WO2018133686A1

WO2018133686A1 - Method and device for password protection, and storage medium

Info

Publication number: WO2018133686A1
Application number: PCT/CN2018/071734
Authority: WO
Inventors: 吴晓麟
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2017-01-18
Filing date: 2018-01-08
Publication date: 2018-07-26
Anticipated expiration: 2019-07-18
Also published as: CN106656476B; CN106656476A

Abstract

Disclosed are a method and device for password protection. The method for password protection comprises: a server obtaining a user identifier and a first plaintext password; using a pre-set salt value to salt the first plaintext password to obtain a first key; taking the first key as an encryption key for a hash-based message authentication code (HMAC) operation, and taking a secure hash algorithm (SHA) as a cryptographic hash function for the HMAC operation to carry out the HMAC operation so as to obtain a first ciphertext password; and correspondingly storing the user identifier and the first ciphertext password in a database.

Description

Password protection method, device and storage medium

本申请要求于2017年01月18日提交中国专利局、申请号为201710036798.9、发明名称为“一种密码保护方法及装置”的中国专利申请的优先权，其全部内容通过引用结合在本申请中。The present application claims priority to Chinese Patent Application No. PCT Application No. No. No. No. No. No. No. No. No. No. No. No. No. No. No. .

Technical field

本申请实施例涉及信息安全技术领域，具体涉及一种密码保护方法、装置及存储介质。The embodiment of the present invention relates to the field of information security technologies, and in particular, to a password protection method, apparatus, and storage medium.

背景background

现有的账号系统，一般会将密码明文存储，这种存储方式很容易导致密码泄露，给用户带来极大的安全隐患。为保障密码安全，有些账号系统会将密码采用消息摘要算法第五版(Message Digest Algorithm 5，MD5)加密后存储，而经证实，MD5加密算法可以被破解，且MD5算法无法防止碰撞，拿到MD5密码后，破解只是时间的问题，即这种方式还是无法保障密码的安全，密码遭遇泄露的风险还是很大。The existing account system generally stores the password in plain text. This storage method can easily lead to password leakage, which brings great security risks to users. In order to protect the password security, some account systems encrypt and store the password using Message Digest Algorithm 5 (MD5). It is confirmed that the MD5 encryption algorithm can be cracked, and the MD5 algorithm cannot prevent collisions. After the MD5 password, the crack is only a matter of time, that is, the security of the password cannot be guaranteed in this way, and the risk of the password being compromised is still very large.

技术内容Technical content

本申请实施例提供了一种密码保护方法，包括：The embodiment of the present application provides a password protection method, including:

服务器获取用户标识及第一明文密码；The server obtains the user identifier and the first plaintext password;

所述服务器利用预设盐值对所述第一明文密码加盐得到第一密钥；The server uses a preset salt value to add salt to the first plaintext password to obtain a first key;

所述服务器将所述第一密钥作为哈希消息认证码HMAC运算的加密密钥，将安全哈希算法SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到第一密文密码；The server uses the first key as an encryption key for the hash message authentication code HMAC operation, and uses the secure hash algorithm SHA as a hash function for HMAC operation to perform an HMAC operation to obtain a first ciphertext password;

所述服务器将所述用户标识与所述第一密文密码对应存储在数据库中。The server stores the user identifier in the database corresponding to the first ciphertext password.

本申请实施例还提供了一种密码保护装置，包括：The embodiment of the present application further provides a password protection apparatus, including:

获取单元，用于获取用户标识及第一明文密码；An obtaining unit, configured to obtain a user identifier and a first plaintext password;

加盐单元，用于利用预设盐值对所述第一明文密码加盐得到第一密钥；a salt adding unit, configured to add a salt to the first plaintext password by using a preset salt value to obtain a first key;

第一加密单元，用于将所述第一密钥作为哈希消息认证码HMAC运算的加密密钥，将安全哈希算法SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到第一密文密码；a first encryption unit, configured to use the first key as an encryption key of a hash message authentication code HMAC operation, and use a secure hash algorithm SHA as an encryption hash function for HMAC operation, and perform an HMAC operation to obtain a first Ciphertext password;

存储单元，用于将所述用户标识与所述第一密文密码对应存储在数据库中。And a storage unit, configured to store the user identifier in the database corresponding to the first ciphertext password.

本申请还提出了一种非易失性计算机可读存储介质，存储有计算机可读指令，可以使至少一个处理器执行以上所述的方法。The present application also proposes a non-transitory computer readable storage medium storing computer readable instructions that cause at least one processor to perform the methods described above.

附图简要说明BRIEF DESCRIPTION OF THE DRAWINGS

为了更清楚地说明本申请实施例中的技术方案，下面将对实施例描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本申请的一些实施例，对于本领域技术人员来讲，在不付出创造性劳动的前提下，还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present application. Other drawings can also be obtained from those skilled in the art based on these drawings without paying any creative effort.

图1是本申请实施例所提供的密码保护方法的一个场景示意图；1 is a schematic diagram of a scenario of a password protection method provided by an embodiment of the present application;

图2是本申请实施例所提供的密码保护方法的一个流程示意图；2 is a schematic flowchart of a password protection method provided by an embodiment of the present application;

图3a是本申请实施例所提供的一个注册流程示意图；FIG. 3a is a schematic diagram of a registration process provided by an embodiment of the present application; FIG.

图3b是本申请实施例所提供的一个原始密文密码生成过程示意图；FIG. 3b is a schematic diagram of an original ciphertext password generation process provided by an embodiment of the present application; FIG.

图4a是本申请实施例所提供的一个验证流程示意图；4a is a schematic diagram of a verification process provided by an embodiment of the present application;

图4b是本申请实施例所提供的一个实时密文密码生成过程示意图；4b is a schematic diagram of a real-time ciphertext password generation process provided by an embodiment of the present application;

图5是本申请实施例所提供的密码保护装置的一个结构示意图；FIG. 5 is a schematic structural diagram of a password protection apparatus according to an embodiment of the present application; FIG.

图6是本申请实施例所提供的密码保护装置的另一结构示意图。FIG. 6 is another schematic structural diagram of a password protection apparatus according to an embodiment of the present application.

detailed description

下面将结合本申请实施例中的附图，对本申请实施例中的技术方案进行清楚、完整地描述，显然，所描述的实施例仅仅是本申请一部分实施例，而不是全部的实施例。基于本申请中的实施例，本领域技术人员在没有作出创造性劳动前提下所获得的所有其他实施例，都属于本申请保护的范围。The technical solutions in the embodiments of the present application are clearly and completely described in the following with reference to the drawings in the embodiments of the present application. It is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments of the present application without creative efforts are within the scope of the present application.

由于现有的密码存储方法，存在很大的密码泄露风险，无法保障密码安全。因而，本申请实施例提供了一种密码保护方法及装置，能够保障密码安全，降低密码被泄露的风险。本申请实施例提供的密码保护方法可实现于密码保护装置中，密码保护装置可为服务器。本申请实施例密码保护方法一个实施场景可如图1所示，包括服务器101与客户端102，服务器101可以从客户端102获取用户标识及原始明文密码，利用预设盐值对所述原始明文密码加盐得到原始密钥，然后将所述原始密钥作为哈希消息认证码(Hash-based Message Authentication Code，HMAC)运算的加密密钥，将安全哈希算法(Secure Hash Algorithm，SHA)作为HMAC运算的加密用散列函数，进行HMAC运算，得到原始密文密码，最后将所述用户标识与所述原始密文密码对应存储在数据库中。经验证，SHA算法本身就很难被破解，而将原始明文密码加盐之后得到的原始密钥已相当复杂，所以以所述原始密钥为加密密钥，以所述SHA作为加密用散列函数进行HMAC运算得到的原始密文密码，即使穷举，也很难破解出原始明文密码，因而本申请实施例的方法，能够保障密码安全，降低密码被泄露的风险，这里，上述原始明文密码也可以称为第一明文密码，上述原始密文密码也可以称为第一密文密码，上述原始密钥也可以称为第一密钥。Due to the existing password storage method, there is a large risk of password leakage, and password security cannot be guaranteed. Therefore, the embodiment of the present application provides a password protection method and device, which can protect password security and reduce the risk of password being leaked. The password protection method provided by the embodiment of the present application can be implemented in a password protection device, and the password protection device can be a server. An implementation scenario of the password protection method in this embodiment may be as shown in FIG. 1 , including a server 101 and a client 102. The server 101 may obtain a user identifier and an original plaintext password from the client 102, and use the preset salt value to the original plaintext. The password is added to the salt to obtain the original key, and then the original key is used as an encryption key of a Hash-based Message Authentication Code (HMAC) operation, and a Secure Hash Algorithm (SHA) is used as a security hash algorithm (SHA). The hash function of the HMAC operation is performed by performing an HMAC operation to obtain an original ciphertext password, and finally storing the user identifier in the database corresponding to the original ciphertext password. It is verified that the SHA algorithm itself is difficult to be cracked, and the original key obtained by adding the original plaintext password is quite complicated. Therefore, the original key is used as an encryption key, and the SHA is used as an encryption hash. The original ciphertext password obtained by the function of the HMAC operation, even if it is exhaustive, it is difficult to crack the original plaintext password. Therefore, the method of the embodiment of the present application can protect the password security and reduce the risk of the password being leaked. Here, the original plaintext password is used. It may also be referred to as a first plaintext password, and the original ciphertext password may also be referred to as a first ciphertext password, and the original key may also be referred to as a first key.

如图2所示，本申请实施例的方法包括以下步骤：As shown in FIG. 2, the method in this embodiment of the present application includes the following steps:

步骤201、获取用户标识及原始明文密码；Step 201: Obtain a user identifier and an original plaintext password.

在一些实施例中，可以在客户端注册时，服务器从客户端获取用户标识及原始明文密码，用户标识也可以称为用户名、注册账号等，原始明文密码即注册时客户端提供的注册密码。In some embodiments, when the client registers, the server obtains the user identifier and the original plaintext password from the client, and the user identifier may also be referred to as a user name, a registered account, etc., and the original plaintext password is the registration password provided by the client when registering. .

客户端可以将用户标识及原始明文密码直接携带在注册请求中，服务器直接从注册请求中获取用户标识及原始明文密码。但是，这种方式，密码会以明文的形式在客户端与服务器之间传递，容易被第三方截获，导致密码泄露。因而，本申请实施例中，客户端还可以将原始明文密码加密，将加密后的原始明文密码及用户标识携带在注册请求中发送给服务器，在一些实施例中：The client can directly carry the user identifier and the original plaintext password in the registration request, and the server directly obtains the user identifier and the original plaintext password from the registration request. However, in this way, the password is transmitted between the client and the server in clear text, which is easily intercepted by a third party, resulting in a password leak. Therefore, in the embodiment of the present application, the client may also encrypt the original plaintext password, and carry the encrypted original plaintext password and the user identifier in the registration request to the server. In some embodiments:

客户端可以先采用不对称加密算法RSA公钥加密原始明文密码，然后采用安全版超文本传输协议(Hyper Text Transfer Protocol over Secure Socket Layer，HTTPS)公钥对加密后的所述原始明文密码再次加密得到第一密文，将第一密文及用户标识携带在注册请求中发送给服务器。服务器接收到所述注册请求之后，从注册请求中提取用户标识及第一密文，采用HTTPS私钥解密所述第一密文，然后采用RSA私钥对解密后的所述第一密文再次解密以获取所述原始明文密码。这样，密码以密文的形式在客户端与服务器之间传递，即使被第三方截获，第三方也无法轻易得到原始明文密码，进一步保障了密码安全。这里，公钥和私钥就是不对称加密算法中的两种密钥，二者是一对互相匹配的密钥进行加密、解密，比如HTTPS私钥可以解密由HTTPS公钥加密的第一密文。The client can first encrypt the original plaintext password by using the asymmetric encryption algorithm RSA public key, and then encrypt the encrypted original plaintext password again by using the Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) public key. The first ciphertext is obtained, and the first ciphertext and the user identifier are carried in the registration request and sent to the server. After receiving the registration request, the server extracts the user identifier and the first ciphertext from the registration request, decrypts the first ciphertext by using an HTTPS private key, and then uses the RSA private key to decrypt the decrypted first ciphertext again. Decrypt to obtain the original plaintext password. In this way, the password is transmitted between the client and the server in the form of cipher text. Even if intercepted by a third party, the third party cannot easily obtain the original plaintext password, thereby further ensuring the password security. Here, the public key and the private key are two kinds of keys in the asymmetric encryption algorithm. The two are a pair of mutually matching keys for encryption and decryption. For example, the HTTPS private key can decrypt the first ciphertext encrypted by the HTTPS public key. .

步骤202、利用预设盐值对所述原始明文密码加盐得到原始密钥；Step 202: Adding a salt to the original plaintext password by using a preset salt value to obtain an original key;

所谓“加盐”指的是，通过在密码任意固定位置插入特定的字符串，让散列后的结果和使用原始密码的散列结果不相符，以保障密码的安全。The so-called "salt" refers to the security of the password by inserting a specific character string at any fixed position of the password so that the hashed result does not match the hash result of the original password.

在执行步骤202之前，需要先获取预设盐值，预设盐值可以随机生成，当然也可以按照预设规则生成，下面介绍本申请实施例提供的，按照预设规则生成预设盐值的方法，如下：Before the step 202 is performed, the preset salt value needs to be obtained first, and the preset salt value may be generated randomly, and may also be generated according to a preset rule. The following describes the preset salt value generated according to the preset rule provided by the embodiment of the present application. Methods as below:

(1)生成随机盐值和随机数。(1) Generate random salt values and random numbers.

随机盐值可以是任意方式生成的一个字符串，字符串长度可根据实际需求自定义，为兼顾安全性及加密效率，本申请实施例中，代表随机盐值的字符串的长度可以取32位，例如随机盐值可以为：fw14Qpl79E6z4&q3！tD0#D2lVT):UNT。随机数可以使用马特赛特旋转演算法(Mersenne Twister)生成，例如随机数可以为：2101077161。当然，上述随机盐值及随机数仅为举例，并不构成对具体实施的限定。The random salt value may be a string generated in any manner, and the length of the string may be customized according to actual needs, in order to balance security and encryption efficiency. In the embodiment of the present application, the length of the string representing the random salt value may be 32 bits. For example, the random salt value can be: fw14Qpl79E6z4&q3! tD0#D2lVT): UNT. The random number can be generated using the Martsett Rotation algorithm (Mersenne Twister), for example, the random number can be: 2101077161. Of course, the above random salt values and random numbers are merely examples and do not constitute a limitation on the specific implementation.

(2)将所述随机盐值作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，使用所述随机数进行HMAC运算，得到所述预设盐值。(2) The random salt value is used as an encryption key for HMAC calculation, and SHA is used as an encryption hash function for HMAC operation, and the random number is used for HMAC operation to obtain the preset salt value.

HMAC是密钥相关的哈希运算消息认证码，HMAC运算利用哈希算法，以一个密钥和一个消息为输入，生成一个消息摘要作为输出。定义HMAC需要一个加密用散列函数和一个加密密钥。在本申请实施例中，可以以所述随机盐值作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，使用所述随机数进行HMAC运算，得到所述预设盐值。HMAC is a key-related hash operation message authentication code. The HMAC operation uses a hash algorithm to input a message digest as an output with a key and a message as input. Defining HMAC requires an encryption hash function and an encryption key. In the embodiment of the present application, the random salt value may be used as an encryption key for HMAC operation, and SHA is used as an encryption hash function for HMAC operation, and the random number is used for HMAC operation to obtain the preset salt value. .

SHA是一个密码散列函数家族，是联邦信息处理标准(Federal Information Processing Standards，FIPS)所认证的安全散列算法。散列函数可以将数据打乱混合，重新创建一个叫做散列值的指纹，散列值通常用来代表一个短的随机字母和数字组成的字符串。SHA是能计算出一个数字消息所对应的，长度固定的字符串(又称消息摘要)的算法，且若输入的消息不同，将得到不同的字符串，且得到不同字符串的概率很高。SHA算法之所以称作“安全”，主要基于以下两点：SHA is a family of cryptographic hash functions and is a secure hash algorithm certified by Federal Information Processing Standards (FIPS). The hash function can shuffle the data and recreate a fingerprint called a hash value, which is usually used to represent a string of short random letters and numbers. SHA is an algorithm that can calculate a fixed-length string (also known as a message digest) corresponding to a digital message. If the input message is different, different strings will be obtained, and the probability of obtaining different strings is very high. The SHA algorithm is called "security" and is mainly based on the following two points:

第一，由消息摘要反推原输入消息，从计算理论上来说是很困难的；First, it is computationally difficult to reverse the original input message from the message digest;

第二，想要使两组不同的消息对应到相同的消息摘要，从计算理论上来说也是很困难的，对输入消息的任何变动，都有很高的概率导致其产生的消息摘要迥异Second, it is computationally difficult to make two sets of different messages corresponding to the same message digest. Any change to the input message has a high probability of causing a different message digest.

SHA家族包括SHA-1、SHA-224、SHA-256、SHA-384、SHA-512和SHA-3，由美国国家安全局(National Security Agency，NSA)所设计，并由美国国家标准与技术研究院(National Institute of Standards and Technology，NIST)发布，是美国的政府标准。其中，SHA-224、SHA-256、SHA-384、SHA-512有时并称为SHA-2。The SHA family includes SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and SHA-3, designed by the National Security Agency (NSA) and studied by the US National Standards and Technology. Published by the National Institute of Standards and Technology (NIST), is the government standard of the United States. Among them, SHA-224, SHA-256, SHA-384, and SHA-512 are sometimes referred to as SHA-2.

为了兼顾安全性与计算代价，本申请实施例中，SHA-2类算法可以作为HMAC运算的加密用散列函数。In order to balance security and computational cost, in the embodiment of the present application, the SHA-2 type algorithm can be used as an encryption hash function for HMAC operations.

在得到所述预设盐值之后，可以利用所述预设盐值对所述原始明文密码加盐得到原始密钥。After the predetermined salt value is obtained, the original plaintext password may be salted with the preset salt value to obtain an original key.

步骤203、将所述原始密钥作为哈希消息认证码HMAC运算的加密密钥，将安全哈希算法SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到原始密文密码；Step 203: The original key is used as an encryption key for the hash message authentication code HMAC operation, and the secure hash algorithm SHA is used as an encryption hash function for HMAC operation, and an HMAC operation is performed to obtain an original ciphertext password;

步骤204、将所述用户标识与所述原始密文密码对应存储在数据库中。Step 204: Store the user identifier corresponding to the original ciphertext password in a database.

后续，在客户端向服务器发送验证请求时，服务器可以使用数据库中存储的原始密文密码对客户端进行验证，以识别客户端是否为合法用户。Subsequently, when the client sends an authentication request to the server, the server can use the original ciphertext password stored in the database to authenticate the client to identify whether the client is a legitimate user.

本申请实施例中，在获取用户标识及原始明文密码之后，会利用预设盐值对所述原始明文密码加盐得到原始密钥，然后将所述原始密钥作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到原始密文密码，最后将所述用户标识与所述原始密文密码对应存储在数据库中。经验证，SHA算法本身就很难被破解，而将原始明文密码加盐之后得到的原始密钥已相当复杂，所以以所述原始密钥为加密密钥，以所述SHA作为加密用散列函数进行HMAC运算得到的原始密文密码，即使穷举，也很难破解出原始明文密码，因而本申请实施例的方法，能够保障密码安全，降低密码被泄露的风险。In the embodiment of the present application, after obtaining the user identifier and the original plaintext password, the original plaintext password is salted by using a preset salt value to obtain an original key, and then the original key is used as an encryption key of the HMAC operation. The SHA is used as the hash function for the HMAC operation, and the HMAC operation is performed to obtain the original ciphertext password. Finally, the user identifier is stored in the database corresponding to the original ciphertext password. It is verified that the SHA algorithm itself is difficult to be cracked, and the original key obtained by adding the original plaintext password is quite complicated. Therefore, the original key is used as an encryption key, and the SHA is used as an encryption hash. The original ciphertext password obtained by the function of the HMAC operation is difficult to crack out the original plaintext password even if it is exhaustive. Therefore, the method of the embodiment of the present application can protect the password security and reduce the risk of the password being leaked.

下面本申请实施例将举例对本申请提供的密码保护方法进一步详细说明，本申请实施例的描述过程将分为两个阶段，即注册阶段与验证阶段。下面先描述注册阶段的流程，如图3a所示，注册阶段包括以下步骤：The following is a detailed description of the password protection method provided by the present application. The description process of the embodiment of the present application is divided into two phases, namely, a registration phase and a verification phase. The process of the registration phase will be described below, as shown in Figure 3a. The registration phase includes the following steps:

步骤301、接收客户端发送的注册请求，注册请求中包括用户标识及第一密文，第一密文由客户端采用预设加密算法加密原始明文密码得到；Step 301: Receive a registration request sent by a client, where the registration request includes a user identifier and a first ciphertext, where the first ciphertext is obtained by the client encrypting the original plaintext password by using a preset encryption algorithm.

用户标识也可以称为用户名、注册账号等，原始明文密码即注册时客户端提供的注册密码。The user ID can also be called a user name, a registered account, etc., and the original plain text password is the registration password provided by the client at the time of registration.

在一些实施例中，客户端可以先采用RSA公钥加密原始明文密码，然后采用HTTPS公钥对加密后的所述原始明文密码再次加密得到第一密文，将第一密文及用户标识携带在注册请求中发送给服务器，服务器接收客户端发送的注册请求。In some embodiments, the client may first encrypt the original plaintext password by using the RSA public key, and then encrypt the encrypted original plaintext password with the HTTPS public key to obtain the first ciphertext, and carry the first ciphertext and the user identifier. Sent to the server in the registration request, the server receives the registration request sent by the client.

步骤302、从注册请求中获取用户标识，以及采用与预设加密算法对应的预设解密算法，解密注册请求中包括的第一密文以获取原始明文密码；Step 302: Obtain a user identifier from the registration request, and use a preset decryption algorithm corresponding to the preset encryption algorithm to decrypt the first ciphertext included in the registration request to obtain the original plaintext password.

服务器接收到所述注册请求之后，可以从所述注册请求中提取用户标识及第一密文，采用HTTPS私钥解密所述第一密文，然后采用RSA私钥对解密后的所述第一密文再次解密以获取所述原始明文密码。这样，密码以密文的形式在客户端与服务器之间传递，即使被第三方截获，第三方也无法轻易得到原始明文密码，进一步保障了密码的安全。After receiving the registration request, the server may extract the user identifier and the first ciphertext from the registration request, decrypt the first ciphertext by using an HTTPS private key, and then use the RSA private key pair to decrypt the first The ciphertext is decrypted again to obtain the original plaintext password. In this way, the password is transmitted between the client and the server in the form of cipher text. Even if intercepted by a third party, the third party cannot easily obtain the original plaintext password, thereby further ensuring the security of the password.

步骤303、生成随机盐值和随机数；Step 303: Generate a random salt value and a random number;

随机盐值可以是任意方式生成的一个字符串，字符串长度可根据实际需求自定义，为兼顾安全性及加密效率，本申请实施例中，代表随机盐值的字符串长度可以取32位，例如随机盐值可以为：fw14Qpl79E6z4&q3！tD0#D2lVT):UNT。随机数可以使用马特赛特旋转演算法(Mersenne Twister)生成，例如随机数可以为：2101077161。当然，上述随机盐值及随机数仅为举例，并不构成对具体实施的限定。The random salt value may be a string generated in any manner, and the length of the string may be customized according to actual requirements. For the sake of security and encryption efficiency, in the embodiment of the present application, the length of the string representing the random salt value may be 32 bits. For example, the random salt value can be: fw14Qpl79E6z4&q3! tD0#D2lVT): UNT. Random numbers can be generated using the Marsett Rotation algorithm (Mersenne Twister). For example, the random number can be: 2101077161. Of course, the above random salt values and random numbers are merely examples and do not constitute a limitation on the specific implementation.

步骤304、将随机盐值作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，使用所述随机数进行HMAC运算，得到预设盐值；Step 304: Using a random salt value as an encryption key for HMAC operation, using SHA as a hash function for HMAC operation, and performing HMAC operation using the random number to obtain a preset salt value;

SHA是一个密码散列函数家族，是联邦信息处理标准FIPS所认证的安全散列算法。SHA算法之所以称作“安全”，主要基于以下两点：SHA is a family of cryptographic hash functions and is a secure hash algorithm certified by the Federal Information Processing Standard FIPS. The SHA algorithm is called "security" and is mainly based on the following two points:

第二，想要使两组不同的消息对应到相同的消息摘要，从计算理论上来说也是很困难的，对输入消息的任何变动，都有很高的概率导致其产生的消息摘要迥异。Second, it is computationally difficult to make two sets of different messages corresponding to the same message digest. Any change to the input message has a high probability of causing a different message digest.

因而，本申请实施例采用SHA作为HMAC运算的加密用散列函数。Therefore, the embodiment of the present application adopts SHA as a hash function for encryption of HMAC operation.

SHA家族包括SHA-1、SHA-224、SHA-256、SHA-384、SHA-512和SHA-3。其中，SHA-224、SHA-256、SHA-384、SHA-512有时并称为SHA-2。为了兼顾安全性与计算代价，本申请实施例中，SHA-2类算法可以作为HMAC运算的加密用散列函数。The SHA family includes SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and SHA-3. Among them, SHA-224, SHA-256, SHA-384, and SHA-512 are sometimes referred to as SHA-2. In order to balance security and computational cost, in the embodiment of the present application, the SHA-2 type algorithm can be used as an encryption hash function for HMAC operations.

步骤305、利用预设盐值对原始明文密码加盐得到原始密钥；Step 305: Adding a salt to the original plaintext password by using a preset salt value to obtain an original key;

在一些实施例中，可以以：“预设盐值+原始明文密码”这样的拼接串作为原始密钥。In some embodiments, a spliced string such as "preset salt value + original plaintext password" may be used as the original key.

步骤306、将原始密钥作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到原始密文密码；Step 306: The original key is used as an encryption key for HMAC operation, and SHA is used as an encryption function for HMAC operation, and an HMAC operation is performed to obtain an original ciphertext password.

生成原始密文密码的过程可参阅图3b的示意图。The process of generating the original ciphertext password can be seen in the schematic diagram of Figure 3b.

步骤307、将用户标识与原始密文密码对应存储在数据库中。Step 307: Store the user identifier in the database corresponding to the original ciphertext password.

经验证，SHA算法本身就很难被破解，在注册流程中，经两步加盐将原始明文密码变为原始密钥，原始密钥已相当复杂，所以将所述原始密钥作为加密密钥，将所述SHA作为加密用散列函数进行HMAC运算得到的原始密文密码，即使穷举也很难破解出原始明文密码，因而本申请实施例的方法，能够保障密码安全，降低密码被泄露的风险，特别对防御暴利破解、中间人攻击、劫持和反向解密都有很好的效果。It is verified that the SHA algorithm itself is difficult to be cracked. In the registration process, the original plaintext password is changed to the original key through two steps of salting. The original key is quite complicated, so the original key is used as the encryption key. The original ciphertext password obtained by performing the HMAC operation by using the SHA as a hash function for encryption, and it is difficult to crack the original plaintext password even if it is exhaustive. Therefore, the method of the embodiment of the present application can ensure password security and reduce password leakage. The risks, especially for defensive profit cracking, man-in-the-middle attacks, hijacking and reverse decryption have a good effect.

下面描述验证阶段的流程，如图4a所示，验证阶段包括以下步骤：The flow of the verification phase is described below. As shown in Figure 4a, the verification phase includes the following steps:

步骤401、接收客户端发送的验证请求，验证请求中包括用户标识及第二密文，第二密文由客户端采用预设加密算法加密实时明文密码得到；Step 401: Receive an authentication request sent by the client, where the verification request includes a user identifier and a second ciphertext, where the second ciphertext is obtained by the client using a preset encryption algorithm to encrypt the real-time plaintext password.

在一些实施例中，当客户端需要执行某些操作时，可以向服务器发送验证请求，所述操作例如登陆、充值等，此处不作具体限定。实时明文密码，即验证时客户端提供的待验证密码，其中，上述实时明文密码也可以称为第二明文密码。In some embodiments, when the client needs to perform certain operations, the verification request may be sent to the server, such as login, recharge, etc., which is not specifically limited herein. The real-time plaintext password, that is, the password to be verified provided by the client during verification, wherein the real-time plaintext password may also be referred to as a second plaintext password.

在一些实施例中，客户端可以先采用RSA公钥加密实时明文密码，然后采用HTTPS公钥对加密后的所述实时明文密码再次加密得到第二密文，将第二密文及用户标识携带在验证请求中发送给服务器，服务器接收客户端发送的验证请求。In some embodiments, the client may first encrypt the real-time plaintext password by using the RSA public key, and then encrypt the encrypted real-time plaintext password with the HTTPS public key to obtain the second ciphertext, and carry the second ciphertext and the user identifier. Sent to the server in the verification request, the server receives the verification request sent by the client.

步骤402、从验证请求中获取用户标识，采用与预设加密算法对应的预设解密算法，解密验证请求中包括的第二密文以获取实时明文密码；Step 402: Obtain a user identifier from the verification request, and use a preset decryption algorithm corresponding to the preset encryption algorithm to decrypt the second ciphertext included in the verification request to obtain a real-time plaintext password.

服务器接收到所述验证请求之后，可以从所述验证请求中提取用户标识及第二密文，采用HTTPS私钥解密所述第二密文，然后采用RSA私钥对解密后的所述第二密文再次解密以获取所述实时明文密码。After receiving the verification request, the server may extract the user identifier and the second ciphertext from the verification request, decrypt the second ciphertext by using an HTTPS private key, and then use the RSA private key pair to decrypt the second ciphertext. The ciphertext is decrypted again to obtain the real-time plaintext password.

步骤403、利用预设盐值对实时明文密码加盐得到实时密钥；Step 403: Add a salt to the real-time plaintext password by using a preset salt value to obtain a real-time key;

预设盐值即步骤304所得到的预设盐值，在一些实施例中，可以以：“预设盐值+实时明文密码”这样的拼接串作为实时密钥，其中，上述实时密钥也可以称为第二密钥。The preset salt value is the preset salt value obtained in step 304. In some embodiments, the splicing string such as “preset salt value + real-time plaintext password” may be used as the real-time key, wherein the real-time key is also It can be called a second key.

步骤404、将实时密钥作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到实时密文密码；Step 404: The real-time key is used as an encryption key for HMAC operation, and the SHA is used as an encryption function for HMAC operation, and an HMAC operation is performed to obtain a real-time ciphertext password.

这里，实时密文密码也可以称为第二密文密码，生成实时密文密码的过程可参阅图4b的示意图。Here, the real-time ciphertext password can also be referred to as a second ciphertext password, and the process of generating a real-time ciphertext password can be referred to the schematic diagram of FIG. 4b.

步骤405、从数据库中取出用户标识对应的原始密文密码；Step 405: Obtain an original ciphertext password corresponding to the user identifier from the database.

步骤406、判断实时密文密码与原始密文密码是否相同，若相同，则执行步骤407，否则，执行步骤408；Step 406, it is determined whether the real-time ciphertext password and the original ciphertext password are the same, if the same, step 407 is performed, otherwise, step 408 is performed;

步骤407、确认验证成功；Step 407, confirming that the verification is successful;

若验证成功，则允许客户端执行相应的操作。If the verification is successful, the client is allowed to perform the corresponding operation.

步骤408、确认验证失败。Step 408, confirming that the verification fails.

若验证成功，则不允许客户端执行相应的操作。If the verification is successful, the client is not allowed to perform the corresponding operation.

本申请实施例中，在验证的过程中，客户端与服务器之间传递的都是密文，因而可以防止密码被第三方截获、破解，且验证的时候，直接比对的是实时密码的密文与数据库存储的原始密码的密文，因而能够保障密码安全，降低密码被泄露的风险。In the embodiment of the present application, in the process of verification, the ciphertext is transmitted between the client and the server, so that the password can be prevented from being intercepted and cracked by the third party, and when the verification is performed, the password of the real-time password is directly compared. The ciphertext of the original password stored in the text and the database, thus ensuring password security and reducing the risk of the password being leaked.

为了更好地实施以上方法，本申请实施例还提供一种密码保护装置，如图5所示，本实施例的密码保护装置包括：一个或一个以上存储器；一个或一个以上处理器；其中，所述一个或一个以上存储器存储有一个或者一个以上指令模块，经配置由所述一个或者一个以上处理器执行；其中，所述一个或者一个以上指令模块包括：获取单元501、加盐单元502、第一加密单元503及存储单元504，如下：In order to better implement the above method, the embodiment of the present application further provides a password protection apparatus. As shown in FIG. 5, the password protection apparatus of this embodiment includes: one or more memories; one or more processors; The one or more memory modules are stored by one or more instruction modules, and are configured to be executed by the one or more processors; wherein the one or more instruction modules include: an obtaining unit 501, a salting unit 502, The first encryption unit 503 and the storage unit 504 are as follows:

获取单元501，用于获取用户标识及原始明文密码。The obtaining unit 501 is configured to obtain a user identifier and an original plaintext password.

在一些实施例中，获取单元501可以在客户端注册时，从客户端获取用户标识及原始明文密码，用户标识也可以称为用户名、注册账号等，原始明文密码即注册时客户端提供的注册密码。In some embodiments, the obtaining unit 501 may obtain the user identifier and the original plaintext password from the client when the client registers, and the user identifier may also be referred to as a user name, a registered account, etc., and the original plaintext password is provided by the client when registering. sign up password.

本申请实施例的装置还可以包括接收单元，客户端可以将用户标识及原始明文密码直接携带在注册请求中，接收单元接收所述注册请求，获取单元501直接从注册请求中获取用户标识及原始明文密码。但是，这种方式，密码会以明文的形式在客户端与服务器之间传递，容易被第三方截获，导致密码泄露。因而，本申请实施例中，客户端还可以将原始明文密码加密，将加密后的原始明文密码及用户标识携带在注册请求中发送给服务器，在一些实施例中：The device of the embodiment of the present application may further include a receiving unit, where the client may directly carry the user identifier and the original plaintext password in the registration request, the receiving unit receives the registration request, and the obtaining unit 501 directly obtains the user identifier and the original from the registration request. Clear text password. However, in this way, the password is transmitted between the client and the server in clear text, which is easily intercepted by a third party, resulting in a password leak. Therefore, in the embodiment of the present application, the client may also encrypt the original plaintext password, and carry the encrypted original plaintext password and the user identifier in the registration request to the server. In some embodiments:

客户端可以先采用不对称加密算法RSA公钥加密原始明文密码，然后采用安全版超文本传输协议(Hyper Text Transfer Protocol over Secure Socket Layer，HTTPS)公钥对加密后的所述原始明文密码再次加密得到第一密文，将第一密文及用户标识携带在注册请求中发送给服务器。接收单元接收到所述注册请求之后，获取单元501可以从所述注册请求中提取用户标识及第一密文，采用HTTPS私钥解密所述第一密文，然后采用RSA私钥对解密后的所述第一密文再次解密以获取所述原始明文密码。这样，密码以密文的形式在客户端与服务器之间传递，即使被第三方截获，第三方也无法轻易得到原始明文密码。The client can first encrypt the original plaintext password by using the asymmetric encryption algorithm RSA public key, and then encrypt the encrypted original plaintext password again by using the Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) public key. The first ciphertext is obtained, and the first ciphertext and the user identifier are carried in the registration request and sent to the server. After the receiving unit receives the registration request, the obtaining unit 501 may extract the user identifier and the first ciphertext from the registration request, decrypt the first ciphertext by using an HTTPS private key, and then decrypt the decrypted using the RSA private key pair. The first ciphertext is decrypted again to obtain the original plaintext password. In this way, the password is transmitted between the client and the server in the form of ciphertext, and even if intercepted by a third party, the third party cannot easily obtain the original plaintext password.

加盐单元502，用于利用预设盐值对所述原始明文密码加盐得到原始密钥。The salt adding unit 502 is configured to add the salt to the original plaintext password by using a preset salt value to obtain an original key.

在加盐之前，需要先生成预设盐值。预设盐值可以随机生成，当然也可以按照预设规则生成，下面介绍本申请实施例提供的，按照预设规则生成预设盐值的方法，即本申请实施例的装置还包括生成单元和第二加密单元，如下：Before adding salt, you need to make a preset salt value. The preset salt value may be randomly generated, and may be generated according to a preset rule. The following describes the method for generating a preset salt value according to the preset rule provided by the embodiment of the present application, that is, the device of the embodiment of the present application further includes a generating unit and The second encryption unit is as follows:

生成单元，用于生成随机盐值和随机数。A generating unit for generating random salt values and random numbers.

随机盐值可以是任意方式生成的一个字符串，字符串长度可根据实际需求自定义，为兼顾安全性及加密效率，本申请实施例中，代表随机盐值的字符串长度可以取32位，例如随机盐值可以为：fw14Qpl79E6z4&q3！tD0#D2lVT):UNT。随机数可以使用马特赛特旋转演算法(Mersenne Twister)生成，例如随机数可以为：2101077161。当然，上述随机盐值及随机数仅为举例，并不构成对具体实施的限定。The random salt value may be a string generated in any manner, and the length of the string may be customized according to actual requirements. For the sake of security and encryption efficiency, in the embodiment of the present application, the length of the string representing the random salt value may be 32 bits. For example, the random salt value can be: fw14Qpl79E6z4&q3! tD0#D2lVT): UNT. The random number can be generated using the Martsett Rotation algorithm (Mersenne Twister), for example, the random number can be: 2101077161. Of course, the above random salt values and random numbers are merely examples and do not constitute a limitation on the specific implementation.

第二加密单元，用于将所述随机盐值作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，使用所述随机数进行HMAC运算，得到所述预设盐值。The second encryption unit is configured to use the random salt value as an encryption key for HMAC operation, and use SHA as an encryption hash function for HMAC operation, and perform HMAC operation using the random number to obtain the preset salt value.

SHA是一个密码散列函数家族，是联邦信息处理标准(Federal Information Processing Standards，FIPS)所认证的安全散列算法。SHA为能计算出一个数字消息所对应的，长度固定的字符串(又称消息摘要)的算法，且若输入的消息不同，将得到不同的字符串，且得到不同字符串的概率很高。SHA算法之所以称作“安全”，主要基于以下两点：SHA is a family of cryptographic hash functions and is a secure hash algorithm certified by Federal Information Processing Standards (FIPS). SHA is an algorithm that can calculate a fixed length string (also known as a message digest) corresponding to a digital message. If the input message is different, different strings will be obtained, and the probability of obtaining different strings is very high. The SHA algorithm is called "security" and is mainly based on the following two points:

在得到所述预设盐值之后，加盐单元502可以利用所述预设盐值对所述原始明文密码加盐得到原始密钥。After the predetermined salt value is obtained, the salting unit 502 can salt the original plaintext password with the preset salt value to obtain the original key.

第一加密单元503，用于将所述原始密钥作为哈希消息认证码HMAC运算的加密密钥，将安全哈希算法SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到原始密文密码。The first encryption unit 503 is configured to use the original key as an encryption key for the hash message authentication code HMAC operation, and use the secure hash algorithm SHA as a hash function for HMAC operation to perform an HMAC operation to obtain an original secret. Text password.

存储单元504，用于将所述用户标识与所述原始密文密码对应存储在数据库中。The storage unit 504 is configured to store the user identifier in the database corresponding to the original ciphertext password.

进一步地，所述接收单元还用于，接收所述客户端发送的验证请求，所述验证请求中包括所述用户标识及第二密文，所述第二密文由所述客户端采用所述预设加密算法加密实时明文密码得到。Further, the receiving unit is further configured to receive an authentication request sent by the client, where the verification request includes the user identifier and a second ciphertext, where the second ciphertext is adopted by the client The preset encryption algorithm encrypts the real-time plaintext password.

在一些实施例中，当客户端需要执行某些操作时，可以向服务器发送验证请求，所述操作例如登陆、充值等，此处不作具体限定。实时明文密码，即验证时客户端提供的待验证密码。In some embodiments, when the client needs to perform certain operations, the verification request may be sent to the server, such as login, recharge, etc., which is not specifically limited herein. Real-time plaintext password, which is the password to be verified provided by the client during authentication.

所述获取单元501还用于，从所述验证请求中获取所述用户标识，采用与所述预设加密算法对应的预设解密算法，解密所述验证请求中包括的所述第二密文以获取所述实时明文密码；The obtaining unit 501 is further configured to: obtain the user identifier from the verification request, and decrypt the second ciphertext included in the verification request by using a preset decryption algorithm corresponding to the preset encryption algorithm. Obtaining the real-time plaintext password;

所述加盐单元502还用于，利用所述预设盐值对所述实时明文密码加盐得到实时密钥；The salting unit 502 is further configured to: obtain a real-time key by adding salt to the real-time plaintext password by using the preset salt value;

所述第一加密单元503还用于，将所述实时密钥作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到实时密文密码；The first encryption unit 503 is further configured to use the real-time key as an encryption key for HMAC operation, and use the SHA as a hash function for HMAC operation to perform an HMAC operation to obtain a real-time ciphertext password;

所述装置还包括：The device also includes:

提取单元505，用于从所述数据库中取出所述用户标识对应的所述原始密文密码；The extracting unit 505 is configured to retrieve the original ciphertext password corresponding to the user identifier from the database;

判断单元506，用于判断所述实时密文密码与所述原始密文密码是否相同；The determining unit 506 is configured to determine whether the real-time ciphertext password is the same as the original ciphertext password;

确认单元507，用于在所述实时密文密码与所述原始密文密码相同时，确认验证成功，验证成功则允许客户端执行相应的操作；在所述实时密文密码与所述原始密文密码不相同时，确认验证失败，验证失败则不允许客户端执行相应的操作。The confirmation unit 507 is configured to confirm that the verification is successful when the real-time ciphertext password is the same as the original ciphertext password, and the verification succeeds to allow the client to perform a corresponding operation; and the real-time ciphertext password and the original secret If the passwords are different, the verification fails. If the verification fails, the client is not allowed to perform the corresponding operations.

需要说明的是，上述申请实施例提供的密码保护装置在实现密码保护时，仅以上述各功能模块的划分进行举例说明，实际应用中，可以根据需要而将上述功能分配由不同的功能模块完成，即将设备的内部结构划分成不同的功能模块，以完成以上描述的全部或者部分功能。另外，上述申请实施例提供的密码保护装置与密码保护方法属于同一构思，其实现过程详见方法申请实施例，此处不再赘述。It should be noted that, when the password protection device provided by the foregoing application embodiment implements password protection, only the division of each functional module described above is used for example. In an actual application, the function distribution may be completed by different functional modules as needed. The internal structure of the device is divided into different functional modules to complete all or part of the functions described above. In addition, the password protection device and the password protection method provided by the foregoing application embodiments are in the same concept, and the implementation process thereof is described in the method application embodiment, and details are not described herein again.

本申请实施例中，在获取单元获取用户标识及原始明文密码之后，加盐单元会利用预设盐值对所述原始明文密码加盐得到原始密钥，然后第一加密单元将所述原始密钥作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到原始密文密码，最后存储单元将所述用户标识与所述原始密文密码对应存储在数据库中。经验证，SHA算法本身就很难被破解，而将原始明文密码加盐之后得到的原始密钥已相当复杂，所以以所述原始密钥为加密密钥，以所述SHA作为加密用散列函数进行HMAC运算得到的原始密文密码，即使穷举，也很难破解出原始明文密码，因而本申请实施例的装置，能够保障密码安全，降低密码被泄露的风险，特别对防御暴利破解、中间人攻击、劫持和反向解密都有很好的效果。In the embodiment of the present application, after the obtaining unit obtains the user identifier and the original plaintext password, the salting unit may use the preset salt value to add salt to the original plaintext password to obtain the original key, and then the first encryption unit will use the original secret. The key is used as the encryption key of the HMAC operation, and the SHA is used as the hash function for the HMAC operation to perform the HMAC operation to obtain the original ciphertext password. Finally, the storage unit stores the user identifier and the original ciphertext password in the database. in. It is verified that the SHA algorithm itself is difficult to be cracked, and the original key obtained by adding the original plaintext password is quite complicated. Therefore, the original key is used as an encryption key, and the SHA is used as an encryption hash. The function of the original ciphertext password obtained by the HMAC operation, even if it is exhaustive, it is difficult to crack the original plaintext password. Therefore, the device in the embodiment of the present application can protect the password security and reduce the risk of the password being leaked, especially for the defensive profit cracking, Man-in-the-middle attacks, hijacking, and reverse decryption all have good results.

本申请实施例还提供一种密码保护装置，如图6所示，其示出了本申请实施例所涉及的装置的结构示意图，具体来讲：The embodiment of the present application further provides a password protection device, as shown in FIG. 6 , which shows a schematic structural diagram of a device involved in the embodiment of the present application, specifically:

该装置可以包括一个或者一个以上处理核心的处理器601、一个或一个以上计算机可读存储介质的存储器602、射频(Radio Frequency，RF)电路603、电源604、输入单元605、以及显示单元 606等部件。本领域技术人员可以理解，图6中示出的装置结构并不构成对装置的限定，可以包括比图示更多或更少的部件，或者组合某些部件，或者不同的部件布置。其中：The apparatus may include one or more processing core processor 601, one or more computer readable storage medium memories 602, a radio frequency (RF) circuit 603, a power source 604, an input unit 605, and a display unit 606, etc. component. It will be understood by those skilled in the art that the device structure illustrated in FIG. 6 does not constitute a limitation to the device, and may include more or less components than those illustrated, or some components may be combined, or different component arrangements. among them:

处理器601是该装置的控制中心，利用各种接口和线路连接整个装置的各个部分，通过运行或执行存储在存储器602内的软件程序和/或模块，以及调用存储在存储器602内的数据，执行装置的各种功能和处理数据，从而对装置进行整体监控在一些实例中，处理器601可包括一个或多个处理核心；在一些实例中，处理器601可集成应用处理器和调制解调处理器，其中，应用处理器主要处理操作系统、用户界面和应用程序等，调制解调处理器主要处理无线通信。可以理解的是，上述调制解调处理器也可以不集成到处理器601中。Processor 601 is the control center of the device, connecting various portions of the entire device using various interfaces and lines, by running or executing software programs and/or modules stored in memory 602, and recalling data stored in memory 602, Performing various functions and processing data of the device to thereby perform overall monitoring of the device. In some examples, the processor 601 can include one or more processing cores; in some examples, the processor 601 can integrate the application processor and modem A processor, wherein the application processor primarily processes an operating system, a user interface, an application, etc., and the modem processor primarily processes wireless communications. It can be understood that the above modem processor may not be integrated into the processor 601.

存储器602可用于存储软件程序以及模块，处理器601通过运行存储在存储器602的软件程序以及模块，从而执行各种功能应用以及数据处理。存储器602可主要包括存储程序区和存储数据区，其中，存储程序区可存储操作系统、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等)等；存储数据区可存储根据装置的使用所创建的数据等。此外，存储器602可以包括高速随机存取存储器，还可以包括非易失性存储器，例如至少一个磁盘存储器件、闪存器件、或其他易失性固态存储器件。相应地，存储器602还可以包括存储器控制器，以提供处理器601对存储器602的访问。The memory 602 can be used to store software programs and modules, and the processor 601 executes various functional applications and data processing by running software programs and modules stored in the memory 602. The memory 602 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may be stored according to Data created by the use of the device, etc. Moreover, memory 602 can include high speed random access memory, and can also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, memory 602 can also include a memory controller to provide processor 601 access to memory 602.

RF电路603可用于收发信息过程中，信号的接收和发送，特别地，将基站的下行信息接收后，交由一个或者一个以上处理器601处理；另外，将涉及上行的数据发送给基站。通常，RF电路603包括但不限于天线、至少一个放大器、调谐器、一个或多个振荡器、用户身份模块(SIM)卡、收发信机、耦合器、低噪声放大器(LNA，Low Noise Amplifier)、双工器等。此外，RF电路603还可以通过无线通信与网络和其他设备通信。所述无线通信可以使用任一通信标准或协议，包括但不限于全球移动通讯系统(GSM，Global System of Mobile communication)、通用分组无线服务(GPRS，General Packet Radio Service)、码分多址(CDMA，Code Division Multiple Access)、宽带码分多址(WCDMA，Wideband Code Division Multiple Access)、长期演进(LTE，Long Term Evolution)、电子邮件、短消息服务(SMS，Short Messaging Service)等。The RF circuit 603 can be used for receiving and transmitting signals during the process of transmitting and receiving information. Specifically, after receiving the downlink information of the base station, the downlink information is processed by one or more processors 601. In addition, the data related to the uplink is sent to the base station. Generally, the RF circuit 603 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a Subscriber Identity Module (SIM) card, a transceiver, a coupler, and a Low Noise Amplifier (LNA). , duplexer, etc. In addition, RF circuit 603 can also communicate with the network and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), and Code Division Multiple Access (CDMA). , Code Division Multiple Access), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and the like.

装置还包括给各个部件供电的电源604(比如电池)，在一些实例中，电源604可以通过电源管理系统与处理器601逻辑相连，从而通过电源管理系统实现管理充电、放电、以及功耗管理等功能。电源604还可以包括一个或一个以上的直流或交流电源、再充电系统、电源故障检测电路、电源转换器或者逆变器、电源状态指示器等任意组件。The apparatus also includes a power source 604 (such as a battery) that supplies power to the various components. In some examples, the power source 604 can be logically coupled to the processor 601 via a power management system to manage charging, discharging, and power management through the power management system. Features. The power supply 604 can also include any one or more of a DC or AC power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.

该装置还可包括输入单元605，该输入单元605可用于接收输入的数字或字符信息，以及产生与用户设置以及功能控制有关的键盘、鼠标、操作杆、光学或者轨迹球信号输入。在一个实施例中，输入单元605可包括触敏表面以及其他输入设备。触敏表面，也称为触摸显示屏或者触控板，可收集用户在其上或附近的触摸操作(比如用户使用手指、触笔等任何适合的物体或附件在触敏表面上或在触敏表面附近的操作)，并根据预先设定的程式驱动相应的连接装置。在一些实例中，触敏表面可包括触摸检测装置和触摸控制器两个部分。其中，触摸检测装置检测用户的触摸方位，并检测触摸操作带来的信号，将信号传送给触摸控制器；触摸控制器从触摸检测装置上接收触摸信息，并将它转换成触点坐标，再送给处理器601，并能接收处理器601发来的命令并加以执行。此外，可以采用电阻式、电容式、红外线以及表面声波等多种类型实现触敏表面。除了触敏表面，输入单元605还可以包括其他输入设备。在一些实施例中，其他输入设备可以包括但不限于物理键盘、功能键(比如音量控制按键、开关按键等)、轨迹球、鼠标、操作杆等中的一种或多种。The apparatus can also include an input unit 605 that can be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function controls. In one embodiment, input unit 605 can include a touch-sensitive surface as well as other input devices. Touch-sensitive surfaces, also known as touch screens or trackpads, collect touch operations on or near the user (such as the user using a finger, stylus, etc., any suitable object or accessory on a touch-sensitive surface or touch-sensitive Operation near the surface), and drive the corresponding connecting device according to a preset program. In some examples, the touch sensitive surface can include both portions of the touch detection device and the touch controller. Wherein, the touch detection device detects the touch orientation of the user, and detects a signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts the touch information into contact coordinates, and sends the touch information. The processor 601 is provided and can receive commands from the processor 601 and execute them. In addition, touch-sensitive surfaces can be implemented in a variety of types, including resistive, capacitive, infrared, and surface acoustic waves. In addition to the touch-sensitive surface, the input unit 605 can also include other input devices. In some embodiments, other input devices may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackballs, mice, joysticks, and the like.

