+

WO2018133686A1 - Procédé et dispositif de protection de mot de passe, et support de stockage - Google Patents

Procédé et dispositif de protection de mot de passe, et support de stockage Download PDF

Info

Publication number
WO2018133686A1
WO2018133686A1 PCT/CN2018/071734 CN2018071734W WO2018133686A1 WO 2018133686 A1 WO2018133686 A1 WO 2018133686A1 CN 2018071734 W CN2018071734 W CN 2018071734W WO 2018133686 A1 WO2018133686 A1 WO 2018133686A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
ciphertext
key
encryption
sha
Prior art date
Application number
PCT/CN2018/071734
Other languages
English (en)
Chinese (zh)
Inventor
吴晓麟
Original Assignee
腾讯科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 腾讯科技(深圳)有限公司 filed Critical 腾讯科技(深圳)有限公司
Publication of WO2018133686A1 publication Critical patent/WO2018133686A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Definitions

  • the embodiment of the present invention relates to the field of information security technologies, and in particular, to a password protection method, apparatus, and storage medium.
  • the existing account system generally stores the password in plain text. This storage method can easily lead to password leakage, which brings great security risks to users.
  • some account systems encrypt and store the password using Message Digest Algorithm 5 (MD5). It is confirmed that the MD5 encryption algorithm can be cracked, and the MD5 algorithm cannot prevent collisions. After the MD5 password, the crack is only a matter of time, that is, the security of the password cannot be guaranteed in this way, and the risk of the password being compromised is still very large.
  • MD5 Message Digest Algorithm 5
  • the embodiment of the present application provides a password protection method, including:
  • the server obtains the user identifier and the first plaintext password
  • the server uses a preset salt value to add salt to the first plaintext password to obtain a first key
  • the server uses the first key as an encryption key for the hash message authentication code HMAC operation, and uses the secure hash algorithm SHA as a hash function for HMAC operation to perform an HMAC operation to obtain a first ciphertext password;
  • the server stores the user identifier in the database corresponding to the first ciphertext password.
  • the embodiment of the present application further provides a password protection apparatus, including:
  • An obtaining unit configured to obtain a user identifier and a first plaintext password
  • a salt adding unit configured to add a salt to the first plaintext password by using a preset salt value to obtain a first key
  • a first encryption unit configured to use the first key as an encryption key of a hash message authentication code HMAC operation, and use a secure hash algorithm SHA as an encryption hash function for HMAC operation, and perform an HMAC operation to obtain a first Ciphertext password;
  • a storage unit configured to store the user identifier in the database corresponding to the first ciphertext password.
  • the present application also proposes a non-transitory computer readable storage medium storing computer readable instructions that cause at least one processor to perform the methods described above.
  • FIG. 1 is a schematic diagram of a scenario of a password protection method provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a password protection method provided by an embodiment of the present application.
  • FIG. 3a is a schematic diagram of a registration process provided by an embodiment of the present application.
  • FIG. 3b is a schematic diagram of an original ciphertext password generation process provided by an embodiment of the present application.
  • 4a is a schematic diagram of a verification process provided by an embodiment of the present application.
  • 4b is a schematic diagram of a real-time ciphertext password generation process provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a password protection apparatus according to an embodiment of the present application.
  • FIG. 6 is another schematic structural diagram of a password protection apparatus according to an embodiment of the present application.
  • the embodiment of the present application provides a password protection method and device, which can protect password security and reduce the risk of password being leaked.
  • the password protection method provided by the embodiment of the present application can be implemented in a password protection device, and the password protection device can be a server.
  • An implementation scenario of the password protection method in this embodiment may be as shown in FIG. 1 , including a server 101 and a client 102.
  • the server 101 may obtain a user identifier and an original plaintext password from the client 102, and use the preset salt value to the original plaintext.
  • the password is added to the salt to obtain the original key, and then the original key is used as an encryption key of a Hash-based Message Authentication Code (HMAC) operation, and a Secure Hash Algorithm (SHA) is used as a security hash algorithm (SHA).
  • HMAC Hash-based Message Authentication Code
  • SHA Secure Hash Algorithm
  • the hash function of the HMAC operation is performed by performing an HMAC operation to obtain an original ciphertext password, and finally storing the user identifier in the database corresponding to the original ciphertext password. It is verified that the SHA algorithm itself is difficult to be cracked, and the original key obtained by adding the original plaintext password is quite complicated. Therefore, the original key is used as an encryption key, and the SHA is used as an encryption hash.
  • the original ciphertext password obtained by the function of the HMAC operation even if it is exhaustive, it is difficult to crack the original plaintext password. Therefore, the method of the embodiment of the present application can protect the password security and reduce the risk of the password being leaked.
  • the original plaintext password is used. It may also be referred to as a first plaintext password, and the original ciphertext password may also be referred to as a first ciphertext password, and the original key may also be referred to as a first key.
  • the method in this embodiment of the present application includes the following steps:
  • Step 201 Obtain a user identifier and an original plaintext password.
  • the server when the client registers, the server obtains the user identifier and the original plaintext password from the client, and the user identifier may also be referred to as a user name, a registered account, etc., and the original plaintext password is the registration password provided by the client when registering. .
  • the client can directly carry the user identifier and the original plaintext password in the registration request, and the server directly obtains the user identifier and the original plaintext password from the registration request.
