Method, device, equipment, storage medium and product for protecting service key
By encrypting the business private key to generate password verification ciphertext and combining it with the decryption operation of the software cryptographic module, the risk of leakage during key transmission is solved, and the security of data transmission is improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- TENCENT TECHNOLOGY (SHENZHEN) CO LTD
- Filing Date
- 2023-06-19
- Publication Date
- 2026-06-26
Smart Images

Figure CN119172089B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of data encryption technology, and in particular to a method, apparatus, device, storage medium, and product for protecting business keys. Background Technology
[0002] With the continuous development of network technology, data security has gradually become a key concern across various industries. During data transmission, data is typically encrypted using a key before being sent to the recipient. The recipient then decodes the encrypted data to retrieve it. Therefore, ensuring the secure transmission of keys is also of paramount importance.
[0003] In related technologies, the method to ensure key security usually involves managing the key with a cryptographic device and performing cryptographic operations by a software cryptographic module (an application with cryptographic operation capabilities). The first application obtains the key through the cryptographic device, sends the key and transmission data to the software cryptographic module for cryptographic operations, and obtains the cryptographic operation result for data transmission.
[0004] However, in related technologies, since the cryptographic device manages the key in a black-box environment, the key needs to be decrypted and sent to the first application, which then sends it to the software cryptographic module. During this process, there is a possibility that the key content may be intercepted or leaked, which weakens the security of key management and consequently reduces the security of key transmission. Summary of the Invention
[0005] This application provides a method, apparatus, device, storage medium, and product for protecting business keys, which can ensure the security of data transmission under encrypted conditions by improving the security strength of key management. The technical solution is as follows.
[0006] On the one hand, a method for protecting business keys is provided, the method comprising:
[0007] The password verification ciphertext is obtained by encrypting the business private key in the business public-private key pair. The password verification ciphertext refers to the password text parameter generated after encrypting the business private key in the business public-private key pair, which is a password text parameter used to encrypt and protect the business private key.
[0008] The system obtains the received key ciphertext generated by encrypting the business key with the business public key in the business public-private key pair by a cryptographic device, and obtains the business data sent by the first application. The key ciphertext refers to the cryptographic text parameter obtained by encrypting the business key with the business public key in the business public-private key pair by a cryptographic device, and the business key refers to the cryptographic text parameter used to perform cryptographic operations on the business data.
[0009] The password verification ciphertext is decrypted to obtain the business private key corresponding to the key ciphertext.
[0010] The business key is obtained by decrypting the ciphertext of the key using the business private key.
[0011] The cryptographic operation is performed on the business data using the business key to obtain the cryptographic operation result corresponding to the business data.
[0012] On the other hand, a method for protecting business keys is also provided, the method comprising:
[0013] Receive a data encryption request sent by a first application, the data encryption request being used to encrypt business data;
[0014] The password verification ciphertext is obtained by encrypting the business private key in the business public-private key pair. The password verification ciphertext is a password text parameter used to encrypt and protect the business private key.
[0015] The system obtains the key ciphertext generated by the cryptographic device encrypting the business key using the business public key in the business public-private key pair, and obtains the business data sent by the first application, wherein the business key refers to the cryptographic text parameter used to perform encryption operations on the business data.
[0016] The password verification ciphertext is decrypted to obtain the business private key corresponding to the key ciphertext.
[0017] The business key is obtained by decrypting the ciphertext of the key using the business private key.
[0018] The encryption operation is performed on the business data using the business key to obtain encrypted data corresponding to the business data. Based on the data encryption request, the encrypted data is sent to the second application for data processing. The second application and the first application transmit data under encrypted conditions.
[0019] On the other hand, a business key protection device is provided, the device comprising:
[0020] The first acquisition module is used to obtain password verification ciphertext by encrypting the business private key in the business public-private key pair. The password verification ciphertext is a password text parameter used to encrypt and protect the business private key.
[0021] The first receiving module is used to obtain the key ciphertext generated by the cryptographic device encrypting the business key with the business public key in the business public-private key pair, and to obtain the business data sent by the first application, wherein the business key refers to the cryptographic text parameter used to perform cryptographic operations on the business data.
[0022] The first calculation module is used to perform decryption operations on the password verification ciphertext to obtain the business private key corresponding to the key ciphertext.
[0023] The computing module is further configured to perform decryption operations on the key ciphertext using the business private key to obtain the business key;
[0024] The computing module is further configured to perform the cryptographic operation on the business data using the business key to obtain the cryptographic operation result corresponding to the business data.
[0025] On the other hand, a business key protection device is also provided, the device comprising:
[0026] The second receiving module is used to receive a data encryption request sent by the first application, wherein the data encryption request is used to encrypt business data;
[0027] The second acquisition module is used to obtain password verification ciphertext by encrypting the business private key in the business public-private key pair. The password verification ciphertext is a password text parameter used to encrypt and protect the business private key.
[0028] The second acquisition module is further configured to acquire the key ciphertext generated by the cryptographic device encrypting the business key using the business public key in the business public-private key pair, and to acquire the business data sent by the first application, wherein the business key refers to the cryptographic text parameter used to perform encryption operations on the business data;
[0029] The second calculation module is used to perform decryption operations on the password verification ciphertext to obtain the business private key corresponding to the key ciphertext.
[0030] The second calculation module is further configured to perform decryption operations on the key ciphertext using the business private key to obtain the business key;
[0031] The sending module is used to perform the encryption operation on the business data using the business key to obtain encrypted data corresponding to the business data, and send the encrypted data to the second application for data processing based on the data encryption request. The second application and the first application transmit data under encrypted conditions.
[0032] On the other hand, a computer device is provided, the computer device including a processor and a memory, the memory storing at least one instruction, at least one program, code set or instruction set, the at least one instruction, the at least one program, the code set or instruction set being loaded and executed by the processor to implement the business key protection method as described in any of the embodiments of this application above.
[0033] On the other hand, a computer-readable storage medium is provided, wherein at least one instruction, at least one program, code set, or instruction set is stored therein, wherein the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by a processor to implement the business key protection method as described in any of the embodiments of this application above.
[0034] On the other hand, a computer program product or computer program is provided, which includes computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform the business key protection method described in any of the above embodiments.
[0035] The beneficial effects of the technical solutions provided in this application include at least the following:
[0036] First, the ciphertext corresponding to the business private key in the business public-private key pair is obtained. Upon receiving the ciphertext content encrypted by the cryptographic device using the business public key in the business public-private key pair, along with the business data, the ciphertext is first decrypted to obtain the business private key corresponding to the key ciphertext. Then, the key ciphertext is decrypted using the business private key to obtain the business key. Finally, the business data is cryptographically processed using the business key to obtain the cryptographic result. In other words, by combining the software cryptographic module and the cryptographic device, a ciphertext verification text generated after encrypting the business private key is added to the software cryptographic module. The business private key obtained by decrypting the ciphertext then decrypts the key ciphertext, enhancing the protection of the key security, preventing key leakage during transmission, improving key protection security, and thus improving the security of encrypted data transmission. Attached Figure Description
[0037] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0038] Figure 1 This is a schematic diagram of a method for protecting a business key provided in an exemplary embodiment of this application;
[0039] Figure 2 This is a schematic diagram of an implementation environment provided by an exemplary embodiment of this application;
[0040] Figure 3This is a flowchart of a business key protection method provided in an exemplary embodiment of this application;
[0041] Figure 4 This is a flowchart of a business key protection method provided in another exemplary embodiment of this application;
[0042] Figure 5 This is a flowchart of the training process for a business key protection method provided in another exemplary embodiment of this application;
[0043] Figure 6 This is a flowchart of the training process for a business key protection method provided in another exemplary embodiment of this application;
[0044] Figure 7 This is a schematic diagram of a method for protecting business keys provided in another exemplary embodiment of this application;
[0045] Figure 8 This is a schematic diagram of a method for protecting business keys provided in another exemplary embodiment of this application;
[0046] Figure 9 This is a structural block diagram of a business key protection device provided in an exemplary embodiment of this application;
[0047] Figure 10 This is a structural block diagram of a business key protection device provided in another exemplary embodiment of this application;
[0048] Figure 11 This is a structural block diagram of a business key protection device provided in another exemplary embodiment of this application;
[0049] Figure 12 This is a schematic diagram of the structure of a server provided in an exemplary embodiment of this application. Detailed Implementation
[0050] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.
