Background technology
Along with popularizing of handheld mobile device, need on handheld device, the demand of the storage customizing messages of safety grow with each passing day.Because the restriction of the cost of handheld device is relatively stricter usually, and the people that easier quilt is held various purposes obtains, and disassembles.So, current a kind of economy of market exigence, local data secure memory techniques efficiently.
Development along with symmetric cryptography, the DES data encryption standard algorithm is because key length less (56), incompatible current distributed type open network is to the requirement of data cryptographic security, therefore 1997 USA National Institute of Standard and Technology (NIST) new data encryption standards, i.e. AES are disclosed.This algorithm will become the new data encryption standards of the U.S. and be widely used in the every field.AES has converged strong security, high-performance, high-level efficiency, advantage such as easy-to-use and flexible as the data encryption standards of a new generation.The AES design has three key lengths: 128,192,256, comparatively speaking, 128 keys of AES are stronger 1021 times than 56 keys of DES.Aes algorithm mainly comprises three aspects: wheel variation, the number of turns and cipher key spreading.
Hash algorithm is also referred to as hashing algorithm or message digest (digital digest).Hash algorithm is converted into regular length character sequence with data with arbitrary length.Hash result ties up one all the time.The Hash result of any two sequences is different.Hash result also is called digital finger-print (FingerPrint), and it has fixing length, and identical plaintext summary must be consistent.This string summary makes and can become whether the checking plaintext has been " fingerprint " of " original appearance " like this.
Summary of the invention
Technical matters to be solved by this invention provides a kind of data security storage means, and it can effectively guarantee the security of mobile device stored information.
In order to solve above technical matters, the invention provides a kind of data security storage means, when encrypting, may further comprise the steps: step 1, generation random number; Step 2, random number is carried out HASH conversion; Result after step 3, the use HASH conversion carries out AES to the needs ciphered data and encrypts as key; Step 4, original data plaintext and the AES key of destruction.
Beneficial effect of the present invention is: because the key that carries out the AES encryption and decryption that HASH of the present invention crosses can not be kept at client in any form, all can generate when need carry out encryption and decryption at every turn temporarily, and instant destruction after the encryption and decryption computing.So just farthest guaranteed the security of mobile device stored information.
The present invention also provides a kind of data security storage means, may further comprise the steps when being decrypted: step 1, generation random number; Step 2, random number is carried out HASH conversion; Result after step 3, the use HASH conversion carries out the AES deciphering as key to the needs decrypted data; Step 4, original data plaintext and the AES key of destruction.
Embodiment
At first, with all the information bursts that need preserve, then the information of burst is carried out the AES symmetric cryptography.And the password that AES encrypts is to obtain afterwards according to some the specific automated randomized generations of exclusive information of client and the HASH processing of process hardware HASH chip.The generting machanism of this random number has guaranteed that the random key of each client generation is neither identical.This random coded will be kept at client, use when having got inferior the deciphering ready.Client will trigger according to certain rule, generate new random number.The key that carries out the AES encryption and decryption that HASH crosses can not be kept at client in any form, all can generate when need carry out encryption and decryption at every turn temporarily, and instant destruction after the encryption and decryption computing.So just farthest guaranteed the security of stored information.
Use the HASH chip to carry out unidirectional irreversible HASH computing, this is most economical a kind of in all encryption and decryption modes.In order to improve the difficulty that cracks, method commonly used now is cured to part or all of enciphering and deciphering algorithm among the chip exactly.In the encipher-decipher method commonly used now, the chip that solidifies the HASH algorithm is most economical a kind of, and HASH is irreversible one-way algorithm, one group of data is added the seed data that solidifies in the HASH chip, together by after the HASH, very difficult backstepping goes out the seed data in the HASH chip, even the seed data in the HASH chip has been acquired,, also is difficult to backstepping and goes out raw data expressly by the data after the HASH; The symmetry enciphering and deciphering algorithm is because secret key is consistent in the encryption and decryption process, so if secret key is cured in the chip, in case be cracked, then all data through this chip encryption also just all have been cracked; The symmetry enciphering and deciphering algorithm is as the present higher a kind of security algorithm of degree of safety, on the contrary often be cured among the chip, but the price of this chip is very expensive, is unsuitable for using in handheld device on a large scale, and this mode mainly is applied among the Internet bank at present.
What this programme adopted is exactly a kind of local data method for secure storing that carries out safety guarantee based on the most cheap HASH chip.
Specifically, ciphering process of the present invention may further comprise the steps:
1. taking-up random number.
Client will according to some specific, exclusive information automatically, at random random number of generation.The generting machanism of this random number has guaranteed that the random key of each client generation is neither identical.After the generation, this random coded will be kept in the hard disk or ROM of client, use when having got inferior the deciphering ready.Client will trigger according to certain rule, regenerate new random number.
2. by the HASH chip random number is carried out the HASH conversion.
By the HASH chip, with random number, add the HASH seed that solidifies in the HASH chip, carry out the HASH conversion together.The irreversible HASH result of unidirectional generation.
3. use HASH result afterwards as key, the needs ciphered data is carried out the AES burst encrypt.
To need information encrypted to carry out burst, use the AES symmetric encipherment algorithm then, the data after the burst will be encrypted.The key that uses during the AES encryption and decryption wherein is exactly the HASH result that previous step generates in rapid.
4. in internal memory, destroy original plaintext message and process HASH AES cryptographic algorithm key afterwards.
After encrypting, in internal memory, the AES encryption key after original plaintext and the HASH to be destroyed immediately, these information will not deposited in fixed memory device such as hard disk or ROM in any form.
Decrypting process of the present invention may further comprise the steps:
1. taking-up random number.
Client will according to some specific, exclusive information automatically, at random random number of generation.The generting machanism of this random number has guaranteed that the random key of each client generation is neither identical.After the generation, this random coded will be kept in the hard disk or ROM of client, use when having got inferior the deciphering ready.Client will trigger according to certain rule, regenerate new random number.
2. by the HASH chip random number is carried out the HASH conversion.
By the HASH chip, with random number, add the HASH seed that solidifies in the HASH chip, carry out the HASH conversion together.The irreversible HASH result of unidirectional generation.
3. use HASH result afterwards as key, the needs decrypted data is carried out AES burst decrypt operation handle.
Use AES symmetry enciphering and deciphering algorithm, enciphered data is carried out the burst deciphering, and piece together out current needed data expressly.The information of needs deciphering is carried out burst, use the AES symmetric encipherment algorithm then, the data after the burst are encrypted.The key of the use of using during the AES encryption and decryption wherein is exactly the HASH result that previous step generates in rapid.
4. after the plaintext after deciphering is employed, in internal memory, destroy cleartext information and process HASH AES cryptographic algorithm key afterwards.
In fixed memory device such as hard disk or ROM, do not preserve cleartext information and process HASH AES encryption key afterwards in any form.
This method has been applied in the private key of preserving asymmetric encryption and decryption in the handheld device, and handheld device is carried out distributed secure data exchange if desired, all can adopt asymmetric encipher-decipher method usually.For the enciphered message that can obtain different times in this locality is disassembled, just the private key that different times produces must be carried out this locality storage.Use this method to preserve private key, can make the security of private key storage further improve only increasing seldom under the condition of cost.And can be than using the more frequent replacing public private key pair of asymmetric deciphering chip, and after public private key pair is replaced, continues to allow handheld device to read and be stored in local enciphered message together.
The present invention is not limited to embodiment discussed above.More than the description of embodiment is intended in order to describe and illustrate the technical scheme that the present invention relates to.Based on the conspicuous conversion of the present invention enlightenment or substitute and also should be considered to fall into protection scope of the present invention.Above embodiment is used for disclosing best implementation method of the present invention, so that those of ordinary skill in the art can use numerous embodiments of the present invention and multiple alternative reaches purpose of the present invention.