该装置还可包括显示单元606，该显示单元606可用于显示由用户输入的信息或提供给用户的信息以及装置的各种图形用户接口，这些图形用户接口可以由图形、文本、图标、视频和其任意组合来构成。显示单元606可包括显示面板，在一些实例中，可以采用液晶显示器(LCD，Liquid Crystal Display)、有机发光二极管(OLED，Organic Light-Emitting Diode)等形式来配置显示面板。进一步的，触敏表面可覆盖显示面板，当触敏表面检测到在其上或附近的触摸操作后，传送给处理器601以确定触摸事件的类型，随后处理器601根据触摸事件的类型在显示面板上提供相应的视觉输出。虽然在图6中，触敏表面与显示面板是作为两个独立的部件来实现输入和输入功能，但是在某些实施例中，可以将触敏表面与显示面板集成而实现输入和输出功能。The apparatus can also include a display unit 606 that can be used to display information entered by the user or information provided to the user and various graphical user interfaces of the device, which can be represented by graphics, text, icons, video, and It is composed of any combination. The display unit 606 can include a display panel. In some examples, the display panel can be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like. Further, the touch-sensitive surface may cover the display panel, and when the touch-sensitive surface detects a touch operation thereon or nearby, it is transmitted to the processor 601 to determine the type of the touch event, and then the processor 601 displays the type according to the touch event. A corresponding visual output is provided on the panel. Although in FIG. 6, the touch-sensitive surface and display panel are implemented as two separate components to implement input and input functions, in some embodiments, the touch-sensitive surface can be integrated with the display panel to implement input and output functions.

尽管未示出，装置还可以包括摄像头、蓝牙模块等，在此不再赘述。在本申请实施例中，装置中的处理器601会按照如下的指令，将一个或一个以上的应用程序的进程对应的可执行文件加载到存储器602中，并由处理器601来运行存储在存储器602中的应用程序，从而实现各种功能，如下：Although not shown, the device may further include a camera, a Bluetooth module, and the like, and details are not described herein again. In the embodiment of the present application, the processor 601 in the device loads the executable file corresponding to the process of one or more application programs into the memory 602 according to the following instructions, and is executed by the processor 601 to be stored in the memory. The application in 602, thus implementing various functions, as follows:

获取用户标识及原始明文密码；Obtain the user ID and the original plain text password;

利用预设盐值对所述原始明文密码加盐得到原始密钥；Extracting the original plaintext password by using a preset salt value to obtain an original key;

将所述原始密钥作为哈希消息认证码HMAC运算的加密密钥，将安全哈希算法SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到原始密文密码；The original key is used as an encryption key for the hash message authentication code HMAC operation, and the secure hash algorithm SHA is used as an encryption hash function for HMAC operation, and an HMAC operation is performed to obtain an original ciphertext password;

将所述用户标识与所述原始密文密码对应存储在数据库中。The user identifier is stored in the database corresponding to the original ciphertext password.

进一步地，处理器601还用于，Further, the processor 601 is further configured to:

在获取用户标识及原始明文密码之前，接收客户端发送的注册请求，所述注册请求中包括所述用户标识及第一密文，所述第一密文由所述客户端采用预设加密算法加密所述原始明文密码得到；Before the user identifier and the original plaintext password are obtained, the registration request sent by the client is received, where the registration request includes the user identifier and the first ciphertext, and the first ciphertext adopts a preset encryption algorithm by the client. Encrypting the original plaintext password to obtain;

在一些实施例中，处理器601可按照如下方式获取用户标识及原始明文密码：In some embodiments, the processor 601 can obtain the user identification and the original plaintext password as follows:

处理器601从所述注册请求中获取所述用户标识，以及采用与所述预设加密算法对应的预设解密算法，解密所述注册请求中包括的所述第一密文以获取所述原始明文密码。The processor 601 obtains the user identifier from the registration request, and decrypts the first ciphertext included in the registration request to obtain the original by using a preset decryption algorithm corresponding to the preset encryption algorithm. Clear text password.

在一些实施例中，所述客户端采用预设加密算法加密所述原始明文密码得到所述第一密文包括：In some embodiments, the encrypting the original plaintext password by the client by using a preset encryption algorithm to obtain the first ciphertext includes:

所述客户端采用不对称加密算法RSA公钥加密所述原始明文密码，然后采用安全版超文本传输协议HTTPS公钥对加密后的所述原始明文密码再次加密得到所述第一密文；The client encrypts the original plaintext password by using an asymmetric encryption algorithm RSA public key, and then encrypts the encrypted original plaintext password by using a secure hypertext transfer protocol HTTPS public key to obtain the first ciphertext;

在一些实施例中，处理器601采用与所述预设加密算法对应的预设解密算法，解密所述注册请求中包括的所述第一密文以获取所述原始明文密码包括：In some embodiments, the processor 601 uses a preset decryption algorithm corresponding to the preset encryption algorithm, and the decrypting the first ciphertext included in the registration request to obtain the original plaintext password includes:

处理器601采用HTTPS私钥解密所述第一密文，然后采用RSA私钥对解密后的所述第一密文再次解密以获取所述原始明文密码。The processor 601 decrypts the first ciphertext by using an HTTPS private key, and then decrypts the decrypted first ciphertext again by using an RSA private key to obtain the original plaintext password.

进一步地，处理器601还用于，在获取用户标识及原始明文密码之后，Further, the processor 601 is further configured to: after obtaining the user identifier and the original plaintext password,

生成随机盐值和随机数；Generate random salt values and random numbers;

将所述随机盐值作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，使用所述随机数进行HMAC运算，得到所述预设盐值。The random salt value is used as an encryption key for HMAC operation, and SHA is used as an encryption hash function for HMAC operation, and the random number is used for HMAC operation to obtain the preset salt value.

接收所述客户端发送的验证请求，所述验证请求中包括所述用户标识及第二密文，所述第二密文由所述客户端采用所述预设加密算法加密实时明文密码得到；Receiving the verification request sent by the client, where the verification request includes the user identifier and the second ciphertext, and the second ciphertext is obtained by the client by using the preset encryption algorithm to encrypt the real-time plaintext password;

从所述验证请求中获取所述用户标识，采用与所述预设加密算法对应的预设解密算法，解密所述验证请求中包括的所述第二密文以获取所述实时明文密码；Acquiring the user identifier from the verification request, and using the preset decryption algorithm corresponding to the preset encryption algorithm, decrypting the second ciphertext included in the verification request to obtain the real-time plaintext password;

利用所述预设盐值对所述实时明文密码加盐得到实时密钥；And realizing a real-time key by adding salt to the real-time plaintext password by using the preset salt value;

将所述实时密钥作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到实时密文密码；The real-time key is used as an encryption key for HMAC operation, and SHA is used as an encryption hash function for HMAC operation, and HMAC operation is performed to obtain a real-time ciphertext password;

从所述数据库中取出所述用户标识对应的所述原始密文密码；Extracting, from the database, the original ciphertext password corresponding to the user identifier;

判断所述实时密文密码与所述原始密文密码是否相同；Determining whether the real-time ciphertext password is the same as the original ciphertext password;

若相同，则确认验证成功，若不同，则确认验证失败。If they are the same, confirm that the verification is successful. If they are different, confirm that the verification failed.

在一些实施例中，所述SHA包括：SHA-1类算法、SHA-2类算法或SHA-3类算法。In some embodiments, the SHA includes: a SHA-1 class algorithm, a SHA-2 class algorithm, or a SHA-3 class algorithm.

由上可知，本申请实施例的装置在获取用户标识及原始明文密码之后，会利用预设盐值对所述原始明文密码加盐得到原始密钥，然后将所述原始密钥作为HMAC运算的加密密钥，将SHA作为HMAC运算的加密用散列函数，进行HMAC运算，得到原始密文密码，最后将所述用户标识与所述原始密文密码对应存储在数据库中。经验证，SHA算法本身就很难被破解，而将原始明文密码加盐之后得到的原始密钥已相当复杂，所以以所述原始密钥为加密密钥，以所述SHA作为加密用散列函数进行HMAC运算得到的原始密文密码，即使穷举，也很难破解出原始明文密码，因而本申请实施例的装置，能够保障密码安全，降低密码被泄露的风险，特别对防御暴利破解、中间人攻击、劫持和反向解密都有很好的效果。It can be seen that, after obtaining the user identifier and the original plaintext password, the device in the embodiment of the present application adds the salt to the original plaintext password by using a preset salt value to obtain the original key, and then uses the original key as the HMAC operation. The encryption key is used as an encryption function for HMAC operation, and the HMAC operation is performed to obtain an original ciphertext password. Finally, the user identifier is stored in the database corresponding to the original ciphertext password. It is verified that the SHA algorithm itself is difficult to be cracked, and the original key obtained by adding the original plaintext password is quite complicated. Therefore, the original key is used as an encryption key, and the SHA is used as an encryption hash. The function of the original ciphertext password obtained by the HMAC operation, even if it is exhaustive, it is difficult to crack the original plaintext password. Therefore, the device in the embodiment of the present application can protect the password security and reduce the risk of the password being leaked, especially for the defensive profit cracking, Man-in-the-middle attacks, hijacking, and reverse decryption all have good results.

