CN118413369A

CN118413369A - Signature program encryption method and device, signature program decryption method and device

Info

Publication number: CN118413369A
Application number: CN202410500292.9A
Authority: CN
Inventors: 卜异亚
Original assignee: China Citic Bank Corp Ltd
Current assignee: China Citic Bank Corp Ltd
Priority date: 2024-04-24
Filing date: 2024-04-24
Publication date: 2024-07-30

Abstract

The present disclosure relates to the field of information security technologies, and in particular, to a signature program encryption method and apparatus, and a signature program decryption method and apparatus. The method comprises the following steps: acquiring a unique identifier of a signature program for a certain user; generating a first encryption key from the unique identifier; encrypting the target information of the signature program by using a preset second encryption key to obtain an encryption signature result; the target information comprises the first encryption key, a signature private key of the signature program and an operation log; encrypting the second encryption key by using the first encryption key to obtain an encrypted ciphertext; and forming the encrypted ciphertext, the encrypted signature result and the signature program after encrypting the target information into an encrypted signature program. According to the embodiment of the specification, hardware encryption authentication is not needed, so that the protection of a signature program can be improved while the encryption application scene is enlarged.

Description

Signature program encryption method and device, signature program decryption method and device

Technical Field

The present disclosure relates to the field of information security technologies, and in particular, to a signature program encryption method and apparatus, and a signature program decryption method and apparatus.

Background

The existing client signature program is generally deployed on a terminal machine, a set of database system is deployed on a server, compliance of operation records is checked through the operation records of the server, the protection mode of the client signature program at present is to protect the client program by using a sensitive medium, namely, by means of hardware encryption authentication, such as U-shield, dongle and the like, the private key of the client signature program is stored in hardware, the security is high, but the method has the defects of inconvenient use and limited application scene, the protection of the local program cannot be realized on some computers which do not allow peripheral insertion, and because the client program does not have a database system, only a set of database system is deployed on the server, the operation log cannot be recorded through the server, and the risk of deleting or tampering the records exists on the client record, so that a signature program encryption method is needed to expand the encryption application scene and improve the protection strength of the signature program.

Disclosure of Invention

In view of the fact that the current protection mode of the client signature program is to use a sensitive medium protection, namely to protect the use of the client program by means of hardware encryption authentication, the defects of inconvenient use and limited application scenarios exist, and because the client program has no database system, a set of database system is only deployed at a server, an operation log cannot be recorded through the server, and the risk of deleting or falsifying the record exists in the client record, the scheme is proposed so as to overcome the problems or at least partially solve the problems.

In one aspect, some embodiments of the present specification aim to provide a signature program encryption method, the method comprising:

acquiring a unique identifier of a signature program for a certain user;

Generating a first encryption key from the unique identifier;

encrypting the target information of the signature program by using a preset second encryption key to obtain an encryption signature result; the target information comprises the first encryption key, a signature private key of the signature program and an operation log;

encrypting the second encryption key by using the first encryption key to obtain an encrypted ciphertext;

And forming the encrypted ciphertext, the encrypted signature result and the signature program after encrypting the target information into an encrypted signature program.

Further, after obtaining the unique identifier of the signature program for a certain user, the method further comprises:

Generating a device identification code corresponding to the unique identifier;

Judging whether the equipment identification code is in a preset equipment list or not;

If the equipment identification code is not in the preset equipment list, the signature program encryption operation is terminated, and a security alarm is returned.

Further, the preset device list is established and obtained by the following steps:

Acquiring hardware configuration information of a plurality of machines to be operated with signature programs;

Inserting a specific character string into a designated position of each piece of hardware configuration information to obtain corresponding piece of hardware configuration encryption information;

Inputting the hardware configuration encryption information into a preset national encryption algorithm, and generating a plurality of equipment identifiers corresponding to the machine;

And establishing a preset equipment list according to the plurality of equipment identifiers.

Further, after the device list is established, the method further includes:

And remotely managing the machine to be operated with the signature program by using the fort machine, and recording a management log so as to carry out matching verification on the management log and the operation log.

Further, generating a first encryption key from the unique identifier includes:

salt treatment is carried out on the unique identifier;

And inputting the salt adding processing result into a preset national encryption algorithm to obtain the first encryption key.

Further, the second encryption key is obtained by:

mixing and inserting preset random numbers and confusion factors;

And inputting the mixed and interpenetrated result into a preset national encryption algorithm to obtain the second encryption key.

Further, encrypting the target information of the signature program by using a preset second encryption key to obtain an encrypted signature result, and further comprising:

Encrypting the target information of the signature program by adopting a preset second encryption key through a corresponding national encryption algorithm to obtain an encryption signature result; the encryption signature result comprises a first encryption key ciphertext, a signature private key ciphertext and an operation log ciphertext.

Further, encrypting the target encryption information by using the second encryption key to obtain an encryption signature result, further comprising:

and storing the first encryption key ciphertext and the signature private key ciphertext into a first storage area, and storing the operation log ciphertext into a second storage area.

Further, after the encrypted ciphertext and the encrypted signature result are returned, the method further comprises:

And irreversibly destroying the first encryption key, the second encryption key and the target information, and recording the destroying process.

Some embodiments of the present specification also provide a signature program decryption method based on the same inventive concept, the method including:

Acquiring a unique identifier in an encrypted signature program, wherein the encrypted signature program comprises an encrypted ciphertext, an encrypted signature result and a signature program after encrypting target information;

Generating a first decryption key from the unique identifier;

decrypting the encrypted ciphertext by using the first decryption key to obtain a second decryption key;

Partial decryption is carried out on the encryption signature result by utilizing the second decryption key, so as to obtain a first encryption key;

verifying whether the first decryption key matches the first encryption key;

And if the result is matched, performing full decryption on the encrypted signature result.

Further, generating a first decryption key from the unique identifier, further comprising:

acquiring a unique identifier of the non-encrypted signature program from the signature program after encrypting the target information;

salt treatment is carried out on the unique identifier;

and inputting the salt adding processing result into a preset national encryption algorithm to obtain the first decryption key.

Further, after the encryption signature result is fully decrypted, the signature method further comprises the step of signing the target file by using a signature private key of the signature program.

In another aspect, some embodiments of the present specification further provide a signature program encryption apparatus, the apparatus including:

The acquisition module is used for acquiring a unique identifier of a signature program for a certain user;

An encryption key generation module for generating a first encryption key according to the unique identifier;

The information encryption module is used for encrypting the target information of the signature program by using a preset second encryption key to obtain an encryption signature result; the target information comprises the first encryption key, a signature private key of the signature program and an operation log;

The key encryption module is used for encrypting the second encryption key by utilizing the first encryption key to obtain an encrypted ciphertext;

and the forming module is used for forming the encrypted ciphertext, the encrypted signature result and the signature program after encrypting the target information into an encrypted signature program.

Based on the same inventive concept, in another aspect, some embodiments of the present specification further provide a signature program decryption apparatus, the apparatus including:

The receiving module is used for acquiring a unique identifier in the encrypted signature program, wherein the encrypted signature program comprises an encrypted ciphertext, an encrypted signature result and a signature program after encrypting the target information;

A decryption key generation module for generating a first decryption key according to the unique identifier;

The decryption module is used for decrypting the encrypted ciphertext by using the first decryption key to obtain a second decryption key;

the partial decryption module is used for partially decrypting the encryption signature result by using the second decryption key to obtain a first encryption key;

The verification module is used for verifying whether the first decryption key is matched with the first encryption key;

and the full decryption module is used for fully decrypting the encrypted signature result if the encrypted signature result is matched with the encrypted signature result.

In another aspect, some embodiments of the present description also provide a computer device including a memory, a processor, and a computer program stored on the memory, which when executed by the processor, performs the instructions of the above method.

In another aspect, some embodiments of the present description also provide a computer storage medium having stored thereon a computer program which, when executed by a processor of a computer device, performs instructions of the above method.

One or more technical solutions provided in some embodiments of the present disclosure at least have the following technical effects:

the embodiment of the specification automatically acquires the unique identifier of the signature program for a certain user, and generates the first encryption key according to the unique identifier, but the target information is not directly encrypted by the first encryption key, but is encrypted by the preset second encryption key to obtain an encryption signature result, then the second encryption key is encrypted by the first encryption key to obtain an encryption ciphertext, and the encryption ciphertext, the encryption signature result and the signature program after encrypting the target information form an encrypted signature program, so that the signature program is encrypted by the double keys, the risk of deleting or falsifying the record in the client record is reduced, and the protection degree of the signature program is improved while the encryption application scene is enlarged.

The foregoing description is merely an overview of some embodiments of the present disclosure, which may be practiced in accordance with the disclosure of the present disclosure, for the purpose of making the foregoing and other objects, features, and advantages of some embodiments of the present disclosure more readily apparent, and for the purpose of providing a more complete understanding of the present disclosure's technical means.

Drawings

In order to more clearly illustrate some embodiments of the present description or technical solutions in the prior art, the following description will briefly explain the embodiments or drawings needed in the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments described in the present description, and other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art. In the drawings:

FIG. 1 is a schematic diagram of a system for implementing a signature program encryption method in some embodiments of the present disclosure;

FIG. 2 illustrates a flow chart of a method of signing program encryption in some embodiments of the present description;

FIG. 3 is a schematic diagram illustrating steps for matching device identification codes in some embodiments of the present disclosure;

FIG. 4 is a schematic diagram illustrating steps for creating a device list in some embodiments of the present disclosure;

FIG. 5 is a schematic diagram illustrating steps for generating a first encryption key in some embodiments of the present disclosure;

FIG. 6 is a schematic diagram illustrating steps for generating a second encryption key in some embodiments of the present disclosure;

FIG. 7 illustrates a flow chart of a method of signature program decryption in some embodiments of the present description;

FIG. 8 is a schematic diagram illustrating steps for generating a first decryption key in some embodiments of the present disclosure;

FIG. 9 is a schematic diagram illustrating the structure of a data encryption hierarchy in some embodiments of the present description;

FIG. 10 is a schematic diagram illustrating the overall process of encrypting and decrypting a signature program in some embodiments of the present disclosure;

FIG. 11 is a schematic diagram illustrating a signing authority in some embodiments of the present disclosure;

FIG. 12 is a schematic diagram illustrating a configuration of a signature program decryption device according to some embodiments of the present disclosure;

fig. 13 is a schematic diagram of a computer device provided in some embodiments of the present disclosure.

[ Reference numerals description ]

101. A terminal;

102. a server;

1101. An acquisition module;

1102. An encryption key generation module;

1103. an information encryption module;

1104. A key encryption module;

1105. forming a module;

1201. a receiving module;

1202. A decryption key generation module;

1203. a decryption module;

1204. a partial decryption module;

1205. a verification module;

1206. A full decryption module;

1302. a computer device;

1304. A processor;

1306. a memory;

1308. a driving mechanism;

1310. An input/output interface;

1312. An input device;

1314. an output device;

1316. a presentation device;

1318. a graphical user interface;

1320. a network interface;

1322. A communication link;

1324. a communication bus.

Detailed Description

In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in some embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure based on some embodiments in the present disclosure.

It should be noted that the terms "first," "second," and the like in the description and claims herein and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or device. It should be noted that, in the technical scheme of the application, the acquisition, storage, use, processing and the like of the data all conform to the relevant regulations of the relevant laws and regulations.

Fig. 1 is a schematic diagram of an implementation system of a signature program encryption method according to an embodiment of the present invention, which may include: the terminal 101 and the server 102 communicate with each other via a network, which may include a local area network (Local Area Network, abbreviated as LAN), a wide area network (Wide Area Network, abbreviated as WAN), the internet, or a combination thereof, and are connected to a website, user equipment (e.g., a computing device), and a back-end system. The staff can send a signature program encryption request to the server 102 through the terminal 101, after the server 102 receives the signature program encryption request, the server 102 invokes the unique identifier, the signature program and other data in the database to perform calculation processing, so as to obtain a calculation result, and sends the calculation result to the terminal 101, so that the staff processes the service according to the calculation result.

In this embodiment of the present disclosure, the server 102 may be an independent physical server, or may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDN, content Delivery Network), and basic cloud computing services such as big data and an artificial intelligence platform.

In an alternative embodiment, terminal 101 may include, but is not limited to, a self-service terminal device, a desktop computer, a tablet computer, a notebook computer, a smart wearable device, and the like. Alternatively, the operating system running on the electronic device may include, but is not limited to, an android system, an IOS system, linux, windows, and the like. Of course, the terminal 101 is not limited to the above-mentioned electronic device having a certain entity, and may be software running in the above-mentioned electronic device.

In addition, it should be noted that, fig. 1 is only an application environment provided by the present disclosure, and in practical application, a plurality of terminals 101 may also be included, which is not limited in this specification.

Fig. 2 is a flowchart of a signature program encryption method provided by an embodiment of the present invention, where the method steps described in the examples or flowcharts are provided, but more or fewer steps may be included based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When a system or apparatus product in practice is executed, it may be executed sequentially or in parallel according to the method shown in the embodiments or the drawings. As shown in fig. 2, the method may include:

S201: acquiring a unique identifier of a signature program for a certain user;

s202: generating a first encryption key from the unique identifier;

s203: encrypting the target information of the signature program by using a preset second encryption key to obtain an encryption signature result; the target information comprises the first encryption key, a signature private key of the signature program and an operation log;

s204: encrypting the second encryption key by using the first encryption key to obtain an encrypted ciphertext;

s205: and forming the encrypted ciphertext, the encrypted signature result and the signature program after encrypting the target information into an encrypted signature program.

It may be understood that, in some embodiments, in order to ensure the running and use security of the signature program on the premise that the electronic device deployed with the signature program does not allow the peripheral, first obtain a unique identifier of the signature program for a certain user, for example, the unique identifier of the user may be a user PIN code or the like, so as to be used for characterizing the unique identity of the user, and for the signature program, the unique identifier is legal and safe, then generate a corresponding first encryption key according to the unique identifier, and encrypt target information of the signature program by using a preset second encryption key to obtain an encryption signature result, specifically, the target information includes the first encryption key, a signature private key of the signature program and an operation log, the signature private key may be constructed by using an SM2 cryptographic algorithm (asymmetric algorithm), the length of which is 32 bytes, and there is a corresponding public key for signing, on the one hand, the signature program which lacks target information cannot normally encrypt a data file, on the other hand, the whole signature program is encrypted with high encryption difficulty, high resources and high decryption cost, and because an attacker obtains the second encryption key, and then can encrypt the target information by using the second encryption key, and then use the second encryption key to encrypt the second encryption key, and the signature program, and the second encryption key is required to be encrypted by the second encryption key and the second encryption key is required to be encrypted by the second encryption key, and the second encryption key is required to be made to be encrypted by the second encryption key and the second encryption key is required to be encrypted by the second encryption key and the second encryption key.

Referring to fig. 3, in some embodiments, after obtaining the unique identifier of the signature program for a user, the method may further include:

S301: generating a device identification code corresponding to the unique identifier;

S302: judging whether the equipment identification code is in a preset equipment list or not;

S303: if the equipment identification code is not in the preset equipment list, the signature program encryption operation is terminated, and a security alarm is returned.

It will be appreciated that in some embodiments, after the unique identifier of a user is obtained by the signature program, it is determined whether the device that sends the unique identifier is in a preset security device, specifically, first, it needs to generate the device identifier of the device that sends the unique identifier, then determine whether the device identifier is in a preset device list, if the device identifier is in the preset device list, then continue the signature encryption operation, but if the device identifier is not in the preset device list, then indicate that the unique identifier is not sent by the security device, and there may be a security threat, so it is necessary to terminate the signature program encryption operation and return a security alarm.

Referring to fig. 4, in some embodiments, the preset list of devices is created using the following steps:

s401: acquiring hardware configuration information of a plurality of machines to be operated with signature programs;

s402: inserting a specific character string into a designated position of each piece of hardware configuration information to obtain corresponding piece of hardware configuration encryption information;

s403: inputting the hardware configuration encryption information into a preset national encryption algorithm, and generating a plurality of equipment identifiers corresponding to the machine;

s404: and establishing a preset equipment list according to the plurality of equipment identifiers.

It may be understood that in some embodiments, the preset device list includes one or more device identifiers, and is generated based on hardware configuration information of a machine to be operated with a signature program, specifically, the hardware configuration information is formed by splicing one or more of Mac address, CPU information, motherboard number, hard disk number, and the like according to a predetermined sequence, and is a segment of character string, and a specific character string, such as a logic code, is inserted again on the basis of the hardware configuration information, so as to perform preliminary encryption on the hardware configuration information to obtain corresponding hardware configuration encryption information, and then the irreversibility and security of the generated device identifier are ensured by using an irreversible state secret SM3 algorithm, so as to establish the preset device list. Further, when generating the device identifier corresponding to the unique identifier, a specific character string is first inserted into the hardware configuration information of the device that sends the unique identifier, and then the corresponding device identifier can be generated by using the cryptographic SM3 algorithm.

Further, in some embodiments, after establishing the device list, the method further includes:

It may be understood that in some embodiments, after each signing procedure signs a data file to be signed, a corresponding operation log may be generated, but only the signing procedure end records the risk that the operation log may be deleted or tampered, so that a fort machine is introduced to remotely manage a machine to be operated with the signing procedure, that is, in a specific network environment, in order to ensure that a network and data are not invaded and damaged by external and internal users, various technical means are used to monitor and record operation behaviors of operation and maintenance personnel on devices such as servers, network devices, security devices, databases and the like in the network, so as to centralize alarm, timely process and audit responsibility, and through the fort machine, the management log is recorded, the auditability and compliance of the operation log are ensured by the double-layer log record, and the protection of the operation log in the target information can be enhanced by checking the operation log and the management log.

Referring to fig. 5, in some embodiments, generating the first encryption key from the unique identifier may include:

S501: salt treatment is carried out on the unique identifier;

S502: and inputting the salt adding processing result into a preset national encryption algorithm to obtain the first encryption key.

It will be appreciated that in some embodiments, since the unique identifier is in plaintext, it needs to be encrypted, the unique identifier is primarily encrypted by salifying, and then the first encryption key can be obtained by using the cryptographic SM3 algorithm.

Referring to fig. 6, in some embodiments, the second encryption key may be obtained by:

S601: mixing and inserting preset random numbers and confusion factors;

s602: and inputting the mixed and interpenetrated result into a preset national encryption algorithm to obtain the second encryption key.

It may be understood that in some embodiments, the random number may be obtained by using an open-source random number generation model, for example, an open-source opensl, where the entropy source model is composed of a noise source, an optional adjustment component and a health test component, the generated random number conforms to an industry safety specification, the obfuscation factor is a string of a specific meaning, that is, a string of fixed strings hard-coded inside the program, which is used to make the mixed interleaving result and the second encryption key more random, and the interleaving manner may be to insert the obfuscation factor split into a specified location of the random number, and further, the preset second encryption key may be obtained by using the following manner:

second encryption key innerKey =sm3 (random number + confusion factor)

The random number is 16 bytes, and the second encryption key innerKey is 32 bytes, so that the function of a symmetric key is achieved, further, the research and development cost can be reduced by using the national encryption algorithm, and the compliance of the supervision requirements can be fully ensured.

Further, in some embodiments, encrypting the target information of the signature program with a preset second encryption key to obtain an encrypted signature result, further includes:

After the encrypted ciphertext and the encrypted signature result are returned, the method further comprises the following steps:

It will be appreciated that in some embodiments, the target information is encrypted using the second encryption key, and for the signature private key and the first encryption key, the following may be used:

signature private key ciphertext=sm4 (innerKey, signature private key)

First encryption key ciphertext=sm4 (innerKey, first encryption key)

Wherein innerKey is a second encryption key, and SM4 is a reversible cryptographic algorithm.

In some embodiments, for the oplog, the following may be used:

Operation log ciphertext=sm4 (innerKey, "time machine name operation action execution result")

Wherein innerKey is a second encryption key, the "time machine name operation action execution result" represents the basic content in the operation log, and SM4 is a reversible cryptographic algorithm. Further, in some embodiments, since the target information is further decrypted in the subsequent decryption process, an irreversible cryptographic algorithm such as SM3 algorithm is selected, but an SM4 algorithm is selected, and due to the setting of the cryptographic algorithm, the first encryption key ciphertext and the signature private key ciphertext are both 32 bytes, further, in some embodiments, each operation log ciphertext is usually generated and stored by using 128 bytes, but not limited to 128 bytes, which is not limited herein.

Based on the same inventive concept, referring to fig. 7, some embodiments of the present disclosure further provide a signature program decryption method, where the method includes:

S701: acquiring a unique identifier in an encrypted signature program, wherein the encrypted signature program comprises an encrypted ciphertext, an encrypted signature result and a signature program after encrypting target information;

s702: generating a first decryption key from the unique identifier;

s703: decrypting the encrypted ciphertext by using the first decryption key to obtain a second decryption key;

s704: partial decryption is carried out on the encryption signature result by utilizing the second decryption key, so as to obtain a first encryption key;

s705: verifying whether the first decryption key matches the first encryption key;

S706: and if the result is matched, performing full decryption on the encrypted signature result.

It may be understood that in some embodiments, the unique identifier in the encrypted signature program is first obtained, and a corresponding first decryption key is generated, the step of decrypting the encrypted ciphertext is only implemented on the premise that the unique identifier and the first decryption key are both correct, and the second decryption key is obtained.

Referring to fig. 8, in some embodiments, generating the first decryption key from the unique identifier may further include:

S801: acquiring a unique identifier of the non-encrypted signature program from the signature program after encrypting the target information;

s802: salt treatment is carried out on the unique identifier;

S803: and inputting the salt adding processing result into a preset national encryption algorithm to obtain the first decryption key.

It may be understood that in some embodiments, a user may log in a signature program after encrypting the target information indirectly through a fort machine, so that a unique identifier of the non-encrypted signature program is obtained in the signature program after encrypting the target information, in order to verify compliance of the obtained unique identifier, salt adding processing and preset cryptographic algorithm processing are required to be sequentially performed on the obtained unique identifier to obtain a first decryption key, and the unique identifier, the salt adding processing and the compliance of the preset cryptographic algorithm are verified through a decryption process of the first decryption key, so that once any link among the unique identifier, the salt adding processing and the preset cryptographic algorithm processing is found, a correct first decryption key cannot be obtained, thereby improving difficulty of cracking the first decryption key.

Further, in some embodiments, after fully decrypting the encrypted signature result, signing the target file with a signature private key of the signing program is further included.

It will be appreciated that in some embodiments, the signature private key of the signature program may be used to sign the target file only after the encrypted signature result is fully decrypted, otherwise the signature private key of the signature program may not be invoked to perform the signature operation.

