CN119539807A - A secure encryption method, device and product suitable for payment system - Google Patents

A secure encryption method, device and product suitable for payment system

Info

Publication number
CN119539807A
Authority
CN
China
Prior art keywords
encryption
dynamic key
payment system
key
factor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202510098413.6A
Other languages
Chinese (zh)
Other versions
CN119539807B (en)
Inventor
徐海龙
孙羽菲
方毅铭
朱函蝶
田舒洋
周鑫澳
李辕
郭强
张智强
林勇良
张玉志
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haihe Laboratory Of Advanced Computing And Key Software Xinchuang
Nankai University
Original Assignee
Haihe Laboratory Of Advanced Computing And Key Software Xinchuang
Nankai University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Haihe Laboratory Of Advanced Computing And Key Software Xinchuang, Nankai University
Priority to CN202510098413.6A
Publication of CN119539807A
Application granted
Publication of CN119539807B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823 Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0872 Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The invention relates to the field of data security and provides a secure encryption method, device and product suitable for a payment system. The method comprises: obtaining a dynamic key through an optimization method of dynamic key generation and rotation; encrypting an authorization token through a double-layer encryption mechanism and the dynamic key; obtaining a target working factor by adjusting the working factor, and optimizing the encryption salt with the dynamic key to obtain encryption salt protection; optimizing the BCrypt encryption algorithm through the target working factor and the encryption salt protection; encrypting user privacy data with the optimized BCrypt encryption algorithm; and encrypting the payment system through the encrypted authorization token and the encrypted user privacy data. Through authorization token optimization and BCrypt encryption algorithm optimization, the invention provides users with a comprehensive data protection solution that improves the security of the system, the user experience and the performance of the payment system.

Description

Secure encryption method, device and product suitable for payment system
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a secure encryption method, apparatus, and product suitable for a payment system.
Background
The original payment system, built for overseas countries, adopts a relatively simple micro-service architecture that mainly focuses on decoupling the services within a single project and implements only basic communication between services. Under this architecture the system generates and distributes tokens through a tool class, but lacks a unified management mechanism for token verification. It also provides no effective solution for refreshing tokens without the user noticing, so users must frequently log in again and the user experience is noticeably degraded. The system further falls short in supporting the international standard for third-party request protocols, and cannot meet the payment system's need to open resources to external parties. A modern payment system needs to provide an efficient and secure interface so that third-party companies or service providers can call payment services, enabling cross-platform and cross-regional interconnection and improving the flexibility and internationalization capability of the system.
The existing payment system uses Spring Security (a security framework) at the application layer, deployed in each micro-service. But the system lacks multi-level security measures such as end-to-end encryption, multi-factor authentication, real-time monitoring and anomaly detection.
The existing payment system is deficient in how it encrypts and stores sensitive user information. It uses a single encryption mechanism that relies on a fixed algorithm, such as the Advanced Encryption Standard with a 256-bit key length (AES-256) or the 256-bit Secure Hash Algorithm (SHA-256), and lacks higher-level security support. Key management is not fine-grained enough: a static key is generally used for encryption, with no key rotation, expiration or backup mechanism, so the risk is extremely high once the key is broken. Multi-level encryption protection is not in place: different encryption strategies are not applied to stored data and transmitted data respectively, so sensitive data receives the same protection under different security requirements and complex security threats cannot be handled in a targeted way. The existing encryption method has limited resistance to cracking and lacks dynamic encryption and adaptive algorithm adjustment, so it is difficult to optimize the encryption strategy in real time as hardware performance and attack techniques evolve, and the protection of user privacy gradually weakens over long-term operation.
The system does not support third-party integration: the current system has no good capability for it. Third-party integration allows another company's product to apply for permission to use the payment product in order to achieve multi-platform and multi-field payment. Without it, the flexibility and convenience of access by external services and applications are limited, and increasingly diverse business requirements are hard to meet.
The performance and structure of the existing micro-service architecture are not clearly defined, which hinders service expansion. The system lacks standardization and optimization in choosing communication modes between services, and does not choose sensibly among modes such as HTTP and Remote Procedure Call (RPC), so the reliability and efficiency of service communication are low.
Disclosure of Invention
The present invention aims to solve at least one of the technical problems existing in the related art. It provides a secure encryption method, device and product suitable for a payment system, which encrypt an authorization token through a double-layer encryption mechanism and an optimization method of dynamic key generation and rotation, optimize the BCrypt (cross-platform file encryption tool) encryption algorithm through an adjustable working factor, and encrypt user privacy data with the optimized BCrypt encryption algorithm.
The invention provides a secure encryption method suitable for a payment system, which comprises the following steps:
obtaining a dynamic key through an optimization method of dynamic key generation and rotation;
encrypting the authorization token through a double-layer encryption mechanism and the dynamic key;
obtaining a target working factor by adjusting the working factor, and optimizing the encryption salt with the dynamic key to obtain encryption salt protection;
optimizing the BCrypt encryption algorithm through the target working factor and the encryption salt protection;
encrypting the user privacy data with the optimized BCrypt encryption algorithm;
encrypting the payment system through the encrypted authorization token and the encrypted user privacy data.
The secure encryption method suitable for a payment system provided by the invention further comprises the following steps:
storing a dynamic key ID generated based on the time stamp and the random number in a key pool;
parsing the header key of the authorization token to obtain a header key ID, and looking up the dynamic key ID in the key pool according to the header key ID to obtain the dynamic key;
decrypting the payload portion of the authorization token using the dynamic key.
In the secure encryption method suitable for a payment system provided by the invention, the double-layer encryption mechanism embeds a key into the header of the authorization token and applies AES-256 encryption to the payload of the authorization token.
The invention provides a secure encryption method suitable for a payment system, which further comprises the steps of:
Acquiring a current system time stamp;
Generating a random number of a fixed length using a random number generator;
Combining the time stamp with the random number to obtain a dynamic key ID, wherein the dynamic key ID has a calculation expression as follows:
Wherein, In order for the dynamic key ID to be used,For the SHA-256 hash algorithm,As the current system time stamp is to be used,A random number generated for a random number generator.
According to the secure encryption method applicable to the payment system provided by the invention, the secure encryption method further comprises the steps of:
setting a target encryption time and a threshold value and initializing a working factor;
If the time required for encryption is less than the target encryption time and the difference between the time required for encryption and the target encryption time is greater than or equal to a threshold value, increasing the working factor;
If the time required for encryption is greater than the target encryption time and the difference between the time required for encryption and the target encryption time is greater than or equal to a threshold value, reducing the work factor;
if the difference between the time required for encryption and the target encryption time is smaller than a threshold value, the adjustment is terminated;
The calculation expression of the target working factor is:
Wherein, As a result of the work factor of the object,The time required for encryption for the current operating factor,For the target encryption time it is possible to encrypt the data,To maximize the objective function variable values at small values.
According to the secure encryption method suitable for a payment system provided by the invention, the BCrypt encryption algorithm includes encryption salt protection: a 16-byte random salt value is automatically generated by the BCrypt encryption algorithm, and the encryption salt is optimized by mixing the random salt value with the dynamic key, which yields the encryption salt protection.
In the secure encryption method suitable for a payment system provided by the invention, the payment system performs authorization and verification using the OAuth 2.0 protocol, which has a built-in refresh token and a custom refresh filter.
The secure encryption method suitable for a payment system provided by the invention further comprises an access token: the OAuth 2.0 protocol is used for user identity verification and resource access authorization; the refresh token obtains a new access token after the access token expires; and the refresh filter automatically checks the access token within a time T before its validity period expires.
The present invention also provides a secure encryption apparatus suitable for a payment system, for performing the secure encryption method suitable for a payment system described in any of the above, comprising:
a dynamic key acquisition module, which obtains a dynamic key through an optimization method of dynamic key generation and rotation;
an authorization token encryption module, which encrypts the authorization token through a double-layer encryption mechanism and the dynamic key;
an adjusting module, which obtains a target working factor by adjusting the working factor and optimizes the encryption salt with the dynamic key to obtain encryption salt protection;
an encryption algorithm optimization module, which optimizes the BCrypt encryption algorithm through the target working factor and the encryption salt protection;
a user privacy encryption module, which encrypts user privacy data with the optimized BCrypt encryption algorithm;
a payment system encryption module, which encrypts the payment system through the encrypted authorization token and the encrypted user privacy data.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the secure encryption method suitable for a payment system described in any of the above.
The one or more technical solutions in the embodiments of the present invention have at least one of the following technical effects:
Through authorization token optimization and BCrypt encryption algorithm optimization, the invention provides users with a comprehensive data protection solution that improves the security of the system, the user experience and the performance of the payment system.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are some embodiments of the invention and that other drawings can be obtained from them without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a secure encryption method suitable for a payment system.
Fig. 2 is a schematic structural diagram of a secure encryption apparatus suitable for use in a payment system according to the present invention.
Reference numerals:
101, dynamic key acquisition module; 102, authorization token encryption module; 103, adjustment module; 104, encryption algorithm optimization module; 105, user privacy encryption module; 106, payment system encryption module.
Detailed Description
To further clarify the objects, technical methods and advantages of the present invention, a more complete and thorough description of the technical methods of the present invention will be provided below, and it should be apparent that the embodiments described are some, but not all, embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention. The following examples are illustrative of the invention but are not intended to limit the scope of the invention.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the embodiments of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. The different embodiments or examples described in this specification, and the features of the different embodiments or examples, may also be combined by those skilled in the art provided they do not contradict each other.
A secure encryption method, apparatus and product suitable for use in a payment system according to the present invention is described below in conjunction with fig. 1-2.
As shown in fig. 1, a secure encryption method suitable for a payment system includes:
S1, obtaining a dynamic key through an optimization method of dynamic key generation and rotation;
S11, storing a dynamic key ID generated based on the time stamp and the random number in a key pool;
The dynamic key ID generated based on the time stamp and the random number includes:
Acquiring a current system time stamp;
Generating a random number of a fixed length using a random number generator;
combining the time stamp with the random number to obtain a dynamic key ID, wherein the calculation expression is as follows:
Wherein, In order for the dynamic key ID to be used,For the SHA-256 hash algorithm,As the current system time stamp is to be used,A random number generated for the random number generator;
After the timestamp and the random number are combined, the SHA-256 hash algorithm is used to generate a Key ID with a fixed 64-bit length. A Key ID generated by this formula is highly unique and unpredictable. Each time a new key is generated, a unique Key ID is assigned to it and stored in the key pool. The Key ID not only identifies the version of the key but also serves for key matching during JWT generation and verification;
S12, parsing the header key of the authorization token to obtain a header key ID, and looking up the dynamic key ID in the key pool according to the header key ID to obtain the dynamic key;
The payload portion of the authorization token is decrypted using the dynamic key.
Matching the key embedded in the authorization token header against the key version in the key pool ensures that each authorization token is decrypted and verified using the corresponding latest key.
S2, encrypting the authorization token through a double-layer encryption mechanism and the dynamic key;
The double-layer encryption mechanism embeds a key into the header of the authorization token and applies AES-256 encryption to the payload of the authorization token;
Because the payload of the authorization token is AES-256 encrypted, a malicious user cannot decrypt the sensitive information in it even if the token is intercepted in transit. The encrypted data can be decrypted only with the corresponding dynamic key, which makes cracking after a leak harder.
Through the key pool and a caching mechanism, the payment system avoids key synchronization lag while maintaining high performance.
At the same time, the authorization token's resistance to leakage is significantly strengthened, in the following ways:
The payload of the authorization token is AES-256 encrypted, so even if the token is intercepted in transit, a malicious user cannot decrypt the sensitive information in it. The encrypted data can be decrypted only with the corresponding dynamic key, which makes cracking after a leak harder.
Traditional static Key IDs may be easily guessed or predicted by an attacker, whereas with Key ID generation based on the timestamp and the random number each Key ID is highly random and unique. An attacker who wants to predict or collide with a valid kid faces enormous computational complexity.
The key rotation strategy ensures that even if a key is exposed or leaked over a long period, only token verification within a short window is affected. By updating keys periodically, the system greatly reduces the leakage risk caused by using the same key for a long time.
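An added Go example (not code from the patent) of steps S1 and S2: a key pool indexed by a SHA-256 key ID, a token whose header carries that ID, and an AES-256 encrypted payload. The `KeyPool` type, the `<key ID>.<body>` token layout, the byte layout of timestamp and random number, the hex encoding of the ID and the use of GCM mode with the header as associated data are assumptions; the text specifies only AES-256 and SHA-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// KeyPool (hypothetical type) maps a dynamic key ID to an AES-256-GCM instance.
type KeyPool struct {
	keys    map[string]cipher.AEAD
	current string // ID of the key used for newly issued tokens
}

func NewKeyPool() *KeyPool { return &KeyPool{keys: map[string]cipher.AEAD{}} }

// NewKeyID returns hex(SHA-256(timestamp || random number)), 64 hex characters.
// The byte layout of the concatenation is an assumption.
func NewKeyID(now time.Time, random []byte) string {
	buf := make([]byte, 8, 8+len(random))
	binary.BigEndian.PutUint64(buf, uint64(now.UnixNano()))
	sum := sha256.Sum256(append(buf, random...))
	return hex.EncodeToString(sum[:])
}

// Rotate creates a fresh random key, stores it under a new ID and makes it current.
// Older keys stay in the pool so tokens issued before the rotation still verify.
func (p *KeyPool) Rotate(now time.Time) (string, error) {
	buf := make([]byte, 48) // 16-byte random number + 32-byte key
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(buf[16:]) // a 32-byte key selects AES-256
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	p.current = NewKeyID(now, buf[:16])
	p.keys[p.current] = gcm
	return p.current, nil
}

// Retire drops a key; every token issued under it stops decrypting.
func (p *KeyPool) Retire(kid string) { delete(p.keys, kid) }

// Seal issues "<key ID>.<base64url(nonce || ciphertext)>". The header is passed
// as associated data, so a token with a swapped key ID fails authentication.
func (p *KeyPool) Seal(payload []byte) (string, error) {
	gcm, ok := p.keys[p.current]
	if !ok {
		return "", errors.New("key pool has no current key")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	body := gcm.Seal(nonce, nonce, payload, []byte(p.current))
	return p.current + "." + base64.RawURLEncoding.EncodeToString(body), nil
}

// Open parses the header key ID, looks it up in the pool and decrypts the payload.
func (p *KeyPool) Open(token string) ([]byte, error) {
	kid, enc, _ := strings.Cut(token, ".")
	gcm, ok := p.keys[kid]
	if !ok {
		return nil, errors.New("unknown or retired key ID")
	}
	body, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(body) < gcm.NonceSize() {
		return nil, errors.New("malformed token body")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, body[:n], body[n:], []byte(kid))
}

func main() {
	pool := NewKeyPool()
	pool.Rotate(time.Now())
	token, _ := pool.Seal([]byte(`{"sub":"user-1001","scope":"pay"}`)) // constructed claims
	pool.Rotate(time.Now()) // the old key stays in the pool, so the token still opens
	claims, err := pool.Open(token)
	fmt.Println(string(claims), err)
}
```

How long a rotated-out key stays in the pool before `Retire` is called bounds how long a leaked key remains useful, so it should not exceed the token lifetime.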
S3, obtaining a target working factor by adjusting the working factor, and optimizing encryption salt by a dynamic key to obtain encryption salt protection;
Working factor: BCrypt uses an adjustable working factor, called the cost parameter, to increase the complexity and time consumption of encryption. Setting a higher cost parameter makes brute-force cracking take longer, which strengthens data security.
In BCrypt the working factor is expressed as a power of 2 and represents the complexity of the algorithm, that is, the number of iterations in the encryption process. If the working factor is set to 10, BCrypt performs 2^10 = 1024 iterations, i.e. 1024 rounds of processing. If the working factor is too high, the encryption computation becomes very time-consuming: brute-force cracking becomes much harder, but unnecessary system overhead is incurred.
The invention tunes the BCrypt working factor so that it adapts intelligently to the payment system's hardware. Specifically, a target of completing password encryption within 100 ms is set; an initial working factor (such as 10) is selected randomly and used to encrypt a test password, and the time needed to complete the encryption is recorded. If the measured time is far below 100 ms, the working factor is increased; if it exceeds 100 ms, it is decreased. Repeated adjustment and testing of the working factor finds the best working factor close to the target time. Based on the current hardware performance and the security requirements of the payment system, continuous test optimization sets the working factor at about 12, balancing the security and the speed of the system.
By adjusting the work factor, obtaining the target work factor includes:
setting a target encryption time and a threshold value and initializing a working factor;
If the time required for encryption is less than the target encryption time and the difference between the time required for encryption and the target encryption time is greater than or equal to a threshold value, increasing the working factor;
Wherein, As a result of the new work factor,As a function of the current operating factor,The amount of change in the operating factor is,
If the time required for encryption is greater than the target encryption time and the difference between the time required for encryption and the target encryption time is greater than or equal to a threshold value, reducing the work factor;
If the error between the time required for encryption and the target encryption time is smaller than the threshold value, the adjustment is terminated.
The calculation expression of the work factor optimization is as follows:
Wherein, As a result of the work factor of the object,The time required for encryption for the current operating factor,For the target encryption time it is possible to encrypt the data,To maximize the objective function variable values at small values.
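An added Go example (not code from the patent) of the adjustment rules above, with the timing function injected so the loop can be checked on fixed numbers. It goes beyond the text in two places, both assumptions: a floor and a ceiling on the working factor, and a fallback to the closest measured value when the threshold cannot be reached because each step doubles the time. `standIn` times chained SHA-256 rounds and is not BCrypt, which Go's standard library does not include.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Measure reports how long one hash of a test password takes at a working factor.
type Measure func(cost int) time.Duration

// gap is the absolute difference between a measured time and the target.
func gap(d, target time.Duration) time.Duration {
	if d < target {
		return target - d
	}
	return d - target
}

// Calibrate applies the adjustment rules, stepping the working factor by 1
// (assumed step size) and never leaving [floor, ceil]. The floor keeps slow
// hardware from driving the factor down to an unsafe value.
func Calibrate(measure Measure, target, threshold time.Duration, start, floor, ceil int) (int, error) {
	if floor > ceil || start < floor || start > ceil || threshold <= 0 {
		return 0, errors.New("invalid calibration parameters")
	}
	seen := map[int]time.Duration{}
	for cost := start; ; {
		if _, revisited := seen[cost]; revisited {
			break // bouncing between neighbours: the threshold is unreachable
		}
		d := measure(cost)
		seen[cost] = d
		switch {
		case gap(d, target) < threshold:
			return cost, nil // within the threshold: adjustment terminates
		case d < target && cost < ceil:
			cost++ // faster than the target: increase the working factor
		case d > target && cost > floor:
			cost-- // slower than the target: reduce the working factor
		default:
			return cost, nil // pinned at the floor or the ceiling
		}
	}
	// Fallback: the measured factor whose time is closest to the target;
	// on a tie the higher (stronger) factor wins.
	best := start
	for cost, d := range seen {
		g, b := gap(d, target), gap(seen[best], target)
		if g < b || (g == b && cost > best) {
			best = cost
		}
	}
	return best, nil
}

// standIn times 2^cost chained SHA-256 rounds. It is NOT BCrypt; it only gives
// the loop something whose cost doubles per step. In production, time the real
// BCrypt call at each factor instead.
func standIn(cost int) time.Duration {
	begin := time.Now()
	sum := sha256.Sum256([]byte("test-password")) // constructed test input
	for i := 0; i < 1<<cost; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return time.Since(begin)
}

func main() {
	cost, err := Calibrate(standIn, 100*time.Millisecond, 10*time.Millisecond, 10, 10, 31)
	fmt.Println("selected working factor:", cost, err)
}
```

With a 100 ms target and a 10 ms threshold, hardware that takes 70 ms at one factor takes about 140 ms at the next, so without the revisit check the loop would alternate between the two indefinitely.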
In the encryption salt protection step, BCrypt automatically generates a 16-byte random salt value and combines the random salt value with the password, so that the same password produces a different encryption result each time and rainbow table attacks are prevented.
S4, optimizing the BCrypt encryption algorithm through the target work factor and encryption salt protection;
The BCrypt encryption algorithm includes encryption salt protection and a work factor, and the BCrypt encryption algorithm is optimized through the target work factor and encryption salt protection.
The working factor can be adjusted, so that the system can be ensured to always run with the optimal working factor, and the performance of the encryption process is optimized while the safety requirement is met;
As the system functions and architecture continue to be perfected, the hardware performance thereof also improves, and the original working factors may not be sufficiently safe. By adjusting the working factors regularly, the anti-cracking capability of the algorithm is ensured not to be reduced due to the improvement of the computing capability, and the password protection of the system is ensured to be in an optimal state all the time.
S5, encrypting the user privacy data through an optimized BCrypt encryption algorithm;
The system needs to encrypt privacy-sensitive information such as the user's personal information, payment information and identity information when storing it. The BCrypt encryption algorithm is optimized through the target work factor and encryption salt protection, and the user privacy data is encrypted through the optimized BCrypt encryption algorithm.
S6, encrypting the payment system by encrypting the authorization token and encrypting the user privacy data.
The payment system adopts an open authorization (Open Authentication, OAuth) 2.0 protocol for authorization and verification, and the OAuth 2.0 protocol is internally provided with a refresh token and a self-defined refresh filter;
The OAuth 2.0 protocol also includes an access token for user authentication and authorization to access the resource; the refresh token reacquires a new access token after expiration of the access token, and the refresh filter automatically detects within the time T before expiration of the access token validity period.
In some embodiments of the invention, T = 0.5 hours.
As shown in fig. 2, a secure encryption apparatus suitable for a payment system includes:
the dynamic key obtaining module 101 obtains a dynamic key through an optimization method of dynamic key generation and rotation;
the authorization token encryption module 102 encrypts the authorization token through a double-layer encryption mechanism and a dynamic key;
The adjustment module 103 obtains a target working factor by adjusting the working factor, and obtains encryption salt protection by optimizing encryption salt through a dynamic key;
The encryption algorithm optimization module 104 optimizes the BCrypt encryption algorithm through the target working factor and encryption salt protection;
The user privacy encryption module 105 encrypts the user privacy data through the optimized BCrypt encryption algorithm;
The payment system encryption module 106 encrypts the payment system by encrypting the authorization token and encrypting the user privacy data.
Through the cooperative work of the modules, the safe encryption of the payment system is realized, a comprehensive data protection solution is provided for a user, the safety of the system is improved, the user experience is improved, and the performance of the payment system is improved.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the execution of a secure encryption method for a payment system provided by the methods described above.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform a secure encryption method applicable to a payment system as provided above.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the method of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on such understanding, the above-described technical methods, in essence or contributing to the prior art, may be embodied in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., comprising instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform the method described by the various embodiments or portions of the embodiments.
It should be finally noted that the above-mentioned embodiments are only intended to illustrate the technical method of the present invention, and not to limit it, and although the present invention has been described in detail with reference to the above-mentioned embodiments, it should be understood by those skilled in the art that the technical method described in the above-mentioned embodiments may be modified or some technical features may be equivalently replaced, and these modifications or substitutions do not depart from the spirit and scope of the technical method of the embodiments of the present invention from the essence of the corresponding technical method.

Claims (10)

1. A secure encryption method suitable for use in a payment system, comprising:
Obtaining a dynamic key through an optimization method of dynamic key generation and rotation;
encrypting the authorization token through a double-layer encryption mechanism and a dynamic key;
The target working factor is obtained by adjusting the working factor, and the encryption salt is optimized by the dynamic key to obtain encryption salt protection;
Optimizing the BCrypt encryption algorithm through the target working factor and encryption salt protection;
Encrypting the user privacy data through the optimized BCrypt encryption algorithm;
The payment system is encrypted by encrypting the authorization token and encrypting the user privacy data.
2. A secure encryption method applicable to a payment system according to claim 1, characterized in that the optimization method of dynamic key generation and rotation comprises:
storing a dynamic key ID generated based on the time stamp and the random number in a key pool;
analyzing the head key of the authorization token to obtain a head key ID, and searching a dynamic key ID in a key pool according to the head key ID to obtain a dynamic key;
The payload portion of the authorization token is decrypted using the dynamic key.
3. A secure encryption method for use in a payment system according to claim 1, wherein the dual layer encryption mechanism embeds a key into the header of the authorization token and AES-256 encrypts the payload portion of the authorization token.
4. A secure encryption method for use in a payment system according to claim 2, wherein the dynamic key ID generated based on the time stamp and the random number comprises:
Acquiring a current system time stamp;
Generating a random number of a fixed length using a random number generator;
Combining the time stamp with the random number to obtain a dynamic key ID, wherein the dynamic key ID has a calculation expression as follows:
Wherein, In order for the dynamic key ID to be used,For the SHA-256 hash algorithm,As the current system time stamp is to be used,A random number generated for a random number generator.
5. A secure encryption method for use in a payment system according to claim 1, wherein obtaining the target work factor by adjusting the work factor comprises:
setting a target encryption time and a threshold value and initializing a working factor,
If the time required for encryption is less than the target encryption time and the difference between the time required for encryption and the target encryption time is greater than or equal to a threshold value, increasing the working factor;
if the difference between the time required for encryption and the target encryption time is smaller than a threshold value, the adjustment is terminated;
The calculation expression of the target working factor is:
Wherein, As a result of the work factor of the object,The time required for encryption for the current operating factor,For the target encryption time it is possible to encrypt the data,To maximize the objective function variable values at small values.
6. The secure encryption method for payment systems according to claim 1, wherein the BCrypt encryption algorithm further comprises encryption salt protection, wherein a 16-byte random salt value is automatically generated by the BCrypt encryption algorithm, and the encryption salt is optimized by mixing the random salt value with the dynamic key to obtain the encryption salt protection.
7. The secure encryption method for a payment system of claim 1, wherein the payment system is authorized and authenticated using OAuth 2.0 protocol, the OAuth 2.0 protocol having a refresh token and a custom refresh filter built in.
8. The secure encryption method applicable to a payment system of claim 7, wherein said OAuth 2.0 protocol further comprises an access token for user authentication and authorization to access a resource, said refresh token reacquires a new access token after expiration of said access token, said refresh filter automatically detects within a time T before expiration of said access token validity period.
9. A secure encryption apparatus adapted for use in a payment system for performing a secure encryption method according to any one of claims 1 to 8, comprising:
the dynamic key acquisition module acquires a dynamic key through a dynamic key generation and rotation optimization method;
the authorization token encryption module encrypts the authorization token through a double-layer encryption mechanism and a dynamic key;
the adjusting module is used for obtaining a target working factor by adjusting the working factor, optimizing the encryption salt through the dynamic key and obtaining encryption salt protection;
The encryption algorithm optimization module optimizes the BCrypt encryption algorithm through the target working factor and encryption salt protection;
the user privacy encryption module encrypts user privacy data through an optimized BCrypt encryption algorithm;
And the payment system encryption module encrypts the payment system through encrypting the authorization token and encrypting the user privacy data.
10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements a secure encryption method applicable to a payment system as claimed in any one of claims 1 to 8.
CN202510098413.6A 2025-01-22 2025-01-22 A secure encryption method, device and product suitable for payment system Active CN119539807B (en)


Publications (2)

Publication Number Publication Date
CN119539807A (en) 2025-02-28
CN119539807B CN119539807B (en) 2025-05-06

Family

ID=94697217


Country Status (1)

Country Link
CN (1) CN119539807B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant