WO2021109817A1 - Key update method, data decryption method, and digital signature authentication method - Google Patents

Key update method, data decryption method, and digital signature authentication method

Publication number
WO2021109817A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
processing
processing times
count
digital signature
Prior art date
Application number
PCT/CN2020/128165
Other languages
French (fr)
Chinese (zh)
Inventor
方习文
潘适然
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2021109817A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • the one-way mapping processing steps include: using a hash algorithm for processing.
  • the processing using a hash algorithm includes: splicing the input of the one-way mapping process with the local identifier, and using the spliced result as the input of the hash algorithm.
  • the reference value is obtained in any one of the following ways: from the hardware area of the device, issued by the cloud server, or external input.
  • a possible implementation manner is that the judging whether the digital signature can be verified according to the comparison result includes: judging whether the first processing times are equal to the second processing times; if yes, using the locally stored second key pair as the first key pair.
  • the first processing module is specifically configured to use a hash algorithm to process the reference value for the second number of processing times.
  • the first processing module includes: a splicing sub-module for splicing the input of the first processing module with the local identifier;
  • the first setting sub-module is used to use the spliced result as the input of the hash algorithm.
  • the first key is a key in an asymmetric key pair.
  • neither party of the data transmission wants the transmitted data to be obtained by a third party, so the data can be encrypted using encryption technology for transmission.
  • FIG. 4 is a schematic flowchart of a method for updating a key provided by an embodiment of the application. As shown in Figure 4, the method includes:
  • the first key is generated from the reference value after the one-way mapping process of the first processing times.
  • One-way mapping refers to an irreversible mapping. For example, A gets B through one-way mapping, but B cannot be reduced to A. Therefore, after the one-way mapping process is performed on the reference value for the first number of processing times, the first key is obtained, but the first key cannot be reduced back to the reference value.
  • the second possible implementation is that when the data transmission party registers with the cloud server, the cloud server generates a corresponding reference value according to the hardware information of the data transmission party, and the reference value is stored on the cloud server.
  • the cloud server sends the reference value to the data transmission party in a secure manner, so that the data transmission party does not need to store the reference value directly.
  • the third possible implementation is that the user manually enters the user password as the reference value to avoid the data transmission party directly storing the reference value.
  • the data transmission party does not store the reference value, and each time the reference value needs to be used, the reference value is generated by accessing the cloud server or prompting the user to enter the user password.
  • Step S103 Perform one-way mapping processing for the second number of processing times on the reference value to generate a second key.
  • the second processing times are less than the first processing times.
  • Step S104 Replace the first key with the second key.
  • the sender and receiver of the data transmission need to be synchronized to realize the key update.
  • in the existing key update method, usually one party of the data transmission completes the key update and then sends the updated key to the other party of the data transmission to complete the key synchronization.
  • when the updated key is transmitted to the other party of the data transmission, there may be a risk of data loss or tampering, and it is necessary to rely on a trusted third party to verify the updated key.
  • the second processing times and the first processing times are first compared.
  • if the second processing times are greater than or equal to the first processing times, it indicates that the second key sent by the data transmission partner is an old key; the second key does not need to be authenticated, and there is no need to update the locally stored first key.
  • the method for updating the key includes: receiving a key update instruction.
  • a one-way mapping process of the second number of processing times is performed on the reference value to generate a second key.
  • the update of the key is realized, and the old key can be deduced in one direction from the current key.
  • There is no need to store the old key, which saves the resources of the data transmission party; there is no need to worry about the loss of the old key; and the current key cannot be derived from the old key.
  • After receiving the new key sent by the data transmission partner, there is no need for a third party to verify the legality of the new key.
  • a possible implementation manner is that the difference between the first processing number and the second processing number is one.
  • the first processing times and the second processing times are respectively the processing times corresponding to the first key before the update and the second key after the update in a key update process, and the first key before the update differs from the updated second key by one version. Therefore, when the difference between the first processing times and the second processing times is one, the first processing times can be used to identify the version of the first key, and the second processing times can be used to identify the version of the second key.
  • the first key is generated from the reference value through 6 hash operations.
  • the hash value obtained is exactly the same as the second key, and one more hash operation is performed to get the first key. Therefore, the second key can generate the first key after one hash operation.
  • the data transmission party can directly generate the first key based on the second key.
  • the data transmission party cannot directly generate the second key based on the first key.
  • the hash algorithm in the embodiment of the present application may be any known hash algorithm such as SHA-256 and SHA-512, which is not limited in the embodiment of the present application.
  • the local identifier is the unique identifier of the data transmission party, and it always remains unchanged. That is, in each one-way mapping process, the input of the one-way mapping process is spliced with the local identifier, and then the spliced result is input to the hash algorithm for hash operation.
  • the local identification may use the hardware identification of the data transmission party, or may use the application identification of the software application for data transmission, or may also use an artificially set identification, which is not limited in the embodiment of the present application.
  • the input of each hash operation is the result of the splicing of the input of the previous hash operation and the fixed identifier, which enhances the complexity of the hash algorithm and further improves the security of the generated key.
  • the sender and receiver of data transmission use a set of key pairs.
  • both the private key and the public key in the key pair need to be updated.
  • a possible implementation is to use the first key as the private key, and the third key matching the first key as the public key, and the first key and the third key form an asymmetric key pair.
  • Another possible implementation is to use the first key as the public key, and the third key matching the first key as the private key, and the first key and the third key form an asymmetric key pair.
  • Fig. 5a is a schematic diagram of a method for generating a symmetric key provided by an embodiment of the application.
  • Fig. 5b is a schematic diagram of another method for generating a symmetric key provided by an embodiment of the application.
  • MK in the figure represents the reference value.
  • Key -1 is used to represent MK.
  • m versions of the key can be obtained, namely Key 0 to Key m.
  • the output of the previous hash operation is spliced with the local identification APPTAG, and then the spliced result is hashed.
  • the reference value MK is spliced with the local identification APPTAG, and the spliced result (Key -1
  • the Key 0 and the local identification APPTAG are spliced together, and then the spliced result (Key 0
  • m versions of keys can be obtained respectively, namely Key 0 to Key m .
  • the way of realizing the key update is the same as the process in Figure 5a, and will not be repeated here.
  • Fig. 6a is a schematic diagram of an asymmetric key generation method based on a large integer factorization problem provided by an embodiment of the application.
  • Fig. 6b is a schematic diagram of another method for generating an asymmetric key based on a large integer factorization problem provided by an embodiment of the application.
  • RSA encryption technology has the common characteristics of asymmetric encryption technology, that is, data encryption and decryption are completed through a set of keys including a public key and a private key.
  • ciphertext = (original text)^d mod n, to encrypt the original text
  • original text = (cipher text)^e mod n, to decrypt the cipher text
  • the specified part of the large number n 0 in the RSA encryption algorithm is generated, and the entire large number n 0 is further generated.
  • the generated large number n 0 is the product of two large prime numbers p 0 and q 0 , and then a random number e 0 that is relatively prime to (p 0 -1)*(q 0 -1) is randomly generated.
  • 65537 can also be directly used as the random number e 0 .
  • the generated large number n 1 is the product of two large prime numbers p 1 and q 1 , and then randomly generates a random number e 1 that is relatively prime to (p 1 -1)*(q 1 -1).
  • the aforementioned method can be used to determine a unique value from the possible values of n, e, and d, which will not be repeated here.
  • the reference value MK and the local identification APPTAG are spliced, the spliced result is hashed once, and the hash value is then reduced modulo (n-1) and incremented by one to obtain the private key d 0 in the ECDSA encryption algorithm, where n is the public prime number agreed in advance.
  • G is the public elliptic curve base point agreed in advance
  • n is the order of G.
  • the reference value MK is spliced with the local identification APPTAG, the spliced result is hashed once, and the hash value is then reduced modulo (n-1) and incremented by one to obtain the private key d 0 in the ECDSA encryption algorithm, where n is the public prime number agreed in advance.
  • G is the public elliptic curve base point agreed in advance
  • n is the order of G.
  • FIG. 9 is a schematic flowchart of a data decryption method proposed in an embodiment of the present application. As shown in Figure 9, the method includes:
  • the magnitude relationship between the first processing times and the second processing times determines the old and new relationship between the key version corresponding to the encrypted data and the key version used by the receiver.
  • the first processing number is less than the second processing number. Based on the foregoing description, it can be known that when the first processing number is less than the second processing number, it means that the key corresponding to the received encrypted data is newer than the key being used by the receiver. The receiver therefore cannot derive the key corresponding to the encrypted data from the key in use, and it is determined that the encrypted data cannot be decrypted.
  • the receiver can derive the key corresponding to the encrypted data through the key being used.
  • a one-way mapping process of a third number of processing times may be performed on the locally stored second key to generate the first key corresponding to the encrypted data.
  • the third processing times is the difference between the first processing times and the second processing times.
  • Step S203 if yes, determine the first key corresponding to the first processing times.
  • the first key can be generated from the reference value after the one-way mapping processing of the first number of processing times.
  • the first key can be generated by the second key, or the second key can be directly used as the first key. Details are not repeated here.
  • the obtaining module 420 is configured to obtain the first key and the reference value stored locally.
  • the electronic device after receiving the second key sent by the data transmission partner and the corresponding second processing times, first compares the second processing times and the first processing times.
  • if the second number of processing times is less than the first number of processing times, one-way mapping processing of the third number of processing times can be performed on the second key, and the processed result can be verified with the first key stored locally in a fixed field. If the verification passes, the locally stored first key is replaced with the second key.
  • the third processing number is the difference between the first processing number and the second processing number.
  • the reference value is hashed for the first number of processing times (for example, 6 times) to generate the corresponding hash value as the first key.
  • Step S201 Receive the encrypted data and the first processing count, and compare the first processing count with the locally stored second processing count.
  • the relationship between the first processing times and the second processing times determines the old and new relationship between the key version corresponding to the encrypted data and the key version used by the receiver.
  • the method of updating the key is usually used to ensure the security of data transmission. If the recipient is an illegal third party, without obtaining the new version of the key, the old key cannot be used to decrypt the encrypted data, ensuring the security of data transmission.
  • first processing times are equal to the second processing times. It can be understood that when the first processing times are equal to the second processing times, it means that the key version corresponding to the encrypted data is the same as the version of the second key being used by the recipient. Directly use the locally stored second key as the first key corresponding to the encrypted data to decrypt the encrypted data.
  • the first key is not stored, and only the second key is still stored locally. If the encrypted data corresponding to the first key is still received in the future, the first key is still generated by the locally stored second key to decrypt the encrypted data.
  • Step S301 Receive the digital signature and the first processing count, and compare the first processing count with the locally stored second processing count.
  • the receiver uses the receiver's private key to decrypt the ciphertext encrypted by the receiver's public key. If the decryption is successful, the encrypted transmission of the data is completed.
  • the receiver uses the sender's public key to decrypt the ciphertext encrypted by the sender's private key, and the verification of the sender's digital signature is completed if the decryption is successful.
  • Step S302 According to the comparison result, it is judged whether the digital signature can be verified.
  • the key pair corresponding to the encrypted data needs to be compared with the version of the key pair used by the recipient. Accordingly, in the verification process of the digital signature, the version of the key pair corresponding to the digital signature needs to be compared with the version of the key pair used by the receiving party, that is, the number of processing times corresponding to the key pair used by the digital signature is compared with the number of processing times corresponding to the key pair being used by the receiver.
  • first processing count is equal to the second processing count. It can be understood that when the first processing count is equal to the second processing count, it means that the key version corresponding to the digital signature is the same as the version of the second key pair being used by the receiver.
  • the locally stored second key pair can be directly used as the first key pair corresponding to the digital signature to verify the digital signature.
  • Step S303 if yes, determine the first key pair corresponding to the first processing times.
  • the first key pair is an asymmetric key pair
  • the first key pair includes the first key
  • the first key may be generated from a reference value after one-way mapping processing for the first number of processing times.
  • the first key pair provided in the embodiment of the present application is an asymmetric key pair.
  • Step S304 Use the first key pair to verify the digital signature.
  • the first key pair is not saved, and only the second key pair is still stored locally. If the digital signature corresponding to the first key pair is received in the future, the first key pair is still generated by the locally stored second key pair to verify the digital signature.
  • the electronic device proposed in the embodiment of the present application receives the digital signature and the first processing count when verifying the digital signature, and compares the first processing count with the locally stored second processing count. According to the comparison result, it is judged whether the digital signature can be verified. If yes, determine the first key pair corresponding to the first processing times. Wherein, the first key pair is an asymmetric key pair, and the first key pair includes the first key. The digital signature is verified using the first key pair. As a result, only the updated key pair needs to be stored locally, and when the digital signature corresponding to the old key pair is received, the updated key pair is used to generate the old key pair, and then the old key pair is used to verify the digital signature.
  • the step of performing one-way mapping processing by the electronic device in the embodiment of the present application may include using a hash algorithm for processing, and the hash algorithm generates a unique corresponding hash value by performing a hash operation on the input content.
  • FIG. 19 is a schematic structural diagram of a computer-readable storage medium proposed in an embodiment of this application.
  • the embodiments of the present application also propose a computer-readable storage medium. As shown in FIG. 19, the computer-readable storage medium stores a computer program, and when it runs on a computer, the computer executes the key update method in the foregoing embodiment.
  • At least one of a, b, and c can represent: a, b, c, a and b, a and c, b and c, or a and b and c, where a, b, and c can each be single or multiple.
  • if any function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application essentially, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: USB flash drive, mobile hard disk, read-only memory (Read-Only Memory; hereinafter referred to as ROM), random access memory (Random Access Memory; hereinafter referred to as RAM), magnetic disks or optical disks, etc.

Abstract

Embodiments of the present application provide a key update method, a data decryption method, and a digital signature authentication method. In the methods, a first key is generated by performing, according to a first-processing count, one-way mapping processing operations on a reference value, a second key is generated by performing, according to a second-processing count, one-way mapping processing operations on the reference value, the second-processing count being less than the first-processing count, wherein the first key is stored locally and used as a primary key, and upon receiving a key update instruction, one-way mapping processing operations are performed on the locally stored reference value according to the second-processing count to generate the second key, and the second key is used as a new primary key, thereby completing an update of the primary key. If information encrypted or signed by the first key is received, the first key is obtained simply by performing one-way mapping processing on the second key, and then the first key is used for decryption or signature authentication. In this way, the invention realizes a key update, and enables one-way derivation of an old key from a current key.

Description

Key update method, data decryption method, digital signature verification method
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on December 3, 2019, with application number 201911221985.X and the application name "Key Update Method, Data Decryption Method, and Digital Signature Verification Method", the entire content of which is incorporated into this application by reference.
Technical field
This application relates to the field of information security technology, and in particular to a method for updating a key, a method for decrypting data, and a method for verifying digital signatures.
Background art
To prevent data from being obtained by a third party during transmission, the data is usually encrypted using encryption technology in order to protect it. Encryption technology involves two important elements: the encryption algorithm and the key. The encryption algorithm uses the key to process the data to be protected and produces encrypted data.
Transmitting encrypted data prevents third parties from directly obtaining the data to be protected. However, because a key may be leaked or may expire, among other situations, the key needs to be updated in a timely manner.
In related technologies, after a key is updated, the old key must be stored, in case data encrypted with the old key is received and cannot be decrypted. The data transmission party therefore needs to manage all of the old keys. On the one hand, this occupies the hardware resources of the data transmission party. On the other hand, once an old key stored by the data transmission party is lost, it cannot be recovered from the current key, and data encrypted with the old key can no longer be decrypted.
Summary of the Invention
This application provides a key update method, a data decryption method, and a digital signature verification method, so that a key can be updated and the old key can be derived one-way from the current key. Old keys do not need to be stored, which saves the resources of the data transmission party; there is no need to worry about an old key being lost; and the current key cannot be derived from an old key.
According to a first aspect, this application provides a key update method. The method includes: receiving a key update instruction; obtaining a locally stored first key and a reference value, where the first key is generated by performing one-way mapping processing on the reference value a number of times equal to a first processing count; performing the one-way mapping processing on the reference value a number of times equal to a second processing count to generate a second key, where the second processing count is less than the first processing count; and replacing the first key with the second key. The key is thereby updated, and the old key can be derived one-way from the current key. Old keys do not need to be stored, which saves the resources of the data transmission party; there is no need to worry about an old key being lost; and the current key cannot be derived from an old key. After a new key sent by the peer of the data transmission is received, no third party is needed to verify the validity of the new key.
In the foregoing key update method, so that the version number of a key corresponds to the number of times the one-way mapping processing is performed, in a possible implementation the difference between the first processing count and the second processing count is one.
To ensure the uniqueness of the result of the one-way mapping processing, in a possible implementation the one-way mapping processing includes: processing with a hash algorithm.
To enhance the reliability of the key in the embodiments of this application, in a possible implementation the processing with a hash algorithm includes: concatenating the input of the one-way mapping processing with a local identifier, and using the concatenated result as the input of the hash algorithm.
So that the key update method provided in the embodiments of this application can be used with asymmetric encryption technology, in a possible implementation the first key is one key of an asymmetric key pair.
To avoid the risk of storing the reference value, in a possible implementation the reference value is obtained in any one of the following ways: read from a hardware area of the device, delivered by a cloud server, or input from outside.
According to a second aspect, this application provides a data decryption method. The method includes: receiving encrypted data and a first processing count, and comparing the first processing count with a locally stored second processing count; determining, based on the comparison result, whether the encrypted data can be decrypted; if so, determining a first key corresponding to the first processing count; and decrypting the encrypted data with the first key. In this way, only the updated key needs to be stored locally: when encrypted data corresponding to an old key is received, the old key is generated from the updated key and is then used to decrypt the encrypted data.
In the foregoing data decryption method, to compare the first processing count with the second processing count, in a possible implementation the determining, based on the comparison result, whether the encrypted data can be decrypted includes: determining whether the first processing count is less than the second processing count; and if so, determining that the encrypted data cannot be decrypted.
To compare the first processing count with the second processing count, in a possible implementation the determining, based on the comparison result, whether the encrypted data can be decrypted includes: determining whether the first processing count is equal to the second processing count; and if so, using the locally stored second key as the first key.
To compare the first processing count with the second processing count, in a possible implementation the determining, based on the comparison result, whether the encrypted data can be decrypted includes: determining whether the first processing count is greater than the second processing count; and if so, performing the one-way mapping processing on the locally stored second key a number of times equal to a third processing count to generate the first key, where the third processing count is the difference between the first processing count and the second processing count.
To ensure the uniqueness of the result of the one-way mapping processing, in a possible implementation the one-way mapping processing includes: processing with a hash algorithm.
To enhance the reliability of the key in the embodiments of this application, in a possible implementation the processing with a hash algorithm includes: concatenating the input of the one-way mapping processing with a local identifier, and using the concatenated result as the input of the hash algorithm.
So that the terminal provided in the embodiments of this application can perform asymmetric encryption and decryption, in a possible implementation the first key is one key of an asymmetric key pair.
To avoid the risk of storing the reference value, in a possible implementation the first key is related to a reference value, and the reference value is obtained in any one of the following ways: read from a hardware area of the device, delivered by a cloud server, or input from outside.
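The following Python code is an added example, not code from the patent: it implements the key update of the first aspect and the three-way count comparison of the second aspect, using SHA-256 over the input concatenated with a local identifier as the one-way mapping. The sample reference value, local identifier and nonce, the `MAX_STEPS` bound, the rule of stopping at count 1, and the XOR keystream that stands in for a real cipher are assumptions of this example.

```python
import hashlib

# Constructed sample values, not taken from the patent.
REFERENCE = b"constructed-reference-value"
LOCAL_ID = b"constructed-device-id"
MAX_STEPS = 1024  # assumption: bound on hashing work driven by a received count


def one_way_map(value: bytes, local_id: bytes) -> bytes:
    """One mapping step: hash the input concatenated with the local identifier."""
    return hashlib.sha256(value + local_id).digest()


def derive(value: bytes, times: int, local_id: bytes) -> bytes:
    """Apply the one-way mapping `times` times to `value`."""
    if times < 0:
        raise ValueError("processing count must not be negative")
    for _ in range(times):
        value = one_way_map(value, local_id)
    return value


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; a stand-in for a real cipher so the
    example needs only the standard library. The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


class KeyHolder:
    """Keeps only the current primary key and its processing count."""

    def __init__(self, reference: bytes, local_id: bytes, count: int):
        if count < 1:
            raise ValueError("count must be at least 1")
        self.local_id = local_id
        self.count = count
        self.key = derive(reference, count, local_id)

    def update(self, reference: bytes) -> None:
        """Key update: map the reference value count - 1 times, replace the key."""
        if self.count <= 1:
            # Assumption of this example: never use the raw reference as a key.
            raise RuntimeError("no smaller processing count is available")
        self.count -= 1
        self.key = derive(reference, self.count, self.local_id)

    def key_for(self, received_count: int):
        """Key for `received_count`, or None when it cannot be derived."""
        steps = received_count - self.count
        if steps < 0:
            return None  # received count is smaller: a key newer than ours
        if steps > MAX_STEPS:
            return None  # refuse unbounded hashing on an untrusted count
        # steps == 0 yields the stored key; steps > 0 hashes forward to an old key.
        return derive(self.key, steps, self.local_id)

    def decrypt(self, received_count: int, nonce: bytes, ciphertext: bytes):
        """Decrypt with the key matching `received_count`, or return None."""
        key = self.key_for(received_count)
        return None if key is None else toy_cipher(key, nonce, ciphertext)


def demo() -> dict:
    """Encrypt under count 5, update twice, then decrypt old and current data."""
    receiver = KeyHolder(REFERENCE, LOCAL_ID, count=5)
    nonce = b"constructed-nonce"
    old_count = receiver.count
    old_ct = toy_cipher(receiver.key, nonce, b"sent under the old key")
    receiver.update(REFERENCE)  # count 5 -> 4
    receiver.update(REFERENCE)  # count 4 -> 3
    new_ct = toy_cipher(receiver.key, nonce, b"sent under the current key")
    return {
        "count": receiver.count,
        "old": receiver.decrypt(old_count, nonce, old_ct),
        "current": receiver.decrypt(receiver.count, nonce, new_ct),
        "newer": receiver.decrypt(receiver.count - 1, nonce, new_ct),
    }


if __name__ == "__main__":
    print(demo())
```

Because older keys are reached from the current key by hashing forward, a holder of the current key can compute every earlier key, while an earlier key does not yield a later one.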
According to a third aspect, this application provides a digital signature verification method. The method includes: receiving a digital signature and a first processing count, and comparing the first processing count with a locally stored second processing count; determining, based on the comparison result, whether the digital signature can be verified; if so, determining a first key pair corresponding to the first processing count, where the first key pair is an asymmetric key pair and includes a first key; and verifying the digital signature with the first key pair. In this way, only the updated key pair needs to be stored locally: when a digital signature corresponding to an old key pair is received, the old key pair is generated from the updated key pair and is then used to verify the digital signature.
In the foregoing digital signature verification method, to compare the first processing count with the second processing count, in a possible implementation the determining, based on the comparison result, whether the digital signature can be verified includes: determining whether the first processing count is less than the second processing count; and if so, determining that the digital signature cannot be verified.
To compare the first processing count with the second processing count, in a possible implementation the determining, based on the comparison result, whether the digital signature can be verified includes: determining whether the first processing count is equal to the second processing count; and if so, using the locally stored second key pair as the first key pair.
To compare the first processing count with the second processing count, in a possible implementation the determining, based on the comparison result, whether the digital signature can be verified includes: determining whether the first processing count is greater than the second processing count; if so, performing the one-way mapping processing on a second key in the locally stored second key pair a number of times equal to a third processing count to generate the first key, where the third processing count is the difference between the first processing count and the second processing count; and generating the first key pair from the first key.
To ensure the uniqueness of the result of the one-way mapping processing, in a possible implementation the one-way mapping processing includes: processing with a hash algorithm.
To enhance the reliability of the key in the embodiments of this application, in a possible implementation the processing with a hash algorithm includes: concatenating the input of the one-way mapping processing with a local identifier, and using the concatenated result as the input of the hash algorithm.
To avoid the risk of storing the reference value, in a possible implementation the first key is related to a reference value, and the reference value is obtained in any one of the following ways: read from a hardware area of the device, delivered by a cloud server, or input from outside.
According to a fourth aspect, this application provides a terminal that implements the foregoing key update method. The terminal includes: a first receiving module, configured to receive a key update instruction; an obtaining module, configured to obtain a locally stored first key and a reference value, where the first key is generated by performing one-way mapping processing on the reference value a number of times equal to a first processing count; a first processing module, configured to perform the one-way mapping processing on the reference value a number of times equal to a second processing count to generate a second key, where the second processing count is less than the first processing count; and a replacement module, configured to replace the first key with the second key.
In the foregoing terminal, so that the version number of a key corresponds to the number of times the one-way mapping processing is performed, in a possible implementation the difference between the first processing count and the second processing count is one.
To ensure the uniqueness of the result of the one-way mapping processing, in a possible implementation the first processing module is specifically configured to process the reference value with a hash algorithm a number of times equal to the second processing count.
To enhance the reliability of the key in the embodiments of this application, in a possible implementation the first processing module includes: a concatenation submodule, configured to concatenate the input of the first processing module with a local identifier; and a first setting submodule, configured to use the concatenated result as the input of the hash algorithm.
So that the key update method provided in the embodiments of this application can be used with asymmetric encryption technology, in a possible implementation the first key is one key of an asymmetric key pair.
To avoid the risk of storing the reference value, in a possible implementation the reference value is obtained in any one of the following ways: read from a hardware area of the device, delivered by a cloud server, or input from outside.
According to a fifth aspect, this application provides a terminal that implements the foregoing data decryption method. The terminal includes: a second receiving module, configured to receive encrypted data and a first processing count; a first comparison module, configured to compare the first processing count with a locally stored second processing count; a first judgment module, configured to determine, based on the comparison result, whether the encrypted data can be decrypted; a first determining module, configured to determine a first key corresponding to the first processing count when the first judgment module determines that the encrypted data can be decrypted; and a decryption module, configured to decrypt the encrypted data with the first key.
In the foregoing terminal, to compare the first processing count with the second processing count, in a possible implementation the first judgment module includes: a first judgment submodule, configured to determine whether the first processing count is less than the second processing count; and a first determining submodule, configured to determine that the encrypted data cannot be decrypted when the first judgment submodule determines that the first processing count is less than the second processing count.
To compare the first processing count with the second processing count, in a possible implementation the first judgment module includes: a second judgment submodule, configured to determine whether the first processing count is equal to the second processing count; and a second setting submodule, configured to use the locally stored second key as the first key when the second judgment submodule determines that the first processing count is equal to the second processing count.
To compare the first processing count with the second processing count, in a possible implementation the first judgment module includes: a third judgment submodule, configured to determine whether the first processing count is greater than the second processing count; and a first processing submodule, configured to, when the third judgment submodule determines that the first processing count is greater than the second processing count, perform the one-way mapping processing on the locally stored second key a number of times equal to a third processing count to generate the first key, where the third processing count is the difference between the first processing count and the second processing count.
To ensure the uniqueness of the result of the one-way mapping processing, in a possible implementation the first processing submodule is specifically configured to process the reference value with a hash algorithm a number of times equal to the third processing count.
To enhance the reliability of the key in the embodiments of this application, in a possible implementation the first processing submodule includes: a first concatenation unit, configured to concatenate the input of the one-way mapping processing with a local identifier; and a first setting unit, configured to use the concatenated result as the input of the hash algorithm.
So that the terminal provided in the embodiments of this application can perform asymmetric encryption and decryption, in a possible implementation the first key is one key of an asymmetric key pair.
To avoid the risk of storing the reference value, in a possible implementation the first key is related to a reference value, and the reference value is obtained in any one of the following ways: read from a hardware area of the device, delivered by a cloud server, or input from outside.
According to a sixth aspect, this application provides a terminal that implements the foregoing digital signature verification method. The terminal includes: a third receiving module, configured to receive a digital signature and a first processing count; a second comparison module, configured to compare the first processing count with a locally stored second processing count; a second judgment module, configured to determine, based on the comparison result, whether the digital signature can be verified; a second determining module, configured to determine a first key pair corresponding to the first processing count when the second judgment module determines that the digital signature can be verified, where the first key pair is an asymmetric key pair and includes a first key; and a verification module, configured to verify the digital signature with the first key pair.
In the foregoing terminal, to compare the first processing count with the second processing count, in a possible implementation the second judgment module includes: a fourth judgment submodule, configured to determine whether the first processing count is less than the second processing count; and a second determining submodule, configured to determine that the digital signature cannot be verified when the fourth judgment submodule determines that the first processing count is less than the second processing count.
To compare the first processing count with the second processing count, in a possible implementation the second judgment module includes: a fifth judgment submodule, configured to determine whether the first processing count is equal to the second processing count; and a third setting submodule, configured to use the locally stored second key pair as the first key pair when the fifth judgment submodule determines that the first processing count is equal to the second processing count.
To compare the first processing count with the second processing count, in a possible implementation the second judgment module includes: a sixth judgment submodule, configured to determine whether the first processing count is greater than the second processing count; a second processing submodule, configured to, when the sixth judgment submodule determines that the first processing count is greater than the second processing count, perform the one-way mapping processing on a second key in the locally stored second key pair a number of times equal to a third processing count to generate the first key, where the third processing count is the difference between the first processing count and the second processing count; and a generation submodule, configured to generate the first key pair from the first key.
To ensure the uniqueness of the result of the one-way mapping processing, in a possible implementation the second processing submodule is specifically configured to process the reference value with a hash algorithm a number of times equal to the third processing count.
To enhance the reliability of the key in the embodiments of this application, in a possible implementation the second processing submodule includes: a second concatenation unit, configured to concatenate the input of the one-way mapping processing with a local identifier; and a second setting unit, configured to use the concatenated result as the input of the hash algorithm.
To avoid the risk of storing the reference value, in a possible implementation the first key is related to a reference value, and the reference value is obtained in any one of the following ways: read from a hardware area of the device, delivered by a cloud server, or input from outside.
According to a seventh aspect, this application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, the electronic device performs the method according to the first aspect, the second aspect, or the third aspect.
According to an eighth aspect, this application provides a computer-readable storage medium storing a computer program. When the computer program runs on a computer, the computer performs the method according to the first aspect, the second aspect, or the third aspect.
Brief Description of the Drawings
Figure 1 is a schematic diagram of symmetric encryption technology;
Figure 2 is a schematic diagram of asymmetric encryption technology;
Figure 3 is a schematic diagram of a digital signature verification method;
Figure 4 is a schematic flowchart of a key update method according to an embodiment of this application;
Figure 5a is a schematic diagram of a symmetric key generation method according to an embodiment of this application;
Figure 5b is a schematic diagram of another symmetric key generation method according to an embodiment of this application;
Figure 6a is a schematic diagram of an asymmetric key generation method based on the large integer factorization problem according to an embodiment of this application;
Figure 6b is a schematic diagram of another asymmetric key generation method based on the large integer factorization problem according to an embodiment of this application;
Figure 7a is a schematic diagram of an asymmetric key generation method based on the discrete logarithm problem over integers according to an embodiment of this application;
Figure 7b is a schematic diagram of another asymmetric key generation method based on the discrete logarithm problem over integers according to an embodiment of this application;
Figure 7c is a schematic diagram of yet another asymmetric key generation method based on the discrete logarithm problem over integers according to an embodiment of this application;
Figure 7d is a schematic diagram of still another asymmetric key generation method based on the discrete logarithm problem over integers according to an embodiment of this application;
Figure 8a is a schematic diagram of an asymmetric key generation method based on the elliptic curve discrete logarithm problem according to an embodiment of this application;
Figure 8b is a schematic diagram of another asymmetric key generation method based on the elliptic curve discrete logarithm problem according to an embodiment of this application;
Figure 8c is a schematic diagram of yet another asymmetric key generation method based on the elliptic curve discrete logarithm problem according to an embodiment of this application;
Figure 8d is a schematic diagram of still another asymmetric key generation method based on the elliptic curve discrete logarithm problem according to an embodiment of this application;
Figure 9 is a schematic flowchart of a data decryption method according to an embodiment of this application;
Figure 10 is a schematic flowchart of a digital signature verification method according to an embodiment of this application;
Figure 11a is a schematic structural diagram of a terminal application generating keys of different versions according to an embodiment of this application;
Figure 11b is a schematic flowchart of a key generation module generating keys of different versions according to an embodiment of this application;
Figure 12a is a schematic structural diagram of a terminal application generating an updated key according to an embodiment of this application;
Figure 12b is a schematic flowchart of a key generation module generating an updated key according to an embodiment of this application;
Figure 13 is a schematic structural diagram of a terminal application performing encryption, decryption, and digital signature verification according to an embodiment of this application;
Figure 14 is a schematic structural diagram of a home device performing key verification according to an embodiment of this application;
Figure 15 is a schematic structural diagram of a terminal according to an embodiment of this application;
Figure 16 is a schematic structural diagram of another terminal according to an embodiment of this application;
Figure 17 is a schematic structural diagram of yet another terminal according to an embodiment of this application;
Figure 18 is a schematic structural diagram of an electronic device according to an embodiment of this application; and
Figure 19 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of this application.
具体实施方式Detailed ways
下面详细描述本申请的实施例,所述实施例的示例在附图中示出,其中自始至终相同或类似的标号表示相同或类似的元件或具有相同或类似功能的元件。下面通过参考附图描述的实施例是示例性的,旨在用于解释本申请技术方案,而不能理解为对本申请的限制。The embodiments of the present application are described in detail below. Examples of the embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals indicate the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the accompanying drawings are exemplary, and are intended to explain the technical solutions of the present application, and should not be understood as a limitation to the present application.
下面参考附图描述本申请实施例的密钥的更新方法、数据解密方法、数字签名的验证方法,以及终端、计算机可读存储介质。The following describes the key update method, data decryption method, digital signature verification method, terminal, and computer-readable storage medium of the embodiments of the present application with reference to the accompanying drawings.
为了清楚地说明本申请实施例所提供的密钥的更新方法、数据解密方法、数字签名的验证方法,首先对加密技术和数字签名验证技术进行说明。In order to clearly explain the key update method, data decryption method, and digital signature verification method provided in the embodiments of the present application, first, the encryption technology and the digital signature verification technology are described.
When data is transmitted from a sender to a receiver, neither party wants the transmitted data to be obtained by a third party, so the sender encrypts the data.
In encryption, the data to be transmitted is called the plaintext. Encrypting the plaintext yields the ciphertext, which usually looks like unintelligible data. The ciphertext is transmitted over an open channel; even if a third party intercepts the message, it obtains only the ciphertext and cannot recover the plaintext.
The sender encrypts the plaintext and sends the ciphertext to the receiver. After receiving the ciphertext, the receiver decrypts it to restore the plaintext, so that the data is transmitted in encrypted form from the sender to the receiver.
Encryption involves two essential elements: the encryption algorithm and the key. The encryption algorithm operates on the plaintext and the key to produce the ciphertext. To prevent a third party from breaking the encryption method, the two parties usually change the method by updating the key. In other words, both parties always use the same encryption algorithm but encrypt the plaintext with different keys, so that a third party cannot break the encryption method, which keeps the data transmission secure.
In the related art, encryption falls into two categories: symmetric encryption and asymmetric encryption.
FIG. 1 is a schematic diagram of symmetric encryption. As shown in FIG. 1, symmetric encryption uses the same key for encryption and decryption; that is, the sender encrypts and the receiver decrypts with the same key. Once a third party learns the key, it can decrypt intercepted ciphertext with it, and the encryption is broken. Therefore, in symmetric encryption the key may be known only to the sender and the receiver, and different sender-receiver pairs use different keys.
FIG. 2 is a schematic diagram of asymmetric encryption. As shown in FIG. 2, asymmetric encryption uses a key pair, consisting of a public key and a private key, for encryption and decryption. The receiver publishes the public key. When transmitting data to the receiver, the sender encrypts the plaintext with the receiver's published public key. After receiving the ciphertext, the receiver decrypts it with the private key that corresponds to the public key. The receiver can therefore use a single key pair to encrypt data transmission with multiple senders.
Note that, unlike symmetric encryption, in asymmetric encryption the public key and the private key form a key pair, the two keys are different, and the private key cannot be determined from the public key.
In addition, similar to symmetric encryption, in asymmetric encryption data encrypted with the public key can be decrypted with the corresponding private key, and data encrypted with the private key can be decrypted with the corresponding public key. In other words, within a key pair the public key and the private key are not distinguished by whether they are used for encryption or decryption, but by whether they are disclosed: the key that is disclosed to the public is called the public key, and the key that must not be known to others is called the private key.
FIG. 3 is a schematic diagram of a digital signature verification method. As shown in FIG. 3, because of the properties described above, asymmetric encryption can also be used for digital signatures: the sender signs the plaintext with the private key, and the receiver verifies the signature with the public key. Specifically, signing consists of encrypting the plaintext with the private key, and verification consists of decrypting the ciphertext with the public key. If the decrypted content is the same as the plaintext, the identity of the sender is confirmed.
Further, to make it easier for the receiver to decide whether the decrypted content is the same as the plaintext, one possible implementation is for the sender to send the message digest of the plaintext together with the ciphertext. The message digest is produced by processing the plaintext with a hash function. A hash function compresses a plaintext of any length into a fixed-length message digest and is hard to invert. That is, whatever the length of the plaintext, the hash function produces a fixed-length digest, and the plaintext cannot be recovered from the digest. Correspondingly, if two plaintexts differ, even slightly, the resulting digests differ as well.
Therefore, after decrypting the ciphertext with the public key, the receiver processes the decrypted content with the hash function to produce its message digest and compares it with the received digest of the plaintext. If the two are identical, the decrypted content is the same as the plaintext, which confirms the identity of the sender.
From the description of symmetric and asymmetric encryption above, it follows that symmetric encryption is broken once a third party learns the key, and asymmetric encryption is broken once a third party learns the private key. Preventing third parties from obtaining keys and private keys is therefore central to encryption, and regularly updating the key or key pair is an important means of improving its reliability.
A key or key-pair update must be performed by the sender and the receiver in step. If one party uses the updated key while the other uses the old key, data transmission fails.
The prior art addresses this problem with different schemes, which are described and analyzed below.
In the first scheme, after completing a key update the data transmission party stores the old key and uses key version numbers to manage the different versions of old keys. When it finds that the other party has used an old key for encryption or for a digital signature, it uses the key of the corresponding version to decrypt the data or verify the signature.
With the first scheme the data transmission party can obtain an old key quickly, but it has to keep storing and managing old keys. The number of old keys grows with the number of updates, and storing and managing them consumes substantial resources, especially when keys are updated frequently and the number of old keys grows faster. Moreover, if the data transmission party loses a stored old key, the key cannot be recovered and can no longer be used.
In the second scheme, both parties store a large number of key versions in advance, in sync, and use key version numbers to manage them. At a key update, the data transmission party determines the new key version and obtains the key of that version locally. When it finds that the other party has used an old key for encryption or for a digital signature, it uses the key of the corresponding version to decrypt the data or verify the signature.
The second scheme guarantees the integrity of the key at update time, so the updated key does not need an integrity check, but both parties must permanently store and manage a very large number of key versions, which consumes substantial resources. As in the first scheme, if the data transmission party loses a stored key, the key cannot be recovered and can no longer be used.
In the third scheme, the data transmission party stores a master key and generates the different key versions from it; that is, given a version number, it can generate the key for that version from the master key. Specifically, the master key and the version number are fed into a function to produce the corresponding key.
With the third scheme the data transmission party does not need to store and manage a large number of keys, but the keys of different versions are unrelated to one another: an old key cannot be derived one-way from the updated key and has to be generated from the master key.
From this description and analysis it follows that, in the prior art, once a key update is complete an old key can be obtained only by having stored it or by regenerating it from the master key.
To solve the above problem, the embodiments of this application propose a key update method in which, on receiving information encrypted or digitally signed with an old key, the party applies one-way mapping processing to the current key to obtain that old key, and then uses the old key for decryption or signature verification. The method both updates the key and allows old keys to be derived one-way from the current key.
FIG. 4 is a schematic flowchart of a key update method provided by an embodiment of this application. As shown in FIG. 4, the method includes:
Step S101: receive a key update instruction.
As explained above, a key in use can be updated periodically, or it can be updated when it is found to have leaked or to be at risk of leaking, in order to keep the key secure.
Step S102: obtain the locally stored first key and the reference value.
The first key is generated from the reference value by applying one-way mapping processing a first processing count of times. A one-way mapping is an irreversible mapping: for example, A is mapped one-way to B, but B cannot be restored to A. Therefore, applying the one-way mapping to the reference value the first processing count of times yields the first key, but the first key cannot be reversed.
Note that in the key update method of this embodiment, the data transmission party stores the key currently in use, that is, the first key.
Because every key version of a data transmission party in this embodiment is generated from the reference value, different data transmission parties must not share the same reference value, so that the generated keys differ. In addition, to prevent key leakage, the reference value used to generate the keys must also be kept secret.
In a first possible implementation, the data transmission party uses its own hardware key as the reference value. The hardware key is stored in a hardware area of the data transmission party, which is secure and reliable.
In a second possible implementation, when the data transmission party registers with a cloud server, the cloud server generates a corresponding reference value from the party's hardware information and stores the reference value on the cloud server. The cloud server delivers the reference value to the data transmission party in a secure manner, which avoids the party storing the reference value directly.
In a third possible implementation, the user manually enters a user password that serves as the reference value, which avoids the data transmission party storing the reference value directly.
In the second and third implementations, the data transmission party does not store the reference value. Each time the reference value is needed, it is produced by accessing the cloud server or by prompting the user to enter the user password.
Step S103: apply one-way mapping processing to the reference value a second processing count of times to generate a second key.
The second processing count is smaller than the first processing count.
The second key is the updated key. In the key update method of this embodiment, the first key and the second key are generated in a similar way, by applying the one-way mapping to the reference value multiple times, but the second processing count for the second key is smaller than the first processing count for the first key. From the description of one-way mapping above, it follows that applying the one-way mapping to the second key a preset number of times yields the first key, whereas the second key cannot be generated from the first key.
In other words, in this embodiment the pre-update key can be generated from the updated key, but the updated key cannot be generated from the pre-update key. This prevents a third party from deriving the updated key from an old key that has already leaked.
Step S104: replace the first key with the second key.
After the updated key is generated, the current key is replaced with it to complete the update, and the old key does not need to be stored.
In addition, during data transmission the sender and the receiver need to update the key in sync. In existing key update methods, one party usually performs the update and then sends the updated key to the other party to synchronize. While the updated key is in transit to the other party, however, it may be lost or tampered with, so a trusted third party is needed to verify the updated key.
In the key update method of this embodiment, after receiving a second key and the corresponding second processing count from the other party, the receiving party first compares the second processing count with the first processing count.
If the second processing count is greater than or equal to the first processing count, the second key sent by the other party is an old key; the second key does not need to be authenticated, and the locally stored first key does not need to be updated.
If the second processing count is smaller than the first processing count, the receiving party can apply the one-way mapping to the second key a third processing count of times and perform a fixed-field check of the result against the locally stored first key. If the check passes, the locally stored first key is replaced with the second key. The third processing count is the difference between the first processing count and the second processing count.
In summary, the key update method provided by this embodiment includes: receiving a key update instruction; obtaining the locally stored first key and the reference value, where the first key is generated from the reference value by applying one-way mapping processing a first processing count of times; applying one-way mapping processing to the reference value a second processing count of times to generate a second key, where the second processing count is smaller than the first processing count; and replacing the first key with the second key. The key is thereby updated, and old keys can be derived one-way from the current key. Old keys do not need to be stored, which saves the data transmission party's resources, there is no need to worry about losing an old key, and the current key cannot be derived from an old key. After a new key is received from the other party, no third party is needed to verify its legitimacy.
Further, so that the key version number corresponds to the number of one-way mapping steps, one possible implementation is for the first processing count and the second processing count to differ by one. The first and second processing counts are the counts that correspond, within one key update, to the pre-update first key and the updated second key, and those two keys are one version apart. When the two counts differ by one, the first processing count can therefore identify the version of the first key, and the second processing count can identify the version of the second key.
Note that the second processing count is smaller than the first, so the version identifier of the updated second key is numerically smaller than that of the pre-update first key. In other words, the newer the key, the smaller its processing count and the smaller its version identifier.
In addition, the one-way mapping processing in this embodiment may include processing with a hash algorithm, which performs a hash operation on its input to produce a uniquely corresponding hash value.
When the first key is generated, the hash operation is applied to the reference value the first processing count of times (for example, 6 times), and the resulting hash value is used as the first key.
When the first key is updated, the hash operation is applied to the reference value the second processing count of times (for example, 5 times), and the resulting hash value is used as the second key. Replacing the first key with the second key completes the update of the first key.
The first key is generated from the reference value by 6 hash operations. During that generation, the hash value obtained after 5 hash operations is identical to the second key, and one more hash operation yields the first key. Therefore, one hash operation on the second key produces the first key. After the first key has been updated, the data transmission party can generate the first key directly from the second key. Conversely, because a hash algorithm is hard to invert, the data transmission party cannot generate the second key directly from the first key.
Note in particular that the hash algorithm in this embodiment may be any known hash algorithm, such as SHA-256 or SHA-512; this embodiment does not limit the choice.
Further, to strengthen the reliability of the key in this embodiment, one possible implementation is that the processing with a hash algorithm includes concatenating the input of the one-way mapping processing with a local identifier and using the concatenated result as the input of the hash algorithm.
The local identifier is the unique identifier of the data transmission party and never changes. That is, in every one-way mapping step, the input of the step is first concatenated with the local identifier, and the concatenated result is then fed to the hash algorithm. Specifically, the local identifier may be the hardware identifier of the data transmission party, the application identifier of the software application that performs the data transmission, or a manually configured identifier; this embodiment does not limit the choice.
As a result, the input of each hash operation is the input of the previous hash operation concatenated with the fixed identifier, which increases the complexity of the hash algorithm and in turn improves the security of the generated keys.
From the description of the related art above, in symmetric encryption the sender and the receiver use the same key, so a key update only requires replacing the pre-update first key with the updated second key.
In asymmetric encryption, the sender and the receiver use a key pair, and a key update requires updating both the private key and the public key of the pair.
In this embodiment, one possible implementation is to use the first key as the private key and a third key that matches the first key as the public key, so that the first key and the third key form an asymmetric key pair. To generate the pair, the one-way mapping is applied to the reference value the first processing count of times to generate the first key, and the third key is then computed from the first key.
Another possible implementation is to use the first key as the public key and a third key that matches the first key as the private key, so that the first key and the third key form an asymmetric key pair. To generate the pair, the one-way mapping is applied to the reference value the first processing count of times to generate the first key, and the third key is then computed from the first key.
To explain the key update method of this embodiment more clearly, examples are given below.
FIG. 5a is a schematic diagram of a symmetric key generation method provided by an embodiment of this application. FIG. 5b is a schematic diagram of another symmetric key generation method provided by an embodiment of this application. As shown in FIG. 5a, MK denotes the reference value; so that key versions can be labeled uniformly, $Key_{-1}$ is used to denote MK. Applying the hash operation to the reference value 1 to m times yields m versions of the key, namely $Key_{0}$ to $Key_{m}$. In use, $Key_{m}$ is used as the key first, and replacing $Key_{m}$ with $Key_{m-1}$ performs one key update. The process continues in the same way until $Key_{1}$ is replaced with $Key_{0}$.
Similarly, as shown in FIG. 5b, before each hash operation the output of the previous hash operation is concatenated with the local identifier APPTAG, and the concatenated result is then hashed. Specifically, the reference value MK is concatenated with the local identifier APPTAG, and the concatenated result $(Key_{-1} \mid APPTAG)$ is hashed to obtain $Key_{0}$. $Key_{0}$ is concatenated with the local identifier APPTAG, and the concatenated result $(Key_{0} \mid APPTAG)$ is hashed to obtain $Key_{1}$. Continuing in the same way yields m versions of the key, namely $Key_{0}$ to $Key_{m}$. In use, the key is updated in the same way as in FIG. 5a, which is not repeated here.
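The update procedure (steps S101 to S104), the receiving party's comparison of processing counts, and the APPTAG concatenation of FIG. 5b can be put together as follows; this is an added example, not code from the patent. The class names, the APPTAG value, the choice of SHA-256, and comparing the whole derived value rather than a fixed field are assumptions made for illustration.

```python
import hashlib
import hmac

APPTAG = b"example-app-tag"  # constructed local identifier (assumption)


def one_way(value: bytes, tag: bytes = APPTAG) -> bytes:
    """One one-way mapping step: SHA-256 over (input || local identifier)."""
    return hashlib.sha256(value + tag).digest()


def derive(value: bytes, times: int, tag: bytes = APPTAG) -> bytes:
    """Apply the one-way mapping `times` times in a row."""
    if times < 0:
        raise ValueError("a one-way mapping cannot be run backwards")
    for _ in range(times):
        value = one_way(value, tag)
    return value


class KeyOwner:
    """Party that holds the secret reference value and performs updates."""

    def __init__(self, reference: bytes, count: int):
        if count < 1:
            raise ValueError("processing count must be at least 1")
        self._reference = reference          # must stay secret
        self.count = count                   # first processing count
        self.key = derive(reference, count)  # first key

    def update(self) -> int:
        """S102-S104: derive the key for count - 1 and replace the current key."""
        if self.count <= 1:
            raise RuntimeError("no smaller processing count left")
        self.count -= 1
        self.key = derive(self._reference, self.count)
        return self.count

    def old_key(self, old_count: int) -> bytes:
        """Recompute an earlier key from the current key alone."""
        return derive(self.key, old_count - self.count)


class Peer:
    """Party that holds only the current key and its processing count."""

    def __init__(self, key: bytes, count: int):
        self.key = key
        self.count = count

    def accept(self, new_key: bytes, new_count: int) -> bool:
        """Check a key received from the other party before adopting it."""
        if new_count >= self.count:
            return False  # not newer than the local key: nothing to update
        # Third processing count = first count - second count.
        candidate = derive(new_key, self.count - new_count)
        if not hmac.compare_digest(candidate, self.key):
            return False  # does not hash forward to the local key: reject
        self.key, self.count = new_key, new_count
        return True


if __name__ == "__main__":
    owner = KeyOwner(b"constructed-reference-value", 6)  # constructed input
    peer = Peer(owner.key, owner.count)
    owner.update()
    print("peer accepted update:", peer.accept(owner.key, owner.count))
    print("old key recoverable:", owner.old_key(6) == derive(owner.key, 1))
```

Because every earlier key is a hash of the current one, whoever holds the current key can compute all earlier keys; the chain protects newer keys against the leak of an older key, not the reverse.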
FIG. 6a is a schematic diagram of a method for generating an asymmetric key based on the large-integer factorization problem, provided by an embodiment of this application. FIG. 6b is a schematic diagram of another method for generating an asymmetric key based on the large-integer factorization problem, provided by an embodiment of this application.
It should first be explained that asymmetric encryption based on the large-integer factorization problem is also known as RSA encryption. RSA shares the common characteristic of asymmetric encryption: encryption and decryption are performed with a key pair consisting of a public key and a private key.
In addition, RSA relies mainly on the difficulty of factoring large numbers into primes. Specifically, given the product of two large primes, the product cannot be factored directly to recover the two primes, which ensures the reliability of the encryption.
The RSA encryption algorithm works as follows. First, two large primes p and q are chosen, the values of $p \cdot q$ (the modulus n used below) and $(p-1)(q-1)$ are computed, and a random number e that is coprime to $(p-1)(q-1)$ is generated.
The possible values of d are computed from the formula $(d \cdot e) \bmod (p-1)(q-1) = 1$. Note that several values of d satisfy this formula, and any of them can be used as d. Taking (e, n) as the RSA public key and (d, n) as the RSA private key gives an RSA key pair. Because n is hard to factor, someone who knows the public key (e, n) cannot compute p and q from n, cannot determine $(p-1)(q-1)$, and therefore cannot determine d. In other words, the private key (d, n) cannot be determined from the public key (e, n).
For encryption, the plaintext is encrypted with the formula $\text{ciphertext} = \text{plaintext}^{e} \bmod n$; for decryption, the ciphertext is decrypted with the formula $\text{plaintext} = \text{ciphertext}^{d} \bmod n$. The decryption works because $\text{ciphertext}^{d} \bmod n = (\text{plaintext}^{e} \bmod n)^{d} \bmod n = \text{plaintext}^{ed} \bmod n = \text{plaintext}^{(p-1)(q-1)+1} \bmod n = \text{plaintext}$, which guarantees that ciphertext encrypted with the public key can be decrypted with the private key.
For a digital signature, the plaintext is encrypted with the formula $\text{ciphertext} = \text{plaintext}^{d} \bmod n$; to verify the signature, the ciphertext is decrypted with the formula $\text{plaintext} = \text{ciphertext}^{e} \bmod n$. The principle of signature verification is similar to that of decryption and is not repeated here.
As shown in Fig. 6a, after one hash operation is performed on the reference value MK, a specified part of the large number $n_0$ of the RSA encryption algorithm is generated, and the whole large number $n_0$ is then generated. From the description of the RSA encryption algorithm above, the generated $n_0$ is the product of two large primes $p_0$ and $q_0$; a random number $e_0$ that is coprime to $(p_0-1)(q_0-1)$ is then randomly generated. To save computing resources, 65537 may also be used directly as the random number $e_0$. The value of $d_0$ is calculated from the formula $(d_0 \cdot e_0) \bmod ((p_0-1)(q_0-1)) = 1$. Taking $(e_0, n_0)$ as the public key and $(d_0, n_0)$ as the private key gives one key pair.
After one hash operation is performed on $n_0$, a specified part of the large number $n_1$ of the RSA encryption algorithm is generated, and the whole large number $n_1$ is then generated. The generated $n_1$ is the product of two large primes $p_1$ and $q_1$; a random number $e_1$ that is coprime to $(p_1-1)(q_1-1)$ is then randomly generated. To save computing resources, 65537 may also be used directly as the random number $e_1$. The value of $d_1$ is calculated from the formula $(d_1 \cdot e_1) \bmod ((p_1-1)(q_1-1)) = 1$. Taking $(e_1, n_1)$ as the public key and $(d_1, n_1)$ as the private key gives one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(e_m, n_m)$, $(d_m, n_m)$ is used first as the key pair; replacing $(e_m, n_m)$, $(d_m, n_m)$ with $(e_{m-1}, n_{m-1})$, $(d_{m-1}, n_{m-1})$ is one update of the key pair. This continues until $(e_1, n_1)$, $(d_1, n_1)$ is replaced with $(e_0, n_0)$, $(d_0, n_0)$.
Note that in the key pair generation process above, the values of $e$, $n$ and $d$ produced by each one-way mapping step are not unique. For example, after one hash operation on the reference value MK, a specified part of the large number $n_0$ is generated and the whole of $n_0$ is then generated so that $n_0$ is the product of two large primes $p_0$ and $q_0$; the large number $n_0$ that satisfies this condition is not unique. Likewise, the random number $e_0$ that is coprime to $(p_0-1)(q_0-1)$ has many possible values, and there are also many values of $d_0$ that satisfy the formula $(d_0 \cdot e_0) \bmod ((p_0-1)(q_0-1)) = 1$.
If the key pair produced by each one-way mapping step is not unique, the number of one-way mapping steps cannot be put in one-to-one correspondence with the key versions, and the old key cannot be generated by applying the one-way mapping to the current key.
To give the key pair produced by each one-way mapping step a definite value, the possible values of $n$, $e$ and $d$ can be selected according to fixed rules so that a unique value is determined. When the value of the large number $n$ is determined, the first large number found by searching according to a fixed rule is chosen. When the random number $e$ is selected, a fixed rule must be followed to ensure that, after the new key pair is hashed, the old key can be obtained by decomposition. When the value of $d$ is determined, the smallest value that satisfies the formula can be chosen. In this way the values of $n$, $e$ and $d$ are unique after each one-way mapping step.
As shown in Fig. 6b, the reference value MK is concatenated with the local identifier APPTAG, and after one hash operation is performed on the concatenated result, a specified part of the large number $n_0$ of the RSA encryption algorithm is generated, and the whole large number $n_0$ is then generated. From the description of the RSA encryption algorithm above, the generated $n_0$ is the product of two large primes $p_0$ and $q_0$; a random number $e_0$ that is coprime to $(p_0-1)(q_0-1)$ is then randomly generated. To save computing resources, 65537 may also be used directly as the random number $e_0$. The value of $d_0$ is calculated from the formula $(d_0 \cdot e_0) \bmod ((p_0-1)(q_0-1)) = 1$. Taking $n_0$ as the public key and $d_0$ as the private key gives one key pair.
$n_0$ is concatenated with the local identifier APPTAG, and after one hash operation is performed on the concatenated result, a specified part of the large number $n_1$ of the RSA encryption algorithm is generated, and the whole large number $n_1$ is then generated. The generated $n_1$ is the product of two large primes $p_1$ and $q_1$; a random number $e_1$ that is coprime to $(p_1-1)(q_1-1)$ is then randomly generated. To save computing resources, 65537 may also be used directly as the random number $e_1$. The value of $d_1$ is calculated from the formula $(d_1 \cdot e_1) \bmod ((p_1-1)(q_1-1)) = 1$. Taking $n_1$ as the public key and $d_1$ as the private key gives one key pair.
By analogy, after m operations, m key pairs are generated.
To give the key pair produced by each one-way mapping step a definite value, the method described above can be used to determine a unique value from the possible values of $n$, $e$ and $d$; it is not repeated here.
When the keys are used, the key update is carried out in the same way as in Fig. 6a and is not repeated here.
Fig. 7a is a schematic diagram of a method for generating an asymmetric key based on the discrete logarithm problem over the integers, provided by an embodiment of this application. Fig. 7b is a schematic diagram of another such method provided by an embodiment of this application. Fig. 7c is a schematic diagram of yet another such method provided by an embodiment of this application. Fig. 7d is a schematic diagram of a further such method provided by an embodiment of this application.
It should first be noted that asymmetric encryption based on the discrete logarithm problem over the integers is also known as DSA encryption. Unlike the RSA encryption described above, DSA relies mainly on the discrete logarithm problem over the integers to keep the encryption reliable. Although the DSA encryption algorithm has a key pair consisting of a public key $z$ and a private key $d$, it is a one-way encryption algorithm, that is, ciphertext produced by encrypting with the public key cannot be restored to the plaintext with the private key. It is therefore suitable only for digital signature verification, not for data encryption.
As shown in Fig. 7a, one hash operation is performed on the reference value MK, the result is reduced modulo $(q-1)$ and one is added, giving the private key $d_0$ of the DSA encryption algorithm, where $q$ is a public prime agreed in advance. The public key $z_0$ is calculated from the formula $z_0 = g^{d_0} \bmod p$, giving one key pair. Here $p$ is a public prime agreed in advance, $g$ is a generator in the agreed finite field, and $q$ is the order of $g$.
One hash operation is performed on $d_0$, the result is reduced modulo $(q-1)$ and one is added, giving the private key $d_1$ of the DSA encryption algorithm. The public key $z_1$ is calculated from the formula $z_1 = g^{d_1} \bmod p$, giving one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(d_m, z_m)$ is used first as the key pair; replacing $(d_m, z_m)$ with $(d_{m-1}, z_{m-1})$ is one update of the key pair. This continues until $(d_1, z_1)$ is replaced with $(d_0, z_0)$.
As shown in Fig. 7b, the reference value MK is concatenated with the local identifier APPTAG, one hash operation is performed on the concatenated result, the hash is reduced modulo $(q-1)$ and one is added, giving the private key $d_0$ of the DSA encryption algorithm, where $q$ is a public prime agreed in advance. The public key $z_0$ is calculated from the formula $z_0 = g^{d_0} \bmod p$, giving one key pair. Here $p$ is a public prime agreed in advance, $g$ is a generator in the agreed finite field, and $q$ is the order of $g$.
$d_0$ is concatenated with the local identifier APPTAG, one hash operation is performed on the concatenated result, the hash is reduced modulo $(q-1)$ and one is added, giving the private key $d_1$ of the DSA encryption algorithm. The public key $z_1$ is calculated from the formula $z_1 = g^{d_1} \bmod p$, giving one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(d_m, z_m)$ is used first as the key pair; replacing $(d_m, z_m)$ with $(d_{m-1}, z_{m-1})$ is one update of the key pair. This continues until $(d_1, z_1)$ is replaced with $(d_0, z_0)$.
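The derivation of Fig. 7a and Fig. 7b, written out as an added example (not code from the application). SHA-256 as the hash, the fixed-width `encode` of a private key before hashing, and the toy parameters `P`, `Q`, `G` are assumptions made here.

```python
import hashlib

# Toy public parameters constructed for this example (far too small for real use):
# P is prime, Q is a prime dividing P - 1, and G has order Q modulo P.
P, Q, G = 2039, 1019, 4


def next_private(prev: bytes, apptag: bytes = b"") -> int:
    """Hash the previous value (Fig. 7b: previous value | APPTAG),
    reduce modulo (Q - 1) and add one, so the result lies in [1, Q - 1]."""
    digest = hashlib.sha256(prev + apptag).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def encode(d: int) -> bytes:
    """Fixed-width big-endian encoding of a private key (assumed convention)."""
    return d.to_bytes((Q.bit_length() + 7) // 8, "big")


def key_chain(mk: bytes, versions: int, apptag: bytes = b"") -> list:
    """Return [(d_0, z_0), (d_1, z_1), ...]: d_0 comes from MK, d_{i+1} from d_i."""
    pairs, prev = [], mk
    for _ in range(versions):
        d = next_private(prev, apptag)
        pairs.append((d, pow(G, d, P)))      # z_i = g^{d_i} mod p
        prev = encode(d)
    return pairs


def older_pair(d_current: int, steps: int, apptag: bytes = b"") -> tuple:
    """From the private key in use, re-derive the pair `steps` versions older
    (higher index). The reverse direction would require inverting the hash."""
    d = d_current
    for _ in range(steps):
        d = next_private(encode(d), apptag)
    return d, pow(G, d, P)


def rotation_order(pairs: list) -> list:
    """Keys are put into use from the highest index down to index 0."""
    return list(reversed(pairs))


if __name__ == "__main__":
    chain = key_chain(b"constructed reference value MK", 6)
    for i, (d, z) in enumerate(chain):
        print(f"version {i}: d={d} z={z}")
    print("re-derived version 5 from d_2:", older_pair(chain[2][0], 3))
```
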
As shown in Fig. 7c, one hash operation is performed on the reference value MK, the result is reduced modulo $(q-1)$ and one is added, giving the private key $d_0$ of the DSA encryption algorithm, where $q$ is a public prime agreed in advance. The public key $z_0$ is calculated from the formula $z_0 = g^{d_0} \bmod p$, giving one key pair. Here $p$ is a public prime agreed in advance, $g$ is a generator in the agreed finite field, and $q$ is the order of $g$.
One hash operation is performed on $z_0$, the result is reduced modulo $(q-1)$ and one is added, giving the private key $d_1$ of the DSA encryption algorithm. The public key $z_1$ is calculated from the formula $z_1 = g^{d_1} \bmod p$, giving one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(d_m, z_m)$ is used first as the key pair; replacing $(d_m, z_m)$ with $(d_{m-1}, z_{m-1})$ is one update of the key pair. This continues until $(d_1, z_1)$ is replaced with $(d_0, z_0)$.
As shown in Fig. 7d, the reference value MK is concatenated with the local identifier APPTAG, one hash operation is performed on the concatenated result, the hash is reduced modulo $(q-1)$ and one is added, giving the private key $d_0$ of the DSA encryption algorithm, where $q$ is a public prime agreed in advance. The public key $z_0$ is calculated from the formula $z_0 = g^{d_0} \bmod p$, giving one key pair. Here $p$ is a public prime agreed in advance, $g$ is a generator in the agreed finite field, and $q$ is the order of $g$.
$z_0$ is concatenated with the local identifier APPTAG, one hash operation is performed on the concatenated result, the hash is reduced modulo $(q-1)$ and one is added, giving the private key $d_1$ of the DSA encryption algorithm. The public key $z_1$ is calculated from the formula $z_1 = g^{d_1} \bmod p$, giving one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(d_m, z_m)$ is used first as the key pair; replacing $(d_m, z_m)$ with $(d_{m-1}, z_{m-1})$ is one update of the key pair. This continues until $(d_1, z_1)$ is replaced with $(d_0, z_0)$.
Fig. 8a is a schematic diagram of a method for generating an asymmetric key based on the elliptic curve discrete logarithm problem, provided by an embodiment of this application. Fig. 8b is a schematic diagram of another such method provided by an embodiment of this application. Fig. 8c is a schematic diagram of yet another such method provided by an embodiment of this application. Fig. 8d is a schematic diagram of a further such method provided by an embodiment of this application.
It should first be noted that asymmetric encryption based on the elliptic curve discrete logarithm problem is also known as ECDSA encryption. Unlike the RSA encryption described above, ECDSA relies mainly on the elliptic curve discrete logarithm problem to keep the encryption reliable. Although the ECDSA encryption algorithm has a key pair consisting of a public key $Q$ and a private key $d$, it is a one-way encryption algorithm, that is, ciphertext produced by encrypting with the public key cannot be restored to the plaintext with the private key. It is therefore suitable only for digital signature verification, not for data encryption.
As shown in Fig. 8a, one hash operation is performed on the reference value MK, the result is reduced modulo $(n-1)$ and one is added, giving the private key $d_0$ of the ECDSA encryption algorithm, where $n$ is a public prime agreed in advance. The public key $Q_0$ is calculated from the formula $Q_0 = d_0 G$, giving one key pair. Here $G$ is a public elliptic curve base point agreed in advance, and $n$ is the order of $G$.
One hash operation is performed on $d_0$, the result is reduced modulo $(n-1)$ and one is added, giving the private key $d_1$ of the ECDSA encryption algorithm. The public key $Q_1$ is calculated from the formula $Q_1 = d_1 G$, giving one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(d_m, Q_m)$ is used first as the key pair; replacing $(d_m, Q_m)$ with $(d_{m-1}, Q_{m-1})$ is one update of the key pair. This continues until $(d_1, Q_1)$ is replaced with $(d_0, Q_0)$.
As shown in Fig. 8b, the reference value MK is concatenated with the local identifier APPTAG, one hash operation is performed on the concatenated result, the hash is reduced modulo $(n-1)$ and one is added, giving the private key $d_0$ of the ECDSA encryption algorithm, where $n$ is a public prime agreed in advance. The public key $Q_0$ is calculated from the formula $Q_0 = d_0 G$, giving one key pair. Here $G$ is a public elliptic curve base point agreed in advance, and $n$ is the order of $G$.
$d_0$ is concatenated with the local identifier APPTAG, one hash operation is performed on the concatenated result, the hash is reduced modulo $(n-1)$ and one is added, giving the private key $d_1$ of the ECDSA encryption algorithm. The public key $Q_1$ is calculated from the formula $Q_1 = d_1 G$, giving one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(d_m, Q_m)$ is used first as the key pair; replacing $(d_m, Q_m)$ with $(d_{m-1}, Q_{m-1})$ is one update of the key pair. This continues until $(d_1, Q_1)$ is replaced with $(d_0, Q_0)$.
As shown in Fig. 8c, one hash operation is performed on the reference value MK, the result is reduced modulo $(n-1)$ and one is added, giving the private key $d_0$ of the ECDSA encryption algorithm, where $n$ is a public prime agreed in advance. The public key $Q_0$ is calculated from the formula $Q_0 = d_0 G$, giving one key pair. Here $G$ is a public elliptic curve base point agreed in advance, and $n$ is the order of $G$.
One hash operation is performed on $Q_0$, the result is reduced modulo $(n-1)$ and one is added, giving the private key $d_1$ of the ECDSA encryption algorithm. The public key $Q_1$ is calculated from the formula $Q_1 = d_1 G$, giving one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(d_m, Q_m)$ is used first as the key pair; replacing $(d_m, Q_m)$ with $(d_{m-1}, Q_{m-1})$ is one update of the key pair. This continues until $(d_1, Q_1)$ is replaced with $(d_0, Q_0)$.
As shown in Fig. 7d, the reference value MK is concatenated with the local identifier APPTAG, one hash operation is performed on the concatenated result, the hash is reduced modulo $(n-1)$ and one is added, giving the private key $d_0$ of the ECDSA encryption algorithm, where $n$ is a public prime agreed in advance. The public key $Q_0$ is calculated from the formula $Q_0 = d_0 G$, giving one key pair. Here $G$ is a public elliptic curve base point agreed in advance, and $n$ is the order of $G$.
$Q_0$ is concatenated with the local identifier APPTAG, one hash operation is performed on the concatenated result, the hash is reduced modulo $(n-1)$ and one is added, giving the private key $d_1$ of the ECDSA encryption algorithm. The public key $Q_1$ is calculated from the formula $Q_1 = d_1 G$, giving one key pair.
By analogy, after m rounds of processing, m key pairs are generated. When the keys are used, $(d_m, z_m)$ is used first as the key pair; replacing $(d_m, z_m)$ with $(d_{m-1}, z_{m-1})$ is one update of the key pair. This continues until $(d_1, z_1)$ is replaced with $(d_0, z_0)$.
The symmetric key generation methods and asymmetric key generation methods described above are only examples of the key update method proposed in this application and do not limit the embodiments of this application.
From the foregoing description of the embodiments of the key update method, it can be seen that the different versions of the key proposed in the embodiments of this application are generated from the reference value by one-way mapping processing with different processing counts, and that the first processing count, which corresponds to the first key before the update, is greater than the second processing count, which corresponds to the second key after the update. Therefore, the first key from before the update can be obtained by applying the one-way mapping to the updated second key a certain number of times.
Given this one-way derivation relationship between the different versions of the key, during data transmission the receiver can, after receiving encrypted data or a digital signature, generate the corresponding key from the processing count associated with the encrypted data or with the digital signature, and use it to process the encrypted data or the digital signature.
在数据解密过程中,本申请实施例提出了一种数据解密方法,图9为本申请实施例所提出的一种数据解密方法的流程示意图。如图9所示,该方法包括:In the process of data decryption, an embodiment of the present application proposes a data decryption method. FIG. 9 is a schematic flowchart of a data decryption method proposed in an embodiment of the present application. As shown in Figure 9, the method includes:
步骤S201,接收加密数据和第一处理次数,并将第一处理次数与本地存储的第二处理次数进行比较。Step S201: Receive the encrypted data and the first processing count, and compare the first processing count with the locally stored second processing count.
需要说明的是,对于本申请实施例所提供的密钥的更新方法,在实际使用过程中,可能存在数据传输的双方没有及时同步密钥版本的情况。也就是说,作为数据传输的接收方,接收到的加密数据对应的密钥的版本与接收方正在使用的密钥的版本可能出现三种情况。一种可能的情况是,接收到的加密数据对应的密钥比接收方正在使用的密钥新,另一种可能的情况是,接收到的加密数据对应的密钥和接收方正在使用的密 钥版本相同,又一种可能的情况是,接收到的加密数据对应的密钥比接收方正在使用的密钥旧。It should be noted that, for the method for updating the key provided in the embodiment of the present application, in actual use, there may be situations in which the two parties of the data transmission do not synchronize the key version in time. That is to say, as the receiver of data transmission, there may be three situations between the version of the key corresponding to the received encrypted data and the version of the key being used by the receiver. One possible situation is that the key corresponding to the received encrypted data is newer than the key being used by the recipient. Another possible situation is that the key corresponding to the received encrypted data is the same as the key being used by the recipient. The key version is the same. Another possible situation is that the key corresponding to the received encrypted data is older than the key being used by the receiver.
可以理解,本申请实施例中不同版本的密钥是由基准值经过不同处理次数的单向映射处理后生成的,因此密钥的版本与处理次数一一对应。数据传输的发送方为了让接收方确定解密数据对应的密钥版本,将加密数据对应的第一处理次数与加密数据一起发送给接收方。接收方在收到加密数据和第一处理次数后,将第一处理次数和本地存储的第二处理次数进行比较。其中,本地存储的第二处理次数为接收方正在使用的密钥对应的处理次数。It can be understood that the different versions of the keys in the embodiment of the present application are generated after the reference value has undergone one-way mapping processing with different processing times, so the version of the key corresponds to the processing times in a one-to-one manner. In order for the receiver to determine the key version corresponding to the decrypted data, the sender of the data transmission sends the first processing times corresponding to the encrypted data to the receiver together with the encrypted data. After receiving the encrypted data and the first processing count, the receiver compares the first processing count with the locally stored second processing count. Wherein, the second processing times stored locally is the processing times corresponding to the key being used by the receiver.
步骤S202,根据比较结果,判断是否能够对加密数据进行解密。Step S202: Determine whether the encrypted data can be decrypted according to the comparison result.
可以理解,第一处理次数和第二处理次数的大小关系决定了加密数据对应的密钥版本与接收方使用的密钥版本的新旧关系。It can be understood that the magnitude relationship between the first processing times and the second processing times determines the old and new relationship between the key version corresponding to the encrypted data and the key version used by the receiver.
对于上述的三种可能的情况,相应地,第一处理次数可能小于第二处理次数,也可能等于第二处理次数,还可能大于第二处理次数。For the above three possible situations, correspondingly, the first processing times may be less than the second processing times, may also be equal to the second processing times, or may be greater than the second processing times.
具体地,判断第一处理次数是否小于第二处理次数,基于前述说明可以知道,当第一处理次数小于第二处理次数时,说明接收到的加密数据对应的密钥比接收方正在使用的密钥新,接收方无法通过正在使用的密钥,推导加密数据对应的密钥,确定不能对加密数据进行解密。Specifically, it is determined whether the first processing number is less than the second processing number. Based on the foregoing description, it can be known that when the first processing number is less than the second processing number, it means that the key corresponding to the received encrypted data is greater than the encryption key being used by the receiver. If the key is new, the recipient cannot derive the key corresponding to the encrypted data through the key in use, and is sure that the encrypted data cannot be decrypted.
It should be noted in particular that, to prevent an old key from being obtained by an illegitimate third party, updating the key is the usual way to keep data transmission secure. If the receiver is an illegitimate third party that has not obtained the new version of the key, it cannot use the old key to decrypt the encrypted data, which keeps the data transmission secure.
Determine whether the first processing count is equal to the second processing count. When the two are equal, the key version corresponding to the encrypted data is the same as the version of the second key the receiver is using, so the locally stored second key can be used directly as the first key corresponding to the encrypted data to decrypt it.
Determine whether the first processing count is greater than the second processing count. As described above, when the first processing count is greater than the second processing count, the key corresponding to the received encrypted data is older than the key the receiver is using, and the receiver can derive the key corresponding to the encrypted data from the key in use. Specifically, the one-way mapping can be applied to the locally stored second key a third processing count of times to generate the first key corresponding to the encrypted data, where the third processing count is the difference between the first processing count and the second processing count.
It can be understood that the first key is generated by applying the one-way mapping to the reference value the first processing count of times, and the second key is generated by applying the one-way mapping to the reference value the second processing count of times. Therefore, applying the one-way mapping to the reference value the second processing count of times generates the second key, and then applying it to the second key the third processing count of times generates the first key.
Step S203: if so, determine the first key corresponding to the first processing count.
The first key can be generated by applying the one-way mapping to the reference value the first processing count of times.
It can be understood that, of the three cases above, when the first processing count is greater than or equal to the second processing count, the first key can be generated from the second key, or the second key can be used directly as the first key; the details are not repeated here.
Step S204: use the first key to decrypt the encrypted data.
It should be noted in particular that when the first processing count is greater than the second processing count, the first key is not saved after it has been used to decrypt the encrypted data; only the second key remains stored locally. If encrypted data corresponding to the first key is received again later, the first key is again generated from the locally stored second key to decrypt it.
In summary, the data decryption method proposed in the embodiment of this application includes: receiving encrypted data and a first processing count, and comparing the first processing count with a locally stored second processing count; determining, according to the comparison result, whether the encrypted data can be decrypted and, if so, determining the first key corresponding to the first processing count; and using the first key to decrypt the encrypted data. As a result, only the updated key needs to be stored locally: when encrypted data corresponding to an old key is received, the updated key is used to generate the old key, and the old key is then used to decrypt the encrypted data.
In addition, the one-way mapping step in the embodiment of this application may include processing with a hash algorithm, which performs a hash operation on the input content to generate a uniquely corresponding hash value.
Further, to enhance the reliability of the key in the embodiment of this application, one possible implementation is that the processing with the hash algorithm includes: concatenating the input of the one-way mapping with a local identifier, and using the concatenated result as the input of the hash algorithm.
It can be understood that symmetric and asymmetric encryption use a key and a key pair, respectively, to implement encryption and decryption. Based on the foregoing description of asymmetric encryption, when the two parties to the data transmission use asymmetric encryption, the first key is one key of an asymmetric key pair.
It should be noted in particular that the foregoing explanation of the embodiment of the key update method also applies to the data decryption method of the embodiment of this application, and is not repeated here.
For digital signature verification, an embodiment of this application proposes a digital signature verification method. FIG. 10 is a schematic flowchart of the digital signature verification method proposed in an embodiment of this application. As shown in FIG. 10, the method includes:
Step S301: receive a digital signature and a first processing count, and compare the first processing count with a locally stored second processing count.
Based on the foregoing description of encryption technology, symmetric encryption is not applicable to digital signature verification; that is, only asymmetric encryption can be used to verify a digital signature.
This is the reverse of the data decryption process described above. In data decryption, the receiver uses the receiver's private key to decrypt ciphertext that was encrypted with the receiver's public key; if decryption succeeds, the encrypted transmission of the data is complete. In digital signature verification, the receiver uses the sender's public key to decrypt ciphertext that was encrypted with the sender's private key; if decryption succeeds, the sender's digital signature has been verified.
Step S302: determine, according to the comparison result, whether the digital signature can be verified.
It can be understood that decryption first requires comparing the version of the key pair corresponding to the encrypted data with the version of the key pair the receiver is using. Correspondingly, digital signature verification first requires comparing the version of the key pair corresponding to the digital signature with the version of the key pair the receiver is using; that is, comparing the processing count corresponding to the key pair used for the digital signature with the processing count corresponding to the key pair the receiver is using.
Specifically, determine whether the first processing count is less than the second processing count. As described above, when the first processing count is less than the second processing count, the key pair corresponding to the received digital signature is newer than the key pair the receiver is using; the receiver cannot derive the key pair corresponding to the digital signature from the key pair in use, and it is determined that the digital signature cannot be verified.
Determine whether the first processing count is equal to the second processing count. When the two are equal, the key version corresponding to the digital signature is the same as the version of the second key pair the receiver is using, so the locally stored second key pair can be used directly as the first key pair corresponding to the digital signature to verify it.
Determine whether the first processing count is greater than the second processing count. As described above, when the first processing count is greater than the second processing count, the key pair corresponding to the received digital signature is older than the key pair the receiver is using, and the receiver can derive the key pair corresponding to the digital signature from the key pair in use. Specifically, the one-way mapping can be applied to the second key of the locally stored second key pair a third processing count of times to generate the first key, where the third processing count is the difference between the first processing count and the second processing count. The first key pair is then generated from the first key.
It can be understood that the first key is generated by applying the one-way mapping to the reference value the first processing count of times, and the second key is generated by applying the one-way mapping to the reference value the second processing count of times. Therefore, applying the one-way mapping to the reference value the second processing count of times generates the second key, and then applying it to the second key the third processing count of times generates the first key.
Step S303: if so, determine the first key pair corresponding to the first processing count.
The first key pair is an asymmetric key pair that includes the first key, and the first key can be generated by applying the one-way mapping to the reference value the first processing count of times.
Based on the foregoing description, only asymmetric encryption can be used to verify a digital signature, so the first key pair provided in the embodiment of this application is an asymmetric key pair.
Step S304: use the first key pair to verify the digital signature.
It should be noted in particular that when the first processing count is greater than the second processing count, the first key pair is not saved after it has been used to verify the digital signature; only the second key pair remains stored locally. If a digital signature corresponding to the first key pair is received again later, the first key pair is again generated from the locally stored second key pair to verify it.
In summary, the digital signature verification method proposed in the embodiment of this application includes: receiving a digital signature and a first processing count, and comparing the first processing count with a locally stored second processing count; determining, according to the comparison result, whether the digital signature can be verified and, if so, determining the first key pair corresponding to the first processing count, where the first key pair is an asymmetric key pair that includes the first key; and using the first key pair to verify the digital signature. As a result, only the updated key pair needs to be stored locally: when a digital signature corresponding to an old key pair is received, the updated key pair is used to generate the old key pair, and the old key pair is then used to verify the digital signature.
In addition, the one-way mapping step in the embodiment of this application may include processing with a hash algorithm, which performs a hash operation on the input content to generate a uniquely corresponding hash value.
Further, to enhance the reliability of the key pair in the embodiment of this application, one possible implementation is that the processing with the hash algorithm includes: concatenating the input of the one-way mapping with a local identifier, and using the concatenated result as the input of the hash algorithm.
It should be noted in particular that the foregoing explanation of the embodiment of the key update method also applies to the data decryption method of the embodiment of this application, and is not repeated here.
To clearly illustrate the key update method, data decryption method and digital signature verification method provided by the embodiments of this application, an example is given below.
In a distributed IoT scenario, when an application on a terminal such as a mobile phone (for example, a home application) is initially bound to other devices (for example, household devices), the application key pair must be transmitted to the device. When sending a message (for example, transmitting a command), the private key can be used to digitally sign the session so that the communication peer can authenticate the legitimacy of the session key. When the terminal application needs to update its key pair for any reason (for example, a periodic update), all bound devices need to re-authenticate the legitimacy of its new key.
For a terminal and other devices that have already established initial trust, the terminal application can update its key with the key update method provided by the embodiments of this application, and the updated key is compatible with digital signatures made with every old version of the key. The data transmission peer can also authenticate the terminal application's new key on the basis of the old version key it has already authenticated, without binding again.
FIG. 11a is a schematic structural diagram of a terminal application generating keys of different versions, provided by an embodiment of this application. FIG. 11b is a schematic flowchart of the key generation module generating keys of different versions. FIG. 12a is a schematic structural diagram of the terminal application generating an updated key. FIG. 12b is a schematic flowchart of the key generation module generating an updated key. FIG. 13 is a schematic structural diagram of the terminal application performing encryption/decryption and digital signature verification. FIG. 14 is a schematic structural diagram of the household device performing key verification. The specific implementation is as follows:
(1) As shown in FIG. 11a and FIG. 11b, the terminal application first requests the key generation module to generate version key pairs (taking an RSA key pair as an example). The module generates a series of version keys, and the application obtains the version key pair (n_100, d_100) and version number 100; that is, the key pair with version number 100 is enabled first.
(2) The terminal application performs the initial binding with the household device. The household device obtains and authenticates the public key n_100 and version number 100, and uses n_100 to verify the terminal application's signature.
(3) As shown in FIG. 12a and FIG. 12b, when the terminal application periodically updates its key pair, it passes the updated version number 99 to the key generation module and obtains the updated key pair (n_99, d_99) and version number 99.
(4) As shown in FIG. 13, for data that the household device encrypted with the old version key n_100, the terminal application can generate (n_100, d_100) based on the current version key n_99 and decrypt the data.
(5) As shown in FIG. 14, when the terminal application publishes the new version public key n_99 and version number 99 to the household device, the household device can call the key verification module, compute the one-way mapping of the new version key n_99, and compare the result with the locally saved old version public key n_100, thereby authenticating the integrity of n_99.
In the above example, after a key update the terminal application can derive old version keys by itself from the new version key, so it remains compatible with data processed with old version keys, which reduces the complexity of key management.
The household device can authenticate the legitimacy of the new version key based on the locally stored old version key, without binding to the terminal application again.
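The count comparison used for decryption and the new-key check in step (5) can be sketched as follows. This is an added example, not code from the patent: SHA-256 as the one-way mapping, keys treated as raw hash-chain values (no RSA key pair is built), a local identifier known to both sides, and all function names and sample values are assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def one_way(value: bytes, local_id: bytes, times: int) -> bytes:
    """Apply the one-way mapping `times` times.

    Assumption: the mapping is SHA-256 over (input || local identifier),
    following the concatenation variant described in the text.
    """
    if times < 0:
        raise ValueError("a one-way mapping cannot be run backwards")
    for _ in range(times):
        value = hashlib.sha256(value + local_id).digest()
    return value


def key_for_count(base: bytes, local_id: bytes, count: int) -> bytes:
    """Key for a given processing count, generated from the reference value."""
    if count < 1:
        raise ValueError("count 0 would expose the reference value itself")
    return one_way(base, local_id, count)


def update_key(base: bytes, local_id: bytes, current: int) -> Tuple[int, bytes]:
    """Key update: the new key uses a SMALLER count (difference of one)."""
    new_count = current - 1
    return new_count, key_for_count(base, local_id, new_count)


def resolve_key(first_count: int, second_count: int,
                second_key: bytes, local_id: bytes) -> Optional[bytes]:
    """Receiver side: find the key for a message tagged with first_count.

    second_count / second_key are the only values stored locally.
    """
    if first_count < second_count:
        # Message key is newer than ours: it cannot be derived, so refuse.
        return None
    # Equal counts give zero iterations (the stored key itself); a larger
    # first_count means an older key, reached by hashing forward.
    return one_way(second_key, local_id, first_count - second_count)


def authenticate_new_key(new_key: bytes, new_count: int,
                         stored_key: bytes, stored_count: int,
                         local_id: bytes) -> bool:
    """Peer side: accept a published new key only if it hashes forward to
    the old key that was authenticated at binding time."""
    if new_count >= stored_count:
        return False  # not an update; updates always lower the count
    candidate = one_way(new_key, local_id, stored_count - new_count)
    return hmac.compare_digest(candidate, stored_key)


def demo() -> dict:
    # Constructed sample values, not taken from the patent.
    base = hashlib.sha256(b"constructed reference value").digest()
    local_id = b"constructed-local-id"

    k100 = key_for_count(base, local_id, 100)        # version 100 enabled first
    count, k99 = update_key(base, local_id, 100)     # update to version 99

    return {
        "count": count,
        "old_from_new": resolve_key(100, count, k99, local_id) == k100,
        "same_version": resolve_key(99, count, k99, local_id) == k99,
        "newer_refused": resolve_key(98, count, k99, local_id) is None,
        "peer_accepts": authenticate_new_key(k99, 99, k100, 100, local_id),
        "peer_rejects_forgery": not authenticate_new_key(
            b"\x00" * 32, 99, k100, 100, local_id),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the chain only runs forward, a holder of the version-100 key learns nothing about version 99, while the holder of version 99 can recompute every older version on demand instead of storing it.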
To implement the foregoing embodiments, an embodiment of this application also proposes a terminal. FIG. 15 is a schematic structural diagram of a terminal provided by an embodiment of this application. As shown in FIG. 15, the terminal includes: a first receiving module 410, an obtaining module 420, a first processing module 430, and a replacement module 440.
The first receiving module 410 is configured to receive a key update instruction.
The obtaining module 420 is configured to obtain the locally stored first key and reference value.
The first key is generated by applying the one-way mapping to the reference value the first processing count of times.
The first processing module 430 is configured to apply the one-way mapping to the reference value the second processing count of times to generate a second key.
The second processing count is less than the first processing count.
The replacement module 440 is configured to replace the first key with the second key.
Further, so that the version number of the key corresponds to the number of one-way mapping operations, one possible implementation is that the difference between the first processing count and the second processing count is one.
Further, to ensure the uniqueness of the one-way mapping result, one possible implementation is that the first processing module 430 is specifically configured to process the reference value with a hash algorithm the second processing count of times.
Further, to enhance the reliability of the key in the embodiment of this application, one possible implementation is that the first processing module 430 includes: a concatenation sub-module 431, configured to concatenate the input of the first processing module 430 with a local identifier; and a first setting sub-module 432, configured to use the concatenated result as the input of the hash algorithm.
Further, so that the terminal provided by the embodiment of this application can be used for asymmetric encryption/decryption and digital signature verification, the first key is one key of an asymmetric key pair.
Further, to avoid storage risk for the reference value, one possible implementation is that the reference value is obtained in any one of the following ways: read from a hardware area of the device, issued by a cloud server, or entered from outside.
It should be noted that the foregoing explanation of the embodiment of the key update method also applies to the terminal of the embodiment of this application, and is not repeated here.
In summary, the terminal provided by the embodiment of this application, when updating a key, receives a key update instruction and obtains the locally stored first key and reference value, where the first key is generated by applying the one-way mapping to the reference value the first processing count of times. It applies the one-way mapping to the reference value the second processing count of times to generate a second key, where the second processing count is less than the first processing count, and replaces the first key with the second key. The key is thereby updated, and the old key can be derived in one direction from the current key. Old keys do not need to be stored, which saves resources on the data transmitting side, and there is no need to worry about an old key being lost; the current key cannot be derived from an old key. After the new key sent by the data transmission peer is received, no third party is needed to verify its legitimacy.
To implement the foregoing embodiments, an embodiment of this application also proposes another terminal. FIG. 16 is a schematic structural diagram of another terminal proposed in an embodiment of this application. As shown in FIG. 16, the terminal includes: a second receiving module 510, a first comparison module 520, a first judgment module 530, a first determining module 540, and a decryption module 550.
The second receiving module 510 is configured to receive encrypted data and a first processing count.
The first comparison module 520 is configured to compare the first processing count with the locally stored second processing count.
The first judgment module 530 is configured to determine, according to the comparison result, whether the encrypted data can be decrypted.
The first determining module 540 is configured to determine the first key corresponding to the first processing count when the first judgment module 530 determines that the encrypted data can be decrypted.
The first key can be generated by applying the one-way mapping to the reference value the first processing count of times.
The decryption module 550 is configured to decrypt the encrypted data using the first key.
Further, to compare the first processing count and the second processing count, one possible implementation is that the first judgment module 530 includes: a first judgment sub-module 531, configured to determine whether the first processing count is less than the second processing count; and a first determining sub-module 532, configured to determine that the encrypted data cannot be decrypted when the first judgment sub-module 531 determines that the first processing count is less than the second processing count.
Further, to compare the first processing count and the second processing count, one possible implementation is that the first judgment module 530 includes: a second judgment sub-module 533, configured to determine whether the first processing count is equal to the second processing count; and a second setting sub-module 534, configured to use the locally stored second key as the first key when the second judgment sub-module 533 determines that the first processing count is equal to the second processing count.
Further, to compare the first processing count and the second processing count, one possible implementation is that the first judgment module 530 includes: a third judgment sub-module 535, configured to determine whether the first processing count is greater than the second processing count; and a first processing sub-module 536, configured to apply the one-way mapping to the locally stored second key a third processing count of times to generate the first key when the third judgment sub-module 535 determines that the first processing count is greater than the second processing count. The third processing count is the difference between the first processing count and the second processing count.
Further, to ensure the uniqueness of the one-way mapping result, one possible implementation is that the first processing sub-module 536 is specifically configured to process the reference value with a hash algorithm the third processing count of times.
Further, to enhance the reliability of the key in the embodiment of this application, one possible implementation is that the first processing sub-module 536 includes: a first concatenation unit 536a, configured to concatenate the input of the one-way mapping with a local identifier; and a first setting unit 536b, configured to use the concatenated result as the input of the hash algorithm.
Further, so that the terminal provided in the embodiment of this application can perform asymmetric encryption/decryption, one possible implementation is that the first key is one key of an asymmetric key pair.
Further, to avoid storage risk for the reference value, one possible implementation is that the reference value is obtained in any one of the following ways: read from a hardware area of the device, issued by a cloud server, or entered from outside.
It should be noted that the foregoing explanation of the embodiment of the data decryption method also applies to the terminal of the embodiment of this application, and is not repeated here.
In summary, the terminal proposed in the embodiment of this application, when decrypting data, receives encrypted data and a first processing count, and compares the first processing count with the locally stored second processing count. According to the comparison result, it determines whether the encrypted data can be decrypted and, if so, determines the first key corresponding to the first processing count, where the first key is generated by applying the one-way mapping to the reference value the first processing count of times. It then uses the first key to decrypt the encrypted data. As a result, only the updated key needs to be stored locally: when encrypted data corresponding to an old key is received, the updated key is used to generate the old key, and the old key is then used to decrypt the encrypted data.
To implement the foregoing embodiments, an embodiment of this application also proposes yet another terminal. FIG. 17 is a schematic structural diagram of yet another terminal proposed in an embodiment of this application. As shown in FIG. 17, the terminal includes: a third receiving module 610, a second comparison module 620, a second judgment module 630, a second determining module 640, and a verification module 650.
The third receiving module 610 is configured to receive a digital signature and a first processing count.
The second comparison module 620 is configured to compare the first processing count with the locally stored second processing count.
The second judgment module 630 is configured to determine, according to the comparison result, whether the digital signature can be verified.
The second determining module 640 is configured to determine the first key pair corresponding to the first processing count when the second judgment module 630 determines that the digital signature can be verified.
The first key pair is an asymmetric key pair that includes the first key, and the first key can be generated by applying the one-way mapping to the reference value the first processing count of times.
The verification module 650 is configured to verify the digital signature using the first key pair.
Further, to compare the first processing count with the second processing count, in one possible implementation the second judgment module 630 includes: a fourth judgment sub-module 631, configured to judge whether the first processing count is less than the second processing count; and a second determining sub-module 632, configured to determine that the digital signature cannot be verified when the fourth judgment sub-module 631 determines that the first processing count is less than the second processing count.
Further, to compare the first processing count with the second processing count, in one possible implementation the second judgment module 630 includes: a fifth judgment sub-module 633, configured to judge whether the first processing count is equal to the second processing count; and a third setting sub-module 634, configured to use the locally stored second key pair as the first key pair when the fifth judgment sub-module 633 determines that the first processing count is equal to the second processing count.
Further, to compare the first processing count with the second processing count, in one possible implementation the second judgment module 630 includes: a sixth judgment sub-module 635, configured to judge whether the first processing count is greater than the second processing count; a second processing sub-module 636, configured to, when the sixth judgment sub-module 635 determines that the first processing count is greater than the second processing count, subject the second key in the locally stored second key pair to one-way mapping processing a number of times equal to a third processing count, so as to generate the first key, where the third processing count is the difference between the first processing count and the second processing count; and a generation sub-module 637, configured to generate the first key pair from the first key.
Further, to ensure that the result of the one-way mapping processing is unique, in one possible implementation the second processing sub-module 636 is specifically configured to process the reference value the third processing count number of times using a hash algorithm.
Further, to strengthen the reliability of the key in the embodiments of the present application, in one possible implementation the second processing sub-module 636 includes: a second concatenation unit 636a, configured to concatenate the input of the one-way mapping processing with a local identifier; and a second setting unit 636b, configured to use the concatenated result as the input of the hash algorithm.
Further, to avoid the risk of storing the reference value, in one possible implementation the reference value is obtained in any one of the following ways: read from a hardware area of the device, delivered by a cloud server, or entered from outside.
It should be noted that the foregoing explanation of the embodiments of the digital signature verification method also applies to the terminal of this embodiment and is not repeated here.
In summary, when verifying a digital signature, the terminal proposed in the embodiments of the present application receives the digital signature and the first processing count, and compares the first processing count with the locally stored second processing count. According to the comparison result, it judges whether the digital signature can be verified. If so, it determines the first key pair corresponding to the first processing count. The first key pair is an asymmetric key pair and includes the first key, which is generated by subjecting the reference value to one-way mapping processing a number of times equal to the first processing count. The digital signature is verified using the first key pair. As a result, only the updated key pair needs to be stored locally: when a digital signature corresponding to an old key pair is received, the old key pair is generated from the updated key pair and then used to verify the digital signature.
FIG. 18 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
To implement the foregoing embodiments, an embodiment of the present application further provides an electronic device which, as shown in FIG. 18, includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When executing the computer program, the processor performs the following steps:
Step S101: receive a key update instruction.
From the foregoing description of encryption technology, a key in use can be updated periodically, or updated when the key is found to have leaked or to be at risk of leaking, in order to keep the key secure.
Step S102: obtain the locally stored first key and the reference value.
The first key is generated by subjecting the reference value to one-way mapping processing a number of times equal to the first processing count. A one-way mapping is an irreversible mapping: for example, A yields B through a one-way mapping, but B cannot be restored to A. Therefore, subjecting the reference value to one-way mapping processing the first processing count number of times yields the first key, but the first key cannot be reversed.
It should be noted that in the key update method of the embodiments of the present application, the data transmission party stores the key currently in use, namely the first key.
Because every version of a data transmission party's key is generated from the reference value, different data transmission parties must not have the same reference value, so that the keys they generate differ. In addition, to prevent key leakage, the reference value used to generate the keys should also be kept secret.
In a first possible implementation, the data transmission party uses its own hardware key as the reference value. The hardware key is stored in the hardware area of the data transmission party, which is secure and reliable.
In a second possible implementation, when the data transmission party registers with a cloud server, the cloud server generates a corresponding reference value from the hardware information of the data transmission party, and the reference value is stored on the cloud server. The cloud server delivers the reference value to the data transmission party in a secure manner, so that the data transmission party does not store the reference value directly.
In a third possible implementation, the user manually enters a user password as the reference value, so that the data transmission party does not store the reference value directly.
In the second and third possible implementations, the data transmission party does not store the reference value. Each time the reference value is needed, it is generated by accessing the cloud server or by prompting the user to enter the user password.
Step S103: subject the reference value to one-way mapping processing a number of times equal to the second processing count, to generate a second key.
The second processing count is less than the first processing count.
The second key is the updated key. In the key update method provided by the embodiments of the present application, the first key and the second key are generated in a similar way, both by applying the one-way mapping to the reference value multiple times, but the second processing count corresponding to the second key is less than the first processing count of the first key. From the foregoing description of one-way mapping, applying the one-way mapping to the second key a preset number of times yields the first key, but the second key cannot be generated from the first key.
In other words, the embodiments of the present application can generate the pre-update key from the updated key, but cannot generate the updated key from the pre-update key. This prevents a third party from deriving the updated key from an old key that has already leaked.
Step S104: replace the first key with the second key.
After the updated key is generated, the current key needs to be replaced to complete the key update, and the old key does not need to be stored.
In addition, during data transmission the sender and the receiver need to update the key in step. In existing key update methods, one party to the data transmission usually completes the key update and then sends the updated key to the other party to synchronize the key. However, when the updated key is transmitted to the other party, there is a risk that the data is lost or tampered with, so a trusted third party must be relied on to check the updated key.
By contrast, after receiving the second key and the corresponding second processing count sent by the data transmission peer, the electronic device provided by the embodiments of the present application first compares the second processing count with the first processing count.
If the second processing count is greater than or equal to the first processing count, the second key sent by the peer is an old key. The second key does not need to be authenticated, and the locally stored first key does not need to be updated.
If the second processing count is less than the first processing count, the second key can be subjected to one-way mapping processing a number of times equal to a third processing count, and the result is checked against the locally stored first key on a fixed field. If the check passes, the locally stored first key is replaced with the second key. The third processing count is the difference between the first processing count and the second processing count.
In summary, when updating a key, the electronic device provided by the embodiments of the present application receives a key update instruction and obtains the locally stored first key and the reference value. The first key is generated by subjecting the reference value to one-way mapping processing a number of times equal to the first processing count. The reference value is subjected to one-way mapping processing a number of times equal to the second processing count to generate the second key, where the second processing count is less than the first processing count. The first key is replaced with the second key. The key is thereby updated, and old keys can be derived in one direction from the current key. Old keys do not need to be stored, which saves resources on the data transmission party, and there is no need to worry about an old key being lost; the current key cannot be derived from an old key. After a new key sent by the data transmission peer is received, no third party is needed to verify the legitimacy of the new key.
Further, to make the version number of a key correspond to its one-way mapping processing count, in one possible implementation the difference between the first processing count and the second processing count is one. The first processing count and the second processing count are the processing counts of the pre-update first key and the updated second key in a single key update, and the pre-update first key and the updated second key differ by one version. Therefore, when the difference between the first processing count and the second processing count is one, the first processing count can be used to identify the version of the first key and the second processing count can be used to identify the version of the second key.
Note that the second processing count is less than the first processing count, so the version identifier of the updated second key is numerically smaller than the version identifier of the pre-update first key. In other words, the newer the generated key, the smaller its processing count and the smaller its version identifier.
In addition, the one-way mapping processing performed by the electronic device in the embodiments of the present application may include processing with a hash algorithm, which performs a hash operation on the input content to generate a uniquely corresponding hash value.
When the first key is generated, the reference value is hashed the first processing count number of times (for example, 6 times), and the resulting hash value is used as the first key.
When the first key is updated, the reference value is hashed the second processing count number of times (for example, 5 times), and the resulting hash value is used as the second key. Replacing the first key with the second key completes the update of the first key.
The first key is generated from the reference value by 6 hash operations. While the first key is being generated, the hash value obtained after 5 hash operations on the reference value is identical to the second key, and one more hash operation yields the first key. Therefore, one hash operation on the second key generates the first key. After the first key has been updated, the data transmission party can generate the first key directly from the second key. Conversely, because hash algorithms are hard to invert, the data transmission party cannot generate the second key directly from the first key.
It should be particularly noted that the hash algorithm in the embodiments of the present application may be any known hash algorithm such as SHA-256 or SHA-512, and the embodiments of the present application do not limit this.
Further, to strengthen the reliability of the key in the embodiments of the present application, in one possible implementation the processing with a hash algorithm by the electronic device includes: concatenating the input of the one-way mapping processing with a local identifier, and using the concatenated result as the input of the hash algorithm.
The local identifier is the unique identifier of the data transmission party and never changes. That is, in each round of one-way mapping processing, the input of the one-way mapping is first concatenated with the local identifier, and the concatenated result is then fed into the hash algorithm. Specifically, the local identifier may be the hardware identifier of the data transmission party, the application identifier of the software application that performs the data transmission, or a manually set identifier, and the embodiments of the present application do not limit this.
As a result, the input of each hash operation is the input of the previous hash operation concatenated with the fixed identifier, which increases the complexity of the hash algorithm and thereby improves the security of the generated key.
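The key update of steps S101 to S104 and the check of a key sent by the peer, as an added example that is not code from the patent. SHA-256 is one of the hash algorithms the text names; the reference value, the local identifier and all class and function names are constructed for illustration, both parties are assumed to share the same chain, and the "fixed field" check is taken here to be a comparison of the whole derived value.

```python
import hashlib
import hmac

LOCAL_ID = b"device-0001"               # constructed local identifier (assumption)
BASE_VALUE = b"constructed-base-value"  # constructed reference value (assumption)


def one_way_step(value: bytes, local_id: bytes = LOCAL_ID) -> bytes:
    """One round of the one-way mapping: SHA-256 over input || local identifier."""
    return hashlib.sha256(value + local_id).digest()


def derive(value: bytes, rounds: int, local_id: bytes = LOCAL_ID) -> bytes:
    """Apply the one-way mapping `rounds` times."""
    if rounds < 0:
        raise ValueError("rounds must be non-negative")
    for _ in range(rounds):
        value = one_way_step(value, local_id)
    return value


class KeyHolder:
    """Stores only the current key and its processing count (hypothetical class)."""

    def __init__(self, base_value: bytes, count: int):
        self.count = count
        self.key = derive(base_value, count)

    def update(self, base_value: bytes, new_count=None) -> None:
        """Steps S101-S104: derive the key for a smaller count, replace the current key."""
        if new_count is None:
            new_count = self.count - 1  # difference of one, so the count doubles as a version
        # Assumption of this example: the count stays >= 1, so the reference
        # value itself is never used as a key.
        if not 1 <= new_count < self.count:
            raise ValueError("new count must be at least 1 and below the current count")
        self.key = derive(base_value, new_count)
        self.count = new_count

    def accept_peer_key(self, peer_key: bytes, peer_count: int) -> bool:
        """Accept a key sent by the peer only if hashing it forward reproduces ours."""
        if peer_count < 1 or peer_count >= self.count:
            return False  # malformed, or an old/same key: nothing to update
        candidate = derive(peer_key, self.count - peer_count)
        if not hmac.compare_digest(candidate, self.key):
            return False  # not on our chain: possibly tampered in transit
        self.key, self.count = peer_key, peer_count
        return True


def demo():
    a = KeyHolder(BASE_VALUE, 6)
    b = KeyHolder(BASE_VALUE, 6)
    old_key = a.key
    a.update(BASE_VALUE)                            # count 6 -> 5
    forward_ok = one_way_step(a.key) == old_key     # new key hashes forward to the old key
    accepted = b.accept_peer_key(a.key, a.count)    # genuine update is accepted
    forged = b.accept_peer_key(b"\x00" * 32, 3)     # value not on the chain is rejected
    return a.count, forward_ok, accepted, b.count, forged


if __name__ == "__main__":
    print(demo())
```

The receiver needs no third party to validate the new key because a value that does not hash forward to the stored key is rejected, while the stored key alone gives no way to compute a valid newer one.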
From the foregoing description of the related art, in symmetric encryption the sender and the receiver of a data transmission use the same key. When the key is updated, only the pre-update first key needs to be replaced with the updated second key.
In asymmetric key technology, the sender and the receiver of a data transmission use a key pair. When the key is updated, both the private key and the public key of the key pair need to be updated.
In the embodiments of the present application, one possible implementation uses the first key as the private key and a third key that matches the first key as the public key, so that the first key and the third key form an asymmetric key pair. To generate this asymmetric key pair, the reference value is subjected to one-way mapping the first processing count number of times to generate the first key, and the third key is then computed from the first key, which yields the asymmetric key pair.
Another possible implementation uses the first key as the public key and a third key that matches the first key as the private key, so that the first key and the third key form an asymmetric key pair. To generate this asymmetric key pair, the reference value is subjected to one-way mapping the first processing count number of times to generate the first key, and the third key is then computed from the first key, which yields the asymmetric key pair.
To implement the foregoing embodiments, an embodiment of the present application further provides an electronic device which, as shown in FIG. 18, includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When executing the computer program, the processor performs the following steps:
Step S201: receive encrypted data and a first processing count, and compare the first processing count with a locally stored second processing count.
It should be noted that, for the electronic device provided by the foregoing embodiments of the present application, in actual use the two parties to a data transmission may not have synchronized their key versions in time. That is, for the receiver of the data transmission, there are three possible relationships between the version of the key corresponding to the received encrypted data and the version of the key the receiver is using. The key corresponding to the received encrypted data may be newer than the key the receiver is using, it may be the same version as the key the receiver is using, or it may be older than the key the receiver is using.
In the embodiments of the present application, different versions of the key are generated by subjecting the reference value to one-way mapping processing different numbers of times, so key versions and processing counts correspond one to one. So that the receiver can determine the key version corresponding to the data to be decrypted, the sender transmits the first processing count corresponding to the encrypted data to the receiver together with the encrypted data. After receiving the encrypted data and the first processing count, the receiver compares the first processing count with the locally stored second processing count. The locally stored second processing count is the processing count corresponding to the key the receiver is using.
Step S202: according to the comparison result, judge whether the encrypted data can be decrypted.
The relationship between the first processing count and the second processing count determines whether the key version corresponding to the encrypted data is newer or older than the key version used by the receiver.
Corresponding to the three possible cases above, the first processing count may be less than, equal to, or greater than the second processing count.
Specifically, it is judged whether the first processing count is less than the second processing count. From the foregoing description, when the first processing count is less than the second processing count, the key corresponding to the received encrypted data is newer than the key the receiver is using. The receiver cannot derive the key corresponding to the encrypted data from the key it is using, so it is determined that the encrypted data cannot be decrypted.
It should be particularly noted that, to guard against an old key being obtained by a malicious third party, updating the key is the usual way to keep data transmission secure. If the receiver is a malicious third party and has not obtained the new version of the key, it cannot use the old key to decrypt the encrypted data, which keeps the data transmission secure.
It is judged whether the first processing count is equal to the second processing count. When the first processing count is equal to the second processing count, the key version corresponding to the encrypted data is the same as the version of the second key the receiver is using, so the locally stored second key can be used directly as the first key corresponding to the encrypted data to decrypt the encrypted data.
It is judged whether the first processing count is greater than the second processing count. From the foregoing description, when the first processing count is greater than the second processing count, the key corresponding to the received encrypted data is older than the key the receiver is using, and the receiver can derive the key corresponding to the encrypted data from the key it is using. Specifically, the locally stored second key can be subjected to one-way mapping processing a number of times equal to a third processing count to generate the first key corresponding to the encrypted data. The third processing count is the difference between the first processing count and the second processing count.
The first key is generated by subjecting the reference value to one-way mapping processing the first processing count number of times, and the second key is generated by subjecting the reference value to one-way mapping processing the second processing count number of times. Therefore, subjecting the reference value to one-way mapping processing the second processing count number of times generates the second key, and then subjecting the second key to one-way mapping processing the third processing count number of times generates the first key.
Step S203: if so, determine the first key corresponding to the first processing count.
The first key may be generated by subjecting the reference value to one-way mapping processing a number of times equal to the first processing count.
In the three cases above, when the first processing count is greater than or equal to the second processing count, the first key can be generated from the second key, or the second key can be used directly as the first key. This is not repeated here.
Step S204: decrypt the encrypted data using the first key.
It should be particularly noted that when the first processing count is greater than the second processing count, the first key is not saved after it has been used to decrypt the encrypted data; only the second key is stored locally. If encrypted data corresponding to the first key is received again later, the first key is again generated from the locally stored second key to decrypt that data.
In summary, when decrypting data, the electronic device proposed in the embodiments of the present application receives the encrypted data and the first processing count, and compares the first processing count with the locally stored second processing count. According to the comparison result, it judges whether the encrypted data can be decrypted; if so, it determines the first key corresponding to the first processing count and decrypts the encrypted data using the first key. As a result, only the updated key needs to be stored locally: when encrypted data corresponding to an old key is received, the old key is generated from the updated key and then used to decrypt the encrypted data.
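The receiver-side count comparison of steps S201 to S204, as an added example that is not code from the patent. The function names, the constructed sample values, the MAX_GAP bound on forward derivation and the SHA-256 keystream used as a stand-in cipher are assumptions of this example; the page does not specify a cipher or such a bound.

```python
import hashlib

LOCAL_ID = b"device-0001"               # constructed local identifier (assumption)
BASE_VALUE = b"constructed-base-value"  # constructed reference value (assumption)
# Assumption, not in the patent: cap the third processing count so that a
# sender-supplied count cannot force an unbounded number of hash rounds.
MAX_GAP = 1024


def one_way_step(value: bytes) -> bytes:
    """One round of the one-way mapping: SHA-256 over input || local identifier."""
    return hashlib.sha256(value + LOCAL_ID).digest()


def key_at(count: int) -> bytes:
    """Sender side: key for a processing count, derived from the reference value."""
    key = BASE_VALUE
    for _ in range(count):
        key = one_way_step(key)
    return key


def resolve_key(first_count: int, second_count: int, second_key: bytes):
    """Steps S202/S203: return the key for first_count, or None if it cannot be derived."""
    if first_count < second_count:
        return None                      # data was encrypted with a newer key
    gap = first_count - second_count     # the third processing count
    if gap > MAX_GAP:
        return None
    key = second_key                     # gap == 0: the local key is the first key
    for _ in range(gap):
        key = one_way_step(key)          # gap > 0: hash forward to the older key
    return key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher so the example runs with the standard library only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def receive(ciphertext: bytes, first_count: int, second_count: int, second_key: bytes):
    """Step S204: decrypt with the resolved key; the derived key is not persisted."""
    key = resolve_key(first_count, second_count, second_key)
    if key is None:
        return None
    return keystream_xor(key, ciphertext)


def demo():
    """Receiver holds the key for count 5; senders use counts 6 (older), 5 and 4 (newer)."""
    second_count, second_key = 5, key_at(5)
    results = {}
    for first_count in (6, 5, 4):
        ciphertext = keystream_xor(key_at(first_count), b"constructed message")
        results[first_count] = receive(ciphertext, first_count, second_count, second_key)
    return results


if __name__ == "__main__":
    print(demo())
```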
In addition, the one-way mapping processing performed by the electronic device in the embodiments of the present application may include processing with a hash algorithm, which performs a hash operation on the input content to generate a uniquely corresponding hash value.
Further, to strengthen the reliability of the key in the embodiments of the present application, in one possible implementation the processing with a hash algorithm by the electronic device includes: concatenating the input of the one-way mapping processing with a local identifier, and using the concatenated result as the input of the hash algorithm.
In symmetric encryption and asymmetric encryption, a key and a key pair, respectively, are used to implement encryption and decryption. From the foregoing description of asymmetric encryption, when the two parties to a data transmission use asymmetric encryption, the first key is one key of the asymmetric key pair.
It should be particularly noted that the foregoing explanation of key updating by the electronic device also applies to data decryption by the electronic device, and is not repeated here.
为了实现上述实施例,本申请实施例还提出了一种电子设备,如图18所示,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述计算机程序时,执行以下步骤:In order to implement the above-mentioned embodiment, the embodiment of the present application also proposes an electronic device, as shown in FIG. 18, comprising: a memory, a processor, and a computer program stored in the memory and running on the processor. The processor When executing the computer program, perform the following steps:
Step S301: receive a digital signature and a first processing count, and compare the first processing count with a locally stored second processing count.
Based on the foregoing description of encryption technology, symmetric encryption is not applicable to the verification of digital signatures; that is, only asymmetric encryption can be used for digital signature verification.
This is the reverse of the data decryption process described above. In data decryption, the receiver uses the receiver's private key to decrypt ciphertext encrypted with the receiver's public key, and successful decryption completes the encrypted transmission of the data. In digital signature verification, the receiver uses the sender's public key to decrypt ciphertext encrypted with the sender's private key, and successful decryption completes the verification of the sender's digital signature.
Step S302: determine, according to the comparison result, whether the digital signature can be verified.
It can be understood that the decryption process first compares the version of the key pair corresponding to the encrypted data with the version of the key pair used by the receiver. Correspondingly, the digital signature verification process first compares the version of the key pair corresponding to the digital signature with the version of the key pair used by the receiver, that is, it compares the processing count corresponding to the key pair used for the digital signature with the processing count corresponding to the key pair the receiver is currently using.
Specifically, it is determined whether the first processing count is less than the second processing count. Based on the foregoing description, when the first processing count is less than the second processing count, the key pair corresponding to the received digital signature is newer than the key pair the receiver is currently using. The receiver cannot derive the key pair corresponding to the digital signature from the key pair in use, so it is determined that the digital signature cannot be verified.
It is determined whether the first processing count is equal to the second processing count. It can be understood that when the first processing count is equal to the second processing count, the version of the key corresponding to the digital signature is the same as the version of the second key pair the receiver is currently using, and the locally stored second key pair can be used directly as the first key pair corresponding to the digital signature to verify the digital signature.
It is determined whether the first processing count is greater than the second processing count. Based on the foregoing description, when the first processing count is greater than the second processing count, the key pair corresponding to the received digital signature is older than the key pair the receiver is currently using, and the receiver can derive the key pair corresponding to the digital signature from the key pair in use. Specifically, the one-way mapping processing may be performed on the second key of the locally stored second key pair a third processing count of times to generate the first key, where the third processing count is the difference between the first processing count and the second processing count. The first key pair is then generated from the first key.
It can be understood that the first key is generated by performing the one-way mapping processing on the reference value the first processing count of times, and the second key is generated by performing the one-way mapping processing on the reference value the second processing count of times. Therefore, performing the one-way mapping processing on the reference value the second processing count of times yields the second key, and then performing the one-way mapping processing on the second key the third processing count of times yields the first key.
Step S303: if so, determine the first key pair corresponding to the first processing count.
The first key pair is an asymmetric key pair and includes the first key. The first key may be generated by performing the one-way mapping processing on the reference value the first processing count of times.
Based on the foregoing description, only asymmetric encryption can be used for digital signature verification, so the first key pair provided in the embodiments of the present application is an asymmetric key pair.
Step S304: verify the digital signature using the first key pair.
It should be noted in particular that when the first processing count is greater than the second processing count, the first key pair is not saved after it has been used to verify the digital signature; only the second key pair remains stored locally. If a digital signature corresponding to the first key pair is received again later, the first key pair is again generated from the locally stored second key pair in order to verify the digital signature.
In summary, when verifying a digital signature, the electronic device proposed in the embodiments of the present application receives the digital signature and a first processing count, and compares the first processing count with a locally stored second processing count. According to the comparison result, it determines whether the digital signature can be verified. If so, it determines the first key pair corresponding to the first processing count, where the first key pair is an asymmetric key pair and includes the first key. It then verifies the digital signature using the first key pair. As a result, only the updated key pair needs to be stored locally: when a digital signature corresponding to an old key pair is received, the updated key pair is used to generate the old key pair, and the old key pair is then used to verify the digital signature.
In addition, the one-way mapping processing performed by the electronic device in the embodiments of the present application may include processing with a hash algorithm, which performs a hash operation on the input content to generate a uniquely corresponding hash value.
Further, to enhance the reliability of the key pair in the embodiments of the present application, in one possible implementation the processing with the hash algorithm by the electronic device includes: concatenating the input of the one-way mapping processing with a local identifier, and using the concatenated result as the input of the hash algorithm.
It should be noted in particular that the foregoing explanation of key update by the electronic device also applies to data decryption by the electronic device, and is not repeated here.
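The count comparison and key derivation described in steps S301 to S303, together with the key update it relies on, can be sketched as follows. This is an added example, not code from the application: SHA-256, the `input || local identifier` concatenation order, the `MAX_GAP` bound, the refusal to update below count zero, and all names are assumptions of the example, and HMAC stands in for the final decrypt/verify step only so that the sketch runs on the Python standard library.

```python
import hashlib
import hmac

MAX_GAP = 10_000  # example's own bound on rounds driven by a received count


def one_way_map(value: bytes, local_id: bytes) -> bytes:
    """One round of the one-way mapping: hash(input || local identifier).
    SHA-256 and the concatenation order are assumptions of this example."""
    return hashlib.sha256(value + local_id).digest()


def derive(value: bytes, rounds: int, local_id: bytes) -> bytes:
    """Apply the one-way mapping `rounds` times to `value`."""
    if rounds < 0:
        raise ValueError("processing count cannot be negative")
    for _ in range(rounds):
        value = one_way_map(value, local_id)
    return value


class NewerKeyError(Exception):
    """Received count is lower than the local count: the sender's key is
    newer and cannot be reached by hashing the local key forward."""


class KeyHolder:
    """Stores only the reference value, the current key and its count."""

    def __init__(self, reference: bytes, count: int, local_id: bytes):
        self.reference = reference
        self.local_id = local_id
        self.count = count
        self.key = derive(reference, count, local_id)

    def update_key(self) -> int:
        """Key update: derive from the reference value with one round fewer
        and replace the stored key. Returns the new processing count."""
        if self.count == 0:  # example's choice: never go below zero rounds
            raise RuntimeError("processing count exhausted")
        self.count -= 1
        self.key = derive(self.reference, self.count, self.local_id)
        return self.count

    def resolve_key(self, first_count: int) -> bytes:
        """Return the key that matches a received processing count."""
        if first_count < self.count:
            raise NewerKeyError(f"received {first_count} < local {self.count}")
        if first_count == self.count:
            return self.key
        gap = first_count - self.count  # the "third processing count"
        if gap > MAX_GAP:
            raise ValueError("received count implausibly far from local count")
        # Older key: hash the stored key forward; the result is not stored.
        return derive(self.key, gap, self.local_id)


def tag(key: bytes, message: bytes) -> bytes:
    """Stand-in for the operation performed with the resolved key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def accept(holder: KeyHolder, first_count: int, message: bytes,
           received_tag: bytes) -> bool:
    """Compare counts, resolve the key, then check the message."""
    try:
        key = holder.resolve_key(first_count)
    except (NewerKeyError, ValueError):
        return False
    return hmac.compare_digest(tag(key, message), received_tag)


def demo() -> dict:
    # All values below are constructed for the example.
    holder = KeyHolder(b"constructed-reference-value", 5, b"device-01")
    msg = b"constructed message"
    old_tag = tag(holder.key, msg)      # produced under count 5
    holder.update_key()                 # local count is now 4
    newer_key = derive(holder.reference, 3, holder.local_id)
    return {
        "old_accepted": accept(holder, 5, msg, old_tag),
        "current_accepted": accept(holder, 4, msg, tag(holder.key, msg)),
        "newer_rejected": not accept(holder, 3, msg, tag(newer_key, msg)),
    }


if __name__ == "__main__":
    print(demo())
```

Because older keys are derived from the current key, whoever holds the current key can recompute every older key, while an older key reveals nothing about newer ones. The received count is untrusted input, which is why the example bounds the number of hash rounds it is willing to run.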
FIG. 19 is a schematic structural diagram of a computer-readable storage medium proposed in an embodiment of the present application.
To implement the above embodiments, an embodiment of the present application further proposes a computer-readable storage medium, as shown in FIG. 19. The computer-readable storage medium stores a computer program which, when run on a computer, causes the computer to execute the key update method of the foregoing embodiments.
To implement the above embodiments, an embodiment of the present application further proposes a computer-readable storage medium, as shown in FIG. 19. The computer-readable storage medium stores a computer program which, when run on a computer, causes the computer to execute the data decryption method of the foregoing embodiments.
To implement the above embodiments, an embodiment of the present application further proposes a computer-readable storage medium, as shown in FIG. 19. The computer-readable storage medium stores a computer program which, when run on a computer, causes the computer to execute the digital signature verification method of the foregoing embodiments.
In the embodiments of the present application, "at least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" may mean that A exists alone, that both A and B exist, or that B exists alone, where A and B may each be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" and similar expressions refer to any combination of the listed items, including any combination of single or plural items. For example, at least one of a, b and c may mean: a; b; c; a and b; a and c; b and c; or a, b and c, where each of a, b and c may be single or multiple.
A person of ordinary skill in the art will appreciate that the units and algorithm steps described in the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present application.
A person skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in the present application, any function that is implemented in the form of a software functional unit and sold or used as an independent product may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The foregoing is merely a description of specific implementations of the present application. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the protection scope of the present application. The protection scope of the present application shall be subject to the protection scope of the claims.

Claims (36)

  1. A method for updating a key, characterized by comprising:
    receiving a key update instruction;
    obtaining a locally stored first key and a reference value, wherein the first key is generated by performing one-way mapping processing on the reference value the first processing count of times;
    performing the one-way mapping processing on the reference value a second processing count of times to generate a second key, wherein the second processing count is less than the first processing count; and
    replacing the first key with the second key.
  2. The method according to claim 1, wherein the difference between the first processing count and the second processing count is one.
  3. The method according to claim 1, wherein the one-way mapping processing comprises:
    processing with a hash algorithm.
  4. A data decryption method, characterized by comprising:
    receiving encrypted data and a first processing count, and comparing the first processing count with a locally stored second processing count;
    determining, according to the comparison result, whether the encrypted data can be decrypted;
    if so, determining a first key corresponding to the first processing count; and
    decrypting the encrypted data using the first key.
  5. The method according to claim 4, wherein determining, according to the comparison result, whether the encrypted data can be decrypted comprises:
    determining whether the first processing count is less than the second processing count; and
    if so, determining that the encrypted data cannot be decrypted.
  6. The method according to claim 4, wherein determining, according to the comparison result, whether the encrypted data can be decrypted comprises:
    determining whether the first processing count is equal to the second processing count; and
    if so, using a locally stored second key as the first key.
  7. The method according to claim 4, wherein determining, according to the comparison result, whether the encrypted data can be decrypted comprises:
    determining whether the first processing count is greater than the second processing count; and
    if so, performing one-way mapping processing on a locally stored second key a third processing count of times to generate the first key, wherein the third processing count is the difference between the first processing count and the second processing count.
  8. A method for verifying a digital signature, characterized by comprising:
    receiving a digital signature and a first processing count, and comparing the first processing count with a locally stored second processing count;
    determining, according to the comparison result, whether the digital signature can be verified;
    if so, determining a first key pair corresponding to the first processing count, wherein the first key pair is an asymmetric key pair and includes a first key; and
    verifying the digital signature using the first key pair.
  9. The method according to claim 8, wherein determining, according to the comparison result, whether the digital signature can be verified comprises:
    determining whether the first processing count is less than the second processing count; and
    if so, determining that the digital signature cannot be verified.
  10. The method according to claim 8, wherein determining, according to the comparison result, whether the digital signature can be verified comprises:
    determining whether the first processing count is equal to the second processing count; and
    if so, using a locally stored second key pair as the first key pair.
  11. The method according to claim 8, wherein determining, according to the comparison result, whether the digital signature can be verified comprises:
    determining whether the first processing count is greater than the second processing count;
    if so, performing one-way mapping processing on a second key of a locally stored second key pair a third processing count of times to generate the first key, wherein the third processing count is the difference between the first processing count and the second processing count; and
    generating the first key pair according to the first key.
  12. A terminal, characterized by comprising:
    a first receiving module, configured to receive a key update instruction;
    an obtaining module, configured to obtain a locally stored first key and a reference value, wherein the first key is generated by performing one-way mapping processing on the reference value the first processing count of times;
    a first processing module, configured to perform the one-way mapping processing on the reference value a second processing count of times to generate a second key, wherein the second processing count is less than the first processing count; and
    a replacement module, configured to replace the first key with the second key.
  13. The terminal according to claim 12, wherein the difference between the first processing count and the second processing count is one.
  14. The terminal according to claim 12, wherein the first processing module is specifically configured to process the reference value the second processing count of times using a hash algorithm.
  15. A terminal, characterized by comprising:
    a second receiving module, configured to receive encrypted data and a first processing count;
    a first comparison module, configured to compare the first processing count with a locally stored second processing count;
    a first judgment module, configured to determine, according to the comparison result, whether the encrypted data can be decrypted;
    a first determining module, configured to determine a first key corresponding to the first processing count when the first judgment module determines that the encrypted data can be decrypted; and
    a decryption module, configured to decrypt the encrypted data using the first key.
  16. The terminal according to claim 15, wherein the first judgment module comprises:
    a first judgment submodule, configured to determine whether the first processing count is less than the second processing count; and
    a first determining submodule, configured to determine that the encrypted data cannot be decrypted when the first judgment submodule determines that the first processing count is less than the second processing count.
  17. The terminal according to claim 15, wherein the first judgment module comprises:
    a second judgment submodule, configured to determine whether the first processing count is equal to the second processing count; and
    a second setting submodule, configured to use a locally stored second key as the first key when the second judgment submodule determines that the first processing count is equal to the second processing count.
  18. The terminal according to claim 15, wherein the first judgment module comprises:
    a third judgment submodule, configured to determine whether the first processing count is greater than the second processing count; and
    a first processing submodule, configured to, when the third judgment submodule determines that the first processing count is greater than the second processing count, perform one-way mapping processing on a locally stored second key a third processing count of times to generate the first key, wherein the third processing count is the difference between the first processing count and the second processing count.
  19. A terminal, characterized by comprising:
    a third receiving module, configured to receive a digital signature and a first processing count;
    a second comparison module, configured to compare the first processing count with a locally stored second processing count;
    a second judgment module, configured to determine, according to the comparison result, whether the digital signature can be verified;
    a second determining module, configured to determine a first key pair corresponding to the first processing count when the second judgment module determines that the digital signature can be verified, wherein the first key pair is an asymmetric key pair and includes a first key; and
    a verification module, configured to verify the digital signature using the first key pair.
  20. The terminal according to claim 19, wherein the second judgment module comprises:
    a fourth judgment submodule, configured to determine whether the first processing count is less than the second processing count; and
    a second determining submodule, configured to determine that the digital signature cannot be verified when the fourth judgment submodule determines that the first processing count is less than the second processing count.
  21. The terminal according to claim 19, wherein the second judgment module comprises:
    a fifth judgment submodule, configured to determine whether the first processing count is equal to the second processing count; and
    a third setting submodule, configured to use a locally stored second key pair as the first key pair when the fifth judgment submodule determines that the first processing count is equal to the second processing count.
  22. The terminal according to claim 19, wherein the second judgment module comprises:
    a sixth judgment submodule, configured to determine whether the first processing count is greater than the second processing count;
    a second processing submodule, configured to, when the sixth judgment submodule determines that the first processing count is greater than the second processing count, perform one-way mapping processing on a second key of a locally stored second key pair a third processing count of times to generate the first key, wherein the third processing count is the difference between the first processing count and the second processing count; and
    a generating submodule, configured to generate the first key pair according to the first key.
  23. An electronic device, characterized by comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, performs the following steps:
    receiving a key update instruction;
    obtaining a locally stored first key and a reference value, wherein the first key is generated by performing one-way mapping processing on the reference value the first processing count of times;
    performing the one-way mapping processing on the reference value a second processing count of times to generate a second key, wherein the second processing count is less than the first processing count; and
    replacing the first key with the second key.
  24. The electronic device according to claim 23, wherein the difference between the first processing count and the second processing count is one.
  25. The electronic device according to claim 23, wherein the one-way mapping processing performed by the electronic device comprises:
    processing with a hash algorithm.
  26. An electronic device, characterized by comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, performs the following steps:
    receiving encrypted data and a first processing count, and comparing the first processing count with a locally stored second processing count;
    determining, according to the comparison result, whether the encrypted data can be decrypted;
    if so, determining a first key corresponding to the first processing count; and
    decrypting the encrypted data using the first key.
  27. The electronic device according to claim 26, wherein the electronic device determining, according to the comparison result, whether the encrypted data can be decrypted specifically comprises the following steps:
    determining whether the first processing count is less than the second processing count; and
    if so, determining that the encrypted data cannot be decrypted.
  28. The electronic device according to claim 26, wherein the electronic device determining, according to the comparison result, whether the encrypted data can be decrypted specifically comprises the following steps:
    determining whether the first processing count is equal to the second processing count; and
    if so, using a locally stored second key as the first key.
  29. The electronic device according to claim 26, wherein the electronic device determining, according to the comparison result, whether the encrypted data can be decrypted specifically comprises the following steps:
    determining whether the first processing count is greater than the second processing count; and
    if so, performing one-way mapping processing on a locally stored second key a third processing count of times to generate the first key, wherein the third processing count is the difference between the first processing count and the second processing count.
  30. 一种电子设备,其特征在于,包括:存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述计算机程序时,执行以下步骤:An electronic device, characterized by comprising: a memory, a processor, and a computer program stored in the memory and capable of running on the processor. When the processor executes the computer program, the following steps are executed:
    接收数字签名和第一处理次数,并将所述第一处理次数与本地存储的第二处理次数进行比较;Receiving a digital signature and a first processing count, and comparing the first processing count with a locally stored second processing count;
    根据比较结果,判断是否能够对所述数字签名进行验证;According to the comparison result, determine whether the digital signature can be verified;
    如果是,则确定所述第一处理次数对应的第一密钥对;其中,所述第一密钥对为非对称密钥对,所述第一密钥对包括第一密钥;If yes, determine the first key pair corresponding to the first number of times of processing; wherein, the first key pair is an asymmetric key pair, and the first key pair includes the first key;
    使用所述第一密钥对对所述数字签名进行验证。The digital signature is verified using the first key pair.
  31. The electronic device according to claim 30, wherein the electronic device determining, according to the comparison result, whether the digital signature can be verified specifically comprises the following steps:
    determining whether the first processing count is less than the second processing count;
    if so, determining that the digital signature cannot be verified.
  32. The electronic device according to claim 30, wherein the electronic device determining, according to the comparison result, whether the digital signature can be verified specifically comprises the following steps:
    determining whether the first processing count is equal to the second processing count;
    if so, using the locally stored second key pair as the first key pair.
  33. The electronic device according to claim 30, wherein the electronic device determining, according to the comparison result, whether the digital signature can be verified specifically comprises the following steps:
    determining whether the first processing count is greater than the second processing count;
    if so, performing one-way mapping processing a third processing count of times on the second key in the locally stored second key pair to generate the first key; wherein the third processing count is the difference between the first processing count and the second processing count;
    generating the first key pair according to the first key.
  34. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and when the computer program runs on a computer, it causes the computer to execute the method according to any one of claims 1-3.
  35. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and when the computer program runs on a computer, it causes the computer to execute the method according to any one of claims 4-7.
  36. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and when the computer program runs on a computer, it causes the computer to execute the method according to any one of claims 8-11.
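
The counter comparison and catch-up derivation recited in claims 28, 29 and 31 to 33 can be sketched as follows; this is an added example, not code from the patent. SHA-256 as the one-way mapping, the `MAX_SKIP` cap on catch-up steps and all function names are assumptions, and generating a key pair from the derived key (claim 33) is left out.

```python
import hashlib

MAX_SKIP = 1000  # assumption: cap on catch-up steps, not part of the claims


def one_way_map(key: bytes) -> bytes:
    """One step of the one-way mapping; SHA-256 is an assumed choice."""
    return hashlib.sha256(key).digest()


def advance(key: bytes, steps: int) -> bytes:
    """Apply the one-way mapping `steps` times."""
    for _ in range(steps):
        key = one_way_map(key)
    return key


def resolve_key(local_key: bytes, local_count: int, received_count: int):
    """Return the key matching received_count, or None if it cannot be produced.

    received_count is the "first processing count", local_count the "second".
    """
    if received_count < local_count:
        # The mapping is one-way, so an earlier key cannot be recovered.
        return None
    gap = received_count - local_count  # the "third processing count"
    if gap > MAX_SKIP:
        # Added safeguard: refuse unbounded hashing driven by an untrusted counter.
        return None
    # gap == 0 returns the locally stored key unchanged.
    return advance(local_key, gap)


def demo():
    root = b"constructed-root-key-for-example"  # constructed sample value
    sender_key = advance(root, 5)      # sender has updated its key 5 times
    receiver_key = advance(root, 2)    # receiver has updated its key twice
    return {
        "behind": resolve_key(receiver_key, 2, 5) == sender_key,
        "equal": resolve_key(sender_key, 5, 5) == sender_key,
        "stale": resolve_key(sender_key, 5, 2),
        "too_far": resolve_key(receiver_key, 2, 2 + MAX_SKIP + 1),
    }


if __name__ == "__main__":
    print(demo())
```

Because the received count arrives from the peer, the receiver should treat it as untrusted input; without a bound such as `MAX_SKIP`, a forged large count forces the receiver into an arbitrarily long hashing loop.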
PCT/CN2020/128165 2019-12-03 2020-11-11 Key update method, data decryption method, and digital signature authentication method WO2021109817A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911221985.XA CN112910627B (en) 2019-12-03 2019-12-03 Key updating method, data decryption method and digital signature verification method
CN201911221985.X 2019-12-03

Publications (1)

Publication Number Publication Date
WO2021109817A1 true WO2021109817A1 (en) 2021-06-10

Family

ID=76104712

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/128165 WO2021109817A1 (en) 2019-12-03 2020-11-11 Key update method, data decryption method, and digital signature authentication method

Country Status (2)

Country Link
CN (1) CN112910627B (en)
WO (1) WO2021109817A1 (en)

Also Published As

Publication number Publication date
CN112910627A (en) 2021-06-04
CN112910627B (en) 2023-02-10

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20896858

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20896858

Country of ref document: EP

Kind code of ref document: A1