  • the password is transmitted between the client and the server in clear text, which is easily intercepted by a third party, resulting in a password leak. Therefore, in the embodiment of the present application, the client may also encrypt the original plaintext password, and carry the encrypted original plaintext password and the user identifier in the registration request to the server.
  • the client can first encrypt the original plaintext password by using the asymmetric encryption algorithm RSA public key, and then encrypt the encrypted original plaintext password again by using the Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) public key.
  • HTTPS Hyper Text Transfer Protocol over Secure Socket Layer
  • the first ciphertext is obtained, and the first ciphertext and the user identifier are carried in the registration request and sent to the server.
  • the server extracts the user identifier and the first ciphertext from the registration request, decrypts the first ciphertext by using an HTTPS private key, and then uses the RSA private key to decrypt the decrypted first ciphertext again. Decrypt to obtain the original plaintext password.
  • the password is transmitted between the client and the server in the form of cipher text.
  • the public key and the private key are two kinds of keys in the asymmetric encryption algorithm.
  • the two are a pair of mutually matching keys for encryption and decryption.
  • the HTTPS private key can decrypt the first ciphertext encrypted by the HTTPS public key. .
  • Step 202 Adding a salt to the original plaintext password by using a preset salt value to obtain an original key
  • salt refers to the security of the password by inserting a specific character string at any fixed position of the password so that the hashed result does not match the hash result of the original password.
  • the preset salt value needs to be obtained first, and the preset salt value may be generated randomly, and may also be generated according to a preset rule.
  • the random salt value may be a string generated in any manner, and the length of the string may be customized according to actual needs, in order to balance security and encryption efficiency.
  • the length of the string representing the random salt value may be 32 bits.
  • the random salt value can be: fw14Qpl79E6z4&q3! tD0#D2lVT): UNT.
  • the random number can be generated using the Martsett Rotation algorithm (Mersenne Twister), for example, the random number can be: 2101077161.
  • Martsett Rotation algorithm Merenne Twister
  • the random number can be: 2101077161.
  • the above random salt values and random numbers are merely examples and do not constitute a limitation on the specific implementation.
  • the random salt value is used as an encryption key for HMAC calculation, and SHA is used as an encryption hash function for HMAC operation, and the random number is used for HMAC operation to obtain the preset salt value.
  • HMAC is a key-related hash operation message authentication code.
  • the HMAC operation uses a hash algorithm to input a message digest as an output with a key and a message as input. Defining HMAC requires an encryption hash function and an encryption key.
  • the random salt value may be used as an encryption key for HMAC operation, and SHA is used as an encryption hash function for HMAC operation, and the random number is used for HMAC operation to obtain the preset salt value. .
  • SHA is a family of cryptographic hash functions and is a secure hash algorithm certified by Federal Information Processing Standards (FIPS).
  • the hash function can shuffle the data and recreate a fingerprint called a hash value, which is usually used to represent a string of short random letters and numbers.
  • SHA is an algorithm that can calculate a fixed-length string (also known as a message digest) corresponding to a digital message. If the input message is different, different strings will be obtained, and the probability of obtaining different strings is very high.
  • the SHA algorithm is called "security" and is mainly based on the following two points:
  • the SHA family includes SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and SHA-3, designed by the National Security Agency (NSA) and studied by the US National Standards and Technology. Published by the National Institute of Standards and Technology (NIST), is the government standard of the United States. Among them, SHA-224, SHA-256, SHA-384, and SHA-512 are sometimes referred to as SHA-2.
  • the SHA-2 type algorithm can be used as an encryption hash function for HMAC operations.
  • the original plaintext password may be salted with the preset salt value to obtain an original key.
  • Step 203 The original key is used as an encryption key for the hash message authentication code HMAC operation, and the secure hash algorithm SHA is used as an encryption hash function for HMAC operation, and an HMAC operation is performed to obtain an original ciphertext password;
  • Step 204 Store the user identifier corresponding to the original ciphertext password in a database.
  • the server can use the original ciphertext password stored in the database to authenticate the client to identify whether the client is a legitimate user.
  • the original plaintext password is salted by using a preset salt value to obtain an original key, and then the original key is used as an encryption key of the HMAC operation.
  • the SHA is used as the hash function for the HMAC operation, and the HMAC operation is performed to obtain the original ciphertext password.
  • the user identifier is stored in the database corresponding to the original ciphertext password. It is verified that the SHA algorithm itself is difficult to be cracked, and the original key obtained by adding the original plaintext password is quite complicated. Therefore, the original key is used as an encryption key, and the SHA is used as an encryption hash.
  • the original ciphertext password obtained by the function of the HMAC operation is difficult to crack out the original plaintext password even if it is exhaustive. Therefore, the method of the embodiment of the present application can protect the password security and reduce the risk of the password being leaked.
  • the description process of the embodiment of the present application is divided into two phases, namely, a registration phase and a verification phase.
  • the process of the registration phase will be described below, as shown in Figure 3a.
  • the registration phase includes the following steps:
  • Step 301 Receive a registration request sent by a client, where the registration request includes a user identifier and a first ciphertext, where the first ciphertext is obtained by the client encrypting the original plaintext password by using a preset encryption algorithm.
  • the user ID can also be called a user name, a registered account, etc.
  • the original plain text password is the registration password provided by the client at the time of registration.
