage multiple data; on the other hand, the user only needs to store personal data in encrypted form on the server, without the need for third parties (in fact, the first The number of three parties is quite large) Provide their own private information to avoid the leakage of their own data by third parties.
  • FIG. 4 is a schematic structural diagram of a data storage device provided by an embodiment of this specification, the device includes:
  • the determining module 401 determines the data to be stored
  • the subkey encryption module 403 obtains a randomly generated subkey, uses the subkey to symmetrically encrypt the data to be stored, and generates subkey encrypted data;
  • the master key encryption module 405 obtains a master key generated based on user information, and uses the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, wherein the user information includes a user password or user biometric characteristics information;
  • the merging module 407 merges the sub-key encrypted data and the sub-key ciphertext to generate a double-layer encrypted file
  • the storage module 409 stores the double-layer encrypted file.
  • the master key encryption module 405 obtains a master key generated in advance according to user information from a path specified by the user; or, obtains user information, and uses a preset key derivation function to generate a master key based on the user information. key.
  • subkey encryption module 403 randomly obtains multiple different subkeys for each data to be stored.
  • the master key encryption module 405 obtains the same master key generated based on user information; uses the same master key to symmetrically encrypt multiple sub-keys respectively, and generates multiple sub-key secrets generated based on the same master key encryption.
  • the ciphertext of the subkey corresponds to the data to be stored.
  • the merging module 407 uses the subkey ciphertext as a file header, merges the subkey encrypted data, and generates a double-layer encrypted file whose file header does not exceed a preset length.
  • an embodiment of this specification also provides a decryption device for double-layer encrypted files, as shown in FIG. 5, which is a schematic structural diagram of a decryption device for double-layer encrypted files provided by the embodiment of this specification ,include:
  • the determining module 501 determines the subkey encrypted data and the subkey ciphertext contained in the double-layer encrypted file
  • the master key decryption module 503 obtains a master key authorized by the user, uses the master key to decrypt the subkey ciphertext, and generates a subkey, wherein the master key is generated based on user information;
  • the subkey decryption module 505 uses the generated subkey to decrypt the subkey encrypted data to generate usable decrypted data for the user to use.
  • the embodiment of this specification also provides a computer device, which at least includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, wherein the processor implements the data shown in FIG. 1 when the program is executed. Storage method.
  • FIG. 6 shows a more specific hardware structure diagram of a computing device provided by an embodiment of this specification.
  • the device may include a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050.
  • the processor 1010, the memory 1020, the input/output interface 1030, and the communication interface 1040 realize the communication connection between each other in the device through the bus 1050.
  • the processor 1010 may be implemented by a general CPU (Central Processing Unit, central processing unit), microprocessor, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc., for execution related Program to realize the technical solutions provided in the embodiments of this specification.
  • CPU Central Processing Unit
  • ASIC Application Specific Integrated Circuit
  • the memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory, random access memory), static storage device, dynamic storage device, etc.
  • the memory 1020 may store an operating system and other application programs. When the technical solutions provided in the embodiments of the present specification are implemented through software or firmware, related program codes are stored in the memory 1020 and called and executed by the processor 1010.
  • the input/output interface 1030 is used to connect an input/output module to realize information input and output.
  • the input/output/module can be configured in the device as a component (not shown in the figure), or can be connected to the device to provide corresponding functions.
  • the input device may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and an output device may include a display, a speaker, a vibrator, an indicator light, and the like.
  • the communication interface 1040 is used to connect a communication module (not shown in the figure) to realize the communication interaction between the device and other devices.
  • the communication module can realize communication through wired means (such as USB, network cable, etc.), or through wireless means (such as mobile network, WIFI, Bluetooth, etc.).
  • the bus 1050 includes a path for transmitting information between various components of the device (for example, the processor 1010, the memory 1020, the input/output interface 1030, and the communication interface 1040).
  • the above device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040, and the bus 1050, in the specific implementation process, the device may also include the equipment necessary for normal operation. Other components.
  • the above-mentioned device may also include only the components necessary to implement the solutions of the embodiments of this specification, and not necessarily include all the components shown in the figures.
  • the embodiment of this specification also provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the data storage method shown in FIG. 1 is implemented.
  • Computer-readable media includes permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
  • a typical implementation device is a computer.
  • the specific form of the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email receiving and sending device, and a game control A console, a tablet computer, a wearable device, or a combination of any of these devices.

Abstract

Disclosed are a data storage method and device, and an apparatus. The method comprises: during data storage, encrypting multiple pieces of data by means of a subkey, and encrypting the subkey by means of a master key, so as to perform merging to form double-layer encrypted files, wherein each double-layer encrypted file contains a subkey ciphertext for data decryption, and the master key for decrypting the subkey ciphertext is kept by a user, thereby achieving an encryption technique employing two independent keys for data storage.

Description

一种数据存储方法、装置及设备Data storage method, device and equipment 技术领域Technical field
本说明书实施例涉及信息技术领域,尤其涉及一种数据存储方法、装置及设备。The embodiments of this specification relate to the field of information technology, and in particular to a data storage method, device, and equipment.
背景技术Background technique
当前的用户数据一般而言,存储于云盘、PC或者手机端等等,用户可以方便地存取或者读取数据。Generally speaking, current user data is stored in a cloud disk, PC or mobile phone, etc., and users can access or read the data conveniently.
用户存储的数据中,很多经常是个人的隐私数据,例如身份信息、社交信息、业务信息等等。在存储数据时,一方面存在黑客的外部威胁,另一方面也有可能企业内部错误操作导致收集的用户隐私数据外泄。每一次数据外泄都有可能关系到用户的隐私,影响到用户的核心利益。Many of the data stored by users are often personal private data, such as identity information, social information, business information, and so on. When storing data, on the one hand, there are external threats from hackers, on the other hand, it is also possible that internal misoperation of the enterprise may cause the leakage of collected user privacy data. Every data leakage may affect the privacy of users and affect the core interests of users.
基于此,需要一种更为安全的数据存储方法。Based on this, a more secure data storage method is needed.
发明内容Summary of the invention
针对现有数据存储发生数据泄露对用户隐私的侵犯问题,为实现更安全的数据存储,保护用户隐私,本说明书实施例提供更为安全的数据存储方案。第一方面,本说明书实施例提供一种数据存储方法,包括:In view of the infringement of user privacy caused by data leakage in existing data storage, in order to achieve safer data storage and protect user privacy, the embodiments of this specification provide a more secure data storage solution. In the first aspect, an embodiment of this specification provides a data storage method, including:
确定待存储数据;Determine the data to be stored;
获取随机生成的子密钥,采用所述子密钥对称加密所述待存储数据,生成子钥加密数据;Obtaining a randomly generated subkey, symmetrically encrypting the data to be stored using the subkey, and generating subkey encrypted data;
获取基于用户信息生成的主密钥,采用所述主密钥对称加密所述子密钥,生成子钥密文,其中,所述用户信息包括用户密码或者用户生物特征信息;Obtain a master key generated based on user information, and use the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, wherein the user information includes a user password or user biometric information;
合并所述子钥加密数据和子钥密文,生成双层加密文件,并存储。Combine the sub-key encrypted data and the sub-key cipher text to generate a double-layer encrypted file and store it.
第二方面,本说明书实施例提供一种基于上述双层加密文件的解密方法,包括:In the second aspect, an embodiment of this specification provides a decryption method based on the above double-layer encrypted file, including:
确定所述双层加密文件中所包含的子钥加密数据和子钥密文;Determining the subkey encrypted data and the subkey ciphertext contained in the double-layer encrypted file;
获取用户授权的主密钥,使用所述主密钥解密所述子钥密文,生成子密钥,其中,所述主密钥基于用户信息生成;Obtaining a master key authorized by the user, decrypting the subkey ciphertext using the master key, and generating a subkey, wherein the master key is generated based on user information;
使用所述生成的子密钥解密所述子钥加密数据,生成可用的解密数据,以便用户使用。Use the generated subkey to decrypt the subkey encrypted data, and generate usable decrypted data for the user to use.
与第一方面的方法相对应的,本说明书实施例还提供一种数据存储装置,包括:Corresponding to the method of the first aspect, an embodiment of this specification also provides a data storage device, including:
确定模块,确定待存储数据;Determine the module to determine the data to be stored;
子密钥加密模块,获取随机生成的子密钥,采用所述子密钥对称加密所述待存储数据,生成子钥加密数据;The subkey encryption module obtains a randomly generated subkey, symmetrically encrypts the data to be stored using the subkey, and generates subkey encrypted data;
主密钥加密模块,获取基于用户信息生成的主密钥,采用所述主密钥对称加密所述子密钥,生成子钥密文,其中,所述用户信息包括用户密码或者用户生物特征信息;The master key encryption module obtains a master key generated based on user information, and uses the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, wherein the user information includes user password or user biometric information ;
合并模块,合并所述子钥加密数据和子钥密文,生成双层加密文件;The merging module merges the sub-key encrypted data and the sub-key ciphertext to generate a double-layer encrypted file;
存储模块,存储所述双层加密文件。The storage module stores the double-layer encrypted file.
与第二方面方法相对应的,本说明书实施例还提供一种基于前述双层加密文件的解密装置,包括:Corresponding to the method of the second aspect, an embodiment of this specification also provides a decryption device based on the aforementioned double-layer encrypted file, including:
确定模块,确定所述双层加密文件中所包含的子钥加密数据和子钥密文;The determining module determines the subkey encrypted data and the subkey ciphertext contained in the double-layer encrypted file;
主密钥解密模块,获取用户授权的主密钥,使用所述主密钥解密所述子钥密文,生成子密钥,其中,所述主密钥基于用户信息生成;The master key decryption module obtains the master key authorized by the user, uses the master key to decrypt the subkey ciphertext, and generates a subkey, wherein the master key is generated based on user information;
子密钥解密模块,使用所述生成的子密钥解密所述子钥加密数据,生成可用的解密数据,以便用户使用。The subkey decryption module uses the generated subkey to decrypt the subkey encrypted data and generates usable decrypted data for the user to use.
在数据存储时,通过子密钥多数据进行加密,同时采用主密钥对子密钥进行加密,从而合并形成双层加密文件,每个双层加密文件中包含有用于解密数据的子钥密文,而用于解密子钥密文的主密钥则保存在用户手中,形成独立双密钥的加密方式,降低了信息泄露的可能,有利于保护用户隐私。During data storage, multiple data is encrypted by the subkey, and the subkey is encrypted by the master key at the same time, so as to merge to form a double-layer encrypted file. Each double-layer encrypted file contains the subkey secret used to decrypt the data. The master key used to decrypt the sub-key ciphertext is stored in the user's hands, forming an independent dual-key encryption method, which reduces the possibility of information leakage and helps protect user privacy.
应当理解的是,以上的一般描述和后文的细节描述仅是示例性和解释性的,并不能限制本说明书实施例。It should be understood that the above general description and the following detailed description are only exemplary and explanatory, and cannot limit the embodiments of this specification.
此外,本说明书实施例中的任一实施例并不需要达到上述的全部效果。In addition, any one of the embodiments of the present specification does not need to achieve all the above-mentioned effects.
附图说明Description of the drawings
为了更清楚地说明本说明书实施例或现有技术中的技术方案,下面将对实施例或现 有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本说明书实施例中记载的一些实施例,对于本领域普通技术人员来讲,还可以根据这些附图获得其他的附图。In order to more clearly explain the technical solutions in the embodiments of this specification or the prior art, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, the drawings in the following description are only These are some of the embodiments described in the embodiments of this specification. For those of ordinary skill in the art, other drawings can be obtained from these drawings.
图1是本说明书实施例提供的一种数据存储方法的流程示意图;FIG. 1 is a schematic flowchart of a data storage method provided by an embodiment of this specification;
图2为本说明书实施例所涉及的一种整体架构示意图;Figure 2 is a schematic diagram of an overall architecture involved in an embodiment of the specification;
图3为本说明书实施例所提供的一种双层加密文件的解密方法的流程示意图;3 is a schematic flowchart of a method for decrypting a double-layer encrypted file provided by an embodiment of this specification;
图4是本说明书实施例提供的一种数据存储装置的结构示意图;Figure 4 is a schematic structural diagram of a data storage device provided by an embodiment of this specification;
图5是本说明书实施例提供的一种双层加密文件的解密装置的结构示意图;FIG. 5 is a schematic structural diagram of a decryption device for double-layer encrypted files provided by an embodiment of this specification;
图6是用于配置本说明书实施例方法的一种设备的结构示意图。Fig. 6 is a schematic structural diagram of a device for configuring the method of the embodiment of this specification.
具体实施方式detailed description
为了使本领域技术人员更好地理解本说明书实施例中的技术方案,下面将结合本说明书实施例中的附图,对本说明书实施例中的技术方案进行详细地描述,显然,所描述的实施例仅仅是本说明书的一部分实施例,而不是全部的实施例。基于本说明书中的实施例,本领域普通技术人员所获得的所有其他实施例,都应当属于保护的范围。In order to enable those skilled in the art to better understand the technical solutions in the embodiments of this specification, the technical solutions in the embodiments of this specification will be described in detail below in conjunction with the drawings in the embodiments of this specification. Obviously, the described implementation The examples are only a part of the embodiments in this specification, not all the embodiments. Based on the embodiments in this specification, all other embodiments obtained by a person of ordinary skill in the art should fall within the scope of protection.
以下结合附图,详细说明本说明书各实施例提供的技术方案。图1是本说明书实施例提供的一种数据存储方法的流程示意图,如图1所示,该流程具体包括如下步骤:The technical solutions provided by the embodiments of this specification will be described in detail below with reference to the drawings. Fig. 1 is a schematic flowchart of a data storage method provided by an embodiment of this specification. As shown in Fig. 1, the process specifically includes the following steps:
S101,确定待存储数据。S101: Determine data to be stored.
在本说明书实施例中,待存储数据可以是由用户即时提供的;也可以是用户已经上传并存储于指定的路径下的文件,此处指定的路径可以包括用户设备本地的路径,也可以是与用户客户端对接的服务端上的路径。所述数据可以包括音频、视频、文本、图像(如图片、动态图片GIF等)等等各种形式的数据。In the embodiments of this specification, the data to be stored can be provided by the user immediately; it can also be a file that the user has uploaded and stored in a specified path. The specified path here can include the local path of the user device or The path on the server that connects with the user client. The data may include various forms of data such as audio, video, text, image (such as picture, dynamic picture GIF, etc.).
S103,获取随机生成的子密钥,采用所述子密钥对称加密所述待存储数据,生成子钥加密数据。S103: Obtain a randomly generated subkey, use the subkey to symmetrically encrypt the data to be stored, and generate subkey encrypted data.
子密钥是预设加密算法中的一种参数,子密钥的形式为一个字符串,在使用对称加密算法中,其长度一般为128位或者256位。The subkey is a parameter in the preset encryption algorithm. The form of the subkey is a character string. When a symmetric encryption algorithm is used, its length is generally 128 bits or 256 bits.
该加密算法用于将待存储数据由明文转换为密文,生成子钥加密数据,在本说明书实施例中,该加密算法为对称加密算法。换言之,还可以基于该子密钥,将生成的子钥 加密数据,转换回待存储数据的明文形式。The encryption algorithm is used to convert the data to be stored from plain text to cipher text to generate sub-key encrypted data. In the embodiment of this specification, the encryption algorithm is a symmetric encryption algorithm. In other words, based on the subkey, the generated subkey can encrypt data and convert it back to the plaintext form of the data to be stored.
S105,获取基于用户信息生成的主密钥,采用所述主密钥对称加密所述子密钥,生成子钥密文,其中,所述用户信息包括用户密码或者用户生物特征信息。S105. Obtain a master key generated based on user information, and use the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, where the user information includes a user password or user biometric information.
在前述步骤中,以后解密时还需要用子密钥。而此时的子密钥也是处于明文状态,因此,还可以对子密钥进行对称加密,生成子钥密文。In the foregoing steps, the subkey is also required for subsequent decryption. At this time, the subkey is also in a plaintext state. Therefore, the subkey can also be symmetrically encrypted to generate the subkey ciphertext.
具体而言,可以先采用预设的密钥派生函数(Key derivation function,KDF)基于用户信息生成主密钥。然后再使用主密钥加密所述子密钥得到子钥密文。例如,可以基于DEs-based UNIX Crypt-function、FreeBSD MD5 crpty、PKCS#5 PBKDF2、GNU SHA-256/512 crypt、Windows NT LAN Manager(NTLM)hash或者Blowfish-based bcrypt等算法加密生成主密钥。对于主密钥和子密钥而言,二者均为密钥派生函数生成,所采用的派生函数可以相同,也可以不同。Specifically, a preset key derivation function (KDF) may be used to generate a master key based on user information. Then use the master key to encrypt the subkey to obtain the subkey ciphertext. For example, the master key can be encrypted based on DEs-based UNIX Crypt-function, FreeBSD MD5 crpty, PKCS#5 PBKDF2, GNU SHA-256/512 crypt, Windows NT LAN Manager (NTLM) hash, or Blowfish-based bcrypt. For the master key and the subkey, both are generated by the key derivation function, and the derivation function used can be the same or different.
对于生成主密钥的密钥派生函数而言,在输入的参数相同时,则可以得到相同的主密钥。因此,在需要再次使用主密钥时,可以由用户直接提供该主密钥,或者,用户再次提供同一用户信息,预设的密钥派生函数根据该同一用户信息生成同一主密钥。For the key derivation function that generates the master key, when the input parameters are the same, the same master key can be obtained. Therefore, when the master key needs to be used again, the user can directly provide the master key, or the user provides the same user information again, and the preset key derivation function generates the same master key based on the same user information.
主密钥应具有如下性质:其它用户得到主密钥的可能性很小。因此,在实际应用中,可以通过如下方式来保证其他用户难以得到该主密钥:生成的主密钥由用户执有,并存储在只有该用户可以到达的路径或者文件中,例如,生成的主密钥与其它数据是物理隔绝的;或者,生成的主密钥不进行保存,只需用户可以再次复现该主密钥即可。此时,一种可实施的方式为,基于具有唯一性的用户信息生成主密钥,其它用户获得该用户信息的可能性很小。例如,用户的账号密码,或者用户的生物特征信息等等。所述的生物特征信息可以包括指纹、声纹、虹膜等等具有唯一性的生物特征。在这种方式下,当需要再次使用该主密钥时,则可以将上述具有唯一性的生物特征作为参数,基于同样的KDF函数生成同一主密钥。The master key should have the following properties: it is very unlikely that other users will get the master key. Therefore, in practical applications, it is possible to ensure that it is difficult for other users to obtain the master key by the following methods: the generated master key is held by the user and stored in a path or file that only the user can reach, for example, the generated master key The master key is physically isolated from other data; or, the generated master key is not saved, only the user can reproduce the master key again. At this time, an practicable way is to generate a master key based on unique user information, and it is very unlikely that other users will obtain the user information. For example, the user's account password, or the user's biometric information, etc. The biometric information may include unique biometrics such as fingerprints, voiceprints, iris, etc. In this way, when the master key needs to be used again, the above-mentioned unique biological characteristics can be used as parameters to generate the same master key based on the same KDF function.
进一步地,在使用具有唯一性的用户信息生成主密钥时,还可以加入一些其它变量作为密钥派生函数的参数。例如,加入用于提醒的助记词作为变量,助记词的形式可以是一个字符,或者一个单词等等,在以后需要再次生成主密钥时,获取该助记词以及用户信息生成主密钥。或者,在第一次生成主密钥时,加入随机数作为变量,并且保存该随机数至本地设备。在以后需要再次生成主密钥时,获取该随机数和用户信息生成主密钥。例如,主密钥=KDF(用户密码+随机数+助记词)。Further, when using unique user information to generate the master key, some other variables can be added as parameters of the key derivation function. For example, adding a mnemonic word for reminding as a variable, the form of the mnemonic word can be a character, or a word, etc., when the master key needs to be generated again in the future, the mnemonic word and user information are obtained to generate the master password key. Or, when the master key is generated for the first time, a random number is added as a variable, and the random number is saved to the local device. When the master key needs to be generated again in the future, the random number and user information are obtained to generate the master key. For example, the master key = KDF (user password + random number + mnemonic phrase).
S107,合并所述子钥加密数据和子钥密文,生成双层加密文件,并存储。S107: Combine the sub-key encrypted data and the sub-key cipher text to generate a double-layer encrypted file, and store it.
可以基于预设的合并方式,对子钥加密数据和子钥密文进行诸如拼接、插入等等操作,生成双层加密文件,并存储至用户所指定的位置即可。在双层加密文件中,二者的顺序以及各式也无需限定,只需在获得该加密文件中可以分别得到子钥加密数据和子钥密文即可。如图2所示,图2为本说明书实施例所涉及的一种整体架构示意图。在该示意图中,用户通过自己的个人主密钥将身份证信息以双层加密文件的形式进行了存储。其中,图中的H表示双层加密文件的文件头,该文件头即为主密钥对子密钥加密后得到的子钥密文。以及,在文件头中,除子钥密文以外,还可以包含其它的信息,例如,还可以包含子密钥对待存储数据进行加密时所使用的加密算法的名称,用于提示。图中,不同的加密文件由于采用不同的子密钥进行了加密,因此,各文件头也并不相同。在该示意图中,用户将信息存储至指定云盘,在实际应用中,存储至用户本地设备也是可行的。You can perform operations such as splicing, inserting, etc. on the sub-key encrypted data and the sub-key ciphertext based on the preset merging method to generate a double-layer encrypted file and store it in the location specified by the user. In the double-layer encrypted file, the order and the types of the two do not need to be limited, as long as the sub-key encrypted data and the sub-key cipher text can be obtained in the encrypted file. As shown in FIG. 2, FIG. 2 is a schematic diagram of an overall architecture involved in an embodiment of the specification. In this schematic diagram, the user has stored the ID card information in the form of a double-layer encrypted file through his personal master key. Among them, H in the figure represents the file header of the double-layer encrypted file, which is the subkey ciphertext obtained after the main key encrypts the subkey. And, in the file header, in addition to the subkey ciphertext, other information may also be included. For example, it may also include the name of the encryption algorithm used when the subkey encrypts the data to be stored for prompting. In the figure, different encrypted files are encrypted with different subkeys, so the file headers are also different. In this schematic diagram, the user stores the information on a designated cloud disk. In practical applications, it is also feasible to store the information on the user's local device.
本说明书实施例所提供的方案,在数据存储时,通过子密钥多数据进行加密,同时采用主密钥对子密钥进行加密,从而合并形成双层加密文件,每个双层加密文件中包含有用于解密数据的子钥密文,而用于子钥密文解密的主密钥则保存在用户手中,形成独立双密钥的加密方式,降低了信息泄露的可能,有利于保护用户隐私。In the solution provided by the embodiment of this specification, when data is stored, multiple data is encrypted by the subkey, and the subkey is encrypted by the master key at the same time, so as to combine to form a double-layer encrypted file. Contains the sub-key ciphertext used to decrypt data, and the master key used to decrypt the sub-key ciphertext is stored in the user's hands, forming an independent dual-key encryption method, which reduces the possibility of information leakage and helps protect user privacy .
在一种具体的实施方式下,当所述待存储数据为多个时,获取随机生成的子密钥,包括:对每个待存储数据,分别随机获取不同的多个子密钥。例如,当用户需要分别存储自己的身份证、驾照、社交文件时。则每得到一个文件,就可以基于获取文件的系统时间,生成一个随机子密钥。对不同的文件使用不同的子密钥,可以进一步加强数据的安全性。In a specific implementation, when there are multiple data to be stored, obtaining a randomly generated subkey includes: randomly obtaining multiple different subkeys for each data to be stored. For example, when users need to store their ID cards, driving licenses, and social files separately. Then every time a file is obtained, a random subkey can be generated based on the system time when the file is obtained. Using different subkeys for different files can further enhance data security.
在一种具体的实施方式下,当所述待存储数据为多个时,还可以获取同一基于用户信息生成的主密钥;用所述同一主密钥分别对称加密多个子密钥,生成基于同一主钥加密生成的多个子钥密文,其中,子钥密文和待存储数据一一对应。使用同一主密钥加密多个子密钥的有利之处在于,便于用户管理。例如,当用户的双层加密文件存储在云端时,则用户可以通过一个主密钥实现登录、新增加密文件、删除加密文件等等操作,来管理云端的多个文件。并且,用户还可以通过对第三方授权一个主密钥来实现对多个加密文件的使用。In a specific implementation, when there are multiple data to be stored, the same master key generated based on user information can also be obtained; the same master key is used to symmetrically encrypt multiple subkeys, and generate Multiple sub-key ciphertexts generated by the same master key encryption, wherein the sub-key ciphertext corresponds to the data to be stored in a one-to-one correspondence. The advantage of using the same master key to encrypt multiple subkeys is that it is convenient for user management. For example, when the user's double-layer encrypted file is stored in the cloud, the user can use a master key to log in, add encrypted files, delete encrypted files, etc., to manage multiple files in the cloud. In addition, users can also use multiple encrypted files by authorizing a master key to a third party.
在一种具体的实施方式下,合并文件时,可以将子钥加密数据和子钥密文直接进行拼接,或者将一个文件插入进另一个文件。例如,将子钥密文置于子钥加密数据的头部、 尾部、或者指定偏移量的中间位置等等。在实际应用中,可以预先定义双层加密文件的格式为“文件头+文件体”,其中预设不超过一定长度的文件头,将子钥密文放置文件头中,文件体则放置子钥加密数据。从而,在需要解密的时候,可以对文件头直接进行子钥解密得到子钥密文,方便解密和后续使用。In a specific implementation, when merging files, the sub-key encrypted data and the sub-key cipher text can be directly spliced, or one file can be inserted into another file. For example, place the subkey ciphertext at the head, tail, or the middle position of the specified offset of the subkey encrypted data. In practical applications, the format of the double-layer encrypted file can be pre-defined as "file header + file body", in which the file header with a certain length is preset, the subkey ciphertext is placed in the file header, and the file body is placed with the subkey Encrypt data. Therefore, when decryption is needed, the file header can be directly decrypted by the subkey to obtain the subkey ciphertext, which is convenient for decryption and subsequent use.
在基于上述方式生成双层加密文件之后,在本说明书方案的第二方面,还提供基于上述双层加密文件的解密方法,如图3所示,图3为本说明书实施例所提供的一种双层加密文件的解密方法的流程示意图,包括:After the double-layer encrypted file is generated based on the above-mentioned method, in the second aspect of the solution of this specification, a decryption method based on the above-mentioned double-layer encrypted file is also provided, as shown in FIG. 3, which is a method provided by an embodiment of this specification. The schematic flow diagram of the decryption method for double-layer encrypted files includes:
S301,确定所述双层加密文件中所包含的子钥加密数据和子钥密文;例如,直接从双层加密文件的文件头和文件体中分别读取出子钥加密数据和子钥密文;S301: Determine the sub-key encrypted data and the sub-key cipher text contained in the double-layer encrypted file; for example, directly read the sub-key encrypted data and the sub-key cipher text from the file header and file body of the double-layer encrypted file;
S303,获取用户授权的主密钥,使用所述主密钥解密所述子钥密文,生成子密钥,其中,所述主密钥基于用户信息生成,所述用户信息与生成主密钥的用户信息相同;S303. Obtain a master key authorized by the user, decrypt the subkey ciphertext using the master key, and generate a subkey, where the master key is generated based on user information, and the user information is related to the generated master key The user information is the same;
S305,使用所述生成的子密钥解密所述子钥加密数据,生成可用的解密数据,以便用户使用。S305: Use the generated subkey to decrypt the subkey encrypted data, and generate usable decrypted data for the user to use.
由于在加密过程中采用的是对称加密,因此在本说明书实施例中可以直接使用主密钥和子密钥进行对称解密。在这种解密方法中,因为已经默认主密钥是其它用户基本不可能得到的,因此数据存储方(例如,存储数据的云端)在接收到用主密钥时,就可以执行解密。主密钥的授权对象可以是用户自己,例如,在用户登录账号成功时即默认对自己授权成功。主密钥的授权对象也可以是第三方,例如,用户在使用某些第三方应用时,允许该第三方应用使用自己的主密钥进行某些特定的权限操作,包括查询、验证等等。Since symmetric encryption is used in the encryption process, the master key and subkey can be used directly for symmetric decryption in the embodiments of this specification. In this decryption method, because it has been defaulted that the master key is basically impossible for other users to obtain, the data storage party (for example, the cloud storing the data) can perform decryption when receiving the master key. The authorization object of the master key can be the user himself, for example, when the user logs in to the account successfully, the authorization is successful by default. The authorized object of the master key may also be a third party. For example, when a user uses some third-party applications, the third-party application is allowed to use his own master key to perform certain specific authority operations, including query, verification, and so on.
