[go: up one dir, main page]

CN115603907A - Method, device, device and storage medium for encrypting stored data - Google Patents

Method, device, device and storage medium for encrypting stored data Download PDF

Info

Publication number
CN115603907A
CN115603907A CN202211252335.3A CN202211252335A CN115603907A CN 115603907 A CN115603907 A CN 115603907A CN 202211252335 A CN202211252335 A CN 202211252335A CN 115603907 A CN115603907 A CN 115603907A
Authority
CN
China
Prior art keywords
data
key
master key
identifier
initial
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202211252335.3A
Other languages
Chinese (zh)
Inventor
宋鹏玉
张志桐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Sankuai Online Technology Co Ltd
Original Assignee
Beijing Sankuai Online Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Sankuai Online Technology Co Ltd filed Critical Beijing Sankuai Online Technology Co Ltd
Priority to CN202211252335.3A priority Critical patent/CN115603907A/en
Publication of CN115603907A publication Critical patent/CN115603907A/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

本申请实施例公开了一种加密存储数据的方法、装置、设备和存储介质,属于计算机技术领域。所述方法包括:获取初始密钥材料,并获取主密钥和对应的主密钥标识;基于密钥生成函数,对所述初始密钥材料和所述主密钥进行处理,得到数据密钥;基于所述数据密钥和加密算法,对数据明文进行加密,得到数据密文;将所述主密钥标识、所述初始密钥材料和所述数据密文进行拼接,得到拼接数据;对所述拼接数据进行存储。采用本申请实施例,可以减少存储空间的浪费。

Figure 202211252335

The embodiment of the application discloses a method, device, device and storage medium for encrypting and storing data, which belong to the field of computer technology. The method includes: obtaining initial key material, and obtaining a master key and a corresponding master key identifier; based on a key generation function, processing the initial key material and the master key to obtain a data key ; Based on the data key and encryption algorithm, encrypt the data plaintext to obtain data ciphertext; splice the master key identifier, the initial key material and the data ciphertext to obtain spliced data; The spliced data is stored. By adopting the embodiment of the present application, the waste of storage space can be reduced.

Figure 202211252335

Description

加密存储数据的方法、装置、设备和存储介质Method, device, device and storage medium for encrypting stored data

技术领域technical field

本申请实施例涉及计算机技术领域,特别涉及一种加密存储数据的方法、装置、设备和存储介质。The embodiments of the present application relate to the field of computer technology, and in particular, to a method, device, device, and storage medium for encrypting and storing data.

背景技术Background technique

随着人们对隐私保护的重视程度的越来越高,信息保密技术也成为一项重要的研究课题。信息保密技术包括信息加密技术和信息隐藏技术。其中,信息加密技术是通过加密算法将数据明文转为数据密文,数据明文是指一些需要被存储的信息,数据密文是指加密后的信息,加密后的信息是乱码,需要解密才能被读懂。As people pay more and more attention to privacy protection, information security technology has become an important research topic. Information security technology includes information encryption technology and information hiding technology. Among them, information encryption technology converts data plaintext into data ciphertext through an encryption algorithm. Data plaintext refers to some information that needs to be stored, and data ciphertext refers to encrypted information. The encrypted information is garbled and needs to be decrypted to be read. understand.

在一些应用程序中,用户的一些信息需要在服务器上进行存储,在进行存储之前,这些信息需要进入密钥管理系统进行加密处理。加密处理的具体过程可以是:首先,随机数生成器创建DK(data key,数据密钥),将DK和已经存储在服务器中的MK(master key,主密钥)输入到AES(advanced encryption standard,高级加密标准)中,得到EDK(encrypteddata key,加密的数据密钥)。然后,将DK和数据明文输入到AES中,得到数据密文。最后,将数据密文和EDK进行拼接得到最终密文,最终密文就可以被存储到服务器。In some applications, some user information needs to be stored on the server, and before being stored, the information needs to enter the key management system for encryption. The specific process of encryption processing can be: first, the random number generator creates a DK (data key, data key), and inputs the DK and the MK (master key, master key) already stored in the server to the AES (advanced encryption standard , Advanced Encryption Standard), get EDK (encrypted data key, encrypted data key). Then, input DK and data plaintext into AES to obtain data ciphertext. Finally, the data ciphertext and EDK are spliced to obtain the final ciphertext, and the final ciphertext can be stored in the server.

在相关技术中,EDK的长度较长,其长度是DK的长度和28字节的和值,导致最终密文的长度较长。在对大量的小数据进行加密存储时,会导致比较大的存储空间的占用,造成存储空间的浪费。In the related art, the length of EDK is relatively long, and its length is the sum of the length of DK and 28 bytes, resulting in relatively long length of final ciphertext. When a large amount of small data is encrypted and stored, a relatively large storage space will be occupied, resulting in a waste of storage space.

发明内容Contents of the invention

本申请实施例提供了一种加密存储数据的方法、装置、设备和存储介质,能够解决相关技术的问题。技术方案如下:Embodiments of the present application provide a method, device, device, and storage medium for encrypting and storing data, which can solve problems in related technologies. The technical solution is as follows:

第一方面,提供了一种加密存储数据的方法,所述方法包括:In a first aspect, a method for encrypting stored data is provided, the method comprising:

获取初始密钥材料,并获取主密钥和对应的主密钥标识;Obtain the initial key material, and obtain the master key and the corresponding master key identifier;

基于密钥生成函数,对所述初始密钥材料和所述主密钥进行处理,得到数据密钥;processing the initial key material and the master key based on a key generation function to obtain a data key;

基于所述数据密钥和加密算法,对数据明文进行加密,得到数据密文;Encrypting the data plaintext based on the data key and the encryption algorithm to obtain the data ciphertext;

将所述主密钥标识、所述初始密钥材料和所述数据密文进行拼接,得到拼接数据;splicing the master key identifier, the initial key material, and the data ciphertext to obtain spliced data;

对所述拼接数据进行存储,并将所述主密钥与所述数据标识对应存储。The splicing data is stored, and the master key and the data identifier are stored correspondingly.

在一种可能的实现方式中,所述获取初始密钥材料,包括:In a possible implementation manner, the acquiring initial key material includes:

基于随机数生成器生成的随机数,将所述随机数作为初始密钥材料。Based on the random number generated by the random number generator, the random number is used as initial key material.

在一种可能的实现方式中,所述获取主密钥,包括:In a possible implementation manner, the acquiring the master key includes:

获取所述数据明文的类型;Obtain the type of the data plaintext;

基于类型与主密钥标识的对应关系,获取所述数据明文的类型对应的主密钥标识;Based on the corresponding relationship between the type and the master key identifier, obtain the master key identifier corresponding to the type of the data plaintext;

获取所述主密钥标识对应的主密钥。Obtain the master key corresponding to the master key identifier.

在一种可能的实现方式中,所述将所述主密钥标识、所述初始密钥材料和所述数据密文进行拼接,得到拼接数据,包括:In a possible implementation manner, the splicing of the master key identifier, the initial key material, and the data ciphertext to obtain spliced data includes:

将版本标识、所述主密钥标识、所述初始密钥材料和所述数据密文进行拼接,得到拼接数据,其中,所述版本标识用于指示所述拼接数据中包括所述主密钥标识、所述初始密钥材料和所述数据密文对应的字段。splicing the version identifier, the master key identifier, the initial key material, and the data ciphertext to obtain spliced data, wherein the version identifier is used to indicate that the spliced data includes the master key Fields corresponding to the identifier, the initial key material, and the data ciphertext.

在一种可能的实现方式中,所述密钥生成函数为基于散列消息鉴别码的密钥导出函数HKDF。In a possible implementation manner, the key generation function is a key derivation function HKDF based on a hashed message authentication code.

在一种可能的实现方式中,所述对所述拼接数据进行存储,包括:In a possible implementation manner, the storing the splicing data includes:

对所述拼接数据进行编码;Encoding the spliced data;

将经过编码得到的字符串进行存储。Store the encoded string.

在一种可能的实现方式中,所述对所述拼接数据进行存储之后,还包括:In a possible implementation manner, after storing the spliced data, further include:

对所述拼接数据进行拆分,得到所述主密钥标识、所述初始密钥材料和所述数据密文;Splitting the spliced data to obtain the master key identifier, the initial key material, and the data ciphertext;

基于拆分得到的主密钥标识获取所述主密钥;Obtain the master key based on the master key identifier obtained by splitting;

基于所述密钥生成函数,对所述主密钥和拆分得到的初始密钥材料进行处理,得到所述数据密钥;Based on the key generation function, process the master key and the split initial key material to obtain the data key;

基于所述数据密钥和解密算法,对拆分得到的数据密文进行解密,得到所述数据明文。Based on the data key and the decryption algorithm, the data ciphertext obtained by splitting is decrypted to obtain the data plaintext.

第二方面,提供了一种加密存储数据的装置,所述装置包括:In a second aspect, a device for encrypting and storing data is provided, the device comprising:

获取模块,用于获取初始密钥材料,并获取主密钥和对应的主密钥标识;An acquisition module, configured to acquire initial key material, and acquire a master key and a corresponding master key identifier;

生成模块,用于基于密钥生成函数,对所述初始密钥材料和所述主密钥进行处理,得到数据密钥;A generation module, configured to process the initial key material and the master key based on a key generation function to obtain a data key;

加密模块,用于基于所述数据密钥和加密算法,对数据明文进行加密,得到数据密文;An encryption module, configured to encrypt data plaintext based on the data key and an encryption algorithm to obtain data ciphertext;

拼接模块,用于将所述主密钥标识、所述初始密钥材料和所述数据密文进行拼接,得到拼接数据;A splicing module, configured to splice the master key identifier, the initial key material, and the data ciphertext to obtain spliced data;

存储模块,用于对所述拼接数据进行存储。A storage module, configured to store the splicing data.

在一种可能的实现方式中,所述获取模块,用于:In a possible implementation manner, the obtaining module is configured to:

基于随机数生成器生成的随机数,将所述随机数作为初始密钥材料。Based on the random number generated by the random number generator, the random number is used as initial key material.

在一种可能的实现方式中,所述获取模块,用于:In a possible implementation manner, the obtaining module is configured to:

获取所述数据明文的类型;Obtain the type of the data plaintext;

基于类型与主密钥标识的对应关系,获取所述数据明文的类型对应的主密钥标识;Based on the corresponding relationship between the type and the master key identifier, obtain the master key identifier corresponding to the type of the data plaintext;

获取所述主密钥标识对应的主密钥。Obtain the master key corresponding to the master key identifier.

在一种可能的实现方式中,所述拼接模块,还用于:In a possible implementation manner, the splicing module is also used for:

将版本标识、所述主密钥标识、所述初始密钥材料和所述数据密文进行拼接,得到拼接数据,其中,所述版本标识用于指示所述拼接数据中包括所述主密钥标识、所述初始密钥材料和所述数据密文对应的字段。splicing the version identifier, the master key identifier, the initial key material, and the data ciphertext to obtain spliced data, wherein the version identifier is used to indicate that the spliced data includes the master key Fields corresponding to the identifier, the initial key material, and the data ciphertext.

在一种可能的实现方式中,所述密钥生成函数为基于散列消息鉴别码的密钥导出函数HKDF。In a possible implementation manner, the key generation function is a key derivation function HKDF based on a hashed message authentication code.

在一种可能的实现方式中,所述存储模块,用于:In a possible implementation manner, the storage module is configured to:

对所述拼接数据进行编码;Encoding the spliced data;

将经过编码得到的字符串进行存储。Store the encoded string.

在一种可能的实现方式中,所述装置,还包括:In a possible implementation manner, the device further includes:

解密模块,用于:Decryption module for:

对所述拼接数据进行拆分,得到所述主密钥标识、所述初始密钥材料和所述数据密文;Splitting the spliced data to obtain the master key identifier, the initial key material, and the data ciphertext;

基于拆分得到的主密钥标识获取所述主密钥;Obtain the master key based on the master key identifier obtained by splitting;

基于所述密钥生成函数,对所述主密钥和拆分得到的初始密钥材料进行处理,得到所述数据密钥;Based on the key generation function, process the master key and the split initial key material to obtain the data key;

基于所述数据密钥和解密算法,对拆分得到的数据密文进行解密,得到所述数据明文。Based on the data key and the decryption algorithm, the data ciphertext obtained by splitting is decrypted to obtain the data plaintext.

第三方面,提供了一种计算机设备,计算机设备包括存储器和处理器,存储器用于存储计算机指令;处理器执行存储器存储的计算机指令,以使计算机设备执行第一方面及其可能的实现方式的方法。A third aspect provides a computer device, the computer device includes a memory and a processor, the memory is used to store computer instructions; the processor executes the computer instructions stored in the memory, so that the computer device executes the first aspect and possible implementations thereof method.

第四方面,提供了一种计算机可读存储介质,计算机可读存储介质存储有计算机程序代码,响应于计算机程序代码被计算机设备执行,计算机设备执行第一方面及其可能的实现方式的方法。In a fourth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores computer program codes. In response to the computer program code being executed by a computer device, the computer device executes the method of the first aspect and possible implementations thereof.

第五方面,提供了一种计算机程序产品,计算机程序产品包括计算机程序代码,响应于计算机程序代码被计算机设备执行,计算机设备执行第一方面及其可能的实现方式的方法。In a fifth aspect, a computer program product is provided, the computer program product includes computer program code, and in response to the computer program code being executed by a computer device, the computer device executes the method of the first aspect and possible implementations thereof.

本申请的实施例提供的技术方案可以包括以下有益效果:The technical solutions provided by the embodiments of the present application may include the following beneficial effects:

通过本申请实施例提供的方法,首先,获取初始密钥材料、主密钥和主密钥标识。然后,将初始密钥材料和主密钥作为密钥生成函数的输入,计算得到数据密钥。再使用数据密钥和加密算法对数据明文进行加密,得到数据密文。最后,将数据明文对应的主密钥标识、初始密钥材料和数据密文进行拼接,得到拼接数据。将拼接数据进行存储。因为一般的密钥生成函数所使用的初始密钥材料的长度是可以任意设置的,所以可以将初始密钥材料的长度设置为一个较小的数值,从而,占用的存储空间较小,可以减少存储空间的浪费。Through the method provided in the embodiment of this application, firstly, the initial key material, the master key and the master key identifier are acquired. Then, the initial key material and the master key are used as the input of the key generation function to calculate the data key. Then use the data key and encryption algorithm to encrypt the data plaintext to obtain the data ciphertext. Finally, the master key identifier corresponding to the data plaintext, the initial key material and the data ciphertext are spliced to obtain spliced data. Store the spliced data. Because the length of the initial key material used by the general key generation function can be set arbitrarily, the length of the initial key material can be set to a smaller value, so that the occupied storage space is smaller and can be reduced Waste of storage space.