  • the client may first encrypt the original plaintext password by using the RSA public key, and then encrypt the encrypted original plaintext password with the HTTPS public key to obtain the first ciphertext, and carry the first ciphertext and the user identifier. Sent to the server in the registration request, the server receives the registration request sent by the client.
  • Step 302 Obtain a user identifier from the registration request, and use a preset decryption algorithm corresponding to the preset encryption algorithm to decrypt the first ciphertext included in the registration request to obtain the original plaintext password.
  • the server may extract the user identifier and the first ciphertext from the registration request, decrypt the first ciphertext by using an HTTPS private key, and then use the RSA private key pair to decrypt the first
  • the ciphertext is decrypted again to obtain the original plaintext password.
  • the password is transmitted between the client and the server in the form of cipher text. Even if intercepted by a third party, the third party cannot easily obtain the original plaintext password, thereby further ensuring the security of the password.
  • Step 303 Generate a random salt value and a random number
  • the random salt value may be a string generated in any manner, and the length of the string may be customized according to actual requirements.
  • the length of the string representing the random salt value may be 32 bits.
  • the random salt value can be: fw14Qpl79E6z4&q3! tD0#D2lVT): UNT.
  • Random numbers can be generated using the Marsett Rotation algorithm (Mersenne Twister).
  • the random number can be: 2101077161.
  • the above random salt values and random numbers are merely examples and do not constitute a limitation on the specific implementation.
  • Step 304 Using a random salt value as an encryption key for HMAC operation, using SHA as a hash function for HMAC operation, and performing HMAC operation using the random number to obtain a preset salt value;
  • SHA is a family of cryptographic hash functions and is a secure hash algorithm certified by the Federal Information Processing Standard FIPS.
  • the SHA algorithm is called "security" and is mainly based on the following two points:
  • the embodiment of the present application adopts SHA as a hash function for encryption of HMAC operation.
  • the SHA family includes SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and SHA-3.
  • SHA-224, SHA-256, SHA-384, and SHA-512 are sometimes referred to as SHA-2.
  • the SHA-2 type algorithm can be used as an encryption hash function for HMAC operations.
  • Step 305 Adding a salt to the original plaintext password by using a preset salt value to obtain an original key
  • a spliced string such as "preset salt value + original plaintext password" may be used as the original key.
  • Step 306 The original key is used as an encryption key for HMAC operation, and SHA is used as an encryption function for HMAC operation, and an HMAC operation is performed to obtain an original ciphertext password.
  • Step 307 Store the user identifier in the database corresponding to the original ciphertext password.
  • the SHA algorithm itself is difficult to be cracked.
  • the original plaintext password is changed to the original key through two steps of salting.
  • the original key is quite complicated, so the original key is used as the encryption key.
  • the risks, especially for defensive profit cracking, man-in-the-middle attacks, hijacking and reverse decryption have a good effect.
  • the verification phase includes the following steps:
  • Step 401 Receive an authentication request sent by the client, where the verification request includes a user identifier and a second ciphertext, where the second ciphertext is obtained by the client using a preset encryption algorithm to encrypt the real-time plaintext password.
  • the verification request may be sent to the server, such as login, recharge, etc., which is not specifically limited herein.
  • the real-time plaintext password that is, the password to be verified provided by the client during verification, wherein the real-time plaintext password may also be referred to as a second plaintext password.
  • the client may first encrypt the real-time plaintext password by using the RSA public key, and then encrypt the encrypted real-time plaintext password with the HTTPS public key to obtain the second ciphertext, and carry the second ciphertext and the user identifier. Sent to the server in the verification request, the server receives the verification request sent by the client.
  • Step 402 Obtain a user identifier from the verification request, and use a preset decryption algorithm corresponding to the preset encryption algorithm to decrypt the second ciphertext included in the verification request to obtain a real-time plaintext password.
  • the server may extract the user identifier and the second ciphertext from the verification request, decrypt the second ciphertext by using an HTTPS private key, and then use the RSA private key pair to decrypt the second ciphertext.
  • the ciphertext is decrypted again to obtain the real-time plaintext password.
  • Step 403 Add a salt to the real-time plaintext password by using a preset salt value to obtain a real-time key
  • the preset salt value is the preset salt value obtained in step 304.
  • the splicing string such as “preset salt value + real-time plaintext password” may be used as the real-time key, wherein the real-time key is also It can be called a second key.
  • Step 404 The real-time key is used as an encryption key for HMAC operation, and the SHA is used as an encryption function for HMAC operation, and an HMAC operation is performed to obtain a real-time ciphertext password.
  • the real-time ciphertext password can also be referred to as a second ciphertext password, and the process of generating a real-time ciphertext password can be referred to the schematic diagram of FIG. 4b.
  • Step 405 Obtain an original ciphertext password corresponding to the user identifier from the database.
  • Step 406 it is determined whether the real-time ciphertext password and the original ciphertext password are the same, if the same, step 407 is performed, otherwise, step 408 is performed;
  • Step 407 confirming that the verification is successful
  • the client is allowed to perform the corresponding operation.
  • Step 408 confirming that the verification fails.
  • the client is not allowed to perform the corresponding operation.
  • the ciphertext in the process of verification, is transmitted between the client and the server, so that the password can be prevented from being intercepted and cracked by the third party, and when the verification is performed, the password of the real-time password is directly compared.
  • the ciphertext of the original password stored in the text and the database, thus ensuring password security and reducing the risk of the password being leaked.
  • the embodiment of the present application further provides a password protection apparatus.
  • the password protection apparatus of this embodiment includes: one or more memories; one or more processors;
  • the one or more memory modules are stored by one or more instruction modules, and are configured to be executed by the one or more processors; wherein the one or more instruction modules include: an obtaining unit 501, a salting unit 502,
  • the first encryption unit 503 and the storage unit 504 are as follows:
  • the obtaining unit 501 is configured to obtain a user identifier and an original plaintext password.
  • the obtaining unit 501 may obtain the user identifier and the original plaintext password from the client when the client registers, and the user identifier may also be referred to as a user name, a registered account, etc., and the original plaintext password is provided by the client when registering. sign up password.
  • the device of the embodiment of the present application may further include a receiving unit, where the client may directly carry the user identifier and the original plaintext password in the registration request, the receiving unit receives the registration request, and the obtaining unit 501 directly obtains the user identifier and the original from the registration request. Clear text password.
  • the client may also encrypt the original plaintext password, and carry the encrypted original plaintext password and the user identifier in the registration request to the server.
  • the client can first encrypt the original plaintext password by using the asymmetric encryption algorithm RSA public key, and then encrypt the encrypted original plaintext password again by using the Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) public key.
  • the first ciphertext is obtained, and the first ciphertext and the user identifier are carried in the registration request and sent to the server.
  • the obtaining unit 501 may extract the user identifier and the first ciphertext from the registration request, decrypt the first ciphertext by using an HTTPS private key, and then decrypt the decrypted using the RSA private key pair.
  • the first ciphertext is decrypted again to obtain the original plaintext password.
  • the password is transmitted between the client and the server in the form of ciphertext, and even if intercepted by a third party, the third party cannot easily obtain the original plaintext password.
  • the salt adding unit 502 is configured to add the salt to the original plaintext password by using a preset salt value to obtain an original key.
  • salt refers to the security of the password by inserting a specific character string at any fixed position of the password so that the hashed result does not match the hash result of the original password.
  • the preset salt value may be randomly generated, and may be generated according to a preset rule.
  • the following describes the method for generating a preset salt value according to the preset rule provided by the embodiment of the present application, that is, the device of the embodiment of the present application further includes a generating unit and The second encryption unit is as follows:
  • a generating unit for generating random salt values and random numbers.
  • the random salt value may be a string generated in any manner, and the length of the string may be customized according to actual requirements.
  • the length of the string representing the random salt value may be 32 bits.
  • the random salt value can be: fw14Qpl79E6z4&q3! tD0#D2lVT): UNT.
  • the random number can be generated using the Martsett Rotation algorithm (Mersenne Twister), for example, the random number can be: 2101077161.
  • Martsett Rotation algorithm Merenne Twister
  • the random number can be: 2101077161.
  • the above random salt values and random numbers are merely examples and do not constitute a limitation on the specific implementation.
  • the second encryption unit is configured to use the random salt value as an encryption key for HMAC operation, and use SHA as an encryption hash function for HMAC operation, and perform HMAC operation using the random number to obtain the preset salt value.
  • HMAC is a key-related hash operation message authentication code.
  • the HMAC operation uses a hash algorithm to input a message digest as an output with a key and a message as input. Defining HMAC requires an encryption hash function and an encryption key.
  • the random salt value may be used as an encryption key for HMAC operation, and SHA is used as an encryption hash function for HMAC operation, and the random number is used for HMAC operation to obtain the preset salt value. .
  • SHA is a family of cryptographic hash functions and is a secure hash algorithm certified by Federal Information Processing Standards (FIPS). SHA is an algorithm that can calculate a fixed length string (also known as a message digest) corresponding to a digital message. If the input message is different, different strings will be obtained, and the probability of obtaining different strings is very high.
  • the SHA algorithm is called "security" and is mainly based on the following two points:
  • the SHA family includes SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and SHA-3, designed by the National Security Agency (NSA) and studied by the US National Standards and Technology. Published by the National Institute of Standards and Technology (NIST), is the government standard of the United States. Among them, SHA-224, SHA-256, SHA-384, and SHA-512 are sometimes referred to as SHA-2.
  • the SHA-2 type algorithm can be used as an encryption hash function for HMAC operations.
  • the salting unit 502 can salt the original plaintext password with the preset salt value to obtain the original key.
  • the first encryption unit 503 is configured to use the original key as an encryption key for the hash message authentication code HMAC operation, and use the secure hash algorithm SHA as a hash function for HMAC operation to perform an HMAC operation to obtain an original secret. Text password.
  • the storage unit 504 is configured to store the user identifier in the database corresponding to the original ciphertext password.
  • the receiving unit is further configured to receive an authentication request sent by the client, where the verification request includes the user identifier and a second ciphertext, where the second ciphertext is adopted by the client
  • the preset encryption algorithm encrypts the real-time plaintext password.
  • the verification request may be sent to the server, such as login, recharge, etc., which is not specifically limited herein.
  • Real-time plaintext password which is the password to be verified provided by the client during authentication.
  • the obtaining unit 501 is further configured to: obtain the user identifier from the verification request, and decrypt the second ciphertext included in the verification request by using a preset decryption algorithm corresponding to the preset encryption algorithm. Obtaining the real-time plaintext password;
  • the salting unit 502 is further configured to: obtain a real-time key by adding salt to the real-time plaintext password by using the preset salt value;
  • the first encryption unit 503 is further configured to use the real-time key as an encryption key for HMAC operation, and use the SHA as a hash function for HMAC operation to perform an HMAC operation to obtain a real-time ciphertext password;
  • the device also includes:
  • the extracting unit 505 is configured to retrieve the original ciphertext password corresponding to the user identifier from the database;
  • the determining unit 506 is configured to determine whether the real-time ciphertext password is the same as the original ciphertext password;
  • the confirmation unit 507 is configured to confirm that the verification is successful when the real-time ciphertext password is the same as the original ciphertext password, and the verification succeeds to allow the client to perform a corresponding operation; and the real-time ciphertext password and the original secret If the passwords are different, the verification fails. If the verification fails, the client is not allowed to perform the corresponding operations.
  • the password protection device provided by the foregoing application embodiment implements password protection
  • only the division of each functional module described above is used for example.
  • the function distribution may be completed by different functional modules as needed.
  • the internal structure of the device is divided into different functional modules to complete all or part of the functions described above.
  • the password protection device and the password protection method provided by the foregoing application embodiments are in the same concept, and the implementation process thereof is described in the method application embodiment, and details are not described herein again.
  • the salting unit may use the preset salt value to add salt to the original plaintext password to obtain the original key, and then the first encryption unit will use the original secret.
  • the key is used as the encryption key of the HMAC operation
  • the SHA is used as the hash function for the HMAC operation to perform the HMAC operation to obtain the original ciphertext password.
  • the storage unit stores the user identifier and the original ciphertext password in the database. in. It is verified that the SHA algorithm itself is difficult to be cracked, and the original key obtained by adding the original plaintext password is quite complicated. Therefore, the original key is used as an encryption key, and the SHA is used as an encryption hash.
  • the device in the embodiment of the present application can protect the password security and reduce the risk of the password being leaked, especially for the defensive profit cracking, Man-in-the-middle attacks, hijacking, and reverse decryption all have good results.
  • FIG. 6 shows a schematic structural diagram of a device involved in the embodiment of the present application, specifically:
  • the apparatus may include one or more processing core processor 601, one or more computer readable storage medium memories 602, a radio frequency (RF) circuit 603, a power source 604, an input unit 605, and a display unit 606, etc. component.
  • RF radio frequency
  • FIG. 6 does not constitute a limitation to the device, and may include more or less components than those illustrated, or some components may be combined, or different component arrangements. among them:
  • Processor 601 is the control center of the device, connecting various portions of the entire device using various interfaces and lines, by running or executing software programs and/or modules stored in memory 602, and recalling data stored in memory 602, Performing various functions and processing data of the device to thereby perform overall monitoring of the device.
  • the processor 601 can include one or more processing cores; in some examples, the processor 601 can integrate the application processor and modem A processor, wherein the application processor primarily processes an operating system, a user interface, an application, etc., and the modem processor primarily processes wireless communications. It can be understood that the above modem processor may not be integrated into the processor 601.
  • the memory 602 can be used to store software programs and modules, and the processor 601 executes various functional applications and data processing by running software programs and modules stored in the memory 602.
  • the memory 602 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may be stored according to Data created by the use of the device, etc.
  • memory 602 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, memory 602 can also include a memory controller to provide processor 601 access to memory 602.
  • the RF circuit 603 can be used for receiving and transmitting signals during the process of transmitting and receiving information. Specifically, after receiving the downlink information of the base station, the downlink information is processed by one or more processors 601. In addition, the data related to the uplink is sent to the base station. Generally, the RF circuit 603 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, and a Low Noise Amplifier (LNA). , duplexer, etc. In addition, RF circuit 603 can also communicate with the network and other devices via wireless communication.
  • SIM Subscriber Identity Module
  • LNA Low Noise Amplifier
  • the wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), and Code Division Multiple Access (CDMA). , Code Division Multiple Access), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and the like.
  • GSM Global System of Mobile communication
  • GPRS General Packet Radio Service
  • CDMA Code Division Multiple Access
  • WCDMA Wideband Code Division Multiple Access
  • LTE Long Term Evolution
  • SMS Short Messaging Service
  • the apparatus also includes a power source 604 (such as a battery) that supplies power to the various components.
  • the power source 604 can be logically coupled to the processor 601 via a power management system to manage charging, discharging, and power management through the power management system.
  • the power supply 604 can also include any one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
  • the apparatus can also include an input unit 605 that can be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function controls.
  • input unit 605 can include a touch-sensitive surface as well as other input devices. Touch-sensitive surfaces, also known as touch screens or trackpads, collect touch operations on or near the user (such as the user using a finger, stylus, etc., any suitable object or accessory on a touch-sensitive surface or touch-sensitive Operation near the surface), and drive the corresponding connecting device according to a preset program.
  • the touch sensitive surface can include both portions of the touch detection device and the touch controller.
  • the touch detection device detects the touch orientation of the user, and detects a signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts the touch information into contact coordinates, and sends the touch information.
  • the processor 601 is provided and can receive commands from the processor 601 and execute them.
  • touch-sensitive surfaces can be implemented in a variety of types, including resistive, capacitive, infrared, and surface acoustic waves.
  • the input unit 605 can also include other input devices.
  • other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.
  • the apparatus can also include a display unit 606 that can be used to display information entered by the user or information provided to the user and various graphical user interfaces of the device, which can be represented by graphics, text, icons, video, and It is composed of any combination.
  • the display unit 606 can include a display panel.
  • the display panel can be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like.
  • the touch-sensitive surface may cover the display panel, and when the touch-sensitive surface detects a touch operation thereon or nearby, it is transmitted to the processor 601 to determine the type of the touch event, and then the processor 601 displays the type according to the touch event. A corresponding visual output is provided on the panel.
  • the touch-sensitive surface and display panel are implemented as two separate components to implement input and input functions, in some embodiments, the touch-sensitive surface can be integrated with the display panel to implement input and output functions.
  • the device may further include a camera, a Bluetooth module, and the like, and details are not described herein again.
  • the processor 601 in the device loads the executable file corresponding to the process of one or more application programs into the memory 602 according to the following instructions, and is executed by the processor 601 to be stored in the memory.
  • the application in 602 thus implementing various functions, as follows:
  • the original key is used as an encryption key for the hash message authentication code HMAC operation, and the secure hash algorithm SHA is used as an encryption hash function for HMAC operation, and an HMAC operation is performed to obtain an original ciphertext password;
  • the user identifier is stored in the database corresponding to the original ciphertext password.
  • processor 601 is further configured to:
  • the registration request sent by the client is received, where the registration request includes the user identifier and the first ciphertext, and the first ciphertext adopts a preset encryption algorithm by the client. Encrypting the original plaintext password to obtain;
  • the processor 601 can obtain the user identification and the original plaintext password as follows:
  • the processor 601 obtains the user identifier from the registration request, and decrypts the first ciphertext included in the registration request to obtain the original by using a preset decryption algorithm corresponding to the preset encryption algorithm. Clear text password.
  • the encrypting the original plaintext password by the client by using a preset encryption algorithm to obtain the first ciphertext includes:
  • the client encrypts the original plaintext password by using an asymmetric encryption algorithm RSA public key, and then encrypts the encrypted original plaintext password by using a secure hypertext transfer protocol HTTPS public key to obtain the first ciphertext;
  • the processor 601 uses a preset decryption algorithm corresponding to the preset encryption algorithm, and the decrypting the first ciphertext included in the registration request to obtain the original plaintext password includes:
  • the processor 601 decrypts the first ciphertext by using an HTTPS private key, and then decrypts the decrypted first ciphertext again by using an RSA private key to obtain the original plaintext password.
  • the processor 601 is further configured to: after obtaining the user identifier and the original plaintext password,
  • the random salt value is used as an encryption key for HMAC operation, and SHA is used as an encryption hash function for HMAC operation, and the random number is used for HMAC operation to obtain the preset salt value.
  • processor 601 is further configured to:
  • the real-time key is used as an encryption key for HMAC operation, and SHA is used as an encryption hash function for HMAC operation, and HMAC operation is performed to obtain a real-time ciphertext password;
  • the SHA includes: a SHA-1 class algorithm, a SHA-2 class algorithm, or a SHA-3 class algorithm.
  • the device in the embodiment of the present application adds the salt to the original plaintext password by using a preset salt value to obtain the original key, and then uses the original key as the HMAC operation.
  • the encryption key is used as an encryption function for HMAC operation, and the HMAC operation is performed to obtain an original ciphertext password.
  • the user identifier is stored in the database corresponding to the original ciphertext password. It is verified that the SHA algorithm itself is difficult to be cracked, and the original key obtained by adding the original plaintext password is quite complicated. Therefore, the original key is used as an encryption key, and the SHA is used as an encryption hash.
  • the device in the embodiment of the present application can protect the password security and reduce the risk of the password being leaked, especially for the defensive profit cracking, Man-in-the-middle attacks, hijacking, and reverse decryption all have good results.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the object of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or the contribution to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium.
  • a number of instructions are included to cause a computer device (which may be a personal computer, device, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. .
  • the embodiment of the present application further provides a storage medium in which a data processing program is stored, and the data processing program is used to execute any one of the foregoing methods in the embodiments of the present application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un procédé et un dispositif de protection de mot de passe. Dans le procédé de protection de mot de passe selon l'invention, un serveur : obtient un identificateur d'utilisateur et un premier mot de passe en clair ; utilise une valeur de salage prédéfinie pour saler le premier mot de passe en clair et obtenir une première clé ; considère la première clé comme une clé de chiffrement pour une opération HMAC (code d'authentification de message basé sur un hachage) ; et considère un algorithme de hachage sécurisé (SHA) comme une fonction de hachage cryptographique pour l'opération HMAC, de sorte à exécuter l'opération HMAC et obtenir un premier mot de passe de texte chiffré ; et stocker l'identificateur d'utilisateur et le premier mot de passe de texte chiffré dans une base de données.
PCT/CN2018/071734 2017-01-18 2018-01-08 Procédé et dispositif de protection de mot de passe, et support de stockage WO2018133686A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710036798.9A CN106656476B (zh) 2017-01-18 2017-01-18 一种密码保护方法、装置及计算机可读存储介质
CN201710036798.9 2017-01-18

Publications (1)

Publication Number Publication Date
WO2018133686A1 true WO2018133686A1 (fr) 2018-07-26

Family

ID=58841701

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/071734 WO2018133686A1 (fr) 2017-01-18 2018-01-08 Procédé et dispositif de protection de mot de passe, et support de stockage

Country Status (2)

Country Link
CN (1) CN106656476B (fr)
WO (1) WO2018133686A1 (fr)

Families Citing this family (49)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656476B (zh) * 2017-01-18 2020-12-01 腾讯科技(深圳)有限公司 一种密码保护方法、装置及计算机可读存储介质
CN107257349A (zh) * 2017-07-27 2017-10-17 四川长虹电器股份有限公司 基于单向和公钥加密算法的密码加密方法与系统
CN109687966A (zh) * 2017-10-18 2019-04-26 北京明特量化信息技术有限公司 加密方法及其系统
CN107733656A (zh) * 2017-10-23 2018-02-23 北京深思数盾科技股份有限公司 一种密码认证方法及装置
CN107911343B (zh) * 2017-10-27 2020-09-15 深圳英飞拓科技股份有限公司 安全的密码存储验证方法和装置
CN107948152B (zh) * 2017-11-23 2021-05-14 腾讯科技(深圳)有限公司 信息存储方法、获取方法、装置及设备
CN107948155A (zh) * 2017-11-24 2018-04-20 重庆金融资产交易所有限责任公司 密码校验方法、装置、计算机设备和计算机可读存储介质
CN108134666A (zh) * 2018-02-07 2018-06-08 北京安博通科技股份有限公司 一种加密解密方法及装置
CN108650210A (zh) * 2018-03-14 2018-10-12 深圳市中易通安全芯科技有限公司 一种认证系统和方法
CN108494775B (zh) * 2018-03-26 2020-12-15 四川长虹电器股份有限公司 防止利用合法数据或篡改合法数据进行网络攻击的方法
CN108616878B (zh) * 2018-03-28 2021-03-26 努比亚技术有限公司 一种加密解密方法、设备和计算机存储介质
CN108768613A (zh) * 2018-04-03 2018-11-06 四川新网银行股份有限公司 一种基于多种加密算法的密文口令校验方法
CN108868367B (zh) * 2018-06-07 2020-06-30 安钥(北京)科技股份有限公司 智能锁装置
CN109450622A (zh) * 2018-10-16 2019-03-08 平安普惠企业管理有限公司 数据加密方法、数据校验方法、装置、设备及存储介质
TWI774902B (zh) * 2018-12-28 2022-08-21 新唐科技股份有限公司 密鑰保護方法及密鑰保護系統
CN109639436A (zh) * 2019-01-04 2019-04-16 平安科技(深圳)有限公司 基于盐值的数据持有性验证方法及终端设备
CN111767364B (zh) * 2019-03-26 2023-12-29 钉钉控股(开曼)有限公司 数据处理方法、装置和设备
CN111865869B (zh) * 2019-04-24 2023-08-08 北京沃东天骏信息技术有限公司 基于随机映射的注册、认证方法及装置、介质及电子设备
US12155646B2 (en) * 2019-06-10 2024-11-26 Microsoft Technology Licensing, Llc Authentication with random noise symbols and pattern recognition
CN110166224B (zh) * 2019-06-20 2022-03-29 大连海事大学 一种vdes电子海图数据在线更新与保护方法
CN110493207B (zh) * 2019-08-06 2022-02-25 北京达佳互联信息技术有限公司 一种数据处理方法、装置、电子设备和存储介质
CN110740124A (zh) * 2019-09-20 2020-01-31 平安普惠企业管理有限公司 账户密码分发方法、装置、存储介质和计算机设备
CN110889595A (zh) * 2019-11-06 2020-03-17 国网浙江省电力有限公司 一种基于哈希算法的电力物资编码优化方法
CN110990809B (zh) * 2019-11-26 2021-08-03 卓尔购信息科技(武汉)有限公司 一种基于工作量的密码加盐验证方法及系统
CN111339270B (zh) * 2020-02-20 2023-04-25 中国农业银行股份有限公司 一种密码校验方法及装置
CN111428253B (zh) * 2020-03-24 2023-04-07 福建福链科技有限公司 一种适用于区块链的数据保护方法及系统
CN111611576B (zh) * 2020-04-30 2022-09-23 南京南瑞继保工程技术有限公司 账户密钥验证方法、装置及计算机存储介质
CN111538983A (zh) * 2020-07-03 2020-08-14 杭州摸象大数据科技有限公司 用户密码生成方法、装置、计算机设备及存储介质
CN111984978B (zh) * 2020-08-13 2022-11-29 成都安恒信息技术有限公司 一种高扩展性密码加密存储方法
CN112511305A (zh) * 2020-12-11 2021-03-16 武汉大学 一种基于n明文的数据对称加密方法
CN112507365B (zh) * 2020-12-16 2023-08-22 平安银行股份有限公司 数据匹配方法、终端及存储介质
CN113014380B (zh) * 2021-02-08 2022-12-27 深圳市亿图软件有限公司 文件数据的密码管理方法、装置、计算机设备及存储介质
CN115130089A (zh) * 2021-03-26 2022-09-30 Oppo广东移动通信有限公司 密码设置方法、密码设置装置、电子装置和存储介质
CN113078999A (zh) * 2021-04-13 2021-07-06 傲普(上海)新能源有限公司 一种密码安全加密保存方式
CN113254952B (zh) * 2021-04-25 2022-07-15 浙江工业大学 一种基于Android系统的密钥保护管理方法
CN113517981B (zh) * 2021-04-28 2023-05-23 河南中烟工业有限责任公司 一种密钥管理方法、代码版本的管理方法及装置
CN113486375B (zh) * 2021-07-16 2024-04-19 青岛海尔科技有限公司 设备信息的存储方法和装置、存储介质及电子装置
CN113630238B (zh) * 2021-08-10 2024-02-23 中国工商银行股份有限公司 一种基于密码混淆的用户请求许可方法及装置
CN113626802B (zh) * 2021-08-23 2023-05-12 重庆第二师范学院 一种设备密码的登录验证系统及方法
CN114117406B (zh) * 2021-09-30 2025-01-28 深圳前海微众银行股份有限公司 一种数据处理方法、装置、设备及存储介质
CN114567430A (zh) * 2022-01-26 2022-05-31 银盛通信有限公司 一种移动转售系统给用户密码增加私钥的方法
CN114584291B (zh) * 2022-02-18 2023-12-29 杭州代码狗科技有限公司 基于hmac算法的密钥保护方法、装置、设备和存储介质
CN114785485A (zh) * 2022-04-21 2022-07-22 中国联合网络通信集团有限公司 信息加密传输方法、装置、设备及存储介质
CN115022057A (zh) * 2022-06-13 2022-09-06 中信百信银行股份有限公司 安全认证方法、装置和设备及存储介质
CN115102750B (zh) * 2022-06-16 2024-02-02 平安银行股份有限公司 隐私数据处理方法、系统、计算机终端及可读存储介质
CN115941187A (zh) * 2022-11-25 2023-04-07 天翼电子商务有限公司 一种基于md5的不可逆随机加盐加密方法及系统
CN116155497B (zh) * 2023-01-06 2023-09-29 南京通力峰达软件科技有限公司 一种车联网用户应用程序中的敏感数据加密和保存方法
CN115906055B (zh) * 2023-01-31 2023-05-16 江苏金盾检测技术股份有限公司 基于密码库比对带有自动校准功能的密码测评方法和系统
CN117056901A (zh) * 2023-08-09 2023-11-14 中移互联网有限公司 数据处理方法、装置、电子设备及存储介质

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070079362A1 (en) * 2005-09-30 2007-04-05 Lortz Victor B Method for secure device discovery and introduction
CN103116730A (zh) * 2013-01-21 2013-05-22 厦门市美亚柏科信息股份有限公司 一种dpapi加密数据的解密方法和系统
CN103701829A (zh) * 2014-01-03 2014-04-02 厦门市美亚柏科信息股份有限公司 一种离线解析dpapi加密数据的方法
CN103914666A (zh) * 2013-09-17 2014-07-09 亚欧宝龙信息安全技术(湖南)有限公司 一种基于分区的文件加解密方法和装置
CN104885093A (zh) * 2012-12-12 2015-09-02 思杰系统有限公司 基于加密的数据访问管理
CN106656476A (zh) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 一种密码保护方法及装置

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8429724B2 (en) * 2006-04-25 2013-04-23 Seagate Technology Llc Versatile access control system
CN101132275B (zh) * 2006-08-23 2010-05-12 中国科学院计算技术研究所 一种实现数字内容使用权利的安全保护系统
US8861737B2 (en) * 2009-05-28 2014-10-14 Qualcomm Incorporated Trust establishment from forward link only to non-forward link only devices
CN103914662A (zh) * 2013-09-17 2014-07-09 亚欧宝龙信息安全技术(湖南)有限公司 一种基于分区的文件加密系统的访问控制方法和装置
CN105721390A (zh) * 2014-12-01 2016-06-29 阿里巴巴集团控股有限公司 一种加密存储方法和装置
US9807086B2 (en) * 2015-04-15 2017-10-31 Citrix Systems, Inc. Authentication of a client device based on entropy from a server or other device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070079362A1 (en) * 2005-09-30 2007-04-05 Lortz Victor B Method for secure device discovery and introduction
CN104885093A (zh) * 2012-12-12 2015-09-02 思杰系统有限公司 基于加密的数据访问管理
CN103116730A (zh) * 2013-01-21 2013-05-22 厦门市美亚柏科信息股份有限公司 一种dpapi加密数据的解密方法和系统
CN103914666A (zh) * 2013-09-17 2014-07-09 亚欧宝龙信息安全技术(湖南)有限公司 一种基于分区的文件加解密方法和装置
CN103701829A (zh) * 2014-01-03 2014-04-02 厦门市美亚柏科信息股份有限公司 一种离线解析dpapi加密数据的方法
CN106656476A (zh) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 一种密码保护方法及装置

Also Published As

Publication number Publication date
CN106656476A (zh) 2017-05-10
CN106656476B (zh) 2020-12-01

Similar Documents

Publication Publication Date Title
WO2018133686A1 (fr) Procédé et dispositif de protection de mot de passe, et support de stockage
US10666642B2 (en) System and method for service assisted mobile pairing of password-less computer login
US10063531B2 (en) Method for key rotation
US10142107B2 (en) Token binding using trust module protected keys
WO2018157858A1 (fr) Procédé de stockage d'informations, dispositif et support d'enregistrement lisible par ordinateur
EP3324572B1 (fr) Procédé de transmission d'informations et dispositif mobile
CN110572804B (zh) 蓝牙通信认证请求、接收及通信方法、移动端、设备端
WO2015192670A1 (fr) Procédé d'authentification d'identité d'utilisateur, terminal et terminal de service
US8904195B1 (en) Methods and systems for secure communications between client applications and secure elements in mobile devices
US20180091487A1 (en) Electronic device, server and communication system for securely transmitting information
EP3282737B1 (fr) Dispositif de traitement d'informations, dispositif d'authentification, système, procédé de traitement d'informations, programme et procédé d'authentification
CN109951513B (zh) 基于量子密钥卡的抗量子计算智能家庭量子云存储方法和系统
TW201824809A (zh) 資訊安全的驗證方法、裝置和系統
CN106845177A (zh) 密码管理方法及系统
CN111193588B (zh) 基于进程的信息处理方法、装置及存储介质
TWI724684B (zh) 用於執行經過身分驗證的加密操作的方法、系統及裝置
WO2010023506A1 (fr) Procédés, appareils, produits-programmes informatiques et systèmes pour l'appariement et l'association sécurisés de dispositifs sans fil
WO2016045464A1 (fr) Procédé de déchiffrement et terminal mobile
CN117240475B (zh) 一种智能门锁的通信方法、系统、设备及介质
WO2015158173A1 (fr) Procédé de traitement de données à base de clé d'accord
WO2015124798A2 (fr) Procédé et système autorisant une opération validée par authentification pour un dispositif de traitement de données
CN107623571B (zh) 一种握手处理方法、客户端及服务器
CN112765628B (zh) 一种信息交互方法和电子设备
WO2016003310A1 (fr) Amorçage d'un dispositif à un réseau sans fil
CN115529591A (zh) 基于令牌的认证方法、装置、设备及存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18741377

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18741377

Country of ref document: EP

Kind code of ref document: A1

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载