Further, in order to make the person skilled in the art more aware of the present disclosure, a typical embodiment is presented herein, specifically, referring to fig. 9 and fig. 10, the first decryption key is obtained based on a unique identifier sent by a machine where a signature program is deployed and logged in by a user through indirect operation of a fort machine, in some embodiments, the unique identifier may be a PIN code, before obtaining the unique identifier, in some embodiments, the compliance of a device identifier of the machine where the signature program is deployed needs to be verified, for example, a device identifier constructed by using a MAC address or the like, and specifically, a precondition of verifying the device identifier is that hardware information such as a MAC address of the machine to be deployed is predetermined in a compiling stage, the machine to be deployed refers to the machine where the signature program is deployed, that is, the machine to be deployed is to be understood as a computer device or the like that is safe for current communication, after completing a compiling stage, the signature program (that is a client certificate signing tool) may be deployed into a specific machine, after completing the deployment, the user may remotely control the machine through the fort machine to implement the private key encryption operation and the signature program after completing the encryption. Further, in some embodiments, during decryption, the first decryption key needs to decrypt the encrypted ciphertext to obtain the second decryption key, specifically, the encrypted ciphertext stores the encrypted information of the second encryption key encrypted by using the first decryption key, the second decryption key (i.e., the second encryption key) can be obtained only when the first decryption key is consistent with the first encryption key, after the encrypted signature result is decrypted by using the second decryption key, the signature private key and the operation log can be further obtained only by checking the first encryption key stored in the encrypted signature result with the first decryption key, so that an attacker can directly obtain the signature private key and the operation log under the condition of cracking the second decryption key, and the attacker cannot obtain the signature private key and the operation log just by cracking the first decryption key.

It should be noted that although the operations of the method of the present invention are described in a particular order in the above embodiments and the accompanying drawings, this does not require or imply that the operations must be performed in the particular order or that all of the illustrated operations be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.

In correspondence to the signature program encryption method described above, some embodiments of the present disclosure further provide a signature program encryption apparatus, referring to fig. 11, in some embodiments, the apparatus may include:

An obtaining module 1101, configured to obtain a unique identifier of a signature program for a certain user;

an encryption key generation module 1102, configured to generate a first encryption key according to the unique identifier;

An information encryption module 1103, configured to encrypt the target information of the signature program with a preset second encryption key, so as to obtain an encrypted signature result; the target information comprises the first encryption key, a signature private key of the signature program and an operation log;

A key encryption module 1104, configured to encrypt the second encryption key with the first encryption key to obtain an encrypted ciphertext;

a forming module 1105, configured to form the encrypted ciphertext, the encrypted signature result, and the signature program after encrypting the target information into an encrypted signature program.

In correspondence to the signature program decryption method described above, some embodiments of the present disclosure further provide a signature program decryption apparatus, as shown in fig. 12, and in some embodiments, the apparatus may include:

A receiving module 1201, configured to obtain a unique identifier in an encrypted signature program, where the encrypted signature program includes an encrypted ciphertext, an encrypted signature result, and a signature program after encrypting target information;

a decryption key generation module 1202 for generating a first decryption key from the unique identifier;

a decryption module 1203, configured to decrypt the encrypted ciphertext using the first decryption key to obtain a second decryption key;

The partial decryption module 1204 is configured to perform partial decryption on the encrypted signature result by using the second decryption key, so as to obtain a first encryption key;

A verification module 1205 for verifying whether the first decryption key matches the first encryption key;

the full decryption module 1206 is configured to fully decrypt the encrypted signature result if the encrypted signature results match.

For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present specification.

In the embodiments of the present disclosure, the user information (including, but not limited to, user device information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) are information and data that are authorized by the user and are sufficiently authorized by each party.

Embodiments of the present description also provide a computer device. As shown in fig. 13, in some embodiments of the present description, the computer device 1302 may include one or more processors 1304, such as one or more Central Processing Units (CPUs) or Graphics Processors (GPUs), each of which may implement one or more hardware threads. The computer device 1302 may also include any memory 1306 for storing any kind of information, such as code, settings, data, etc., and in a particular embodiment, a computer program on the memory 1306 and executable on the processor 1304, which when executed by the processor 1304, may perform the instructions of the method described in any of the embodiments above. For example, and without limitation, memory 1306 may include any one or more of the following combinations: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any memory may store information using any technique. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent fixed or removable components of computer device 1302. In one case, when the processor 1304 executes associated instructions stored in any memory or combination of memories, the computer device 1302 can perform any of the operations of the associated instructions. The computer device 1302 also includes one or more drive mechanisms 1308 for interacting with any memory, such as a hard disk drive mechanism, optical disk drive mechanism, and the like.

Computer device 1302 can also include an input/output interface 1310 (I/O) for receiving various inputs (via input device 1312) and for providing various outputs (via output device 1314). One particular output mechanism may include a presentation device 1316 and an associated graphical user interface 1318 (GUI). In other embodiments, input/output interface 1310 (I/O), input device 1312, and output device 1314 may not be included, but merely as a computer device in a network. Computer device 1302 can also include one or more network interfaces 1320 for exchanging data with other devices via one or more communication links 1322. One or more communication buses 1324 couple the above-described components together.

The communication link 1322 may be implemented in any manner, for example, through a local area network, a wide area network (e.g., the internet), a point-to-point connection, etc., or any combination thereof. Communication link 1322 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), computer-readable storage media and computer program products according to some embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processor to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processor, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processor to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processor to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In a typical configuration, a computer device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.

Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computer device. Computer readable media, as defined in the specification, does not include transitory computer readable media (transmission media), such as modulated data signals and carrier waves.

It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the present specification embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present description embodiments may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

The present embodiments may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processors that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.

It should also be understood that, in the embodiments of the present specification, the term "and/or" is merely one association relationship describing the association object, meaning that three relationships may exist. For example, a and/or B may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.

In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.

In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the embodiments of the present specification. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.

The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims

1. A method of signing program encryption, the method comprising:

acquiring a unique identifier of a signature program for a certain user;

Generating a first encryption key from the unique identifier;

2. The method of claim 1, further comprising, after obtaining the unique identifier of the signature program for the user:

Generating a device identification code corresponding to the unique identifier;

3. The method of claim 2, wherein the predetermined list of devices is created by:

4. A method according to claim 3, further comprising, after establishing the list of devices:

5. The method of claim 1, wherein generating a first encryption key from the unique identifier comprises:

salt treatment is carried out on the unique identifier;

6. The method according to claim 1, wherein the second encryption key is obtained by:

mixing and inserting preset random numbers and confusion factors;

7. The method of claim 6, wherein encrypting the target information of the signing process with a predetermined second encryption key results in an encrypted signing result, further comprising,

8. The method of claim 7, wherein encrypting the target encryption information using the second encryption key, after obtaining the encrypted signature result, further comprises:

9. The method of claim 1, further comprising, after returning the encrypted ciphertext and encrypted signature result:

10. A signature program decryption method, the method comprising:

Generating a first decryption key from the unique identifier;

verifying whether the first decryption key matches the first encryption key;

11. The method of claim 10, wherein generating a first decryption key from the unique identifier, further comprises:

salt treatment is carried out on the unique identifier;

12. The method of claim 10, further comprising, after fully decrypting the encrypted signature result, signing the target file with a signature private key of the signing program.

13. A signature program encryption apparatus, characterized in that the apparatus comprises:

14. A signature program decrypting apparatus, characterized in that the apparatus comprises:

15. A computer device comprising a memory, a processor, and a computer program stored on the memory, characterized in that the computer program, when being executed by the processor, performs the instructions of the method according to any of claims 1-12.

16. A computer storage medium having stored thereon a computer program, which, when executed by a processor of a computer device, performs the instructions of the method according to any of claims 1-12.