附图说明Description of drawings

为了更清楚地说明本申请实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings that need to be used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present application. For those skilled in the art, other drawings can also be obtained based on these drawings without creative effort.

图1是本申请实施例提供的一种业务服务器的结构示意图;FIG. 1 is a schematic structural diagram of a service server provided by an embodiment of the present application;

图2是本申请实施例提供的一种加密存储数据方法的流程示意图;FIG. 2 is a schematic flow diagram of a method for encrypting and storing data provided in an embodiment of the present application;

图3是本申请实施例提供的一种数据密文的结构的示意图;Fig. 3 is a schematic diagram of the structure of a data ciphertext provided by the embodiment of the present application;

图4是本申请实施例提供的一种拼接数据的结构的示意图;Fig. 4 is a schematic diagram of a structure of splicing data provided by an embodiment of the present application;

图5是本申请实施例提供的一种解密数据方法的流程示意图;FIG. 5 is a schematic flow diagram of a method for decrypting data provided in an embodiment of the present application;

图6是本申请实施例提供的一种加密存储数据装置的结构示意图。Fig. 6 is a schematic structural diagram of a device for encrypting and storing data provided by an embodiment of the present application.

具体实施方式detailed description

本申请实施例提供了一种加密存储数据的方法,该方法可以应用于业务服务器,业务服务器可以是单独的服务器,也可以是多台设备组成的设备组。The embodiment of the present application provides a method for encrypting and storing data, which can be applied to a service server, and the service server can be a single server or a device group composed of multiple devices.

从硬件组成上来看,业务服务器的结构可以如图1所示,包括处理器110、存储器120和通信部件130。In terms of hardware composition, the structure of the service server may be as shown in FIG. 1 , including a processor 110 , a memory 120 and a communication component 130 .

处理器110可以是CPU(central processing unit,中央处理器)或SoC(system onchip,系统级芯片)等,处理器110可以用于执行该方法涉及的各种指令等。The processor 110 may be a CPU (central processing unit, central processing unit) or a SoC (system on chip, system-on-chip), and the processor 110 may be configured to execute various instructions involved in the method, and the like.

存储器120可以包括各种易失性存储器或非易失性存储器,如SSD(solid statedisk,固态硬盘)、DRAM(dynamic random access memory,动态随机存取存储器)内存等。存储器120可以用于存储加密过程中的预存数据、中间数据和结果数据,例如,数据密文、拼接数据等。The memory 120 may include various volatile memories or nonvolatile memories, such as SSD (solid state disk, solid state disk), DRAM (dynamic random access memory, dynamic random access memory) memory, and the like. The memory 120 may be used to store pre-stored data, intermediate data, and result data during the encryption process, for example, data ciphertext, concatenated data, and the like.

通信部件130可以是有线网络连接器、WiFi(wireless fidelity,无线保真)模块、蓝牙模块、蜂巢网通信模块等。通信部件可以用于与其他设备进行数据传输,其他设备可以是服务器、也可以是其他终端等。The communication component 130 may be a wired network connector, a WiFi (wireless fidelity, wireless fidelity) module, a Bluetooth module, a cellular network communication module, and the like. The communication component may be used for data transmission with other devices, and the other devices may be servers or other terminals.

下面,对本申请实施例中涉及的若干个名词进行介绍:Below, several nouns involved in the embodiments of this application are introduced:

MK(master key,主密钥):是直接或间接用于数据加密的密钥。在本申请实施例中,主密钥间接用于数据加密。MK (master key, master key): It is a key used directly or indirectly for data encryption. In this embodiment of the application, the master key is indirectly used for data encryption.

DK(data key,数据密钥):是直接用于数据加密的密钥。在本申请实施例中,DK是由密钥生成函数对MK和其他数据处理生成的。DK (data key, data key): It is a key directly used for data encryption. In the embodiment of this application, DK is generated by processing MK and other data by a key generation function.

HKDF(hash-based message authentication code-based extract-and-expandkey derivation function,基于散列消息鉴别码的密钥导出函数):用于基于一些密钥材料计算数据密钥的函数。HKDF (hash-based message authentication code-based extract-and-expandkey derivation function, key derivation function based on hash message authentication code): A function used to calculate a data key based on some key material.

IKM(initial key material,初始密钥材料):是使用HKDF生成数据密钥时的输入数据之一,顾名思义就是用来生成数据密钥的原材料。在本申请实施例中,初始密钥材料和主密钥共同用于生成数据密钥。IKM (initial key material, initial key material): It is one of the input data when using HKDF to generate the data key. As the name implies, it is the raw material used to generate the data key. In this embodiment of the application, the initial key material and the master key are jointly used to generate a data key.

AES(advanced encryption Standard,高级加密标准):是一种对称数据密钥算法,即加密和解密使用同一个数据密钥。在加密时,可以使用AES_GCM_encrypt(一种加密算法),将数据明文加密为数据密文;在解密时,可以使用AES_GCM_decrypt(一种解密算法),将数据密文解密为数据明文。其中,GCM(Galois counter mode,伽罗瓦计数器模式)是对称加密的一种加密模式,带有GMAC(Galois message authentication code mode,伽罗瓦消息验证码),可以对数据密文做完整性校验。AES (advanced encryption Standard, Advanced Encryption Standard): It is a symmetric data key algorithm, that is, encryption and decryption use the same data key. When encrypting, AES_GCM_encrypt (an encryption algorithm) can be used to encrypt data plaintext into data ciphertext; when decrypting, AES_GCM_decrypt (a decryption algorithm) can be used to decrypt data ciphertext into data plaintext. Among them, GCM (Galois counter mode, Galois counter mode) is an encryption mode of symmetric encryption, with GMAC (Galois message authentication code mode, Galois message authentication code), which can perform integrity verification on data ciphertext test.

KMS(key management service,密钥管理服务):是提供一站式密钥管理和数据明文加密服务的软件或软硬件组合,提供简单、可靠、安全、合规的数据明文加密保护能力。KMS可以搭建在独立的服务器上,也可以以软件的形式安装在进行数据存储的设备上。KMS (key management service, key management service): It is a software or a combination of software and hardware that provides one-stop key management and data plaintext encryption services, providing simple, reliable, safe, and compliant data plaintext encryption protection capabilities. KMS can be built on an independent server, or installed in the form of software on a device for data storage.

在一些情况下,业务服务器会基于终端的请求进行一些业务处理,也可能基于本地的处理逻辑自主触发进行一些业务处理,在业务处理中可能会生成业务数据并需要对业务数据进行加密存储。In some cases, the business server will perform some business processing based on the terminal's request, or may independently trigger some business processing based on the local processing logic. During the business processing, business data may be generated and need to be encrypted for storage.

