Password management method and device and input terminal
1. A password management method, comprising the steps of:
inputting password data; recording interface information at the time the password data is normally input, storing the password data together with the interface information, and encrypting the password data;
receiving a password input request, the password input request comprising a password index number and the interface information of the current password input; judging whether the interface information of the current password input matches the previously recorded interface information of the normal input of the password data; if it matches, sending the encrypted password data in response to the password input request; and if it does not match, rejecting the password input request.
2. The password management method according to claim 1, wherein the interface information at the time of normal password data input and the interface information of the current password input comprise interface screenshots and/or a full-process video of the password input, and the interface screenshots comprise at least a front, a middle and a rear screenshot taken before, during and after the input process.
3. The password management method according to claim 1, wherein the whole password input process is video-recorded and the full-process video file is audited to judge whether the input process carries a risk of password misuse; if a risk exists, the source of the password input request is placed on a blacklist, further requests from that source for other password data are refused, and a password-use risk warning is sent out; the risk warning comprises e-mail and/or instant messages.
4. The password management method of claim 2 or 3, wherein the full-process video recording comprises automatic screen recording or recording by an off-screen camera.
5. The password management method according to claim 1, wherein the data structure storing the password data and the interface information comprises a password index number, a password name description, a password ciphertext, and a password input interface screenshot and/or a full-process video file.
6. The password management method of claim 1, wherein, after the encrypted password data is sent to the password input terminal, it is decrypted in hardware and entered directly as keyboard signals.
7. A password management apparatus, comprising:
a password maintenance module, used for inputting and updating password data and for acquiring interface information at the time the password data is normally input;
a log recording module, used for recording the data of the password input process, the process data comprising interface screenshots and/or a full-process video of the input;
a password storage module, used for storing the password data and the interface information recorded at the time of normal input;
a risk monitoring and early warning module, used for monitoring whether a risk exists in the password input process and for sending out a risk warning;
a password input agent module, used for receiving a password input request, acquiring an interface screenshot for the request, recording the whole password input process, and sending the password input request, the interface screenshot and/or the full recording to the risk monitoring and early warning module and the log recording module;
and a password input module, used for decrypting the password data in hardware and entering it directly as keyboard signals.
8. The password management device of claim 7, wherein the password storage module, the risk monitoring and early warning module and the log recording module are located on the server side; the server side is deployed either in the cloud or as a private (on-premises) deployment.
9. The password management apparatus according to claim 8, wherein a network security device is placed between the server side and the password maintenance module, and between the server side and the password input agent module.
10. A password input terminal, comprising: a USB interface unit, a USB hub, a USB mouse/keyboard protocol control module, a decryption module, a password decryption and input controller, a power management module, a private key encryption module and a private-key ciphertext memory.
Background
To pursue cost reduction and efficiency gains, shared service centers built by large enterprises, and shared service providers serving small and medium enterprises, have developed vigorously; financial and human-resource shared service centers in particular have grown rapidly. To improve operating efficiency further, most shared service centers show an increasingly clear tendency to build software robots (digital employees) with robotic process automation (RPA) technology to assist with business handling; for example, a software robot can automatically log in to online banking, download transaction flows, download statements, download transaction receipts, and pay employee social insurance. In this process, account passwords that were originally held manually must be stored in the software robot's configuration file; the robot reads the password from the configuration file and enters it into the password input box of the corresponding business system. The points at which sensitive information can leak are as follows:
(1) the handover of the sensitive information from business staff to the software robot developer; (2) storage and use of the sensitive information once the developer has received it; (3) storage of the sensitive information in the software robot's configuration file, where it is exposed to unauthorized access and leakage.
Existing solutions include schemes that encrypt the password for storage and decrypt it for use. However, most of them require the party using the password to know the decryption algorithm or to hold the private key needed for decryption, and the exposure of that algorithm or private key is the step with the highest leakage risk. In addition, records of password use and an audit step are missing, so responsibility for an incident cannot be traced.
Encrypted storage and encrypted use of passwords that are usable but not visible, together with real-time recording and auditing of password use, are therefore necessary for the development of software robots.
Disclosure of Invention
The invention provides a password management method, a password management device and an input terminal, which solve the problem that sensitive information such as large numbers of account passwords is easily leaked.
Embodiments of the invention are as follows:
In a first aspect, the invention provides a password management method including the following steps: inputting password data; recording interface information at the time the password data is normally input, storing the password data together with the interface information, and encrypting the password data; receiving a password input request, the password input request comprising a password index number and the interface information of the current password input; judging whether the interface information of the current password input matches the previously recorded interface information of the normal input of the password data; if it matches, sending the encrypted password data in response to the password input request; and if it does not match, rejecting the password input request.
Further, the interface information at the time of normal password data input and the interface information of the current password input include interface screenshots and/or a full-process video of the password input, and the interface screenshots include at least a front, a middle and a rear screenshot taken before, during and after the input process.
Further, the whole password input process is video-recorded, the video file is audited, and it is judged whether the input process carries a risk of password misuse; if a risk exists, the source of the password input request is placed on a blacklist, further requests from that source for other password data are refused, and a password-use risk warning is sent out; the warning is delivered by e-mail and instant message.
Further, the full-process video recording comprises automatic screen recording or recording by an off-screen camera.
Further, the data structure storing the password data and the interface information comprises a password index number, a password name description, a password ciphertext, and a password input interface screenshot and/or a full-process video file.
Further, after the encrypted password data is sent to the password input terminal, it is decrypted in hardware and entered directly as keyboard signals.
In a second aspect, the invention provides a password management apparatus including: a password maintenance module, used for inputting and updating password data and for acquiring interface information at the time the password data is normally input; a log recording module, used for recording the data of the password input process, the process data comprising interface screenshots and/or a full-process video of the input; a password storage module, used for storing the password data and the interface information recorded at the time of normal input; a risk monitoring and early warning module, used for monitoring whether a risk exists in the password input process and for sending out a risk warning; a password input agent module, used for receiving a password input request, acquiring an interface screenshot for the request, recording the whole password input process, and sending the password input request, the interface screenshot and/or the full recording to the risk monitoring and early warning module and the log recording module; and a password input module, used for decrypting the password data in hardware and entering it directly as keyboard signals.
Further, the password storage module, the risk monitoring and early warning module and the log recording module are located on the server side; the server side is deployed either in the cloud or as a private (on-premises) deployment.
Further, a network security device is placed between the server side and the password maintenance module, and between the server side and the password input agent module.
In a third aspect, the invention provides a password input terminal including: a USB interface unit, a USB hub, a USB mouse/keyboard protocol control module, a decryption module, a password decryption and input controller, a power management module, a private key encryption module and a private-key ciphertext memory.
The password management method, device and input terminal have the following advantages: sensitive information such as passwords becomes usable but invisible; by using intelligent hardware that decrypts and enters the password in one step, the party using the password never comes into contact with the decryption algorithm or the decryption private key, which removes the highest-risk leakage point in the password use process; data collection during password use is fully automatic, so password use can be traced and audited, and the risk of sensitive-information leakage is monitored and warned of automatically.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow diagram of a method of password management;
FIG. 2 is a general schematic diagram of a password management device;
FIG. 3 is a flow chart of the execution of the modules of the password management apparatus;
FIG. 4 is a flow diagram of the execution of the password storage module;
FIG. 5 is a flowchart of password entry agent module execution;
FIG. 6 is a flow chart of risk monitoring and pre-warning module execution;
FIG. 7 is a general schematic diagram of a password input terminal.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
According to an embodiment of the invention, a password management method is provided; FIG. 1 is a flowchart of the method, which includes the following steps: inputting password data; recording interface information at the time the password data is normally input, storing the password data together with the interface information, and encrypting the password data; receiving a password input request, the password input request comprising a password index number and the interface information of the current password input; judging whether the interface information of the current password input matches the previously recorded interface information of the normal input of the password data; if it matches, sending the encrypted password data in response to the password input request; and if it does not match, rejecting the password input request.
In a preferred embodiment, the interface information at the time of normal password data input and the interface information of the current password input include interface screenshots and/or a full-process video of the password input; the interface screenshots include at least three screenshots taken before, during and after the input process, and the full-process video is obtained by automatic screen recording or by an off-screen camera.
In a preferred embodiment, the whole password input process is video-recorded, the recorded video file is audited, and it is judged whether the input process carries a risk of password misuse; if a risk exists, the source of the password input request is placed on a blacklist, further requests for other password data are refused, and a password-use risk warning is sent out by e-mail and instant message.
In a preferred embodiment, the data structure storing the password data and the interface information includes a password index number, a password name description, a password ciphertext, and a password input interface screenshot and/or a full-process video file.
In a preferred embodiment, after the encrypted password data is sent to the password input terminal, it is decrypted in hardware and entered directly as keyboard signals.
In a preferred embodiment, a password management apparatus is provided, a general schematic of which is shown in FIG. 2. It includes at least one administrator operation terminal, which runs the password maintenance module used for inputting and updating password data and for acquiring interface information at the time the password data is normally input; a log recording module, used for recording the data of the password input process, the process data including a full-process video of the input; a password storage module, used for storing the password data and the interface information recorded at the time of normal input; a risk monitoring and early warning module, used for monitoring whether a risk exists in the password input process and for sending out a risk warning; a number of software robot operation terminals, each running the password input agent module, which receives a password input request, acquires an interface screenshot for the request, records the whole password input process, sends the password input request and the interface screenshot to the risk monitoring and early warning module, and sends the video of the whole input process to the log recording module; and a password input module, used for decrypting the password data in hardware and entering it directly as keyboard signals. The password storage module, the risk monitoring and early warning module and the log recording module are located on the server side, which may use cloud computing resources or a private deployment.
To protect the network, a network security device is placed between the server side and the client-side modules such as the password maintenance module and the password input agent module.
The execution flow of the modules of the password management device is shown in FIG. 3. The password maintenance module performs the password input or update operation. The password input agent module receives a password input request from the software robot, asks the risk monitoring and early warning module on the server whether a password may be entered into the current window, and, once input is authorized, looks up the encrypted password data by password index and sends it to the password input terminal. On receiving the ciphertext, the password input terminal decrypts it in hardware and enters the decrypted password into the currently active window. The password input agent module then writes a password-use log to the log recording module on the server according to the execution result reported by the terminal; the log consists of a video part and a data part. The risk monitoring and early warning module uses video auditing to analyze whether the input process shows risks such as password theft; if so, the terminal is blacklisted, can no longer obtain the ciphertext of any other password, and a security warning is sent out.
After the password maintenance module starts, it first loads the encryption public key from the server, guides the user to enter the plaintext password and the password description, and encrypts the password with the public key. The encryption algorithm is preferably a publicly specified asymmetric algorithm such as RSA or the Chinese national standard SM2 (the original text gives "RSA256"; a current key size such as RSA-2048 should be assumed, since RSA with a 256-bit modulus is trivially factorable).
The password storage module uses a browser/server (B/S) architecture; its flow is shown in FIG. 4. After the module starts, it first guides the administrator to authenticate and log in to the password management page; guides the administrator to select a password index number and to enter the password and the password description; guides the administrator to enter at least three screenshots of the interface taken before, during and after the password is normally input; and then calls the server-side interface to update the ciphertext and the input-interface screenshots associated with the currently selected index.
The execution flow of the password input agent module is shown in FIG. 5. It receives the password input request from the software robot, which supplies the password index number when it initiates the request, and requests the password ciphertext for that index from the server. On receiving the request, the agent module automatically captures the current screen, passes the two parameters, password index number and current interface screenshot, to the risk monitoring and early warning module, and requests the ciphertext for the password index. It records the whole password input process together with the page's response after the password has been entered, and keeps the resulting video file as the log of this password input. It sends the log file to the risk monitoring and early warning module, which audits it for misuse. If the process video is not fed back in full after the password has been entered, the risk monitoring and early warning module blacklists the software robot operation terminal, which can then no longer obtain the ciphertext of any other password.
The execution flow of the risk monitoring and early warning module is shown in FIG. 6. It receives the request from the password input agent module; judges whether the screenshot of the password input interface is consistent with the stored screenshot, and returns the ciphertext to the agent module if it is; if it is not, the request is refused. It then receives the log file, which contains the full-process video of the password input, and uses AI-based video auditing to examine whether the page transition before and after the password input is normal and whether the page reached is the expected one, so as to judge whether the password was used abnormally; if an abnormality is found, the terminal is blacklisted and a warning is sent out.
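The release gate of claim 1 and the risk monitoring flow of FIG. 6 can be expressed compactly in code. The following Python block is an added example for this page, not code from the patent: it keeps the record structure of claim 5 (index, name, ciphertext, front/middle/rear screenshots), releases the ciphertext only when the requesting window matches the enrolled "before" screenshot, and blacklists a source whose fed-back video is missing or whose final frame is not the expected post-input page. The screenshots are constructed 8x8 grayscale thumbnails, and the average-hash comparison with a Hamming-distance threshold is an assumption standing in for the page's unspecified screenshot matching; the record names, the `ReleaseGate` class and the `threshold` of 6 bits are likewise illustrative.

```python
"""Ciphertext release gate modelled on claim 1 and the risk monitoring module (FIG. 6).

Added example; the screenshot matching (average hash + Hamming distance) is an
assumption, as are all names below. Screenshots are constructed 8x8 thumbnails.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

Screenshot = List[int]  # flattened 8x8 grayscale thumbnail, values 0..255 (constructed)


def ahash(img: Screenshot) -> int:
    """64-bit average hash: one bit per pixel, set when the pixel is brighter than the mean.
    A uniform brightness change leaves the hash unchanged, so a fresh capture of the
    same page still matches the enrolled one."""
    mean = sum(img) / len(img)
    bits = 0
    for px in img:
        bits = (bits << 1) | (1 if px > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


@dataclass
class PasswordRecord:
    """Stored record from claim 5: index, name, ciphertext, front/middle/rear screenshots."""
    index: int
    name: str
    ciphertext: bytes  # produced by the maintenance module; the gate never decrypts it
    before: Screenshot
    during: Screenshot
    after: Screenshot


@dataclass
class ReleaseGate:
    threshold: int = 6  # assumed: max differing bits (of 64) still treated as the same page
    records: Dict[int, PasswordRecord] = field(default_factory=dict)
    blacklist: Set[str] = field(default_factory=set)
    log: List[dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def enrol(self, rec: PasswordRecord) -> None:
        self.records[rec.index] = rec

    def request(self, source: str, index: int, current: Screenshot) -> Optional[bytes]:
        """Release the ciphertext only if the current window matches the enrolled 'before' shot."""
        if source in self.blacklist or index not in self.records:
            self.log.append({"event": "request", "source": source, "index": index, "granted": False})
            return None
        rec = self.records[index]
        distance = hamming(ahash(rec.before), ahash(current))
        granted = distance <= self.threshold
        self.log.append({"event": "request", "source": source, "index": index,
                         "distance": distance, "granted": granted})
        return rec.ciphertext if granted else None

    def audit(self, source: str, index: int, frames: List[Screenshot]) -> bool:
        """Audit the fed-back recording: a missing video, or a final frame that is not the
        expected post-input page, counts as misuse and blacklists the source."""
        rec = self.records[index]
        ok = bool(frames) and hamming(ahash(rec.after), ahash(frames[-1])) <= self.threshold
        self.log.append({"event": "audit", "source": source, "index": index, "ok": ok})
        if not ok:
            self.blacklist.add(source)
            self.alerts.append(f"password {index}: misuse suspected from {source}")
        return ok


# Constructed pages: left half bright = login form, right half bright = post-login page,
# top half bright = an unexpected window. LOGIN_PAGE_NOW is the login form with two
# pixels changed (a blinking cursor), which a hash-based comparison should still accept.
LOGIN_PAGE = [255 if i % 8 < 4 else 0 for i in range(64)]
HOME_PAGE = [255 if i % 8 >= 4 else 0 for i in range(64)]
OTHER_PAGE = [255 if i // 8 < 4 else 0 for i in range(64)]
LOGIN_PAGE_NOW = [0, 0] + LOGIN_PAGE[2:]
CIPHERTEXT = b"\x04\x8f\x1a constructed ciphertext, opaque to the gate"


def demo() -> ReleaseGate:
    """Two robots: one behaves, one feeds back no video and is blacklisted."""
    gate = ReleaseGate()
    gate.enrol(PasswordRecord(1001, "bank portal", CIPHERTEXT, LOGIN_PAGE, LOGIN_PAGE, HOME_PAGE))
    gate.request("robot-01", 1001, LOGIN_PAGE_NOW)        # granted (distance 2)
    gate.audit("robot-01", 1001, [LOGIN_PAGE, HOME_PAGE])  # expected page reached
    gate.request("robot-02", 1001, LOGIN_PAGE_NOW)        # granted
    gate.audit("robot-02", 1001, [])                      # no video fed back: blacklisted
    gate.request("robot-02", 1001, LOGIN_PAGE_NOW)        # now refused
    return gate


if __name__ == "__main__":
    g = demo()
    for entry in g.log:
        print(entry)
    print("blacklist:", sorted(g.blacklist), "alerts:", g.alerts)
```

Two things the example makes visible that the prose does not: the gate only ever handles ciphertext, so a compromised server-side component gains the encrypted records and nothing more, and the audit verdict is what feeds the blacklist, so a robot that obtains one ciphertext and then withholds its recording loses access to every other password at its next request.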
In a preferred embodiment, a password input terminal is provided; its structure is shown in FIG. 7. The terminal has a USB connector and a USB hub module, and its USB mouse/keyboard protocol module and password decryption and input controller connect to the software robot operation terminal. It further includes a private key encryption module, which stores the private key needed for ciphertext decryption under a second layer of encryption so that the key cannot be extracted by physically tampering with the device; a private-key ciphertext storage module, which holds the encrypted private key; and a decryption module, which first recovers the private key with a built-in algorithm and then uses the recovered private key to decrypt the password ciphertext. The USB mouse/keyboard protocol control module enters the password string output by the decryption module directly into the password input box as keyboard signals. A power supply module takes the 5 V supply from the USB bus and converts it to the 3.3 V required by the other modules.
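The last stage of the terminal, "entering the password string as keyboard signals", is concrete enough to show. The Python block below is an added example, not the patent's firmware: it converts a decrypted password into the 8-byte USB HID boot-keyboard reports (modifier byte, reserved byte, up to six key usage IDs) that a host receives from a physical keyboard, with a release report after every key so that repeated characters register. A US keyboard layout is assumed, the decryption step and the USB transport are assumed to sit before and after this stage, and the `untypable` check is an added suggestion: characters the terminal cannot type on the assumed layout should be rejected when the password is enrolled, not discovered at login time.

```python
"""Keyboard-signal output stage of the password input terminal (FIG. 7), as an added
example. Converts a decrypted password to USB HID boot-keyboard reports; US layout
assumed; decryption and USB transport are outside this block."""
from typing import List

MOD_LEFT_SHIFT = 0x02  # modifier-byte bit for left shift
RELEASE = bytes(8)     # all-zero report: every key released

# Usage IDs from the USB HID Usage Tables, Keyboard/Keypad page (0x07).
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("123456789")})
_PLAIN.update({"0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E,
               "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35,
               ",": 0x36, ".": 0x37, "/": 0x38})
# Characters that need shift, mapped to the usage ID of the unshifted key.
_SHIFTED = {c.upper(): _PLAIN[c] for c in "abcdefghijklmnopqrstuvwxyz"}
_SHIFTED.update(zip("!@#$%^&*()", (_PLAIN[d] for d in "1234567890")))
_SHIFTED.update({"_": 0x2D, "+": 0x2E, "{": 0x2F, "}": 0x30, "|": 0x31, ":": 0x33,
                 '"': 0x34, "~": 0x35, "<": 0x36, ">": 0x37, "?": 0x38})


def untypable(password: str) -> str:
    """Characters the terminal could not type on the assumed layout, for an enrolment-time
    check in the maintenance module (an added suggestion, not part of the page's flow)."""
    return "".join(sorted({c for c in password if c not in _PLAIN and c not in _SHIFTED}))


def char_to_report(ch: str) -> bytes:
    """One key-down report: [modifiers, reserved, key1, key2, key3, key4, key5, key6]."""
    if ch in _PLAIN:
        return bytes([0, 0, _PLAIN[ch], 0, 0, 0, 0, 0])
    if ch in _SHIFTED:
        return bytes([MOD_LEFT_SHIFT, 0, _SHIFTED[ch], 0, 0, 0, 0, 0])
    raise ValueError(f"not typable on the assumed US layout: {ch!r}")


def password_to_reports(password: str, press_enter: bool = False) -> List[bytes]:
    """Key-down report followed by a release for every character. The release is what makes
    a repeated character ("aa") count twice; without it the host sees one held key."""
    reports: List[bytes] = []
    for ch in password:
        reports.append(char_to_report(ch))
        reports.append(RELEASE)
    if press_enter:
        reports.append(char_to_report("\n"))
        reports.append(RELEASE)
    return reports


def describe(report: bytes) -> str:
    """Readable form of a report, e.g. for the terminal's execution log."""
    mods, _reserved, *keys = report
    return f"mod=0x{mods:02x} keys={[hex(k) for k in keys if k]}"


if __name__ == "__main__":
    for r in password_to_reports("Pa$s w0rd", press_enter=True):
        print(describe(r))
```

The HID path is also where the design's limit sits: hardware decryption keeps the private key and the decryption algorithm out of the robot terminal, but the plaintext still enters that terminal's USB input stack as keystrokes, exactly as it would from a human typing. The terminal therefore removes the key-exposure risk point named in the background section; it does not remove the need to trust the robot host's own input path, which is why the page pairs it with process recording and auditing.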
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.