在本申请所提供的几个实施例中，应该理解到，所揭露的系统，装置和方法，可以通过其它的方式实现。例如，以上所描述的装置实施例仅仅是示意性的，例如，所述单元的划分，仅仅为一种逻辑功能划分，实际实现时可以有另外的划分方式，例如多个单元或组件可以结合或者可以集成到另一个系统，或一些特征可以忽略，或不执行。另一点，所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口，装置或单元的间接耦合或通信连接，可以是电性，机械或其它的形式。所述作为分离部件说明的单元可以是或者也可以不是物理上分开的，作为单元显示的部件可以是或者也可以不是物理单元，即可以位于一个地方，或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。In the several embodiments provided by the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of the unit is only a logical function division. In actual implementation, there may be another division manner, for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form. The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the object of the embodiment.

另外，在本申请各个实施例中的各功能单元可以集成在一个处理单元中，也可以是各个单元单独物理存在，也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现，也可以采用软件功能单元的形式实现。所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时，可以存储在一个计算机可读取存储介质中。基于这样的理解，本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来，该计算机软件产品存储在一个存储介质中，包括若干指令用以使得一台计算机设备(可以是个人计算机，装置，或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括：U盘、移动硬盘、只读存储器(ROM，Read-Only Memory)、随机存取存储器(RAM，Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit. The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or the contribution to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium. A number of instructions are included to cause a computer device (which may be a personal computer, device, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. .

因此，本申请实施例还提供了一种存储介质，其中存储有数据处理程序，该数据处理程序用于执行本申请实施例上述方法的任何一种实施例。Therefore, the embodiment of the present application further provides a storage medium in which a data processing program is stored, and the data processing program is used to execute any one of the foregoing methods in the embodiments of the present application.

以上所述，以上实施例仅用以说明本申请的技术方案，而非对其限制；尽管参照前述实施例对本申请进行了详细的说明，本领域的普通技术人员应当理解：其依然可以对前述各实施例所记载的技术方案进行修改，或者对其中部分技术特征进行等同替换；而这些修改或者替换，并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围。The above embodiments are only used to explain the technical solutions of the present application, and are not limited thereto; although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still The technical solutions described in the embodiments are modified, or the equivalents of the technical features are replaced by the equivalents. The modifications and substitutions of the embodiments do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims

A password protection method, the method comprising:

The server obtains the user identifier and the first plaintext password;

The server uses a preset salt value to add salt to the first plaintext password to obtain a first key;

The server uses the first key as an encryption key of a hash message authentication code HMAC operation, and uses a secure hash algorithm SHA as an encryption hash function of the HMAC operation to perform an HMAC operation to obtain a first ciphertext. Password; and

The server stores the user identifier in the database corresponding to the first ciphertext password.

The method according to claim 1, before the obtaining the user identifier and the first plaintext password, the method further includes:

Receiving a registration request sent by the client, where the registration request includes the user identifier and the first ciphertext, where the first ciphertext is encrypted by the client by using a preset encryption algorithm to encrypt the first plaintext password. get;

The obtaining the user identifier and the first plaintext password includes:

Obtaining the user identifier from the registration request;

The first ciphertext included in the registration request is decrypted to obtain the first plaintext password by using a preset decryption algorithm, where the preset decryption algorithm corresponds to the preset encryption algorithm.

The method of claim 2, wherein

Decrypting the first ciphertext included in the registration request to acquire the first plaintext password includes: using a preset decryption algorithm corresponding to the preset encryption algorithm:

Decrypting the first ciphertext by using a secure hypertext transfer protocol HTTPS private key, and then decrypting the decrypted first ciphertext again by using an asymmetric encryption algorithm RSA private key to obtain the first plaintext password, where The first ciphertext is encrypted by the client by using the RSA public key to encrypt the first plaintext password, and then the encrypted first plaintext password is encrypted again by using an HTTPS public key.

The method of claim 1, wherein after obtaining the user identifier and the first plaintext password, the method further comprises:

Generate random salt values and random numbers;

The random salt value is used as an encryption key for HMAC operation, and the SHA is used as an encryption hash function for HMAC operation, and the random number is used for HMAC operation to obtain the preset salt value.

The method of claim 2 or 3, wherein the method further comprises:

Receiving the verification request sent by the client, where the verification request includes the user identifier and the second ciphertext, where the second ciphertext is encrypted by the client by using the preset encryption algorithm. Clear text password to;

Obtaining the user identifier from the verification request, and using the preset decryption algorithm corresponding to the preset encryption algorithm, decrypting the second ciphertext included in the verification request to obtain the second plaintext password;

Adding a salt to the second plaintext password by using the preset salt value to obtain a second key;

Using the second key as an encryption key for HMAC operation, and using SHA as an encryption hash function for HMAC operation, performing HMAC operation to obtain a second ciphertext password;

Extracting, by the database, the first ciphertext password corresponding to the user identifier;

Determining whether the second ciphertext password is the same as the first ciphertext password;

If they are the same, confirm that the verification is successful. If they are different, confirm that the verification failed.

The method of claim 1, wherein the SHA comprises: a SHA-1 class algorithm, a SHA-2 class algorithm, or a SHA-3 class algorithm.

A password protection device comprising:

One or more memories;

One or more processors; among them,

The one or more memories storing one or more instruction modules configured to be executed by the one or more processors; wherein

The one or more instruction modules include:

An obtaining unit, configured to obtain a user identifier and a first plaintext password;

a salt adding unit, configured to add a salt to the first plaintext password by using a preset salt value to obtain a first key;

a first encryption unit, configured to use the first key as an encryption key of a hash message authentication code HMAC operation, and use a secure hash algorithm SHA as an encryption hash function of the HMAC operation, and perform an HMAC operation to obtain an HMAC operation. First ciphertext password;

And a storage unit, configured to store the user identifier in the database corresponding to the first ciphertext password.

The apparatus of claim 7 wherein said apparatus further comprises:

a receiving unit, configured to receive a registration request sent by the client, where the registration request includes the user identifier and the first ciphertext, where the first ciphertext is encrypted by the client by using a preset encryption algorithm. The first plaintext password is obtained;

The obtaining unit is configured to: obtain the user identifier from the registration request, and decrypt the first ciphertext included in the registration request to obtain the first plaintext password by using a preset decryption algorithm, where The preset decryption algorithm corresponds to the preset encryption algorithm.

The device according to claim 8, wherein

The obtaining unit further decrypts the first ciphertext by using a secure hypertext transfer protocol HTTPS private key, and then decrypts the decrypted first ciphertext again by using an asymmetric encryption algorithm RSA private key to obtain the first ciphertext. A plaintext password, wherein the first ciphertext is encrypted by the client by using an RSA public key, and then the encrypted first plaintext password is encrypted again by using an HTTPS public key.

The apparatus of claim 7 wherein said apparatus further comprises:

a generating unit, configured to generate a random salt value and a random number after the obtaining unit acquires the user identifier and the first plaintext password;

The second encryption unit is configured to use the random salt value as an encryption key for HMAC operation, and use SHA as an encryption hash function for HMAC operation, and perform HMAC operation using the random number to obtain the preset salt value.

The device according to claim 8 or 9, wherein

The receiving unit is further configured to receive the verification request sent by the client, where the verification request includes the user identifier and the second ciphertext, and the second ciphertext is adopted by the client by using the preset The encryption algorithm encrypts the second plaintext password to obtain;

The obtaining unit is further configured to: obtain the user identifier from the verification request, and decrypt the second ciphertext included in the verification request by using a preset decryption algorithm corresponding to the preset encryption algorithm. Obtaining the second plaintext password;

The salting unit is further configured to: add a salt to the second plaintext password by using the preset salt value to obtain a second key;

The first encryption unit is further configured to use the second key as an encryption key for HMAC operation, and use the SHA as a hash function for HMAC operation to perform an HMAC operation to obtain a second ciphertext password;

The device also includes:

An extracting unit, configured to retrieve, from the database, the first ciphertext password corresponding to the user identifier;

a determining unit, configured to determine whether the second ciphertext password is the same as the first ciphertext password;

a confirming unit, configured to confirm that the verification is successful when the second ciphertext password is the same as the first ciphertext password, and confirm the verification when the second ciphertext password is different from the first ciphertext password failure.

The apparatus of claim 7, wherein the SHA comprises: a SHA-1 class algorithm, a SHA-2 class algorithm, or a SHA-3 class algorithm.

A non-transitory computer readable storage medium storing computer readable instructions for causing at least one processor to perform the method of any of claims 1-6.