CN105959112B - A kind of offline key injected system and method - Google Patents
A kind of offline key injected system and method Download PDFInfo
- Publication number
- CN105959112B CN105959112B CN201610522275.0A CN201610522275A CN105959112B CN 105959112 B CN105959112 B CN 105959112B CN 201610522275 A CN201610522275 A CN 201610522275A CN 105959112 B CN105959112 B CN 105959112B
- Authority
- CN
- China
- Prior art keywords
- key
- module
- library
- injection gun
- central
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0827—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a kind of offline key injected systems, including key injection gun and central key library;Key injection gun includes identification code reader, display module, Keysheet module, connection transmission module, network communication module;It preserves in central key library: the public key of the public and private key of central distributor and the equipment or module that are managed.A kind of offline key method for implanting is also disclosed, this method can ensure under non-reliable environment, the reliable importing of equipment public key.In whole flow process, key gun itself is not involved in the generation and modification of data content, which strongly simplifies maintenance of equipment/replacement place and personnel requirements as just the carrier with central key library interaction data.
Description
Technical field
The invention belongs to technical field of security authentication more particularly to a kind of offline key injected systems and method.
Background technique
In industrial circle, certain equipment A booting operation must be under effective supervision, and serve as this supervision function is to set
Detachable module B on standby A, module B is positioned by GPS/ Beidou or the modes such as short-wave reception, when detecting that equipment A currently transports
When row environment meets operation expectation, equipment A is allowed to start, otherwise, module B will pass through the modes such as cutting circuit/stopping response, resistance
Only equipment A starts.Obviously, one-way or bi-directional identification and authentication condition should be met between equipment A and module B, to keep away
Exempt to forge or distort module B instruction/response, to bypass oversight mechanism.
It, can be in factory by the public key to module B importing equipment A, to equipment A import modul B's when factory
The mode of public key, to initialize trusting relationship between the two.
Such as: as shown in Figure 1, the mode being mutually authenticated between module B and equipment A is as follows: module B timing is (such as: every 1
Minute) signal for passing through coding is sent to equipment A, from the point of view of equipment A, if every 1 minute can receive correct signal, just
It continues to run, it is out of service if signal interruption.
It is illustrated with process needed for equipment A authentication module B, including initial phase and operation phase:
Initial phase:
Step 1.1, central key library public key (PUBK (c)) is imported into equipment A;
Step 1.2, (optional) when leaving the factory, imports central key library public key (PUBK (c)) into module B;
Step 1.3, a (with b alternative) is externally generated the public private key pair of module B, the import modul B itself into module B
Public private key pair;
B (with a alternative) public private key pair of generation module B itself in module B, and export public key therein;
Step 1.3, into equipment A import modul B public key.
Operation phase, comprising the following steps:
Step 2.1, module B requests random number to equipment A;
Step 2.2, equipment A returns to random number N (a) to module B;
Step 2.3, module B is digitally signed random number N (a) using own private key PRIVK (b), obtains result S
(b)=sign (N (a), PRIVK (b));
Step 2.4, S (b) is issued equipment A as the signal after coding by module B;
Step 2.5, equipment A verifies S (b) using the public key PUBK (b) of the module B saved in advance: if verifying is logical
It crosses, continues to run, it is otherwise out of service.
By public-key mechanism, guarantee that signature must be from specified private key.Since the random number N (a) signed every time is all different
Sample can play the mechanism of anti-replay in this way.
It is the process of equipment A authentication module B above.The mechanism can also be random from equipment A to module B request in turn
Number completes the process of module B authenticating device A.
Therefore, above-mentioned security mechanism can be effective crucial, is to ensure module B's by mode as shown in Figure 1
Signal can not be forged, it is contemplated however that in use, failure occurs in module B, take out new module B from storehouse at this time, but
Be between new module B and old equipment A and there is no preset trusting relationship, if cannot new module B and used equipment A it
Between set up reliable authentication relationship, it is possible to occur forging or distorting instruction/response, make oversight mechanism fail risk.
If the other side's public key obtained at the beginning is forged, all authentication results all will be false below.
Therefore, it is necessary to one kind in the case where target device can not be online, how safe and reliable easily to needed for target device importing
Data (key) help target device and other equipment to set up the system and method for the trusting relationship based on certification.
Summary of the invention
In view of the above technical problems, the present invention proposes a kind of offline key injected system and method, for offline at two
The initial trust relationships based on public key architecture, equipment and mould for solving not networking are established between equipment or module
The problem of being mutually authenticated between block.
In order to achieve the above objectives, the technical solution adopted by the present invention is as follows.
In the case that equipment A, module B are offline, realize as follows to the key step of equipment A import modul B:
A kind of offline key injected system, comprising: key injection gun and central key library.
Offline key injection shares 4 participants:
1, equipment A
2, module B
3, key injection gun includes following component part:
A) the identification codes reader such as two dimensional code/bar code/electronic tag, for obtaining the identification code of equipment or module.
B) display screen or indicator light give the Operating Guideline of user's operational feedback or next step;
C) keyboard or touch screen, input operation instruction for user;
D) transmission module is connected, the data interaction being responsible between key injection gun and equipment A or module B;
E) network communication module, the interaction being responsible between central key library;
4, central key library, central key library are preserved:
E) the public and private key of central distributor;
F) institute's management equipment/module public key.
A kind of offline key method for implanting, which comprises the following steps:
Step 11, key injection gun obtains the identification code ID (b) of module B;
Step 12, key injection gun obtains the access address in central key library;
Step 13, ID (b) is sent to central key library by key injection gun;
Step 14, central key library is according to ID (b), the public key PUBK (b) of searching module B, and uses the private key of oneself
PRIVK (c) signs to PUBK (b), obtains result S (c)=sign (PUBK (b), PRIVK (c));
Step 15, central key library returns to R=PUBK (b)+S (c) to key injection gun;
Step 16, R is imported and is given equipment A by key injection gun;
Step 17, equipment A verifies the signature S (c) in central key library, if signature meets, imports PUBK (b);Otherwise
Refusal imports.
Preferably, the process that random number is obtained from equipment A can be added in the above-mentioned methods, it is anti-heavy to enhance whole system
The ability of hair, specifically includes the following steps:
Step 21, key injection gun obtains the identification code ID (b) of module B;
Step 211, key injection gun is to equipment A request random number;
Step 212, equipment A returns to random number N (a) to key injection gun;
Step 22, key injection gun obtains the access address in central key library;
Step 23, key injection gun sends ID (b) and N (a) to central key library;
Step 24, central key library is according to ID (b), the public key PUBK (b) of searching module B, and uses the private key of oneself
PRIVK (c) signs to the public key and random number N (a) of module B, obtains result S (c)=sign (PUBK (b)+N (a), PRIVK
(c));
Step 25, central key library returns to R=PUBK (b)+S (c) to key injection gun;
Step 26, R is imported and is given equipment A by key injection gun;
Step 27, equipment A verifies central key library using the central key library public key PUBK (c) and N (a) that are locally stored
Signature S (c), if signature meet, import PUBK (b);Otherwise refusal imports.