本申请实施例针对该应用场景,提供了一种加密存储数据的方法,该方法的处理流程可以如图2所示,包括如下处理步骤:For this application scenario, the embodiment of the present application provides a method for encrypting and storing data. The processing flow of this method can be shown in Figure 2, including the following processing steps:

201,获取初始密钥材料,并获取主密钥和对应的主密钥标识。201. Acquire initial key material, and acquire a master key and a corresponding master key identifier.

其中,初始密钥材料可以是随机数,通过随机数生成器生成,其长度可以按需求进行设置。例如,初始密钥材料可以是16字节的随机数。Wherein, the initial key material can be a random number, which is generated by a random number generator, and its length can be set as required. For example, the initial key material may be a 16-byte random number.

主密钥是预先基于某种规则生成的并存储在KMS中,主密钥的长度可以按需求进行设置。主密钥的长度与数据加密的安全性正相关,所以可以设置主密钥的长度大于一定的长度阈值,如100字节。The master key is pre-generated based on certain rules and stored in KMS. The length of the master key can be set as required. The length of the master key is positively related to the security of data encryption, so the length of the master key can be set to be greater than a certain length threshold, such as 100 bytes.

在实施中,当用户在终端上的应用程序中完成某个业务之后,终端将完成业务的消息发送到业务服务器。该消息中可以携带有业务数据,例如,在完成修改账户头像的业务时,终端向服务器发送业务数据是头像图片。业务数据即后续需要加密存储的数据,所以也可称作数据明文。业务服务器接收到此消息之后,获取初始密钥材料、主密钥和主密钥对应的主密钥标识。In implementation, after the user completes a certain service in the application program on the terminal, the terminal sends a message of completing the service to the service server. The message may carry business data. For example, when the business of modifying the account profile picture is completed, the terminal sends the service data to the server as a picture of the profile picture. Business data is the data that needs to be encrypted and stored later, so it can also be called data plaintext. After receiving this message, the business server obtains the initial key material, the master key, and the master key identifier corresponding to the master key.

获取初始密钥材料的方式可以是,业务服务器在接收到数据明文之后,调用随机数生成器生成随机数。或者,在业务服务器中预先存储一些随机数,在接收到数据明文之后,随机选择一个随机数作为初始密钥材料。The way to obtain the initial key material may be that after receiving the data plaintext, the service server invokes a random number generator to generate a random number. Alternatively, store some random numbers in advance in the service server, and randomly select a random number as the initial key material after receiving the data plaintext.

获取主密钥标识的方式可以是,基于数据明文的类型确定主密钥标识。在业务服务器预先建立数据明文的类型和主密钥标识的对应关系表(如表1所示)。业务服务器接收到数据明文之后,确定出数据明文的类型,在上述对应关系表中查找对应的主密钥标识。The manner of obtaining the master key identifier may be to determine the master key identifier based on the type of the data plaintext. A correspondence table (as shown in Table 1) between the type of data plaintext and the identification of the master key is pre-established on the service server. After receiving the data plaintext, the service server determines the type of the data plaintext, and searches for the corresponding master key identifier in the above correspondence table.

表1Table 1

数据明文的类型Type of data plaintext 主密钥标识master key ID 头像avatar 00010001 昵称Nick name 00020002 签名sign 00030003 账户级别account level 00040004 ……... ……...

例如,当用户在终端完成修改昵称的业务,终端向服务器发送业务数据是用户设置的昵称,业务服务器接收到此业务数据之后,通过查表确定出昵称的类型对应的主密钥标识是0002。For example, when the user completes the service of modifying the nickname on the terminal, the terminal sends the service data to the server, which is the nickname set by the user. After receiving the service data, the service server checks the table to determine that the master key identifier corresponding to the type of nickname is 0002.

获取主密钥的方式可以是,首先进行准备工作,在生成主密钥时,给每个主密钥分配对应的主密钥标识,并且将主密钥和主密钥标识对应存储。当需要对数据明文进行加密存储时,确定主密钥标识之后,基于主密钥标识进行查表,确定出对应的主密钥。The way to obtain the master key may be to firstly carry out preparatory work, when generating the master key, assign a corresponding master key identifier to each master key, and store the master key and the master key identifier correspondingly. When the data plaintext needs to be encrypted and stored, after the master key identifier is determined, a table lookup is performed based on the master key identifier to determine the corresponding master key.

202,基于密钥生成函数,对初始密钥材料和主密钥进行处理,得到数据密钥。202. Based on the key generation function, process the initial key material and the master key to obtain a data key.

其中,密钥生成函数是HKDF,包括两个模块,分别为提取模块和延展模块。Among them, the key generation function is HKDF, which includes two modules, namely an extraction module and an extension module.

在实施中,将主密钥设置为Salt(盐值),将Salt和初始密钥材料输入到HKDF的提取模块中,提取模块通过计算得到PRK(pseudo random key,伪随机密钥)。将PRK、info、L输入到延展模块中,延展模块通过计算得到数据密钥。其中,info是主密钥标识,L是输出的数据密钥的长度,L可以人为设置并存储。In the implementation, the master key is set as Salt (salt value), and the Salt and initial key material are input into the extraction module of HKDF, and the extraction module obtains PRK (pseudo random key, pseudo-random key) through calculation. Input PRK, info, and L into the extension module, and the extension module obtains the data key through calculation. Among them, info is the master key identifier, L is the length of the output data key, and L can be manually set and stored.

采用HKDF,可以通过设定L,生成特定长度的数据密钥。对于HKDF的提取模块和延展模块,在输入参数(Salt、初始密钥材料、info、L)相同的情况下,输出的数据密钥是相同的。由于数据密钥用于加密数据明文,所以为了保证加密的安全性,一般不会将数据密钥存储在服务器中。在使用数据密钥时,通过HKDF,使用获取到的初始密钥材料和主密钥,实时生成数据密钥。With HKDF, a data key of a specific length can be generated by setting L. For the extraction module and extension module of HKDF, when the input parameters (Salt, initial key material, info, L) are the same, the output data key is the same. Since the data key is used to encrypt data plaintext, in order to ensure the security of the encryption, the data key is generally not stored in the server. When using the data key, use the acquired initial key material and master key to generate the data key in real time through HKDF.

203,基于数据密钥和加密算法,对数据明文进行加密,得到数据密文。203. Encrypt the plaintext of the data based on the data key and the encryption algorithm to obtain the ciphertext of the data.

其中,加密算法可以是AES_GCM_encrypt。Wherein, the encryption algorithm may be AES_GCM_encrypt.

在实施中,将数据密钥和数据明文输入到AES_GCM_encrypt中,AES_GCM_encrypt使用数据密钥对数据明文进行加密后,输出数据密文,即,数据密文=AES_GCM_encrypt(X,DK),其中X为数据明文。通过AES_GCM_encrypt加密得到的数据密文可以由三部分组成,包括IV(initialization vector,初始向量)、密文和GMAC,其中IV和GMAC的长度是固定的,分别为12字节和16字节。In implementation, the data key and the data plaintext are input into AES_GCM_encrypt, and after AES_GCM_encrypt uses the data key to encrypt the data plaintext, the data ciphertext is output, that is, the data ciphertext=AES_GCM_encrypt(X, DK), where X is the data clear text. The data ciphertext encrypted by AES_GCM_encrypt can be composed of three parts, including IV (initialization vector, initial vector), ciphertext and GMAC, wherein the lengths of IV and GMAC are fixed, 12 bytes and 16 bytes respectively.

主密钥标识是通过数据明文的类型确定的,对于同样的数据明文的类型,主密钥标识是相同的,即在生成数据密钥时使用的主密钥相同。在一些情况下,同一个数据明文可能被多次加密时,如果数据密钥相同,那么生成的数据密文也相同。因此,为了保证安全性,可以加入一个干扰项,即IV,得到不同的数据密文。GMAC是经过特定算法后产生的一段信息,特定算法可以是AES_GCM_encrypt,GMAC用于检查消息在传递过程中内容是否被更改过。The master key identifier is determined by the type of data plaintext. For the same data plaintext type, the master key identifier is the same, that is, the master key used when generating the data key is the same. In some cases, when the same data plaintext may be encrypted multiple times, if the data key is the same, the generated data ciphertext is also the same. Therefore, in order to ensure security, an interference item, ie IV, can be added to obtain different data ciphertexts. GMAC is a piece of information generated after a specific algorithm. The specific algorithm can be AES_GCM_encrypt. GMAC is used to check whether the content of the message has been changed during the delivery process.

经过加密之后得到的数据密文的结构如图3所示。数据密文的长度为28字节和密文长度的和值,密文的长度同数据明文。The structure of the data ciphertext obtained after encryption is shown in FIG. 3 . The length of the data ciphertext is the sum of 28 bytes and the length of the ciphertext, and the length of the ciphertext is the same as the data plaintext.

204,将主密钥标识、初始密钥材料和数据密文进行拼接,得到拼接数据。204. Concatenate the master key identifier, initial key material, and data ciphertext to obtain concatenated data.

其中,主密钥标识的长度是固定的。Wherein, the length of the master key identifier is fixed.

在实施中,主密钥标识、初始密钥材料、数据密文的拼接顺序可以是:主密钥标识、初始密钥材料、数据密文,或者是,初始密钥材料、主密钥标识、数据密文,或者是,主密钥标识、数据密文、初始密钥材料等。也可以将初始密钥材料和数据密文进行拼接。In implementation, the splicing sequence of master key identifier, initial key material, and data ciphertext may be: master key identifier, initial key material, data ciphertext, or initial key material, master key identifier, Data ciphertext, or, master key identifier, data ciphertext, initial key material, etc. It is also possible to concatenate the initial key material and data ciphertext.

这样,初始密钥材料的长度是随意进行设置的,将初始密钥材料作为拼接数据的一部分,在保证加密安全性的前提下,可以减少拼接数据的长度,减少存储空间的浪费。In this way, the length of the initial key material is set arbitrarily, and the initial key material is used as a part of the concatenated data. On the premise of ensuring encryption security, the length of the concatenated data can be reduced and the waste of storage space can be reduced.

如图4所示,主密钥标识的长度为A字节、初始密钥材料的长度是B字节,数据明文的长度是C字节。AES_GCM_encrypt对数据明文进行加密后得到的数据密文的长度是28字节和C字节的和值。将主密钥标识、初始密钥材料、数据密文进行拼接得到的拼接数据的长度是(A+B+C+28)字节。As shown in Figure 4, the length of the master key identifier is A bytes, the length of the initial key material is B bytes, and the length of the data plaintext is C bytes. The length of the data ciphertext obtained after AES_GCM_encrypt encrypts the data plaintext is the sum of 28 bytes and C bytes. The length of the concatenated data obtained by concatenating the master key identifier, the initial key material and the data ciphertext is (A+B+C+28) bytes.

在步骤204中,也可以是将第一版本标识、主密钥标识、初始密钥材料和数据密文进行拼接,得到拼接数据。In step 204, the first version identification, master key identification, initial key material and data ciphertext may also be concatenated to obtain concatenated data.

其中,第一版本标识用于指示拼接数据中包括主密钥标识、初始密钥材料和数据密文对应的字段。第一版本标识的长度可以是一个字节。基于一些其他的需求,还可以对拼接数据的字段进行其他设置,相应的可以采用其他的版本标识。例如,可以将第二版本标识和一些指定的数据进行拼接,得到拼接数据,则第二版本标识用于指示拼接数据包括这些指定的数据。Wherein, the first version identifier is used to indicate that the concatenated data includes fields corresponding to the master key identifier, initial key material, and data ciphertext. The length of the first version identifier may be one byte. Based on some other requirements, other settings can also be made to the fields of the spliced data, and other version identifiers can be used accordingly. For example, the second version identifier can be concatenated with some specified data to obtain spliced data, and the second version identifier is used to indicate that the spliced data includes these specified data.

205,对拼接数据进行存储。205. Store the spliced data.

在实施中,可以通过Base64(一种编解码算法)对拼接数据进行编码,将经过编码得到的字符串进行存储。In implementation, the spliced data may be encoded by using Base64 (a codec algorithm), and the encoded character strings may be stored.

对应于上述对数据明文进行加密存储的处理步骤,解密的处理步骤可以是:Corresponding to the above-mentioned processing steps of encrypting and storing plaintext data, the decryption processing steps may be:

501,对拼接数据进行拆分,得到主密钥标识、初始密钥材料和数据密文。501. Split the concatenated data to obtain a master key identifier, initial key material, and data ciphertext.

在实施中,在某些业务过程中,终端会向业务服务器发送读取请求。其中,读取请求中可以携带有需要读取的数据明文的数据标识。业务服务器可以获取读取请求中携带的数据标识,在其存储的所有拼接数据对应的字符串中,确定出该数据标识对应的拼接数据的字符串。通过Base64对该字符串进行解码,得到对应的拼接数据。然后,对拼接数据进行拆分。In implementation, in some business processes, the terminal will send a read request to the business server. Wherein, the read request may carry the data identifier of the data to be read in plaintext. The service server can obtain the data identifier carried in the read request, and determine the character string of the spliced data corresponding to the data identifier among the strings corresponding to all the spliced data stored in it. The string is decoded by Base64 to obtain the corresponding spliced data. Then, split the spliced data.

在对拼接数据进行拆分时,可以通过预先记录的拼接数据的组成,以及每一个组成部分的长度,对拼接数据进行拆分。When splitting the spliced data, the spliced data can be split according to the pre-recorded composition of the spliced data and the length of each component.

例如,拼接数据的组成部分依次是主密钥标识、初始密钥材料、数据密文三部分,其中,主密钥标识的长度是X字节,初始密钥材料的长度是Y字节,数据密文是Z字节。可以在拼接数据中确定自首字节开始的第X字节,在第X字节和第X+1字节之间的位置,对拼接数据进行拆分,得到前X字节的数据(可称作第一数据段)和其他数据(可称作第二数据段)。将前X字节的数据确定为主密钥标识。然后,在第二数据段中确定自首字节开始的第Y字节,在第Y字节到Y+1字节之间的位置,对拼接数据进行拆分,得到前Y字节的数据。将前Y字节的数据确定为初始密钥材料,剩下的部分即为数据密文。或者,可以在拼接数据中确定自首字节开始的第X字节,在第X字节和第X+1字节之间的位置进行标记,再继续确定自首字节开始的第X+Y,在第X+Y字节和X+Y+1字节之间的位置进行标记。然后,对有标记的位置进行拆分,得到主密钥标识、初始密钥材料、数据密文。For example, the components of the concatenated data are three parts: the master key identifier, the initial key material, and the data ciphertext, in which the length of the master key identifier is X bytes, the length of the initial key material is Y bytes, and the data The ciphertext is Z bytes. In the spliced data, the Xth byte starting from the first byte, the position between the Xth byte and the X+1th byte can be determined, and the spliced data is split to obtain the data of the first X bytes (which can be called as the first data segment) and other data (may be referred to as the second data segment). Identify the first X bytes of data as the master key identifier. Then, determine the Yth byte starting from the first byte in the second data segment, and the position between the Yth byte and the Y+1 byte, and split the spliced data to obtain the data of the first Y bytes. The first Y bytes of data are determined as the initial key material, and the remaining part is the data ciphertext. Alternatively, the Xth byte from the first byte can be determined in the spliced data, the position between the Xth byte and the X+1th byte can be marked, and then continue to determine the X+Yth byte from the first byte, The position between the X+Yth byte and the X+Y+1 byte is marked. Then, split the marked position to obtain the master key identifier, initial key material, and data ciphertext.

对于拼接数据中还包括版本标识的情况,也可以在拼接数据的第一个字节和第二字节的位置处进行拆分,得到第一版本标识和剩余部分。根据拆分得到的第一版本标识来确定拼接数据的剩余部分的组成部分,以及剩余部分的每一个组成部分的长度,对拼接数据的剩余部分按照上述拆分方式进行拆分,此处不再赘述。In the case that the spliced data also includes a version identifier, splitting may also be performed at the positions of the first byte and the second byte of the spliced data to obtain the first version identifier and the rest. Determine the components of the remaining part of the spliced data according to the first version identifier obtained by splitting, and the length of each component of the remaining part, and split the remaining part of the spliced data according to the above splitting method, which will not be repeated here repeat.

502,基于拆分得到的主密钥标识获取主密钥。502. Acquire a master key based on the master key identifier obtained through splitting.

在实施中,业务服务器可以获取对拼接数据拆分得到的主密钥标识。在KMS基于该主密钥标识,从上述的主密钥和主密钥标识的对应关系中,查找对应的主密钥。In implementation, the service server can obtain the master key identifier obtained by splitting the spliced data. Based on the master key identifier, the KMS searches for the corresponding master key from the above-mentioned correspondence between the master key and the master key identifier.

可选的,在另一种处理方式中,在读取请求中可以携带有需要读取的数据明文的类型。业务服务器可以使用该类型,在上述数据明文的类型和主密钥标识的对应关系表中,查找对应的主密钥标识。KMS从主密钥标识和主密钥的对应关系表中,查找对应的主密钥。Optionally, in another processing manner, the type of plaintext data to be read may be carried in the read request. The business server can use this type to search for the corresponding master key identifier in the above-mentioned correspondence table between the data plaintext type and the master key identifier. The KMS searches for the corresponding master key from the correspondence table between the master key identifier and the master key.

503,基于密钥生成函数,对主密钥和拆分得到的初始密钥材料进行处理,得到数据密钥。503. Based on the key generation function, process the master key and the split initial key material to obtain a data key.

在实施中,将主密钥和拆分得到的初始密钥材料输入到HKDF的提取模块中,输出是PRK。将PRK、主密钥标识、L输入到延展模块中,输出数据密钥。In the implementation, the master key and the split initial key material are input into the extraction module of HKDF, and the output is PRK. Input PRK, master key identifier, and L into the extension module, and output the data key.

504,基于数据密钥和解密算法,对数据密文进行解密,得到数据明文。504. Based on the data key and the decryption algorithm, decrypt the data ciphertext to obtain the data plaintext.

其中,解密算法可以是AES_GCM_decrypt。Wherein, the decryption algorithm may be AES_GCM_decrypt.

在实施中,将输入数据密钥和数据密文输入到AES_GCM_decrypt中,AES_GCM_decrypt使用数据密钥对数据密文进行解密后,输出数据明文,即数据明文=AES_GCM_decrypt(X,DK),其中X是数据密文。业务服务器将解密后得到的数据明文发送到终端,或者在本地基于数据明文进行后续业务处理。In implementation, the input data key and data ciphertext are input into AES_GCM_decrypt, and after AES_GCM_decrypt uses the data key to decrypt the data ciphertext, the data plaintext is output, that is, data plaintext=AES_GCM_decrypt(X, DK), where X is the data ciphertext. The business server sends the decrypted plaintext data to the terminal, or performs subsequent business processing locally based on the plaintext data.

通过本申请实施例提供的方法,首先,获取初始密钥材料、主密钥和主密钥标识。然后,将初始密钥材料和主密钥作为密钥生成函数的输入,计算得到数据密钥。再使用数据密钥和加密算法对数据明文进行加密,得到数据密文。最后,将主密钥标识、初始密钥材料和数据密文进行拼接,得到拼接数据。将拼接数据进行存储。因为一般的密钥生成函数所使用的初始密钥材料的长度是可以任意设置的,所以可以将初始密钥材料的长度设置为一个较小的数值,从而,占用的存储空间较小,可以减少存储空间的浪费。Through the method provided in the embodiment of this application, firstly, the initial key material, the master key and the master key identifier are obtained. Then, the initial key material and the master key are used as the input of the key generation function to calculate the data key. Then use the data key and encryption algorithm to encrypt the data plaintext to obtain the data ciphertext. Finally, the master key identifier, initial key material and data ciphertext are concatenated to obtain concatenated data. Store the spliced data. Because the length of the initial key material used by the general key generation function can be set arbitrarily, the length of the initial key material can be set to a smaller value, so that the occupied storage space is smaller and can be reduced Waste of storage space.

基于相同的技术构思,本申请实施例还提供了一种加密存储数据的装置,如图6所示,该装置包括:Based on the same technical concept, the embodiment of the present application also provides a device for encrypting and storing data, as shown in Figure 6, the device includes:

获取模块610,用于获取初始密钥材料,并获取主密钥和对应的主密钥标识;An acquisition module 610, configured to acquire initial key material, and acquire a master key and a corresponding master key identifier;

生成模块620,用于基于密钥生成函数,对所述初始密钥材料和所述主密钥进行处理,得到数据密钥;A generation module 620, configured to process the initial key material and the master key based on a key generation function to obtain a data key;

加密模块630,用于基于所述数据密钥和加密算法,对数据明文进行加密,得到数据密文;An encryption module 630, configured to encrypt data plaintext based on the data key and an encryption algorithm to obtain data ciphertext;

拼接模块640,用于将所述主密钥标识、所述初始密钥材料和所述数据密文进行拼接,得到拼接数据;A splicing module 640, configured to splice the master key identifier, the initial key material, and the data ciphertext to obtain spliced data;

存储模块650,用于对所述拼接数据进行存储。The storage module 650 is configured to store the splicing data.

在一种可能的实现方式中,所述获取模块610,用于:In a possible implementation manner, the obtaining module 610 is configured to:

基于随机数生成器生成的随机数,将所述随机数作为初始密钥材料。Based on the random number generated by the random number generator, the random number is used as initial key material.

在一种可能的实现方式中,所述获取模块610,用于:In a possible implementation manner, the obtaining module 610 is configured to:

获取所述数据明文的类型;Obtain the type of the data plaintext;

基于类型与主密钥标识的对应关系,获取所述数据明文的类型对应的主密钥标识;Based on the corresponding relationship between the type and the master key identifier, obtain the master key identifier corresponding to the type of the data plaintext;

获取所述主密钥标识对应的主密钥。Obtain the master key corresponding to the master key identifier.

在一种可能的实现方式中,所述拼接模块,还用于:In a possible implementation manner, the splicing module is also used for:

将版本标识、所述主密钥标识、所述初始密钥材料和所述数据密文进行拼接,得到拼接数据,其中,所述版本标识用于指示所述拼接数据中包括所述主密钥标识、所述初始密钥材料和所述数据密文对应的字段。splicing the version identifier, the master key identifier, the initial key material, and the data ciphertext to obtain spliced data, wherein the version identifier is used to indicate that the spliced data includes the master key Fields corresponding to the identifier, the initial key material, and the data ciphertext.

在一种可能的实现方式中,所述密钥生成函数为基于散列消息鉴别码的密钥导出函数HKDF。In a possible implementation manner, the key generation function is a key derivation function HKDF based on a hashed message authentication code.

在一种可能的实现方式中,所述存储模块650,用于:In a possible implementation manner, the storage module 650 is configured to:

对所述拼接数据进行编码;Encoding the spliced data;

将经过编码得到的字符串进行存储。Store the encoded string.

在一种可能的实现方式中,所述装置,还包括:In a possible implementation manner, the device further includes:

解密模块,用于:Decryption module for:

对所述拼接数据进行拆分,得到所述主密钥标识、所述初始密钥材料和所述数据密文;Splitting the spliced data to obtain the master key identifier, the initial key material, and the data ciphertext;

基于拆分得到的主密钥标识获取所述主密钥;Obtain the master key based on the master key identifier obtained by splitting;

基于所述密钥生成函数,对所述主密钥和拆分得到的初始密钥材料进行处理,得到所述数据密钥;Based on the key generation function, process the master key and the split initial key material to obtain the data key;

基于所述数据密钥和解密算法,对拆分得到的数据密文进行解密,得到所述数据明文。Based on the data key and the decryption algorithm, the data ciphertext obtained by splitting is decrypted to obtain the data plaintext.

通过本申请实施例提供的装置,首先,获取初始密钥材料、主密钥和主密钥标识。然后,将初始密钥材料和主密钥作为密钥生成函数的输入,计算得到数据密钥。再使用数据密钥和加密算法对数据明文进行加密,得到数据密文。最后,将主密钥标识、初始密钥材料和数据密文进行拼接,得到拼接数据。将拼接数据进行存储。因为一般的密钥生成函数所使用的初始密钥材料的长度是可以任意设置的,所以可以将初始密钥材料的长度设置为一个较小的数值,从而,占用的存储空间较小,可以减少存储空间的浪费。Through the device provided by the embodiment of this application, firstly, the initial key material, the master key and the master key identifier are obtained. Then, the initial key material and the master key are used as the input of the key generation function to calculate the data key. Then use the data key and encryption algorithm to encrypt the data plaintext to obtain the data ciphertext. Finally, the master key identifier, initial key material and data ciphertext are concatenated to obtain concatenated data. Store the spliced data. Because the length of the initial key material used by the general key generation function can be set arbitrarily, the length of the initial key material can be set to a smaller value, so that the occupied storage space is smaller and can be reduced Waste of storage space.

需要说明的是:上述实施例提供的加密存储数据的装置在进行加密存储数据时,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。另外,上述实施例提供的加密存储数据的装置与加密存储数据的方法实施例属于同一构思,其具体实现过程详见方法实施例,这里不再赘述。It should be noted that: when the device for encrypting and storing data provided by the above-mentioned embodiments encrypts and stores data, it only uses the division of the above-mentioned functional modules as an example for illustration. In practical applications, the above-mentioned functions can be allocated by different functions Module completion means that the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the device for encrypting and storing data provided by the above embodiments and the method for encrypting and storing data belong to the same idea, and the specific implementation process thereof is detailed in the method embodiment, and will not be repeated here.

在本申请实施例中,还提供了一种计算机可读存储介质,例如包括指令的存储器,上述指令可由终端中的处理器执行以完成上述实施例中执行互动操作的方法。该计算机可读存储介质可以是非暂态的。例如,所述计算机可读存储介质可以是ROM(Read-OnlyMemory,只读存储器)、RAM(Random Access Memory,随机存取存储器)、CD-ROM、磁带、软盘和光数据存储设备等。In the embodiment of the present application, there is also provided a computer-readable storage medium, such as a memory including instructions, and the above instructions can be executed by a processor in the terminal to complete the method for performing interactive operations in the above embodiments. The computer readable storage medium may be non-transitory. For example, the computer-readable storage medium may be ROM (Read-Only Memory, read only memory), RAM (Random Access Memory, random access memory), CD-ROM, magnetic tape, floppy disk, and optical data storage device, etc.

需要说明的是,本申请所涉及的信息(包括但不限于用户设备信息、用户个人信息等)、数据(包括但不限于用于分析的数据、存储的数据、展示的数据等)以及信号(包括但不限于用户终端与其他设备之间传输的信号等),均为经用户授权或者经过各方充分授权的,且相关数据的收集、使用和处理需要遵守相关国家和地区的相关法律法规和标准。It should be noted that the information involved in this application (including but not limited to user equipment information, user personal information, etc.), data (including but not limited to data used for analysis, stored data, displayed data, etc.) and signals ( Including but not limited to signals transmitted between the user terminal and other devices, etc.), are authorized by the user or fully authorized by all parties, and the collection, use and processing of relevant data must comply with the relevant laws and regulations of the relevant countries and regions and standard.

本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完成,也可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,上述提到的存储介质可以是只读存储器,磁盘或光盘等。Those of ordinary skill in the art can understand that all or part of the steps for implementing the above embodiments can be completed by hardware, and can also be completed by instructing related hardware through a program. The program can be stored in a computer-readable storage medium. The above-mentioned The storage medium mentioned may be a read-only memory, a magnetic disk or an optical disk, and the like.

以上所述仅为本申请的部分可能的实施例,并不用以限制本申请,凡在本申请的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围之内。The above descriptions are only some possible embodiments of the application, and are not intended to limit the application. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the application shall be included in the scope of the application. within the scope of protection.