[0051] First, a brief introduction to the terms used in the embodiments of this application will be given.
[0052] Software cryptography module: An entity that performs cryptographic functions (such as encryption, decryption, signing, and verification) in software form. It can be a software development kit (SDK) or an application.
[0053] White-box encryption, also known as white-box symmetric encryption, refers to a special encryption method that can resist external attacks in a white-box environment. White-box encryption does not require the full key to be presented during the encryption process; therefore, even if the relevant data is stolen during the entire encryption process, the full key cannot be obtained.
[0054] First, the implementation environment corresponding to this application will be introduced. Please refer to the illustrative example. Figure 1 It illustrates a schematic diagram of an implementation environment provided by an exemplary embodiment of this application, such as... Figure 1 As shown, the implementation environment includes a terminal 110, a cryptographic device 120, and a server 130, which are connected via a communication network 140.
[0055] Indicatively, a first application runs in terminal 110. The first application ensures that business data is transmitted under encrypted conditions by calling a software cryptographic module and a cryptographic device. For example, during the data transmission process between the first application and the second application, the first application encrypts the business data by calling the software cryptographic module and the cryptographic device before sending it to the second application. When the second application receives the encrypted business data, it decrypts the encrypted business data by calling the software cryptographic module and the cryptographic device to obtain the business data.
[0056] In an optional embodiment, server 130 integrates at least one software cryptographic module, wherein the software cryptographic module is used to perform cryptographic operations on the input business data using a key. Optionally, server 130 integrates one or more software cryptographic modules. When server 130 integrates multiple software cryptographic modules, the multiple software cryptographic modules can be integrated within the same business service architecture, wherein the business service architecture refers to the architecture used to provide a specified service type.
[0057] In another alternative embodiment, the software cryptography module may also be integrated into the terminal. That is, in the current case, the software cryptography module and the first application are in the same terminal or in different terminals, without limitation.
[0058] In this embodiment, the example is that the software cryptography module is integrated into the server 130. During the operation of the first application on the terminal 110, when the first application needs to perform cryptographic operations on business data, taking the data encryption operation as an example, the terminal 110 receives the key ciphertext sent by the cryptographic device 120. The key ciphertext refers to the cryptographic text parameter (e.g., a string represented in binary form) obtained by the cryptographic device encrypting the business key using the business public key in the business public-private key pair. The business key is used to encrypt the business data generated in the first application.
[0059] After obtaining the key ciphertext, terminal 110 sends the key ciphertext and business data to server 130 for data encryption.
[0060] Server 130 integrates a software cryptographic module that stores password verification ciphertext. This ciphertext refers to the password text parameter generated after encrypting the business private key in the business public-private key pair. When server 130 receives the key ciphertext and business data, it first decrypts the password verification ciphertext using the software cryptographic module to obtain the corresponding business private key. Then, it decrypts the key ciphertext using the business private key to obtain the business key. Finally, it encrypts the business data using the business key to obtain the encrypted data, which is then sent back to terminal 110.
[0061] Among them, terminal 110 includes at least one of the following terminals: smartphone, tablet computer, portable laptop, desktop computer, smart speaker, smart wearable device, smart voice interaction device, smart home appliance, vehicle terminal, etc. Server 130 can be applied to scenarios that realize command operation in the fields of smart transportation, vehicle terminal and Internet of Things.
[0062] It is worth noting that the aforementioned communication network 140 can be implemented as a wired network or a wireless network, and the communication network 140 can be implemented as any one of a local area network, a metropolitan area network, or a wide area network. This application embodiment does not limit this.
[0063] It is worth noting that the aforementioned server 130 can be implemented as a cloud server in the cloud. Cloud technology refers to a hosting technology that unifies a series of resources such as hardware, software, and networks within a wide area network or local area network to realize the calculation, storage, processing, and sharing of data.
[0064] In some embodiments, the server 130 described above can also be implemented as a node in a blockchain system.
[0065] It is worth noting that the method for protecting the business key provided in this application embodiment can be implemented by the terminal 110 alone, by the server 130 alone, or by the terminal 110 and the server 130 working together.
[0066] When the terminal 110 and the server 130 work together to implement the solution provided in this application embodiment, the terminal 110 and the server 130 can be directly or indirectly connected through wired or wireless communication, and this application embodiment does not limit this.
[0067] It should be noted that this application may display prompt interfaces, pop-ups, or output voice prompts before and during the collection of user data. These prompt interfaces, pop-ups, or voice prompts are used to inform the user that their data is being collected. This ensures that the application only begins the steps for collecting user data after receiving confirmation from the user regarding the prompt interface or pop-up; otherwise (i.e., without user confirmation), the steps for collecting user data end, meaning no user data is collected. In other words, all user data collected in this application is collected with the user's consent and authorization, and the collection, use, and processing of related user data must comply with the relevant laws, regulations, and standards of the relevant regions.
[0068] Based on the above-described terminology and implementation environment, the method for protecting business keys provided in this application embodiment will be explained. The explanation will use the example of a server executing the method as an illustration. Please refer to [reference needed]. Figure 2 The diagram illustrates a flowchart of a method for protecting a business key provided in an exemplary embodiment of this application, the method comprising the following steps.
[0069] Step 210: Obtain the password verification ciphertext by encrypting the business private key in the business public-private key pair.
[0070] Among them, the password verification ciphertext refers to the password text parameter used to encrypt and protect the business private key.
[0071] In some embodiments, the server integrates at least one software cryptographic module. The method for protecting the business key in this application embodiment is illustrated by taking its application in the software cryptographic module as an example. In another feasible implementation, the software cryptographic module may also be integrated into the terminal, and this is not limited.
[0072] In illustrative terms, a business public-private key pair refers to a shared key pair agreed upon between a cryptographic device and a software cryptographic module. This pair includes a business public key and a business private key. The shared key pair is used for authentication between the cryptographic device and the software cryptographic module. For example, the cryptographic device encrypts part of the data using the business public key, and the software cryptographic module, after receiving the encrypted data, decrypts it using the business private key to recover the remaining data.
[0073] Therefore, the business public-private key pair is a shared key pair in an asymmetric encryption technology, that is, both the public key and the private key belong to the key.
[0074] In some embodiments, both the business private key and the business public key are strings composed of random numbers.
[0075] As an illustration, the business private key in the business public-private key pair is stored in the software cryptographic module in an encrypted manner. Therefore, the password text parameter generated after encrypting the business private key is the password verification ciphertext.
[0076] Optionally, the private key can be encrypted using at least one of the following methods:
[0077] 1. Use white-box encryption technology to encrypt the business private key. For example, after obfuscating the business private key multiple times, generate a relatively complex matrix for storage. In this way, even if the software cryptographic module is attacked, only the obfuscated matrix can be obtained, and the business private key cannot be directly obtained or restored.
[0078] 2. Use black-box encryption technology to encrypt the business private key. For example, after encrypting the business private key with a specified type, an encrypted data is obtained. The specified type can be implemented by converting the business private key, which is originally represented in binary form, into decimal representation and marking the encryption type corresponding to the encrypted data.
[0079] It is worth noting that the above-described encryption methods for business private keys are merely illustrative examples, and the embodiments of this application do not limit them.
[0080] White-box encryption technology refers to encrypting business data to make it resistant to white-box attacks. A white-box attack, in particular, refers to an attacker gaining complete control over the operating environment and executable program of an encryption system (such as a software cryptographic module), allowing them to observe and modify arbitrary internal operations and data, including the device's central processing unit (CPU), registers, and memory.
[0081] Black-box encryption technology refers to encrypting business data so that the encrypted data can withstand black-box attacks. A black-box attack, in particular, refers to an attacker performing statistical analysis on both the plaintext (business data) and the ciphertext (encrypted business data).
[0082] In some embodiments, the software cryptography module obtains the password verification ciphertext from a pre-stored parameter file.
[0083] Optionally, the software cryptographic module stores one or more password verification ciphertexts. When the software cryptographic module stores multiple password verification ciphertexts, different password verification ciphertexts correspond to different first applications. For example, when the software cryptographic module receives a password operation request from the first application a, it retrieves the password verification ciphertext 1 corresponding to the first application a from the parameter file. When the software cryptographic module receives a password operation request from the first application b, it retrieves the password verification ciphertext 2 corresponding to the first application b from the parameter file.
[0084] Step 220: Obtain the key ciphertext generated by the cryptographic device encrypting the business key using the business public key in the business public-private key pair, and obtain the business data sent by the first application.
[0085] Among them, the business key refers to the cryptographic text parameter used to perform cryptographic operations on business data.
[0086] In some embodiments, the business data is related data generated by a first application. For example, the first application is an application with pathological data recording capabilities. After the first application generates pathological data corresponding to a user, it needs to encrypt the pathological data before sending it to the diagnostic platform for medical diagnosis. Therefore, the first application currently has an encryption requirement. It is worth noting that, at this time, the diagnostic platform is the second application, used to transmit data with the first application under encrypted conditions.
[0087] In illustrative terms, the role of the business key is to perform corresponding cryptographic operations on the business data generated by the first application according to the business requirements corresponding to the first application.
[0088] Optionally, cryptographic operations include at least one of the following types of operations: encryption, decryption, signing, and signature verification.
[0089] Encryption refers to encrypting business data to obtain encrypted data; decryption refers to performing relevant operations on the encrypted business data to restore it to its original state; signature refers to identity verification during data transmission under encrypted conditions, for example, when the sender sends encrypted data to the receiver, it also sends a data signature to verify the sender's identity information; signature verification refers to the receiver verifying the sender's identity information through the data signature.
[0090] In some embodiments, a cryptographic device refers to a hardware device used for storing and managing business keys. Optionally, the cryptographic device includes at least one of the following device types: hardware cryptographic machine, managed cryptographic machine, hardware cryptographic card, etc.
[0091] To illustrate, when the cryptographic device receives a cryptographic operation request from the first application, the cryptographic device encrypts the business key according to the business public key in the business public-private key pair pre-agreed with the software cryptographic module, obtains the key ciphertext corresponding to the business key, and sends it to the first application.
[0092] Optionally, after generating the key ciphertext, the cryptographic device sends the key ciphertext to the first application, which then sends it to the software cryptographic module; or, the cryptographic device sends the key ciphertext directly to the software cryptographic module after generating it, without limitation.
[0093] Optionally, the data file format corresponding to the key ciphertext includes at least one of the following format types: format with the suffix ".cer", format with the suffix ".ce rt", format with the suffix ".crt", and format with the suffix ".key".
[0094] Optionally, the key algorithm type of the business public-private key pair includes at least one of the following types: Elliptic Curve Cryptography (SM2), based on special invertible modular exponentiation (RSA), Block Data Algorithm (SM4), Elliptic Curve Digital Signature Algorithm (ECDSA), and Advanced Encryption Standard (AES).
[0095] It is worth noting that the business public key and business private key in the business public-private key pair correspond to the same key algorithm type. For example, business public-private key pair a includes an SM2 public key and an SM2 private key.
[0096] Optionally, the business private key and business public key in the business public-private key pair are generated simultaneously; or, the business private key is generated first, and then the corresponding business public key is obtained by performing public key operations based on the business private key; or, the business public key is generated first, and then the corresponding business public key is obtained by performing private key operations based on the business public key.
[0097] Both public key operations and private key operations employ a specified type of mathematical algorithm to perform mathematical calculations on the business private key / business public key to obtain the corresponding business public key / business private key.
[0098] In some embodiments, after receiving the key ciphertext sent by the cryptographic device, the first application sends the key ciphertext and business data to the software cryptographic module.
[0099] In other embodiments, the first application sends only business data to the software cryptographic module, and the cryptographic device sends the key ciphertext to the software cryptographic module.
[0100] Step 230: Decrypt the password verification ciphertext to obtain the business private key corresponding to the key ciphertext.
[0101] To illustrate, after obtaining the key ciphertext and business data, and based on the obtained password verification ciphertext, the password verification ciphertext is first decrypted to restore the password verification ciphertext to the business private key in the business private key pair.
[0102] In some embodiments, during the process of white-box encryption of the business private key using white-box encryption technology, the business private key is encrypted with a pre-generated white-box key to obtain the password verification ciphertext. Therefore, the process of decrypting the verification password ciphertext involves using the pre-generated white-box key to perform decryption operations, thereby restoring the business private key in the business public-private key pair.
[0103] Step 240: Decrypt the ciphertext of the key using the business private key to obtain the business key.
[0104] As an illustration, after obtaining the business private key, the key ciphertext is decrypted using the business private key to obtain the business key.
[0105] Optionally, when the type of business private key is different, the method of decrypting the key ciphertext using the business private key will also be different.
[0106] Step 250: Perform cryptographic operations on the business data using the business key to obtain the cryptographic operation result corresponding to the business data.
[0107] As an illustration, after the software cryptographic module obtains the business key through decryption, the software cryptographic module performs cryptographic operations on the business data using the business key, thereby obtaining the cryptographic operation result corresponding to the business data.
[0108] In a feasible scenario, when the cryptographic operation is encryption, the business data is encrypted using the business key to obtain the encrypted data corresponding to the business data.
[0109] In a feasible scenario, when the cryptographic operation is decryption, the business data (which is now implemented as encrypted data) is decrypted using the business key, thereby restoring the decrypted data.
[0110] In a feasible scenario, when the cryptographic operation is a signature, the business data is signed using the business key to obtain the digital signature corresponding to the business data.
[0111] In a feasible scenario, when the cryptographic operation is for signature verification, the business data is subjected to signature verification operation using the business key to obtain the signature verification result corresponding to the business data. The signature verification result includes two cases: verification successful and verification failed.
[0112] In some embodiments, the cryptographic operation result corresponding to the business data will be sent to the first application by the software cryptographic module, so that the first application can subsequently process the cryptographic operation result. For example, the first application can transmit the cryptographic operation result to other applications, thereby ensuring that the data transmission process is carried out under encrypted conditions.
[0113] In summary, the business key protection method provided in this application first obtains the ciphertext corresponding to the business private key in the business public-private key pair. Upon receiving the ciphertext content encrypted by the cryptographic device using the business public key in the business public-private key pair, along with business data, the method first decrypts the ciphertext to obtain the business private key corresponding to the key ciphertext. Then, it decrypts the key ciphertext using the business private key to obtain the business key. Finally, it performs cryptographic operations on the business data using the business key to obtain the cryptographic operation result. That is, by combining a software cryptographic module and a cryptographic device, a ciphertext verification text generated after encrypting the business private key is added to the software cryptographic module. The business private key obtained after decrypting the ciphertext then decrypts the key ciphertext, enhancing the protection strength of the key security, preventing key leakage during transmission, improving key protection security, and thus improving the security of encrypted data transmission.
[0114] In some embodiments, the business private key is encrypted using white-box encryption technology. Please refer to the illustrative example. Figure 3 This illustrates a flowchart of a business key protection method provided by an exemplary embodiment of this application, specifically, step 210 includes steps 211 and 212, as follows: Figure 3 As shown, the method includes the following steps.
[0115] Step 211: Randomly generate a business private key, and generate a business public key from the business private key pair based on the business private key.
[0116] This is an example of how a random number generator randomly generates a business private key based on a specified key algorithm type.
[0117] The random number generator is a device used to generate keys. First, the specified key algorithm type is determined. For example, the SM2 algorithm is selected as the key generation condition. The key generation condition is input into the random number generator, and a string combination is output. The string combination is used as the business private key, that is, the SM2 private key, denoted as Pri_S.
[0118] After obtaining the business private key, mathematical calculations are performed on the business private key using a mathematical algorithm, and the result is used as the business public key in the business public-private key pair.
[0119] Step 212: Encrypt the business private key using the pre-acquired white-box key to obtain the encryption result as the password verification ciphertext.
[0120] To illustrate, a white-box key refers to a key generated using white-box encryption technology. The white-box key is used to encrypt the SM4 private key to obtain the password verification ciphertext.
[0121] In some embodiments, a first key is randomly generated; a white-box encryption operation is performed on the first key to obtain a white-box key corresponding to the first key. The white-box encryption operation refers to the encryption operation performed on the first key in a white-box environment; the business private key is encrypted using the white-box key to obtain the encryption operation result as the password verification ciphertext.
[0122] In this embodiment, a first key is first generated randomly by a random number generator using a specified key algorithm type, and then a white-box encryption operation is performed on the first key to obtain a white-box key.
[0123] First, determine the specified key algorithm type. For example, select the SM4 algorithm as the key generation condition. Input the key generation condition into the random number generator, and output a string combination. Use this string combination as the first key, that is, the SM4 key.
[0124] Optionally, the order of generating the business private key and the first key can be either generating the business private key first and then generating the first key, or generating the first key first and then generating the business private key. That is, there is no restriction on the order of generating the business private key and the first key.
[0125] After obtaining the first key, the first key is obfuscated using white-box encryption technology. The obfuscated data is then used as the white-box key corresponding to the first key, denoted as Key_WB.
[0126] After obtaining the white-box key and the business private key, the business private key is encrypted using the white-box key to obtain the encrypted data as the password verification ciphertext, denoted as module fingerprint F.
[0127] Optionally, the password verification ciphertext is represented in at least one of the following formats: binary, octal, hexadecimal, etc.
[0128] It is worth noting that the above-mentioned process of generating the password verification ciphertext can be implemented during the design process of the software cryptographic module. That is, when the software cryptographic module is delivered for use, the password verification ciphertext has already been packaged and stored in the software cryptographic module.
[0129] Step 230: Decrypt the password verification ciphertext to obtain the business private key corresponding to the key ciphertext.
[0130] In some embodiments, a white-box decryption operation is performed on the ciphertext for password verification to obtain the business private key corresponding to the key ciphertext. The white-box decryption operation refers to the decryption operation on the ciphertext for password verification in a white-box environment.
[0131] In this embodiment, during the white-box decryption operation on the password verification ciphertext, the white-box key is used to decrypt the business private key, thereby obtaining the business private key corresponding to the key ciphertext.
[0132] In other words, the white-box key can both encrypt and decrypt the business private key.
[0133] In summary, the business key protection method provided in this application first obtains the ciphertext corresponding to the business private key in the business public-private key pair. Upon receiving the ciphertext content encrypted by the cryptographic device using the business public key in the business public-private key pair, along with business data, the method first decrypts the ciphertext to obtain the business private key corresponding to the key ciphertext. Then, it decrypts the key ciphertext using the business private key to obtain the business key. Finally, it performs cryptographic operations on the business data using the business key to obtain the cryptographic operation result. That is, by combining a software cryptographic module and a cryptographic device, a ciphertext verification text generated after encrypting the business private key is added to the software cryptographic module. The business private key obtained after decrypting the ciphertext then decrypts the key ciphertext, enhancing the protection strength of the key security, preventing key leakage during transmission, improving key protection security, and thus improving the security of encrypted data transmission.
[0134] In this embodiment, the method of encrypting the randomly generated business private key with a white-box key to obtain the password verification ciphertext ensures that even if the password verification ciphertext is leaked, the business private key cannot be recovered, thus improving the security strength of the password operation.
[0135] In this embodiment, the security performance of the key can be guaranteed by performing white-box encryption on the randomly generated first key to obtain the white-box key.
[0136] In some embodiments, a certificate verification process also exists during business key protection. Please refer to the illustrative example. Figure 4 It illustrates a flowchart of a business key protection method provided by an exemplary embodiment of this application, that is, steps 2201 and 2202 are included before step 220, and step 220 further includes step 221.
[0137] Step 2201: Obtain the business certificate corresponding to the first application.
[0138] The business certificate is used to authorize and verify the cryptographic operation requirements of the first application.
[0139] Illustratively, a business certificate is a pre-issued digital certificate between a first application and a software cryptographic module, used to indicate that the cryptographic operations of the current first application are authorized to be implemented by the software cryptographic module; it is a digital signature statement.
[0140] Optionally, the business certificate may include at least one of the following: certificate validity period, certificate signature, certificate serial number, certificate issuing authority name, certificate version information, and public key data corresponding to the certificate.
[0141] Optionally, the business certificate is issued by a designated issuing authority to the first application and the software cryptographic module, or the business certificate is automatically generated during the design of the software cryptographic module.
[0142] In one optional scenario, multiple different first applications share the same software cryptographic module, and therefore the business certificates corresponding to the different first applications are also different.
[0143] In some embodiments, the business private key is subjected to public key operations to obtain the business public key in the business public-private key pair; the business public key is used to compile a certificate to obtain the certificate request content; and the certificate request content is digitally signed by verifying the verification private key in the verification public-private key pair to obtain the business certificate.
[0144] In this embodiment, the process of generating the business certificate is carried out synchronously during the design process of the software cryptographic module. Therefore, after obtaining the SM2 private key (i.e., the business private key) in the above embodiment, the public key is calculated based on the SM2 private key to obtain the business public key Pub_S in the business public-private key pair.
[0145] After obtaining the business public key Pub_S, the business public key and various contents in the aforementioned business certificate are compiled, and the compiled result is used as the certificate request content, that is, the certificate request string.
[0146] Furthermore, during the design of the software cryptography module, a verification public-private key pair was pre-designed. This pair is used to manage the business authorization process of the software cryptography module. This verification public-private key pair is packaged and stored in the parameter file corresponding to the software cryptography module. The method for generating the verification public-private key pair can refer to the method for generating the business public-private key pair described above, and will not be repeated here.
[0147] The certificate request string is digitally signed by verifying the verification private key Pri corresponding to the public and private keys, thereby generating the final business certificate, denoted as Cert. The digital signing process involves first generating an electronic file corresponding to the certificate request string, then generating a digital digest using a hash algorithm, encrypting the digital digest using the verification private key to obtain the signature result, which is then used as the business certificate.
[0148] It is worth noting that before the software cryptography module is delivered and put into use, the white-box key, cryptographic verification ciphertext, business certificate, and business public key in the above embodiments are all pre-compiled parameters that can be used directly during the delivery and use of the software cryptography module.
[0149] Therefore, in the process of performing cryptographic operations on business data, the first application first inputs the business certificate to the software cryptographic module, so that the software cryptographic module can verify the business certificate.
[0150] Step 2202: Verify the business certificate and obtain the certificate verification result.
[0151] In some embodiments, during the certificate verification process for a business certificate, the validity of certificate parameters such as certificate validity period, certificate signature, and business public key in the business certificate is verified.
[0152] In some embodiments, the business certificate is verified using the verification public key in a pre-obtained verification public-private key pair to obtain a first verification result; in response to the first verification result meeting the first verification condition, the business certificate is analyzed to obtain an analysis public key; the business private key is processed by public key operation to obtain the business public key in the business public-private key pair; and the comparison result between the analysis public key and the business public key is used as the certificate verification result.
[0153] In this embodiment, upon receiving the business certificate input by the first application, the software cryptographic module uses the verification public key Pub to decrypt and verify the Cert, obtaining a first verification result. The first verification result is mainly used to verify information such as the certificate validity period and certificate signature. In this embodiment, the first verification result is a digital digest. Furthermore, the software cryptographic module performs a hash algorithm on the pre-stored certificate request string to obtain a verification digest. The digital digest and the verification digest are compared. If the comparison result is consistent, it indicates that the first verification result meets the first verification condition. If the comparison result is inconsistent, it indicates that the first verification result does not meet the first verification condition.
[0154] If the first verification result meets the first verification condition, certificate analysis is performed on the business certificate. Based on the analysis result, the analysis public key is obtained, denoted as Pub_S'. The software cryptography module decrypts the password verification ciphertext using a white-box key to obtain the business private key. Based on the business private key, the public key is calculated to obtain the business public key in the business public-private key pair. The business public key and the analysis public key are used as the certificate verification result.
[0155] Step 221: In response to the certificate verification result meeting the verification pass conditions, receive the key ciphertext and business data sent by the first application.
[0156] In some embodiments, the analysis public key is compared with the business public key to obtain a public key comparison result; in response to the public key comparison result being consistent with the analysis public key and the business public key, the certificate verification result meets the verification pass condition.
[0157] In this embodiment, after obtaining the certificate verification result, the analysis public key and the business public key are compared. If the analysis public key and the business public key are the same, it indicates that the certificate verification result meets the verification pass conditions. If the analysis public key and the business public key are different, it indicates that the certificate verification result does not meet the verification pass conditions.
[0158] In summary, the business key protection method provided in this application first obtains the ciphertext corresponding to the business private key in the business public-private key pair. Upon receiving the ciphertext content encrypted by the cryptographic device using the business public key in the business public-private key pair, along with business data, the method first decrypts the ciphertext to obtain the business private key corresponding to the key ciphertext. Then, it decrypts the key ciphertext using the business private key to obtain the business key. Finally, it performs cryptographic operations on the business data using the business key to obtain the cryptographic operation result. That is, by combining a software cryptographic module and a cryptographic device, a ciphertext verification text generated after encrypting the business private key is added to the software cryptographic module. The business private key obtained after decrypting the ciphertext then decrypts the key ciphertext, enhancing the protection strength of the key security, preventing key leakage during transmission, improving key protection security, and thus improving the security of encrypted data transmission.
[0159] In this embodiment, by obtaining the business certificate corresponding to the first application and verifying it, it is possible to ensure that the key ciphertext and business data are received only after the verification is successful, thereby improving the security strength of cryptographic operations.
[0160] In this embodiment, the business certificate is first verified by verifying the public key, and then the analysis public key obtained by analyzing the business certificate is compared with the business public key to finally determine whether the verification passes, thereby improving the security of certificate verification.
[0161] In this embodiment, the certificate is compiled using the business public key of the business public-private key pair, and the digital signature is performed using the verification private key. The final generated business certificate can improve the accuracy of certificate generation and ensure its privacy and security.
[0162] In some embodiments, the example provided illustrates the need for data transmission between the first application and the second application under encrypted conditions. Please refer to the illustrative example. Figure 5 It illustrates a flowchart of a business key protection method provided in an exemplary embodiment of this application, such as... Figure 5 As shown, the method includes the following steps.
[0163] Step 510: Receive the data encryption request sent by the first application.
[0164] Among them, the data encryption request is used to encrypt business data.
[0165] As an illustration, when the software cryptography module receives a data encryption request sent by the first application, it initiates the data encryption function.
[0166] In some embodiments, a data encryption request refers to requesting the software cryptography module to encrypt business data sent by the first application.
[0167] In one feasible scenario, the data encryption request includes the business data corresponding to the first application and encryption request indication information. In another feasible scenario, the data encryption request only contains encryption request indication information.
[0168] Step 520: Obtain the password verification ciphertext by encrypting the business private key in the business public-private key pair.
[0169] Among them, the password verification ciphertext is a password text parameter used to encrypt and protect the business private key.
[0170] As an illustration, the method for obtaining the password verification ciphertext in step 520 has been explained in detail in step 210 above, and will not be repeated here.
[0171] Optionally, step 520 can be performed before or after step 510.
[0172] In some embodiments, the generation of the password verification ciphertext is a parallel process during the design of the software cryptographic module. That is, when the software cryptographic module is used, the password verification ciphertext is already stored in the software cryptographic module.
[0173] In an optional embodiment, when the software cryptography module stores password verification ciphertexts corresponding to multiple applications respectively, when the software cryptography module receives a data encryption request, it selects the password verification ciphertext corresponding to the first application from the stored folder according to the data encryption request.
[0174] Step 530: Obtain the key ciphertext generated by the cryptographic device encrypting the business key using the business public key in the business public-private key pair, and obtain the business data sent by the first application.
[0175] Among them, the business key refers to the cryptographic text parameter used to encrypt business data.
[0176] In some embodiments, after the first application sends a data encryption request to the software cryptographic module, the first application also sends a data encryption request to the cryptographic device. The cryptographic device then encrypts the business key using the business public key in the business public-private key pair according to the data encryption request, thereby generating key ciphertext. The cryptographic device sends the key ciphertext to the first application, which then sends the key ciphertext and business data to the software cryptographic module. The data receiving interface corresponding to the software cryptographic module receives the key ciphertext and business data.
[0177] As an illustration, the explanation of the key ciphertext and business data generation process in step 530 has been explained in detail in step 220 above, and will not be repeated here.
[0178] Step 540: Decrypt the password verification ciphertext to obtain the business private key corresponding to the key ciphertext.
[0179] As an illustration, after the software cryptography module receives the business data and the key ciphertext, it performs a white-box decryption operation on the password verification ciphertext to obtain the business private key corresponding to the password verification ciphertext.
[0180] Step 550: Decrypt the ciphertext of the key using the business private key to obtain the business key.
[0181] As an illustration, the software cryptography module uses the SM2 private key to decrypt the business private key to obtain the business key.
[0182] Step 560: Encrypt the business data using the business key to obtain the encrypted data corresponding to the business data, and send the encrypted data to the second application for data processing based on the data encryption request.
[0183] The second application and the first application transmit data under encrypted conditions.
[0184] As an illustration, after the software cryptography module decrypts and obtains the business key, it uses the business key to perform encryption operations on the business data sent by the first application, thereby obtaining the encrypted data corresponding to the business data, and then sends the encrypted data to the second application according to the data encryption request.
[0185] The second application is the application that needs to transmit data with the first application under encrypted conditions.
[0186] When the second application receives the encrypted data corresponding to the business data, it can also call the corresponding cryptographic device and / or software cryptographic module to decrypt the encrypted data, thereby reading the corresponding business data.
[0187] In summary, the business key protection method provided in this application first obtains the ciphertext corresponding to the business private key in the business public-private key pair. Upon receiving the ciphertext content encrypted by the cryptographic device using the business public key in the business public-private key pair, along with business data, the method first decrypts the ciphertext to obtain the business private key corresponding to the key ciphertext. Then, it decrypts the key ciphertext using the business private key to obtain the business key. Finally, it performs cryptographic operations on the business data using the business key to obtain the cryptographic operation result. That is, by combining a software cryptographic module and a cryptographic device, a ciphertext verification text generated after encrypting the business private key is added to the software cryptographic module. The business private key obtained after decrypting the ciphertext then decrypts the key ciphertext, enhancing the protection strength of the key security, preventing key leakage during transmission, improving key protection security, and thus improving the security of encrypted data transmission.
[0188] In some embodiments, the example is taken as a scenario where the cryptographic operation type is encryption. This is illustrative; please refer to [the relevant documentation / reference]. Figures 6 to 8 The diagram illustrates a flowchart of a business key protection method provided in an exemplary embodiment of this application, which consists of three parts: a process for generating cryptographic verification ciphertext and a business certificate, an encryption process based on the cryptographic verification ciphertext, and a certificate verification process.
[0189] First, the process of generating the password verification ciphertext and the business certificate will be explained, such as... Figure 6 As shown, the method includes Follow these steps.
[0190] Step 601: Generate the first key using a random number generator.
[0191] First, the cryptographic operation type is determined to be SM4. Using SM4 as the key generation condition, a random number generator is used to randomly generate an SM4 key as the first key.
[0192] Step 602: Perform white-box encryption on the first key to obtain the white-box key.
[0193] A white-box key is generated by performing encryption operations on the SM4 key in a white-box environment.
[0194] Step 603: Generate a business private key using a random number generator.
[0195] The cryptographic operation type is determined to be SM2. Using SM2 as the key generation condition, a random number generator is used to randomly generate an SM2 private key, which is then used as the business private key.
[0196] Step 604: Perform white-box encryption on the business private key using the white-box key to obtain the password verification ciphertext.
[0197] The business private key is encrypted using a white-box key, and the resulting ciphertext is used as the password verification ciphertext. The password verification ciphertext is a binary file.
[0198] Step 605: Perform public key operations on the business private key to obtain the business public key.
[0199] By performing public key operations on the business private key, the business public key corresponding to the business private key is determined based on the result of the public key operation.
[0200] Step 606: Generate certificate request content based on the business public key.
[0201] By compiling the business public key into a certificate, the compiled result is used as the certificate request content.
[0202] Step 607: Based on the certificate request content, sign it using the verification private key in the software cryptography module to generate a business certificate.
[0203] After obtaining the certificate request content, the verification private key of the public-private key pair used to manage business authorization in the software cryptography module is used to sign it, thereby generating a business certificate.
[0204] Step 608: Package the white-box key and password verification ciphertext into the software cryptographic module for compilation.
[0205] The white-box key and the password verification ciphertext are packaged into the software cryptography module for compilation, so that the software cryptography module can directly obtain the above parameters for cryptographic operations during subsequent application.
[0206] Furthermore, during the delivery and use of the first application and software cryptographic module, certificates and business private keys are both products of the packaged delivery.
[0207] It is worth noting that the above-mentioned processes for generating password verification ciphertext and certificate generation are completed before the software cryptographic module is delivered and put into use. Therefore, when the software cryptographic module performs cryptographic operations, the corresponding password verification ciphertext can be directly obtained from the stored folder.
[0208] Secondly, the encryption process based on password verification of ciphertext is explained, such as... Figure 7 As shown, the method includes the following steps Suddenly.
[0209] Step 701: The first application requests the cryptographic device to encrypt the business key using the business public key to obtain the key ciphertext corresponding to the business key.
[0210] When the first application needs to encrypt business data, it first sends an encryption request to the cryptographic device, which then encrypts the business public key in the business public-private key pair to obtain the key ciphertext corresponding to the business key.
[0211] The cryptographic device sends the encrypted key ciphertext to the first application.
[0212] Step 702: The first application inputs the business certificate to the software cryptography module, and the software cryptography module completes the verification of the business certificate.
[0213] The first application inputs a business certificate to the software cryptography module, which then verifies the software cryptography module's authorization for its business services. The business certificate is a pre-generated digital certificate.
[0214] After the software cryptography module verifies the business certificate, it proceeds to the next step if the verification is successful, and stops receiving data if the verification fails.
[0215] Step 703: The first application inputs the key ciphertext and business data into the corresponding interface of the software cryptography module.
[0216] After the software cryptography module verifies the business certificate, the first application inputs the key ciphertext and business data into the interface corresponding to the software cryptography module, so that the software cryptography module receives the key ciphertext and business data.
[0217] Step 704: The software cryptographic module performs white-box decryption on the password verification ciphertext to obtain the business private key corresponding to the key ciphertext.
[0218] After the software cryptographic module receives the key ciphertext and business data, it retrieves the password verification ciphertext corresponding to the business private key from the pre-stored parameter file, and then decrypts the password verification ciphertext using a white-box key to obtain the business private key.
[0219] Step 705: The software cryptographic module decrypts the key ciphertext using the business private key to obtain the business key.
[0220] The software cryptography module uses the obtained business private key to decrypt the key ciphertext, thereby obtaining the business key.
[0221] Step 706: The software cryptography module uses the business key to encrypt the business data and outputs the result.
[0222] After obtaining the business key through decryption, the software cryptography module uses the decrypted business key to perform encryption operations on the business data, generating encrypted data corresponding to the business data, and then sends the encrypted data to the first application.
[0223] Finally, the certificate verification process in the above encryption process will be explained in detail, such as... Figure 8 As shown, the method includes The steps include the following.
[0224] Step 801: The first application inputs the business certificate to the software cryptography module.
[0225] First, the first application sends a pre-issued business certificate to the software cryptography module.
[0226] Step 802: The software cryptographic module uses the verification public key to verify the business certificate.
[0227] The software cryptography module verifies the business certificate using the verification public key in the verification public-private key pair used to manage business authorization, and obtains the first verification result, which mainly verifies the certificate validity period, certificate signature, etc.
[0228] If the first verification result is valid, the verification passes and the next step is executed. If the first verification result is invalid, the verification fails and the current process ends.
[0229] Step 803: The software cryptography module parses the certificate to obtain the analysis public key.
[0230] If the first verification result is valid, the software cryptography module performs certificate analysis on the business certificate to obtain the analysis public key.
[0231] Step 804: The software cryptographic module uses a white-box key to decrypt the password verification ciphertext to obtain the business private key.
[0232] The software cryptography module obtains the business private key by performing white-box decryption on the password verification password.
[0233] Step 805: Perform public key operations on the business private key to obtain the business public key.
[0234] After the software cryptography module performs operations on the business private key and the public key, it obtains the business public key from the business public-private key pair.
[0235] Step 806: Compare the consistency between the business public key and the business private key.
[0236] The analysis public key and the business public key are compared. If the analysis public key and the business public key are the same, it means that the business public key and the business private key are consistent and the certificate verification is successful. If the business public key and the business private key are different, it means that the certificate verification fails.
[0237] In summary, the business key protection method provided in this application first obtains the ciphertext corresponding to the business private key in the business public-private key pair. Upon receiving the ciphertext content encrypted by the cryptographic device using the business public key in the business public-private key pair, along with business data, the method first decrypts the ciphertext to obtain the business private key corresponding to the key ciphertext. Then, it decrypts the key ciphertext using the business private key to obtain the business key. Finally, it performs cryptographic operations on the business data using the business key to obtain the cryptographic operation result. That is, by combining a software cryptographic module and a cryptographic device, a ciphertext verification text generated after encrypting the business private key is added to the software cryptographic module. The business private key obtained after decrypting the ciphertext then decrypts the key ciphertext, enhancing the protection strength of the key security, preventing key leakage during transmission, improving key protection security, and thus improving the security of encrypted data transmission.
[0238] The overall solution can be applied to cryptographic application modes that combine software and hardware, solving the security problem of keys outside the boundaries of software cryptographic modules. At the same time, the introduction of fingerprint technology based on white-box encryption and initialization authentication methods can improve the security strength of the software cryptographic module itself and resist security problems such as decompilation and unauthorized use of modules.
[0239] Figure 9 This is a structural block diagram of a business key protection device provided in an exemplary embodiment of this application, as shown below. Figure 9 As shown, the device includes:
[0240] The first acquisition module 910 is used to acquire password verification ciphertext, which refers to the password text parameter generated after encrypting the business private key in the business public-private key pair.
[0241] The first receiving module 920 is used to receive key ciphertext and business data. The key ciphertext refers to the cryptographic text parameter obtained by encrypting the business key with the business public key in the business public-private key pair using a cryptographic device. The business key refers to the cryptographic text parameter used to perform cryptographic operations on the business data.
[0242] The first arithmetic module 930 is used to perform decryption operations on the password verification ciphertext to obtain the business private key corresponding to the key ciphertext.
[0243] The first calculation module 930 is further configured to perform decryption operation on the key ciphertext using the business private key to obtain the business key;
[0244] The first calculation module 930 is further configured to perform the cryptographic operation on the business data using the business key to obtain the cryptographic operation result corresponding to the business data, and the cryptographic operation result is used for data transmission under encrypted conditions.
[0245] In some embodiments, such as Figure 10 As shown, the first acquisition module 910 includes:
[0246] The generation unit 911 is used to randomly generate the business private key and generate the business public key in the business public-private key pair based on the business private key;
[0247] The operation unit 912 is used to perform encryption operation on the business private key using a pre-acquired white-box key, and obtain the encryption operation result as the password verification ciphertext.
[0248] In some embodiments, the operation unit 912 is configured to randomly generate a first key; perform a white-box encryption operation on the first key to obtain the white-box key corresponding to the first key, wherein the white-box encryption operation refers to performing an encryption operation on the first key in a white-box environment; and perform the encryption operation on the business private key using the white-box key to obtain the encryption operation result as the password verification ciphertext.
[0249] In some embodiments, the apparatus further includes:
[0250] The first acquisition module 910 is used to acquire the business certificate corresponding to the first application, the first application is used to send the business data, and the business certificate is used to authorize and verify the cryptographic operation requirements of the first application.
[0251] Verification module 940 is used to verify the business certificate and obtain the certificate verification result;
[0252] The first receiving module 920 is configured to receive the key ciphertext and the business data sent by the first application in response to the certificate verification result meeting the verification pass conditions.
[0253] In some embodiments, the verification module 940 is configured to perform certificate verification on the business certificate using the verification public key in a pre-acquired verification public-private key pair to obtain a first verification result; in response to the first verification result meeting the first verification condition, perform certificate analysis on the business certificate to obtain an analysis public key; perform public key operation on the business private key to obtain the business public key in the business public-private key pair; and use the comparison result between the analysis public key and the business public key as the certificate verification result.
[0254] In some embodiments, the apparatus further includes:
[0255] The comparison module 950 is used to compare the analysis public key with the business public key to obtain a public key comparison result; in response to the public key comparison result being consistent with the analysis public key and the business public key, the certificate verification result meets the verification pass condition.
[0256] In some embodiments, the first calculation module 930 is further configured to perform public key calculation on the business private key to obtain the business public key in the business public-private key pair; perform certificate compilation on the business public key to obtain certificate request content; and perform digital signature on the certificate request content using the verification private key in the verification public-private key pair to obtain the business certificate.
[0257] In some embodiments, the first calculation module 930 is further configured to perform white-box decryption operation on the password verification ciphertext to obtain the business private key corresponding to the key ciphertext, wherein the white-box decryption operation refers to performing the decryption operation on the password verification ciphertext in the white-box environment.
[0258] Figure 11 This is a structural block diagram of a business key protection device provided in an exemplary embodiment of this application, as shown below. Figure 11 As shown, the device includes:
[0259] The second receiving module 1110 is used to receive a data encryption request sent by the first application, the data encryption request being used to encrypt business data;
[0260] The second acquisition module 1120 is used to obtain password verification ciphertext by encrypting the business private key in the business public-private key pair. The password verification ciphertext is a password text parameter used to encrypt and protect the business private key.
[0261] The second acquisition module 1120 is further configured to acquire the key ciphertext generated by the cryptographic device encrypting the business key using the business public key in the business public-private key pair, and to acquire the business data sent by the first application, wherein the business key refers to the cryptographic text parameter used to perform encryption operations on the business data;
[0262] The second operation module 1130 is used to perform decryption operation on the password verification ciphertext to obtain the business private key corresponding to the key ciphertext.
[0263] The second operation module 1130 is further configured to perform decryption operation on the key ciphertext using the business private key to obtain the business key;
[0264] The sending module 1140 is used to perform the encryption operation on the business data using the business key to obtain encrypted data corresponding to the business data, and send the encrypted data to the second application for data processing based on the data encryption request. The second application and the first application transmit data under encrypted conditions.
[0265] In summary, the business key protection device provided in this application first obtains the ciphertext corresponding to the business private key in the business public-private key pair. Upon receiving the ciphertext content encrypted by the cryptographic device using the business public key in the business public-private key pair, along with business data, it first decrypts the ciphertext to obtain the business private key corresponding to the key ciphertext. Then, it decrypts the key ciphertext using the business private key to obtain the business key. Finally, it performs cryptographic operations on the business data using the business key to obtain the cryptographic operation result. That is, by combining a software cryptographic module and a cryptographic device, a ciphertext verification text generated after encrypting the business private key is added to the software cryptographic module. The business private key obtained after decrypting the ciphertext then decrypts the key ciphertext, enhancing the protection strength of the key security, preventing key leakage during transmission, improving key protection security, and thus improving the security of encrypted data transmission.
[0266] It should be noted that the service key protection device provided in the above embodiments is only an example of the division of the above functional modules. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the service key protection device and the service key protection method embodiments provided in the above embodiments belong to the same concept, and the specific implementation process can be found in the method embodiments, which will not be repeated here.
[0267] Figure 12 A schematic diagram of the structure of a server provided in an exemplary embodiment of this application is shown. Specifically:
[0268] Server 1200 includes a Central Processing Unit (CPU) 1201, a system memory 1204 including Random Access Memory (RAM) 1202 and Read Only Memory (ROM) 1203, and a system bus 1205 connecting the system memory 1204 and the CPU 1201. Server 1200 also includes a mass storage device 1206 for storing the operating system 1213, application programs 1214, and other program modules 1215.
[0269] Mass storage device 1206 is connected to central processing unit 1201 via a mass storage controller (not shown) connected to system bus 1205. Mass storage device 1206 and its associated computer-readable media provide non-volatile storage for server 1200. That is, mass storage device 1206 may include computer-readable media (not shown) such as hard disk or compact disc read-only memory (CD-ROM) drive.
[0270] Without loss of generality, computer-readable media can include computer storage media and communication media. Computer storage media includes volatile and non-volatile, removable and non-removable media implemented using any method or technology for storing information such as computer-readable instructions, data structures, program modules, or other data. Computer storage media include RAM, ROM, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other solid-state storage technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape cassettes, magnetic tape, disk storage, or other magnetic storage devices. Of course, those skilled in the art will recognize that computer storage media are not limited to the above-mentioned types. The system memory 1204 and mass storage device 1206 described above can be collectively referred to as memory.
[0271] According to various embodiments of this application, server 1200 can also be connected to a remote computer on a network, such as the Internet. That is, server 1200 can be connected to network 1212 via network interface unit 1211 connected to system bus 1205, or network interface unit 1211 can be used to connect to other types of networks or remote computer systems (not shown).
[0272] The aforementioned memory also includes one or more programs, which are stored in the memory and configured to be executed by the CPU.
[0273] Embodiments of this application also provide a computer device, which includes a processor and a memory. The memory stores at least one instruction, at least one program, code set, or instruction set. The at least one instruction, at least one program, code set, or instruction set is loaded and executed by the processor to implement the business key protection method provided in the above-described method embodiments.
[0274] Embodiments of this application also provide a computer-readable storage medium storing at least one instruction, at least one program, code set, or instruction set, wherein the at least one instruction, at least one program, code set, or instruction set is loaded and executed by a processor to implement the business key protection method provided in the above-described method embodiments.
[0275] Embodiments of this application also provide a computer program product, which includes computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform any of the business key protection methods described in the above embodiments.
[0276] Optionally, the computer-readable storage medium may include: read-only memory (ROM), random access memory (RAM), solid-state drive (SSD), or optical disk, etc. The random access memory may include resistive random access memory (ReRAM) and dynamic random access memory (DRAM). The sequence numbers of the embodiments in this application are merely descriptive and do not represent the superiority or inferiority of the embodiments.
[0277] Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware or by a program instructing related hardware. The program can be stored in a computer-readable storage medium, such as a read-only memory, a disk, or an optical disk.
[0278] The above description is merely an optional embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.
Claims
1. A method for protecting a business key, characterized in that, The method includes: The password verification ciphertext is obtained by encrypting the business private key in the business public-private key pair. The password verification ciphertext is a password text parameter used to encrypt and protect the business private key. Obtain the business certificate corresponding to the first application, the business certificate being used to perform business authorization verification for the cryptographic operation requirements of the first application; The business certificate is verified using the verification public key from the pre-obtained verification public-private key pair to obtain a first verification result; In response to the first verification result meeting the first verification condition, certificate analysis is performed on the business certificate to obtain the analysis public key; Perform public key operations on the business private key to obtain the business public key in the business public-private key pair; The comparison result between the analysis public key and the business public key is used as the certificate verification result; The system obtains the key ciphertext generated by encrypting the business key with the business public key in the business public-private key pair by the cryptographic device, and obtains the business data sent by the first application in response to the certificate verification result meeting the verification pass condition. The business key refers to the cryptographic text parameter used to perform cryptographic operations on the business data. The password verification ciphertext is decrypted to obtain the business private key corresponding to the key ciphertext. The business key is obtained by decrypting the ciphertext of the key using the business private key. The cryptographic operation is performed on the business data using the business key to obtain the cryptographic operation result corresponding to the business data.
2. The method according to claim 1, characterized in that, The process of obtaining the password verification ciphertext by encrypting the business private key in the business public-private key pair includes: Randomly generate the business private key, and generate the business public key in the business public-private key pair based on the business private key; The business private key is encrypted using a pre-acquired white-box key, and the encrypted result is used as the password verification ciphertext.
3. The method according to claim 2, characterized in that, The step of encrypting the business private key using a pre-acquired white-box key to obtain the encryption result as the password verification ciphertext includes: Randomly generate the first key; Perform white-box encryption operation on the first key to obtain the white-box key corresponding to the first key. The white-box encryption operation refers to encrypting the first key in a white-box environment. The encryption operation is performed on the business private key using the white-box key, and the result of the encryption operation is used as the password verification ciphertext.
4. The method according to any one of claims 1 to 3, characterized in that, Before obtaining the service data sent by the first application, the method further includes: The analysis public key is compared with the business public key to obtain the public key comparison result. If the public key comparison result shows that the analysis public key matches the business public key, then the certificate verification result meets the verification pass condition.
5. The method according to claim 4, characterized in that, Before obtaining the business certificate corresponding to the first application, the process also includes: Perform public key operations on the business private key to obtain the business public key in the business public-private key pair; The certificate request content is obtained by compiling the business public key. The certificate request content is digitally signed using the verification private key in the verification public-private key pair to obtain the business certificate.
6. The method according to any one of claims 1 to 3, characterized in that, The step of decrypting the ciphertext to obtain the business private key corresponding to the key ciphertext includes: The password verification ciphertext is subjected to white-box decryption to obtain the business private key corresponding to the key ciphertext. The white-box decryption refers to performing the decryption operation on the password verification ciphertext in a white-box environment.
7. A method for protecting a business key, characterized in that, The method includes: Receive a data encryption request sent by a first application, the data encryption request being used to encrypt business data; The password verification ciphertext is obtained by encrypting the business private key in the business public-private key pair. The password verification ciphertext is a password text parameter used to encrypt and protect the business private key. Obtain the business certificate corresponding to the first application, the business certificate being used to perform business authorization verification for the cryptographic operation requirements of the first application; The business certificate is verified using the verification public key from the pre-obtained verification public-private key pair to obtain a first verification result; In response to the first verification result meeting the first verification condition, certificate analysis is performed on the business certificate to obtain the analysis public key; Perform public key operations on the business private key to obtain the business public key in the business public-private key pair; The comparison result between the analysis public key and the business public key is used as the certificate verification result; Obtain the key ciphertext generated by the cryptographic device encrypting the business key using the business public key in the business public-private key pair, and in response to the certificate verification result meeting the verification pass condition, obtain the business data sent by the first application, wherein the business key refers to the cryptographic text parameter used to perform encryption operations on the business data; The password verification ciphertext is decrypted to obtain the business private key corresponding to the key ciphertext. The business key is obtained by decrypting the ciphertext of the key using the business private key. The encryption operation is performed on the business data using the business key to obtain the encrypted data corresponding to the business data. Based on the data encryption request, the encrypted data is sent to the second application for data processing. The second application and the first application transmit data under encrypted conditions.
8. A protection device for a business key, characterized in that, The device includes: The first acquisition module is used to obtain password verification ciphertext by encrypting the business private key in the business public-private key pair. The password verification ciphertext is a password text parameter used to encrypt and protect the business private key. A first receiving module is configured to acquire a business certificate corresponding to a first application, wherein the business certificate is used to perform business authorization verification for the cryptographic operation requirements of the first application; perform certificate verification on the business certificate using the verification public key in a pre-acquired verification public-private key pair to obtain a first verification result; in response to the first verification result meeting the first verification condition, perform certificate analysis on the business certificate to obtain an analysis public key; perform public key operation on the business private key to obtain the business public key in the business public-private key pair; and use the comparison result between the analysis public key and the business public key as the certificate verification result. The system obtains the key ciphertext generated by encrypting the business key with the business public key in the business public-private key pair by the cryptographic device, and obtains the business data sent by the first application in response to the certificate verification result meeting the verification pass condition. The business key refers to the cryptographic text parameter used to perform cryptographic operations on the business data. The first calculation module is used to perform decryption operations on the password verification ciphertext to obtain the business private key corresponding to the key ciphertext. The first calculation module is further configured to perform decryption operations on the key ciphertext using the business private key to obtain the business key; The first calculation module is further configured to perform the cryptographic operation on the business data using the business key to obtain the cryptographic operation result corresponding to the business data.
9. A protection device for a business key, characterized in that, The device includes: The second receiving module is used to receive a data encryption request sent by the first application, the data encryption request being used to encrypt business data; The second acquisition module is used to obtain password verification ciphertext by encrypting the business private key in the business public-private key pair. The password verification ciphertext is a password text parameter used to encrypt and protect the business private key. The second acquisition module is further configured to acquire a business certificate corresponding to the first application, the business certificate being used to perform business authorization verification for the cryptographic operation requirements of the first application; perform certificate verification on the business certificate using the verification public key in a pre-acquired verification public-private key pair to obtain a first verification result; in response to the first verification result meeting the first verification condition, perform certificate analysis on the business certificate to obtain an analysis public key; perform public key operation on the business private key to obtain the business public key in the business public-private key pair; use the comparison result between the analysis public key and the business public key as the certificate verification result; acquire the key ciphertext generated by the cryptographic device encrypting the business key using the business public key in the business public-private key pair; and in response to the certificate verification result meeting the verification pass condition, acquire the business data sent by the first application, wherein the business key refers to the cryptographic text parameter used to perform encryption operation on the business data; The second calculation module is used to perform decryption operations on the password verification ciphertext to obtain the business private key corresponding to the key ciphertext. The second calculation module is further configured to perform decryption operations on the key ciphertext using the business private key to obtain the business key; The sending module is used to perform the encryption operation on the business data using the business key to obtain encrypted data corresponding to the business data, and send the encrypted data to the second application for data processing based on the data encryption request. The second application and the first application transmit data under encrypted conditions.
10. A computer device, characterized in that, The computer device includes a processor and a memory, the memory storing at least one program, which is loaded and executed by the processor to implement the business key protection method as described in any one of claims 1 to 7.
11. A computer-readable storage medium, characterized in that, The storage medium stores at least one program segment, which is loaded and executed by a processor to implement the business key protection method as described in any one of claims 1 to 7.
12. A computer program product, characterized in that, It includes a computer program that, when executed by a processor, implements the method for protecting the business key as described in any one of claims 1 to 7.