CN100561916C - A method and system for updating an authentication key - Google Patents

Publication number: CN100561916C
Authority: CN (China)
Legal status: Active (the listed status is an assumption and is not a legal conclusion)
Application number: CNB2006101697598A
Other languages: Chinese (zh)
Other versions: CN101005357A
Inventors: 陆舟, 于华章
Current Assignee: Feitian Technologies Co Ltd
Original Assignee: Beijing Feitian Technologies Co Ltd
Classification: Storage Device Security
Abstract

The invention discloses a method and system for updating an authentication key, belonging to the field of information security. To solve both the insecurity of transmitting an authentication key over a network in plaintext and the management burden and high cost of transmitting it in ciphertext, the invention proposes a method for remotely updating the authentication key. The method comprises: the server performs an operation on a random seed and a random number to produce verification data; the server performs a cryptographic operation on the original authentication key and the verification data, and sends the random seed and the result of the cryptographic operation to the client; the information security device verifies the correctness of the random seed; the information security device and the server each perform the same cryptographic operation on the random seed and the original authentication key to generate a new authentication key, and the authentication key in the information security device and in the server-side database is updated. The invention also provides a system for updating an authentication key.

Description

A method and system for updating an authentication key
Technical field
The present invention relates to the field of information security, and in particular to a method and system for updating an authentication key.
Background art
In recent years, with the rapid development of Internet technology and e-commerce, more and more commercial activity has moved onto the network, for example online government services, online banking and online shopping. At the same time, more and more information involving personal privacy and business secrets needs to be delivered over the network. However, deliberate threats such as viruses, hackers and counterfeit fraudulent web pages pose a great challenge to the security of online transactions, making network security a problem that cannot be ignored.
As people's security awareness keeps rising, various cryptographic algorithms have emerged. The commonly used ones are hash algorithms, symmetric encryption algorithms and asymmetric encryption algorithms. A hash algorithm is a one-way algorithm that needs no key: it transforms data of arbitrary length into a fixed-length digest, and it has a long hash code and can resist particular cryptanalytic attacks. Hash algorithms in common use at present include the HMAC, MD5, MD2, SHA1 and SHA256 algorithms. In a symmetric encryption algorithm (also called a single-key cryptographic algorithm), only one key is used to encrypt and decrypt information. Although single-key encryption is a simple process, both parties must trust each other completely and both hold a copy of the key; after data has been encrypted with a symmetric encryption algorithm, the same key can be used to decrypt the result. Symmetric encryption algorithms in common use at present include the DES, 3DES, RC4 and RC5 algorithms. An asymmetric encryption algorithm (public-key encryption algorithm) uses a pair of keys rather than the single key used in symmetric encryption: one key of the pair is used for encryption and the other for decryption, that is, what is encrypted with A is decrypted with B, and what is encrypted with B is decrypted with A. Asymmetric encryption algorithms in common use at present include the RSA algorithm, the DSA algorithm and elliptic curve algorithms.
A cryptographic algorithm usually takes two operands: one can be a random number, and the other is an algorithm factor preset in advance. Even if only one digit changes in either operand, the result becomes completely different. If one of the operands is a random number, each result also changes randomly, which ensures that the result can be intercepted in transit without harm. In addition, in practice a random seed can be used to generate a new operand for the operation in order to achieve higher security; the random seed is itself a random number and is generally used to produce a new operand.
An information security device is a small hardware device with a processor and memory, which connects to a computer through the computer's data communication interface. It provides functions such as key generation, secure key storage and preset cryptographic algorithms. Key-related operations run entirely inside the device, and the device is resistant to attack, so its security is high. An information security device generally connects to the computer through a USB interface and is commonly called a USB KEY or USB Token. The device manufacturer, the software system developer or the end user can store important information in the information security device, to keep it secure or to avoid forgetting it. At present, higher-end information security devices are programmable, that is, code stored in the device in advance can be run inside the device.
The hardware identifier, which includes the hardware serial number, is a globally unique identification number defined by the device manufacturer and stored inside the information security device, and it can be read out. The unique hardware identifier is generally used to distinguish different information security devices.
Information security is receiving more and more attention, and identity authentication technology is an important part of it. Identity authentication is the process by which a computer and network system confirms the identity of an operator. Computer systems and computer networks form a virtual digital world in which all information, including a user's identity information, is represented by a specific set of data. A computer can only recognize a user's digital identity, and every authorization granted to a user is an authorization of that digital identity.
The key used for identity authentication is called the authentication key. When an information security device is used for identity authentication, the usual practice is to store the authentication key in the information security device. The authentication process is as follows: the client sends the authentication key in the information security device to the server, the server compares it with the authentication key in its database, and if the two match, authentication succeeds. The authentication key therefore plays a crucial role in the whole authentication process, and the user also needs to update it frequently to ensure security. At present there are mainly two ways of updating an authentication key:
1. Online update: the user goes online and requests an authentication key update from the server; the server generates a new authentication key and sends it over the network to the user's client, which writes it into the information security device. Or the user goes online, requests an authentication key update from the server and sends the modified authentication key to the server over the network, and the server writes it into its database.
2. Offline update: the user asks an operator to modify the key, or applies for a new authentication key by reporting the old one lost.
Offline update is very inconvenient for the user and cannot be done promptly. In online update the authentication key has to be transmitted over the network. If it is transmitted in plaintext, this is very unsafe: the authentication key is highly sensitive information, plaintext on the network is easily intercepted, and if the key is used by an impersonator, the legitimate user suffers a loss. If it is transmitted in ciphertext, the prior art uses an asymmetric-key encryption algorithm: the new authentication key generated by the client is encrypted with a private key and transmitted over the network to the server, and the server decrypts it with the corresponding public key to obtain the new authentication key and perform the update. This approach is comparatively safe, but it is costly and also troublesome to manage.
Summary of the invention
The method and system for remotely updating an authentication key proposed by the present invention solve both the insecurity of transmitting an authentication key over a network in plaintext and the management burden and high cost of transmitting it in ciphertext.
The present invention proposes a method for remotely updating an authentication key, the method comprising the following steps:
Step A: the server obtains a random number and the hardware identifier of the information security device from the client, and generates a random seed; the server obtains the random number from the information security device connected to the client;
Step B: the server performs an operation on the random seed and the random number to produce verification data;
Step C: the server reads the original authentication key from its database according to the hardware identifier of the information security device, performs a cryptographic operation on the original authentication key and the verification data, and sends the random seed and the result of the cryptographic operation to the client over the network;
Step D: the information security device obtains the random seed and the result of the cryptographic operation from the client and verifies the correctness of the random seed. Verifying the correctness of the random seed comprises: the information security device performs the same operation as the server on the random seed and the random number to produce verification data, performs the same cryptographic operation as the server on the verification data and the original authentication key pre-stored in the information security device, and compares its result with the result obtained from the client; if the results match, the random seed is correct; if they do not match, an update failure is reported;
Step E: in the information security device and at the server respectively, the same cryptographic operation is performed on the random seed and the original authentication key to generate a new authentication key, and the authentication key in the information security device and in the server-side database is updated with the new authentication key.
The random number is generated in advance inside the information security device and stored in the information security device.
The operation comprises combination, AND, OR, NOT, XOR, addition, subtraction and/or multiplication.
Step E specifically comprises: the information security device performs a cryptographic operation on the random seed it obtained and the original authentication key pre-stored inside it to obtain a new authentication key, and replaces its pre-stored authentication key with the new authentication key; the server performs the same cryptographic operation as the information security device on the random seed and the original authentication key stored in advance in its database to obtain the new authentication key, writes the original authentication key stored in its database to the old-value position of the server database, and writes the new authentication key to the current-value position of the server database.
The method further comprises an authentication key update synchronization step: after receiving an identity authentication request sent by the client, the server generates a random number and sends it to the client; the information security device obtains the random number from the client, performs a cryptographic operation inside the device on its stored authentication key and the random number, and sends the result to the server; the server performs the same cryptographic operation as the information security device on the authentication key at the current-value position of its database and the random number, and compares its result with the result it received; if they match, identity authentication succeeds; if they do not match, the server performs the same cryptographic operation on the authentication key at the old-value position of its database and the random number, and compares that result with the result it received; if they do not match, identity authentication fails; if they match, the authentication key at the old-value position of the database is written to the current-value position of the database.
The cryptographic operation comprises a hash operation, a symmetric encryption operation and an asymmetric encryption operation.
The present invention also proposes a method for updating an authentication key, the method comprising the following steps:
Step A: the server obtains the hardware identifier of the information security device from the client, and generates a random seed;
Step B: the server sends the random seed to the client over the network;
Step C: the information security device obtains the random seed from the client;
Step D: in the information security device and at the server respectively, the same cryptographic operation is performed on the random seed and the original authentication key to generate a new authentication key, and the authentication key in the information security device and in the server-side database is updated with the new authentication key. Updating the authentication key in the information security device and in the server-side database with the new authentication key comprises: after receiving an identity authentication request sent by the client, the server generates a random number and sends it to the client; the information security device obtains the random number from the client, performs a cryptographic operation inside the device on its stored authentication key and the random number, and sends the result to the server; the server performs the same operation as the information security device on the authentication key at the current-value position of its database and the random number, and compares its result with the result it received; if they match, identity authentication succeeds; if they do not match, the server performs the same cryptographic operation on the authentication key at the old-value position of its database and the random number, and compares that result with the result it received; if they do not match, identity authentication fails; if they match, the authentication key at the old-value position of the database is written to the current-value position of the database.
Step D specifically comprises: the information security device performs a cryptographic operation on the random seed it obtained and the original authentication key pre-stored inside it to obtain a new authentication key, and replaces its pre-stored authentication key with the new authentication key; the server performs the same cryptographic operation as the information security device on the random seed and the original authentication key stored in advance in its database to obtain the new authentication key, writes the original authentication key stored in its database to the old-value position of the server database, and writes the new authentication key to the current-value position of the server database.
The cryptographic operation comprises a hash operation, a symmetric encryption operation and an asymmetric encryption operation.
The present invention provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a verification module, a client authentication key generation module and a client authentication key storage module. The preprocessing module is used to perform an operation on the random seed generated by the server and the random number obtained from the information security device connected to the client, producing verification data, where the random number is generated in advance inside the information security device and stored in it; to read the original authentication key from the server authentication key storage module of the server database according to the hardware identifier of the information security device obtained by the server; to perform a cryptographic operation on the verification data and the original authentication key, obtaining a cryptographic operation result; and to send the random seed and the cryptographic operation result to the client over the network. The server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key, generating a new authentication key. The server authentication key storage module is used to store the authentication key and to update the stored authentication key with the new authentication key generated by the server authentication key generation module. The verification module is used to perform the same operation as the server on the random seed and the random number to produce verification data, to perform the same cryptographic algorithm as the server on the verification data and the original authentication key pre-stored in the information security device, and to compare its result with the cryptographic operation result obtained from the client; if the results match, the random seed obtained from the client is correct. Once the random seed obtained from the client has been found correct, the same cryptographic operation as at the server is performed on that random seed and the original authentication key pre-stored in the client authentication key storage module of the information security device, generating a new authentication key. The client authentication key storage module is used to store the authentication key and to update the stored authentication key with the new authentication key generated by the client authentication key generation module.
The system further comprises an authentication key update synchronization module, which is used to synchronize authentication key updates during identity authentication by having the server keep the two most recent authentication keys at the same time.
The present invention also provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a client authentication key generation module and a client authentication key storage module.
The preprocessing module is used to generate a random seed at the server, to obtain the hardware identifier of the information security device from the client, and to send the random seed to the client over the network. The server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key in the server authentication key storage module, generating a new authentication key. The server authentication key storage module is used to store the authentication key and to update the stored authentication key with the new authentication key generated by the server authentication key generation module. The client authentication key generation module is used to perform the same cryptographic operation as the server on the obtained random seed and the original authentication key pre-stored in the client authentication key storage module of the information security device, generating a new authentication key. The client authentication key storage module is used to store the authentication key and to update the stored authentication key with the new authentication key generated by the client authentication key generation module. The system further comprises an authentication key update synchronization module, which is used to synchronize authentication key updates during identity authentication by having the server keep the two most recent authentication keys at the same time.
Beneficial effects: the present invention avoids the insecurity of transmitting an authentication key over a network in plaintext and the management burden and high cost of transmitting it in ciphertext, and also avoids the inconvenience of updating an authentication key offline.
Description of drawings
Fig. 1 is a flowchart of the first method for updating an authentication key according to an embodiment of the invention;
Fig. 2 is a flowchart of the second method for updating an authentication key according to an embodiment of the invention;
Fig. 3 is a flowchart of authentication key update synchronization according to an embodiment of the invention;
Fig. 4 is a structural diagram of the first system for updating an authentication key according to an embodiment of the invention;
Fig. 5 is a structural diagram of the second system for updating an authentication key according to an embodiment of the invention.
Detailed description
The invention is further described below with reference to the drawings and specific embodiments, which do not limit the invention.
The hardware identifier, which includes the hardware serial number, is a globally unique identification number defined by the device manufacturer and stored inside the information security device, and it can be read out. The unique hardware identifier of each information security device can be used to distinguish different information security devices. The following embodiments are described using the hardware serial number.
Embodiment 1
As shown in Fig. 1, a method for updating an authentication key proposed by an embodiment of the invention comprises the following steps:
Step 101: the server obtains a random number ChallengeRand and the hardware serial number HSN of the information security device from the client, and generates a random seed SEED.
The random number ChallengeRand is generated in advance inside the information security device connected to the client computer, and is stored in the information security device.
Step 102: the server performs an operation on the random seed SEED and the random number ChallengeRand to produce verification data.
The operation includes combination, AND, OR, NOT, XOR, addition, subtraction, multiplication and so on.
Step 103: the server reads the original authentication key AKEY from the server database according to the hardware serial number of the information security device it obtained, and performs a cryptographic operation on the verification data and the original authentication key AKEY to obtain the cryptographic operation result Response.
The cryptographic operation mainly includes hash operations, symmetric encryption operations, asymmetric encryption operations and so on.
Step 104: the server sends the random seed SEED and the cryptographic operation result Response to the client over the network.
Step 105: the information security device obtains the random seed SEED and the cryptographic operation result Response from the client, and verifies the correctness of the random seed SEED.
The correctness of the random seed SEED is verified as follows: inside the information security device, the same operation as in step 102 is performed on the obtained random seed SEED and the random number ChallengeRand stored in the information security device to produce verification data; the same cryptographic operation as in step 103 is performed on the verification data and the original authentication key pre-stored in the information security device; and the result is compared with the cryptographic operation result Response obtained from the client. If the two results match, the obtained random seed SEED is correct.
Step 106: in the information security device and at the server respectively, the same cryptographic operation is performed on the random seed SEED and the original authentication key to produce a new authentication key NEW_AKEY, and the authentication key in the information security device and in the server-side database is updated with the new authentication key NEW_AKEY.
Generating and updating the authentication key NEW_AKEY in the information security device: inside the information security device, a cryptographic operation is performed on the random seed SEED obtained from the client and the original authentication key pre-stored in the information security device to obtain the new authentication key, and the new authentication key is written to the authentication key storage location in the information security device. The cryptographic operation includes a hash operation, a symmetric encryption operation, an asymmetric encryption operation and so on.
Generating and updating the authentication key at the server: the server performs the same cryptographic operation as the information security device on the random seed SEED it generated and the original authentication key stored in advance in the server-side database to obtain the new authentication key; the original authentication key is written to the old-value position of the server database, and the new authentication key is written to the current-value position of the server database. The cryptographic operation includes a hash operation, a symmetric encryption operation, an asymmetric encryption operation and so on.
To describe the technical solution of this embodiment more clearly, a concrete example follows:
The server generates a random seed SEED, and obtains from the client the hardware serial number HSN of the information security device and a random number ChallengeRand. The server performs a combination operation on the random seed SEED and the random number ChallengeRand, that is, concatenates them, obtaining the verification data ChallengeRand|SEED, so as to obtain a longer hash code that resists particular cryptanalytic attacks. The server performs a hash operation on the verification data ChallengeRand|SEED and the original authentication key AKEY, which it reads from the server database according to the hardware identifier HSN of the information security device, obtaining the result Response, that is, Response = HMAC(AKEY, ChallengeRand|SEED). The server sends the random seed SEED and the result Response to the client over the network. After the information security device obtains the random seed SEED and the result Response from the client, it performs the same hash operation internally, obtaining the result Response', that is, Response' = HMAC(AKEY, ChallengeRand|SEED). If Response' does not match the Response obtained from the client, the random seed SEED received by the information security device is incorrect, and an update failure is reported. If Response' matches the Response obtained from the client, the random seed SEED received by the information security device is correct; the information security device uses the hash algorithm to obtain the new authentication key NEW_AKEY = HMAC(AKEY, SEED), replaces the original authentication key AKEY in the information security device with NEW_AKEY, and notifies the server that the update succeeded. After the server receives the client's notice that the update succeeded, it performs the same hash operation to obtain the new authentication key NEW_AKEY = HMAC(AKEY, SEED), copies the current value in the server database into the old-value storage unit, and writes the new authentication key NEW_AKEY into the current-value storage unit of the database, completing the remote authentication key update process.
Embodiment 2
As shown in Fig. 2, an embodiment of the invention also provides a method for updating an authentication key, which comprises the following steps:
Step 201: the server obtains the hardware serial number HSN of the information security device from the client and generates a random seed SEED.
Step 202: the server sends the random seed SEED to the client over the network.
Step 203: the information security device obtains the random seed SEED from the client.
Step 204: in the information security device and at the server respectively, the same cryptographic operation is performed on the random seed SEED and the original authentication key to produce the new authentication key NEW_AKEY, and NEW_AKEY is used to update the authentication key in the information security device and in the server database.
Generating and updating the authentication key NEW_AKEY in the information security device: inside the device, a cryptographic operation is performed on the random seed SEED obtained from the client and the original authentication key pre-stored in the device to obtain the new authentication key, and the new authentication key is written to the authentication key storage location in the device. The cryptographic operation includes a hash operation, a symmetric encryption operation, an asymmetric encryption operation, or the like.
Generating and updating the authentication key at the server: the server performs, on the random seed SEED it generated and the original authentication key stored in advance in the server database, the same cryptographic operation as in the information security device to obtain the new authentication key; the original authentication key is written to the old-value location in the server database, and the new authentication key is written to the current-value location in the server database. The cryptographic operation includes a hash operation, a symmetric encryption operation, an asymmetric encryption operation, or the like.
To describe the technical solution of this embodiment more clearly, a concrete example follows:
The server first generates a random seed SEED and obtains the hardware serial number HSN of the information security device from the client. The server sends the random seed SEED to the client over the network. After the information security device obtains SEED from the client, it performs a hash operation internally on SEED and the original authentication key pre-stored in the device to obtain the new authentication key NEW_AKEY = HMAC(AKEY, SEED), replaces the original authentication key AKEY in the device with NEW_AKEY, and notifies the server that the update succeeded. After the server receives the client's notification that the update succeeded, it performs the same hash operation on the random seed it generated and the original authentication key AKEY, which it reads from the server database using the HSN it obtained, to obtain the new authentication key NEW_AKEY = HMAC(AKEY, SEED); it copies the current value in the server database into the old-value storage unit and then writes the new authentication key NEW_AKEY into the current-value storage unit of the database, completing the remote authentication key update.
During an authentication key update, network problems can sometimes leave the client-side and server-side key updates out of sync. For example, if the network is interrupted while the server is sending the random seed to the client, the seed does not reach the client and the authentication key update in the information security device cannot complete normally, so the key stored in the device is still the original authentication key; the server, however, has already performed its key update, so the key in its database is the updated one. The authentication key updates are then out of sync. This problem can be solved by keeping the two most recent authentication keys in the server database at the same time; that is, the server database has two storage locations for the authentication key, an old-value location and a current-value location. As shown in Fig. 3, the process of using the two most recent keys kept in the server database to synchronize the client-side and server-side key updates during identity authentication comprises the following steps:
Step 301: after receiving an identity authentication request from the client, the server generates a random number and sends it to the client.
Step 302: the information security device obtains the random number from the client.
Step 303: inside the information security device, a cryptographic operation is performed on the authentication key stored in the device and the random number, and the result is sent back to the server.
The cryptographic operation includes a hash operation, a symmetric encryption operation, an asymmetric encryption operation, and the like.
Step 304: the server performs the same cryptographic operation as in step 303 on the authentication key in the current-value location of its database and the random number, and compares the result with the result obtained from the information security device. If they match, step 307 is executed; otherwise step 305 is executed.
Step 305: the server performs the same cryptographic operation as in step 303 on the authentication key in the old-value location of its database and the random number, and compares the result with the result obtained. If they match, step 306 is executed; otherwise step 308 is executed.
Step 306: the authentication key in the old-value storage location of the server database is written to the current-value storage location, which completes the synchronization; subsequent authentications simply use the authentication key in the current-value location.
Step 307: identity authentication succeeds; end.
Step 308: identity authentication fails; end.
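The update exchange from the Embodiment 1 example and the two-slot resynchronization of steps 301 to 308 can be traced in the following added Python example, which is not code from the patent. HMAC-SHA-256, the 16-byte SEED and random numbers, the class and method names, the sample serial number and the constant-time comparison are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, msg: bytes) -> bytes:
    # The page writes HMAC(key, data) without naming a hash; SHA-256 is assumed.
    return hmac.new(key, msg, hashlib.sha256).digest()


class Device:
    """Information security device: stores a single authentication key."""

    def __init__(self, hsn: str, akey: bytes):
        self.hsn, self.akey, self.challenge = hsn, akey, None

    def new_challenge(self) -> bytes:
        # ChallengeRand is produced and kept inside the device (claim 2).
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def apply_update(self, seed: bytes, response: bytes) -> bool:
        if self.challenge is None:
            return False
        # Fixed 16-byte fields keep ChallengeRand|SEED unambiguous.
        expected = mac(self.akey, self.challenge + seed)
        self.challenge = None  # one challenge per update attempt (added choice)
        if not hmac.compare_digest(expected, response):
            return False  # SEED incorrect: report update failure, keep AKEY
        self.akey = mac(self.akey, seed)  # NEW_AKEY = HMAC(AKEY, SEED)
        return True

    def answer(self, rand: bytes) -> bytes:
        return mac(self.akey, rand)  # step 303


class Server:
    """Keeps two slots per device: the current value and the old value."""

    def __init__(self):
        self.db = {}

    def enroll(self, hsn: str, akey: bytes) -> None:
        self.db[hsn] = {"current": akey, "old": None}

    def start_update(self, hsn: str, challenge: bytes):
        seed = secrets.token_bytes(16)
        # Response = HMAC(AKEY, ChallengeRand|SEED)
        response = mac(self.db[hsn]["current"], challenge + seed)
        return seed, response

    def commit_update(self, hsn: str, seed: bytes) -> None:
        slot = self.db[hsn]
        slot["old"] = slot["current"]             # current value -> old value
        slot["current"] = mac(slot["old"], seed)  # NEW_AKEY -> current value

    def authenticate(self, hsn: str, rand: bytes, answer: bytes) -> str:
        slot = self.db[hsn]
        if hmac.compare_digest(mac(slot["current"], rand), answer):
            return "ok"  # step 304 -> step 307
        old = slot["old"]
        if old is not None and hmac.compare_digest(mac(old, rand), answer):
            slot["current"] = old  # step 306: old value becomes current again
            return "resynced"
        return "fail"  # step 308


def demo() -> dict:
    akey = secrets.token_bytes(32)  # constructed sample key
    server, dev = Server(), Device("HSN-EXAMPLE-01", akey)
    server.enroll(dev.hsn, akey)
    out = {}
    # 1. Normal update: device verifies SEED, rotates, then the server commits.
    seed, resp = server.start_update(dev.hsn, dev.new_challenge())
    out["update"] = dev.apply_update(seed, resp)
    server.commit_update(dev.hsn, seed)
    out["keys_match"] = server.db[dev.hsn]["current"] == dev.akey
    # 2. SEED altered in transit: Response' != Response, the device keeps AKEY.
    seed, resp = server.start_update(dev.hsn, dev.new_challenge())
    out["tampered"] = dev.apply_update(bytes([seed[0] ^ 1]) + seed[1:], resp)
    # 3. Desync as described on the page: server rotated, SEED never arrived.
    seed, _ = server.start_update(dev.hsn, dev.new_challenge())
    server.commit_update(dev.hsn, seed)
    for label in ("auth_after_desync", "auth_again"):
        rand = secrets.token_bytes(16)  # step 301: server-side random number
        out[label] = server.authenticate(dev.hsn, rand, dev.answer(rand))
    return out


if __name__ == "__main__":
    print(demo())
```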
Referring to Fig. 4, an embodiment of the invention provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a verification module, a client authentication key generation module and a client authentication key storage module.
The preprocessing module is used to produce verification data from the random seed generated by the server and the random number obtained from the client, to read the original authentication key from the server database according to the hardware identifier of the information security device obtained by the server, to perform a cryptographic operation on the verification data and the original authentication key to obtain an operation result, and to send the random seed and the operation result to the client over the network.
The server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key to generate the new authentication key.
The server authentication key storage module is used to store and update the authentication key.
The verification module is used to verify the correctness of the random seed obtained from the client.
The client authentication key generation module is used to perform a cryptographic operation on the obtained random seed and the original authentication key pre-stored in the information security device to generate the new authentication key.
The client authentication key storage module is used to store and update the authentication key.
The system also comprises an authentication key update synchronization module, which is used to synchronize authentication key updates during identity authentication by having the server keep the two most recent authentication keys at the same time.
Referring to Fig. 5, an embodiment of the invention also provides a system for updating an authentication key. The system comprises a server computer and an information security device connected to a client computer; the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a client authentication key generation module and a client authentication key storage module.
The preprocessing module is used to generate a random seed at the server, to obtain the hardware identifier of the information security device from the client, and to send the random seed to the client over the network.
The server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key to generate the new authentication key.
The server authentication key storage module is used to store and update the authentication key.
The client authentication key generation module is used to perform a cryptographic operation on the obtained random seed and the original authentication key pre-stored in the information security device to generate the new authentication key.
The client authentication key storage module is used to store and update the authentication key.
The system also comprises an authentication key update synchronization module, which is used to synchronize authentication key updates during identity authentication by having the server keep the two most recent authentication keys at the same time.
The embodiments described above are only several preferred embodiments of the invention; ordinary variations and substitutions made by those skilled in the art within the scope of the technical solution of the invention shall all fall within the scope of protection of the invention.

Claims (13)

1. A method for updating an authentication key, characterized in that the method comprises the following steps:
Step A: a server obtains a random number and the hardware identifier of an information security device from a client, and generates a random seed;
wherein the server obtains the random number from the information security device connected to the client;
Step B: the server performs an operation on the random seed and the random number to produce verification data;
Step C: the server reads the original authentication key from its database according to the hardware identifier of the information security device, performs a cryptographic operation on the original authentication key and the verification data, and sends the random seed and the result of the cryptographic operation to the client over the network;
Step D: the information security device obtains the random seed and the result of the cryptographic operation from the client and verifies the correctness of the random seed, wherein verifying the correctness of the random seed comprises: the information security device performs the same operation as the server on the random seed and the random number to produce verification data, performs the same cryptographic operation as the server on the verification data and the original authentication key pre-stored in the information security device, and compares the result of the cryptographic operation with the result obtained from the client; if the results match, the random seed is correct; if the results do not match, an update failure is reported;
Step E: in the information security device and at the server respectively, the same cryptographic operation is performed on the random seed and the original authentication key to generate a new authentication key, and the new authentication key is used to update the authentication key in the information security device and in the server database.
2. The method for updating an authentication key according to claim 1, characterized in that the random number is generated in advance in the information security device and stored in the information security device.
3. The method for updating an authentication key according to claim 1, characterized in that the operation comprises combination, AND, OR, NOT, XOR, addition, subtraction and/or multiplication.
4. The method for updating an authentication key according to claim 1, characterized in that step E specifically comprises: the information security device performs a cryptographic operation on the obtained random seed and the original authentication key pre-stored in the device to obtain a new authentication key, and updates the authentication key pre-stored in the device with the new authentication key; the server performs, on the random seed and the original authentication key stored in advance in its database, the same cryptographic operation as in the information security device to obtain the new authentication key, writes the original authentication key stored in advance in its database to the old-value location in the server database, and writes the new authentication key to the current-value location in the server database.
5. The method for updating an authentication key according to claim 1, characterized in that the method further comprises a step of synchronizing authentication key updates: after the server receives an identity authentication request sent by the client, it generates a random number and sends the random number to the client; the information security device obtains the random number from the client, performs a cryptographic operation internally on the authentication key it stores and the random number, and sends the result of the cryptographic operation to the server; the server performs, on the authentication key in the current-value location of its database and the random number, the same cryptographic operation as in the information security device, and compares the result with the result obtained; if the results match, identity authentication succeeds; if the results do not match, the server performs, on the authentication key in the old-value location of its database and the random number, the same cryptographic operation as in the information security device, and compares the result with the result obtained; if the results do not match, identity authentication fails; if the results match, the authentication key in the old-value location of its database is written to the current-value location of its database.
6. The method for updating an authentication key according to claim 1, 4 or 5, characterized in that the cryptographic operation comprises a hash operation, a symmetric encryption operation and an asymmetric encryption operation.
7. A method for updating an authentication key, characterized in that the method comprises the following steps:
Step A: a server obtains the hardware identifier of an information security device from a client, and generates a random seed;
Step B: the server sends the random seed to the client over the network;
Step C: the information security device obtains the random seed from the client;
Step D: in the information security device and at the server respectively, the same cryptographic operation is performed on the random seed and the original authentication key to generate a new authentication key, and the new authentication key is used to update the authentication key in the information security device and in the server database, wherein updating the authentication key in the information security device and in the server database with the new authentication key comprises: after the server receives an identity authentication request sent by the client, it generates a random number and sends the random number to the client; the information security device obtains the random number from the client, performs a cryptographic operation internally on the authentication key it stores and the random number, and sends the result of the cryptographic operation to the server; the server performs, on the authentication key in the current-value location of its database and the random number, the same operation as in the information security device, and compares the operation result with the result of the cryptographic operation obtained; if the results match, identity authentication succeeds; if the results do not match, the server performs, on the authentication key in the old-value location of its database and the random number, the same cryptographic operation as in the information security device, and compares the result with the result obtained; if the results do not match, identity authentication fails; if the results match, the authentication key in the old-value location of its database is written to the current-value location of its database.
8. The method for updating an authentication key according to claim 7, characterized in that step D specifically comprises: the information security device performs a cryptographic operation on the obtained random seed and the original authentication key pre-stored in the device to obtain a new authentication key, and updates the authentication key pre-stored in the device with the new authentication key; the server performs, on the random seed and the original authentication key stored in advance in its database, the same cryptographic operation as in the information security device to obtain the new authentication key, writes the original authentication key stored in advance in its database to the old-value location in the server database, and writes the new authentication key to the current-value location in the server database.
9. The method for updating an authentication key according to claim 7 or 8, characterized in that the cryptographic operation comprises a hash operation, a symmetric encryption operation and an asymmetric encryption operation.
10. A system for updating an authentication key, characterized in that the system comprises a server computer and an information security device connected to a client computer, the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a verification module, a client authentication key generation module and a client authentication key storage module;
the preprocessing module is used to perform an operation on the random seed generated by the server and the random number obtained from the information security device connected to the client, to produce verification data, wherein the random number is generated in advance inside the information security device and stored in the information security device; to read the original authentication key from the server authentication key storage module of the server database according to the hardware identifier of the information security device obtained by the server; to perform a cryptographic operation on the verification data and the original authentication key to obtain a cryptographic operation result; and to send the random seed and the cryptographic operation result to the client over the network;
the server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key to generate a new authentication key;
the server authentication key storage module is used to store the authentication key and to update the stored authentication key according to the new authentication key generated by the server authentication key generation module;
the verification module is used to perform the same operation as the server on the random seed and the random number to produce verification data, to apply the same cryptographic algorithm as the server to the verification data and the original authentication key pre-stored in the information security device, and to compare the result of the cryptographic operation with the result obtained from the client; if the results match, the random seed obtained from the client is correct;
the client authentication key generation module is used, after the verification module has verified that the random seed obtained from the client is correct, to perform the same cryptographic operation as the server on the obtained random seed and the original authentication key pre-stored in the client authentication key storage module of the information security device, to generate a new authentication key;
the client authentication key storage module is used to store the authentication key and to update the stored authentication key according to the new authentication key generated by the client authentication key generation module.
11. The system for updating an authentication key according to claim 10, characterized in that the system further comprises an authentication key update synchronization module, which is used to synchronize authentication key updates during identity authentication by having the server keep the two most recent authentication keys at the same time.
12. A system for updating an authentication key, characterized in that the system comprises a server computer and an information security device connected to a client computer, the server computer comprises a preprocessing module, a server authentication key generation module and a server authentication key storage module, and the information security device comprises a client authentication key generation module and a client authentication key storage module;
the preprocessing module is used to generate a random seed at the server, to obtain the hardware identifier of the information security device from the client, and to send the random seed to the client over the network;
the server authentication key generation module is used to perform a cryptographic operation on the random seed and the original authentication key in the server authentication key storage module to generate a new authentication key;
the server authentication key storage module is used to store the authentication key and to update the stored authentication key according to the new authentication key generated by the server authentication key generation module;
the client authentication key generation module is used to perform the same cryptographic operation as the server on the obtained random seed and the original authentication key pre-stored in the client authentication key storage module of the information security device, to generate a new authentication key;
the client authentication key storage module is used to store the authentication key and to update the stored authentication key according to the new authentication key generated by the client authentication key generation module.
13. The system for updating an authentication key according to claim 12, characterized in that the system further comprises an authentication key update synchronization module, which is used to synchronize authentication key updates during identity authentication by having the server keep the two most recent authentication keys at the same time.
CNB2006101697598A 2006-12-28 2006-12-28 A kind of method and system that upgrades authenticate key Active CN100561916C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101697598A CN100561916C (en) 2006-12-28 2006-12-28 A kind of method and system that upgrades authenticate key

Publications (2)

Publication Number Publication Date
CN101005357A CN101005357A (en) 2007-07-25
CN100561916C true CN100561916C (en) 2009-11-18

Family

ID=38704253

Country Status (1)

Country Link
CN (1) CN100561916C (en)

US9704159B2 (en) Purchase transaction system with encrypted transaction information
EP1750389B1 (en) System and method for updating keys used for public key cryptography
US20170214664A1 (en) Secure connections for low power devices
TW202015378A (en) Cryptographic operation method, method for creating work key, and cryptographic service platform and device
TWI724555B (en) Key management method, security chip, business server and information system
WO2020065633A1 (en) Method, user device, management device, storage medium and computer program product for key management
CN111464315B (en) Digital signature processing method, device, computer equipment and storage medium
CN111080299B (en) Anti-repudiation method for transaction information, client and server
EP3292654B1 (en) A security approach for storing credentials for offline use and copy-protected vault content in devices
CN109005184A (en) File encrypting method and device, storage medium, terminal
CN110138548A (en) Based on unsymmetrical key pond to and DH agreement quantum communications service station cryptographic key negotiation method and system
CN112765626A (en) Authorization signature method, device and system based on escrow key and storage medium
Sathya et al. A comprehensive study of blockchain services: future of cryptography
CN106657002A (en) Novel crash-proof base correlation time multi-password identity authentication method
CN116340331A (en) Large instrument experimental result evidence-storing method and system based on blockchain
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
CN116210199A (en) Data management and encryption in a distributed computing system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: FEITIAN CHENGXIN TECHNOLOGIES CO., LTD.

Free format text: FORMER NAME: BEIJING FEITIAN CHENGXIN SCIENCE + TECHNOLOGY CO. LTD.

CP03 Change of name, title or address

Address after: 100085 Beijing city Haidian District Xueqing Road No. 9 Ebizal building B block 17 layer

Patentee after: Feitian Technologies Co.,Ltd.

Address before: 100083, Haidian District, Xueyuan Road, No. 40 research, 7 floor, 5 floor, Beijing

Patentee before: FEITIAN TECHNOLOGIES Co.,Ltd.

CP03 Change of name, title or address

Address after: 17th floor, building B, Huizhi building, No.9, Xueqing Road, Haidian District, Beijing 100085

Patentee after: Feitian Technologies Co.,Ltd.

Country or region after: China

Address before: 100085 17th floor, block B, Huizhi building, No.9 Xueqing Road, Haidian District, Beijing

Patentee before: Feitian Technologies Co.,Ltd.

Country or region before: China

CP03 Change of name, title or address