本说明书实施例所提供的方案,可以在如下应用场景中实施:在用户本地设备(可以包括智能手机、个人电脑、智能平板等等)中提供一种用于数据存储方法的程序应用APP,用户在该APP上建立账号,该APP通过用户的登录密码或者用户的生物特征(指纹、声纹等)创建主密钥。从而,该用户使用登录密码或者生物特征时,主密钥被唯一确定,进而,用户可以在APP所提供的界面中,通过在界面中拖拽、选定等操作,提供自己想要加密的文件。APP此时随机生成一个用于加密的子密钥,加密所述文件。同时主密钥加密所述子密钥得到子钥密文,并且将子钥密文置于头部,生成加密双层文件。APP中可以接收用户的指令,确定存储位置;或者,提供相应的位置设定选项,将加密双层文件存储至用户事先选定的存储位置。存储位置可以是在用户本地设备中,也可以 在与该APP对接的服务端中。通过上述方式,用户可以对自己的一些私密信息(例如身份信息、社交信息)得以安全的保存。即使服务端发生了数据外泄,用户的隐私也不会泄露出去。The solutions provided in the embodiments of this specification can be implemented in the following application scenarios: a program application APP for data storage methods is provided in the user's local device (which may include a smart phone, a personal computer, a smart tablet, etc.), and the user An account is established on the APP, and the APP creates a master key through the user's login password or the user's biological characteristics (fingerprints, voiceprints, etc.). Therefore, when the user uses the login password or biometrics, the master key is uniquely determined. Furthermore, the user can provide the file he wants to encrypt in the interface provided by the APP by dragging, selecting, and other operations in the interface . The APP randomly generates a subkey for encryption at this time to encrypt the file. At the same time, the master key encrypts the subkey to obtain the subkey ciphertext, and puts the subkey ciphertext in the head to generate an encrypted double-layer file. The APP can receive instructions from the user to determine the storage location; or, provide corresponding location setting options to store the encrypted double-layer file in the storage location selected by the user in advance. The storage location can be in the user's local device or in the server docking with the APP. Through the above methods, users can safely store some of their private information (such as identity information and social information). Even if data is leaked on the server, the user's privacy will not be leaked.
在上述存储方式下,若第三方需要查询或者验证用户的一些私密信息时,用户可以通过主密钥授权的方式,在需要验证时向第三方提供主密钥,这样,第三方可以凭借该主密钥授权去向服务端请求,由服务端基于主密钥对用户的个人信息进行解密,并执行该验证。这样,一方面用户只需要通过一个主钥就实现了对多个数据的管理;另一方面,用户只需将个人数据以加密的形式存储在服务端,而无需向第三方(实际中,第三方的数量是相当多的)提供自己的隐私信息,避免了第三方对自己数据的泄露。In the above storage method, if a third party needs to query or verify some private information of the user, the user can authorize the master key to provide the third party with the master key when verification is required, so that the third party can rely on the master key. The key authorization goes to the server to request, and the server decrypts the user's personal information based on the master key, and performs the verification. In this way, on the one hand, the user only needs to use a master key to manage multiple data; on the other hand, the user only needs to store personal data in encrypted form on the server, without the need for third parties (in fact, the first The number of three parties is quite large) Provide their own private information to avoid the leakage of their own data by third parties.
与第一方面对应的,本说明书实施例还提供一种数据存储装置,如图4所示,图4是本说明书实施例提供的一种数据存储装置的结构示意图,所述装置包括:Corresponding to the first aspect, an embodiment of this specification also provides a data storage device, as shown in FIG. 4, which is a schematic structural diagram of a data storage device provided by an embodiment of this specification, the device includes:
确定模块401,确定待存储数据;The determining module 401 determines the data to be stored;
子密钥加密模块403,获取随机生成的子密钥,采用所述子密钥对称加密所述待存储数据,生成子钥加密数据;The subkey encryption module 403 obtains a randomly generated subkey, uses the subkey to symmetrically encrypt the data to be stored, and generates subkey encrypted data;
主密钥加密模块405,获取基于用户信息生成的主密钥,采用所述主密钥对称加密所述子密钥,生成子钥密文,其中,所述用户信息包括用户密码或者用户生物特征信息;The master key encryption module 405 obtains a master key generated based on user information, and uses the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, wherein the user information includes a user password or user biometric characteristics information;
合并模块407,合并所述子钥加密数据和子钥密文,生成双层加密文件;The merging module 407 merges the sub-key encrypted data and the sub-key ciphertext to generate a double-layer encrypted file;
存储模块409,存储所述双层加密文件。The storage module 409 stores the double-layer encrypted file.
进一步地,所述主密钥加密模块405,从用户指定的路径获取根据用户信息预先生成的主密钥;或者,获取用户信息,采用预设的密钥派生函数基于所述用户信息生成主密钥。Further, the master key encryption module 405 obtains a master key generated in advance according to user information from a path specified by the user; or, obtains user information, and uses a preset key derivation function to generate a master key based on the user information. key.
进一步地,所述子密钥加密模块403,对每个待存储数据,分别随机获取不同的多个子密钥。Further, the subkey encryption module 403 randomly obtains multiple different subkeys for each data to be stored.
进一步地,所述主密钥加密模块405,获取同一基于用户信息生成的主密钥;采用所述同一主密钥分别对称加密多个子密钥,生成基于同一主钥加密生成的多个子钥密文,其中,子钥密文和待存储数据一一对应。Further, the master key encryption module 405 obtains the same master key generated based on user information; uses the same master key to symmetrically encrypt multiple sub-keys respectively, and generates multiple sub-key secrets generated based on the same master key encryption. The ciphertext of the subkey corresponds to the data to be stored.
进一步地,所述合并模块407,以所述子钥密文作为文件头,合并所述子钥加密数据,生成文件头不超过预设长度的双层加密文件。Further, the merging module 407 uses the subkey ciphertext as a file header, merges the subkey encrypted data, and generates a double-layer encrypted file whose file header does not exceed a preset length.
与第二方面对应的,本说明书实施例还提供一种双层加密文件的解密装置,如图5所示,图5是本说明书实施例提供的一种双层加密文件的解密装置的结构示意图,包括:Corresponding to the second aspect, an embodiment of this specification also provides a decryption device for double-layer encrypted files, as shown in FIG. 5, which is a schematic structural diagram of a decryption device for double-layer encrypted files provided by the embodiment of this specification ,include:
确定模块501,确定所述双层加密文件中所包含的子钥加密数据和子钥密文;The determining module 501 determines the subkey encrypted data and the subkey ciphertext contained in the double-layer encrypted file;
主密钥解密模块503,获取用户授权的主密钥,使用所述主密钥解密所述子钥密文,生成子密钥,其中,所述主密钥基于用户信息生成;The master key decryption module 503 obtains a master key authorized by the user, uses the master key to decrypt the subkey ciphertext, and generates a subkey, wherein the master key is generated based on user information;
子密钥解密模块505,使用所述生成的子密钥解密所述子钥加密数据,生成可用的解密数据,以便用户使用。The subkey decryption module 505 uses the generated subkey to decrypt the subkey encrypted data to generate usable decrypted data for the user to use.
本说明书实施例还提供一种计算机设备,其至少包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,处理器执行所述程序时实现图1所示的数据存储方法。The embodiment of this specification also provides a computer device, which at least includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, wherein the processor implements the data shown in FIG. 1 when the program is executed. Storage method.
