
CN119203172A - A data encryption and decryption method and related device - Google Patents

Publication number: CN119203172A
Authority: CN (China)
Prior art keywords: data, key, signature certificate, key data, protected
Legal status: Pending
Application number: CN202411214645.5A
Other languages: Chinese (zh)
Inventors: 罗超, 肖莹
Current Assignee: Hunan MgtvCom Interactive Entertainment Media Co Ltd
Original Assignee: Hunan MgtvCom Interactive Entertainment Media Co Ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption


Abstract

The application discloses a data encryption and decryption method and a related device. The scheme uses first information in the signature certificate of a target application to generate first key data, and then uses the generated first key data to encrypt the data to be protected of the target application, thereby securing the storage of the data to be protected. When the data to be protected needs to be used, the signature certificate of the target application is obtained again, second key data derived from the same signature certificate is generated by dynamic calculation, and the data to be protected is decrypted based on the second key data. In the scheme, the first key data is closely tied to the signature certificate of the target application, and the signature certificate of the target application is an important means of verifying the identity of the developer and ensuring the integrity of the target application, so a generation mechanism in which the first key data is highly correlated with the signature certificate effectively resists the risk of illegal acquisition of the data to be protected while enhancing key uniqueness and security.

Description

Data encryption and decryption method and related device thereof
Technical Field
The application relates to the technical field of software security, in particular to a data encryption and decryption method and a related device thereof.
Background
In the field of mobile application development, key security is an important factor in ensuring data integrity and protecting user privacy. However, conventional methods of key storage and use often present a risk of being illegally acquired by a malicious attacker, resulting in leakage of application data, which poses a potential threat to the user. Therefore, how to better ensure the security of the key and reduce the risk of key leakage are important concerns for technicians in the field.
Disclosure of Invention
In view of this, the present application provides the following technical solutions:
The first aspect of the present application provides a data encryption and decryption method, including:
creating a signature certificate of the target application;
generating first key data in a first manner based on first information in the signature certificate;
encrypting data to be protected based on the first key data to obtain encrypted data and storing the encrypted data, wherein the data to be protected is data related to the target application;
if the data to be protected needs to be called, obtaining the signature certificate;
generating second key data in the first manner based on the first information in the signature certificate obtained from the application file, wherein the second key data is identical to the first key data;
and decrypting the encrypted data based on the second key data to obtain the data to be protected.
In one possible implementation, obtaining the signature certificate includes:
calling a first interface to obtain the signature certificate from the locally stored application file of the target application.
In one possible implementation, before calling the first interface to obtain the signature certificate from the locally stored application file of the target application, the method further includes:
completing call verification of the first interface, wherein the call verification comprises verifying whether the signature certificate of the calling target application is a preset signature certificate.
In one possible implementation, generating the first key data in the first manner based on the first information in the signature certificate includes:
generating the first key data using a message digest algorithm based on the first information in the signature certificate;
and generating the second key data in the first manner based on the first information in the signature certificate obtained from the application file includes:
generating the second key data using the message digest algorithm based on the first information in the signature certificate obtained from the application file.
In one possible implementation, the first information includes certificate fingerprint data and certificate public key modulus data, and generating the first key data or the second key data using a message digest algorithm based on the first information in the signature certificate includes:
adjusting the size of the certificate fingerprint data to be the same as the size of an input data block of a target hash algorithm, to obtain adjusted data;
performing hash calculation of the target hash algorithm based on the adjusted data;
adding the certificate public key modulus data into the hash calculation to obtain a hash calculation result;
and adjusting the hash calculation result to the size required by the key of the symmetric cryptographic algorithm to obtain the first key data or the second key data.
In one possible implementation, generating the first key data in the first manner based on the first information in the signature certificate includes:
generating first key data of a symmetric cryptographic algorithm in the first manner based on the first information in the signature certificate;
and generating the second key data in the first manner based on the first information in the signature certificate obtained from the application file includes:
generating second key data of the symmetric cryptographic algorithm in the first manner based on the first information in the signature certificate obtained from the application file.
In one possible implementation, encrypting the data to be protected based on the first key data to obtain encrypted data and storing the encrypted data includes:
encrypting the data to be protected with the symmetric cryptographic algorithm based on the first key data to obtain encrypted data and storing the encrypted data;
and decrypting the encrypted data based on the second key data to obtain the data to be protected includes:
decrypting the encrypted data with the symmetric cryptographic algorithm based on the second key data to obtain the data to be protected.
The second aspect of the present application provides a data encryption and decryption device, including:
a certificate creation module, used for creating a signature certificate of the target application;
a key generation module, used for generating first key data in a first manner based on first information in the signature certificate;
a data encryption module, used for encrypting data to be protected based on the first key data, obtaining encrypted data and storing the encrypted data, wherein the data to be protected is data related to the target application;
a certificate obtaining module, used for obtaining the signature certificate when the data to be protected needs to be called;
a key obtaining module, used for generating second key data in the first manner based on the first information in the signature certificate obtained from the application file, wherein the second key data is the same as the first key data;
and a data decryption module, used for decrypting the encrypted data based on the second key data to obtain the data to be protected.
A third aspect of the present application provides a computer program product comprising computer readable instructions which, when run on an electronic device, cause the electronic device to implement any one of the data encryption and decryption methods described above.
A fourth aspect of the application provides an electronic device comprising at least one processor and a memory coupled to the processor, wherein:
the memory is used for storing a computer program;
the processor is used for executing the computer program so that the electronic device can implement any one of the data encryption and decryption methods described above.
According to the above technical scheme, the embodiment of the application discloses a data encryption and decryption method and a related device. First information in the signature certificate of a target application is used to generate first key data, and the data to be protected of the target application is encrypted with the generated first key data, securing the storage of the data to be protected. When the data to be protected needs to be used, the signature certificate of the target application is obtained again, second key data derived from the same signature certificate is generated by dynamic calculation, and the data to be protected is decrypted based on the second key data. In the scheme, the first key data is closely tied to the signature certificate of the target application, and the signature certificate of the target application is an important means of verifying the identity of the developer and ensuring the integrity of the target application, so a generation mechanism in which the first key data is highly correlated with the signature certificate effectively resists the risk of illegal acquisition of the data to be protected while enhancing key uniqueness and security.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a data encryption and decryption method disclosed in an embodiment of the present application;
FIG. 2 is a flowchart of generating key data for data to be protected according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating an example of a module implementation of a data encryption and decryption method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a data encryption and decryption device according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The embodiment of the application can be applied to electronic equipment. The application does not limit the product form of the electronic equipment, which can include but is not limited to smart phones, tablet computers, wearable devices, personal computers (PC), netbooks and the like, and can be selected according to application requirements.
FIG. 1 is a flowchart of a data encryption and decryption method disclosed in an embodiment of the present application. Referring to FIG. 1, the data encryption and decryption method may include:
Step 101, creating a signature certificate of the target application.
The target application can be an Android application, and the operating system of the electronic device executing the method can also be an Android system.
In the embodiment of the application, the key for encrypting the data to be protected is obtained based on the signature certificate of the target application, so the signature certificate of the target application needs to be obtained first. In an implementation, the signature certificate may be created using the keytool command or by the Android Studio build tool. The signature certificate is typically a file in the JKS (Java KeyStore) format that is used to digitally sign the APK file of the application. The APK file is the installation package format of an Android application: a file that packages together all the information required to install and run the Android application on the device. Typically, the signature certificate of an Android application is a digital certificate used to verify that the application comes from a trusted issuer. When a user installs an application on an Android device, the system checks whether the application is properly signed to ensure the security and integrity of the application. If the application does not have a valid signature certificate, the system refuses to install it. Alternatively, in other implementations, the signature certificate may be obtained directly from a certificate authority (CA); the application is not limited in this regard.
Step 102, based on the first information in the signature certificate, generating first key data in a first mode.
The first information may be any information in the signature certificate, including but not limited to fingerprint information and public key modulus. Different encryption algorithms may have different key formats, so in the embodiment of the present application, after the encryption algorithm to be used is determined, the corresponding first key data may be generated based on the key format. The specific implementation of the generation of the first key data is described in detail in the following embodiments and is not elaborated here.
Step 103, encrypting data to be protected based on the first key data, obtaining encrypted data and storing the encrypted data, wherein the data to be protected is data related to the target application.
After the first key data is obtained, the data to be protected can be encrypted and stored based on the first key data. After the encrypted data is obtained, the first key data can be deleted directly without being stored, so that stored first key data cannot be illegally stolen.
The data to be protected is data related to the target application, such as an application key of the target application. The application key is thus stored encrypted instead of being stored directly, which effectively improves the security of the application key.
Step 104, if the data to be protected needs to be called, obtaining the signature certificate.
Later, when the data to be protected needs to be used, the encrypted data needs to be decrypted first. Since the first key data used to encrypt the data to be protected was not stored, the key data needs to be obtained again when the encrypted data is to be decrypted.
For a target application whose APK file has already been signed, the signature certificate is contained in the APK file, and thus the signature certificate can be obtained from the APK file of the target application.
Step 105, generating second key data in the first manner based on the first information in the signature certificate obtained from the application file, the second key data being identical to the first key data.
After the signature certificate is obtained, the second key data is generated from the first information, such as the fingerprint information and public key modulus, in the same first manner as the first key data. In theory, because the original data is the same and the generation manner is the same, the resulting key data is the same, that is, the first key data is the same as the second key data.
Step 106, decrypting the encrypted data based on the second key data to obtain the data to be protected.
After the second key data is obtained, the second key data (identical to the first key data) is used to decrypt the encrypted data, so that the data to be protected, such as an application key of the target application, is obtained and the target application can operate normally.
According to the data encryption and decryption method, the first key data is generated from the first information in the signature certificate of the target application, and the data to be protected of the target application is then encrypted with the generated first key data, securing the storage of the data to be protected. When the data to be protected needs to be used, the signature certificate of the target application is obtained again, second key data derived from the same signature certificate is generated by dynamic calculation, and the data to be protected is decrypted based on the second key data. In the scheme, the first key data is closely tied to the signature certificate of the target application, and the signature certificate of the target application is an important means of verifying the identity of the developer and ensuring the integrity of the target application, so a generation mechanism in which the first key data is highly correlated with the signature certificate effectively resists the risk of illegal acquisition of the data to be protected while enhancing key uniqueness and security.
In the above embodiment, the obtaining the signature certificate may include calling a first interface to obtain the signature certificate from a locally stored application file of the target application.
The first interface may be a Native layer interface implemented with JNI (Java Native Interface) technology, which allows communication between Java code and native code, making it possible to take advantage of the security features of native languages (e.g. C, C++). In one specific implementation, the first interface may be an API (Application Programming Interface).
In order to ensure the safety and high efficiency of the secret key in practical application, an interface (a first interface) specially designed for the use of the secret key is provided in the scheme implementation process, and the internal logic aims to eliminate the direct contact of the application layer to the secret key, so that the safety of the secret key is ensured. The scheme not only ensures the safety of key storage, but also improves the safety of key use.
Based on the above, in one implementation, before the first interface is called to obtain the signature certificate from the locally stored application file of the target application, the method may further include completing call verification of the first interface, where the call verification includes verifying whether the signature certificate of the calling target application is a preset signature certificate.
When the Native interface is called, whether the signature certificate of the caller application is matched with the signature certificate required in the interface or not is checked, and if the signature certificate is not matched with the signature certificate required in the interface, the calling of the interface is refused, so that possible attack behaviors are prevented. In addition, the scheme of the application can finish encryption and decryption operations in the target application running logic, and avoid direct exposure of the data to be protected of the target application.
In the embodiment of the application, when the data to be protected is required to be encrypted or used, the decryption operation of the data to be protected can be carried out in the internal logic of the target application through the security interface (the first interface), so that the direct exposure of the data to be protected is avoided, and the security of the data to be protected is effectively ensured.
In one implementation, generating the first key data in the first manner based on the first information in the signature certificate includes generating the first key data with a message digest algorithm based on the first information in the signature certificate. Generating the second key data in the first manner based on the first information in the signature certificate obtained from the application file may include generating the second key data with the message digest algorithm based on the first information in the signature certificate obtained from the application file.
That is, in the embodiment of the present application, a message digest algorithm is used to generate the key data for encrypting and decrypting the data to be protected. Message digest algorithms may include MD (Message Digest algorithm), SHA (Secure Hash Algorithm) and HmacMD5 (a message authentication code algorithm).
In one example, the first information includes certificate fingerprint data and certificate public key modulus data, and a flowchart of generating key data for the data to be protected is shown in FIG. 2. As shown in FIG. 2, generating the first key data or the second key data using the message digest algorithm based on the first information in the signature certificate may include:
Step 201, adjusting the size of the certificate fingerprint data to be the same as the size of the input data block of the target hash algorithm, to obtain adjusted data.
Step 202, performing hash calculation of the target hash algorithm based on the adjusted data.
Step 203, adding the certificate public key modulus data into the hash calculation to obtain a hash calculation result.
Step 204, adjusting the hash calculation result to the size required by the key of the symmetric cryptographic algorithm to obtain the first key data or the second key data.
For example, generating key data for the data to be protected with the SHA512 (Secure Hash Algorithm) secure hash algorithm may include: adjusting the signature certificate fingerprint data (e.g., MD5 fingerprint, SHA-1 fingerprint, etc.) to the size of the SHA512 block (typically 64 bytes) by random padding or another padding algorithm and adding it to the hash calculation; then adding the certificate public key modulus data to the SHA-512 hash calculation in progress and completing the SHA-512 hash calculation; and finally adjusting the generated result to the size required by the key of the symmetric cryptographic algorithm (e.g., AES).
The purpose of using the SHA512 secure hash algorithm is to combine the certificate fingerprint with the public key modulus, and possibly other information, to generate a hash value of appropriate length as a key. Such a key is associated with a particular certificate: once the signature certificate content is tampered with (the application is signed with another certificate or re-signed), the generated hash data changes, and so does the generated key.
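The derivation in steps 201 to 204, together with the caller check that precedes the first interface, as an added Python example that is not code from the patent. Assumptions: deterministic zero padding (the same key has to be regenerated at decryption time), a 32-byte AES-256 key, big-endian modulus encoding, hypothetical function names, and constructed sample certificate values; the block size is read from hashlib's `block_size` attribute rather than hard-coded.

```python
import hashlib
import hmac

HASH_NAME = "sha512"   # target hash algorithm used in the text's example
AES_KEY_LEN = 32       # assumption: AES-256, so the key is 32 bytes


def pad_to_block(data: bytes, block_size: int) -> bytes:
    """Step 201: adjust the fingerprint to exactly one hash input block.

    Assumption: zero padding. Padding must be reproducible, otherwise the
    second key data would not equal the first key data.
    """
    if len(data) > block_size:
        # Oversized input is first reduced with the same hash.
        data = hashlib.new(HASH_NAME, data).digest()
    return data.ljust(block_size, b"\x00")


def modulus_bytes(modulus: int) -> bytes:
    """Encode the public key modulus as unsigned big-endian bytes."""
    if modulus <= 0:
        raise ValueError("modulus must be a positive integer")
    return modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")


def derive_key(fingerprint: bytes, modulus: int,
               key_len: int = AES_KEY_LEN) -> bytes:
    """Steps 201-204: hash padded fingerprint, then modulus, then truncate."""
    h = hashlib.new(HASH_NAME)          # block_size is 128 for SHA-512
    if not 0 < key_len <= h.digest_size:
        raise ValueError("key_len must fit inside one digest")
    h.update(pad_to_block(fingerprint, h.block_size))   # steps 201 and 202
    h.update(modulus_bytes(modulus))                    # step 203
    return h.digest()[:key_len]                         # step 204


def key_for_caller(caller_fp: bytes, caller_modulus: int,
                   preset_fp: bytes) -> bytes:
    """Call verification: refuse callers whose certificate is not the preset."""
    if not hmac.compare_digest(caller_fp, preset_fp):
        raise PermissionError("caller certificate does not match the preset")
    return derive_key(caller_fp, caller_modulus)


def constructed_cert(label: bytes):
    """Constructed sample values, not a real certificate or RSA modulus."""
    fingerprint = hashlib.sha256(label).digest()[:20]   # 20 bytes, SHA-1 sized
    seed = hashlib.sha512(label).digest() * 4           # 256 bytes
    modulus = int.from_bytes(seed, "big") | (1 << 2047) | 1
    return fingerprint, modulus


FP_A, MOD_A = constructed_cert(b"constructed signer A")
FP_B, MOD_B = constructed_cert(b"constructed signer B")


def demo() -> dict:
    """Encrypt-time and decrypt-time derivation, then a re-signed build."""
    key_enc = key_for_caller(FP_A, MOD_A, preset_fp=FP_A)   # first key data
    key_dec = key_for_caller(FP_A, MOD_A, preset_fp=FP_A)   # second key data
    resigned_key = derive_key(FP_B, MOD_B)   # app re-signed with another cert
    try:
        key_for_caller(FP_B, MOD_B, preset_fp=FP_A)
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "same_key": key_enc == key_dec,
        "resigned_differs": resigned_key != key_enc,
        "caller_rejected": rejected,
        "key_len": len(key_enc),
    }


if __name__ == "__main__":
    print(demo())
```

Every input to this derivation is read from the signing certificate shipped inside the APK, so the derived key binds the data to the signer but is not secret from a party that holds the APK and knows the derivation. Where a hardware-backed key store is available, keeping a non-exportable wrapping key there avoids relying on the derivation staying hidden.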
Based on the above example, generating the first key data in the first manner based on the first information in the signature certificate may include generating first key data of the symmetric cryptographic algorithm in the first manner based on the first information in the signature certificate. Generating the second key data in the first manner based on the first information in the signature certificate obtained from the application file may include generating second key data of the symmetric cryptographic algorithm in the first manner based on the first information in the signature certificate obtained from the application file.
Encrypting the data to be protected based on the first key data to obtain encrypted data and storing the encrypted data includes encrypting the data to be protected with the symmetric cryptographic algorithm based on the first key data to obtain encrypted data and storing the encrypted data. Decrypting the encrypted data based on the second key data to obtain the data to be protected includes decrypting the encrypted data with the symmetric cryptographic algorithm based on the second key data to obtain the data to be protected.
The above details the specific implementation of generating the first key data and the second key data based on the signature certificate, which is convenient for the person skilled in the art to better understand and implement the technical scheme of the application.
In an implementation, the data encryption and decryption scheme can be realized through the cooperation of different functional modules. FIG. 3 is an example module implementation flow of the data encryption and decryption method disclosed in the embodiment of the application.
The system comprises an encryption key (first key data) generation module, an encryption key storage module and an encryption and decryption module. As shown in FIG. 3, the data encryption and decryption method may include the following:
1. Acquiring certificate-specific information (including but not limited to fingerprint information and public key modulus) from the application's signature certificate;
2. Dynamically calculating and generating a key for a symmetric cryptographic algorithm (such as AES) using a specific algorithm, based on the certificate-specific information from item 1;
3. Encrypting the key with a symmetric cryptographic algorithm (such as AES), using the symmetric-algorithm key from item 2, to obtain the encrypted key;
4. Storing the obtained encrypted key securely;
5. Acquiring the signature certificate of the application through an Android system API (such as SigningInfo.getApkContentsSigners, which returns the signature certificates used for signing the APK content), so as to acquire the certificate-specific information;
6. Dynamically calculating and generating the key of the symmetric cryptographic algorithm with the same algorithm, based on the certificate-specific information from item 5;
7. Extracting the encrypted key;
8. Decrypting the encrypted key from item 7 with a symmetric cryptographic algorithm (such as AES), using the symmetric-algorithm key from item 6, to obtain the key;
9. Encrypting and decrypting data through the provided interface, and returning the result.
The data encryption and decryption method of the embodiment of the application can be applied to a general software encryption scheme. Neither the original key nor the key used by the symmetric cryptographic algorithm is stored directly during the implementation of the scheme: the key used by the symmetric cryptographic algorithm is obtained by dynamic calculation from specific information in the signature certificate of the target application, and the original key is obtained by decrypting the encrypted key with the symmetric cryptographic algorithm. By closely associating the encryption key (first key data) or the decryption key (second key data) of the data to be protected with the signature certificate of the target application, and by using the key only through an interface, the scheme ensures the safety of the key during storage and use and effectively prevents illegal acquisition and leakage of the key.
For the foregoing method embodiments, for simplicity of explanation, the methodologies are shown as a series of acts, but one of ordinary skill in the art will appreciate that the present application is not limited by the order of acts, as some steps may, in accordance with the present application, occur in other orders or concurrently. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
The method is described in detail in the embodiments disclosed in the present application, and the method can be implemented by using various types of devices, so that the present application also discloses a device, and specific embodiments are given below for details.
FIG. 4 is a schematic structural diagram of a data encryption and decryption device according to an embodiment of the present application. Referring to FIG. 4, the data encryption and decryption apparatus 40 may include:
The certificate creation module 401, configured to create a signature certificate of the target application.
The key generation module 402, configured to generate first key data in a first manner based on first information in the signature certificate.
The data encryption module 403, configured to encrypt data to be protected based on the first key data, obtain encrypted data, and store the encrypted data, where the data to be protected is data related to the target application.
The certificate obtaining module 404, configured to obtain the signature certificate when the data to be protected needs to be called.
The key obtaining module 405, configured to generate second key data in the first manner based on the first information in the signature certificate obtained from the application file, where the second key data is identical to the first key data.
The data decryption module 406, configured to decrypt the encrypted data based on the second key data to obtain the data to be protected.
The data encryption and decryption device generates the first key data from the first information in the signature certificate of the target application, and then encrypts the data to be protected of the target application with the generated first key data, which ensures that the data to be protected is stored securely. When the data to be protected needs to be used, the device obtains the signature certificate of the target application again, generates by dynamic calculation the second key data that has the same origin in that signature certificate, and decrypts the data to be protected based on the second key data. In this scheme, the first key data is closely tied to the signature certificate of the target application, and the signature certificate of the target application is an important means of verifying the identity of the developer and ensuring the integrity of the target application. A generation mechanism in which the first key data is highly correlated with the signature certificate therefore enhances the uniqueness and security of the key while effectively resisting the risk of the data to be protected being illegally obtained.
The specific implementation of the data encryption and decryption device and each module included in the data encryption and decryption device may be described by referring to the content of the corresponding part in the method embodiment, and the detailed description is not repeated here.
Any one of the data encrypting and decrypting apparatuses in the above embodiments includes a processor and a memory, and the certificate creating module, the key generating module, the data encrypting module, the certificate obtaining module, the key obtaining module, the data decrypting module, and the like in the above embodiments are stored in the memory as program modules, and the processor executes the program modules stored in the memory to realize corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program module from the memory. One or more kernels may be provided, and the processing of the return visit data is realized by adjusting kernel parameters.
The memory may include forms of computer-readable media such as volatile memory, random access memory (RAM), and/or nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
In an exemplary embodiment, a computer readable storage medium is also provided, which can be directly loaded into an internal memory of a computer, and contains software codes, and the computer program can implement the steps shown in any embodiment of the data encryption and decryption method after being loaded and executed by the computer.
In an exemplary embodiment, a computer program product is also provided, which can be directly loaded into an internal memory of a computer, and contains software codes, and the computer program can implement the steps shown in any embodiment of the data encryption and decryption method after being loaded and executed by the computer.
Further, the embodiment of the application provides electronic equipment. Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Referring to fig. 5, the electronic device 50 includes at least one processor 501, and at least one memory 502 and a bus 503 connected to the processor, where the processor and the memory complete communication with each other through the bus, and the processor is configured to call program instructions in the memory to execute the above-mentioned data encryption and decryption method.
In the present specification, the embodiments are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for parts that are identical or similar, the embodiments may be referred to one another. Because the device disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief, and the relevant points can be found in the description of the method section.
It is further noted that relational terms such as first and second are used solely to distinguish one entity or action from another entity or action, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A data encryption and decryption method, comprising:
creating a signature certificate of a target application;
generating first key data in a first manner based on first information in the signature certificate;
encrypting data to be protected based on the first key data to obtain and save encrypted data, wherein the data to be protected is data related to the target application;
if the data to be protected needs to be called, obtaining the signature certificate;
generating second key data in the first manner based on the first information in the signature certificate obtained from the application file, wherein the second key data is the same as the first key data;
decrypting the encrypted data based on the second key data to obtain the data to be protected.

2. The data encryption and decryption method according to claim 1, wherein obtaining the signature certificate comprises:
calling a first interface to obtain the signature certificate from an application file of the target application stored locally.

3. The data encryption and decryption method according to claim 2, wherein before the first interface is called to obtain the signature certificate from the application file of the target application stored locally, the method further comprises:
completing call verification of the first interface, wherein the call verification includes verifying whether the signature certificate of the calling target application is a preset signature certificate.

4. The data encryption and decryption method according to claim 1, wherein generating the first key data in the first manner based on the first information in the signature certificate comprises:
generating the first key data using a message digest algorithm based on the first information in the signature certificate;
and generating the second key data in the first manner based on the first information in the signature certificate obtained from the application file comprises:
generating the second key data using the message digest algorithm based on the first information in the signature certificate obtained from the application file.

5. The data encryption and decryption method according to claim 4, wherein the first information includes certificate fingerprint data and certificate public key modulus data, and generating the first key data or the second key data using a message digest algorithm based on the first information in the signature certificate comprises:
adjusting the size of the certificate fingerprint data to be the same as the size of the input data block of a target hash algorithm to obtain adjusted data;
performing hash calculation of the target hash algorithm based on the adjusted data;
adding the certificate public key modulus data to the hash calculation to obtain a hash calculation result;
adjusting the hash calculation result to the size required by the key of a symmetric cryptographic algorithm to obtain the first key data or the second key data.

6. The data encryption and decryption method according to claim 1, wherein generating the first key data in the first manner based on the first information in the signature certificate comprises:
generating first key data of a symmetric cryptographic algorithm in the first manner based on the first information in the signature certificate;
and generating the second key data in the first manner based on the first information in the signature certificate obtained from the application file comprises:
generating second key data of the symmetric cryptographic algorithm in the first manner based on the first information in the signature certificate obtained from the application file.

7. The data encryption and decryption method according to claim 6, wherein encrypting the data to be protected based on the first key data to obtain and save the encrypted data comprises:
encrypting the data to be protected with the symmetric cryptographic algorithm based on the first key data to obtain and save the encrypted data;
and decrypting the encrypted data based on the second key data to obtain the data to be protected comprises:
decrypting the encrypted data with the symmetric cryptographic algorithm based on the second key data to obtain the data to be protected.

8. A data encryption and decryption device, comprising:
a certificate creation module, configured to create a signature certificate of a target application;
a key generation module, configured to generate first key data in a first manner based on first information in the signature certificate;
a data encryption module, configured to encrypt data to be protected based on the first key data to obtain and save encrypted data, wherein the data to be protected is data related to the target application;
a certificate obtaining module, configured to obtain the signature certificate when the data to be protected needs to be called;
a key obtaining module, configured to generate second key data in the first manner based on the first information in the signature certificate obtained from the application file, wherein the second key data is the same as the first key data;
a data decryption module, configured to decrypt the encrypted data based on the second key data to obtain the data to be protected.

9. A computer program product, comprising computer-readable instructions which, when executed on an electronic device, cause the electronic device to implement the data encryption and decryption method according to any one of claims 1 to 7.

10. An electronic device, comprising at least one processor and a memory connected to the processor, wherein:
the memory is used to store a computer program;
the processor is used to execute the computer program, so that the electronic device implements the data encryption and decryption method according to any one of claims 1 to 7.
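
The derivation steps of claim 5 and the encrypt, re-derive, decrypt flow of claim 1, as an added example that is not code from the patent. SHA-256, the truncate-or-zero-pad sizing rule, the function names and the sample certificate values are assumptions, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) because the claims name no specific symmetric algorithm.

```python
import hashlib
import hmac
import os


def fit(data: bytes, size: int) -> bytes:
    """Resize to exactly `size` bytes. Assumed rule: truncate or zero-pad."""
    return data[:size].ljust(size, b"\x00")


def derive_key(fingerprint: bytes, modulus: bytes, key_len: int = 32) -> bytes:
    """Claim 5 steps, with SHA-256 assumed as the target hash algorithm."""
    h = hashlib.sha256()
    if key_len > h.digest_size:
        raise ValueError("key_len exceeds digest size; zero-padding a key is unsafe")
    h.update(fit(fingerprint, h.block_size))  # fingerprint sized to one 64-byte block
    h.update(modulus)                         # public key modulus added to the hash
    return fit(h.digest(), key_len)           # result sized to the cipher's key length


def _subkeys(key: bytes):
    """Separate encryption and MAC keys so the derived key is not reused directly."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 keystream, then a MAC over nonce and ciphertext."""
    enc_k, mac_k = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_k, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_k, nonce + body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_k, mac_k = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_k, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: key does not match the ciphertext")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_k, nonce, len(body))))


# Constructed sample values standing in for fields read from a signing certificate.
RELEASE_FP = hashlib.sha256(b"constructed release certificate").digest()
RELEASE_MOD = bytes(range(1, 256)) + b"\x01"
RESIGNED_FP = hashlib.sha256(b"constructed re-signing certificate").digest()
RESIGNED_MOD = bytes(range(255, 0, -1)) + b"\x03"

if __name__ == "__main__":
    first_key = derive_key(RELEASE_FP, RELEASE_MOD)    # at encryption time
    stored = encrypt(first_key, b"constructed secret")
    second_key = derive_key(RELEASE_FP, RELEASE_MOD)   # re-derived when data is needed
    print(decrypt(second_key, stored))
    try:
        decrypt(derive_key(RESIGNED_FP, RESIGNED_MOD), stored)
    except ValueError as err:
        print("package signed with a different certificate:", err)
```

Both inputs are public fields of the signing certificate, so the derived key ties the ciphertext to that certificate rather than to a stored secret.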

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411214645.5A CN119203172A (en) 2024-08-30 2024-08-30 A data encryption and decryption method and related device


Publications (1)

Publication Number Publication Date
CN119203172A true CN119203172A (en) 2024-12-27

Family

ID=94041097


Country Status (1)

Country Link
CN (1) CN119203172A (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination