CN113094661A - SDK security enhancement method - Google Patents
SDK security enhancement method Download PDFInfo
- Publication number
- CN113094661A CN113094661A CN202110362999.4A CN202110362999A CN113094661A CN 113094661 A CN113094661 A CN 113094661A CN 202110362999 A CN202110362999 A CN 202110362999A CN 113094661 A CN113094661 A CN 113094661A
- Authority
- CN
- China
- Prior art keywords
- sdk
- white
- box
- key
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses an SDK security enhancement method, which comprises the steps of generating a white-box password corresponding to an SDK default key, and generating the white-box password through a white-box password algorithm by taking the SDK default key as input; then putting the look-up table of the white-box password and the cryptography API into the SDK; replacing a cryptographic API in the SDK that uses the SDK default key with a cryptographic API in the white-box password; finally, the SDK is reissued. The invention protects the SDK default key by applying the white-box cryptography to the encryption and decryption key protection of the SDK, can ensure the security of the SDK default key in the white-box attack environment, effectively reduces the risk of key leakage and improves the management security of the key.
Description
Technical Field
The invention relates to the technical field of computer internet of things, in particular to an SDK security enhancement method.
Background
SDK generally refers to a software development kit. A software development kit is generally a collection of development tools used by some software engineers to build application software for a particular software package, software framework, hardware platform, operating system, and the like.
More and more SDKs of the SDK default key in the field of Internet of things are used for connecting a cloud, a security chip, a trusted execution environment and the like, and in order to realize functions of security communication, authentication and the like, a cryptographic algorithm and a corresponding key are integrated in the SDK, and the key is called as the SDK default key; however, with the continuous upgrade of the internet of things attack, the security of the SDK default key becomes a new hidden danger for the security of the supply chain, and meanwhile, the emergence of security regulations and security standards makes the security compliance of the SDK default key urgent.
In a White-Box Attack environment (White-Box attach Context), the execution process of the software is completely visible to an attacker, and if the cryptographic software running in the environment does not specially protect the key, the attacker can easily obtain the key information by observing or executing the cryptographic software.
The white-box cryptographic technology is provided aiming at the white-box attack environment, and aims to protect a key in the white-box attack environment, hide key information in the execution process of cryptographic software and prevent an attacker from extracting the key in the white-box attack environment. Hiding the designated key into a particular cryptographic algorithm, a process known as white-box cipher generation, such as hiding AES keys into AES algorithms, hiding SM4 ciphers into SM4 algorithms, and so on; the generated white-box password is a piece of executable program, and an Application Program Interface (API) is used for other programs to call.
At present, the SDK default key is protected mainly by adopting a splitting or confusion mode, the security intensity is low, an attacker can randomly steal the SDK default key, the data security threat is brought, and the personal privacy data is threatened, so that huge potential safety hazards exist, and the security of the SDK default key cannot be ensured under the white-box attack environment at present.
Disclosure of Invention
Aiming at the technical problems in the related art, the invention provides an SDK security enhancement method which can overcome the defects of the prior art.
In order to achieve the technical purpose, the technical scheme of the invention is realized as follows:
an SDK security enhancement method, comprising the steps of:
s1, firstly, generating a white-box password corresponding to the SDK default key, and generating the white-box password through a white-box password algorithm by taking the SDK default key as input;
s2, then putting the look-up table of the white-box password and the cryptography API into the SDK;
s3, replacing the cryptography API in the SDK, which uses the SDK default key, with the cryptography API in the white-box password;
s4, finally, the SDK is reissued.
Further, the white-box cryptographic algorithm is an algorithm for protecting the security of a secret key in a white-box attack environment, and is an operation of segmenting, encoding, table look-up and affine transformation of a cryptographic algorithm structure.
Further, the generated white-box password is a lookup table with hidden key information and a set of passwords of a cryptography API.
Further, the SDK is an independent SDK module.
Further, the white-box cipher algorithm is one of the ways of generating a white-box cipher.
The invention has the beneficial effects that: by applying the white-box cryptographic technology to encryption and decryption key protection of the SDK, the default key of the SDK is protected, the security of the default key of the SDK can be ensured in a white-box attack environment, the risk of key leakage is effectively reduced, and the management security of the key is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a flow chart of a method for enhancing security of an SDK according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention belong to the protection scope of the present invention, and for the convenience of understanding the above technical solutions of the present invention, the above technical solutions of the present invention are described in detail below by specific use modes.
As shown in fig. 1, according to the SDK security enhancing method in the embodiment of the present invention, a white-box password corresponding to an SDK default key needs to be generated, and the SDK default key is used as an input, for example: an unscented char key [16] = {0xe8, 0xc5, 0x50, 0x1b, 0xa4, 0x21, 0x86, 0xc0, 0x8d, 0x65, 0xd8, 0xdb, 0x5f, 0xbc, 0x34, 0x70}, taking a white-box cipher SM4 algorithm with a key length of 128 bits as an example, a white-box cipher is generated by the white-box cipher SM4 algorithm, and the white-box cipher SM4 algorithm is an algorithm capable of protecting key security in a white-box attack environment, and hides key information in a lookup table by performing operations such as segmentation, encoding, lookup table and affine transformation on a cipher algorithm structure to prevent an attacker from obtaining key information; the finally generated white-box password is a lookup table hiding key information and a set of cryptography API, and is mainly used for white-box password integration.
The cryptography API is:
/**
* \param[in] plain_text to be encrypt data.
* \param[in] plain_text_len _text to be encrypt data length.
* \param[in] iv input iv.
* \param[in]iv_len input iv length.
* \param[out] cipher_text out buffer used to receive encrypted data.
* \param[out] cipher_text_len out data length.
*/
int ut_pf_wbox_ctr(const unsigned char *plain_text,
const unsigned int plain_text_len,
const unsigned char *iv,
const unsigned int iv_len,
unsigned char *cipher_text,
unsigned int *cipher_text_len);。
after the white-box password is generated, the white-box password is required to be integrated, and the integrated white-box password is obtained by putting a lookup table and a cryptography API (application program interface) included in the white-box password into the SDK; replacing the cryptographic API in the SDK that uses the SDK default key with the cryptographic API in the white-box password.
And finally, the SDK with the enhanced safety is released again on the platform.
The method for enhancing the safety of the SDK is an independent module, is simply and conveniently integrated into the SDK, has usability, is irrelevant to a hardware platform and an operating system, has good portability, can obviously improve the safety of the SDK, and provides guarantee for the safety of supply chains of various industries.
In summary, by applying the white-box cryptographic technology to encryption and decryption key protection of the SDK, the default SDK key is protected, the security of the default SDK key can be ensured in a white-box attack environment, the risk of key leakage is effectively reduced, and the management security of the key is improved.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (5)
1. An SDK security enhancement method, comprising the steps of:
s1, firstly, generating a white-box password corresponding to the SDK default key, and generating the white-box password through a white-box password algorithm by taking the SDK default key as input;
s2, then putting the look-up table of the white-box password and the cryptography API into the SDK;
s3, replacing the cryptography API in the SDK, which uses the SDK default key, with the cryptography API in the white-box password;
s4, finally, the SDK is reissued.
2. The SDK security enhancing method according to claim 1, wherein in step S1, the white-box cryptographic algorithm is an algorithm for protecting the key security in a white-box attack environment, and is obtained by performing operations of partitioning, encoding, table lookup and affine transformation on the cryptographic algorithm structure.
3. The SDK security enhancement method of claim 1, wherein the generated white-box password is a hidden key information look-up table and a set of cryptographic APIs password.
4. The SDK security enhancement method of claim 1, wherein the SDK is a stand-alone SDK module.
5. The SDK security enhancement method of claim 1 wherein the white-box cryptographic algorithm is one of the ways of generating a white-box cipher.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110362999.4A CN113094661A (en) | 2021-04-02 | 2021-04-02 | SDK security enhancement method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110362999.4A CN113094661A (en) | 2021-04-02 | 2021-04-02 | SDK security enhancement method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113094661A true CN113094661A (en) | 2021-07-09 |
Family
ID=76673814
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110362999.4A Pending CN113094661A (en) | 2021-04-02 | 2021-04-02 | SDK security enhancement method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113094661A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107809313A (en) * | 2017-10-31 | 2018-03-16 | 北京三未信安科技发展有限公司 | A kind of whitepack crypto-operation method and system |
| CN108270550A (en) * | 2018-01-10 | 2018-07-10 | 成都卫士通信息产业股份有限公司 | A kind of safe and efficient whitepack implementation method and device based on SM4 algorithms |
| CN110278072A (en) * | 2019-07-11 | 2019-09-24 | 北京电子科技学院 | One kind 16 takes turns SM4-128/128 whitepack password implementation method |
| CN111538977A (en) * | 2020-06-23 | 2020-08-14 | 腾讯科技(深圳)有限公司 | Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server |
-
2021
- 2021-04-02 CN CN202110362999.4A patent/CN113094661A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107809313A (en) * | 2017-10-31 | 2018-03-16 | 北京三未信安科技发展有限公司 | A kind of whitepack crypto-operation method and system |
| CN108270550A (en) * | 2018-01-10 | 2018-07-10 | 成都卫士通信息产业股份有限公司 | A kind of safe and efficient whitepack implementation method and device based on SM4 algorithms |
| CN110278072A (en) * | 2019-07-11 | 2019-09-24 | 北京电子科技学院 | One kind 16 takes turns SM4-128/128 whitepack password implementation method |
| CN111538977A (en) * | 2020-06-23 | 2020-08-14 | 腾讯科技(深圳)有限公司 | Cloud API key management method, cloud platform access method, cloud API key management device, cloud platform access device and server |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105681039B (en) | Method and apparatus for generating keys and corresponding decryption | |
| CN101369889B (en) | Method for electronic endorsement of document | |
| US9143317B2 (en) | Protecting against white box attacks using column rotation | |
| CN110855433B (en) | Data encryption method and device based on encryption algorithm and computer equipment | |
| CN106228076B (en) | A kind of picture validation code guard method and system based on SGX | |
| JPH09270785A (en) | Information processor | |
| CN105612527A (en) | Method for providing security for common intermediate language-based program | |
| US20120288089A1 (en) | System and method for device dependent and rate limited key generation | |
| CN114124364B (en) | Key security processing method, device, equipment and computer readable storage medium | |
| CN107491317A (en) | A kind of symmetrical encryption and decryption method and systems of AES for accelerating platform based on isomery | |
| US20120179920A1 (en) | Securing cryptographic process keys using internal structures | |
| KR20180110550A (en) | Method and apparatus for white-box cryptography for protecting against side channel analysis | |
| CN106452771A (en) | Method and device for calling cipher card by JCE (Java Cryptography Extension) to implement internal RSA secret key operation | |
| CN109165531B (en) | AES mask method, electronic equipment and storage medium | |
| US10075290B2 (en) | Operator lifting in cryptographic algorithm | |
| abd Qasim et al. | Data protection enhancement in smart grid communication: An efficient multi-layer encrypting approach based on chaotic techniques and steganography | |
| TWI517655B (en) | Cryptographic device and secret key protection method | |
| EP4364023A1 (en) | Secure communication between a client computer and a remote computer | |
| CN104504310A (en) | Method and device for software protection based on shell technology | |
| CN113094661A (en) | SDK security enhancement method | |
| CN103605927A (en) | Encryption and decryption method based on embedded Linux system | |
| CN104392153A (en) | Software protection method and system | |
| CN103763097A (en) | Security encryption method for password or secret key | |
| CN106936822A (en) | For the mask realization method and system of the anti-high-order bypass analysis of SMS4 | |
| EP3425614A1 (en) | Data processing method and data processing system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20210709 |