图6示出了本说明书实施例所提供的一种更为具体的计算设备硬件结构示意图,该设备可以包括:处理器1010、存储器1020、输入/输出接口1030、通信接口1040和总线1050。其中处理器1010、存储器1020、输入/输出接口1030和通信接口1040通过总线1050实现彼此之间在设备内部的通信连接。FIG. 6 shows a more specific hardware structure diagram of a computing device provided by an embodiment of this specification. The device may include a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. The processor 1010, the memory 1020, the input/output interface 1030, and the communication interface 1040 realize the communication connection between each other in the device through the bus 1050.
处理器1010可以采用通用的CPU(Central Processing Unit,中央处理器)、微处理器、应用专用集成电路(Application Specific Integrated Circuit,ASIC)、或者一个或多个集成电路等方式实现,用于执行相关程序,以实现本说明书实施例所提供的技术方案。The processor 1010 may be implemented by a general CPU (Central Processing Unit, central processing unit), microprocessor, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc., for execution related Program to realize the technical solutions provided in the embodiments of this specification.
存储器1020可以采用ROM(Read Only Memory,只读存储器)、RAM(Random Access Memory,随机存取存储器)、静态存储设备,动态存储设备等形式实现。存储器1020可以存储操作系统和其他应用程序,在通过软件或者固件来实现本说明书实施例所提供的技术方案时,相关的程序代码保存在存储器1020中,并由处理器1010来调用执行。The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory, random access memory), static storage device, dynamic storage device, etc. The memory 1020 may store an operating system and other application programs. When the technical solutions provided in the embodiments of the present specification are implemented through software or firmware, related program codes are stored in the memory 1020 and called and executed by the processor 1010.
输入/输出接口1030用于连接输入/输出模块,以实现信息输入及输出。输入输出/模块可以作为组件配置在设备中(图中未示出),也可以外接于设备以提供相应功能。其中输入设备可以包括键盘、鼠标、触摸屏、麦克风、各类传感器等,输出设备可以包括显示器、扬声器、振动器、指示灯等。The input/output interface 1030 is used to connect an input/output module to realize information input and output. The input/output/module can be configured in the device as a component (not shown in the figure), or can be connected to the device to provide corresponding functions. The input device may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and an output device may include a display, a speaker, a vibrator, an indicator light, and the like.
通信接口1040用于连接通信模块(图中未示出),以实现本设备与其他设备的通信交互。其中通信模块可以通过有线方式(例如USB、网线等)实现通信,也可以通过无线方式(例如移动网络、WIFI、蓝牙等)实现通信。The communication interface 1040 is used to connect a communication module (not shown in the figure) to realize the communication interaction between the device and other devices. The communication module can realize communication through wired means (such as USB, network cable, etc.), or through wireless means (such as mobile network, WIFI, Bluetooth, etc.).
总线1050包括一通路,在设备的各个组件(例如处理器1010、存储器1020、输入/输出接口1030和通信接口1040)之间传输信息。The bus 1050 includes a path for transmitting information between various components of the device (for example, the processor 1010, the memory 1020, the input/output interface 1030, and the communication interface 1040).
需要说明的是,尽管上述设备仅示出了处理器1010、存储器1020、输入/输出接口1030、通信接口1040以及总线1050,但是在具体实施过程中,该设备还可以包括实现正常运行所必需的其他组件。此外,本领域的技术人员可以理解的是,上述设备中也可以仅包含实现本说明书实施例方案所必需的组件,而不必包含图中所示的全部组件。It should be noted that although the above device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040, and the bus 1050, in the specific implementation process, the device may also include the equipment necessary for normal operation. Other components. In addition, those skilled in the art can understand that the above-mentioned device may also include only the components necessary to implement the solutions of the embodiments of this specification, and not necessarily include all the components shown in the figures.
本说明书实施例还提供一种计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时实现图1所示的数据存储方法。The embodiment of this specification also provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the data storage method shown in FIG. 1 is implemented.
计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带,磁带磁磁盘存储或其他磁性存储设备或任何其他非传输介质,可用于存储可以被计算设备访问的信息。按照本文中的界定,计算机可读介质不包括暂存电脑可读媒体(transitory media),如调制的数据信号和载波。Computer-readable media includes permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology. The information can be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.
通过以上的实施方式的描述可知,本领域的技术人员可以清楚地了解到本说明书实施例可借助软件加必需的通用硬件平台的方式来实现。基于这样的理解,本说明书实施例的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品可以存储在存储介质中,如ROM/RAM、磁碟、光盘等,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本说明书实施例各个实施例或者实施例的某些部分所述的方法。From the description of the foregoing implementation manners, it can be known that those skilled in the art can clearly understand that the embodiments of this specification can be implemented by means of software plus a necessary general hardware platform. Based on this understanding, the technical solutions of the embodiments of the present specification can be embodied in the form of software products, which can be stored in storage media, such as ROM/RAM, A magnetic disk, an optical disk, etc., include several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute the methods described in the various embodiments or some parts of the embodiments of this specification.
上述实施例阐明的系统、方法、模块或单元,具体可以由计算机芯片或实体实现,或者由具有某种功能的产品来实现。一种典型的实现设备为计算机,计算机的具体形式可以是个人计算机、膝上型计算机、蜂窝电话、相机电话、智能电话、个人数字助理、媒体播放器、导航设备、电子邮件收发设备、游戏控制台、平板计算机、可穿戴设备或者这些设备中的任意几种设备的组合。The systems, methods, modules or units explained in the above embodiments may be specifically implemented by computer chips or entities, or implemented by products with certain functions. A typical implementation device is a computer. The specific form of the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email receiving and sending device, and a game control A console, a tablet computer, a wearable device, or a combination of any of these devices.
本说明书中的各个实施例均采用递进的方式描述,各个实施例之间相同相似的部分 互相参见即可,每个实施例重点说明的都是与其他实施例的不同之处。尤其,对于方法实施例而言,由于其基本相似于方法实施例,所以描述得比较简单,相关之处参见方法实施例的部分说明即可。以上所描述的方法实施例仅仅是示意性的,其中所述作为分离部件说明的模块可以是或者也可以不是物理上分开的,在实施本说明书实施例方案时可以把各模块的功能在同一个或多个软件和/或硬件中实现。也可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。本领域普通技术人员在不付出创造性劳动的情况下,即可以理解并实施。The various embodiments in this specification are described in a progressive manner, and the same or similar parts between the various embodiments can be referred to each other. Each embodiment focuses on the differences from other embodiments. In particular, as for the method embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant part can refer to the part of the description of the method embodiment. The method embodiments described above are merely illustrative. The modules described as separate components may or may not be physically separated. When implementing the solutions of the embodiments of this specification, the functions of the modules may be in the same Or multiple software and/or hardware implementations. It is also possible to select some or all of the modules according to actual needs to achieve the objectives of the solutions of the embodiments. Those of ordinary skill in the art can understand and implement it without creative work.
以上所述仅是本说明书实施例的具体实施方式,应当指出,对于本技术领域的普通技术人员来说,在不脱离本说明书实施例原理的前提下,还可以做出若干改进和润饰,这些改进和润饰也应视为本说明书实施例的保护范围。The above are only specific implementations of the embodiments of this specification. It should be pointed out that for those of ordinary skill in the art, without departing from the principle of the embodiments of this specification, several improvements and modifications can be made. These Improvement and retouching should also be regarded as the protection scope of the embodiments of this specification.

Claims (13)

  1. 一种数据存储方法,包括:A data storage method, including:
    确定待存储数据;Determine the data to be stored;
    获取随机生成的子密钥,采用所述子密钥对称加密所述待存储数据,生成子钥加密数据;Obtaining a randomly generated subkey, symmetrically encrypting the data to be stored using the subkey, and generating subkey encrypted data;
    获取基于用户信息生成的主密钥,采用所述主密钥对称加密所述子密钥,生成子钥密文,其中,所述用户信息包括用户密码或者用户生物特征信息;Obtain a master key generated based on user information, and use the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, wherein the user information includes a user password or user biometric information;
    合并所述子钥加密数据和子钥密文,生成双层加密文件,并存储。Combine the sub-key encrypted data and the sub-key cipher text to generate a double-layer encrypted file and store it.
  2. 如权利要求1所述的方法,获取基于用户信息生成的主密钥,包括:The method of claim 1, obtaining a master key generated based on user information, comprising:
    从用户指定的路径获取根据用户信息预先生成的主密钥;或者,Obtain the master key generated in advance based on user information from the path specified by the user; or,
    获取用户信息,采用预设的密钥派生函数基于所述用户信息生成主密钥。Obtain user information, and use a preset key derivation function to generate a master key based on the user information.
  3. 如权利要求1所述的方法,当所述待存储数据为多个时,获取随机生成的子密钥,包括:The method according to claim 1, when there are multiple data to be stored, obtaining a randomly generated subkey includes:
    对每个待存储数据,分别随机获取不同的多个子密钥。For each data to be stored, multiple different subkeys are randomly obtained.
  4. 如权利要求3所述的方法,获取基于用户信息生成的主密钥,采用所述主密钥对称加密所述子密钥,生成子钥密文,包括:The method according to claim 3, obtaining a master key generated based on user information, using the master key to symmetrically encrypt the subkey, and generating a subkey ciphertext, comprising:
    获取同一基于用户信息生成的主密钥;Obtain the same master key generated based on user information;
    采用所述同一主密钥分别对称加密多个子密钥,生成基于同一主钥加密生成的多个子钥密文,其中,子钥密文和待存储数据一一对应。The same master key is used to symmetrically encrypt a plurality of subkeys respectively, and a plurality of subkey ciphertexts generated based on the same master key encryption are generated, wherein the subkey ciphertexts correspond to the data to be stored in a one-to-one correspondence.
  5. 如权利要求1所述的方法,合并所述加密数据和子钥密文,生成双层加密文件,包括:The method of claim 1, combining the encrypted data and the subkey ciphertext to generate a double-layer encrypted file, comprising:
    以所述子钥密文作为文件头,合并所述子钥加密数据,生成文件头不超过预设长度的双层加密文件。Using the sub-key cipher text as a file header, combining the sub-key encrypted data to generate a double-layer encrypted file whose file header does not exceed a preset length.
  6. 一种基于权利要求1至5任一所述的双层加密文件的解密方法,包括:A method for decrypting a double-layer encrypted file based on any one of claims 1 to 5, comprising:
    确定所述双层加密文件中所包含的子钥加密数据和子钥密文;Determining the subkey encrypted data and the subkey ciphertext contained in the double-layer encrypted file;
    获取用户授权的主密钥,使用所述主密钥解密所述子钥密文,生成子密钥,其中,所述主密钥基于用户信息生成;Obtaining a master key authorized by the user, decrypting the subkey ciphertext using the master key, and generating a subkey, wherein the master key is generated based on user information;
    使用所述生成的子密钥解密所述子钥加密数据,生成可用的解密数据,以便用户使用。Use the generated subkey to decrypt the subkey encrypted data, and generate usable decrypted data for the user to use.
  7. 一种数据存储装置,包括:A data storage device includes:
    确定模块,确定待存储数据;Determine the module to determine the data to be stored;
    子密钥加密模块,获取随机生成的子密钥,采用所述子密钥对称加密所述待存储数据,生成子钥加密数据;The subkey encryption module obtains a randomly generated subkey, symmetrically encrypts the data to be stored using the subkey, and generates subkey encrypted data;
    主密钥加密模块,获取基于用户信息生成的主密钥,采用所述主密钥对称加密所述子密钥,生成子钥密文,其中,所述用户信息包括用户密码或者用户生物特征信息;The master key encryption module obtains a master key generated based on user information, and uses the master key to symmetrically encrypt the subkey to generate a subkey ciphertext, wherein the user information includes user password or user biometric information ;
    合并模块,合并所述子钥加密数据和子钥密文,生成双层加密文件;The merging module merges the sub-key encrypted data and the sub-key ciphertext to generate a double-layer encrypted file;
    存储模块,存储所述双层加密文件。The storage module stores the double-layer encrypted file.
  8. 如权利要求7所述的装置,所述主密钥加密模块,从用户指定的路径获取根据用户信息预先生成的主密钥;或者,获取用户信息,采用预设的密钥派生函数基于所述用户信息生成主密钥。7. The device of claim 7, wherein the master key encryption module obtains the master key generated in advance according to user information from a path specified by the user; or, obtains user information, using a preset key derivation function based on the User information generates a master key.
  9. 如权利要求7所述的装置,所述子密钥加密模块,对每个待存储数据,分别随机获取不同的多个子密钥。8. The device according to claim 7, wherein the subkey encryption module randomly obtains a plurality of different subkeys for each data to be stored.
  10. 如权利要求9所述的装置,所述主密钥加密模块,获取同一基于用户信息生成的主密钥;采用所述同一主密钥分别对称加密多个子密钥,生成基于同一主钥加密生成的多个子钥密文,其中,子钥密文和待存储数据一一对应。9. The device according to claim 9, wherein the master key encryption module obtains the same master key generated based on user information; uses the same master key to symmetrically encrypt multiple sub-keys respectively, and generates an encrypted generation based on the same master key The multiple sub-key ciphertexts of, where the sub-key ciphertext corresponds to the data to be stored one-to-one.
  11. 如权利要求7所述的装置,所述合并模块,以所述子钥密文作为文件头,合并所述子钥加密数据,生成文件头不超过预设长度的双层加密文件。7. The device according to claim 7, wherein the merging module uses the subkey ciphertext as a file header, merges the subkey encrypted data, and generates a double-layer encrypted file whose file header does not exceed a preset length.
  12. 一种基于权利要求7至11任一所述的双层加密文件的解密装置,包括:A decryption device based on the double-layer encrypted file according to any one of claims 7 to 11, comprising:
    确定模块,确定所述双层加密文件中所包含的子钥加密数据和子钥密文;The determining module determines the subkey encrypted data and the subkey ciphertext contained in the double-layer encrypted file;
    主密钥解密模块,获取用户授权的主密钥,使用所述主密钥解密所述子钥密文,生成子密钥,其中,所述主密钥基于用户信息生成;The master key decryption module obtains the master key authorized by the user, uses the master key to decrypt the subkey ciphertext, and generates a subkey, wherein the master key is generated based on user information;
    子密钥解密模块,使用所述生成的子密钥解密所述子钥加密数据,生成可用的解密数据,以便用户使用。The subkey decryption module uses the generated subkey to decrypt the subkey encrypted data and generates usable decrypted data for the user to use.
  13. 一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其中,所述处理器执行所述程序时实现如权利要求1至6任一项所述的方法。A computer device, comprising a memory, a processor, and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program as described in any one of claims 1 to 6 method.
PCT/CN2019/120669 2019-01-31 2019-11-25 Data storage method and device, and apparatus WO2020155812A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910095110.3A CN110032874A (en) 2019-01-31 2019-01-31 A kind of date storage method, device and equipment
CN201910095110.3 2019-01-31

Publications (1)

Publication Number Publication Date
WO2020155812A1 true WO2020155812A1 (en) 2020-08-06

Family

ID=67235504

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/120669 WO2020155812A1 (en) 2019-01-31 2019-11-25 Data storage method and device, and apparatus

Country Status (3)

Country Link
CN (1) CN110032874A (en)
TW (1) TW202031010A (en)
WO (1) WO2020155812A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110032874A (en) * 2019-01-31 2019-07-19 阿里巴巴集团控股有限公司 A kind of date storage method, device and equipment
CN112825095A (en) * 2019-11-20 2021-05-21 北京京东尚科信息技术有限公司 Method, apparatus, electronic device and medium for protecting sensitive information in application
CN111181920A (en) * 2019-12-02 2020-05-19 中国建设银行股份有限公司 Encryption and decryption method and device
CN111628864A (en) * 2020-06-05 2020-09-04 微位(深圳)网络科技有限公司 Method for carrying out secret key safety recovery by using SIM card
CN112613058A (en) * 2020-12-30 2021-04-06 绿盟科技集团股份有限公司 Method and device for retrieving encryption key, electronic equipment and storage medium
CN116383844B (en) * 2023-03-31 2024-02-09 深圳市博通智能技术有限公司 Automatic comprehensive management analysis system, method, medium and equipment based on big data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105245328A (en) * 2015-09-09 2016-01-13 西安电子科技大学 User and file key generation and management method based on third party
CN106529308A (en) * 2015-09-10 2017-03-22 深圳市中兴微电子技术有限公司 Data encryption method and apparatus, and mobile terminal
CN108768638A (en) * 2018-06-01 2018-11-06 北京爱普安信息技术有限公司 A kind of method and device of message encryption
CN108900533A (en) * 2018-08-01 2018-11-27 南京荣链科技有限公司 A kind of shared data method for secret protection, system, terminal and medium
CN110032874A (en) * 2019-01-31 2019-07-19 阿里巴巴集团控股有限公司 A kind of date storage method, device and equipment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010056541A1 (en) * 2000-05-11 2001-12-27 Natsume Matsuzaki File management apparatus
CN101800811B (en) * 2010-02-02 2012-10-03 中国软件与技术服务股份有限公司 Mobile phone data security protection method
CN104717195A (en) * 2013-12-17 2015-06-17 中国移动通信集团福建有限公司 Service system password management method and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105245328A (en) * 2015-09-09 2016-01-13 西安电子科技大学 User and file key generation and management method based on third party
CN106529308A (en) * 2015-09-10 2017-03-22 深圳市中兴微电子技术有限公司 Data encryption method and apparatus, and mobile terminal
CN108768638A (en) * 2018-06-01 2018-11-06 北京爱普安信息技术有限公司 A kind of method and device of message encryption
CN108900533A (en) * 2018-08-01 2018-11-27 南京荣链科技有限公司 A kind of shared data method for secret protection, system, terminal and medium
CN110032874A (en) * 2019-01-31 2019-07-19 阿里巴巴集团控股有限公司 A kind of date storage method, device and equipment

Also Published As

Publication number Publication date
TW202031010A (en) 2020-08-16
CN110032874A (en) 2019-07-19

Similar Documents

Publication Publication Date Title
US11716195B2 (en) Facilitating communications using hybrid cryptography
US10142107B2 (en) Token binding using trust module protected keys
US9813247B2 (en) Authenticator device facilitating file security
WO2020155812A1 (en) Data storage method and device, and apparatus
CN106716914B (en) Secure key management for roaming protected content
CN107113286B (en) Cross-device roaming content erase operation
CN106664202B (en) Method, system and computer readable medium for providing encryption on multiple devices
TWI601405B (en) Method and apparatus for cloud-assisted cryptography
US9465947B2 (en) System and method for encryption and key management in cloud storage
US8509449B2 (en) Key protector for a storage volume using multiple keys
TWI578749B (en) Methods and apparatus for migrating keys
US10187373B1 (en) Hierarchical, deterministic, one-time login tokens
US20180091487A1 (en) Electronic device, server and communication system for securely transmitting information
US10057060B2 (en) Password-based generation and management of secret cryptographic keys
US20120294445A1 (en) Credential storage structure with encrypted password
CN109672521B (en) Security storage system and method based on national encryption engine
US11245527B2 (en) Secure distribution networks
CN110868291B (en) Data encryption transmission method, device, system and storage medium
US20180063105A1 (en) Management of enciphered data sharing
WO2020123926A1 (en) Decentralized computing systems and methods for performing actions using stored private data
KR20220039779A (en) Enhanced security encryption and decryption system
US10785193B2 (en) Security key hopping
US11290277B2 (en) Data processing system
US10699021B2 (en) Method and a device for secure storage of at least one element of digital information, and system comprising such device
US11163892B2 (en) Buffering data until encrypted destination is unlocked

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19912603

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19912603

Country of ref document: EP

Kind code of ref document: A1