Search

CN-122027138-A - Web application dynamic key encryption method based on SM3 and SM4

CN122027138ACN 122027138 ACN122027138 ACN 122027138ACN-122027138-A

Abstract

The invention relates to a Web application dynamic key encryption method based on SM3 and SM4, which relates to the technical field of data security, and the method generates a dynamic symmetric key cooperatively at the front end and the rear end, generates a key seed by using an SM3 hash algorithm, and encrypts and transmits sensitive data by combining with an SM4 symmetric encryption algorithm, so that the key is not hard coded and transmitted, meets the requirements of national regulations, and each time the session key dynamically changes, can be completely supported by domestic algorithm, has simple and efficient encryption and decryption processes, does not need a complex certificate system or public key infrastructure, only needs synchronous key generation rules at the front end and the rear end, is suitable for offline or weak network environments, does not depend on real-time network verification, can be used for offline or weak network environments such as an intranet, a government private network and the like, can effectively prevent the replay of historical data by introducing factors such as date and time stamps, thereby effectively preventing the sensitive data from being stolen or tampered in the transmission process, and improving the overall security protection capability of the Web application.

Inventors

  • LI XIN
  • Qiao Zhicheng

Assignees

  • 北京国泰网信科技股份有限公司
  • 成都国泰网信科技有限公司

Dates

Publication Date
20260512
Application Date
20260228

Claims (8)

  1. 1. The Web application dynamic key encryption method based on SM3 and SM4 is characterized by comprising the following steps: S1, a key dynamic generation mechanism is used for acquiring a fixed factor and a dynamic factor in a system and generating a defined key based on the joint participation calculation of the fixed factor and the dynamic factor; S2, a front-end data encryption flow is based on a fixed factor and a dynamic factor, dynamic keys are spliced and calculated according to a stipulated rule, and sensitive data plaintext is encrypted by using an SM4 algorithm to obtain encrypted secret; s3, a back-end data decryption flow is that a fixed factor and a dynamic factor are acquired again, after the secret key is spliced and calculated according to the same rule, a ciphertext is decrypted by using an SM4 algorithm, and a decrypted plaintext is obtained; S4, a security enhancement mechanism, namely introducing a time stamp and a random number as additional factors to prevent replay attack.
  2. 2. The Web application dynamic key encryption method based on SM3 and SM4 according to claim 1, wherein the fixed factor in S1 is a constant parameter preset by a system, including a system name, a module identifier and a current date; the dynamic factors are publicable attribute data input by a user; the specific key generation formula is as follows: Key=Substr(SM3(FF1+FF2+...+DF1+DF2+...),n,16) SM3 (the term.) is to perform SM3 hash operation on the spliced character strings and output 256-bit abstracts; Substr (..n, 16) is to intercept the first 16 bytes of the hash value as an SM4 encryption key, n represents the start coordinate, and the value is 0-15; all factors are spliced in a defined order and encoded using UTF-8.
  3. 3. The Web application dynamic key encryption method based on SM3 and SM4 as claimed in claim 1, wherein the specific process of obtaining the fixed factor and the dynamic factor in the system in S1 is as follows: s11, obtaining a fixed factor path comprises the following steps: hardware fingerprint extraction, namely collecting specific hardware information of a server side; presetting a confusion salt value, namely in the system initialization stage, generating a globally unique random character string by the rear end and storing the globally unique random character string in a security configuration module; application metadata including a unique identifier of the Web application; S12, the dynamic factor refers to a parameter which changes with time and session state in real time, is used for ensuring the one-time pad characteristic of the secret key, and comprises the following steps: capturing a unique identifier of a current HTTP session; A time stamp is used for acquiring high-precision system time; client environment parameters, namely partial characteristics of browser fingerprints and temporary Token of a current login user; s13, after the bottom layer interface is called to obtain the original data, formatting processing is carried out to eliminate the data difference among different hardware platforms; S14, according to a preset rule, the fixed factors and the dynamic factors are arranged and combined.
  4. 4. The Web application dynamic key encryption method based on SM3 and SM4 according to claim 1, wherein the front end in S2 performs the following operations before submitting the sensitive data: s21, collecting fixed factors and dynamic factors; S22, splicing and calculating a dynamic Key Key according to a rule; S23, encrypting the sensitive data plaintext by using an SM4 algorithm: Ciphertex=sm4_encrypt (Key, plantext), where plantext is the Plaintext of the sensitive data; s24, submitting the encrypted key Ciphertex and other non-sensitive fields to the back end.
  5. 5. The Web application dynamic key encryption method based on SM3 and SM4 as claimed in claim 1, wherein the following operations are performed after the back end in S3 receives the request: S31, submitting from the front end, and acquiring corresponding dynamic factors from a database and a context; S32, acquiring a system-level fixed factor, wherein the system-level fixed factor comprises a system name and a current date; S33, splicing and calculating a Key Key according to the same rule; s34, decrypting the ciphertext by using an SM4 algorithm; Plaintext=SM4_Decrypt(Key,Ciphertext) s35, the decrypted plaintext is used for subsequent business processing.
  6. 6. The Web application dynamic key encryption method based on SM3 and SM4 according to claim 1, wherein the security enhancement mechanism further comprises: the back end carries out log record and alarm on key calculation failure and decryption abnormality; The front end uses obfuscation techniques to protect the core encryption logic.
  7. 7. The Web application dynamic key encryption method based on SM3 and SM4 as claimed in claim 1, wherein the specific procedure of how to execute the security enhancement mechanism is as follows: S41, the client acquires a current Unix timestamp as an additional factor T at the moment of initiating an encryption request, wherein the additional factor T is used for limiting the life cycle of a ciphertext; s42, the client generates a random number with 16 bits and more as an additional factor R, wherein the additional factor R is used for ensuring that even two requests generated in the same second are completely different in encryption input stream, so that uniqueness is realized; S43, taking the additional factors T and R as the complements of dynamic factors, inputting the complements of dynamic factors into an SM3 algorithm, and generating an SM4 key with instantaneity; s44, as a plaintext load, splicing the additional factor T and the additional factor R to the original plaintext data P to form a new block P' to be encrypted; s45, after decryption, the back end executes the following verification logic: The back end obtains the current server time Ti, calculates |Ti-T| < deltat, and if deltat exceeds a preset threshold, determines that the request is an expiration request and directly discards the request; The rear end maintains a random number buffer pool, and if the solved random number R exists in the buffer pool, the replay attack is judged; if not, the request is processed and the random number R is stored in the cache.
  8. 8. The Web application dynamic key encryption method based on SM3 and SM4 as claimed in claim 1, wherein a set of factor mapping tables is agreed in advance between the front end and the back end before S1 is executed, and the specific process is as follows: S01, defining a standardized factor library, and distributing a unique identification index for each factor, wherein in order to prevent the mapping rule from being fixed, in a handshake message of session initialization, a factor mapping instruction set of the session is dynamically generated by a back end: Generating an instruction, namely generating a random permutation and combination at the back end; The safe issuing, wherein the instruction set is issued to the front end through an HTTPS safe channel, and the front end extracts corresponding factors from the local environment according to the instruction set; s02, a refinement processing rule of a front-end and back-end pre-agreed factor comprises the following steps: Intercepting rules, which bits of the extraction factor character string are specified; A conversion rule, which prescribes the coding mode after factor extraction; The sequencing algorithm is used for defining the sequence of factor splicing and ensuring that the original character strings are completely consistent when the SM3 hash function is input; S03, a user accesses the Web application, the front end initiates an initialization request, and the rear end randomly selects n fixed factors and m dynamic factors to generate a unique mapping mask of the session; S04, after the front end receives the mapping mask, calling an internally defined factor analysis engine, acquiring environmental parameters according to a path pointed by the mask, transmitting certain characteristics of the factors to the rear end by the front end for comparison, and formally starting key generation logic in S1 if the fingerprints are consistent.

Description

Web application dynamic key encryption method based on SM3 and SM4 Technical Field The invention relates to the technical field of data security, in particular to a Web application dynamic key encryption method based on SM3 and SM 4. Background With the wide popularization of internet applications, web applications are bearing more and more core business functions in the fields of government affairs, finance, medical treatment and the like, and user sensitive information (such as login passwords, identification card numbers, bank card numbers and the like) is frequently transmitted between a front end and a back end. Such data is extremely vulnerable to security threats if no effective encryption measures are taken. The common front-end data protection mode in the prior art mainly comprises the following steps: the plaintext transmission is that the data is directly submitted in a plaintext form, the safety is extremely low, and the data is eliminated by the modern safety standard; the coding protection is that Base64 coding or hexadecimal coding is adopted to carry out 'confusion' on data, but the method is not encryption, only changes the data representation form, and cannot resist decoding attack; The fixed key encryption is that a preset fixed symmetric key (such as an AES key) is used for encrypting the data, but the key is hard-coded in a front-end code and is easy to be obtained by reverse analysis, so that the security is poor; asymmetric encryption, namely encryption by adopting public key algorithms such as RSA and the like, can avoid the exposure of a key, but has the problems of high performance overhead, complex key management and the like, and the front-end JavaScript implementation is easy to be attacked by a side channel. In addition, most of the methods are not combined with a domestic cryptographic algorithm system, and under the background of 'autonomous and controllable, safe and reliable' advocated by the country, effective support for a national cryptographic algorithm (SM 2/SM3/SM 4) is lacking; In view of the technical drawbacks described above, solutions are now proposed. Disclosure of Invention The invention aims to ensure the security of the transmission of sensitive data such as user passwords, identity information and the like between the front end and the back end under the off-line or unreliable network environment. In order to achieve the purpose, the invention adopts the following technical scheme that the Web application dynamic key encryption method based on SM3 and SM4 comprises the following steps: S1, a key dynamic generation mechanism is used for acquiring a fixed factor and a dynamic factor in a system and generating a defined key based on the joint participation calculation of the fixed factor and the dynamic factor; S2, a front-end data encryption flow is based on a fixed factor and a dynamic factor, dynamic keys are spliced and calculated according to a stipulated rule, and sensitive data plaintext is encrypted by using an SM4 algorithm to obtain encrypted secret; s3, a back-end data decryption flow is that a fixed factor and a dynamic factor are acquired again, after the secret key is spliced and calculated according to the same rule, a ciphertext is decrypted by using an SM4 algorithm, and a decrypted plaintext is obtained; S4, a security enhancement mechanism, namely introducing a time stamp and a random number as additional factors to prevent replay attack. Further, the fixed factor in the S1 is a constant parameter preset by the system, including a system name, a module identifier and a current date; the dynamic factors are publicable attribute data input by a user; the specific key generation formula is as follows: Key=Substr(SM3(FF1+FF2+...+DF1+DF2+...),n,16) SM3 (the term.) is to perform SM3 hash operation on the spliced character strings and output 256-bit abstracts; Substr (..n, 16) is to intercept the first 16 bytes of the hash value as an SM4 encryption key, n represents the start coordinate, and the value is 0-15; all factors are spliced in a defined order and encoded using UTF-8. 2. Further, the specific process of obtaining the fixed factor and the dynamic factor in the system in S1 is as follows: s11, obtaining a fixed factor path comprises the following steps: collecting specific hardware information of a server end, such as a CPU serial number, a network card MAC address or a motherboard UUID; presetting a confusion salt value, namely in the system initialization stage, generating a globally unique random character string by the rear end and storing the globally unique random character string in a security configuration module; application metadata including a unique identifier of the Web application; S12, the dynamic factor refers to a parameter which changes with time and session state in real time, is used for ensuring the one-time pad characteristic of the secret key, and comprises the following steps: capturing a unique identifier of a curren