Preferably, equipment A public key+private key signature information can also be added, in the above-mentioned methods to realize central key library
Management to device keys pairing situation, specifically includes the following steps:
Step 31, key injection gun obtains the identification code ID (b) of module B;
Step 311, key injection gun requests random number and the identification code of equipment A to equipment A;
Step 312, equipment A returns to the identification code ID (a) of random number N (a) and equipment A to key injection gun, and using certainly
Oneself private key PRIVK (a) carries out signature S (a)=sign (N (a)+ID (a), PRIVK (a)) data of return, while will label
Name S (a) also returns to key injection gun;
Step 32, key injection gun obtains the access address in central key library;
Step 33, key injection gun sends ID (b) to central key library, N (a), ID (a), S (a);
Step 341, central key library is set according to ID (a), the public key PUBK (a) of searching module A using PUBK (a) verifying
The private key signature S (a) of standby A;
Step 342, central key library is according to ID (b), the public key PUBK (b) of searching module B, and uses the private key of oneself
PRIVK (c) signs S (c)=sign (PUBK (b)+N (a), PRIVK (c)) to the public key and random number N (a) of module B;
Step 343, the management information of central key library recording equipment A and module B;
Step 35, central key library returns to R=PUBK (b)+S (c) to key injection gun;
Step 36, R is imported and is given equipment A by key injection gun;
Step 37, equipment A verifies central key library using the central key library public key PUBK (c) and N (a) that are locally stored
Signature S (c), if signature meet, import PUBK (b);Otherwise refusal imports.
The process of module B authenticating device A is realized to module B in the case that equipment A, module B are offline and imports equipment A
Key step it is as follows: a kind of offline key method for implanting, comprising the following steps:
Step 41, key injection gun obtains the identification code ID (a) of equipment A;
Step 42, key injection gun obtains the access address in central key library;
Step 43, ID (a) is sent to central key library by key injection gun;
Step 44, central key library is according to ID (a), the public key PUBK (a) of searching module B, and uses the private key of oneself
PRIVK (c) signs to PUBK (a), obtains result S (c)=sign (PUBK (a), PRIVK (c));
Step 45, central key library returns to R=PUBK (a)+S (c) to key injection gun;
Step 46, R is imported and is given module B by key injection gun;
Step 47, module B verifies the signature S (c) in central key library, if signature meets, imports PUBK (a);Otherwise
Refusal imports.
Preferably, the process that random number is obtained from module B can be added in the above-mentioned methods, it is anti-heavy to enhance whole system
The ability of hair, specifically includes the following steps:
Step 51, key injection gun obtains the identification code ID (a) of equipment A;
Step 511, key injection gun is to module B request random number;
Step 512, module B returns to random number N (b) to key injection gun;
Step 52, key injection gun obtains the access address in central key library;
Step 53, key injection gun sends ID (a) and N (b) to central key library;
Step 54, the public key PUBK (a) of equipment A is searched according to ID (a) in central key library, and uses the private key of oneself
PRIVK (c) signs to the public key and random number N (b) of equipment A, obtains result S (c)=sign (PUBK (a)+N (b), PRIVK
(c));
Step 55, central key library returns to R=PUBK (a)+S (c) to key injection gun;
Step 56, R is imported and is given module B by key injection gun;
Step 57, module B verifies central key library using the central key library public key PUBK (c) and N (b) that are locally stored
Signature S (c), if signature meet, import PUBK (a);Otherwise refusal imports.
Preferably, module B public key+private key signature information can also be added, in the above-mentioned methods to realize central key library
Management to device keys pairing situation, specifically includes the following steps:
Step 61, key injection gun obtains the identification code ID (a) of equipment A;
Step 611, key injection gun requests random number and the identification code of module B to module B;
Step 612, module B returns to the identification code ID (b) of random number N (b) and module B to key injection gun, and using certainly
Oneself private key PRIVK (b) carries out signature S (b)=sign (N (b)+ID (b), PRIVK (b)) data of return, while will label
Name S (b) also returns to key injection gun;
Step 62, key injection gun obtains the access address in central key library;
Step 63, key injection gun sends ID (a) to central key library, N (b), ID (b), S (b);
Step 641, mould is verified using PUBK (b) according to ID (b), the public key PUBK (b) of searching module B in central key library
The private key signature S (b) of block B;
Step 642, the public key PUBK (a) of equipment A is searched according to ID (a) in central key library, and uses the private key of oneself
PRIVK (c) signs S (c)=sign (PUBK (a)+N (b), PRIVK (c)) to the public key and random number N (b) of equipment A;
Step 643, the management information of central key library recording equipment A and module B;
Step 65, central key library returns to R=PUBK (a)+S (c) to key injection gun;
Step 66, R is imported and is given module B by key injection gun;
Step 67, module B verifies central key library using the central key library public key PUBK (c) and N (b) that are locally stored
Signature S (c), if signature meet, import PUBK (a);Otherwise refusal imports.
