Method for integrating SM4 data encryption and decryption technology based on software framework

Document No.: 105382    Published: 2021-10-15    Views: 17    Language: Chinese

Reading notes: this technology, 一种基于软件框架集成国密sm4数据加解密技术的方法 (Method for integrating SM4 data encryption and decryption technology based on a software framework), was designed by 杨帆, 徐清华 and 肖渝 on 2021-05-25. Abstract: The invention discloses a method for integrating the national-standard SM4 data encryption and decryption technology into a software framework. The method includes the following steps. Step one: create an encryption/decryption configuration file and, through the encryption/decryption tool, configure automatic encryption/decryption, the encryption key, the ciphertext prefix and the ciphertext suffix in that file. By integrating the software framework with the SM4 cipher, the method provides a standard program-marking notation and a single algorithm: a developer only marks the data items that need encryption or decryption, and at run time the system inspects each data item and encrypts or decrypts the marked ones. On one hand, when a user searches by plaintext, the integrated framework decrypts and compares the data automatically, so the developer can complete the search without first decrypting the data, which raises productivity and search accuracy; on the other hand, the data is protected and leakage of sensitive data is avoided.

1. A method for integrating SM4 data encryption and decryption technology based on a software framework, characterized in that it comprises the following steps:

step one: create an encryption/decryption configuration file and, through the encryption/decryption tool, configure in it automatic encryption/decryption, the encryption key, the ciphertext prefix and the ciphertext suffix, and set whether encryption/decryption is enabled for the whole program; the settings in the configuration file are overridden by a per-item encryption/decryption mark, so that if a data item carries a mark, the mark's description is used in preference;

step two: mark the data for encryption and decryption: the data items that need encryption or decryption are marked in the input and output data objects, and the mark's options can be extended to state whether the item is to be encrypted, decrypted, or both;

step three: build a data-interaction interceptor that intercepts data on input, output and storage, checks whether a data item carries a mark and, according to the mark, calls the tool function to encrypt or decrypt it; the interceptor handles complex data structures by unpacking them layer by layer according to the marks until it reaches string-typed values, which are what is finally encrypted or decrypted;

step four: because data may be intercepted several times while the program runs, processed data is cached under its process ID; on a second interception the cache is checked first, and if the data is already there, processing is skipped, so that data is encrypted exactly once, since encrypting it a second time would corrupt it;

step five: handle multiple encryption/decryption keys: if different kinds of data use different keys, the encryption/decryption mark is extended to name the key, and after interception the key named in the mark takes precedence when the data item is encrypted or decrypted, so that different kinds of data can use different keys while the same key is guaranteed to be used for both the encryption and the decryption of an item;

step six: tamper verification: several data items are concatenated, the concatenation is encrypted and the resulting ciphertext is stored together with the data; later, the plaintext formed by concatenating the data items to be checked is passed together with the previously stored ciphertext to the tool's data verification function, which reports whether the data has been tampered with.

2. The method for integrating the SM4 data encryption and decryption technology based on the software framework as claimed in claim 1, wherein: the encryption/decryption tool of step one provides encryption key generation, the encryption algorithm, the decryption algorithm and the data verification function.

3. The method for integrating the SM4 data encryption and decryption technology based on the software framework as claimed in claim 1, wherein: a data item specified in step two is one that needs encryption only, decryption only, or both.

4. The method for integrating the SM4 data encryption and decryption technology based on the software framework as claimed in claim 1, wherein: the complex data structures handled in step three mainly include page data, list data, KEY-VALUE structures and combinations of these structures.

5. The method for integrating the SM4 data encryption and decryption technology based on the software framework as claimed in claim 1, wherein: in step five, different data types across the whole software program may use different encryption/decryption keys.

6. The method for integrating the SM4 data encryption and decryption technology based on the software framework as claimed in claim 1, wherein: the method for integrating the SM4 data encryption and decryption technology based on the software framework comprises the following specific processing steps:

a1: through the encryption/decryption tool, configure in the file automatic encryption/decryption, the encryption key, the ciphertext prefix and the ciphertext suffix, and set whether encryption/decryption is enabled for the whole process; the settings in the configuration file are overridden by an encryption/decryption mark, so that if a data item carries a mark, the mark's description is used in preference;

a2: mark, in the input data object and the output data object, the data items that need encryption only, decryption only, or both, the mark's options being extensible to state whether encryption and decryption are required;

a3: intercept data on input, output and storage, check whether a data item carries a mark and, according to the mark, call the tool function to encrypt or decrypt it; the interceptor handles page data, list data and KEY-VALUE structures by unpacking them layer by layer according to the marks until the string-typed values are finally encrypted or decrypted;

a4: because data may be intercepted several times while the program runs, processed data is cached under its process ID; on a second interception the cache is checked first and, if the data is already there, processing is skipped so that data is encrypted exactly once, since encrypting it a second time would corrupt it; when different kinds of data use different keys, the encryption/decryption mark is extended to name the key, and when the interceptor processes the data item the key named in the mark takes precedence, so that different kinds of data can use different keys while the same key is guaranteed to be used for both encryption and decryption;

a5: for tamper verification, the plaintext formed by concatenating the data items to be checked is passed together with the previously stored ciphertext to the tool's data verification function, which reports whether the data has been tampered with.

Technical Field

The invention relates to the field of applying the national (domestic) cryptographic algorithms, and in particular to a method for integrating the national-standard SM4 data encryption and decryption technology based on a software framework.

Background

The national cryptographic algorithms (国密, Guomi) are the domestic algorithms recognized by the State Cryptography Administration of China, as opposed to the widely used algorithms such as DES and AES, which are referred to as international algorithms. The national algorithms mainly comprise SM1, SM2, SM3 and SM4; SM4 is a block cipher whose key length and block length are both 128 bits. The domestic algorithms are an important basis for keeping China's network security independently controllable. At present China is also vigorously promoting the application of the national algorithms and has achieved good results: software and hardware cryptographic products that support them now include SSL gateways, digital certificate authentication systems, key management systems, financial data encryption machines, signature verification servers, smart cryptographic tokens, smart IC cards and PCI cryptographic cards. Common operating systems, browsers, network equipment and load balancers, however, still do not support the national algorithms, which limits their compatibility. This scheme relates in particular to a method for integrating the SM4 data encryption and decryption technology based on a software framework.

When a cryptographic algorithm is used in software development, the developer must call the algorithm to encrypt or decrypt the data every time and must therefore master a complex algorithmic procedure. This raises the learning cost and lowers development efficiency, and inconsistent encryption and decryption handling across the whole software runtime environment leads to system errors or decryption failures.

Disclosure of Invention

The technical problem to be solved by the invention is as follows: when a cryptographic algorithm is used in software development, the developer must call the algorithm to encrypt or decrypt the data every time and must therefore master a complex algorithmic procedure. This raises the learning cost and lowers development efficiency, and inconsistent encryption and decryption handling across the whole software runtime environment leads to system errors or decryption failures.

The invention solves this technical problem by the following technical scheme, a method for integrating the SM4 data encryption and decryption technology based on a software framework, which comprises the following steps:

step one: create an encryption/decryption configuration file and, through the encryption/decryption tool, configure in it automatic encryption/decryption, the encryption key, the ciphertext prefix and the ciphertext suffix, and set whether encryption/decryption is enabled for the whole program; the settings in the configuration file are overridden by a per-item encryption/decryption mark, so that if a data item carries a mark, the mark's description is used in preference;

step two: mark the data for encryption and decryption: the data items that need encryption or decryption are marked in the input and output data objects, and the mark's options can be extended to state whether the item is to be encrypted, decrypted, or both;

step three: build a data-interaction interceptor that intercepts data on input, output and storage, checks whether a data item carries a mark and, according to the mark, calls the tool function to encrypt or decrypt it; the interceptor handles complex data structures by unpacking them layer by layer according to the marks until it reaches string-typed values, which are what is finally encrypted or decrypted;

step four: because data may be intercepted several times while the program runs, processed data is cached under its process ID; on a second interception the cache is checked first, and if the data is already there, processing is skipped, so that data is encrypted exactly once, since encrypting it a second time would corrupt it;

step five: handle multiple encryption/decryption keys: if different kinds of data use different keys, the encryption/decryption mark is extended to name the key, and after interception the key named in the mark takes precedence when the data item is encrypted or decrypted, so that different kinds of data can use different keys while the same key is guaranteed to be used for both the encryption and the decryption of an item;

step six: tamper verification: several data items are concatenated, the concatenation is encrypted and the resulting ciphertext is stored together with the data; later, the plaintext formed by concatenating the data items to be checked is passed together with the previously stored ciphertext to the tool's data verification function, which reports whether the data has been tampered with.

Preferably, the encryption/decryption tool of step one provides encryption key generation, the encryption algorithm, the decryption algorithm and the data verification function.

Preferably, a data item specified in step two is one that needs encryption only, decryption only, or both.

Preferably, the complex data structures handled in step three mainly include page data, list data, KEY-VALUE structures and combinations of these structures.

Preferably, in step five, different data types across the whole software program may use different encryption/decryption keys.

Preferably, the specific processing steps of the method for integrating the national-standard SM4 data encryption and decryption technology based on a software framework are as follows:

a1: through the encryption/decryption tool, configure in the file automatic encryption/decryption, the encryption key, the ciphertext prefix and the ciphertext suffix, and set whether encryption/decryption is enabled for the whole process; the settings in the configuration file are overridden by an encryption/decryption mark, so that if a data item carries a mark, the mark's description is used in preference;

a2: mark, in the input data object and the output data object, the data items that need encryption only, decryption only, or both, the mark's options being extensible to state whether encryption and decryption are required;

a3: intercept data on input, output and storage, check whether a data item carries a mark and, according to the mark, call the tool function to encrypt or decrypt it; the interceptor handles page data, list data and KEY-VALUE structures by unpacking them layer by layer according to the marks until the string-typed values are finally encrypted or decrypted;

a4: because data may be intercepted several times while the program runs, processed data is cached under its process ID; on a second interception the cache is checked first and, if the data is already there, processing is skipped so that data is encrypted exactly once, since encrypting it a second time would corrupt it; when different kinds of data use different keys, the encryption/decryption mark is extended to name the key, and when the interceptor processes the data item the key named in the mark takes precedence, so that different kinds of data can use different keys while the same key is guaranteed to be used for both encryption and decryption;

a5: for tamper verification, the plaintext formed by concatenating the data items to be checked is passed together with the previously stored ciphertext to the tool's data verification function, which reports whether the data has been tampered with.

Compared with the prior art, the invention has the following advantages:

the software framework is integrated with the SM4 cipher to provide a standard program-marking notation and a unified algorithm; a developer only needs to mark the data that need encryption or decryption, the data items are checked while the system runs, and the marked data are encrypted or decrypted automatically.

Drawings

Fig. 1 is a schematic flow chart of the method for integrating the national-standard SM4 data encryption and decryption technology based on a software framework.

Detailed Description

The following example describes the detailed implementation and specific operation of the invention, but the scope of the invention is not limited to this example.

As shown in Fig. 1, this embodiment provides the following technical solution: a method for integrating SM4 data encryption and decryption technology based on a software framework, comprising the following steps:

step one: create an encryption/decryption configuration file and, through the encryption/decryption tool, configure in it automatic encryption/decryption, the encryption key, the ciphertext prefix and the ciphertext suffix, and set whether encryption/decryption is enabled for the whole program; the settings in the configuration file are overridden by a per-item encryption/decryption mark, so that if a data item carries a mark, the mark's description is used in preference;

step two: mark the data for encryption and decryption: the data items that need encryption or decryption are marked in the input and output data objects, and the mark's options can be extended to state whether the item is to be encrypted, decrypted, or both;

step three: build a data-interaction interceptor that intercepts data on input, output and storage, checks whether a data item carries a mark and, according to the mark, calls the tool function to encrypt or decrypt it; the interceptor handles complex data structures by unpacking them layer by layer according to the marks until it reaches string-typed values, which are what is finally encrypted or decrypted;

step four: because data may be intercepted several times while the program runs, processed data is cached under its process ID; on a second interception the cache is checked first, and if the data is already there, processing is skipped, so that data is encrypted exactly once, since encrypting it a second time would corrupt it;

step five: handle multiple encryption/decryption keys: if different kinds of data use different keys, the encryption/decryption mark is extended to name the key, and after interception the key named in the mark takes precedence when the data item is encrypted or decrypted, so that different kinds of data can use different keys while the same key is guaranteed to be used for both the encryption and the decryption of an item;

step six: tamper verification: several data items are concatenated, the concatenation is encrypted and the resulting ciphertext is stored together with the data; later, the plaintext formed by concatenating the data items to be checked is passed together with the previously stored ciphertext to the tool's data verification function, which reports whether the data has been tampered with.

In step one, the encryption/decryption tool provides an encryption key generation function, the encryption algorithm, the decryption algorithm and the data verification function.

A data item specified in step two is one that needs encryption only, decryption only, or both.

The complex data structures handled in step three mainly include page data, list data, KEY-VALUE structures and combinations of these structures.

In step five, different data types across the whole software program may use different encryption/decryption keys.

The method for integrating the SM4 data encryption and decryption technology based on a software framework specifically comprises the following processing steps:

a1: through the encryption/decryption tool, configure in the file automatic encryption/decryption, the encryption key, the ciphertext prefix and the ciphertext suffix, and set whether encryption/decryption is enabled for the whole process; the settings in the configuration file are overridden by an encryption/decryption mark, so that if a data item carries a mark, the mark's description is used in preference;

a2: mark, in the input data object and the output data object, the data items that need encryption only, decryption only, or both, the mark's options being extensible to state whether encryption and decryption are required;

a3: intercept data on input, output and storage, check whether a data item carries a mark and, according to the mark, call the tool function to encrypt or decrypt it; the interceptor handles page data, list data and KEY-VALUE structures by unpacking them layer by layer according to the marks until the string-typed values are finally encrypted or decrypted;

a4: because data may be intercepted several times while the program runs, processed data is cached under its process ID; on a second interception the cache is checked first and, if the data is already there, processing is skipped so that data is encrypted exactly once, since encrypting it a second time would corrupt it; when different kinds of data use different keys, the encryption/decryption mark is extended to name the key, and when the interceptor processes the data item the key named in the mark takes precedence, so that different kinds of data can use different keys while the same key is guaranteed to be used for both encryption and decryption;

a5: for tamper verification, the plaintext formed by concatenating the data items to be checked is passed together with the previously stored ciphertext to the tool's data verification function, which reports whether the data has been tampered with.
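Steps one to six (and the a1 to a5 sequence) as an added, runnable example; this is not the patent's code nor any product's code. It implements SM4 itself from the GB/T 32907 specification, checked against the standard test vector, and layers the patent's ideas on top under assumed names and formats: the configuration file is the CONFIG dict, the marks are the MARKS dict keyed by field name, a ciphertext is written as prefix + base64(IV || SM4-CBC ciphertext) + suffix, and the prefix/suffix check stands in for the process-ID cache of step four as the "already encrypted" test. CBC mode with PKCS#7 padding and a random IV per value is this example's choice; the patent names no mode or encoding. The interceptor goes slightly beyond the text in that it walks arbitrary nesting of page, list and key-value structures rather than one fixed layout.

```python
"""Added example, not the patent's or any product's code: SM4 (GB/T 32907) under a
field-mark interceptor. CBC, PKCS#7, base64 and the mark/config layouts are assumptions."""
import base64, hmac, os
SBOX = bytes.fromhex(  # SM4 S-box, row-major
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = [int.from_bytes(bytes(((4 * i + j) * 7) & 0xFF for j in range(4)), "big") for i in range(32)]
_rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
_xor = lambda a, b: bytes(p ^ q for p, q in zip(a, b))

def _l(a, shifts):  # tau (byte-wise S-box) followed by the linear transform L or L'
    b = int.from_bytes(bytes(SBOX[c] for c in a.to_bytes(4, "big")), "big")
    out = b
    for s in shifts:
        out ^= _rotl(b, s)
    return out

def sm4_round_keys(key):
    k = [int.from_bytes(key[i:i + 4], "big") ^ FK[i // 4] for i in range(0, 16, 4)]
    for i in range(32):
        k.append(k[i] ^ _l(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i], (13, 23)))
    return k[4:]

def sm4_block(rk, block):  # one 16-byte block; pass rk reversed to decrypt
    x = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4)]
    for i in range(32):
        x.append(x[i] ^ _l(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i], (2, 10, 18, 24)))
    return b"".join(v.to_bytes(4, "big") for v in reversed(x[32:]))

def sm4_cbc_encrypt(key, iv, data):
    rk, pad = sm4_round_keys(key), 16 - len(data) % 16
    data, out, prev = data + bytes([pad]) * pad, [], iv
    for i in range(0, len(data), 16):
        prev = sm4_block(rk, _xor(data[i:i + 16], prev))
        out.append(prev)
    return b"".join(out)

def sm4_cbc_decrypt(key, iv, data):
    if not data or len(data) % 16: raise ValueError("bad length")
    rk, out, prev = sm4_round_keys(key)[::-1], [], iv
    for i in range(0, len(data), 16):
        out.append(_xor(sm4_block(rk, data[i:i + 16]), prev))
        prev = data[i:i + 16]
    plain, pad = b"".join(out), out[-1][-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad: raise ValueError("bad padding")
    return plain[:-pad]

# Step one: the configuration file, as a dict. The key is the SM4 test key, for demo only.
CONFIG = {"prefix": "SM4{", "suffix": "}", "key": bytes.fromhex("0123456789abcdeffedcba9876543210")}

def encrypt_str(s, key=None, iv=None):
    iv = iv or os.urandom(16)  # fresh IV per value; a fixed iv is only for reproducible tests
    ct = sm4_cbc_encrypt(key or CONFIG["key"], iv, s.encode())
    return CONFIG["prefix"] + base64.b64encode(iv + ct).decode() + CONFIG["suffix"]
def is_ciphertext(v):  # the prefix/suffix identify a value as already encrypted
    return isinstance(v, str) and v.startswith(CONFIG["prefix"]) and v.endswith(CONFIG["suffix"])
def decrypt_str(v, key=None):
    if not is_ciphertext(v):
        return v
    raw = base64.b64decode(v[len(CONFIG["prefix"]):len(v) - len(CONFIG["suffix"])])
    return sm4_cbc_decrypt(key or CONFIG["key"], raw[:16], raw[16:]).decode()

# Steps two and five: marks on fields of the data object; "key" names a per-field key.
MARKS = {"id_card": {"mode": "both"},
         "phone": {"mode": "both", "key": bytes.fromhex("000102030405060708090a0b0c0d0e0f")}}

def intercept(obj, direction, marks=MARKS):
    # Step three: 'in' encrypts marked fields before storage, 'out' decrypts them before
    # output; page/list/key-value nesting is unpacked down to the string leaves.
    if isinstance(obj, list):
        return [intercept(v, direction, marks) for v in obj]
    if not isinstance(obj, dict):
        return obj
    out = {}
    for k, v in obj.items():
        m, out[k] = marks.get(k), v
        if m is None or not isinstance(v, str):
            out[k] = intercept(v, direction, marks)
        elif direction == "in" and m["mode"] in ("enc", "both") and not is_ciphertext(v):
            out[k] = encrypt_str(v, m.get("key"))  # step four: never re-encrypt a ciphertext
        elif direction == "out" and m["mode"] in ("dec", "both"):
            out[k] = decrypt_str(v, m.get("key"))
    return out

def tamper_tag(items, key=None, iv=None):  # step six: stored alongside the items
    return encrypt_str("|".join(items), key, iv)
def verify(items, tag, key=None):
    try:
        expect = decrypt_str(tag, key)
    except ValueError:  # wrong key, bad padding, bad length or bad base64
        return False
    return hmac.compare_digest(expect.encode(), "|".join(items).encode())
```

The tamper check follows the text literally: the stored ciphertext is decrypted and compared, in constant time, with the re-concatenated plaintext. Note that such a tag is not a message authentication code: CBC ciphertext is malleable through its IV, so flipping bits of the stored IV flips the same bits in the first 16 bytes of the decrypted value. Where integrity must hold against someone who can write to the same storage, a keyed MAC over the concatenation (SM3-HMAC or SM4-CMAC) is the conventional primitive.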

Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g. two, three, etc., unless specifically limited otherwise.

Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
