Method and system for updating an authentication key
Technical field
The present invention relates to the field of information security, and in particular to a method and system for updating an authentication key.
Background art
In recent years, with the rapid development of Internet technology and electronic commerce, more and more commercial activity has moved onto the network, for example online government services, online banking and online shopping, and with it more and more information involving personal privacy and trade secrets is delivered over the network. At the same time, deliberate threats such as viruses, hackers and counterfeit (phishing) web pages pose a serious challenge to the security of online transactions, so that network security has become a very important problem.
As people's security awareness has improved, a variety of cryptographic algorithms have emerged. The algorithms in common use fall into three classes: hash algorithms, symmetric encryption algorithms and asymmetric encryption algorithms. A hash algorithm is a one-way algorithm that needs no key; it transforms data of arbitrary length into a digest of fixed length, and a sufficiently long digest resists the known cryptanalytic attacks. Hash algorithms in common use include MD5, MD2, SHA-1 and SHA-256; HMAC, which is usually listed with them, is a keyed construction built on such a hash function. In a symmetric encryption algorithm (also called a single-key algorithm) only one key is used for both encryption and decryption; although single-key encryption is a simple process, both parties must trust each other completely and each holds a copy of the key, and data encrypted with the algorithm can be decrypted with that same key. Symmetric algorithms in common use include DES, 3DES, RC4 and RC5. An asymmetric encryption algorithm (public-key algorithm) uses a pair of keys in the encryption process rather than the single key of symmetric encryption: one key of the pair is used for encryption and the other for decryption, so that data encrypted with A is decrypted with B, and data encrypted with B is decrypted with A. Asymmetric algorithms in common use include RSA, DSA and elliptic-curve algorithms.
Usually two operands take part in a cryptographic operation: one may be a random number, and the other an algorithm factor preset in advance. A change of even one bit in either operand makes the result completely different. If one of the operands is a random number, each result is itself random, so that a result intercepted in transmission is of no further use. In practice a random seed may also be used to generate a new operand that then takes part in the operation, to reach a higher level of security; the random seed is itself a random number and is generally used to produce a new operand.
An information security device is a small hardware device with a processor and memory that connects to a computer through one of the computer's data communication interfaces. It provides key generation, secure key storage, preset cryptographic algorithms and similar functions. All operations involving the key run entirely inside the device, and the device is tamper-resistant, so its security is high. An information security device generally connects to the computer through a USB interface and is commonly called a USB Key or USB Token. The device manufacturer, the software developer or the end user can store important information in the device, to keep it secure or to avoid forgetting it. Higher-end information security devices are now programmable, that is, code deposited in the device in advance can be executed inside it.
A hardware identifier, for example a hardware serial number, is a globally unique identification number defined by the device manufacturer, stored inside the information security device and readable from it. The unique hardware identifier is generally used to distinguish different information security devices.
Information security receives more and more attention, and identity authentication technology is an important component of it. Identity authentication is the process by which a computer or network system confirms the identity of an operator. Computer systems and networks form a virtual digital world in which all information, including a user's identity, is represented by a specific group of data; the computer can recognise only the user's digital identity, and every authorisation granted to the user is an authorisation of that digital identity.
The key used for identity authentication is called the authentication key. When an information security device is used for authentication, the usual practice is to store the authentication key in the device. The authentication process is as follows: the client sends the authentication key held in the information security device to the server, and the server compares it with the authentication key in its database; if they match, authentication succeeds. The authentication key therefore plays a crucial role in the whole authentication process, and the user also needs to update it regularly to maintain security. At present the authentication key is mainly updated in the following two ways:
1. Online update: the user connects to the network and requests an authentication key update from the server; the server generates a new authentication key and transmits it to the user's client over the network, and the client writes it into the information security device. Alternatively, the user connects to the network, requests an update from the server and at the same time sends a self-modified authentication key to the server over the network, and the server writes it into its database.
2. Offline update: the user asks the operator to modify the key, or applies for a new authentication key by reporting the old one lost.
The offline mode is inconvenient for the user and cannot be done promptly. In the online mode the authentication key has to be transmitted over the network. If it is transmitted in plaintext, then, because the authentication key is highly sensitive information, it is easily intercepted; if it is then used by an impostor, the legitimate user suffers loss, so plaintext transmission is very unsafe. If the authentication key is transmitted as ciphertext, the prior art realises this with an asymmetric encryption algorithm: the new authentication key generated by the client is encrypted with a private key and transmitted to the server over the network, and the server decrypts it with the corresponding public key to obtain the new authentication key and perform the update. This method is comparatively safe, but it costs more and is also cumbersome to manage.
Summary of the invention
The method and system for remotely updating an authentication key proposed by the present invention solve the insecurity of transmitting the authentication key over the network in plaintext, and the management trouble and high cost of transmitting it as ciphertext.
The present invention proposes a method for remotely updating an authentication key, comprising the following steps:
Step A: the server end obtains a random number and the hardware identifier of an information security device from the client end, and generates a random seed; wherein the server end obtains the random number from the information security device connected to the client end;
Step B: the server end performs an operation on the random seed and the random number to produce verification data;
Step C: the server end reads the original authentication key out of its database according to the hardware identifier of the information security device, performs a cryptographic operation on the original authentication key and the verification data, and transmits the random seed and the result of the cryptographic operation to the client end over the network;
Step D: the information security device obtains the random seed and the cryptographic operation result from the client end and verifies the correctness of the random seed; wherein verifying the correctness of the random seed comprises: the information security device performs the same operation as the server end on the random seed and the random number to produce verification data, performs the same cryptographic operation as the server end on the verification data and the original authentication key prestored in the information security device, and compares its cryptographic operation result with the cryptographic operation result obtained from the client end; if the two match, the random seed is correct; if the comparison fails, an update failure is reported;
Step E: in the information security device and at the server end respectively, the same cryptographic operation is performed on the random seed and the original authentication key to generate a new authentication key, and the authentication key in the information security device and the authentication key in the server-end database are updated with the new authentication key.
The random number is generated in advance inside the information security device and stored in the information security device.
The operation comprises combination (concatenation), AND, OR, NOT, XOR, addition, subtraction and/or multiplication.
Step E specifically comprises: the information security device performs the cryptographic operation on the random seed it obtained and the original authentication key prestored in it, obtains a new authentication key, and replaces the prestored authentication key with the new one; the server end performs the same cryptographic operation as the information security device on the random seed and the original authentication key previously stored in its database, obtains the new authentication key, moves the original authentication key into the old-value position of the server-end database, and places the new authentication key into the current-value position of the server-end database.
The method further comprises an authentication key update synchronisation step: after the server end receives an identity authentication request sent by the client end, it generates a random number and sends it to the client end; the information security device obtains the random number from the client end, performs a cryptographic operation internally on the authentication key it stores and the random number, and sends the result to the server end; the server end performs the same cryptographic operation as the information security device on the authentication key in the current-value position of its database and the random number, and compares the result with the result received; if they match, authentication succeeds; if they do not match, the server end performs the same cryptographic operation on the authentication key in the old-value position of its database and the random number and compares that result with the result received; if they still do not match, authentication fails; if they match, the authentication key in the old-value position of the database is placed into the current-value position.
The cryptographic operation comprises a hash operation, a symmetric encryption operation or an asymmetric encryption operation.
The invention also proposes a method for updating an authentication key, comprising the following steps:
Step A: the server end obtains the hardware identifier of an information security device from the client end and generates a random seed;
Step B: the server end transmits the random seed to the client end over the network;
Step C: the information security device obtains the random seed from the client end;
Step D: in the information security device and at the server end respectively, the same cryptographic operation is performed on the random seed and the original authentication key to generate a new authentication key, and the authentication key in the information security device and the authentication key in the server-end database are updated with the new authentication key; wherein updating the authentication keys in the information security device and in the server-end database with the new authentication key includes: after the server end receives an identity authentication request sent by the client end, it generates a random number and sends it to the client end; the information security device obtains the random number from the client end, performs a cryptographic operation internally on the authentication key it stores and the random number, and sends the result to the server end; the server end performs the same operation as the information security device on the authentication key in the current-value position of its database and the random number, and compares the result with the result received; if they match, authentication succeeds; if they do not match, the server end performs the same cryptographic operation on the authentication key in the old-value position of its database and the random number and compares that result with the result received; if they still do not match, authentication fails; if they match, the authentication key in the old-value position of the database is placed into the current-value position.
Step D specifically comprises: the information security device performs the cryptographic operation on the random seed it obtained and the original authentication key prestored in it, obtains a new authentication key, and replaces the prestored authentication key with the new one; the server end performs the same cryptographic operation as the information security device on the random seed and the original authentication key previously stored in its database, obtains the new authentication key, moves the original authentication key into the old-value position of the server-end database, and places the new authentication key into the current-value position of the server-end database.
The cryptographic operation comprises a hash operation, a symmetric encryption operation or an asymmetric encryption operation.
The invention provides a system for updating an authentication key, comprising a server computer and an information security device connected to a client computer. The server computer comprises a pre-processing module, a server authentication key generation module and a server authentication key storage module; the information security device comprises a verification module, a client authentication key generation module and a client authentication key storage module. The pre-processing module performs an operation on a random seed generated at the server end and a random number obtained from the information security device connected to the client end to produce verification data, the random number having been generated in advance inside the information security device and stored there; according to the hardware identifier of the information security device obtained by the server end, it reads the original authentication key from the server authentication key storage module in the server database, performs a cryptographic operation on the verification data and the original authentication key to obtain a cryptographic operation result, and transmits the random seed and the result to the client end over the network. The server authentication key generation module performs the cryptographic operation on the random seed and the original authentication key to generate a new authentication key. The server authentication key storage module stores the authentication key and updates it with the new authentication key generated by the server authentication key generation module. The verification module performs the same operation as the server end on the random seed and the random number to produce verification data, performs the same cryptographic operation as the server end on the verification data and the original authentication key prestored in the information security device, and compares the result with the cryptographic operation result obtained from the client end; if they match, the random seed obtained from the client end is correct, and the client authentication key generation module then performs the same cryptographic operation as the server end on the random seed and the original authentication key prestored in the client authentication key storage module of the information security device to generate a new authentication key. The client authentication key storage module stores the authentication key and updates it with the new authentication key generated by the client authentication key generation module.
The system further comprises an authentication key update synchronisation module, which keeps the two most recent authentication keys at the server end so that the authentication key update can be brought back into step at the time of identity authentication.
The invention also provides a system for updating an authentication key, comprising a server computer and an information security device connected to a client computer. The server computer comprises a pre-processing module, a server authentication key generation module and a server authentication key storage module; the information security device comprises a client authentication key generation module and a client authentication key storage module.
The pre-processing module generates a random seed at the server end, obtains the hardware identifier of the information security device from the client end, and transmits the random seed to the client end over the network. The server authentication key generation module performs a cryptographic operation on the random seed and the original authentication key in the server authentication key storage module to generate a new authentication key. The server authentication key storage module stores the authentication key and updates it with the new authentication key generated by the server authentication key generation module. The client authentication key generation module performs the same cryptographic operation as the server end on the random seed obtained and the original authentication key prestored in the client authentication key storage module of the information security device to generate a new authentication key. The client authentication key storage module stores the authentication key and updates it with the new authentication key generated by the client authentication key generation module. This system likewise further comprises an authentication key update synchronisation module, which keeps the two most recent authentication keys at the server end so that the authentication key update can be brought back into step at the time of identity authentication.
Beneficial effects: the present invention avoids the insecurity of transmitting the authentication key over the network in plaintext and the management trouble and high cost of transmitting it as ciphertext, and also avoids the inconvenience of updating the authentication key offline.
Description of the drawings
Fig. 1 is a flow chart of the first method for updating an authentication key according to an embodiment of the invention;
Fig. 2 is a flow chart of the second method for updating an authentication key according to an embodiment of the invention;
Fig. 3 is a flow chart of authentication key update synchronisation according to an embodiment of the invention;
Fig. 4 is a structural diagram of the first system for updating an authentication key according to an embodiment of the invention;
Fig. 5 is a structural diagram of the second system for updating an authentication key according to an embodiment of the invention.
Embodiments
The invention is further described below with reference to the drawings and specific embodiments, which do not limit the invention.
The hardware identifier, for example a hardware serial number, is a globally unique identification number defined by the device manufacturer, stored inside the information security device and readable from it; the unique hardware identifier of each information security device serves to distinguish different devices. The following embodiments are described using the hardware serial number.
Embodiment 1
As shown in Fig. 1, the method for updating an authentication key proposed by this embodiment of the invention comprises the following steps:
Step 101: the server end obtains a random number ChallengeRand and the hardware serial number HSN of the information security device from the client end, and generates a random seed SEED.
The random number ChallengeRand is generated in advance inside the information security device connected to the client computer and is stored in the device.
Step 102: the server end performs an operation on the random seed SEED and the random number ChallengeRand to produce verification data.
The operation comprises combination (concatenation), AND, OR, NOT, XOR, addition, subtraction, multiplication and the like.
Step 103: the server end reads the original authentication key AKEY from the server database according to the hardware serial number obtained, performs a cryptographic operation on the verification data and the original authentication key AKEY, and obtains the cryptographic operation result Response.
The cryptographic operation mainly comprises a hash operation, a symmetric encryption operation, an asymmetric encryption operation and the like.
Step 104: the server end transmits the random seed SEED and the cryptographic operation result Response to the client end over the network.
Step 105: the information security device obtains the random seed SEED and the cryptographic operation result Response from the client end and verifies the correctness of the random seed SEED.
The correctness of the random seed SEED is verified as follows: inside the information security device, the same operation as in step 102 is performed on the random seed SEED obtained and the random number ChallengeRand stored in the device to produce verification data; the same cryptographic operation as in step 103 is performed on the verification data and the original authentication key prestored in the device; and the result is compared with the cryptographic operation result Response obtained from the client end. If the two results match, the random seed SEED obtained is correct.
Step 106: in the information security device and at the server end respectively, the same cryptographic operation is performed on the random seed SEED and the original authentication key to produce a new authentication key NEW_AKEY, and the authentication key in the information security device and the authentication key in the server-end database are updated with NEW_AKEY.
Generating and updating the authentication key NEW_AKEY in the information security device: inside the device, the cryptographic operation is performed on the random seed SEED obtained from the client end and the original authentication key prestored in the device to obtain the new authentication key, which is then written into the authentication key storage location in the device. The cryptographic operation comprises a hash operation, a symmetric encryption operation, an asymmetric encryption operation or the like.
Generating and updating the authentication key at the server end: the server end performs the same cryptographic operation as the information security device on the random seed SEED it generated and the original authentication key previously stored in the server-end database to obtain the new authentication key; the original authentication key is moved into the old-value position of the server database and the new authentication key is placed into the current-value position. The cryptographic operation comprises a hash operation, a symmetric encryption operation, an asymmetric encryption operation or the like.
To describe the technical scheme of this embodiment more clearly, a concrete example follows:
The server end generates a random seed SEED and obtains from the client end the hardware serial number HSN of the information security device and a random number ChallengeRand. The server end performs a combination operation on SEED and ChallengeRand, that is, concatenates them, to obtain the verification data ChallengeRand|SEED; the longer input to the hash operation helps resist cryptanalytic attack. The server end performs a hash operation on the verification data ChallengeRand|SEED and the original authentication key AKEY read from the server database according to the hardware serial number HSN obtained, and obtains the result Response = HMAC(AKEY, ChallengeRand|SEED). The server end transmits SEED and Response to the client end over the network. After the information security device obtains SEED and Response from the client end, it performs the same hash operation internally to obtain Response' = HMAC(AKEY, ChallengeRand|SEED). If Response' does not match the Response obtained from the client end, the SEED received by the device is incorrect and an update failure is reported; if they match, the SEED received is correct, and the device uses the hash algorithm to obtain the new authentication key NEW_AKEY = HMAC(AKEY, SEED), replaces the original authentication key AKEY in the device with NEW_AKEY, and notifies the server end that the update succeeded. After the server end receives the client's success notification, it performs the same hash operation to obtain NEW_AKEY = HMAC(AKEY, SEED), copies the current value in the server-end database into the old-value storage unit and writes NEW_AKEY into the current-value storage unit, completing the remote authentication key update.
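The exchange of this example, together with the two-slot synchronisation step described in the summary (the server keeps an old value and a current value and falls back to the old value during authentication), as an added illustration in Python that is not part of the patent. Assumptions not fixed by the text: HMAC-SHA256 is the hash operation on both sides, SEED and ChallengeRand are 16 random bytes, the combination operation is plain concatenation ChallengeRand|SEED, ChallengeRand is generated once when the device is initialised, and the names Server, Device, run_update and run_auth are the example's own.

```python
import hashlib
import hmac
import os

# Added example, not code from the patent. Assumptions: HMAC-SHA256 is the
# "hash operation" on both sides, SEED and ChallengeRand are 16 random bytes,
# and the "combination operation" is plain concatenation ChallengeRand|SEED.


def hmac256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Server:
    """Server end. Per device (indexed by HSN) it keeps the two most recent
    keys: the current value and the old value."""

    def __init__(self) -> None:
        self.db = {}  # HSN -> {"cur": AKEY, "old": previous AKEY or None}

    def enroll(self, hsn: bytes, akey: bytes) -> None:
        self.db[hsn] = {"cur": akey, "old": None}

    def begin_update(self, hsn: bytes, challenge_rand: bytes):
        """Steps 101-104: SEED and Response = HMAC(AKEY, ChallengeRand|SEED)."""
        seed = os.urandom(16)
        response = hmac256(self.db[hsn]["cur"], challenge_rand + seed)
        return seed, response

    def finish_update(self, hsn: bytes, seed: bytes) -> bytes:
        """Server half of step 106: NEW_AKEY = HMAC(AKEY, SEED); AKEY moves to
        the old-value slot and NEW_AKEY becomes the current value."""
        rec = self.db[hsn]
        new_akey = hmac256(rec["cur"], seed)
        rec["old"], rec["cur"] = rec["cur"], new_akey
        return new_akey

    def auth_challenge(self) -> bytes:
        """Step 301: random number sent to the client."""
        return os.urandom(16)

    def auth_verify(self, hsn: bytes, rnd: bytes, client_result: bytes) -> bool:
        """Steps 304 onward: try the current value, then the old value. A match
        on the old value means the device never finished the update, so the
        old value is restored to the current slot (constant-time compares)."""
        rec = self.db[hsn]
        if hmac.compare_digest(hmac256(rec["cur"], rnd), client_result):
            return True
        if rec["old"] is not None and hmac.compare_digest(
                hmac256(rec["old"], rnd), client_result):
            rec["cur"] = rec["old"]
            return True
        return False


class Device:
    """Information security device (USB Key). AKEY never leaves the device."""

    def __init__(self, hsn: bytes, akey: bytes) -> None:
        self.hsn = hsn
        self._akey = akey
        # ChallengeRand: generated in advance inside the device and stored
        # there; assumption of this example: generated once at initialisation.
        self.challenge_rand = os.urandom(16)

    def apply_update(self, seed: bytes, response: bytes) -> bool:
        """Step 105, then the device half of step 106. Returns False (the
        "update failed" case) when Response does not verify; AKEY is untouched."""
        expected = hmac256(self._akey, self.challenge_rand + seed)
        if not hmac.compare_digest(expected, response):
            return False
        self._akey = hmac256(self._akey, seed)  # NEW_AKEY = HMAC(AKEY, SEED)
        return True

    def auth_respond(self, rnd: bytes) -> bytes:
        """Step 303: HMAC of the stored AKEY over the server's random number."""
        return hmac256(self._akey, rnd)


def run_update(server: Server, device: Device) -> bool:
    """One remote update in the order of the embodiment: the server rotates
    its slots only after the device has verified SEED and reported success."""
    seed, response = server.begin_update(device.hsn, device.challenge_rand)
    if not device.apply_update(seed, response):
        return False
    server.finish_update(device.hsn, seed)
    return True


def run_auth(server: Server, device: Device) -> bool:
    """Steps 301-307 as one challenge/response round."""
    rnd = server.auth_challenge()
    return server.auth_verify(device.hsn, rnd, device.auth_respond(rnd))


if __name__ == "__main__":
    hsn, akey = b"HSN-0001", os.urandom(32)  # constructed sample device
    srv, dev = Server(), Device(hsn, akey)
    srv.enroll(hsn, akey)
    print("update:", run_update(srv, dev), "auth:", run_auth(srv, dev))
    # Out-of-sync case: the server rotated but SEED never reached the device.
    seed, _ = srv.begin_update(hsn, dev.challenge_rand)
    srv.finish_update(hsn, seed)
    print("auth after lost SEED:", run_auth(srv, dev),
          "resynced:", srv.db[hsn]["cur"] == dev._akey)
```

Two points worth noting when running it. First, the Response check in apply_update is what lets the device trust SEED: only a party holding AKEY can produce HMAC(AKEY, ChallengeRand|SEED) for the ChallengeRand the device generated, so a SEED from anyone else is rejected and the key stays unchanged. Second, the old-value slot recovers exactly the case the text describes, the server having rotated while the device still holds AKEY; with the ordering of this embodiment, where the server rotates only after the client's success notification, a lost notification leaves the device one key ahead of the server instead, and the old-value slot does not cover that direction, so the two sides must agree on which of the two orderings they use. hmac.compare_digest is this example's addition, not something the patent calls for.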
Embodiment 2
As shown in Fig. 2, this embodiment of the invention also proposes a method for updating an authentication key, comprising the following steps:
Step 201: the server end obtains the hardware serial number HSN of the information security device from the client end and generates a random seed SEED.
Step 202: the server end transmits the random seed SEED to the client end over the network.
Step 203: the information security device obtains the random seed SEED from the client end.
Step 204: in the information security device and at the server end respectively, the same cryptographic operation is performed on the random seed SEED and the original authentication key to produce a new authentication key NEW_AKEY, and the authentication key in the information security device and the authentication key in the server-end database are updated with NEW_AKEY.
Generating and updating the authentication key NEW_AKEY in the information security device: inside the device, the cryptographic operation is performed on the random seed SEED obtained from the client end and the original authentication key prestored in the device to obtain the new authentication key, which is then written into the authentication key storage location in the device. The cryptographic operation comprises a hash operation, a symmetric encryption operation, an asymmetric encryption operation or the like.
Generating and updating the authentication key at the server end: the server end performs the same cryptographic operation as the information security device on the random seed SEED it generated and the original authentication key previously stored in the server-end database to obtain the new authentication key; the original authentication key is moved into the old-value position of the server database and the new authentication key is placed into the current-value position. The cryptographic operation comprises a hash operation, a symmetric encryption operation, an asymmetric encryption operation or the like.
To describe the technical scheme of this embodiment more clearly, a concrete example follows:
The server end first generates a random seed SEED and obtains the hardware serial number HSN of the information security device from the client end. The server end transmits SEED to the client end over the network. After the information security device obtains SEED from the client end, it performs a hash operation internally on SEED and the original authentication key prestored in it to obtain the new authentication key NEW_AKEY = HMAC(AKEY, SEED), replaces the original authentication key AKEY in the device with NEW_AKEY, and notifies the server end that the update succeeded. After the server end receives the client's success notification, it performs the same hash operation on the random seed it generated and the original authentication key AKEY read from the server database according to the hardware serial number HSN obtained, obtains NEW_AKEY = HMAC(AKEY, SEED), copies the current value in the server-end database into the old-value storage unit, and then writes NEW_AKEY into the current-value storage unit, completing the remote authentication key update.
During an authentication key update, the client-side key update and the server-side key update may become unsynchronized because of network problems. For example, if the network is interrupted while the server is sending the random seed to the client, the random seed is not delivered to the client and the authentication key update in the information security device cannot complete normally, so the key stored inside it remains the original authentication key; yet the server has already performed the key update, so the key in its database is the updated key, and the authentication key update is now out of sync. Keeping the two most recent authentication keys simultaneously in the server database solves this problem: the server database has two storage locations for the authentication key, an old-value location and a current-value location. At authentication time, using the two most recent authentication keys kept in the server database, the client-side and server-side key updates are brought back into sync by the following steps, as shown in Figure 3:
Step 301: after receiving the identity authentication request sent by the client, the server generates a random number and sends it to the client.
Step 302: the information security device obtains the random number from the client.
Step 303: inside the information security device, a cryptographic operation is performed on the authentication key stored in the device and the random number, and the result of the cryptographic operation is sent back to the server.
The cryptographic operation may be a hash operation, a symmetric encryption operation, an asymmetric encryption operation, or the like.
Step 304: the server performs the same cryptographic operation as in step 303 on the authentication key in the current-value position of its database and the random number, and compares its result with the result obtained from the information security device; if the results match, go to step 307, otherwise go to step 305.
Step 305: the server performs the same cryptographic operation as in step 303 on the authentication key in the old-value position of its database and the random number, and compares its result with the result obtained from the device; if the results match, go to step 306, otherwise go to step 308.
Step 306: the authentication key in the old-value storage location of the server database is copied into the current-value storage location, which completes the synchronization; subsequent authentications simply use the authentication key in the current-value position.
Step 307: authentication succeeds; end.
Step 308: authentication fails; end.
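The update method (NEW_AKEY = HMAC(AKEY, SEED), with the server keeping an old-value and a current-value copy) and the resynchronizing authentication of steps 301 to 308 can be simulated end to end. The following Python is an added illustration, not code from the patent: it instantiates the hash operation as HMAC-SHA256, stands in for the network with direct function calls, and reproduces the failure case from the text, where the seed is lost but the server has already rotated its copy. The class and function names, the 32-byte constructed initial key, and the `seed_delivered` switch are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def derive(key: bytes, data: bytes) -> bytes:
    """The cryptographic operation of the text, instantiated as HMAC-SHA256 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class InformationSecurityDevice:
    """Client-side token: holds exactly one authentication key AKEY."""

    def __init__(self, hsn: str, akey: bytes):
        self.hsn = hsn      # hardware serial number
        self.akey = akey    # authentication key stored inside the device

    def update_key(self, seed: bytes) -> None:
        # NEW_AKEY = HMAC(AKEY, SEED); overwrite the stored key in place
        self.akey = derive(self.akey, seed)

    def respond(self, nonce: bytes) -> bytes:
        # step 303: operate on the stored key and the server's random number
        return derive(self.akey, nonce)


class Server:
    """Server database keeps the two most recent keys per device: current and old."""

    def __init__(self):
        self.db = {}  # hsn -> {"current": bytes, "old": bytes | None}

    def enroll(self, hsn: str, akey: bytes) -> None:
        self.db[hsn] = {"current": akey, "old": None}

    def new_seed(self) -> bytes:
        return secrets.token_bytes(16)

    def commit_update(self, hsn: str, seed: bytes) -> None:
        # copy current value into the old-value cell, then store NEW_AKEY as current
        rec = self.db[hsn]
        rec["old"] = rec["current"]
        rec["current"] = derive(rec["current"], seed)

    def authenticate(self, hsn: str, nonce: bytes, response: bytes) -> str:
        rec = self.db[hsn]
        # step 304: try the current-value key first
        if hmac.compare_digest(derive(rec["current"], nonce), response):
            return "success"                       # step 307
        # step 305: fall back to the old-value key
        if rec["old"] is not None and hmac.compare_digest(derive(rec["old"], nonce), response):
            rec["current"] = rec["old"]            # step 306: resynchronize
            return "resynced"
        return "failure"                           # step 308


def run_update(server: Server, device: InformationSecurityDevice, seed_delivered: bool = True) -> None:
    """One remote key-update round. seed_delivered=False models the text's failure
    case: the seed is lost on the network, the device keeps its old key, but the
    server still rotates its copy."""
    seed = server.new_seed()
    if seed_delivered:
        device.update_key(seed)   # device updates and would notify the server
    server.commit_update(device.hsn, seed)


def run_authentication(server: Server, device: InformationSecurityDevice) -> str:
    nonce = secrets.token_bytes(16)                        # step 301
    response = device.respond(nonce)                       # steps 302-303
    return server.authenticate(device.hsn, nonce, response)  # steps 304-308


def keys_in_sync(server: Server, device: InformationSecurityDevice) -> bool:
    return server.db[device.hsn]["current"] == device.akey


def demo() -> list:
    akey0 = b"\x11" * 32   # constructed initial key shared at enrollment
    device = InformationSecurityDevice("HSN-0001", akey0)
    server = Server()
    server.enroll(device.hsn, akey0)
    results = []
    run_update(server, device)                            # normal round
    results.append(run_authentication(server, device))    # "success"
    run_update(server, device, seed_delivered=False)      # seed lost: keys diverge
    results.append(run_authentication(server, device))    # "resynced" via old-value key
    results.append(run_authentication(server, device))    # "success" again
    rogue = InformationSecurityDevice(device.hsn, b"\x22" * 32)  # wrong key
    results.append(run_authentication(server, rogue))     # "failure"
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the fallback only ever reaches one step back: a device that misses two consecutive updates no longer matches either stored key and fails at step 308, which is the limit of the two-slot scheme described here.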
Referring to Figure 4, an embodiment of the invention provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a pretreatment module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises an authentication module, a client authentication key generation module and a client authentication key storage module;
The pretreatment module is used to produce verification data from the random seed generated by the server and the random number obtained from the client, read the original authentication key from the server database according to the hardware identifier of the information security device obtained by the server, perform a cryptographic operation on the verification data and the original authentication key to obtain an operation result, and send the random seed and the operation result to the client over the network;
The server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key to generate the new authentication key;
The server authentication key storage module is used to store and update the authentication key;
The authentication module is used to verify the correctness of the random seed obtained from the client;
The client authentication key generation module is used to perform a cryptographic operation on the obtained random seed and the original authentication key prestored in the information security device to generate the new authentication key;
The client authentication key storage module is used to store and update the authentication key.
The system further comprises an authentication key update synchronization module, which is used by the server at authentication time to synchronize the authentication key update by keeping the two most recent authentication keys simultaneously.
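The Figure 4 system adds a check the Figure 3 flow does not have: the pretreatment module sends an operation result alongside the seed, and the device's authentication module verifies the seed before the key generation module uses it. The text does not say how the verification data is formed, so the Python below, an added example rather than the patent's own code, assumes it is the seed concatenated with the client's random number and that the operation is HMAC-SHA256 keyed with the original authentication key; the function names are likewise assumptions. Binding the client's random number into the check ties the result to this session, so a previously sent seed and result cannot be accepted a second time.

```python
import hashlib
import hmac
import secrets


def make_verification_data(seed: bytes, client_nonce: bytes) -> bytes:
    # Assumed construction: the text only states that the verification data is
    # produced from the server's random seed and the client's random number.
    return seed + client_nonce


def server_pretreat(akey: bytes, seed: bytes, client_nonce: bytes) -> bytes:
    """Pretreatment module: operation result over the verification data, keyed with
    the original authentication key read from the server database."""
    return hmac.new(akey, make_verification_data(seed, client_nonce), hashlib.sha256).digest()


def device_verify_seed(akey: bytes, seed: bytes, client_nonce: bytes, result: bytes) -> bool:
    """Authentication module: recompute the result with the device's own key and
    compare in constant time."""
    expected = hmac.new(akey, make_verification_data(seed, client_nonce), hashlib.sha256).digest()
    return hmac.compare_digest(expected, result)


def device_update_if_verified(akey: bytes, seed: bytes, client_nonce: bytes, result: bytes):
    """Client key generation module gated by the authentication module.
    Returns NEW_AKEY, or None (key unchanged) when the seed does not verify."""
    if not device_verify_seed(akey, seed, client_nonce, result):
        return None
    return hmac.new(akey, seed, hashlib.sha256).digest()


def demo() -> tuple:
    akey = b"\x11" * 32                       # constructed original authentication key
    client_nonce = secrets.token_bytes(16)    # random number the client supplies
    seed = secrets.token_bytes(16)            # random seed the server generates
    result = server_pretreat(akey, seed, client_nonce)

    genuine = device_update_if_verified(akey, seed, client_nonce, result)
    # a seed altered in transit no longer matches the result and is rejected
    altered_seed = bytes(b ^ 0x01 for b in seed)
    altered = device_update_if_verified(akey, altered_seed, client_nonce, result)
    # the same seed and result presented with a different client random number is rejected
    replayed = device_update_if_verified(akey, seed, secrets.token_bytes(16), result)
    return genuine is not None, altered is None, replayed is None


if __name__ == "__main__":
    print(demo())
```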
Referring to Figure 5, an embodiment of the invention also provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a pretreatment module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a client authentication key generation module and a client authentication key storage module;
The pretreatment module is used to generate the random seed at the server, obtain the hardware identifier of the information security device from the client, and send the random seed to the client over the network;
The server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key to generate the new authentication key;
The server authentication key storage module is used to store and update the authentication key;
The client authentication key generation module is used to perform a cryptographic operation on the obtained random seed and the original authentication key prestored in the information security device to generate the new authentication key;
The client authentication key storage module is used to store and update the authentication key.
The system further comprises an authentication key update synchronization module, which is used by the server at authentication time to synchronize the authentication key update by keeping the two most recent authentication keys simultaneously.
The embodiments described above are several preferred embodiments of the present invention; ordinary variations and substitutions made by those skilled in the art within the scope of the technical solution of the present invention shall all fall within the protection scope of the present invention.