The invention has the following advantages:
In industrial environment, most equipment works in off-line case, mutual when needing to occur between equipment and equipment
Certification, when mutually linking, we can conveniently realize the letter between equipment by public key mechanisms+digital signature
Breath is recognized each other.But using a premise of public key mechanisms is exactly that the trusting relationship of most initial must be under reliable environment
It establishes.
In equipment factory, it is reliable that we, which can set environment in factory, but after equipment factory, spreads various regions, when
When wherein some module needs replacing, we can not determine replacement environment whether be it is safe and reliable, therefore, Wo Menshe
The mechanism that key gun injects public key offline has been counted, to ensure under non-reliable environment, the reliable importing of equipment public key.
In whole flow process, for key gun as just the carrier with central key library interaction data, itself is not involved in data
The generation and modification of content, therefore, key gun itself can be with widespread deployments, without resting in specific people's hand.This is greatly
Simplify maintenance of equipment/replacement place and personnel requirement.
Based on above scheme, we not only can solve equipment how credible the problem of recognizing each other, while also mutual for equipment
Recognize middle opposite end public key and import offline and devises perfect scheme.
Detailed description of the invention
The mode that Fig. 1 is mutually authenticated between module B and equipment A.
Fig. 2 is the offline key method for implanting one of the embodiment of the present invention.
Fig. 3 is the offline key method for implanting two of the embodiment of the present invention.
Fig. 4 is the offline key method for implanting three of the embodiment of the present invention.
Specific embodiment
For the ease of the understanding of those skilled in the art, the present invention is made further below with reference to embodiment and attached drawing
It is bright.
Offline key injection shares 4 participants:
1. equipment A
2. module B
3. key injection gun.Key injection gun can be made of common apparatus it is (such as mobile phone+transmission line) or special
Equipment.Key injection gun should include following component part:
A) two dimensional code/bar code/e-tag reader
B) display screen or indicator light give the Operating Guideline of user's operational feedback or next step
C) keyboard or touch screen, input operation instruction for user;
D) transmission module is connected, the data interaction being responsible between equipment A or module B
4. central key library.It preserves in central key library:
A) the public and private key of central distributor;
B) institute's management equipment/module public key;
Embodiment 1, the process one imported offline as shown in Fig. 2, specifically includes the following steps:
Step 1, key injection gun obtains the identification code ID (b) of module B;
Step 2, key injection gun obtains the access address in central key library;
Step 3, ID (b) is sent to central key library by key injection gun;
Step 4, central key library is according to ID (b), the public key PUBK (b) of searching module B, and uses the private key of oneself
PRIVK (c) signs to PUBK (b), obtains result S (c)=sign (PUBK (b), PRIVK (c));
Step 5, central key library returns to R=PUBK (b)+S (c) to key injection gun;
Step 6, R is imported and is given equipment A by key injection gun;
Step 7, equipment A verifies the signature S (c) in central key library, if signature meets, imports PUBK (b);Otherwise it refuses
It imports absolutely.
Embodiment 2, as shown in figure 3, the process for obtaining random number from equipment A can also be added in embodiment 1, with enhancing
The ability of whole system anti-replay, process two such as Fig. 3.
Embodiment 3, as shown in figure 4, equipment A public key+private key signature information can also be added in example 2, to realize
Management of the central key library to device keys pairing situation (equipment X and module Y have been matched).
Above embodiment is merely illustrative of the invention's technical idea, and this does not limit the scope of protection of the present invention, all
It is any changes made on the basis of the technical scheme according to the technical idea provided by the invention, each falls within present invention protection model
Within enclosing.The technology that the present invention is not directed to can be realized by existing technology.
Claims (10)
1. a kind of offline key method for implanting, is related to off-line device A and off-line module B, which comprises the following steps:
Step 11, key injection gun obtains the identification code ID (b) of module B;
Step 12, key injection gun obtains the access address in central key library;
Step 13, identification code ID (b) is sent to central key library by key injection gun;
Step 14, central key library is according to identification code ID (b), the public key PUBK (b) of searching module B, and uses the private key of oneself
PRIVK (c) signs to PUBK (b), obtains result S (c)=sign (PUBK (b), PRIVK (c));
Step 15, central key library returns to R=PUBK (b)+S (c) to key injection gun;
Step 16, R is imported and is given equipment A by key injection gun;
Step 17, equipment A verifies the signature S (c) in central key library, if signature meets, imports PUBK (b);Otherwise refuse
It imports.
2. offline key method for implanting according to claim 1, which is characterized in that be added from equipment A and obtain random number
Process, to enhance the ability of whole system anti-replay, specifically includes the following steps:
Step 21, key injection gun obtains the identification code ID (b) of module B;
Step 211, key injection gun is to equipment A request random number;
Step 212, equipment A returns to random number N (a) to key injection gun;
Step 22, key injection gun obtains the access address in central key library;
Step 23, key injection gun sends identification code ID (b) and random number N (a) to central key library;
Step 24, central key library is according to identification code ID (b), the public key PUBK (b) of searching module B, and uses the private key of oneself
PRIVK (c) signs to the public key and random number N (a) of module B, obtains result S (c)=sign (PUBK (b)+N (a), PRIVK
(c));
Step 25, central key library returns to R=PUBK (b)+S (c) to key injection gun;
Step 26, R is imported and is given equipment A by key injection gun;
Step 27, equipment A verifies central key using the central key library public key PUBK (c) and random number N (a) that are locally stored
The signature S (c) in library imports PUBK (b) if signature meets;Otherwise refusal imports.
3. offline key method for implanting according to claim 2, which is characterized in that equipment A public key and private key signature is added
Information, to realize management of the central key library to device keys pairing situation, specifically includes the following steps:
Step 31, key injection gun obtains the identification code ID (b) of module B;
Step 311, key injection gun requests random number and the identification code of equipment A to equipment A;
Step 312, equipment A returns to the identification code ID (a) of random number N (a) and equipment A to key injection gun, and uses oneself
Private key PRIVK (a) carries out signature S (a)=sign (N (a)+ID (a), PRIVK (a)) data of return, while the S that will sign
(a) key injection gun is also returned to;
Step 32, key injection gun obtains the access address in central key library;
Step 33, key injection gun sends identification code ID (b) to central key library, random number N (a), identification code ID (a), label
Name S (a);
Step 341, the public key PUBK (a) of equipment A is searched according to identification code ID (a) in central key library, is verified using PUBK (a)
The private key signature S (a) of equipment A;
Step 342, central key library is according to identification code ID (b), the public key PUBK (b) of searching module B, and uses the private key of oneself
PRIVK (c) signs S (c)=sign (PUBK (b)+N (a), PRIVK (c)) to the public key and random number N (a) of module B;
Step 343, the management information of central key library recording equipment A and module B;
Step 35, central key library returns to R=PUBK (b)+S (c) to key injection gun;
Step 36, R is imported and is given equipment A by key injection gun;
Step 37, equipment A verifies central key using the central key library public key PUBK (c) and random number N (a) that are locally stored
The signature S (c) in library imports PUBK (b) if signature meets;Otherwise refusal imports.