Claims (10)

1. A method of encrypting stored data, the method comprising:
acquiring initial key material, and acquiring a master key and a corresponding master key identifier;
processing the initial key material and the master key based on a key generation function to obtain a data key;
encrypting a data plaintext based on the data key and an encryption algorithm to obtain a data ciphertext;
splicing the master key identification, the initial key material and the data ciphertext to obtain spliced data;
and storing the spliced data.
2. The method of claim 1, wherein obtaining initial keying material comprises:
the random number is used as initial key material based on the random number generated by the random number generator.
3. The method of claim 1, wherein obtaining the master key and the corresponding master key identifier comprises:
acquiring the type of the data plaintext;
acquiring a master key identifier corresponding to the type of the data plaintext based on the corresponding relationship between the type and the master key identifier;
and acquiring a master key corresponding to the master key identification.
4. The method according to claim 1, wherein the concatenating the master key identifier, the initial key material, and the data ciphertext to obtain concatenated data comprises:
and splicing the version identifier, the master key identifier, the initial key material and the data ciphertext to obtain spliced data, wherein the version identifier is used for indicating fields corresponding to the master key identifier, the initial key material and the data ciphertext in the spliced data.
5. The method of claim 1, wherein the key generation function is a key derivation function HKDF based on a hashed message authentication code.
6. The method of claim 1, wherein storing the splice data comprises:
encoding the spliced data;
and storing the character string obtained by encoding.
7. The method according to any one of claims 1 to 6, wherein after storing the splicing data, further comprising:
splitting the spliced data to obtain the master key identification, the initial key material and the data ciphertext;
acquiring the master key based on the master key identification obtained by splitting;
processing the master key and the initial key material obtained by splitting based on the key generation function to obtain the data key;
and decrypting the data ciphertext obtained by splitting based on the data key and a decryption algorithm to obtain the data plaintext.
8. An apparatus for encrypting stored data, the apparatus comprising:
the acquisition module is used for acquiring initial key materials and acquiring a master key and a corresponding master key identifier;
a generating module, configured to process the initial key material and the master key based on a key generation function to obtain a data key;
the encryption module is used for encrypting a data plaintext based on the data secret key and an encryption algorithm to obtain a data ciphertext;
the splicing module is used for splicing the master key identification, the initial key material and the data ciphertext to obtain spliced data;
and the storage module is used for storing the spliced data.
9. A computer device, comprising a memory for storing computer instructions and a processor;
the processor executes the computer instructions stored by the memory to cause the computer device to perform the method of any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer program code which, in response to execution of the computer program code by a computer device, executes the method of any of the preceding claims 1 to 7.
CN202211252335.3A 2022-10-13 2022-10-13 Method, device, device and storage medium for encrypting stored data Withdrawn CN115603907A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211252335.3A CN115603907A (en) 2022-10-13 2022-10-13 Method, device, device and storage medium for encrypting stored data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211252335.3A CN115603907A (en) 2022-10-13 2022-10-13 Method, device, device and storage medium for encrypting stored data

Publications (1)

Publication Number Publication Date
CN115603907A true CN115603907A (en) 2023-01-13

Family

ID=84847550

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211252335.3A Withdrawn CN115603907A (en) 2022-10-13 2022-10-13 Method, device, device and storage medium for encrypting stored data

Country Status (1)

Country Link
CN (1) CN115603907A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318686A (en) * 2023-05-17 2023-06-23 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium
CN116522367A (en) * 2023-06-28 2023-08-01 星汉智能科技股份有限公司 Smart card data generation encryption method, system, device and storage medium
CN118337370A (en) * 2024-06-17 2024-07-12 成都中创锐科信息技术有限公司 Waveform data encryption storage and transmission method based on AES algorithm
CN119030713A (en) * 2024-10-22 2024-11-26 深圳竹云科技股份有限公司 Key generation method, device and computer equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030037237A1 (en) * 2001-04-09 2003-02-20 Jean-Paul Abgrall Systems and methods for computer device authentication
CN110868287A (en) * 2019-10-24 2020-03-06 广州江南科友科技股份有限公司 Authentication encryption ciphertext coding method, system, device and storage medium
US20200226952A1 (en) * 2019-01-10 2020-07-16 Bank Of America Corporation Digital cryptosystem with re-derivable hybrid keys
WO2021208690A1 (en) * 2020-11-11 2021-10-21 平安科技(深圳)有限公司 Method and apparatus for data encryption and decryption, device, and storage medium
US20220329422A1 (en) * 2020-06-30 2022-10-13 Tencent Technology (Shenzhen) Company Limited Data processing method, apparatus, computer program, and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030037237A1 (en) * 2001-04-09 2003-02-20 Jean-Paul Abgrall Systems and methods for computer device authentication
US20200226952A1 (en) * 2019-01-10 2020-07-16 Bank Of America Corporation Digital cryptosystem with re-derivable hybrid keys
CN110868287A (en) * 2019-10-24 2020-03-06 广州江南科友科技股份有限公司 Authentication encryption ciphertext coding method, system, device and storage medium
US20220329422A1 (en) * 2020-06-30 2022-10-13 Tencent Technology (Shenzhen) Company Limited Data processing method, apparatus, computer program, and storage medium
WO2021208690A1 (en) * 2020-11-11 2021-10-21 平安科技(深圳)有限公司 Method and apparatus for data encryption and decryption, device, and storage medium

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318686A (en) * 2023-05-17 2023-06-23 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium
CN116318686B (en) * 2023-05-17 2023-09-05 成都赛力斯科技有限公司 Data encryption transmission method and device, electronic equipment and storage medium
CN116522367A (en) * 2023-06-28 2023-08-01 星汉智能科技股份有限公司 Smart card data generation encryption method, system, device and storage medium
CN116522367B (en) * 2023-06-28 2024-05-17 星汉智能科技股份有限公司 Smart card data generation encryption method, system, device and storage medium
CN118337370A (en) * 2024-06-17 2024-07-12 成都中创锐科信息技术有限公司 Waveform data encryption storage and transmission method based on AES algorithm
CN119030713A (en) * 2024-10-22 2024-11-26 深圳竹云科技股份有限公司 Key generation method, device and computer equipment

Similar Documents

Publication Publication Date Title
CN110324143B (en) Data transmission method, electronic device and storage medium
CN115603907A (en) Method, device, device and storage medium for encrypting stored data
CN109714176B (en) Password authentication method, device and storage medium
WO2019071886A1 (en) Softphone encryption and decryption method and apparatus, and computer-readable storage medium
CN106452770B (en) Data encryption method, data decryption method, device and system
US11424919B2 (en) Protecting usage of key store content
CN113572743A (en) Data encryption and decryption method and device, computer equipment and storage medium
KR102391952B1 (en) System, device or method for encryption distributed processing
WO2020224138A1 (en) Blockchain technology-based multi-party authorization method and device
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
CN115883052A (en) Data encryption method, data decryption method, device and storage medium
US9641328B1 (en) Generation of public-private key pairs
CN112004201A (en) Short message sending method and device and computer system
CN107707562B (en) A method and device for asymmetric dynamic token encryption and decryption algorithm
CN104579680A (en) Method for safe distribution of seed
CN111404892B (en) Data supervision method and device and server
CN118157855A (en) Information transmission encryption method, device and electronic equipment
CN108418679B (en) Method and device for processing secret key under multiple data centers and electronic equipment
CN115023920B (en) Method and device for data processing in a equity incentive system
CN104410498B (en) A kind of dynamic password authentication method and its system
CN115361198A (en) Decryption method, encryption method, device, computer equipment and storage medium
CN106230600A (en) A kind of generation method and system of dynamic password
CN115022042A (en) A compliance code verification method and computer-readable medium for protecting data privacy
CN111726320B (en) Data processing method, device and equipment
CN110890979B (en) Automatic deployment method, device, equipment and medium for fort machine

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20230113