CN107317677A - Key storage and equipment identities authentication method, device - Google Patents
- Publication number: CN107317677A
- Authority: CN (China)
- Prior art keywords: key, security chip, ciphertext, encryption, storage
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
Abstract
The invention discloses a key storage method, a device identity authentication method, and corresponding apparatuses. The key storage method includes: importing a first encryption key into a security chip; exporting the public key of the first encryption key; generating a first session key ciphertext and a first session key handle outside the security chip using the public key of the first encryption key; generating a storage key outside the security chip; encrypting the storage key using the first session key handle to obtain a storage ciphertext; and storing the first session key ciphertext and the storage ciphertext in the readable/writable storage area of the security chip. Importing the first session key ciphertext into the security chip yields the first session key handle. With the invention, the storage key can be obtained from the security chip by the outside, so the information to be processed can be signed or decrypted outside the security chip using the storage key, without importing the information to be signed into the security chip for processing by the chip, which reduces the computational load of the security chip.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a key storage method, a device identity authentication method, and corresponding apparatuses.
Background
To improve the security of information transmitted between devices, information is usually encrypted with a key before transmission. The keys used to encrypt information include signature key pairs, encryption key pairs and session keys: the encryption key pair protects the session key, the signature key pair is used for digital signature and verification, and the session key is used for data encryption and decryption and for MAC operations. To protect the keys and further improve the security of information transmission, key pairs are usually stored in the non-readable, non-writable area of a security chip, and keys generally cannot be exported.
Fig. 1 shows the application logical structure of a security chip, as defined by the standard formulated by the State Cryptography Administration (the national cryptographic standard). An application is a structure that includes containers, a device authentication key and files, and has independent permission management. A container here means a key container, a logical object used to hold asymmetric key pairs and session keys. Signature key pairs are generated inside the security chip; encryption key pairs are generated externally and imported securely; session keys can be generated inside the security chip, or generated externally and imported securely.
Digital signature is a common secure data transmission technique that prevents the information sent by a sender from being tampered with. Specifically, the sender encrypts (signs) the information with the signature private key, and the recipient decrypts the encrypted information with the signature public key. A signature key pair can be generated in the security chip, but only the signature public key can be exported; the signature private key cannot. Therefore, when information needs to be signed, the information to be signed can only be imported into the security chip, and the signed information is exported after the signing is done inside the chip.
However, when there is a lot of information to be signed (for example, when a server needs to communicate with many clients), the processing capacity of the security chip becomes the bottleneck for the server's communication. Existing approaches address this bottleneck by raising the performance of the security chip or increasing the number of security chips, which tends to increase system cost.
Summary of the invention
In view of this, embodiments of the present invention provide a key storage method and apparatus, and a device identity authentication method and apparatus, to reduce the computational load of the security chip.
A first aspect of the present invention provides a key storage method, the method including: importing a first encryption key into a security chip; exporting the public key of the first encryption key; generating a first session key ciphertext and a first session key handle outside the security chip using the public key of the first encryption key; generating a storage key outside the security chip; encrypting the storage key using the first session key handle to obtain a storage ciphertext; and storing the first session key ciphertext and the storage ciphertext in the readable/writable storage area of the security chip. Importing the first session key ciphertext into the security chip yields the first session key handle.
Optionally, the step of importing the first encryption key into the security chip includes: controlling the security chip to generate and export a first signature key internally; generating a second session key inside the security chip using the first signature key, and exporting a second session key ciphertext and a second session key handle; generating a second encryption key outside the security chip; encrypting the second encryption key using the second session key handle to obtain a second encryption key ciphertext; generating the first encryption key according to the second session key ciphertext and the second encryption key ciphertext; and importing the first encryption key into the security chip.
A second aspect of the present invention provides a device identity authentication method for a server, where the server stores its signature private key using the key storage method of the first aspect or of any optional implementation of the first aspect. The method includes: receiving a client certificate and first encrypted data sent by the client, the first encrypted data being encrypted with the server's signature public key; when the client certificate is verified as valid, obtaining the signature private key from the readable/writable storage area of the security chip; decrypting the first encrypted data using the signature private key; when decryption succeeds, receiving a signature value sent by the client; verifying the signature value using the public key in the client certificate; and when verification passes, determining that the client's identity authentication has passed.
Optionally, the step of obtaining the signature private key from the readable/writable storage area of the security chip includes: obtaining the first session key ciphertext and the storage ciphertext from the readable/writable storage area of the security chip; importing the first session key ciphertext into the security chip to obtain the first session key handle; and decrypting the storage ciphertext using the first session key handle to obtain the storage key, which serves as the server's signature private key.
Optionally, before the step of receiving the client certificate and the first encrypted data sent by the client, the method further includes: generating a certificate request file from the signature public key and server information; requesting a digital certificate from a certificate authority by means of the certificate request file; receiving the digital certificate sent by the certificate authority; and storing the digital certificate.
A third aspect of the present invention provides a key storage apparatus, the apparatus including: an import unit, configured to import a first encryption key into a security chip; an export unit, configured to export the public key of the first encryption key; a first generation unit, configured to generate a first session key ciphertext and a first session key handle outside the security chip using the public key of the first encryption key; a second generation unit, configured to generate a storage key outside the security chip; an encryption unit, configured to encrypt the storage key using the first session key handle to obtain a storage ciphertext; and a first storage unit, configured to store the first session key ciphertext and the storage ciphertext in the readable/writable storage area of the security chip. Importing the first session key ciphertext into the security chip yields the first session key handle.
Optionally, the import unit includes: a first control subunit, configured to control the security chip to generate and export a first signature key internally; a first generation subunit, configured to generate a second session key inside the security chip using the first signature key, and to export a second session key ciphertext and a second session key handle; a second generation subunit, configured to generate a second encryption key outside the security chip; an encryption subunit, configured to encrypt the second encryption key using the second session key handle to obtain a second encryption key ciphertext; a third generation subunit, configured to generate the first encryption key according to the second session key ciphertext and the second encryption key ciphertext; and a first import subunit, configured to import the first encryption key into the security chip.
A fourth aspect of the present invention provides a device identity authentication apparatus for a server, where the server stores its signature private key using the key storage apparatus of the third aspect or of any optional implementation of the third aspect. The apparatus includes: a first receiving unit, configured to receive a client certificate and first encrypted data sent by the client, the first encrypted data being encrypted with the server's signature public key; an obtaining unit, configured to obtain the signature private key from the readable/writable storage area of the security chip when the client certificate is verified as valid; a decryption unit, configured to decrypt the first encrypted data using the signature private key; a second receiving unit, configured to receive a signature value sent by the client when decryption succeeds; a signature verification unit, configured to verify the signature value using the public key in the client certificate; and a determining unit, configured to determine that the client's identity authentication has passed when verification passes.
Optionally, the obtaining unit includes: an obtaining subunit, configured to obtain the first session key ciphertext and the storage ciphertext from the readable/writable storage area of the security chip; a second import subunit, configured to import the first session key ciphertext into the security chip to obtain the first session key handle; and a decryption subunit, configured to decrypt the storage ciphertext using the first session key handle to obtain the storage key, which serves as the server's signature private key.
Optionally, the apparatus further includes: a third generation unit, configured to generate a certificate request file from the signature public key and server information; a request unit, configured to request a digital certificate from a certificate authority by means of the certificate request file; a third receiving unit, configured to receive the digital certificate sent by the certificate authority; and a second storage unit, configured to store the digital certificate.
In the key storage method and apparatus provided by the embodiments of the present invention, a storage key is generated outside the security chip and encrypted using the first session key handle to obtain a storage ciphertext, and the storage ciphertext is stored together with the first session key ciphertext in the readable/writable storage area of the security chip. When information needs to be signed or decrypted with the storage key, the storage ciphertext and the first session key ciphertext can be obtained from the readable/writable storage area of the security chip; importing the first session key ciphertext into the security chip yields the first session key handle, and decrypting the storage ciphertext with the first session key handle yields the storage key. The information to be processed can then be signed or decrypted outside the security chip using the storage key, without importing the information to be signed into the security chip for processing by the chip, which reduces the computational load of the security chip.
In the device identity authentication method and apparatus provided by the embodiments of the present invention, after the server receives the client certificate and the first encrypted data sent by the client, and the client certificate is verified as valid, the server obtains the signature private key from the readable/writable storage area of the security chip and decrypts the first encrypted data with it. Because the signature private key is stored using the key storage method of the first aspect or of any optional implementation of the first aspect, this identity authentication algorithm reduces the computational load of the security chip.
Brief description of the drawings
The features and advantages of the present invention can be understood more clearly with reference to the accompanying drawings, which are schematic and should not be construed as limiting the invention in any way. In the drawings:
Fig. 1 shows the application logical structure of a security chip;
Fig. 2 shows a flow chart of a key storage method according to an embodiment of the present invention;
Fig. 3 shows a flow chart of another key storage method according to an embodiment of the present invention;
Fig. 4 shows a schematic diagram of the key storage method;
Fig. 5 shows a flow chart of a device identity authentication method according to an embodiment of the present invention;
Fig. 6 shows a flow chart of another device identity authentication method according to an embodiment of the present invention;
Fig. 7 shows a block diagram of a key storage apparatus according to an embodiment of the present invention;
Fig. 8 shows a block diagram of another key storage apparatus according to an embodiment of the present invention;
Fig. 9 shows a block diagram of a device identity authentication apparatus according to an embodiment of the present invention;
Fig. 10 shows a block diagram of another device identity authentication apparatus according to an embodiment of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, rather than all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art based on the embodiments of the invention without creative work fall within the scope of protection of the invention.
Embodiment one
Fig. 2 shows a flow chart of a key storage method according to an embodiment of the present invention. The method is used by a server. As shown in Fig. 2, the method includes the following steps:
S101: Import a first encryption key into the security chip. The method needs an encryption key and, under the national cryptographic standard for security chips, an encryption key must be generated externally and imported securely. Unless the public key or the private key of an encryption key is specifically referred to, an encryption key in this application means an encryption key pair, that is, it includes a public key and a private key.
S102: Export the public key of the first encryption key. Under the national cryptographic standard for security chips, only the public key of an encryption key can be exported; the private key cannot.
S103: Generate a first session key ciphertext and a first session key handle outside the security chip using the public key of the first encryption key.
S104: Generate a storage key outside the security chip. The storage key is the key that this method is to store. Note that the storage key is generated externally, not inside the security chip.
S105: Encrypt the storage key using the first session key handle to obtain a storage ciphertext.
S106: Store the first session key ciphertext and the storage ciphertext in the readable/writable storage area of the security chip. Importing the first session key ciphertext into the security chip yields the first session key handle.
It should be added that step S104 may be performed before or after any of the steps that precede step S105; the application does not limit the position of step S104.
In the key storage method above, a storage key is generated outside the security chip and encrypted using the first session key handle to obtain a storage ciphertext, and the storage ciphertext is stored together with the first session key ciphertext in the readable/writable storage area of the security chip. When information needs to be signed or decrypted with the storage key, the storage ciphertext and the first session key ciphertext can be obtained from the readable/writable storage area of the security chip; importing the first session key ciphertext into the security chip yields the first session key handle, and decrypting the storage ciphertext with the first session key handle yields the storage key. The information to be processed can then be signed or decrypted outside the security chip using the storage key, without importing the information to be signed into the security chip for processing by the chip, which reduces the computational load of the security chip.
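The store and retrieve flow of Embodiment one (S101 to S106, then the later recovery of the storage key), as an added Go sketch that is not code from the patent. The `Chip` type, RSA-OAEP and AES-256-GCM are assumptions standing in for the security chip and the algorithms the page leaves unnamed; the sketch also assumes the host encrypts with the session key directly when storing, while the chip resolves the handle when loading.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Chip is a software stand-in for the security chip (hypothetical model, not a vendor API).
type Chip struct {
	encKey   *rsa.PrivateKey   // first encryption key; the private half is never exported
	sessions map[int][]byte    // handle -> session key, visible only inside the chip
	RW       map[string][]byte // readable/writable storage area, readable from outside
}

// NewChip models S101. RSA-2048 is an assumption; the page names no algorithm.
func NewChip() (*Chip, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Chip{encKey: k, sessions: map[int][]byte{}, RW: map[string][]byte{}}, nil
}

func (c *Chip) ExportPublicKey() *rsa.PublicKey { return &c.encKey.PublicKey } // S102

// ImportSessionKey unwraps c1 inside the chip and returns an opaque handle.
func (c *Chip) ImportSessionKey(c1 []byte) (int, error) {
	sk, err := rsa.DecryptOAEP(sha256.New(), nil, c.encKey, c1, nil)
	if err != nil {
		return 0, errors.New("chip: session key ciphertext rejected")
	}
	h := len(c.sessions) + 1
	c.sessions[h] = sk
	return h, nil
}

// Decrypt opens blob (nonce first) with the session key behind handle h.
func (c *Chip) Decrypt(h int, blob []byte) ([]byte, error) {
	a, err := newGCM(c.sessions[h]) // unknown handle -> empty key -> error
	if err != nil {
		return nil, err
	}
	if len(blob) < a.NonceSize() {
		return nil, errors.New("chip: blob too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// StoreKey models S103-S106 on the host: wrap a fresh session key (c1), seal the storage key (c3).
func StoreKey(c *Chip, storageKey []byte) error {
	buf := make([]byte, 32+12) // fresh session key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	sk, nonce := buf[:32], buf[32:]
	c1, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.ExportPublicKey(), sk, nil)
	if err != nil {
		return err
	}
	a, err := newGCM(sk)
	if err != nil {
		return err
	}
	c.RW["c1"], c.RW["c3"] = c1, a.Seal(nonce, nonce, storageKey, nil)
	return nil
}

// LoadKey models retrieval: import c1 to get the handle, then decrypt c3 with it.
func LoadKey(c *Chip) ([]byte, error) {
	h, err := c.ImportSessionKey(c.RW["c1"])
	if err != nil {
		return nil, err
	}
	return c.Decrypt(h, c.RW["c3"])
}

func main() {
	chip, err := NewChip()
	if err != nil {
		panic(err)
	}
	// Constructed sample value, not a real key.
	fmt.Println("store:", StoreKey(chip, []byte("constructed-sample-signing-key")))
	got, err := LoadKey(chip)
	fmt.Printf("recovered %q, err=%v\n", got, err)
}
```

The two blobs in the readable/writable area are only useful together with the chip that holds the matching private key, but after `LoadKey` the storage key sits in host memory, which is the trade the method makes for a lower chip load.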
Embodiment two
Fig. 3 shows a flow chart of another key storage method according to an embodiment of the present invention. The method is used by a server. Fig. 4 shows a schematic diagram of the key storage method.
As shown in Fig. 3, the method includes the following steps:
S201: Control the security chip to generate and export a first signature key internally.
As shown in Fig. 4, the security chip is controlled to generate a first signature key P1 (pu1, pr1) internally, where pu1 and pr1 are respectively the public key and the private key of the first signature key P1 (pu1, pr1).
S202: Generate a second session key inside the security chip using the first signature key, and export a second session key ciphertext and a second session key handle.
After the first signature key P1 (pu1, pr1) has been generated inside the security chip, the security chip can be controlled directly to generate the second session key sek2 (c2, kh2) internally using the first signature key P1 (pu1, pr1). Alternatively, the public key pu1 of the first signature key P1 (pu1, pr1) is first exported and then imported into the security chip, and the security chip is controlled to generate the second session key sek2 (c2, kh2) internally using the public key pu1. Here c2 is the ciphertext of the second session key and kh2 is the handle of the second session key.
S203: Generate a second encryption key outside the security chip.
As shown in Fig. 4, a second encryption key KEY2 is generated outside the security chip.
S204: Encrypt the second encryption key using the second session key handle to obtain a second encryption key ciphertext.
As shown in Fig. 4, the second encryption key KEY2 is encrypted using the second session key handle kh2 to obtain the second encryption key ciphertext c2.
S205: Generate the first encryption key according to the second session key ciphertext and the second encryption key ciphertext.
As shown in Fig. 4, the first encryption key C1 (pu1, pr1) is generated according to the second session key ciphertext c2 and the second encryption key ciphertext c2, where pu1 and pr1 are respectively the public key and the private key of the first encryption key C1 (pu1, pr1).
S206: Import the first encryption key into the security chip.
As shown in Fig. 4, the first encryption key C1 (pu1, pr1) is imported into the security chip.
Steps S201 to S206 above implement step S101 of Embodiment one.
S207: Export the public key of the first encryption key.
As shown in Fig. 4, the public key pu1 of the first encryption key C1 (pu1, pr1) is exported.
S208: Generate a first session key ciphertext and a first session key handle outside the security chip using the public key of the first encryption key.
As shown in Fig. 4, the first session key sek1 (c1, kh1) is generated outside the security chip using the public key pu1 of the first encryption key C1 (pu1, pr1), where c1 is the ciphertext of the first session key and kh1 is the handle of the first session key.
S209: Generate a storage key outside the security chip.
As shown in Fig. 4, the storage key KEY1 is generated outside the security chip.
S210: Encrypt the storage key using the first session key handle to obtain a storage ciphertext.
As shown in Fig. 4, the storage key KEY1 is encrypted using the first session key handle kh1 to obtain the storage ciphertext c3.
S211: Store the first session key ciphertext and the storage ciphertext in the readable/writable storage area of the security chip. Importing the first session key ciphertext into the security chip yields the first session key handle.
As shown in Fig. 4, the first session key ciphertext c1 and the storage ciphertext c3 are stored in the readable/writable storage area of the security chip; data in the readable/writable storage area can be obtained from outside.
For steps S207 to S211, refer to steps S102 to S106 in Embodiment one; they are not described again here.
Embodiment three
Fig. 5 shows a flow chart of a device identity authentication method according to an embodiment of the present invention. The method is used by a server, and the server stores its signature private key using the key storage method described in Embodiment one or Embodiment two. As shown in Fig. 5, the method includes the following steps:
S301: Receive the client certificate and the first encrypted data sent by the client. The first encrypted data is encrypted with the server's signature public key.
S302: When the client certificate is verified as valid, obtain the signature private key from the readable/writable storage area of the security chip.
S303: Decrypt the first encrypted data using the signature private key.
Because the first encrypted data is encrypted with the server's signature public key, successful decryption with the server's signature private key indicates that the client holds the server certificate (the signature public key is generally contained in the server certificate).
S304: When decryption succeeds, receive the signature value sent by the client.
S305: Verify the signature value using the public key in the client certificate.
Because the signature value sent by the client is produced with the private key corresponding to the client certificate, if verification of the signature value with the public key in the client certificate passes, this indicates that the signature value was indeed sent by the client and has not been altered, and that its signed content is trustworthy.
S306: When verification passes, determine that the client's identity authentication has passed.
In the device identity authentication method above, after the server receives the client certificate and the first encrypted data sent by the client, and the client certificate is verified as valid, the server obtains the signature private key from the readable/writable storage area of the security chip and decrypts the first encrypted data with it. Because the signature private key is stored using the key storage method described in Embodiment one or Embodiment two, this identity authentication algorithm reduces the computational load of the security chip; see Embodiment one for details.
Embodiment four
Fig. 6 shows a flow chart of another device identity authentication method according to an embodiment of the present invention. The method is used by a server, and the server stores its signature private key using the key storage method described in Embodiment one or Embodiment two. As shown in Fig. 6, the method includes the following steps:
S401: Generate a certificate request file from the signature public key and server information.
S402: Request a digital certificate from a certificate authority by means of the certificate request file.
S403: Receive the digital certificate sent by the certificate authority.
S404: Store the digital certificate. The digital certificate can be stored in the security chip or outside the security chip.
Steps S401 to S404 above are used by the server to obtain a digital certificate from the certificate authority.
S405: In response to an authentication request sent by the client, send the server certificate to the client. The server certificate is the digital certificate above; it is used by the client to verify the server's identity, achieving mutual authentication between client and server.
S406: Receive the client certificate and the first encrypted data sent by the client. The first encrypted data is encrypted with the server's signature public key.
S407: Verify whether the client certificate is valid. When the client certificate is verified as valid, perform step S408.
S408: Obtain the first session key ciphertext and the storage ciphertext from the readable/writable storage area of the security chip.
S409: Import the first session key ciphertext into the security chip to obtain the first session key handle.
S410: Decrypt the storage ciphertext using the first session key handle to obtain the storage key, which serves as the server's signature private key.
Steps S408 to S410 above implement "obtaining the signature private key from the readable/writable storage area of the security chip" in Embodiment three. When information needs to be signed or decrypted with the server's signature private key, steps S408 to S410 let the outside obtain the signature private key, so that the signing or decryption of the information to be processed can be performed by a processor outside the security chip, reducing the computational load of the security chip.
S411: Decrypt the first encrypted data using the signature private key.
S412: When decryption succeeds, receive the signature value sent by the client.
S413: Verify the signature value using the public key in the client certificate.
S414: When verification passes, determine that the client's identity authentication has passed.
For steps S411 to S414, refer to steps S303 to S306 in Embodiment three; they are not described again here.
Embodiment five
Fig. 7 shows a kind of theory diagram of key storage device according to embodiments of the present invention, and the device is used to service
Device, the method for storing cipher key described in execution embodiment one or embodiment two.According to Fig. 7, this method include import unit 10,
Lead-out unit 20, the first generation unit 30, the second generation unit 40, the memory cell 60 of ciphering unit 50 and first.
Import unit 10 is used to import the first encryption key to the inside of safety chip.
Lead-out unit 20 is used for the public key for exporting the first encryption key.
It is close that first generation unit 30 generates the first session for the public key using the first encryption key outside safety chip
Key ciphertext and the first session key handle.
Second generation unit 40 is used for the generation storage key outside safety chip.
Ciphering unit 50 is used for using the first session key handle to storage key encryption, obtains storing ciphertext.
First memory cell 60 be used for by the first session key ciphertext and storage ciphertext store to safety chip can
Read and write memory block.First session key ciphertext, which imports safety chip, can obtain the first session key handle.
In the above key storage device, the storage key is generated outside the safety chip and encrypted using the first session key handle to obtain the storage ciphertext, and the storage ciphertext is stored together with the first session key ciphertext in the read-write memory block of the safety chip. When information needs to be signed or decrypted with the storage key, the storage ciphertext and the first session key ciphertext can be obtained from the read-write memory block of the safety chip; importing the first session key ciphertext into the safety chip yields the first session key handle, and decrypting the storage ciphertext with the first session key handle yields the storage key. The information to be processed can then be signed or decrypted with the storage key outside the safety chip, without importing the information to be signed into the safety chip for processing by the safety chip, which reduces the amount of calculation of the safety chip.
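An added example, not part of the patent text: a standard-library Python simulation of the store and retrieve flow described above, showing that the chip performs one private-key operation per retrieval while its read-write memory block holds only ciphertext. The `SafetyChip` class, the RSA-KEM style wrapping with a constructed demo modulus, the HMAC-SHA256 stream cipher and the integrity tag are assumptions of this example; the first encryption key is modelled as already present in the chip and the handle as raw session key bytes.

```python
import hashlib, hmac, secrets

def _kdf(r):
    # Session key = SHA-256 of the random value transported under the public key.
    return hashlib.sha256(r.to_bytes(160, "big")).digest()

class SafetyChip:
    """Simulated safety chip; the private exponent never leaves this object."""
    # Constructed demo modulus built from two Mersenne primes. It is trivially
    # factorable and exists only so the example runs offline.
    _P, _Q, E = 2**521 - 1, 2**607 - 1, 65537

    def __init__(self):
        self.n = self._P * self._Q
        self._d = pow(self.E, -1, (self._P - 1) * (self._Q - 1))
        self.rw_area = {}      # read-write memory block of the chip
        self.private_ops = 0   # private-key operations performed in the chip

    def export_public_key(self):
        return self.n, self.E

    def import_session_key_ciphertext(self, ct):
        # Unwrap inside the chip and hand back the session key handle.
        self.private_ops += 1
        return _kdf(pow(ct, self._d, self.n))

def new_session_key(pub):
    """Outside the chip: returns (session key ciphertext, session key handle)."""
    n, e = pub
    r = secrets.randbelow(n - 2) + 2
    return pow(r, e, n), _kdf(r)

def _subkey(handle, label):
    return hmac.new(handle, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(handle, plaintext):
    # Encrypt-then-MAC with separate subkeys (stand-in for a real AEAD).
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_subkey(handle, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(handle, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(handle, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(handle, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("storage ciphertext failed its integrity check")
    return _xor_stream(_subkey(handle, b"enc"), nonce, body)

def store_key(chip, storage_key):
    """Wrap the storage key outside the chip; the chip keeps only ciphertext."""
    ct, handle = new_session_key(chip.export_public_key())
    chip.rw_area = {"session_key_ct": ct, "storage_ct": seal(handle, storage_key)}

def load_key(chip):
    """One in-chip unwrap, then decrypt the storage ciphertext outside the chip."""
    handle = chip.import_session_key_ciphertext(chip.rw_area["session_key_ct"])
    return unseal(handle, chip.rw_area["storage_ct"])

if __name__ == "__main__":
    chip = SafetyChip()
    store_key(chip, secrets.token_bytes(32))   # constructed sample storage key
    print(len(load_key(chip)), "byte key recovered;", chip.private_ops, "chip operation")
```

Because the read-write memory block is writable, the example authenticates the storage ciphertext so that a modified blob is rejected instead of yielding a wrong key; the patent text itself does not describe an integrity check.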
As an optional implementation of this embodiment, as shown in Fig. 8, import unit 10 includes first control subelement 11, first generation subelement 12, second generation subelement 13, encryption subelement 14, third generation subelement 15 and first import subelement 16.
First control subelement 11 is used to control the generation of the first signature key inside the safety chip and its export.
First generation subelement 12 is used to generate the second session key inside the safety chip using the first signature key, and to export the second session key ciphertext and the second session key handle.
Second generation subelement 13 is used to generate the second encryption key outside the safety chip.
Encryption subelement 14 is used to encrypt the second encryption key using the second session key handle, obtaining the second encryption key ciphertext.
Third generation subelement 15 is used to generate the first encryption key according to the second session key ciphertext and the second encryption key ciphertext.
First import subelement 16 is used to import the first encryption key into the safety chip.
Embodiment six
Fig. 9 shows a schematic block diagram of an equipment identities authentication device according to an embodiment of the present invention. The device is used in a server to execute the equipment identities authentication method described in embodiment three or embodiment four, and the server stores the signature private key using the key storage device described in embodiment five or any of its optional implementations. According to Fig. 9, the device includes first receiving unit 70, acquiring unit 80, decryption unit 90, second receiving unit 100, sign test unit 110 and determining unit 120.
First receiving unit 70 is used to receive the client certificate and the first encryption data transmitted by the client. The first encryption data is encrypted using the public signature key of the server.
Acquiring unit 80 is used to obtain the signature private key from the read-write memory block of the safety chip when the client certificate is verified as valid.
Decryption unit 90 is used to decrypt the first encryption data using the signature private key.
Second receiving unit 100 is used to receive the signature value transmitted by the client when decryption succeeds.
Sign test unit 110 is used to verify the signature value using the public key in the client certificate.
Determining unit 120 is used to determine that the client identity authentication passes when the signature verification passes.
In the above equipment identities authentication device, after the server receives the client certificate and the first encryption data transmitted by the client, and when the client certificate is verified as valid, the signature private key is obtained from the read-write memory block of the safety chip and used to decrypt the first encryption data. Because the signature private key is stored using the key storage method described in embodiment one or embodiment two, this authentication algorithm can reduce the amount of calculation of the safety chip; see embodiment one for details.
As an optional implementation of this embodiment, as shown in Figure 10, acquiring unit 80 includes obtaining subelement 81, second import subelement 82 and decryption subelement 83.
Obtaining subelement 81 is used to obtain the first session key ciphertext and the storage ciphertext from the read-write memory block of the safety chip.
Second import subelement 82 is used to import the first session key ciphertext into the safety chip, obtaining the first session key handle.
Decryption subelement 83 is used to decrypt the storage ciphertext using the first session key handle, obtaining the storage key as the signature private key of the server.
As an optional implementation of this embodiment, as shown in Figure 10, the device also includes third generation unit 130, request unit 140, third receiving unit 150 and second memory cell 160.
Third generation unit 130 is used to generate a certificate request file from the public signature key and server information.
Request unit 140 is used to request a digital certificate from the certificate authority by means of the certificate request file.
Third receiving unit 150 is used to receive the digital certificate transmitted by the certificate authority.
Second memory cell 160 is used to store the digital certificate.
Those skilled in the art will understand that all or part of the flows in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of each of the above methods. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
Although embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the present invention, and all such modifications and variations fall within the scope defined by the appended claims.
Claims (10)
1. A key storage method, characterised in that the method includes:
Importing a first encryption key into a safety chip;
Exporting the public key of the first encryption key;
Generating a first session key ciphertext and a first session key handle outside the safety chip using the public key of the first encryption key;
Generating a storage key outside the safety chip;
Encrypting the storage key using the first session key handle to obtain a storage ciphertext;
Storing the first session key ciphertext and the storage ciphertext in the read-write memory block of the safety chip; importing the first session key ciphertext into the safety chip yields the first session key handle.
2. The key storage method according to claim 1, characterised in that the step of importing the first encryption key into the safety chip includes:
Controlling the safety chip to generate the first signature key internally and export it;
Generating a second session key inside the safety chip using the first signature key, and exporting the second session key ciphertext and the second session key handle;
Generating a second encryption key outside the safety chip;
Encrypting the second encryption key using the second session key handle to obtain the second encryption key ciphertext;
Generating the first encryption key according to the second session key ciphertext and the second encryption key ciphertext;
Importing the first encryption key into the safety chip.
3. An equipment identities authentication method, characterised in that it is used in a server, and the server stores the signature private key using the key storage method of claim 1 or 2; the method includes:
Receiving the client certificate and the first encryption data transmitted by the client; the first encryption data is encrypted using the public signature key of the server;
When the client certificate is verified as valid, obtaining the signature private key from the read-write memory block of the safety chip;
Decrypting the first encryption data using the signature private key;
When decryption succeeds, receiving the signature value transmitted by the client;
Verifying the signature value using the public key in the client certificate;
When the signature verification passes, determining that the client identity authentication passes.
4. The equipment identities authentication method according to claim 3, characterised in that the step of obtaining the signature private key from the read-write memory block of the safety chip includes:
Obtaining the first session key ciphertext and the storage ciphertext from the read-write memory block of the safety chip;
Importing the first session key ciphertext into the safety chip to obtain the first session key handle;
Decrypting the storage ciphertext using the first session key handle to obtain the storage key as the signature private key of the server.
5. The equipment identities authentication method according to claim 3, characterised in that, before the step of receiving the client certificate and the first encryption data transmitted by the client, the method also includes:
Generating a certificate request file from the public signature key and server information;
Requesting a digital certificate from the certificate authority by means of the certificate request file;
Receiving the digital certificate transmitted by the certificate authority;
Storing the digital certificate.
6. A key storage device, characterised in that the device includes:
An import unit, for importing a first encryption key into a safety chip;
A lead-out unit, for exporting the public key of the first encryption key;
A first generation unit, for generating a first session key ciphertext and a first session key handle outside the safety chip using the public key of the first encryption key;
A second generation unit, for generating a storage key outside the safety chip;
A ciphering unit, for encrypting the storage key using the first session key handle to obtain a storage ciphertext;
A first memory cell, for storing the first session key ciphertext and the storage ciphertext in the read-write memory block of the safety chip; importing the first session key ciphertext into the safety chip yields the first session key handle.
7. The key storage device according to claim 6, characterised in that the import unit includes:
A first control subelement, for controlling the safety chip to generate the first signature key internally and export it;
A first generation subelement, for generating a second session key inside the safety chip using the first signature key, and exporting the second session key ciphertext and the second session key handle;
A second generation subelement, for generating a second encryption key outside the safety chip;
An encryption subelement, for encrypting the second encryption key using the second session key handle to obtain the second encryption key ciphertext;
A third generation subelement, for generating the first encryption key according to the second session key ciphertext and the second encryption key ciphertext;
A first import subelement, for importing the first encryption key into the safety chip.
8. An equipment identities authentication device, characterised in that it is used in a server, and the server stores the signature private key using the key storage device of claim 6 or 7; the device includes:
A first receiving unit, for receiving the client certificate and the first encryption data transmitted by the client; the first encryption data is encrypted using the public signature key of the server;
An acquiring unit, for obtaining the signature private key from the read-write memory block of the safety chip when the client certificate is verified as valid;
A decryption unit, for decrypting the first encryption data using the signature private key;
A second receiving unit, for receiving the signature value transmitted by the client when decryption succeeds;
A sign test unit, for verifying the signature value using the public key in the client certificate;
A determining unit, for determining that the client identity authentication passes when the signature verification passes.
9. The equipment identities authentication device according to claim 8, characterised in that the acquiring unit includes:
An obtaining subelement, for obtaining the first session key ciphertext and the storage ciphertext from the read-write memory block of the safety chip;
A second import subelement, for importing the first session key ciphertext into the safety chip to obtain the first session key handle;
A decryption subelement, for decrypting the storage ciphertext using the first session key handle to obtain the storage key as the signature private key of the server.
10. The equipment identities authentication device according to claim 8, characterised in that the device also includes:
A third generation unit, for generating a certificate request file from the public signature key and server information;
Request unit, for by the certificate request file to certificate authority acquisition request digital certificate;
3rd receiving unit, for receiving the digital certificate transmitted by the certificate authority;
Second memory cell, for storing the digital certificate.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710378389.7A CN107317677B (en) | 2017-05-25 | 2017-05-25 | Secret key storage and equipment identity authentication method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107317677A (en) | 2017-11-03 |
CN107317677B (en) | 2020-02-07 |
Family
ID=60181971
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710378389.7A Active CN107317677B (en) | 2017-05-25 | 2017-05-25 | Secret key storage and equipment identity authentication method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||