4. according to claim 1 to offline key method for implanting described in one of 3, it is characterised in that:
The key injection gun, comprising:
Identification code reader;The identification code is two dimensional code, bar code or electronic tag;
Display module gives the Operating Guideline of user's operational feedback or next step;
Keysheet module is input operation instruction for user;
Transmission module is connected, the data being responsible between key injection gun and equipment to be implanted are transmitted;
Network communication module: it is responsible for interacting with central key library;
It preserves in the central key library:
The central public and private key of distributor;
The public key of the equipment or module that are managed.
5. a kind of offline key injected system for being used in offline key method for implanting described in one of claims 1 to 3, special
Sign is, comprising: key injection gun and central key library;
Key injection gun, comprising:
Identification code reader;The identification code is two dimensional code, bar code or electronic tag;
Display module gives the Operating Guideline of user's operational feedback or next step;
Keysheet module is input operation instruction for user;
Transmission module is connected, the data being responsible between key injection gun and equipment to be implanted are transmitted;
Network communication module: it is responsible for interacting with central key library;
It preserves in central key library:
The central public and private key of distributor;
The public key of the equipment or module that are managed.
6. a kind of offline key method for implanting, is related to off-line device A and off-line module B, which comprises the following steps:
Step 41, key injection gun obtains the identification code ID (a) of equipment A;
Step 42, key injection gun obtains the access address in central key library;
Step 43, identification code ID (a) is sent to central key library by key injection gun;
Step 44, central key library is according to identification code ID (a), the public key PUBK (a) of searching module B, and uses the private key of oneself
PRIVK (c) signs to PUBK (a), obtains result S (c)=sign (PUBK (a), PRIVK (c));
Step 45, central key library returns to R=PUBK (a)+S (c) to key injection gun;
Step 46, R is imported and is given module B by key injection gun;
Step 47, module B verifies the signature S (c) in central key library, if signature meets, imports PUBK (a);Otherwise refuse
It imports.
7. offline key method for implanting according to claim 6, which is characterized in that be added from module B and obtain random number
Process, to enhance the ability of whole system anti-replay, specifically includes the following steps:
Step 51, key injection gun obtains the identification code ID (a) of equipment A;
Step 511, key injection gun is to module B request random number;
Step 512, module B returns to random number N (b) to key injection gun;
Step 52, key injection gun obtains the access address in central key library;
Step 53, key injection gun sends identification code ID (a) and random number N (b) to central key library;
Step 54, the public key PUBK (a) of equipment A is searched according to identification code ID (a) in central key library, and uses the private key of oneself
PRIVK (c) signs to the public key and random number N (b) of equipment A, obtains result S (c)=sign (PUBK (a)+N (b), PRIVK
(c));
Step 55, central key library returns to R=PUBK (a)+S (c) to key injection gun;
Step 56, R is imported and is given module B by key injection gun;
Step 57, module B verifies central key using the central key library public key PUBK (c) and random number N (b) that are locally stored
The signature S (c) in library imports PUBK (a) if signature meets;Otherwise refusal imports.
8. according to the method described in claim 6, it is characterized in that, module B public key and private key signature information is added, in realizing
Management of the cipher key store to device keys pairing situation is entreated, specifically includes the following steps:
Step 61, key injection gun obtains the identification code ID (a) of equipment A;
Step 611, key injection gun requests random number and the identification code of module B to module B;
Step 612, module B returns to the identification code ID (b) of random number N (b) and module B to key injection gun, and uses oneself
Private key PRIVK (b) carries out signature S (b)=sign (N (b)+ID (b), PRIVK (b)) data of return, while the S that will sign
(b) key injection gun is also returned to;
Step 62, key injection gun obtains the access address in central key library;
Step 63, key injection gun sends identification code ID (a) to central key library, random number N (b), identification code ID (b), label
Name S (b);
Step 641, central key library is verified according to identification code ID (b), the public key PUBK (b) of searching module B using PUBK (b)
The private key signature S (b) of module B;
Step 642, the public key PUBK (a) of equipment A is searched according to identification code ID (a) in central key library, and uses the private key of oneself
PRIVK (c) signs S (c)=sign (PUBK (a)+N (b), PRIVK (c)) to the public key and random number N (b) of equipment A;
Step 643, the management information of central key library recording equipment A and module B;
Step 65, central key library returns to R=PUBK (a)+S (c) to key injection gun;
Step 66, R is imported and is given module B by key injection gun;
Step 67, module B verifies central key using the central key library public key PUBK (c) and random number N (b) that are locally stored
The signature S (c) in library imports PUBK (a) if signature meets;Otherwise refusal imports.
