
CN-120934807-B - Data encryption and decryption method for enterprise identity authentication


Abstract

The invention discloses a data encryption and decryption method for enterprise identity authentication, in the field of data encryption and decryption. The method comprises the steps of a user terminal identifying an accessed UKey in the current session and completing device initialization, establishing a session channel based on the current user terminal and the UKey, and writing state information into the session channel, wherein the state information comprises a user terminal identifier, a session context and the UKey identifier. By introducing multi-source state abstract construction, countermeasure consistency verification and a credibility scoring mechanism before the key is called, key use behaviour is bound to context states generated in real time, so that deep decoupling and dynamic rebinding between identity authentication and decryption actions are realized, the static inheritance path of the authentication state is blocked, the terminal's hijacking resistance and data access isolation precision are improved, and the risks of data leakage and permission abuse caused by the continued exposure of keys after authentication in a traditional structure are solved.

Inventors

  • LUO XIN
  • ZHU CHUAN

Assignees

  • 南京银辉信息科技有限公司

Dates

Publication Date
2026-05-08
Application Date
2025-08-05

Claims (6)

  1. A data encryption and decryption method for enterprise identity authentication comprises the following steps: S1, a user terminal identifies an accessed UKey in a current session and completes equipment initialization, a session channel is established based on the current user terminal and the UKey, and state information is written into the session channel, wherein the state information comprises a user terminal identifier, a session context and a UKey identifier; S2, calling authentication identification information and authentication key information stored in the UKey through the session channel, after a user inputs an identity password, sending the authentication identification information to a server, after the server passes verification, generating an authentication credential based on a terminal identification, a timestamp and the identification of the current session channel, and returning the authentication credential to the user terminal; the method is characterized in that: S3, after the authentication credentials are returned, the user terminal extracts the session context from the current session channel, records user interaction records and collects relevant parameters of the terminal environment, respectively generates a corresponding context abstract, an interaction abstract and a terminal environment abstract as state abstracts, and writes the state abstracts into a state buffer area of the UKey; S4, when a user initiates a decryption request, regenerating a state abstract to be compared by the user terminal according to the session context of the current page and the related parameters of the user interaction record and the terminal environment, and carrying out a consistency check on the state abstract to be compared and the original state abstract; S5, when the consistency verification is established, the decryption key information in the UKey is called to execute the decryption operation on the target ciphertext data, and if verification fails, the decryption operation is refused and an authentication failure prompt is returned.
  2. The method for encrypting and decrypting the data for the identity authentication of the enterprise according to claim 1, wherein the method comprises the following steps: In S1, after a user terminal completes identification and initialization of an accessed UKey, establishing a communication relationship based on the user terminal identification and the UKey identification, generating a session channel identification with the same structure, and initializing a data structure of a session channel by the channel identification; After the session channel is initialized, the user terminal identification, the session context and the UKey identification are encoded and sorted according to a preset field sequence to construct state information, and the state information is embedded into a corresponding state field position in a data structure of the session channel; After the writing of the state information is completed, the state field is bound to a corresponding area of the session channel and used as an associated index of the identity authentication behavior and the key request behavior, and the associated index is used for referring to the corresponding state information to realize the authentication state tracing when the decryption request passes through the session channel.
  3. The method for encrypting and decrypting the data for the identity authentication of the enterprise according to claim 2, wherein the method comprises the following steps: In S2, after the establishment of the session channel is completed, accessing the accessed UKey through the session channel by the user terminal, and calling authentication identification information and authentication key information pre-stored in the UKey to execute authentication data reading operation, wherein the authentication identification information comprises a unique identification field corresponding to an enterprise and is used for identifying the user identity; After the authentication data is read, receiving an identity password input by a user, unlocking and checking the authentication key information, and after the authentication key information passes the unlocking and checking, jointly packaging the authentication identification information and the current terminal identification to form an authentication request message; The authentication request message is sent to a server side through the session channel, the server performs matching verification on the authentication identification information, and after verification, an authentication credential is generated based on a terminal identification, a time stamp and the identification of the current session channel; after the authentication credentials are generated, the authentication credentials are returned to the user terminal through the original channel and stored in the terminal local cache area.
  4. The method for encrypting and decrypting the data for the identity authentication of the enterprise according to claim 3, wherein the method comprises the following steps: In the S3, in the authentication credentials After returning, the user terminal extracts three input sequences from the current session channel, namely session context sequences User interaction recording sequence And terminal context sequence Splicing the three input sequences into an initial state tensor : ; Constructing a first countermeasure phase of S3: initializing a counter-sub-structure by perturbing a network For a pair of Adding Gaussian disturbance Generating a pseudo-state tensor As an countermeasure structure: ; executing countermeasure discrimination cycles, building a state discriminator Comparing initial state tensors And pseudo state tensor Consistency scoring of (C) : ; Definition of the definition For a preset consistency threshold, if Then resampling and reconstruction of the Gaussian disturbance is performed to regenerate a new one And iteratively construct new Definition of Representing a new , Represent the first The covariance matrix used in the wheel disturbance samples, Representing the current challenge generation process The round iteration index, expressed as: ; otherwise, the second countermeasure phase of S3 is shifted to: In the second countermeasure phase of S3, a digest-generating function is constructed For a pair of Performing multi-headed segmentation mapping to extract context abstract Interactive abstract Terminal environment abstract Merging into a final state summary : ; Reliability detection, constructing a reliability verifier Calculating a confidence score : ; Definition of the definition Is a preset credibility score threshold value, if Then the state abstract fails the binding verification, and then the execution is re-executed Up to Status abstract that will pass verification Writing into a state buffer area of the UKey, and taking the state abstract as a current authentication credential Is a unique state binding structure of (1); Wherein the method comprises the steps of To combat the disturbance vector; representing a mean value of 0 and a covariance matrix of 0 Multi-dimensional Gaussian disturbance of (1) Representing a pair of opposing disturbance vectors Obeying the mean value to be 0 and the covariance matrix to be 0 Is a multi-dimensional gaussian distribution of (c).
  5. The method for encrypting and decrypting the data for the identity authentication of the enterprise according to claim 4, wherein the method comprises the following steps: In the step S4, at the moment when the user terminal receives the decryption request, the session context of the page at the current moment, the related parameters of the user interaction record and the terminal environment are collected, and the session context abstract, the user interaction abstract and the terminal environment abstract to be compared are respectively constructed through the context abstract generating function, the interaction abstract generating function and the terminal environment abstract generating function; sequentially inputting three digests to be compared into a digest generation function In (1) at the point in time To be compared, state abstract of (c) : ; Wherein, the Is shown at the time point Collected ; Is shown at the time point Collected ; Is shown at the time point Collected ; Representing the number of partial nested fragments segmented in the generation of the state abstract; an index representing the local segment; Represent the first Attention weighting coefficients of the individual local segments; Is a multi-layer perceptron; Represent the first Splicing three abstracts to be compared in the partial fragments to form unified input; synchronous call from UKey And abstracts the state to be compared And (3) with Input to a state discriminator In (3) passing state discriminator Outputting the preliminary consistency marking result : ; If the preliminary consistency marking results Continue to And disturbance generating network Multiple groups of disturbance state abstracts generated Together with the trust verifier Stability verification and credibility verifier Output value of (2) The method meets the following conditions: ; Wherein the method comprises the steps of Represent the first Generating a network from the disturbance The generated disturbance state abstract; Representing these disturbance state abstractions is by disturbance generating networks Generating; Indicating that this is the first A plurality of disturbance samples; representing a set of perturbation state summaries, from 1 st to 1 st And (3) co- A disturbance state abstract; representing the total number of perturbed samples; Wherein the method comprises the steps of Mean vectors representing summaries of all disturbance states; Representation of Mapping weight matrix of (2), dimension is Wherein For the dimension of the state abstract, Is the dimension of the middle hidden layer; Representation of Mapping weight matrix of (2), dimension is ; A scoring vector representing a transposed version of the confidence output, the dimension being ; Definition of the definition For presetting the credibility threshold value, if The current request is determined to be in a valid authentication state, the execution of the subsequent key invoking step is allowed, if so If the trusted state is not established, rejecting the key call and returning authentication failure prompt information; If the preliminary consistency marking results And rejecting the state consistency check, directly blocking the decryption flow, and considering the current request as an untrusted request.
  6. The method for encrypting and decrypting the data for the identity authentication of the enterprise according to claim 5, wherein the method further comprises the following step: S6, when the decryption operation is finished, writing the key use behavior and the associated state abstract into a log of the user terminal, and synchronously uploading the key use behavior and the associated state abstract to an audit module of the server through the session channel.
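As an added illustration of the flow in claims 1 to 6 (and of the same S1 to S4 steps restated in the Description below), the following Python is not the patent's own code nor an implementation by the assignee. It models the session channel, the server-issued credential, the three state abstracts written to the UKey's state buffer, the consistency check before every key call, and the audit record after a key use. Plain SHA-256 hashes stand in for the learned digest-generating function, discriminator and credibility scorer of claims 4 and 5, a toy XOR stream cipher stands in for the UKey's RSA key, and every identifier, parameter and sample value is constructed for the example.

```python
"""Toy model of UKey-bound state-digest checking before each key call.

Assumptions (not from the patent): SHA-256 digests replace the learned
digest/discriminator/scorer, a keystream-XOR toy cipher replaces RSA,
and all ids and sample values below are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field


def _sha256(*parts: str) -> str:
    """Length-safe digest of a text sequence (stand-in 'abstract' function)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.encode())
        h.update(b"\x00")
    return h.hexdigest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: SHA-256 keystream XOR (encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class UKey:
    ukey_id: str
    auth_id: str            # enterprise-unique identification field (S2)
    pin: str                # identity password that unlocks the key (S2)
    dec_key: bytes          # decryption key material held on the token
    state_buffer: dict = field(default_factory=dict)   # written in S3

    def unlock(self, pin: str) -> bool:
        return hmac.compare_digest(self.pin, pin)


@dataclass
class SessionChannel:
    terminal_id: str
    session_context: str
    ukey_id: str
    channel_id: str = ""

    def __post_init__(self):
        # S1: channel id derived from the terminal id and the UKey id
        self.channel_id = _sha256("channel", self.terminal_id, self.ukey_id)[:16]


class Server:
    def __init__(self, registered: dict):
        self.registered = registered        # auth_id -> enterprise record
        self.secret = os.urandom(32)        # credential MAC key (constructed)
        self.audit_log = []                 # audit module (S6)

    def authenticate(self, auth_id, terminal_id, channel_id, ts=None):
        """S2: verify the identification, issue a credential bound to
        terminal id, timestamp and session channel id."""
        if auth_id not in self.registered:
            return None
        ts = int(time.time()) if ts is None else ts
        msg = f"{terminal_id}|{ts}|{channel_id}".encode()
        return hmac.new(self.secret, msg, "sha256").hexdigest()


def state_digest(session_context: str, interactions: list, env: dict) -> dict:
    """S3/S4: context, interaction and environment abstracts merged into one."""
    ctx = _sha256("ctx", session_context)
    inter = _sha256("inter", *interactions)
    envd = _sha256("env", *(f"{k}={v}" for k, v in sorted(env.items())))
    return {"context": ctx, "interaction": inter, "environment": envd,
            "state": _sha256("state", ctx, inter, envd)}


def bind_state(ukey, credential, session_context, interactions, env):
    """S3: write the state abstract next to the credential in the UKey."""
    ukey.state_buffer = {"credential": credential,
                         **state_digest(session_context, interactions, env)}


def request_decrypt(ukey, server, channel, ciphertext,
                    session_context, interactions, env):
    """S4/S5/S6: regenerate, compare, decrypt only on match, then audit."""
    if not ukey.state_buffer:
        return False, "no bound state"
    now = state_digest(session_context, interactions, env)
    if not hmac.compare_digest(now["state"], ukey.state_buffer["state"]):
        server.audit_log.append(("refused", channel.channel_id, now["state"]))
        return False, "authentication failure"
    plaintext = _keystream_xor(ukey.dec_key, ciphertext)
    server.audit_log.append(("decrypt", channel.channel_id, now["state"]))
    return True, plaintext


def run_scenario():
    """Legitimate call succeeds; same UKey with a changed OS user is refused."""
    ukey = UKey("UK-01", "ENT-0001", "1234", os.urandom(32))   # constructed
    server = Server({"ENT-0001": "example enterprise"})
    channel = SessionChannel("TERM-A", "page=/finance/report", ukey.ukey_id)
    assert ukey.unlock("1234")
    cred = server.authenticate(ukey.auth_id, channel.terminal_id, channel.channel_id)
    interactions = ["click:open-report", "scroll:120"]
    env = {"os_user": "alice", "browser": "firefox-128", "ip": "10.0.0.5"}
    bind_state(ukey, cred, channel.session_context, interactions, env)
    ciphertext = _keystream_xor(ukey.dec_key, b"quarterly figures")
    legit = request_decrypt(ukey, server, channel, ciphertext,
                            channel.session_context, interactions, env)
    changed = request_decrypt(ukey, server, channel, ciphertext,
                              channel.session_context, interactions,
                              dict(env, os_user="mallory"))
    return {"legit": legit, "changed_env": changed, "audit": server.audit_log}


if __name__ == "__main__":
    print(run_scenario())
```

The check that matters is in `request_decrypt`: the key on the token is never used until the freshly regenerated abstract matches the one bound at authentication time, so a session whose context or environment has drifted (here a different OS user) is refused and the refusal itself lands in the audit log.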

Description

Data encryption and decryption method for enterprise identity authentication

Technical Field

The invention relates to the technical field of data encryption and decryption, in particular to a data encryption and decryption method for enterprise identity authentication.

Background

In an enterprise identity authentication and data encryption and decryption system based on a UKey, a typical execution flow is that after a user inserts the UKey into a terminal and completes identity authentication, the system sends identity information such as a CN number to a server for comparison and confirmation, and the RSA private key in the UKey can then be used to execute decryption operations once authentication has passed. The key is activated by default and kept available once authentication succeeds, and the system establishes no real-time verification mechanism or context constraint on key-calling behaviour, so the decryption permission granted by an authentication stays on the local terminal for the whole session. This forms persistent permission retention and a static inheritance of the authentication state, which is difficult to defend against sudden session hijacking or context-transfer attacks.

Under an actual attack scenario, if the terminal environment suffers script injection, remote control, user switching, sandbox escape or the like, an attacker can call the key illegitimately without re-authentication and perform data decryption, sensitive-information extraction or cross-session authority abuse. Such behaviour bypasses the original authentication protection and breaks the control boundary of the decryption action, so that the protection of the data is reduced to that of the terminal itself. In enterprise scenarios in particular, where several users share a login device or reach back-office systems through browser plug-ins, a structure that keeps the key available by default greatly enlarges the risk of data leakage once the node is compromised.

It can therefore be seen that the prior art applies no dynamic constraint or real-time identity association control to the decryption authority, so the secret key remains exposed on the terminal long after authentication, affecting both terminal security and the node-level data access isolation policy.

Disclosure of Invention

In order to overcome the defects of the prior art, the embodiment of the invention provides a data encryption and decryption method for enterprise identity authentication, in which multi-source state abstract construction, countermeasure consistency verification and a credibility scoring mechanism are introduced before key invocation and key use behaviours are bound to context states generated in real time, so that deep decoupling and dynamic rebinding between identity authentication and decryption actions are realized, static inheritance paths of authentication states are blocked, the hijacking resistance and data access isolation precision of the terminal are improved, and the problems of data leakage and authority abuse caused by the continued exposure of keys after authentication in a traditional structure are solved.

In order to achieve the above purpose, the invention provides a data encryption and decryption method for enterprise identity authentication, which comprises the following steps: S1, a user terminal identifies an accessed UKey in a current session and completes equipment initialization, a session channel is established based on the current user terminal and the UKey, and state information is written into the session channel, wherein the state information comprises a user terminal identifier, a session context and a UKey identifier; S2, calling authentication identification information and authentication key information stored in the UKey through the session channel, after a user inputs an identity password, sending the authentication identification information to a server, after the server passes verification, generating an authentication credential based on a terminal identification, a timestamp and the identification of the current session channel, and returning the authentication credential to the user terminal; S3, after the authentication credentials are returned, the user terminal extracts the session context from the current session channel, records user interaction records and collects relevant parameters of the terminal environment, respectively generates a corresponding context abstract, an interaction abstract and a terminal environment abstract as state abstracts, and writes the state abstracts into a state buffer area of the UKey; S4, when a user initiates a decryption request, regenerating a state abstract to be compared by the user terminal according to the session context of the current page and the related parameters of the user interaction re