WO2023051337A1 - Data processing method and apparatus, and device and storage medium - Google Patents

Info

Publication number
WO2023051337A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
user
factor
user password
encrypted data
Prior art date
Application number
PCT/CN2022/120112
Other languages
French (fr)
Chinese (zh)
Inventor
李宗波
张卓韬
杨永帮
邬秋元
陈晓丹
张涛
宋超
Original Assignee
深圳前海微众银行股份有限公司
Application filed by 深圳前海微众银行股份有限公司
Publication of WO2023051337A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45: Structures or tools for the administration of authentication
    • G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Definitions

  • This application relates to the technical field of data processing, involving but not limited to data processing methods, devices, equipment and storage media.
  • the first scheme is to encrypt and decrypt the text through the built-in random password of the device;
  • the second scheme is to encrypt and decrypt the text through the user password.
  • in the first scheme, on the one hand, the user cannot participate in the encryption and decryption process; on the other hand, the organization that provides the encryption and decryption has the ability to decrypt the text, so the security is low.
  • in the second scheme, although the user can participate in the encryption and decryption process, the security of encrypting and decrypting the text through the user password is relatively low.
  • the present application provides a data processing method, device, equipment, and storage medium.
  • the solution can not only enable users to participate in the encryption or decryption process, but also has high security.
  • the present application provides a data processing method, the method is applied to a first device, and the method includes:
  • if the predicted user ID is the same as the actual user ID, it is determined that the verification of the first user password is successful, and the first encrypted data is decrypted based on the first user password to obtain a first user password factor, where the first encrypted data includes an encrypted first user password factor
  • the target object is encrypted or decrypted by the first password.
  • the present application provides a data processing device, the device is deployed in the first device; the device includes:
  • the prediction unit is configured to decrypt the user identification data based on the received first user password to obtain a predicted user identification
  • An obtaining unit configured to obtain an actual user identifier associated with the first user password
  • the decryption unit is configured to determine that the verification of the first user password is successful if the predicted user ID is the same as the actual user ID, decrypt the first encrypted data based on the first user password, and obtain the first user password factor, where the first encrypted data includes an encrypted first user password factor;
  • a generating unit configured to generate a first password based at least on the first user password factor
  • a processing unit configured to encrypt or decrypt the target object by using the first password.
  • the present application also provides an electronic device, including: a memory and a processor, the memory stores a computer program that can run on the processor, and the processor implements the above data processing method when executing the program.
  • the present application also provides a storage medium on which a computer program is stored, and when the computer program is executed by a processor, the above data processing method is realized.
  • the data processing method, apparatus, device, and storage medium provided in this application include: decrypting the user identification data based on the received first user password to obtain a predicted user identification; obtaining the actual user identification associated with the first user password; if the predicted user ID is the same as the actual user ID, determining that the verification of the first user password is successful, and decrypting the first encrypted data based on the first user password to obtain a first user password factor, where the first encrypted data includes an encrypted first user password factor; generating a first password based at least on the first user password factor; and encrypting or decrypting a target object with the first password.
  • the first password is obtained based on the user password, which can ensure that the user participates in the encryption or decryption process.
  • the scheme does not encrypt or decrypt the target object with the first user password itself; instead, the first password is determined from the user password factor obtained based on the first user password, and the target object is encrypted or decrypted with the first password, which increases the difficulty of cracking the first password and further improves security;
  • verification compares the predicted user ID with the actual user ID and is not based directly on the password. Therefore, this solution does not need to store the user password, which reduces the channels for user password leakage and further improves security.
  • FIG. 1 is an optional structural schematic diagram of a data processing system provided in an embodiment of the present application
  • FIG. 2 is an optional schematic structural diagram of a data processing system provided in an embodiment of the present application
  • Fig. 3 is an optional schematic flow chart of the data processing method provided by the embodiment of the present application.
  • FIG. 4 is an optional schematic flowchart of a data processing method provided in an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of an optional data processing method provided in the embodiment of the present application.
  • FIG. 6 is a schematic flowchart of an optional data processing method provided in the embodiment of the present application.
  • FIG. 7 is a schematic flowchart of an optional data processing method provided in the embodiment of the present application.
  • FIG. 8 is an optional structural schematic diagram of a data processing device provided in an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of an optional electronic device provided in an embodiment of the present application.
  • "first/second/third" is used as an example to distinguish different objects, and does not represent a specific order for the objects or impose a limitation on the sequence. It can be understood that "first/second/third" can be interchanged in a specific order or sequence where allowed, so that the embodiments of the application described here can be implemented in an order other than the one illustrated or described here.
  • An object may refer to various types of data, for example, text data, video data, audio data, or picture data.
  • the target object refers to the object to be encrypted or decrypted in this application.
  • Embodiments of the present application may provide a data processing method, device, device, and storage medium.
  • the data processing method can be implemented by a data processing device, and each functional entity in the data processing device can be realized collaboratively by hardware resources of an electronic device (such as a first device), such as computing resources (for example, a processor) and communication resources (for example, those supporting communication in various ways such as optical cable and cellular).
  • the data processing method provided in the embodiment of the present application is applied to a data processing system, and the data processing system includes a first device.
  • the first device decrypts the user identification data based on the received first user password to obtain a predicted user identification; obtain an actual user identification associated with the first user password; if the predicted user identification is the same as the actual user identification, determine The verification of the first user password is successful, and the first encrypted data is decrypted based on the first user password to obtain a first user password factor, and the first encrypted data includes the encrypted first user password factor; at least based on the The first user password factor generates a first password; the target object is encrypted or decrypted by the first password.
  • the data processing system may further include a second device and/or a third device.
  • the second device can communicate with the first device, for example, the second device can back up the first user password factor;
  • the third device can communicate with the first device, for example, the third device can receive the first user password and forward the received first user password to the first device.
  • the structure of the data processing system 10 may be as shown in FIG. 1 , including: a first device 101 and a third device 102; the first device 101 and the third device 102 may communicate.
  • the first device 101 may communicate directly with the third device 102; or, the first device 101 may also communicate with the third device 102 through an application server.
  • data processing system 10 may also include application server 103 .
  • the third device 102 runs the target service (for example, a managed storage service), the third device 102 communicates with the server 103 through an application programming interface (API) provided by the target service, and the server 103 communicates with the first device 101.
  • the first device 101 is configured to receive various data sent by the third device 102, and process and store the received data.
  • the first device 101 may be used to receive the object sent by the third device 102, and store the object after encryption; or may also be used to decrypt the encrypted object and then send it to the third device 102.
  • the first device 101 may be a fixed storage device such as a memory, a hard disk, or a floppy disk, or the first device 101 may also be a removable storage device such as a mobile hard disk, or the first device 101 may also be a cloud storage device.
  • the third device 102 is configured to send objects to the first device 101, or to receive objects sent by the first device.
  • the third device 102 may include a mobile terminal device (such as a mobile phone, a tablet computer, etc.), or a non-mobile terminal device (such as a desktop computer, etc.).
  • the structure of the data processing system 10 may be as shown in FIG. 2 , including: a first device 101 , a third device 102 and a second device 104 .
  • the second device 104 can communicate with the first device 101 and the third device 102 .
  • the second device 104, which may also be referred to as a third-party trusted certificate service agency device, is used to receive and store the data sent by the first device 101 or the third device 102 (for example, the encrypted second user password factor may be stored), and to send the data, after processing, to the first device 101 or the third device 102.
  • the embodiment of the present application provides a data processing method, which is applied to a data processing device; wherein, the data processing device can be deployed in the first device 101 in FIG. 1 or FIG. 2 .
  • the data processing process provided by the embodiment of the present application will be described.
  • Fig. 3 shows a schematic flowchart of an optional data processing method. The data processing method provided in the embodiment of the present application is used to encrypt or decrypt each object; the processing process for each object is similar, so the target object is taken as an example to describe the process in detail.
  • the data processing method may include but not limited to S301 to S305 shown in FIG. 3 .
  • the first device decrypts user identification data based on the received first user password to obtain a predicted user identification.
  • the first device receives the first user password, and decrypts the user identification data based on the first user password to obtain a predicted user identification.
  • For the first device to receive the first user password, in a possible implementation manner, the first device receives a first operation of the user, and receives the first user password input by the user based on the first operation.
  • the third device receives the user's first operation and the first user password input by the user based on the first operation; the third device sends the received first user password to the first device, and the first device receives the first user password sent by the third device.
  • For the first device to decrypt the user identification data based on the first user password to obtain the predicted user identification, it may be implemented as follows: the first device invokes the first decryption algorithm, and decrypts the user identification data with the first user password or the system password obtained based on the first user password, to get the predicted user ID.
  • the system password is a system-specific password corresponding to the first user password.
  • the first device may also obtain user identification data based on the first user.
  • the embodiment of the present application does not uniquely limit the timing of obtaining the user identification data, which can be configured according to timing requirements.
  • the first device creates the user identification (Identity document, ID) of the first user for the first user, and invokes the first encryption algorithm to encrypt the user ID of the first user with the first user password or the system password obtained based on the first user password, to get the user identification data.
  • the user ID of the first user is used to uniquely point to the first user.
  • the embodiment of the present application does not limit the expression form of the first user ID, which can be configured according to actual needs.
  • the first user identifier may be a combination of a group of numbers, or a combination of letters, or a combination of numbers and letters, and so on.
  • the embodiment of the present application does not specifically limit the algorithm for creating the user identifier of the first user.
  • the algorithm for creating the user ID of the first user may include a random algorithm or a hash algorithm and the like.
  • the encryption password of the first encryption algorithm and the decryption password of the first decryption algorithm should be consistent.
  • the corresponding encryption password of the first encryption algorithm is the first user password
  • the decryption password of the first decryption algorithm is the system password
  • the first decryption algorithm is the encryption password.
  • the first device obtains an actual user identifier associated with the first user password.
  • Based on the input first user password, the first device regenerates the user identification, using the same method by which the first device obtained the user identification data based on the first user, as the actual user identification associated with the first user password.
  • the first device decrypts the first encrypted data based on the first user password to obtain a first user password factor.
  • the first encrypted data includes the encrypted first user password factor.
  • the first encrypted data can be the data obtained by encrypting the first user password factor, or the first encrypted data can be the data obtained by packaging the first user password factor into a file (such as a folder or a compressed file, etc.) and encrypting that file.
  • the first user password factor is used to obtain the password for encrypting or decrypting the target object.
  • the embodiment of the present application does not limit the expression form of the first user password factor, which can be configured according to actual needs.
  • the first user password factor may be a group of random numbers, or the first user password factor may be a combination of a group of random numbers and letters, and so on.
  • S303 may be implemented as: the first device judges whether the predicted user ID is the same as the actual user ID; if the predicted user ID is the same as the actual user ID, it is determined that the first user password verification is successful, and the first device invokes the second decryption algorithm, obtains a decryption password based on the first user password, and decrypts the first encrypted data with the decryption password to obtain the first user password factor; if the predicted user ID is not the same as the actual user ID, it is determined that the verification of the first user password fails, and the process ends.
  • the embodiment of the present application does not uniquely limit the type of the second decryption algorithm, which can be configured according to actual requirements.
  • the second decryption algorithm may include: the block cipher algorithm of the wireless local area network standard (SM4 decryption algorithm).
  • the second decryption algorithm may include the SM4DECRYPT(D, P) algorithm, where D represents a decryption object, and P represents a decryption password. It can be understood that D includes the first encrypted data; P includes the first user password or a system password generated based on the first user password.
  • the second decryption algorithm may include: an asymmetric encryption algorithm (SM2 algorithm).
  • the data processing method provided in the embodiment of the present application may further include a registration process.
  • the registration process for the first user may include: the first device receiving the first user password, creating the first user for the first user password, creating a first user password factor for the first user, and encrypting the first user password factor based on the first user password to obtain the first encrypted data.
  • the embodiment of the present application does not uniquely limit the algorithm for creating the first user password factor.
  • the algorithm for creating the first user password factor may include a random algorithm, or a hash algorithm, and the like.
  • the embodiment of the present application also makes no unique limitation on the second encryption algorithm for encrypting the first user password factor.
  • the second encryption algorithm may include: the block cipher algorithm of the wireless local area network standard (SM4 encryption algorithm).
  • the SM4 encryption algorithm may include the SM4ENCRYPT(S, P) algorithm.
  • the second encryption algorithm may include: an Advanced Encryption Standard (AES) algorithm.
  • the second encryption algorithm should correspond to the second decryption algorithm.
  • the second decryption algorithm is the SM4DECRYPT(D, P) algorithm
  • the corresponding second encryption algorithm in the registration process is the SM4ENCRYPT(S, P) algorithm, where S represents the encryption object and P represents the encryption password.
  • S includes the first user password factor
  • P includes the first user password or a system password generated based on the first user password.
  • the encryption password of the second encryption algorithm should be consistent with the decryption password of the second decryption algorithm.
  • the encryption password of the second decryption algorithm is also the first user password
  • the encryption password of the second encryption algorithm is also the system password
  • the received first user password is not stored, in other words, the first user password is destroyed immediately after use. In this way, the probability of leakage of the first user's password can be reduced and the security can be improved.
  • the first device generates a first password based at least on the first user password factor.
  • the first device uses a first password generation algorithm to generate the first password according to a first user password factor.
  • the first device uses a first password generation algorithm to generate the first password according to the first user password factor and the object password factor for the target object.
  • the embodiment of the present application does not limit the algorithm type of the first password generation algorithm, which can be configured according to actual requirements.
  • the first password generation algorithm may include: a hash algorithm, a message digest (Message Digest algorithm 5, MD5) algorithm, or a secure hash (Secure Hash Algorithm, SHA) algorithm.
  • the first password generation algorithm may include: a hash algorithm and a random generation password algorithm (such as GENPSW algorithm), or an MD5 algorithm and a random generation password algorithm, or an SHA algorithm and a random generation password algorithm.
  • the first device encrypts or decrypts the target object by using the first password.
  • the target object may include a target object to be encrypted and a target object to be decrypted, wherein the target object to be encrypted may also be called a first target object, and the target object to be decrypted may also be called a second target object.
  • S305 may be implemented as: the first device invokes a third encryption algorithm, and encrypts the first target object by using the first password.
  • S305 may be implemented as: the first device invokes a third decryption algorithm, and decrypts the second target object by using the first password.
  • the embodiment of this application does not limit the algorithm types of the third encryption algorithm and the third decryption algorithm, which can be configured according to actual needs.
  • the third encryption algorithm may include the SM4 encryption algorithm, or the SM2 encryption algorithm;
  • the third decryption algorithm may include the SM4 decryption algorithm, or the SM2 decryption algorithm.
  • the third decryption algorithm should correspond to the second encryption algorithm.
  • the third encryption algorithm is the SM4ENCRYPT algorithm
  • the third decryption algorithm is SM4DECRYPT.
  • the data processing solution provided by the embodiment of the present application includes: decrypting the user identification data based on the received first user password to obtain a predicted user identification; obtaining the actual user identification associated with the first user password; if the predicted user identification is the same as the actual user identification, determining that the first user password verification is successful, and decrypting the first encrypted data based on the first user password to obtain the first user password factor, where the first encrypted data includes the encrypted first user password factor; generating a first password based at least on the first user password factor; and encrypting or decrypting a target object by using the first password.
  • In this way, first, the first password is obtained based on the user password, which can ensure that the user participates in the encryption or decryption process.
  • the scheme does not encrypt or decrypt the target object with the first user password itself; instead, the first password is determined from the user password factor obtained based on the first user password, and the target object is encrypted or decrypted with the first password, which increases the difficulty of cracking the first password and further improves security;
  • verification compares the predicted user ID with the actual user ID and is not based directly on the password. Therefore, this solution does not need to store the user password, which reduces the channels for user password leakage and further improves security.
  • the data processing process provided by the embodiment of the present application may not store the first user password; that is, each stage of data processing (encryption, decryption, etc.) requires the user to input the first user password, and the first device receives the first user password and performs operations such as encryption or decryption based on it. This avoids the possibility that the first user password is stolen while stored, or that a device storing the first user password illegally decrypts the file, thereby further improving data security.
  • Embodiment A: the first encrypted data is decrypted using the first user password
  • Embodiment B: the first encrypted data is decrypted using the system password generated from the first user password.
  • the system password is a system-specific password corresponding to the first user password.
  • Embodiment A may include: the first device invokes the second decryption algorithm, decrypts the first encrypted data through the first user password, and obtains the first user password factor.
  • the first user password factor S1 can be obtained by the following formula (1).
  • S1 represents the first user password factor
  • D1 represents the first encrypted data
  • SM4DECRYPT represents the SM4 decryption algorithm (the first decryption algorithm)
  • P0 represents the first user password.
  • Embodiment B may include but not limited to the following S3021 and S3022.
  • the first device generates a system password corresponding to the first user password based on the first user password.
  • the first device uses the second password generation algorithm to generate a system password corresponding to the first user password according to the first user password.
  • the implementation of this application does not limit the algorithm type of the second password generation algorithm, which can be configured according to actual needs.
  • the second password generation algorithm may be the same as the first password generation algorithm, or may be different from the first password generation algorithm.
  • the system password P1 can be obtained by the following formula (2).
  • P1 represents the system password
  • GENPSW represents the random generation password algorithm
  • SM3 represents the salted hash algorithm
  • SALT0 represents the salt value
  • P0 represents the first user password
  • GENPSW and SM3 constitute the second password generation algorithm.
  • the first device decrypts the first encrypted data by using the system password to obtain the first user password factor.
  • the first device invokes the second decryption algorithm, and decrypts the first encrypted data through the system password to obtain the first user password factor.
  • the first user password factor can be obtained by the following formula (3).
  • S1 represents the first user password factor
  • SM4DECRYPT represents the SM4 decryption algorithm
  • D1 represents the first encrypted data
  • P1 represents the system password.
  • the process for the first device to obtain the first encrypted data may include but not limited to the following implementation manner A1 or implementation manner B1.
  • Embodiment A1 corresponds to Embodiment A, and the first encrypted data is obtained by encrypting the first user password;
  • Embodiment B1 corresponds to embodiment B, and the first encrypted data is obtained by encrypting the system password generated by the first user password.
  • Embodiment A1 may include: the first device invokes the second encryption algorithm, encrypts the first user password factor through the first user password, and obtains the first encrypted data.
  • the first encrypted data can be obtained by the following formula (4).
  • D1 represents the first encrypted data
  • SM4ENCRYPT represents the SM4 encryption algorithm (second encryption algorithm)
  • S1 represents the first user password factor
  • P0 represents the first user password.
  • Embodiment B1 may include: the first device uses the second password generation algorithm to generate a system password corresponding to the first user password according to the first user password; then the first device invokes the second encryption algorithm to encrypt the first user password factor with the system password to obtain the first encrypted data.
  • the system password P1 can be obtained by the following formula (2)
  • the first encrypted data D1 can be obtained by the following formula (5).
  • D1 represents the first encrypted data
  • SM4ENCRYPT represents the SM4 encryption algorithm
  • S1 represents the first user password factor
  • P1 represents the system password corresponding to the first user password.
  • the first user password factor is not encrypted by the first user password, but the first user password factor is encrypted by the system password generated by the first user password, which realizes multi-layer encryption and is more secure.
  • Embodiment B has higher security, and Embodiment A is simpler to implement.
  • Embodiment A2: generating the first password based on the first user password factor
  • Embodiment B2: generating the first password based on the first user password factor and the object password factor for the target object.
  • Implementation manner A2 may include: the first device generates the first password according to the first user password factor by using a first password generation algorithm.
  • the first password generation algorithm may include a hash algorithm and a random password generation algorithm.
  • Embodiment A2 may be implemented as follows: the first device applies a hash algorithm to the first user password factor to obtain a hash value, then uses a random password generation algorithm to truncate the first 128 bits of the hash value as the first password.
  • the first password P3 can be obtained by formula (6).
  • P3 represents the first password
  • GENPSW represents the random password generation algorithm
  • SM3 represents the hash algorithm
  • S1 represents the first user password factor
  • SM3(S1) represents the hash value obtained by applying the hash algorithm to the first user password factor.
  • the data processing method provided by the embodiment of this application may further include S306 as shown in FIG. 4 .
  • the first device obtains an object encryption factor for the target object.
  • the object encryption factor is an object-specific encryption factor, or an object-level encryption factor.
  • the object encryption factor for the target object is referred to as the object encryption factor for short below.
  • implementation manner B2 may include: the first device generates the first password according to the first user password factor and the object password factor by using the first password generation algorithm.
  • the first password generation algorithm may include a salted hash algorithm and a random password generation algorithm.
  • the first device may combine the first user password factor and the object password factor to obtain a hash value through a salted hash algorithm, and use a random password generation algorithm to truncate the first 128 bits of the hash value as the first password.
  • the first password P3 can also be obtained through formula (7).
  • P3 represents the first password
  • GENPSW represents the random password generation algorithm
  • SM3 represents the salted hash algorithm
  • S1 represents the first user password factor
  • S2 represents the object password factor
  • SALT0 represents the salt value
  • SM3(S1+S2+SALT0) indicates that the first user password factor and the object password factor are combined and passed through the salted hash algorithm to obtain a hash value.
  • This process may include but not limited to the following implementation mode A3 or implementation mode B3.
  • Embodiment A3 For the encryption process, the first device creates an object encryption factor for the target object.
  • Embodiment B3 For the decryption process, the first device decrypts the second encrypted data to obtain the object encryption factor.
  • Implementation manner A3 may include: the first device creates an object encryption factor for the target object as the object encryption factor for the target object.
  • an algorithm for creating an object password factor may include a random algorithm, or a hash algorithm, and the like.
  • the algorithm for creating the object password factor can be the same as the algorithm for creating the first user password factor, or it can be different from the algorithm for creating the first user password factor.
  • the first device may encrypt and store the object encryption factor.
  • the first device generates a second password for the target object, and the first device encrypts a password factor of the object based on the second password to obtain second encrypted data and save the second encrypted data.
  • Encrypting the object password factor by the first device based on the second password may include: the first device calls the fourth encryption algorithm and encrypts the object password factor with the second password; or, the first device generates a third password based on the second password and uses the third password to encrypt the object password factor.
  • Implementation manner B3 may include: the first device decrypts the second encrypted data based on the second password to obtain the object password factor.
  • the first device invokes the fourth decryption algorithm to decrypt the second encrypted data by using the second password to obtain the object password factor.
  • the first device invokes the fourth decryption algorithm to decrypt the second encrypted data through the third password to obtain the object password factor.
  • Next, the process of generating the first password based on the first user password factor and the object password factor for the target object in Embodiment B2 is described; it may include, but is not limited to, S3031 to S3033 shown in FIG. 5.
  • the first device assembles the sum of the first user factor and the object password factor into a password string.
  • the first device performs salted hash calculation on the password string to obtain a password hash value.
  • the first device truncates the first W digits of the hash value of the password to generate the first password.
  • W may be 128 in one example.
  • the first device truncates the first W bits of the hash value of the password through the GENPSW algorithm to generate the first password.
  • the data processing method provided in the embodiment of the present application can also modify the user password of the first user.
  • the modification process of the user password will be described by taking the modification of the first user password to the second user password as an example.
  • This process may include but not limited to S307 to S309 shown in FIG. 6 .
  • the first device acquires the second user password factor when receiving the second user password.
  • the contents of the first user password factor and the second user password factor are the same.
  • the first device encrypts the second user password factor based on the received second user password to obtain third encrypted data.
  • S308 can refer to the specific description of obtaining the first encrypted data in the registration process, and details will not be repeated here.
  • the first device updates the first encrypted data based on the third encrypted data.
  • the first device updates the first encrypted data to the third encrypted data.
  • a one-time password (One Time Password, OTP) verification may be performed first.
  • the first device also receives and stores the first mobile phone number for the first user.
  • the first device performs OTP verification based on the first mobile phone number; if the verification is successful, S307 is executed, and if the verification fails, the process ends.
  • the first device sends the fourth encrypted data to the second device or the third device.
  • S3071 may be implemented as: the first device sends the fourth encrypted data to the second device.
  • S3071 may be implemented as: the first device sends the fourth encrypted data to the third device.
  • the data processing method provided in the embodiment of the present application further includes a process of generating fourth encrypted data.
  • the process for the first device to generate the fourth encrypted data may include but not limited to S3070 and S3070A.
  • the first device receives the first public key for the second device.
  • the second device generates a set of public-private key pairs (the first public key and the first private key), the second device sends the first public key to the first device, and the first device receives the first public key for the second device.
  • the first device may also generate a set of public-private key pairs (the second public key and the second private key), the first device sends the second public key to the second device, and the second device receives the second public key.
  • the first device encrypts the first user password factor using the first public key to obtain fourth encrypted data.
  • the second device receives the fourth encrypted data, and uses the first private key to decrypt the fourth encrypted data to obtain a second user password factor.
  • the third device receives the fourth encrypted data, and uses the first private key to decrypt the fourth encrypted data under the trusted execution environment (Trusted Execution Environment, TEE), to obtain the second user password factor.
  • before performing S3072B, the second device sends the first private key to the third device, and the first device sends the second public key to the third device.
  • the second device encrypts the second user password factor with the second public key to obtain fifth encrypted data.
  • the third device encrypts the second user password factor with the second public key to obtain fifth encrypted data.
  • the second device sends the fifth encrypted data to the first device.
  • the third device sends the fifth encrypted data to the first device.
  • the first device receives fifth encrypted data.
  • the first device receives fifth encrypted data sent by the second device.
  • the first device receives fifth encrypted data sent by the third device.
  • the first device obtains the second user password factor by decrypting the fifth encrypted data with the second private key corresponding to the second public key.
  • public key encryption algorithms may include, but are not limited to: the SM2 public key encryption algorithm and the RSA (Ron Rivest, Adi Shamir, Leonard Adleman) public key encryption algorithm.
  • private key decryption algorithms may include, but are not limited to: the SM2 private key decryption algorithm and the RSA private key decryption algorithm.
  • the first device stores the encrypted first user password factor but does not itself have the ability to decrypt it, and the communication data between the first device and the second device is encrypted, so obtaining the second user password factor in this way is more secure.
  • SM2 algorithm refers to the elliptic curve public key cryptography algorithm, which is an asymmetric encryption algorithm.
  • SM3 algorithm refers to the cryptographic hash function standard, which is a hash algorithm.
  • SM4 algorithm refers to the block cipher standard, which is a domestic symmetric encryption algorithm.
  • the first solution is to encrypt or decrypt the file through the built-in random password of the device; the second solution is to directly encrypt or decrypt the file through the user password.
  • the above-mentioned first scheme cannot allow the user password to participate in the encryption process.
  • the organization that provides encryption or decryption has the ability to decrypt the text, so the security is low.
  • the above-mentioned second solution lets the user password participate directly in the file encryption process. If the implementation needs to store the user's independent password, its security also depends on the password storage solution. If the user password is not stored and the file is encrypted on the client before being uploaded, the approach can be relatively safe to a certain extent, because the file storage organization cannot abuse its custodial access ("guard and steal"). However, usability suffers: if the user password is lost, the encrypted content cannot be recovered, and functions such as independent password modification cannot be provided.
  • a third-party trusted certificate authority (without commercial conflict of interest) is introduced as a TEE certificate service provider.
  • In the mobile terminal scenario, the scheme supports device replacement while using the TEE feature, and is compatible with the scenario in which the mobile terminal (equivalent to the third device, which can also be called the terminal device) and the non-mobile terminal (equivalent to the second device, which can also be called the authentication device) share a key.
  • SM3(X) use SM3 to calculate the hash value of X
  • the SM2 algorithm uses the public key (PUK) to encrypt S;
  • the SM2 algorithm uses the private key (PRK) to decrypt D.
  • the data processing method provided by the embodiment of the present application may include, but not limited to, a registration process, a password verification process, an encryption process, a decryption process, a password modification process, and a mobile device replacement process.
  • When a user registers on the first device to use the file hosting service system (hereinafter referred to as the system), the user's independent password P0 (equivalent to the first user password) and the user's mobile phone number for OTP authentication must be set.
  • S1 Equivalent to the first user password factor
  • the system passes the user's independent password P0 through the salted hash algorithm (SM3 algorithm) and truncates the result to its first 128 bits to generate the system password P1.
  • The SM4 algorithm is used with P1 to encrypt S1 into the ciphertext D1 (equivalent to the first encrypted data).
  • P1 can be obtained by the above formula (2)
  • D1 can be obtained by the above formula (5).
  • the system generates a public-private key pair <PUK0, PRK0> (PUK0 is the public key of the system, and PRK0 is the private key of the system; equivalent to the second public key and the second private key) and sends the user information (including the mobile phone number and PUK0) to a third-party certificate authority (equivalent to the second device or authentication device) for registration. The third-party certificate authority handles the registration and generates a user-level public-private key pair <PUK1, PRK1> (PUK1 is the public key of the third-party certificate authority, and PRK1 is the private key of the third-party certificate authority; equivalent to the first public key and the first private key).
  • the third-party certificate authority issues PUK1 to the system, and the system uses the SM2 algorithm to encrypt S1 through PUK1 to obtain ciphertext D2 (equivalent to the fourth encrypted data).
  • the third-party certificate authority injects PRK1 and PUK0 into the user TEE; for non-TEE scenarios, no injection is required.
  • D2 is equivalent to the backup of user factor S1 in this system, but the password used for decryption is stored in the third-party certificate authority and TEE environment, so as to ensure that the system cannot directly decrypt D2 to restore the password factor S1.
  • the user's independent password P0 is not recorded in the whole process and will be destroyed when it is used up.
  • use SM4 to encrypt the user ID through P1 to obtain ciphertext D3 (equivalent to user identification data), and store D1, D2, D3, PRK0, and PUK1.
  • D2 can be obtained by formula (8)
  • D3 can be obtained by formula (9).
  • D2 represents the obtained ciphertext
  • SM2ENCRYPT represents the SM2 encryption algorithm
  • S1 represents the user-level random password factor
  • PUK1 represents the public key of the third-party certificate authority.
  • D3 represents the obtained ciphertext
  • SM4ENCRYPT represents the SM4 encryption algorithm
  • ID represents the user identification
  • P1 represents the system password.
  • the verification password process may include:
  • All subsequent encryption or decryption related methods require the user to pass in an independent password P0 (this operation can be completed by other front-end systems, and the user only needs to enter it once and cache it to the server).
  • the system obtains P1 through P0, decrypts (SM4) D3 to the plaintext string S according to P1, and checks whether S is equal to the user ID. If they are equal, the verification is considered successful, and if they are not equal, the verification fails.
  • P1 can be obtained by formula (2)
  • ID' can be obtained by formula (10).
  • ID' represents the predicted user ID
  • SM4DECRYPT represents the SM4 decryption algorithm
  • D3 represents the ciphertext
  • SALT0 represents the salt value
  • P1 represents the system password.
  • the encryption process can include:
  • the user uploads the file to be encrypted F0 (equivalent to the target object) and the user's independent password P0.
  • On the premise that the user's password is correct, the system generates a file-level password factor S2 (equivalent to the object password factor) and the corresponding file password P2 (equivalent to the second password).
  • the system derives P1 from P0, uses P1 to decrypt D1 and restore the user factor S1, and assembles a new character string S3 from S1+S2. It applies the salted hash algorithm (SM3 algorithm) to S3 and truncates the result to its first 128 bits to obtain the password P3 (equivalent to the first password), then uses the SM4 algorithm with P3 to encrypt F0 (equivalent to the first target object) and obtain the encrypted file F1. It hashes the password P2 with the SM3 algorithm and takes the first 128 bits to obtain the password P4, uses SM4 with P4 to encrypt S2 and obtain the ciphertext D4 (equivalent to the second encrypted data), and this system records F1, P2 and D4.
  • P1 can be obtained by formula (2)
  • S1 can be obtained by formula (3)
  • S3 can be obtained by formula (11)
  • P3 can be obtained by formula (12)
  • F1 can be obtained by formula (13)
  • P4 can be obtained by formula (14)
  • D4 can be obtained by formula (15).
  • S3 represents a new character string
  • SALT1 represents a salt value
  • S1 represents a user-level random password factor
  • S2 represents a file-level password factor.
  • P3 represents the obtained password
  • GENPSW represents the random password generation algorithm
  • SM3 represents the salted hash algorithm
  • S3 represents the new character string.
  • F1 represents the encrypted file
  • SM4ENCRYPT represents the SM4 encryption algorithm
  • F0 represents the file to be encrypted
  • P3 represents the encrypted password.
  • P4 represents the obtained password
  • GENPSW represents the random password generation algorithm
  • SM3 represents the salted hash algorithm
  • SALT2 represents the salt value
  • P2 represents the file password.
  • D4 represents the obtained file
  • SM4ENCRYPT represents the SM4 encryption algorithm
  • S2 represents the password factor at the file level
  • P4 represents the encryption password.
  • the decryption process can include:
  • the user specifies the file ID to be obtained and the independent password P0.
  • the system recovers P1 from P0, and uses P1 to decrypt D1 to recover the user factor S1.
  • the system restores the password P4 through the password P2, and decrypts D2 through P4 to obtain the factor S2.
  • the system assembles the password P3 through S1 and S2 in the same way as the encryption process. Use P3 to decrypt the encrypted file F1 (equivalent to the second target object) and restore the original file F0 for use by the user.
  • P1 can be obtained by formula (2)
  • S1 can be obtained by formula (3)
  • P4 can be obtained by formula (14)
  • S2 can be obtained by formula (16)
  • S3 can be obtained by formula (11)
  • P3 can be obtained by formula (12)
  • F0 can be obtained by formula (17).
  • S2 represents the password factor at the file level
  • SM4DECRYPT represents the SM4 decryption algorithm
  • D4 represents the encrypted ciphertext of S2
  • P4 represents the encrypted password.
  • F0 represents the original file after decryption
  • SM4DECRYPT represents the SM4 decryption algorithm
  • F1 represents the encrypted ciphertext of F0
  • P3 represents the decryption password.
  • the password change process can include:
  • OTP SMS verification is required. After the verification succeeds, the system gets the new password P0' input by the user and sends D2 to the third-party trusted certificate authority.
  • the third-party trusted certificate authority uses PRK1 to decrypt D2 to obtain S1, encrypts S1 with PUK0, and sends the encrypted S1 back to the system (to ensure the security of the transmission process).
  • In the scenario initiated from the mobile TEE, no OTP verification is performed: PRK1 in the TEE is used to decrypt D2 to get S1, and S1 is encrypted with PUK0 and sent back to the system.
  • the system receives the returned file, uses PRK0 to decrypt it to get S1, generates P1' in the same way as in the registration process, uses P1' to encrypt S1 to get a new ciphertext D1', and replaces D1 with D1'.
  • the new password P0' (equivalent to the second user password) can then be used for encryption and decryption. Because the user password participates in the encryption process only indirectly, password replacement is supported while usability is preserved, and password replacement does not require re-encrypting or decrypting the stored files (F1), which greatly reduces the performance overhead compared with the traditional solution.
  • S1 can be obtained by formula (18)
  • S1_ENCRYPTED can be obtained by formula (19)
  • S1 can be obtained by formula (20)
  • P1' can be obtained by formula (21).
  • S1 represents the user-level random password factor
  • SM2DECRYPT represents the SM2 decryption algorithm
  • D2 represents the encrypted ciphertext of S1
  • PRK1 represents the private key of the third-party trusted certificate authority.
  • S1_ENCRYPTED = SM2ENCRYPT(S1, PUK0) formula (19);
  • S1_ENCRYPTED represents the obtained ciphertext
  • SM2ENCRYPT represents the SM2 encryption algorithm
  • S1 represents the user-level random password factor
  • PUK0 represents the public key of the system.
  • D1' can be obtained by formula (22).
  • S1 = SM2DECRYPT(S1_ENCRYPTED, PRK0) formula (20);
  • S1 represents the user-level random password factor
  • SM2DECRYPT represents the SM2 decryption algorithm
  • S1_ENCRYPTED represents the encrypted ciphertext of S1
  • PRK0 represents the private key of the system.
  • P1' represents the updated system password
  • GENPSW represents the random password generation algorithm
  • SM3 represents the salted hash algorithm
  • SALT0 represents the salt value
  • P0' represents the modified user password.
  • D1' represents the obtained ciphertext
  • SM4ENCRYPT represents the SM4 encryption algorithm
  • S1 represents the user-level random password factor
  • P1' represents the updated system password.
  • the mobile device replacement process can include:
  • the third-party trusted certificate authority is notified to re-inject PRK1 and PUK0 into the TEE of the trusted mobile device.
  • this system provides an open (Open) API method through the use of third-party applications distributed by this system and the dynamic password refresh mechanism for authentication.
  • the scenario used by the mobile terminal also relies on an intermediate service to access this system using the same mechanism.
  • the original device needs to be invalidated, and the registration process is then run again to generate a new public-private key pair <PUK1', PRK1'>, update D2 in this system to D2', and inject the new PRK1' and PUK0 into the new device.
  • the salt value of the salted hash is maintained in this system and cannot be directly restored externally.
  • the salt value can be the same or different in different processes.
  • the data processing device 80 includes: a predicting unit 801, an obtaining unit 802 (also referred to as the first obtaining unit 802 for ease of distinction), a decrypting unit 803, a generating unit 804 and a processing unit 805, wherein:
  • the prediction unit 801 is configured to decrypt the user identification data based on the received first user password to obtain a predicted user identification
  • An obtaining unit 802 configured to obtain an actual user identifier associated with the first user password
  • the decryption unit 803 is configured to determine that the verification of the first user password is successful if the predicted user ID is the same as the actual user ID, and decrypt the first encrypted data based on the first user password to obtain the first user password factor, the first encrypted data includes an encrypted first user password factor;
  • a generating unit 804 configured to generate a first password based at least on the first user password factor
  • the processing unit 805 is configured to encrypt or decrypt the target object by using the first password.
  • the decryption unit 803 is further configured to:
  • the system password is a system-specific password corresponding to the first user password; decrypt the first encrypted data by using the system password to obtain the first user password factor.
  • the data processing device 80 further includes a second obtaining unit.
  • an obtaining unit configured to obtain an object encryption factor for the target object
  • the generating unit 804 is configured to generate the first password based on the first user password factor and the object password factor.
  • the obtaining unit is further configured to: decrypt the second encrypted data based on the second password to obtain the object encryption factor, and the second encrypted data includes the encrypted object encryption factor.
  • generating unit 804 is further configured to:
  • the data processing device 80 further includes a password modification unit.
  • the password modification unit is configured as:
  • the data processing device 80 also includes a communication unit.
  • Communication unit configured as:
  • the password modification unit is also configured to:
  • each unit included in the data processing device can be realized by a processor in an electronic device or, of course, by a specific logic circuit. In implementation, the processor can be a central processing unit (CPU, Central Processing Unit), a microprocessor (MPU, Micro Processor Unit), a digital signal processor (DSP, Digital Signal Processor), a field programmable gate array (FPGA, Field-Programmable Gate Array), etc.
  • if the above-mentioned data processing method is implemented in the form of a software function module and sold or used as an independent product, it can also be stored in a computer-readable storage medium.
  • the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: various media that can store program codes such as U disk, mobile hard disk, read-only memory (Read Only Memory, ROM), magnetic disk or optical disk.
  • embodiments of the present application are not limited to any specific combination of hardware and software.
  • an embodiment of the present application provides an electronic device, including a memory and a processor, the memory stores a computer program that can run on the processor, and the processor implements the above implementation when executing the program The steps in the data processing method provided in the example.
  • the electronic device 90 may be the above-mentioned first device. As shown in FIG. 9 , the electronic device 90 includes: a processor 901 , at least one communication bus 902 , a user interface 903 , at least one external communication interface 904 and a memory 905 . Wherein, the communication bus 902 is configured to realize connection and communication among these components. Wherein, the user interface 903 may include a display screen, and the external communication interface 904 may include a standard wired interface and a wireless interface.
  • the memory 905 is configured to store instructions and applications executable by the processor 901, and can also cache data to be processed or already processed by the processor 901 and the various modules in the electronic device (for example, image data, audio data, voice communication data and video communication data); it can be realized by flash memory (FLASH) or random access memory (Random Access Memory, RAM).
  • the embodiments of the present application provide a storage medium, that is, a computer-readable storage medium, on which a computer program is stored.
  • the disclosed devices and methods may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division.
  • the coupling, direct coupling, or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be electrical, mechanical or in other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units; they may be located in one place or distributed to multiple network units; Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, or each unit can be used as a single unit, or two or more units can be integrated into one unit; the above-mentioned integrated unit can be realized in the form of hardware or in the form of hardware plus software functional units.
  • if the above-mentioned integrated units of the present application are realized in the form of software function modules and sold or used as independent products, they can also be stored in a computer-readable storage medium.
  • the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes various media capable of storing program codes such as removable storage devices, ROMs, magnetic disks or optical disks.
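The key hierarchy from the registration, password verification, encryption, decryption and password modification processes above, as an added example (not code from the patent or its applicant). Assumptions: SHA-256 stands in for SM3 and an HMAC-SHA256 keystream stands in for SM4 so that it runs on the Python standard library alone; the SM2 escrow round trip through the certificate authority is replaced by passing S1 in directly; salts, IDs, passwords and function names are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed salts; the page says the salt values are kept inside the system.
SALT0, SALT1, SALT2 = b"demo-salt-0", b"demo-salt-1", b"demo-salt-2"


def genpsw(*parts: bytes) -> bytes:
    """GENPSW(H(...)): hash the concatenated parts and keep the first 128 bits.
    SHA-256 stands in for SM3. This mirrors the single salted hash pass the
    page describes; it is not a slow password KDF."""
    return hashlib.sha256(b"".join(parts)).digest()[:16]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        msg = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for SM4ENCRYPT: XOR with an HMAC-SHA256 counter keystream."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Stand-in for SM4DECRYPT; a wrong key yields garbage, not an error."""
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def register(user_id: str, p0: str):
    """Registration: create S1, wrap it under P1 (D1), wrap the ID under P1 (D3).
    The second return value stands in for the escrowed copy D2 of S1."""
    s1 = secrets.token_bytes(16)
    p1 = genpsw(p0.encode(), SALT0)
    record = {"id": user_id, "D1": encrypt(p1, s1),
              "D3": encrypt(p1, user_id.encode())}
    return record, s1


def unlock(record: dict, p0: str) -> Optional[bytes]:
    """Password check: decrypt D3, compare with the stored ID, then unwrap S1."""
    p1 = genpsw(p0.encode(), SALT0)
    predicted_id = decrypt(p1, record["D3"])
    if not hmac.compare_digest(predicted_id, record["id"].encode()):
        return None
    return decrypt(p1, record["D1"])


def encrypt_file(record: dict, p0: str, f0: bytes) -> dict:
    s1 = unlock(record, p0)
    if s1 is None:
        raise PermissionError("password verification failed")
    s2 = secrets.token_bytes(16)          # file-level factor S2
    p2 = secrets.token_bytes(16)          # file password P2, recorded by the system
    d4 = encrypt(genpsw(p2, SALT2), s2)   # S2 wrapped under P4
    p3 = genpsw(s1, s2, SALT1)            # P3 from S3 = S1 + S2 and SALT1
    return {"F1": encrypt(p3, f0), "P2": p2, "D4": d4}


def decrypt_file(record: dict, p0: str, stored: dict) -> bytes:
    s1 = unlock(record, p0)
    if s1 is None:
        raise PermissionError("password verification failed")
    s2 = decrypt(genpsw(stored["P2"], SALT2), stored["D4"])
    return decrypt(genpsw(s1, s2, SALT1), stored["F1"])


def change_password(record: dict, s1_from_escrow: bytes, new_p0: str) -> None:
    """Re-wrap S1 under P1'. The page only mentions replacing D1; D3 is also
    encrypted under P1, so this example re-wraps it too (assumption)."""
    p1_new = genpsw(new_p0.encode(), SALT0)
    record["D1"] = encrypt(p1_new, s1_from_escrow)
    record["D3"] = encrypt(p1_new, record["id"].encode())


def demo() -> dict:
    record, escrow_s1 = register("user-1001", "old-pass")   # constructed values
    stored = encrypt_file(record, "old-pass", b"constructed sample file")
    f1_before = bytes(stored["F1"])
    change_password(record, escrow_s1, "new-pass")
    return {
        "old_rejected": unlock(record, "old-pass") is None,
        "plaintext": decrypt_file(record, "new-pass", stored),
        "file_untouched": stored["F1"] == f1_before,
    }
```

`demo()` exercises the property claimed for password replacement: only the wrapped copies of S1 and the ID change, and F1 is decrypted with the new password without ever being re-encrypted.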

Abstract

A data processing method and apparatus, and a device and a storage medium, wherein the method is applied to a first device. The method comprises: decrypting user identifier data on the basis of a received first user password, so as to obtain a predicted user identifier; obtaining an actual user identifier associated with the first user password; if the predicted user identifier is the same as the actual user identifier, determining that the first user password is successfully checked, and decrypting first encrypted data on the basis of the first user password, so as to obtain a first user password factor, wherein the first encrypted data comprises the encrypted first user password factor; generating a first password at least on the basis of the first user password factor; and encrypting or decrypting a target object by means of the first password. Not only can a user participate in an encryption or decryption process, but a relatively high level of security can also be provided.

Description

Data processing method, apparatus, device and storage medium
Cross-Reference to Related Applications
This application is based on, and claims priority to, Chinese patent application No. 202111163126.7, filed on September 30, 2021, the entire content of which is incorporated herein by reference.
Technical Field
This application relates to the technical field of data processing, and relates to, but is not limited to, a data processing method, apparatus, device and storage medium.
Background
With the continuous development of storage technology, improving storage security has become particularly important. At present, storage security is mainly improved through encrypted storage.
Encrypted storage involves an encryption process and a decryption process. For these, the first scheme encrypts and decrypts text with a random password built into the device; the second scheme encrypts and decrypts text with the user password. With the first scheme, on the one hand the user cannot participate in the encryption and decryption process; on the other hand the organization that provides encryption and decryption is able to decrypt the text, so security is low. With the second scheme, although the user can participate in the encryption and decryption process, encrypting and decrypting text with the user password offers relatively low security.
Summary
This application provides a data processing method and apparatus, a device and a storage medium. The scheme allows the user to participate in the encryption or decryption process and also offers a relatively high level of security.
The technical solution of this application is implemented as follows:
This application provides a data processing method applied to a first device, the method including:
decrypting user identification data based on a received first user password to obtain a predicted user identifier;
obtaining an actual user identifier associated with the first user password;
if the predicted user identifier is the same as the actual user identifier, determining that the first user password is successfully verified, and decrypting first encrypted data based on the first user password to obtain a first user password factor, the first encrypted data including the encrypted first user password factor;
generating a first password based at least on the first user password factor;
encrypting or decrypting a target object with the first password.
This application provides a data processing apparatus deployed on a first device, the apparatus including:
a prediction unit configured to decrypt user identification data based on a received first user password to obtain a predicted user identifier;
an obtaining unit configured to obtain an actual user identifier associated with the first user password;
a decryption unit configured to, if the predicted user identifier is the same as the actual user identifier, determine that the first user password is successfully verified, and decrypt first encrypted data based on the first user password to obtain a first user password factor, the first encrypted data including the encrypted first user password factor;
a generating unit configured to generate a first password based at least on the first user password factor;
a processing unit configured to encrypt or decrypt a target object with the first password.
This application also provides an electronic device including a memory and a processor, the memory storing a computer program that can run on the processor, and the processor implementing the above data processing method when executing the program.
This application also provides a storage medium on which a computer program is stored, the computer program implementing the above data processing method when executed by a processor.
The data processing method, apparatus, device and storage medium provided in this application include: decrypting user identification data based on a received first user password to obtain a predicted user identifier; obtaining an actual user identifier associated with the first user password; if the predicted user identifier is the same as the actual user identifier, determining that the first user password is successfully verified, and decrypting first encrypted data based on the first user password to obtain a first user password factor, the first encrypted data including the encrypted first user password factor; generating a first password based at least on the first user password factor; and encrypting or decrypting a target object with the first password. In this way, first, the first password is obtained based on the user password, which ensures that the user participates in the encryption or decryption process. Second, the scheme does not encrypt or decrypt the target object with the first user password itself; instead, the first password is determined from the user password factor obtained based on the first user password, and the target object is encrypted or decrypted with the first password, which makes the first password harder to crack and further improves security. Third, verification is based on comparing the predicted user identifier with the actual user identifier rather than directly on the password, so the scheme does not need to store the user password, which reduces the channels through which the user password can leak and further improves security.
Description of Drawings
FIG. 1 is an optional schematic structural diagram of a data processing system provided in an embodiment of this application;
FIG. 2 is an optional schematic structural diagram of a data processing system provided in an embodiment of this application;
FIG. 3 is an optional schematic flowchart of a data processing method provided in an embodiment of this application;
FIG. 4 is an optional schematic flowchart of a data processing method provided in an embodiment of this application;
FIG. 5 is an optional schematic flowchart of a data processing method provided in an embodiment of this application;
FIG. 6 is an optional schematic flowchart of a data processing method provided in an embodiment of this application;
FIG. 7 is an optional schematic flowchart of a data processing method provided in an embodiment of this application;
FIG. 8 is an optional schematic structural diagram of a data processing apparatus provided in an embodiment of this application;
FIG. 9 is an optional schematic structural diagram of an electronic device provided in an embodiment of this application.
Detailed Description
To make the purpose, technical solutions and advantages of the embodiments of this application clearer, the specific technical solutions of the application are described in further detail below with reference to the drawings in the embodiments of this application. The following embodiments illustrate this application and do not limit its scope.
The following description refers to "some embodiments", which describe a subset of all possible embodiments. It is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other where there is no conflict.
In the following description, the terms "first\second\third" only distinguish different objects; they do not represent a specific ordering of the objects and impose no limitation on sequence. It is understood that, where permitted, "first\second\third" may be interchanged in a specific order or sequence, so that the embodiments of this application described here can be implemented in an order other than that illustrated or described here.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field to which this application belongs. The terms used herein are only for the purpose of describing the embodiments of this application and are not intended to limit this application.
For ease of understanding, some technical terms in this application are explained.
An object may refer to data of various types, for example text data, video data, audio data or picture data.
The target object is the object to be encrypted or decrypted in this application.
Embodiments of this application may provide a data processing method and apparatus, a device and a storage medium. In practical applications, the data processing method may be implemented by a data processing apparatus, and each functional entity in the data processing apparatus may be implemented cooperatively by the hardware resources of an electronic device (such as the first device), for example computing resources such as a processor, and communication resources (for example, those supporting communication by optical cable, cellular and other means).
The data processing method provided in the embodiments of this application is applied to a data processing system that includes a first device. The first device decrypts user identification data based on a received first user password to obtain a predicted user identifier; obtains an actual user identifier associated with the first user password; if the predicted user identifier is the same as the actual user identifier, determines that the first user password is successfully verified, and decrypts first encrypted data based on the first user password to obtain a first user password factor, the first encrypted data including the encrypted first user password factor; generates a first password based at least on the first user password factor; and encrypts or decrypts a target object with the first password.
In an example, the data processing system may further include a second device and/or a third device. The second device can communicate with the first device; for example, the second device can back up the first user password factor. The third device can communicate with the first device; for example, the third device can receive the first user password and forward the received first user password to the first device.
As an example, the structure of the data processing system 10 may be as shown in FIG. 1, including a first device 101 and a third device 102; the first device 101 and the third device 102 can communicate with each other.
The first device 101 may communicate with the third device 102 directly, or the first device 101 may communicate with the third device 102 through an application server. For example, the data processing system 10 may also include an application server 103. A target service (for example, a managed storage service) runs on the third device 102; the third device 102 communicates with the server 103 through an application programming interface (API) provided by the target service, and the server 103 communicates with the first device 101.
The first device 101 is used to receive various data sent by the third device 102, and to process and store the received data. In the embodiments of this application, the first device 101 may be used to receive an object sent by the third device 102 and store the object after encrypting it, or to decrypt an encrypted object and send it to the third device 102. The first device 101 may be a fixed storage device such as a memory, a hard disk or a floppy disk; or a removable storage device such as a portable hard disk; or a cloud storage device.
The third device 102 is used to send objects to the first device 101, or to receive objects sent by the first device. The third device 102 may include a mobile terminal device (such as a mobile phone or a tablet computer) or a non-mobile terminal device (such as a desktop computer).
As another example, the structure of the data processing system 10 may be as shown in FIG. 2, including a first device 101, a third device 102 and a second device 104. The second device 104 can communicate with the first device 101 and the third device 102.
The second device 104, which may also be called a third-party trusted certificate service organization device, is used to receive and store data sent by the first device 101 or the third device 102 (for example, it may store the encrypted second user password factor), and to send the data, after processing, to the first device 101 or the third device 102.
Below, with reference to the schematic diagram of the data processing system shown in FIG. 1 or FIG. 2, the embodiments of the data processing method and apparatus, device and storage medium provided by the embodiments of this application are described.
In a first aspect, an embodiment of this application provides a data processing method applied to a data processing apparatus, where the data processing apparatus may be deployed on the first device 101 in FIG. 1 or FIG. 2. The data processing process provided by the embodiment of this application is described below.
FIG. 3 shows a schematic flowchart of an optional data processing method. The data processing method provided by the embodiment of this application is used to encrypt or decrypt objects; the processing is similar for each object, so the process is described in detail taking the target object as an example. The data processing method may include, but is not limited to, S301 to S305 shown in FIG. 3.
S301. The first device decrypts user identification data based on the received first user password to obtain a predicted user identifier.
Specifically, the first device receives the first user password and decrypts the user identification data based on the first user password to obtain the predicted user identifier.
As for the first device receiving the first user password, in one possible implementation the first device receives a first operation of the user and, based on the first operation, receives the first user password entered by the user.
In another possible implementation, the third device receives the first operation of the user and, based on the first operation, receives the first user password entered by the user; the third device sends the received first user password to the first device, and the first device receives the first user password sent by the third device.
As for the first device decrypting the user identification data based on the first user password to obtain the predicted user identifier, this may be implemented as follows: the first device invokes a first decryption algorithm and decrypts the user identification data with the first user password, or with a system password obtained based on the first user password, to obtain the predicted user identifier.
Here, the system password is a system-specific password corresponding to the first user password.
Optionally, before decrypting to obtain the predicted user identifier, the first device may also obtain the user identification data based on the first user.
The embodiments of this application do not restrict when the user identification data is obtained; this can be configured as required.
For the first user, the first device creates a user identifier (identity document, ID) of the first user, invokes a first encryption algorithm, and encrypts the user identifier of the first user with the first user password, or with the system password obtained based on the first user password, to obtain the user identification data.
The user identifier of the first user uniquely points to the first user. The embodiments of this application do not limit the form of the first user identifier, which can be configured according to actual needs. For example, the first user identifier may be a combination of digits, a combination of letters, a combination of digits and letters, and so on.
The embodiments of this application do not specifically limit the algorithm for creating the user identifier of the first user. For example, the algorithm may include a random algorithm, a hash algorithm, and so on.
It should be noted that the encryption password of the first encryption algorithm and the decryption password of the first decryption algorithm should be the same. For example, when the decryption password of the first decryption algorithm is the first user password, the encryption password of the first encryption algorithm is also the first user password; when the decryption password of the first decryption algorithm is the system password, the encryption password of the first encryption algorithm is also that system password.
S302. The first device obtains the actual user identifier associated with the first user password.
Based on the entered first user password, the first device regenerates a user identifier using the same method by which the first device obtained the user identification data based on the first user, and uses it as the actual user identifier associated with the first user password.
S303. If the predicted user identifier is the same as the actual user identifier, it is determined that the first user password is successfully verified, and the first device decrypts the first encrypted data based on the first user password to obtain the first user password factor.
Here, the first encrypted data includes the encrypted first user password factor.
The first encrypted data may be the data obtained by encrypting the first user password factor, or it may be the data obtained by packaging the first user password factor into a file (such as a folder or a compressed file) and encrypting that file.
The first user password factor is used to obtain the password for encrypting or decrypting the target object. The embodiments of this application do not limit the form of the first user password factor, which can be configured according to actual needs.
For example, the first user password factor may be a set of random digits, or a random combination of digits and letters, and so on.
S303 may be implemented as follows: the first device determines whether the predicted user identifier is the same as the actual user identifier. If they are the same, it determines that the first user password is successfully verified, invokes a second decryption algorithm, obtains a decryption password based on the first user password, and decrypts the first encrypted data with that decryption password to obtain the first user password factor. If they are not the same, it determines that verification of the first user password has failed, and the process ends.
The embodiments of this application do not restrict the type of the second decryption algorithm, which can be configured according to actual requirements.
In one possible implementation, the second decryption algorithm may include the block cipher algorithm of the wireless LAN standard (the SM4 decryption algorithm). For example, the second decryption algorithm may include the SM4DECRYPT(D, P) algorithm, where D denotes the object to be decrypted and P denotes the decryption password. It is understood that D includes the first encrypted data, and P includes the first user password or a system password generated based on the first user password.
In another possible implementation, the second decryption algorithm may include an asymmetric encryption algorithm (the SM2 algorithm).
Optionally, before S303 is performed, the data processing method provided in the embodiment of this application may further include a registration process.
The registration process of the first user may include: the first device receives the first user password, creates the first user for the first user password, creates the first user password factor for the first user, and encrypts the first user password factor based on the first user password to obtain the first encrypted data.
The embodiments of this application do not restrict the algorithm for creating the first user password factor. For example, the algorithm may include a random algorithm, a hash algorithm, and so on.
The embodiments of this application likewise do not restrict the second encryption algorithm used to encrypt the first user password factor.
In one possible implementation, the second encryption algorithm may include the block cipher algorithm of the wireless LAN standard (the SM4 encryption algorithm). For example, the second encryption algorithm may include the SM4ENCRYPT(S, P) algorithm.
In another possible implementation, the second encryption algorithm may include the Advanced Encryption Standard (AES) algorithm.
It should be noted that the second encryption algorithm should correspond to the second decryption algorithm. For example, when the second decryption algorithm is the SM4DECRYPT(D, P) algorithm, the corresponding second encryption algorithm in the registration process is the SM4ENCRYPT(S, P) algorithm, where S denotes the object to be encrypted and P denotes the encryption password. It is understood that S includes the first user password factor, and P includes the first user password or a system password generated based on the first user password.
It should be noted that the encryption password of the second encryption algorithm should be the same as the decryption password of the second decryption algorithm.
For example, when the decryption password of the second decryption algorithm is the first user password, the encryption password of the second encryption algorithm is also the first user password; when the decryption password of the second decryption algorithm is the system password, the encryption password of the second encryption algorithm is also that system password.
It should be noted that during registration the received first user password is not stored; in other words, the first user password is destroyed immediately after use. This reduces the probability of the first user password leaking and improves security.
S304. The first device generates the first password based at least on the first user password factor.
In one possible implementation, the first device uses a first password generation algorithm to generate the first password from the first user password factor.
In another possible implementation, the first device uses the first password generation algorithm to generate the first password from the first user password factor and an object password factor for the target object.
The embodiments of this application do not limit the type of the first password generation algorithm, which can be configured according to actual requirements.
In an example, the first password generation algorithm may include a hash algorithm, the Message Digest algorithm 5 (MD5), or a Secure Hash Algorithm (SHA).
In another example, the first password generation algorithm may include a hash algorithm and a random password generation algorithm (such as the GENPSW algorithm), or the MD5 algorithm and a random password generation algorithm, or an SHA algorithm and a random password generation algorithm.
S305. The first device encrypts or decrypts the target object with the first password.
The target object may be a target object to be encrypted or a target object to be decrypted; the target object to be encrypted may also be called the first target object, and the target object to be decrypted may also be called the second target object.
In one possible implementation, S305 may be implemented as follows: the first device invokes a third encryption algorithm and encrypts the first target object with the first password.
In another possible implementation, S305 may be implemented as follows: the first device invokes a third decryption algorithm and decrypts the second target object with the first password.
The embodiments of this application do not limit the types of the third encryption algorithm and the third decryption algorithm, which can be configured according to actual needs. For example, the third encryption algorithm may include the SM4 encryption algorithm or the SM2 encryption algorithm; the third decryption algorithm may include the SM4 decryption algorithm or the SM2 decryption algorithm.
It should be noted that the third decryption algorithm should correspond to the second encryption algorithm. For example, when the third encryption algorithm is the SM4ENCRYPT algorithm, the third decryption algorithm is SM4DECRYPT.
The data processing scheme provided by the embodiment of this application includes: decrypting user identification data based on the received first user password to obtain a predicted user identifier; obtaining an actual user identifier associated with the first user password; if the predicted user identifier is the same as the actual user identifier, determining that the first user password is successfully verified, and decrypting first encrypted data based on the first user password to obtain a first user password factor, the first encrypted data including the encrypted first user password factor; generating a first password based at least on the first user password factor; and encrypting or decrypting a target object with the first password. In this way, first, the first password is obtained based on the user password, which ensures that the user participates in the encryption or decryption process. Second, the scheme does not encrypt or decrypt the target object with the first user password itself; instead, the first password is determined from the user password factor obtained based on the first user password, and the target object is encrypted or decrypted with the first password, which makes the first password harder to crack and further improves security. Third, verification is based on comparing the predicted user identifier with the actual user identifier rather than directly on the password, so the scheme does not need to store the user password, which reduces the channels through which the user password can leak and further improves security.
需要说明的是,本申请实施例提供的数据处理过程可以对第一用户密码不做存储,即对于数据处理的每个阶段(加密或者解密等)均需要用户输入第一用户密码,第一设备接收第一用户密码,并基于第一用户密码进行加密或者解密等操作。这样,可以避免存储第一用户密码的过程中,第一用户密码被盗或者存储第一用户密码的设备违规解密文件的可能性,从而进一步提高了数据的安全性。It should be noted that the data processing process provided by the embodiment of the present application may not store the first user password, that is, each stage of data processing (encryption or decryption, etc.) requires the user to input the first user password, and the first device The first user password is received, and operations such as encryption or decryption are performed based on the first user password. In this way, the possibility of the first user password being stolen or the device storing the first user password illegally decrypting the file during the process of storing the first user password can be avoided, thereby further improving data security.
Next, the process in S303 in which the first device decrypts the first encrypted data based on the first user password to obtain the first user password factor is described. The process includes but is not limited to Implementation A or Implementation B below.
Implementation A: the first encrypted data is decrypted with the first user password.
Implementation B: the first encrypted data is decrypted with a system password generated from the first user password.
Here, the system password is the system-side password corresponding to the first user password.
Implementation A may include: the first device invokes the second decryption algorithm and decrypts the first encrypted data with the first user password to obtain the first user password factor.
For example, the first user password factor S1 can be obtained by formula (1) below.
S1 = SM4DECRYPT(D1, P0)    Formula (1);
where S1 denotes the first user password factor, D1 denotes the first encrypted data, SM4DECRYPT denotes the SM4 decryption algorithm (the first decryption algorithm), and P0 denotes the first user password.
Implementation B may include but is not limited to S3021 and S3022 below.
S3021. The first device generates, based on the first user password, a system password corresponding to the first user password.
The first device uses the second password generation algorithm to generate the system password corresponding to the first user password from the first user password.
The embodiments of the present application do not limit the type of the second password generation algorithm, which can be configured according to actual needs. The second password generation algorithm may be the same as or different from the first password generation algorithm.
For example, the system password P1 can be obtained by formula (2) below.
P1 = GEMPSW(SM3(SALT0+P0))    Formula (2);
where P1 denotes the system password, GEMPSW denotes the random password generation algorithm, SM3 denotes the salted hash algorithm, SALT0 denotes the salt value, P0 denotes the first user password, and GEMPSW and SM3 together constitute the second password generation algorithm.
S3022. The first device decrypts the first encrypted data with the system password to obtain the first user password factor.
The first device invokes the second decryption algorithm and decrypts the first encrypted data with the system password to obtain the first user password factor.
For example, the first user password factor can be obtained by formula (3) below.
S1 = SM4DECRYPT(D1, P1)    Formula (3);
where S1 denotes the first user password factor, SM4DECRYPT denotes the SM4 decryption algorithm, D1 denotes the first encrypted data, and P1 denotes the system password.
Optionally, the process by which the first device obtains the first encrypted data may include but is not limited to Implementation A1 or Implementation B1 below.
Implementation A1 corresponds to Implementation A: the first encrypted data is obtained by encrypting with the first user password.
Implementation B1 corresponds to Implementation B: the first encrypted data is obtained by encrypting with the system password generated from the first user password.
Implementation A1 may include: the first device invokes the second encryption algorithm and encrypts the first user password factor with the first user password to obtain the first encrypted data.
For example, the first encrypted data can be obtained by formula (4) below.
D1 = SM4ENCRYPT(S1, P0)    Formula (4);
where D1 denotes the first encrypted data, SM4ENCRYPT denotes the SM4 encryption algorithm (the second encryption algorithm), S1 denotes the first user password factor, and P0 denotes the first user password.
Implementation B1 may include: the first device uses the second password generation algorithm to generate the system password corresponding to the first user password from the first user password; the first device then invokes the second encryption algorithm and encrypts the first user password factor with the system password to obtain the first encrypted data.
For example, the system password P1 can be obtained by formula (2) below, and the first encrypted data D1 can be obtained by formula (5) below.
P1 = GEMPSW(SM3(SALT0+P0))    Formula (2)
D1 = SM4ENCRYPT(S1, P1)    Formula (5);
where D1 denotes the first encrypted data, SM4ENCRYPT denotes the SM4 encryption algorithm, S1 denotes the first user password factor, and P1 denotes the system password corresponding to the first user password.
In Implementation B1, the first user password factor is not encrypted with the first user password but with the system password generated from the first user password, which achieves multi-layer encryption and is more secure. Comparing Implementation A with Implementation B, Implementation B offers higher security, while Implementation A is simpler to implement.
Next, the process in S304 in which the first device generates the first password based at least on the first user password factor is described. The process may include but is not limited to Implementation A2 or Implementation B2 below.
Implementation A2: the first password is generated based on the first user password factor.
Implementation B2: the first password is generated based on the first user password factor and an object password factor for the target object.
Implementation A2 may include: the first device uses the first password generation algorithm to generate the first password from the first user password factor.
Exemplarily, the first password generation algorithm may include a hash algorithm and a random password generation algorithm. Correspondingly, Implementation A2 may be carried out as follows: after the first device obtains a hash value by applying the hash algorithm to the first user password factor, it uses the random password generation algorithm to truncate the hash value to its first 128 bits as the first password.
For example, the first password P3 can be obtained by formula (6).
P3 = GENPSW(SM3(S1))    Formula (6);
where P3 denotes the first password, GENPSW denotes the random password generation algorithm, SM3 denotes the hash algorithm, S1 denotes the first user password factor, and SM3(S1) denotes the hash value obtained by applying the hash algorithm to the first user password factor.
For Implementation B2, the data processing method provided by the embodiments of the present application may further include S306 as shown in FIG. 4.
S306. The first device obtains the object password factor for the target object.
The object password factor is a password factor specific to an object, that is, an object-level password factor.
For ease of description, the object password factor for the target object is referred to below simply as the object password factor.
Correspondingly, Implementation B2 may include: the first device uses the first password generation algorithm to generate the first password from the first user password factor and the object password factor.
Exemplarily, the first password generation algorithm may include a salted hash algorithm and a random password generation algorithm.
For example, the first device may combine the first user password factor and the object password factor, apply the salted hash algorithm to obtain a hash value, and then use the random password generation algorithm to truncate the hash value to its first 128 bits as the first password.
For example, the first password P3 can also be obtained by formula (7).
P3 = GENPSW(SM3(S1+S2+SALT0))    Formula (7);
where P3 denotes the first password, GENPSW denotes the random password generation algorithm, SM3 denotes the salted hash algorithm, S1 denotes the first user password factor, S2 denotes the object password factor, SALT0 denotes the salt value, and SM3(S1+S2+SALT0) denotes the hash value obtained by combining the first user password factor and the object password factor and applying the salted hash algorithm.
Next, how the first device obtains the object password factor for the target object in S306 is described in detail. The process may include but is not limited to Implementation A3 or Implementation B3 below.
Implementation A3: for the encryption process, the first device creates the object password factor for the target object.
Implementation B3: for the decryption process, the first device decrypts second encrypted data to obtain the object password factor.
Implementation A3 may include: the first device creates an object password factor for the target object and uses it as the object password factor for the target object.
The embodiments of the present application do not limit the algorithm used to create the object password factor. For example, it may be a random algorithm, a hash algorithm, and so on.
The algorithm used to create the object password factor may be the same as or different from the algorithm used to create the first user password factor.
Optionally, after the object password factor is created, the first device may store it in encrypted form.
The first device generates a second password for the target object, encrypts the object password factor based on the second password to obtain second encrypted data, and saves the second encrypted data.
Encrypting the object password factor based on the second password may include: the first device invokes the fourth encryption algorithm and encrypts the object password factor with the second password; or, the first device generates a third password based on the second password and encrypts the object password factor with the third password.
Implementation B3 may include: the first device decrypts the second encrypted data based on the second password to obtain the object password factor.
In one possible implementation, when the password used to encrypt the object password factor is the second password, the first device invokes the fourth decryption algorithm and decrypts the second encrypted data with the second password to obtain the object password factor.
In another possible implementation, when the password used to encrypt the object password factor is the third password generated based on the second password, the first device invokes the fourth decryption algorithm and decrypts the second encrypted data with the third password to obtain the object password factor.
Next, the process in Implementation B2 of generating the first password based on the first user password factor and the object password factor for the target object is described. It may include but is not limited to S3031 to S3033 shown in FIG. 5.
S3031. The first device assembles the sum of the first user factor and the object password factor into a password string.
S3032. The first device performs a salted hash calculation on the password string to obtain a password hash value.
The specific salt value used in the salted hash algorithm can be configured according to actual needs, and the embodiments of the present application do not specifically limit it.
S3033. The first device truncates the password hash value to its first W bits to generate the first password.
The embodiments of the present application do not limit the specific value of W, which can be configured according to actual needs. In one example, W may be 128.
The first device uses the GEMPSW algorithm to truncate the password hash value to its first W bits and generate the first password.
The data processing method provided by the embodiments of the present application can also change the first user's user password. The password change process is described below, taking the change from the first user password to a second user password as an example.
The process may include but is not limited to S307 to S309 shown in FIG. 6.
S307. Upon receiving the second user password, the first device acquires a second user password factor.
The content of the first user password factor and the second user password factor is the same.
S308. The first device encrypts the second user password factor based on the received second user password to obtain third encrypted data.
For the implementation of S308, refer to the description of how the first encrypted data is obtained during registration; the details are not repeated here.
S309. The first device updates the first encrypted data based on the third encrypted data.
The first device updates the first encrypted data to the third encrypted data.
In this way, after the user password is changed from the first user password to the second user password, it is only necessary to generate the third encrypted data according to the first user password and then update the first encrypted data to the third encrypted data to complete the file update that follows a password change. By comparison, the prior art, after a user password is changed, has to decrypt the source encrypted files and then re-encrypt them with the changed user password to complete the file update. The solution of the present application is therefore simple and convenient to implement, especially in scenarios with a large amount of stored data.
Further, a one-time password (OTP) verification may be performed before S307 is executed.
For example, during registration the first device also receives and stores a first mobile phone number for the first user.
The first device performs OTP verification based on the first mobile phone number. If verification succeeds, S307 is executed; if verification fails, the process ends.
Next, how the first device acquires the second user password factor in S307 is described in detail. It may include but is not limited to S3071 to S3076 shown in FIG. 7.
S3071. The first device sends the fourth encrypted data to the second device or the third device.
In one possible implementation, S3071 may be carried out as: the first device sends the fourth encrypted data to the second device.
In another possible implementation, S3071 may be carried out as: the first device sends the fourth encrypted data to the third device.
It should be noted that, before S3071 is executed, the data processing method provided by the embodiments of the present application further includes a process of generating the fourth encrypted data.
The process by which the first device generates the fourth encrypted data may include but is not limited to S3070 and S3070A.
S3070. The first device receives the first public key for the second device.
The second device generates a public-private key pair (the first public key and the first private key) and sends the first public key to the first device, and the first device receives the first public key for the second device.
Optionally, the first device may also generate a public-private key pair (the second public key and the second private key) and send the second public key to the second device, and the second device receives the second public key.
S3070A. The first device encrypts the first user password factor with the first public key to obtain the fourth encrypted data.
S3072A. The second device receives the fourth encrypted data and decrypts it with the first private key to obtain the second user password factor.
S3072B. The third device receives the fourth encrypted data and, inside a trusted execution environment (TEE), decrypts it with the first private key to obtain the second user password factor.
It should be noted that, before S3072B is executed, the second device sends the first private key to the third device, and the first device sends the second public key to the third device.
S3073A. The second device encrypts the second user password factor with the second public key to obtain fifth encrypted data.
S3073B. The third device, inside the TEE, encrypts the second user password factor with the second public key to obtain fifth encrypted data.
S3074A. The second device sends the fifth encrypted data to the first device.
S3074B. The third device sends the fifth encrypted data to the first device.
S3075. The first device receives the fifth encrypted data.
In one possible implementation, the first device receives the fifth encrypted data sent by the second device.
In another possible implementation, the first device receives the fifth encrypted data sent by the third device.
S3076. The first device decrypts the fifth encrypted data with the second private key corresponding to the second public key to obtain the second user password factor.
It should be noted that the embodiments of the present application do not specifically limit the public-key encryption algorithm used to encrypt data with a public key or the private-key decryption algorithm used to decrypt data with a private key; both can be configured according to actual needs. For example, the public-key encryption algorithm may include but is not limited to the SM2 public-key encryption algorithm and the Rivest-Shamir-Adleman (RSA) public-key encryption algorithm; the private-key decryption algorithm may include but is not limited to the SM2 private-key decryption algorithm and the RSA private-key decryption algorithm.
In this way, the first device stores the encrypted first user password factor but cannot decrypt it by itself, and all communication data between the first device and the second device is encrypted, so acquiring the second user password factor by this method is highly secure.
Below, the data processing method provided by the embodiments of the present application is described through a specific application scenario.
For ease of understanding, some technical terms are explained first.
SM2 algorithm: an elliptic-curve public-key cryptographic algorithm, which is an asymmetric encryption algorithm.
SM3 algorithm: a cryptographic hash function standard, which is a hash algorithm.
SM4 algorithm: a block cipher standard, which is a domestic symmetric encryption algorithm.
Encrypted storage involves an encryption process and a decryption process. For these, the first scheme encrypts or decrypts files with a random password built into the device; the second scheme encrypts or decrypts files directly with the user password.
The first scheme cannot let the user password participate in encryption. In theory, the organization that provides the encryption or decryption is able to decrypt the text, so security is low.
The second scheme lets the user password participate directly in file encryption. If the implementation needs to store the user's independent password, its security likewise depends on the password storage scheme. If the method does not store the user password, and the client encrypts the file and then uploads the encrypted file, it can be relatively secure to a certain extent, and the file storage organization cannot steal what it is entrusted to guard. This, however, hurts usability: if the user password is lost, the encrypted content cannot be recovered, and functions such as changing the independent password cannot be offered.
Schemes that rely on a trusted execution environment on the mobile device achieve, to a certain extent, "the key is held only by the user"; but decryption becomes a problem when the user replaces the device, and such schemes do not support the user explicitly setting a password.
The present application makes the following improvements:
1. User-defined passwords are supported and participate "indirectly" in the encryption process: the user password is used to encrypt the system's built-in password, so that the user password takes part in file encryption. User privacy is protected while changing and resetting the user password remain possible. Changing the password does not affect existing data, which does not have to be decrypted and re-encrypted, so usability and performance are both preserved.
2. Unlike traditional TEE schemes, a third-party trusted certificate authority (with no commercial conflict of interest) is introduced as the TEE certificate service provider. For mobile use, the TEE features are used while device replacement is supported, and the scheme is compatible with scenarios where a mobile device (corresponding to the third device, also called the terminal device) and a non-mobile device (corresponding to the second device, also called the authentication device) share keys.
For ease of understanding, some algorithms (functions) are briefly explained.
SM3(X): compute the hash value of X using SM3;
GENPSW(X): truncate X to its first 128 bits as the password used by SM4;
SM4ENCRYPT(S, P): the SM4 algorithm encrypts S with P;
SM4DECRYPT(D, P): the SM4 algorithm decrypts D with P;
SM2ENCRYPT(S, PUK): the SM2 algorithm encrypts S with the public key (PUK);
SM2DECRYPT(D, PRK): the SM2 algorithm decrypts D with the private key (PRK).
The data processing method provided by the embodiments of the present application may include but is not limited to the following: a registration process, a password verification process, an encryption process, a decryption process, a password change process, and a mobile device replacement process.
The registration process is described below:
To register on the first device for the file hosting service system (hereinafter "the system"), the user sets an independent user password P0 (corresponding to the first user password) and a mobile phone number used for OTP authentication. When the system creates the user ID, it also creates a user-level random password factor S1 (corresponding to the first user password factor). The system generates the system password P1 from the independent user password P0 by applying the salted hash algorithm (SM3) and truncating the result to its first 128 bits. It then uses the SM4 algorithm to encrypt S1 with P1 to obtain ciphertext D1 (corresponding to the first encrypted data).
For example, P1 can be obtained by formula (2) above, and D1 can be obtained by formula (5) above.
P1 = GEMPSW(SM3(SALT0+P0))    Formula (2);
D1 = SM4ENCRYPT(S1, P1)    Formula (5).
After user registration is complete, the system generates a public-private key pair <PUK0, PRK0> (PUK0 is the system's public key and PRK0 is the system's private key; these correspond to the second public key and the second private key) and passes the user information (including the mobile phone number and PUK0) to a third-party certificate authority (corresponding to the second device, or authentication device) for registration. The third-party certificate authority performs the registration and generates a user-level public-private key pair <PUK1, PRK1> (PUK1 is the third-party certificate authority's public key and PRK1 is its private key; these correspond to the first public key and the first private key). The third-party certificate authority issues PUK1 to the system, and the system uses the SM2 algorithm to encrypt S1 with PUK1 to obtain ciphertext D2 (corresponding to the fourth encrypted data).
Optionally, for the TEE scenario on a mobile device (corresponding to the third device), the third-party certificate authority injects PRK1 and PUK0 into the user's TEE; for non-TEE scenarios, no injection is needed. D2 serves as the system's backup of the user factor S1, but the key needed to decrypt it is held by the third-party certificate authority and the TEE, which ensures that the system cannot directly decrypt D2 to recover the password factor S1. The independent user password P0 is never recorded at any point and is destroyed after use. Finally, SM4 is used to encrypt the user ID with P1 to obtain ciphertext D3 (corresponding to the user identification data), and D1, D2, D3, PRK0 and PUK1 are stored.
For example, D2 can be obtained by formula (8), and D3 can be obtained by formula (9).
D2 = SM2ENCRYPT(S1, PUK1)    Formula (8);
where D2 denotes the resulting ciphertext, SM2ENCRYPT denotes the SM2 encryption algorithm, S1 denotes the user-level random password factor, and PUK1 denotes the public key of the third-party certificate authority.
D3 = SM4ENCRYPT(ID, P1)    Formula (9);
where D3 denotes the resulting ciphertext, SM4ENCRYPT denotes the SM4 encryption algorithm, ID denotes the user identifier, and P1 denotes the system password.
The password verification process may include:
All subsequent encryption- and decryption-related methods require the user to pass in the independent password P0 (this can be handled by another front-end system, so that the user enters it only once and it is then cached on the server). This system derives P1 from P0, decrypts D3 with P1 (SM4) to obtain the plaintext string S, and checks whether S equals the user ID. If they are equal, the verification succeeds; if not, the verification fails.
For example, P1 can be obtained by formula (2), and ID' can be obtained by formula (10).
P1=GENPSW(SM3(SALT0+P0))    Formula (2);
ID'=SM4DECRYPT(D3, P1)     Formula (10);
where ID' denotes the predicted user identifier, SM4DECRYPT denotes the SM4 decryption algorithm, D3 denotes the ciphertext, SALT0 denotes the salt value, and P1 denotes the system password.
The encryption process may include:
The user uploads the file to be encrypted F0 (corresponding to the target object) and the user's independent password P0. Provided the user password is correct, this system creates the corresponding file ID and then generates a file-level password factor S2 (corresponding to the object password factor) and the corresponding file password P2 (corresponding to the second password). This system restores P1 from P0, decrypts D1 with P1 to restore the user factor S1, and assembles a new string S3 from S1+S2. It applies the salted hash algorithm (SM3) to S3 and truncates the result to the first 128 bits to obtain the password P3 (corresponding to the first password), then uses the SM4 algorithm to encrypt F0 (corresponding to the first target object) with P3, obtaining the encrypted file F1. It computes the password P4 from P2 by taking the first 128 bits of the SM3 result, and uses SM4 to encrypt S2 with P4, obtaining the ciphertext D4 (corresponding to the second encrypted data). This system records F1, P2 and D4.
For example, P1 can be obtained by formula (2), S1 by formula (3), S3 by formula (11), P3 by formula (12), F1 by formula (13), the password P4 by formula (14), and D4 by formula (15).
P1=GENPSW(SM3(SALT0+P0))      Formula (2);
S1=SM4DECRYPT(D1, P1)    Formula (3);
S3=SALT1+S1+S2    Formula (11);
where S3 denotes the new string, SALT1 denotes the salt value, S1 denotes the user-level random password factor, and S2 denotes the file-level password factor.
P3=GENPSW(SM3(S3))    Formula (12);
where P3 denotes the resulting password, GENPSW denotes the random password generation algorithm, SM3 denotes the salted hash algorithm, and S3 denotes the new string.
F1=SM4ENCRYPT(F0, P3)    Formula (13);
where F1 denotes the resulting encrypted file, SM4ENCRYPT denotes the SM4 encryption algorithm, F0 denotes the file to be encrypted, and P3 denotes the encryption password.
P4=GENPSW(SM3(SALT2+P2))      Formula (14);
where P4 denotes the resulting password, GENPSW denotes the random password generation algorithm, SM3 denotes the salted hash algorithm, SALT2 denotes the salt value, and P2 denotes the file password.
D4=SM4ENCRYPT(S2, P4)     Formula (15);
where D4 denotes the resulting ciphertext, SM4ENCRYPT denotes the SM4 encryption algorithm, S2 denotes the file-level password factor, and P4 denotes the encryption password.
The decryption process may include:
The user specifies the ID of the file to be retrieved and the independent password P0. Provided the user password is verified successfully, this system restores P1 from P0 and decrypts D1 with P1 to restore the user factor S1. This system restores the password P4 from the password P2 and decrypts D4 with P4 to obtain the factor S2.
This system assembles the password P3 from S1 and S2 in the same way as in the encryption process, then uses P3 to decrypt the encrypted file F1 (corresponding to the second target object), restoring the original file F0 for the user.
For example, P1 can be obtained by formula (2), S1 by formula (3), P4 by formula (14), S2 by formula (16), S3 by formula (11), P3 by formula (12), and F0 by formula (17).
P1=GENPSW(SM3(SALT0+P0))     Formula (2);
S1=SM4DECRYPT(D1, P1)     Formula (3);
P4=GENPSW(SM3(SALT2+P2))    Formula (14);
S2=SM4DECRYPT(D4, P4)    Formula (16);
where S2 denotes the file-level password factor, SM4DECRYPT denotes the SM4 decryption algorithm, D4 denotes the ciphertext of the encrypted S2, and P4 denotes the encryption password.
S3=SALT1+S1+S2   Formula (11);
P3=GENPSW(SM3(S3))    Formula (12);
F0=SM4DECRYPT(F1, P3)     Formula (17);
where F0 denotes the decrypted original file, SM4DECRYPT denotes the SM4 decryption algorithm, F1 denotes the ciphertext of the encrypted F0, and P3 denotes the decryption password.
The password modification process may include:
Scenario initiated from a non-mobile terminal (a non-TEE environment, or the authentication device or second device): OTP SMS verification is required. After the verification passes and the check is confirmed successful, the new password P0' entered by the user is obtained and D2 is sent to the third-party trusted certificate authority, which decrypts D2 with PRK1 to obtain S1 and returns S1 to this system encrypted with PUK0 (to keep the transfer secure).
Scenario initiated from the mobile TEE: OTP verification may be omitted; PRK1 in the TEE is used to decrypt D2 to obtain S1, and S1 is encrypted with PUK0 and returned to this system.
This system receives the returned file and decrypts it with PRK0 to obtain S1, generates P1' in the same way as during registration, encrypts S1 with P1' to obtain the new ciphertext D1', and replaces D1 with D1'. The new user password P0' (corresponding to the second user password) can then be used for subsequent encryption and decryption. The user password thus takes part in the encryption process only indirectly, which supports password replacement while preserving usability, and replacing the password does not require re-encrypting or decrypting files already stored (F1), which greatly reduces the performance overhead compared with traditional schemes.
For example, for the TEE or the third-party trusted certificate authority, S1 can be obtained by formula (18), S1_ENCRYPTED by formula (19), S1 by formula (20), and P1' by formula (21).
S1=SM2DECRYPT(D2, PRK1)     Formula (18);
where S1 denotes the user-level random password factor, SM2DECRYPT denotes the SM2 decryption algorithm, D2 denotes the ciphertext of the encrypted S1, and PRK1 denotes the private key of the third-party trusted certificate authority.
S1_ENCRYPTED=SM2ENCRYPT(S1, PUK0)      Formula (19);
where S1_ENCRYPTED denotes the resulting ciphertext, SM2ENCRYPT denotes the SM2 encryption algorithm, S1 denotes the user-level random password factor, and PUK0 denotes the public key of this system.
For example, for this system, S1 can be obtained by formula (20), P1' by formula (21), and D1' by formula (22).
S1=SM2DECRYPT(S1_ENCRYPTED, PRK0)      Formula (20);
where S1 denotes the user-level random password factor, SM2DECRYPT denotes the SM2 decryption algorithm, S1_ENCRYPTED denotes the ciphertext of the encrypted S1, and PRK0 denotes the private key of this system.
P1'=GENPSW(SM3(SALT0+P0'))      Formula (21);
where P1' denotes the updated system password, GENPSW denotes the random password generation algorithm, SM3 denotes the salted hash algorithm, SALT0 denotes the salt value, and P0' denotes the modified user password.
D1'=SM4ENCRYPT(S1, P1')      Formula (22);
where D1' denotes the resulting ciphertext, SM4ENCRYPT denotes the SM4 encryption algorithm, S1 denotes the user-level random password factor, and P1' denotes the updated system password.
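The verification, file encryption, file decryption and password-change flows above (formulas (2), (3), (9) to (17), (21) and (22)) are shown here end to end as an added Python example; it is not code from the patent, and all function names are hypothetical. Assumptions: SHA-256 stands in for SM3 and an HMAC-SHA-256 counter-mode keystream stands in for SM4, GENPSW is modelled as keeping the first 128 bits of the hash, and the SM2 escrow leg (formulas (18) to (20)) is not modelled, so S1 is handed to `change_password` as already recovered. The example also re-encrypts D3 under P1', which the text does not state but which the ID check of formula (10) needs in order to accept P0'.

```python
import hashlib
import hmac
import secrets

# Stand-ins, not the page's algorithms: SHA-256 replaces SM3, and an
# HMAC-SHA-256 counter-mode keystream replaces SM4 (assumptions).
SALT0, SALT1, SALT2 = (secrets.token_bytes(16) for _ in range(3))  # kept server-side


def genpsw(digest: bytes) -> bytes:
    """GENPSW, assumed here to keep the first 128 bits of the hash."""
    return digest[:16]


def derive(salt: bytes, material: bytes) -> bytes:
    """GENPSW(HASH(salt + material)): the shape of formulas (2), (12), (14)."""
    return genpsw(hashlib.sha256(salt + material).digest())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per ciphertext
    stream = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    stream = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def register(user_id: bytes, p0: bytes):
    """Return the stored record and S1; the returned S1 stands for the escrowed D2."""
    s1 = secrets.token_bytes(16)                      # user-level factor S1
    p1 = derive(SALT0, p0)                            # formula (2)
    record = {"id": user_id,
              "D1": encrypt(s1, p1),                  # wrapped S1
              "D3": encrypt(user_id, p1)}             # formula (9)
    return record, s1


def verify(record: dict, p0: bytes) -> bool:
    """Formula (10): decrypt D3 with P1 and compare with the actual user ID."""
    predicted = decrypt(record["D3"], derive(SALT0, p0))
    return hmac.compare_digest(predicted, record["id"])


def user_factor(record: dict, p0: bytes) -> bytes:
    if not verify(record, p0):
        raise PermissionError("user password check failed")
    return decrypt(record["D1"], derive(SALT0, p0))   # formula (3)


def encrypt_file(record: dict, p0: bytes, f0: bytes) -> dict:
    s1 = user_factor(record, p0)
    s2 = secrets.token_bytes(16)                      # file-level factor S2
    p2 = secrets.token_bytes(16)                      # file password P2
    p3 = derive(SALT1, s1 + s2)                       # formulas (11), (12)
    p4 = derive(SALT2, p2)                            # formula (14)
    return {"F1": encrypt(f0, p3), "P2": p2, "D4": encrypt(s2, p4)}  # (13), (15)


def decrypt_file(record: dict, p0: bytes, stored: dict) -> bytes:
    s1 = user_factor(record, p0)
    s2 = decrypt(stored["D4"], derive(SALT2, stored["P2"]))   # (14), (16)
    return decrypt(stored["F1"], derive(SALT1, s1 + s2))      # (11), (12), (17)


def change_password(record: dict, s1_from_escrow: bytes, new_p0: bytes) -> dict:
    """Re-wrap S1 under P1'; stored files (F1, D4) are not touched."""
    p1_new = derive(SALT0, new_p0)                    # formula (21)
    return {
        "id": record["id"],
        "D1": encrypt(s1_from_escrow, p1_new),        # formula (22)
        # Assumption beyond the stated steps: D3 is re-encrypted as well,
        # otherwise verify() keeps rejecting the new password.
        "D3": encrypt(record["id"], p1_new),
    }
```

Because P3 depends only on S1, S2 and SALT1, a file encrypted before the password change decrypts afterwards without F1 or D4 being rewritten.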
The mobile device replacement process may include:
Provided the user password P0 is verified successfully, the third-party trusted certificate authority is notified to re-inject PRK1 and PUK0 into the TEE of the new mobile device.
It should be noted that this system provides an Open API whose callers are authenticated through the third-party application assigned by this system together with a dynamic password refresh mechanism. Mobile scenarios likewise rely on an intermediate service that accesses this system using the same mechanism.
If device replacement requires invalidating the original device, the registration process is run again to generate a new public-private key pair <PUK1', PRK1'>, D2 in this system is updated to D2', and the new PRK1' and PUK0 are injected into the new device.
The salt values of the salted hashes are maintained inside this system and cannot be directly recovered from outside. The salt values used in different processes may be the same or different.
To implement the above data processing method, an embodiment of the present application provides a data processing apparatus, described below with reference to the schematic structural diagram of the data processing apparatus shown in FIG. 8.
As shown in FIG. 8, the data processing apparatus 80 includes: a prediction unit 801, an obtaining unit 802 (also called the first obtaining unit 802 for ease of distinction), a decryption unit 803, a generating unit 804 and a processing unit 805. Wherein:
The prediction unit 801 is configured to decrypt user identification data based on a received first user password to obtain a predicted user identifier;
The obtaining unit 802 is configured to obtain an actual user identifier associated with the first user password;
The decryption unit 803 is configured to, if the predicted user identifier is the same as the actual user identifier, determine that verification of the first user password succeeds, and decrypt first encrypted data based on the first user password to obtain a first user password factor, the first encrypted data including the encrypted first user password factor;
The generating unit 804 is configured to generate a first password based at least on the first user password factor;
The processing unit 805 is configured to encrypt or decrypt a target object with the first password.
In some embodiments, the decryption unit 803 is further configured to:
generate, based on the first user password, a system password corresponding to the first user password, the system password being a system-specific password corresponding to the first user password; and decrypt the first encrypted data with the system password to obtain the first user password factor.
In some embodiments, the data processing apparatus 80 further includes a second obtaining unit.
The obtaining unit is configured to obtain an object password factor for the target object;
Correspondingly, the generating unit 804 is configured to generate the first password based on the first user password factor and the object password factor.
In some embodiments, the obtaining unit is further configured to: decrypt second encrypted data based on a second password to obtain the object password factor, the second encrypted data including the encrypted object password factor.
In some embodiments, the generating unit 804 is further configured to:
assemble the sum of the first user factor and the object password factor into a password string;
perform a salted hash calculation on the password string to obtain a password hash value;
truncate the password hash value to its first W bits to generate the first password.
In some embodiments, the data processing apparatus 80 further includes a password modification unit.
The password modification unit is configured to:
when a second user password is received, obtain a second user password factor, the first user password factor and the second user password factor having the same content;
encrypt the second user password factor based on the received second user password to obtain third encrypted data; and update the first encrypted data based on the third encrypted data.
The data processing apparatus 80 further includes a communication unit.
The communication unit is configured to:
receive a first public key for the authentication device; and encrypt the first user password factor with the first public key to obtain fourth encrypted data;
The password modification unit is further configured to:
send the fourth encrypted data to the authentication device or a terminal device; receive fifth encrypted data, the fifth encrypted data including the second user password factor encrypted with a second public key, the second public key being a public key for the first device; and decrypt the fifth encrypted data with the second private key corresponding to the second public key to obtain the second user password factor.
It should be noted that the units included in the data processing apparatus provided in the embodiments of the present application can be implemented by a processor in an electronic device, or by specific logic circuits. In implementation, the processor may be a central processing unit (CPU), a microprocessor unit (MPU), a digital signal processor (DSP), a field-programmable gate array (FPGA), or the like.
The description of the above apparatus embodiments is similar to the description of the above method embodiments, and has beneficial effects similar to those of the method embodiments. For technical details not disclosed in the apparatus embodiments of the present application, refer to the description of the method embodiments of the present application.
It should be noted that, in the embodiments of the present application, if the above data processing method is implemented in the form of software function modules and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present application, in essence or in the part that contributes to the related art, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), a magnetic disk or an optical disc. Thus, the embodiments of the present application are not limited to any specific combination of hardware and software.
To implement the above data processing method, an embodiment of the present application provides an electronic device including a memory and a processor, the memory storing a computer program that can run on the processor, and the processor implementing the steps of the data processing method provided in the above embodiments when executing the program.
The structure of the electronic device is described below with reference to the electronic device 90 shown in FIG. 9.
In one example, the electronic device 90 may be the above first device. As shown in FIG. 9, the electronic device 90 includes: a processor 901, at least one communication bus 902, a user interface 903, at least one external communication interface 904 and a memory 905. The communication bus 902 is configured to implement connection and communication among these components. The user interface 903 may include a display screen, and the external communication interface 904 may include standard wired and wireless interfaces.
The memory 905 is configured to store instructions and applications executable by the processor 901, and may also cache data to be processed or already processed by the processor 901 and the modules of the electronic device (for example, image data, audio data, voice communication data and video communication data). It may be implemented with flash memory (FLASH) or random access memory (RAM).
In a fourth aspect, an embodiment of the present application provides a storage medium, that is, a computer-readable storage medium, on which a computer program is stored; when executed by a processor, the computer program implements the steps of the data processing method provided in the above embodiments.
It should be pointed out here that the description of the above storage medium and device embodiments is similar to the description of the above method embodiments, and has beneficial effects similar to those of the method embodiments. For technical details not disclosed in the storage medium and device embodiments of the present application, refer to the description of the method embodiments of the present application.
It should be understood that references throughout the specification to "one embodiment" or "an embodiment" mean that a particular feature, structure or characteristic related to the embodiment is included in at least one embodiment of the present application. Therefore, occurrences of "in one embodiment" or "in some embodiments" throughout the specification do not necessarily refer to the same embodiment. Furthermore, these particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the sequence numbers of the above processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not limit the implementation of the embodiments of the present application in any way. The serial numbers of the above embodiments of the present application are for description only and do not indicate the relative merits of the embodiments.
It should be noted that, in this document, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent in such a process, method, article or apparatus. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes the element.
In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are only illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may all be integrated into one processing unit, each unit may serve separately as a unit, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
Those of ordinary skill in the art will understand that all or some of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media that can store program code, such as a removable storage device, read-only memory (ROM), a magnetic disk or an optical disc.
Alternatively, if the above integrated units of the present application are implemented in the form of software function modules and sold or used as independent products, they may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present application, in essence or in the part that contributes to the related art, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a removable storage device, ROM, a magnetic disk or an optical disc.
The above are only embodiments of the present application, but the scope of protection of the present application is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within the scope of protection of the present application. Therefore, the scope of protection of the present application shall be determined by the scope of protection of the claims.

Claims (10)

  1. A data processing method, applied to a first device, the method comprising:
    decrypting user identification data based on a received first user password to obtain a predicted user identification;
    obtaining an actual user identification associated with the first user password;
    if the predicted user identification is the same as the actual user identification, determining that verification of the first user password is successful, and decrypting first encrypted data based on the first user password to obtain a first user password factor, the first encrypted data including the encrypted first user password factor;
    generating a first password based at least on the first user password factor;
    encrypting or decrypting a target object with the first password.
  2. The method according to claim 1, wherein decrypting the first encrypted data based on the first user password to obtain the first user password factor comprises:
    generating, based on the first user password, a system password corresponding to the first user password, the system password being a system-specific password corresponding to the first user password;
    decrypting the first encrypted data with the system password to obtain the first user password factor.
  3. The method according to claim 1 or 2, the method further comprising:
    obtaining an object password factor for the target object;
    wherein generating the first password based at least on the first user password factor comprises:
    generating the first password based on the first user password factor and the object password factor.
  4. The method according to claim 3, wherein obtaining the object password factor for the target object comprises:
    decrypting second encrypted data based on a second password to obtain the object password factor, the second encrypted data including the encrypted object password factor.
  5. The method according to claim 3 or 4, wherein generating the first password based on the first user password factor and the object password factor comprises:
    assembling the sum of the first user factor and the object password factor into a password string;
    performing a salted hash calculation on the password string to obtain a password hash value;
    truncating the first W digits of the password hash value to generate the first password.
  6. The method according to any one of claims 1-5, the method further comprising:
    upon receiving a second user password, obtaining a second user password factor, wherein the first user password factor and the second user password factor have the same content;
    encrypting the second user password factor based on the received second user password to obtain third encrypted data;
    updating the first encrypted data based on the third encrypted data.
  7. The method according to claim 6, the method further comprising:
    receiving a first public key for a second device;
    encrypting the first user password factor with the first public key to obtain fourth encrypted data;
    wherein obtaining the second user password factor comprises:
    sending the fourth encrypted data to the second device or a third device;
    receiving fifth encrypted data, the fifth encrypted data including the second user password factor encrypted with a second public key, the second public key being a public key for the first device;
    decrypting the fifth encrypted data with a second private key corresponding to the second public key to obtain the second user password factor.
  8. A data processing apparatus, deployed in a first device, the apparatus comprising:
    a prediction unit configured to decrypt user identification data based on a received first user password to obtain a predicted user identification;
    an obtaining unit configured to obtain an actual user identification associated with the first user password;
    a decryption unit configured to, if the predicted user identification is the same as the actual user identification, determine that verification of the first user password is successful, and decrypt first encrypted data based on the first user password to obtain a first user password factor, the first encrypted data including the encrypted first user password factor;
    a generating unit configured to generate a first password based at least on the first user password factor;
    a processing unit configured to encrypt or decrypt a target object with the first password.
  9. An electronic device comprising a memory and a processor, the memory storing a computer program executable on the processor, wherein the processor, when executing the program, implements the data processing method according to any one of claims 1 to 7.
  10. A storage medium storing a computer program which, when executed by a processor, implements the data processing method according to any one of claims 1 to 7.
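
The flow of claims 1, 2 and 5 can be sketched as follows. This is an added illustration, not code from the application; the PBKDF2 derivation, the HMAC-based stand-in cipher, SHA-256, the record layout, reading the "sum" as concatenation, and reading W as a count of hex characters are all assumptions.

```python
import hashlib, hmac, secrets

def system_password(user_password: str, salt: bytes) -> bytes:
    # Claim 2: stretch the user password into a system-side key (PBKDF2 is an assumption).
    return hashlib.pbkdf2_hmac("sha256", user_password.encode(), salt, 200_000)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stdlib stand-in cipher: HMAC-SHA256 in counter mode. Use a vetted AEAD in practice.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per blob so keystreams never repeat
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def enroll(user_password: str, user_id: str, user_factor: bytes) -> dict:
    # Hypothetical record layout holding what the first device stores.
    salt = secrets.token_bytes(16)
    key = system_password(user_password, salt)
    return {"salt": salt, "user_id": user_id,                # actual user identification
            "id_data": seal(key, user_id.encode()),          # user identification data
            "first_encrypted_data": seal(key, user_factor)}  # encrypted user password factor

def unlock(record: dict, user_password: str):
    # Claim 1: decrypt the ID data, compare predicted vs. actual ID, then release the factor.
    key = system_password(user_password, record["salt"])
    predicted = unseal(key, record["id_data"])
    if not hmac.compare_digest(predicted, record["user_id"].encode()):
        return None  # password check failed: the factor is never decrypted
    return unseal(key, record["first_encrypted_data"])

def first_password(user_factor: bytes, object_factor: bytes, salt: bytes, w: int = 32) -> str:
    # Claim 5: assemble, salted hash, keep the first W characters of the digest.
    password_string = user_factor + object_factor  # "sum" read as concatenation (assumption)
    return hashlib.sha256(salt + password_string).hexdigest()[:w]

if __name__ == "__main__":
    rec = enroll("correct horse", "user-42", secrets.token_bytes(16))  # constructed sample
    factor = unlock(rec, "correct horse")
    print(first_password(factor, b"object-factor-01", b"demo-salt"))
    print(unlock(rec, "wrong password"))
```

Because the stored identification data lets anyone holding the record test password guesses offline, the sketch uses a slow key derivation and a constant-time comparison.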
PCT/CN2022/120112 2021-09-30 2022-09-21 Data processing method and apparatus, and device and storage medium WO2023051337A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111163126.7 2021-09-30
CN202111163126.7A CN114117406A (en) 2021-09-30 2021-09-30 Data processing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2023051337A1 true WO2023051337A1 (en) 2023-04-06

Family

ID=80441292

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/120112 WO2023051337A1 (en) 2021-09-30 2022-09-21 Data processing method and apparatus, and device and storage medium

Country Status (2)

Country Link
CN (1) CN114117406A (en)
WO (1) WO2023051337A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114117406A (en) * 2021-09-30 2022-03-01 深圳前海微众银行股份有限公司 Data processing method, device, equipment and storage medium
CN117728958A (en) * 2024-02-05 2024-03-19 浙江大华技术股份有限公司 Communication method, device and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device
CN109547201A (en) * 2018-12-14 2019-03-29 平安科技(深圳)有限公司 A kind of encryption method of root key, computer readable storage medium and terminal device
US20190215157A1 (en) * 2017-03-03 2019-07-11 Tencent Technology (Shenzhen) Company Limited Information storage method, device, and computer-readable storage medium
CN110401538A (en) * 2018-04-24 2019-11-01 北京握奇智能科技有限公司 Data ciphering method, system and terminal
CN111079128A (en) * 2019-12-11 2020-04-28 腾讯科技(深圳)有限公司 Data processing method and device, electronic equipment and storage medium
CN114117406A (en) * 2021-09-30 2022-03-01 深圳前海微众银行股份有限公司 Data processing method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN114117406A (en) 2022-03-01

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application
Ref document number: 22874724
Country of ref document: EP
Kind code of ref document: A1

NENP Non-entry into the national phase
Ref country code: DE