9. the offline key method for implanting according to one of claim 6 to 8, it is characterised in that:
The key injection gun, comprising:
Identification code reader;The identification code is two dimensional code, bar code or electronic tag;
Display module gives the Operating Guideline of user's operational feedback or next step;
Keysheet module is input operation instruction for user;
Transmission module is connected, the data being responsible between key injection gun and equipment to be implanted are transmitted;
Network communication module: it is responsible for interacting with central key library;
It preserves in the central key library:
The central public and private key of distributor;
The public key of the equipment or module that are managed.
10. a kind of offline key injected system for being used in offline key method for implanting described in one of claim 6 to 8,
It is characterized in that, comprising: key injection gun and central key library;
Key injection gun, comprising:
Identification code reader;The identification code is two dimensional code, bar code or electronic tag;
Display module gives the Operating Guideline of user's operational feedback or next step;
Keysheet module is input operation instruction for user;
Transmission module is connected, the data being responsible between key injection gun and equipment to be implanted are transmitted;
Network communication module: it is responsible for interacting with central key library;
It preserves in central key library:
The central public and private key of distributor;
The public key of the equipment or module that are managed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610522275.0A CN105959112B (en) | 2016-07-05 | 2016-07-05 | A kind of offline key injected system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610522275.0A CN105959112B (en) | 2016-07-05 | 2016-07-05 | A kind of offline key injected system and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105959112A CN105959112A (en) | 2016-09-21 |
| CN105959112B true CN105959112B (en) | 2019-01-22 |
Family
ID=56903203
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610522275.0A Active CN105959112B (en) | 2016-07-05 | 2016-07-05 | A kind of offline key injected system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105959112B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107888381B (en) * | 2017-11-09 | 2020-08-07 | 飞天诚信科技股份有限公司 | Method, device and system for realizing key import |
| CN114710345A (en) * | 2022-03-31 | 2022-07-05 | 惠州华阳通用电子有限公司 | Authentication feature information writing method and system |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101783732A (en) * | 2010-03-12 | 2010-07-21 | 西安西电捷通无线网络通信股份有限公司 | Offline mutual authentication method and system based on pre-shared key |
| CN101989991A (en) * | 2010-11-24 | 2011-03-23 | 北京天地融科技有限公司 | Method for importing secret keys safely, electronic signature tool, authentication device and system |
| CN102315944A (en) * | 2011-09-29 | 2012-01-11 | 上海动联信息技术有限公司 | Seed key multi-time injection dynamic token, dynamic password authentication system and method |
| CN102571355A (en) * | 2012-02-02 | 2012-07-11 | 飞天诚信科技股份有限公司 | Method and device for importing secret key without landing |
| CN103944717A (en) * | 2013-01-22 | 2014-07-23 | 国民技术股份有限公司 | Audio secret key generation apparatus, audio secret key system and audio secret key injection method |
| CN104796264A (en) * | 2015-05-05 | 2015-07-22 | 苏州海博智能***有限公司 | Seed key update method based on non-contact manner, dynamic token and system |
| CN105681034A (en) * | 2016-02-24 | 2016-06-15 | 山东超越数控电子有限公司 | Document secret management method and system based on digital labels |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8634561B2 (en) * | 2011-05-04 | 2014-01-21 | International Business Machines Corporation | Secure key management |
| US9602500B2 (en) * | 2013-12-20 | 2017-03-21 | Intel Corporation | Secure import and export of keying material |
-
2016
- 2016-07-05 CN CN201610522275.0A patent/CN105959112B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101783732A (en) * | 2010-03-12 | 2010-07-21 | 西安西电捷通无线网络通信股份有限公司 | Offline mutual authentication method and system based on pre-shared key |
| CN101989991A (en) * | 2010-11-24 | 2011-03-23 | 北京天地融科技有限公司 | Method for importing secret keys safely, electronic signature tool, authentication device and system |
| CN102315944A (en) * | 2011-09-29 | 2012-01-11 | 上海动联信息技术有限公司 | Seed key multi-time injection dynamic token, dynamic password authentication system and method |
| CN102571355A (en) * | 2012-02-02 | 2012-07-11 | 飞天诚信科技股份有限公司 | Method and device for importing secret key without landing |
| CN103944717A (en) * | 2013-01-22 | 2014-07-23 | 国民技术股份有限公司 | Audio secret key generation apparatus, audio secret key system and audio secret key injection method |
| CN104796264A (en) * | 2015-05-05 | 2015-07-22 | 苏州海博智能***有限公司 | Seed key update method based on non-contact manner, dynamic token and system |
| CN105681034A (en) * | 2016-02-24 | 2016-06-15 | 山东超越数控电子有限公司 | Document secret management method and system based on digital labels |
Non-Patent Citations (2)
| Title |
|---|
| 密钥管理技术;李永田;《计算机与网络》;20010223(第04期);正文第28、31页 |
| 量子密钥注入方案;陈燕彬等;《南昌大学学报(理科版)》;20131225;第37卷(第06期);正文第581-583页 |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105959112A (en) | 2016-09-21 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP1833219B1 (en) | Methods, apparatus and software for using a token to calculate time-limited password within cellular telephone | |
| CN104521216B (en) | Authorized by portable communication equipment for user | |
| US8453223B2 (en) | Method, device and system for secure transactions | |
| US20120066749A1 (en) | Method and computer program for generation and verification of otp between server and mobile device using multiple channels | |
| CN107220820A (en) | Resource transfers method, device and storage medium | |
| US20090119759A1 (en) | Method and Arrangement for Secure Authentication | |
| CN101163014A (en) | Dynamic password identification authenticating system and method | |
| CN102685093A (en) | Mobile-terminal-based identity authentication system and method | |
| CN1614924A (en) | Identity certifying system based on intelligent card and dynamic coding | |
| MX2015002929A (en) | Method and system for verifying an access request. | |
| CN108259502A (en) | For obtaining the identification method of interface access rights, server-side and storage medium | |
| CN106385506A (en) | Information notification management method and device | |
| KR101202245B1 (en) | System and Method For Transferring Money Using OTP Generated From Account Number | |
| CN103139179A (en) | Multi-channel active type network identity verification system and network identity verification device | |
| CN105959112B (en) | A kind of offline key injected system and method | |
| EP2436164B1 (en) | Method and equipment for establishing secure connection on a communication network | |
| CN102238135A (en) | Security authentication server | |
| CN105160736A (en) | Password unlocking system, hotel equipment, door lock terminal and method | |
| JP2001350724A (en) | User authentication system | |
| US10972286B2 (en) | Token-based authentication with signed message | |
| KR101958189B1 (en) | Smart locking device and locking service method thereof | |
| KR101187414B1 (en) | System and method for authenticating card issued on portable terminal | |
| Sudha et al. | An Improved Graphical Authentication System to Resist the Shoulder Surfing Attack | |
| US9462467B2 (en) | Secure processing system for use with a portable communication device | |
| KR101257761B1 (en) | Image based authentication system and method therefor |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |