CN107872312B - Method, device, equipment and system for dynamically generating symmetric key - Google Patents
Method, device, equipment and system for dynamically generating symmetric key Download PDFInfo
- Publication number
- CN107872312B CN107872312B CN201610849888.5A CN201610849888A CN107872312B CN 107872312 B CN107872312 B CN 107872312B CN 201610849888 A CN201610849888 A CN 201610849888A CN 107872312 B CN107872312 B CN 107872312B
- Authority
- CN
- China
- Prior art keywords
- key
- unique identifier
- globally unique
- client
- symmetric key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
Abstract
The application discloses a method, a device, equipment and a system for dynamically generating a symmetric key. The method comprises the following steps: receiving an initial global unique identifier generated when the interconnection equipment is started; recording the initial globally unique identifier as a key globally unique identifier; authorizing the interconnection equipment, and sending a first authorization indication message to the interconnection equipment, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment; receiving a first authorization response message sent by the interconnection equipment; determining a symmetric key according to the global unique identifier of the key and the first key parameter; the update key globally unique identifier is a first globally unique identifier; and encrypting and decrypting the communication data using the symmetric key in subsequent communication with the interconnected device. The method can dynamically generate the used symmetric key for many times in the life cycle of the system, and improves the safety and the reliability of the system.
Description
Technical Field
The invention relates to the technical field of computer network application, in particular to a method, a device, equipment and a system for dynamically generating a symmetric key.
Background
With the popularization of the internet of things technology, a user can control various internet devices by installing corresponding client software on terminal devices (such as a smart phone, a PAD and the like). For example, in the smart home technology, the control of the interconnected devices such as a television, an air conditioner and a refrigerator in a family can be realized through client software. In order to ensure the communication security between the client and the interconnection device, a symmetric encryption method is usually adopted for encryption between the client and the interconnection device.
In cryptography, encryption is the hiding of plaintext information so that it is unreadable in the absence of special information, i.e., the key used for encryption. For symmetric cryptography, the same symmetric key is used for the encryption operation and the decryption operation. The method has the greatest advantages of high encryption and decryption speed and suitability for encrypting large data volume. The commonly used symmetric encryption algorithm is simple, convenient and efficient, and the used symmetric key is short and has high deciphering difficulty, so that the symmetric encryption is widely applied to the system.
Since the confidentiality of the system depends on the security of the key, the security and reliability in the key generation and management process directly determine the security and reliability of the whole system. In the existing symmetric key generation method, the symmetric key is not changed in the whole system life cycle after being generated, and if the symmetric key is captured by a third party, the whole encryption system has no security.
The above information disclosed in this background section is only for enhancement of understanding of the background of the invention and therefore it may contain information that does not constitute prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present invention provides a method, an apparatus, a device, and a system for dynamically generating a symmetric key, which can dynamically generate a symmetric key for use for multiple times within a life cycle of the system, thereby improving security and reliability of the system.
Additional features and advantages of the invention will be set forth in the detailed description which follows, or may be learned by practice of the invention.
According to an aspect of the present invention, there is provided a method for dynamically generating a symmetric key, including: receiving an initial global unique identifier generated when the interconnection equipment is started; recording the initial globally unique identifier as a key globally unique identifier; authorizing the interconnection equipment, and sending a first authorization indication message to the interconnection equipment, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment; receiving a first authorization response message sent by the interconnection equipment; determining a symmetric key according to the global unique identifier of the key and the first key parameter; the update key globally unique identifier is a first globally unique identifier; and encrypting and decrypting the communication data using the symmetric key in subsequent communication with the interconnected device.
According to an embodiment of the present invention, the method further includes: authorizing the interconnection equipment again, and sending a second authorization indication message to the interconnection equipment, wherein the second authorization indication message comprises: a second globally unique identifier and a second key parameter newly generated for the interconnection equipment; receiving a second authorization response message sent by the interconnection equipment; determining a new symmetric key according to the key global unique identifier and the second key parameter; the update key globally unique identifier is a second globally unique identifier; and encrypting and decrypting the communication data using the new symmetric key in subsequent communication with the interconnected device.
According to an embodiment of the present invention, determining the symmetric key according to the key globally unique identifier and the first key parameter includes: carrying out XOR operation on the global unique identifier of the key and the first key parameter, and taking the result of the XOR operation as a symmetric key; and/or, determining a new symmetric key based on the key globally unique identifier and the second key parameter comprises: and carrying out exclusive-OR operation on the key global unique identifier and the second key parameter, and taking the result of the exclusive-OR operation as a new symmetric key.
According to another aspect of the present invention, there is provided a symmetric key dynamic generation method, including: generating an initial globally unique identifier at startup; broadcasting an initial globally unique identifier to a client; recording the initial globally unique identifier as a key globally unique identifier; receiving a first authorization indication message sent by a client, wherein the first authorization indication message comprises: a newly generated first globally unique identifier and a first key parameter; sending a first authorization response message to the client; determining a symmetric key according to the global unique identifier of the key and the first key parameter; the update key globally unique identifier is a first globally unique identifier; and encrypting and decrypting the communication data by using the symmetric key in subsequent communication with the client.
According to an embodiment of the present invention, the method further includes: receiving a second authorization indication message sent by the client, wherein the second authorization indication message comprises: a newly generated second globally unique identifier and a second key parameter; sending a second authorization response message to the client; determining a new symmetric key according to the key global unique identifier and the second key parameter; the update key globally unique identifier is a second globally unique identifier; and encrypting and decrypting the communication data by using the new symmetric key in subsequent communication with the client.
According to an embodiment of the present invention, determining the symmetric key according to the key globally unique identifier and the first key parameter includes: carrying out XOR operation on the global unique identifier of the key and the first key parameter, and taking the result of the XOR operation as a symmetric key; and/or, determining a new symmetric key based on the key globally unique identifier and the second key parameter comprises: and carrying out exclusive-OR operation on the key global unique identifier and the second key parameter, and taking the result of the exclusive-OR operation as a new symmetric key.
According to yet another aspect of the present invention, there is provided a client device for dynamic generation of symmetric keys, comprising: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to perform the following operations via execution of the executable instructions: receiving an initial global unique identifier generated when the interconnection equipment is started; recording the initial globally unique identifier as a key globally unique identifier; authorizing the interconnection equipment, and sending a first authorization indication message to the interconnection equipment, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment; receiving a first authorization response message sent by the interconnection equipment; determining a symmetric key according to the global unique identifier of the key and the first key parameter; the update key globally unique identifier is a first globally unique identifier; and encrypting and decrypting the communication data using the symmetric key in subsequent communication with the interconnected device.
According to an embodiment of the invention, the operations further comprise: authorizing the interconnection equipment again, and sending a second authorization indication message to the interconnection equipment, wherein the second authorization indication message comprises: a second globally unique identifier and a second key parameter newly generated for the interconnection equipment; receiving a second authorization response message sent by the interconnection equipment; determining a new symmetric key according to the key global unique identifier and the second key parameter; the update key globally unique identifier is a second globally unique identifier; and encrypting and decrypting the communication data using the new symmetric key in subsequent communication with the interconnected device.
According to yet another aspect of the present invention, there is provided an interconnect device for dynamic generation of symmetric keys, comprising: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to perform the following operations via execution of the executable instructions: generating an initial globally unique identifier at startup; broadcasting an initial globally unique identifier to a client; recording the initial globally unique identifier as a key globally unique identifier; receiving a first authorization indication message sent by a client, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment; sending a first authorization response message to the client; determining a symmetric key according to the global unique identifier of the key and the first key parameter; the update key globally unique identifier is a first globally unique identifier; and encrypting and decrypting the communication data by using the symmetric key in subsequent communication with the client.
According to an embodiment of the invention, the operations further comprise: receiving a second authorization indication message sent by the client, wherein the second authorization indication message comprises: a second globally unique identifier and a second key parameter newly generated for the interconnection equipment; sending a second authorization response message to the client; determining a new symmetric key according to the key global unique identifier and the second key parameter; the update key globally unique identifier is a second globally unique identifier; and encrypting and decrypting the communication data by using the new symmetric key in subsequent communication with the client.
According to still another aspect of the present invention, there is provided a symmetric key dynamic generation system, including: any of the above client devices and any of the above interconnect devices.
According to still another aspect of the present invention, there is provided a symmetric key dynamic generation apparatus, including: the device comprises a sending module, an identifier recording module, a receiving module and a key determining module; the receiving module receives an initial global unique identifier generated when the interconnection equipment is started; the identifier recording module records the initial globally unique identifier as a key globally unique identifier; the sending module authorizes the interconnected equipment and sends a first authorization indication message to the interconnected equipment, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment; the receiving module receives a first authorization response message sent by the interconnection equipment; the key determining module determines a symmetric key according to the global unique identifier of the key and the first key parameter; the identifier recording module updates the key global unique identifier to be a first global unique identifier; and the sending module and the receiving module use the symmetric key to encrypt and decrypt the communication data in subsequent communication with the interconnection equipment.
According to an embodiment of the present invention, the sending module authorizes the internet device again, and sends a second authorization indication message to the internet device, where the second authorization indication message includes: a second globally unique identifier and a second key parameter newly generated for the interconnection equipment; the receiving module receives a second authorization response message sent by the interconnection equipment; the key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter; the identifier recording module updates the key global unique identifier to be a second global unique identifier; and the sending module and the receiving module use the new symmetric key to encrypt and decrypt the communication data in subsequent communication with the interconnection equipment.
According to still another aspect of the present invention, there is provided a symmetric key dynamic generation apparatus, including: the device comprises an identifier generating module, a sending module, a receiving module, an identifier recording module and a key determining module; the identifier generation module generates an initial globally unique identifier when starting; the sending module broadcasts an initial global unique identifier to the client; the identifier recording module records the initial globally unique identifier as a key globally unique identifier; the receiving module receives a first authorization indication message sent by a client, wherein the first authorization indication message comprises: a newly generated first globally unique identifier and a first key parameter; the sending module sends a first authorization response message to the client; the key determining module determines a symmetric key according to the global unique identifier of the key and the first key parameter; the identifier recording module updates the key global unique identifier to be a first global unique identifier; and the sending module and the receiving module use the symmetric key to encrypt and decrypt the communication data in subsequent communication with the client.
According to an embodiment of the present invention, the receiving module receives a second authorization indication message sent by the client, where the second authorization indication message includes: a newly generated second globally unique identifier and a second key parameter; the sending module sends a second authorization response message to the client; the key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter; the identifier recording module updates the key global unique identifier to be a second global unique identifier; and the sending module and the receiving module use the new symmetric key to encrypt and decrypt the communication data in subsequent communication with the client.
According to the dynamic generation method of the symmetric key of the present invention, the local symmetric cipher used can be dynamically updated each time authorization is made by the client device to the interconnect device. Therefore, the dynamic updating of the used symmetric key for a plurality of times in the life cycle of the system can be realized, and the safety and the reliability of the system are greatly improved. In addition, each time the local symmetric cipher is generated, the key GUID used for generating the local symmetric key is replaced, and the replaced key GUID is generated irreversibly in theory, so that the security of the symmetric key is further improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings.
Fig. 1 is a schematic diagram illustrating a symmetric key dynamic generation system according to an exemplary embodiment.
Fig. 2 is a flow chart illustrating a method for dynamic generation of symmetric keys, according to an example embodiment.
FIG. 3 is a flow diagram illustrating another method for dynamic generation of symmetric keys, according to an example embodiment.
Fig. 4 is a flow chart illustrating yet another method for dynamic generation of symmetric keys, according to an example embodiment.
Fig. 5 is a flow chart illustrating yet another method for dynamic generation of symmetric keys, according to an example embodiment.
Fig. 6 is a block diagram illustrating a symmetric key dynamic generation apparatus according to an example embodiment.
Fig. 7 is a block diagram illustrating another symmetric-key dynamic generation apparatus according to an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The drawings are merely schematic illustrations of the invention and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known structures, methods, devices, implementations, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
Fig. 1 is a schematic diagram illustrating a symmetric key dynamic generation system according to an exemplary embodiment. As shown in fig. 1, the system 1 includes: a client 11 and an interconnect device 12. The client 11 may be, for example, a terminal device loaded with client software, such as a smart phone, a PAD, and the like. The interconnection device 12 may be, for example, a device interconnected with the client 11 and controlled by the client 11, such as a smart television in a smart home, a smart refrigerator, a smart air conditioner, and the like, but the present invention is not limited thereto. Wherein, the data is encrypted and transmitted when the client 11 and the interconnection device 12 communicate. Further, the system 1 may further include: and the cloud server 13 is in communication connection with the client 11.
Fig. 2 is a flow chart illustrating a method for dynamic generation of symmetric keys, according to an example embodiment. The method may be applied to the client 11 shown in fig. 1, and as shown in fig. 2, the method 10 includes:
in step S102, an initial Globally Unique Identifier (GUID) generated when the interconnect device is started is received.
For example, the interconnect device 12 shown in fig. 1 generates an initial GUID (e.g. GUID _ I) for itself when it is first started, and the initial GUID is generated by the interconnect device 12 itself and has uniqueness and randomness.
A GUID is an algorithmically generated 128-bit binary-length numeric identifier that finds primary application in networks or systems having multiple nodes, multiple computers. Ideally, no computer or cluster of computers will generate two identical GUIDs. The total number of GUIDs can reach 2^128 and since non-random parameters (such as time) are usually added to the algorithm generating the GUIDs, the probability of randomly generating two identical GUIDs is very small.
The interconnected device 12, after first generating its initial GUID, broadcasts the initial GUID in a network announcement message. The network advertisement message may include related interface information, etc. in addition to the initial GUID.
In step S104, the initial GUID is recorded as the key GUID.
The client 11 may set a key GUID locally and record the value of the initial GUID in the key GUID after receiving the initial GUID broadcast by the interconnect device 12.
In step S106, the interconnection device is authorized, and a first authorization indication message is sent to the interconnection device.
The client 11 will authorize the service provided by the interconnection device 12 before using it. The authorization operation is typically an action actively initiated by the user, and the client 11 may perform multiple authorization operations on the interconnect device 12.
In the authorization operation, the client 11 sends a first authorization indication message to the interconnection device, where the message includes a first GUID and a first key parameter (acckey _1) newly generated by the client 11 for the interconnection device 12. Wherein the first key parameter is used to generate a symmetric key.
The first GUID and the first key parameter newly generated for the internet device 12 are the first GUID newly generated for the internet device 12 that is applied by the client 11 to the cloud server 13. When the client 11 passes the newly applied first GUID to the interconnect device 12 in the authorization indication message, the interconnect device 12 writes the new first GUID into its device.
In step S108, a first authorization response message sent by the interconnection device is received.
In the authorization process, after receiving the authorization indication message, the interconnection device 12 correspondingly returns an authorization response message to the client 11 to respond to the authorization operation initiated by the authorization client 11.
In step S110, a local symmetric key is determined according to the recorded key GUID and the first key parameter.
The client 11 determines a local symmetric key (localKey) used in subsequent communication according to the key GUID and the first key parameter recorded at present.
For example, currently recorded in the key GUID is the initial GUID (GUID _ I) generated by the interconnect device 12, so the localKey is GUID _ I ⊕ acKey _ 1.
In step S112, the key GUID is updated to the first GUID.
Immediately after the local symmetric key is generated, the initial GUID is overwritten with the first GUID, i.e., the key GUID is updated to the first GUID. Since the key GUID used for generating the local symmetric key is replaced immediately after the local symmetric key is generated, and the replaced key GUID is generated irreversibly theoretically, the generated local symmetric key is secure, thereby improving the security of the system.
In step S114, the communication data is encrypted and decrypted using the local symmetric key in the subsequent communication with the interconnection apparatus.
After generating the local symmetric key, the client 11 encrypts the transmitted data by using the local symmetric key and decrypts the received data by using the local symmetric key in the subsequent communication process with the interconnection device 12.
FIG. 3 is a flow diagram illustrating another method for dynamic generation of symmetric keys, according to an example embodiment. The method may be applied to the interconnect device 12 shown in fig. 1, and as shown in fig. 3, the method 20 includes:
in step S202, an initial GUID is generated at startup.
For example, the interconnect device 12 shown in fig. 1 generates an initial GUID (which may be denoted GUID _ I) by itself when it is first started.
In step S204, the initial GUID is broadcast to the client.
After generating the initial GUID, the interconnection device 12 broadcasts the initial GUID through a network announcement message, for example, which may further include related interface information.
In step S206, the initial GUID is recorded as the key GUID.
The interconnect device 12 may set a key GUID locally for calculating the local symmetric key. First, the interconnection device 12 records the value of the initial GUID as the key GUID.
In step S208, a first authorization indication message sent by the client is received.
When the client 11 authorizes the interconnect device 12, an authorization indication message is sent to the interconnect device 12. The first authorization indication message includes a first GUID and a first key parameter (acckey _1) newly generated for the interconnected device 12.
The first GUID and the first key parameter newly generated for the internet device 12 are the first GUID newly generated for the internet device 12 that is applied by the client 11 to the cloud server 13. When the client 11 passes the newly applied first GUID to the interconnect device 12 in the authorization indication message, the interconnect device 12 writes the new first GUID into its device.
In step S210, a first authorization response message is sent to the client.
In response to the authorization indication message, the interconnect device 12 sends a first authorization response message to the client 11.
In step S212, a local symmetric key is determined based on the key GUID and the first key parameter.
The interconnection device 12 calculates a local symmetric key according to the currently recorded key GUID and the first key parameter.
For example, what is currently recorded in the key GUID is the initial GUID (GUID _ I) generated by the interconnect device 12, so the localKey is GUID _ I ⊕ acKey _ 1.
In step S214, the key GUID is updated to the first GUID.
Immediately after the local symmetric key is generated, the initial GUID is overwritten with the first GUID, i.e., the key GUID is updated to the first GUID. Since the key GUID used for generating the local symmetric key is replaced immediately after the local symmetric key is generated, and the replaced key GUID is generated irreversibly theoretically, the generated local symmetric key is secure, thereby improving the security of the system.
In step S216, the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the client.
After generating the local symmetric key, the interconnection device 12 encrypts the transmitted data using the local symmetric key and decrypts the received data using the local symmetric key in the subsequent communication process with the client 11.
The dynamic generation method of the symmetric key provided by the embodiment of the invention can dynamically update the used local symmetric password when the client device authorizes the interconnection device every time. Therefore, the dynamic updating of the used symmetric key for a plurality of times in the life cycle of the system can be realized, and the safety and the reliability of the system are greatly improved. In addition, each time the local symmetric cipher is generated, the key GUID used for generating the local symmetric key is replaced, and the replaced key GUID is generated irreversibly in theory, so that the security of the symmetric key is further improved.
It should be clearly understood that the present disclosure describes how to make and use particular examples, but the principles of the present disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 4 is a flow chart illustrating yet another method for dynamic generation of symmetric keys, according to an example embodiment. The method may be applied to the client 11 shown in fig. 1. The method is used to generate a new local key during the next authorization process. As shown in fig. 4, the method 30 includes:
in step S302, the interconnection device is authorized again, and a second authorization indication message is sent to the interconnection device.
The second authorization indication message includes: a second GUID (which may be denoted GUID _2) and a second key parameter (which may be denoted acckey _2) newly generated for the interconnected device 12.
The second GUID and the second key parameter newly generated for the internet device 12 are the newly generated second GUID applied by the client 11 to the cloud server 13 for the internet device 12. When the client 11 passes the newly applied second GUID to the interconnect device 12 in the authorization indication message, the interconnect device 12 writes the new second GUID into its device.
In step S304, a second authorization response message sent by the interconnection device is received.
The client 11 receives a second authorization response message sent by the interconnection device 12 in response to the authorization operation.
In step S306, a new local symmetric key is determined based on the key GUID and the second key parameter.
The client 11 determines a new local symmetric key according to the currently recorded key GUID and the second key parameter.
For example, currently recorded in the key GUID is the first GUID (GUID _1) generated by the client 11 for the interconnect device 12 in the previous authorization operation, so the localKey is GUID _1 ⊕ acKey _ 2.
In step S308, the key GUID is updated to the second GUID.
Immediately after the local symmetric key is generated, the first GUID is overwritten with the second GUID, i.e., the key GUID is updated to the second GUID. Since the key GUID used for generating the local symmetric key is replaced immediately after the local symmetric key is generated, and the replaced key GUID is generated irreversibly theoretically, the generated local symmetric key is secure, thereby improving the security of the system.
In step S310, the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the interconnection apparatus.
After generating the local symmetric key, the client 11 encrypts the transmitted data by using the local symmetric key and decrypts the received data by using the local symmetric key in the subsequent communication process with the interconnection device 12.
Fig. 5 is a flow chart illustrating yet another method for dynamic generation of symmetric keys, according to an example embodiment. The method may be applied to the interconnect device 12 shown in fig. 1. The method is used to generate a new local key during the next authorization process. As shown in fig. 5, the method 40 includes:
in step S402, a second authorization indication message sent by the client is received.
In the new authorization process, the interconnection device 12 receives the second authorization indication message sent by the client 11. The message includes a second GUID (which may be denoted as GUID _2) and a second key parameter (acckey _2) newly generated for the interconnection device 12.
The second GUID and the second key parameter newly generated for the internet device 12 are the newly generated second GUID applied by the client 11 to the cloud server 13 for the internet device 12. When the client 11 passes the newly applied second GUID to the interconnect device 12 in the authorization indication message, the interconnect device 12 writes the new second GUID into its device.
In step S404, a second authorization response message is sent to the client.
In response to the received second authorization indication message, the interconnect device 12 sends a second authorization response message to the client 11.
In step S406, a new local symmetric key is determined based on the key GUID and the second key parameter.
The server device 12 calculates a new local symmetric key based on the currently recorded GUID and the second key parameters.
For example, the current record in the key GUID is the first GUID (GUID _1) generated by the client 11 for the interconnect device 12 during the last authorization, so the localKey is GUID _1 ⊕ acKey _ 2.
In step S408, the key GUID is updated to the second GUID.
Immediately after the new local symmetric key is generated, the first GUID is overwritten with the second GUID, i.e., the key GUID is updated to the second GUID. Since the key GUID used for generating the local symmetric key is replaced immediately after the local symmetric key is generated, and the replaced key GUID is generated irreversibly theoretically, the generated local symmetric key is secure, thereby improving the security of the system.
In step S410, the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the client.
After generating the new local symmetric key, the interconnection device 12 encrypts the transmitted data using the new local symmetric key and decrypts the received data using the new local symmetric key in the subsequent communication process with the client 11.
Those skilled in the art will appreciate that all or part of the steps implementing the above embodiments are implemented as computer programs executed by a CPU. The computer program, when executed by the CPU, performs the functions defined by the method provided by the present invention. The program may be stored in a computer readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the method according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
The following are embodiments of the apparatus of the present invention that may be used to perform embodiments of the method of the present invention. For details which are not disclosed in the embodiments of the apparatus of the present invention, reference is made to the embodiments of the method of the present invention.
Fig. 6 is a block diagram illustrating a symmetric key dynamic generation apparatus according to an example embodiment. The symmetric key dynamic generation apparatus can be applied to the client 11 shown in fig. 1. As shown in fig. 6, the apparatus 50 includes: a receiving module 502, an identifier recording module 504, a sending module 506, and a key determination module 508.
Wherein the receiving module 502 receives an initial globally unique identifier generated upon startup of the interconnect device.
The identifier recording module 504 records the initial globally unique identifier as a key globally unique identifier.
The sending module 506 authorizes the internet device, and sends a first authorization indication message to the internet device, where the first authorization indication message includes: a first globally unique identifier and a first key parameter newly generated for the interconnected device.
The first GUID and the first key parameter newly generated for the internet device 12 are the first GUID newly generated for the internet device 12 that is applied by the client 11 to the cloud server 13. When the client 11 passes the newly applied first GUID to the interconnect device 12 in the authorization indication message, the interconnect device 12 writes the new first GUID into its device.
The receiving module 502 receives a first authorization response message sent by an interconnection device.
The key determination module 508 determines a symmetric key based on the key globally unique identifier and the first key parameter.
The identifier recording module 504 updates the key globally unique identifier to the first globally unique identifier.
The sending module 506 and the receiving module 502 encrypt and decrypt communication data using the symmetric key in subsequent communication with the interconnection device.
In some embodiments, the sending module 506 authorizes the internet device again, and sends a second authorization indication message to the internet device, where the second authorization indication message includes: a second globally unique identifier and a second key parameter newly generated for the interconnected device. The receiving module 502 receives a second authorization response message sent by the interconnect device. The key determination module 508 determines a new symmetric key based on the key globally unique identifier and the second key parameter. The identifier recording module 504 updates the key globally unique identifier to a second globally unique identifier. The sending module 506 and the receiving module 502 encrypt and decrypt the communication data using the new symmetric key in subsequent communication with the interconnection device.
Fig. 7 is a block diagram illustrating another symmetric-key dynamic generation apparatus according to an example embodiment. The symmetric key dynamic generation apparatus can be applied to the interconnection device 12 shown in fig. 1. As shown in fig. 7, the apparatus 60 includes: an identifier generation module 602, a sending module 604, a receiving module 606, an identifier recording module 608, and a key determination module 610.
Wherein the identifier generation module 602 generates an initial globally unique identifier upon startup.
The sending module 604 broadcasts the initial globally unique identifier to the client.
The identifier recording module 608 records the initial globally unique identifier as a key globally unique identifier.
The receiving module 606 receives a first authorization indication message sent by the client, where the first authorization indication message includes: a first globally unique identifier and a first key parameter newly generated for the interconnected device.
The first GUID and the first key parameter newly generated for the internet device 12 are the first GUID newly generated for the internet device 12 that is applied by the client 11 to the cloud server 13. When the client 11 passes the newly applied first GUID to the interconnect device 12 in the authorization indication message, the interconnect device 12 writes the new first GUID into its device.
The sending module 604 sends a first authorization response message to the client.
The key determination module 610 determines a symmetric key based on the key globally unique identifier and the first key parameter.
The identifier recording module 608 updates the key globally unique identifier to a first globally unique identifier.
The sending module 604 and the receiving module 606 encrypt and decrypt communication data using the symmetric key in subsequent communication with the client.
In some embodiments, the receiving module 606 receives a second authorization indication message sent by the client, where the second authorization indication message includes: a second globally unique identifier and a second key parameter newly generated for the interconnected device. The sending module 604 sends a second authorization response message to the client. And the key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter. The identifier recording module 608 updates the key globally unique identifier to a second globally unique identifier. The sending module 604 and the receiving module 606 encrypt and decrypt communication data using the new symmetric key in subsequent communication with the client.
It is noted that the block diagrams shown in the above figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiment of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to make a computing device (which can be a personal computer, a server, a mobile terminal, or a network device, etc.) execute the method according to the embodiment of the present invention.
Exemplary embodiments of the present invention are specifically illustrated and described above. It is to be understood that the invention is not limited to the precise construction, arrangements, or instrumentalities described herein; on the contrary, the invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Claims (15)
1. A method for dynamically generating a symmetric key, comprising:
receiving an initial global unique identifier generated when the interconnection equipment is started;
recording the initial globally unique identifier as a key globally unique identifier;
authorizing the interconnection equipment, and sending a first authorization indication message to the interconnection equipment, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment;
receiving a first authorization response message sent by the interconnection equipment;
determining a symmetric key according to the key global unique identifier and the first key parameter;
updating the key globally unique identifier to the first globally unique identifier; and
and encrypting and decrypting communication data by using the symmetric key in subsequent communication with the interconnection equipment.
2. The method of claim 1, further comprising:
authorizing the interconnection device again, and sending a second authorization indication message to the interconnection device, wherein the second authorization indication message includes: a second globally unique identifier and a second key parameter newly generated for the interconnection device;
receiving a second authorization response message sent by the interconnection equipment;
determining a new symmetric key according to the key global unique identifier and the second key parameter;
updating the key globally unique identifier to the second globally unique identifier; and
and encrypting and decrypting communication data by using the new symmetric key in subsequent communication with the interconnection equipment.
3. The method of claim 2, wherein determining a symmetric key based on the key globally unique identifier and the first key parameter comprises: performing exclusive-or operation on the key global unique identifier and the first key parameter, and taking the result of the exclusive-or operation as the symmetric key; and/or the presence of a gas in the gas,
determining a new symmetric key based on the key globally unique identifier and the second key parameter comprises: and carrying out exclusive-OR operation on the key global unique identifier and the second key parameter, and taking the result of the exclusive-OR operation as the new symmetric key.
4. A method for dynamically generating a symmetric key, comprising:
generating an initial globally unique identifier at startup;
broadcasting the initial globally unique identifier to a client;
recording the initial globally unique identifier as a key globally unique identifier;
receiving a first authorization indication message sent by the client, wherein the first authorization indication message comprises: a newly generated first globally unique identifier and a first key parameter;
sending a first authorization response message to the client;
determining a symmetric key according to the key global unique identifier and the first key parameter;
updating the key globally unique identifier to the first globally unique identifier; and
and encrypting and decrypting communication data by using the symmetric key in subsequent communication with the client.
5. The method of claim 4, further comprising:
receiving a second authorization indication message sent by the client, wherein the second authorization indication message comprises: a newly generated second globally unique identifier and a second key parameter;
sending a second authorization response message to the client;
determining a new symmetric key according to the key global unique identifier and the second key parameter;
updating the key globally unique identifier to the second globally unique identifier; and
and encrypting and decrypting communication data by using the new symmetric key in subsequent communication with the client.
6. The method of claim 5, wherein determining a symmetric key based on the key globally unique identifier and the first key parameter comprises: performing exclusive-or operation on the key global unique identifier and the first key parameter, and taking the result of the exclusive-or operation as the symmetric key; and/or the presence of a gas in the gas,
determining a new symmetric key based on the key globally unique identifier and the second key parameter comprises: and carrying out exclusive-OR operation on the key global unique identifier and the second key parameter, and taking the result of the exclusive-OR operation as the new symmetric key.
7. A client device for dynamic generation of symmetric keys, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the following operations via execution of the executable instructions:
receiving an initial global unique identifier generated when the interconnection equipment is started;
recording the initial globally unique identifier as a key globally unique identifier;
authorizing the interconnection equipment, and sending a first authorization indication message to the interconnection equipment, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment;
receiving a first authorization response message sent by the interconnection equipment;
determining a symmetric key according to the key global unique identifier and the first key parameter;
updating the key globally unique identifier to the first globally unique identifier; and
and encrypting and decrypting communication data by using the symmetric key in subsequent communication with the interconnection equipment.
8. The client device of claim 7, wherein the operations further comprise:
authorizing the interconnection device again, and sending a second authorization indication message to the interconnection device, wherein the second authorization indication message includes: a second globally unique identifier and a second key parameter newly generated for the interconnection device;
receiving a second authorization response message sent by the interconnection equipment;
determining a new symmetric key according to the key global unique identifier and the second key parameter;
updating the key globally unique identifier to the second globally unique identifier; and
and encrypting and decrypting communication data by using the new symmetric key in subsequent communication with the interconnection equipment.
9. An interconnect device for dynamic generation of symmetric keys, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the following operations via execution of the executable instructions:
generating an initial globally unique identifier at startup;
broadcasting the initial globally unique identifier to a client;
recording the initial globally unique identifier as a key globally unique identifier;
receiving a first authorization indication message sent by the client, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment;
sending a first authorization response message to the client;
determining a symmetric key according to the key global unique identifier and the first key parameter;
updating the key globally unique identifier to the first globally unique identifier; and
and encrypting and decrypting communication data by using the symmetric key in subsequent communication with the client.
10. The interconnect device of claim 9, wherein the operations further comprise:
receiving a second authorization indication message sent by the client, wherein the second authorization indication message comprises: a second globally unique identifier and a second key parameter newly generated for the interconnection device;
sending a second authorization response message to the client;
determining a new symmetric key according to the key global unique identifier and the second key parameter;
updating the key globally unique identifier to the second globally unique identifier; and
and encrypting and decrypting communication data by using the new symmetric key in subsequent communication with the client.
11. A system for dynamic generation of symmetric keys, comprising: a client device according to claim 7 or 8 and an interconnect device according to claim 9 or 10.
12. A symmetric key dynamic generation apparatus, comprising: the device comprises a sending module, an identifier recording module, a receiving module and a key determining module;
the receiving module receives an initial globally unique identifier generated when the interconnection equipment is started;
the identifier recording module records the initial globally unique identifier as a key globally unique identifier;
the sending module authorizes the interconnection device and sends a first authorization indication message to the interconnection device, wherein the first authorization indication message comprises: a first globally unique identifier and a first key parameter which are newly generated for the interconnection equipment;
the receiving module receives a first authorization response message sent by the interconnection equipment;
the key determining module determines a symmetric key according to the key global unique identifier and the first key parameter;
the identifier recording module updates the key globally unique identifier to the first globally unique identifier; and
and the sending module and the receiving module use the symmetric key to encrypt and decrypt communication data in subsequent communication with the interconnection equipment.
13. The apparatus of claim 12,
the sending module authorizes the interconnection device again, and sends a second authorization indication message to the interconnection device, where the second authorization indication message includes: a second globally unique identifier and a second key parameter newly generated for the interconnection device;
the receiving module receives a second authorization response message sent by the interconnection equipment;
the key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter;
the identifier recording module updates the key globally unique identifier to the second globally unique identifier; and
and the sending module and the receiving module use the new symmetric key to encrypt and decrypt communication data in subsequent communication with the interconnection equipment.
14. A symmetric key dynamic generation apparatus, comprising: the device comprises an identifier generating module, a sending module, a receiving module, an identifier recording module and a key determining module;
wherein the identifier generation module generates an initial globally unique identifier upon startup;
the sending module broadcasts the initial globally unique identifier to a client;
the identifier recording module records the initial globally unique identifier as a key globally unique identifier;
the receiving module receives a first authorization indication message sent by the client, wherein the first authorization indication message comprises: a newly generated first globally unique identifier and a first key parameter;
the sending module sends a first authorization response message to the client;
the key determining module determines a symmetric key according to the key global unique identifier and the first key parameter;
the identifier recording module updates the key globally unique identifier to the first globally unique identifier; and
and the sending module and the receiving module use the symmetric key to encrypt and decrypt communication data in subsequent communication with the client.
15. The apparatus of claim 14,
the receiving module receives a second authorization indication message sent by the client, where the second authorization indication message includes: a newly generated second globally unique identifier and a second key parameter;
the sending module sends a second authorization response message to the client;
the key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter;
the identifier recording module updates the key globally unique identifier to the second globally unique identifier; and
and the sending module and the receiving module use the new symmetric key to encrypt and decrypt communication data in subsequent communication with the client.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610849888.5A CN107872312B (en) | 2016-09-26 | 2016-09-26 | Method, device, equipment and system for dynamically generating symmetric key |
| PCT/CN2017/092995 WO2018054144A1 (en) | 2016-09-26 | 2017-07-14 | Method, apparatus, device and system for dynamically generating symmetric key |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610849888.5A CN107872312B (en) | 2016-09-26 | 2016-09-26 | Method, device, equipment and system for dynamically generating symmetric key |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107872312A CN107872312A (en) | 2018-04-03 |
| CN107872312B true CN107872312B (en) | 2020-02-07 |
Family
ID=61690111
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610849888.5A Active CN107872312B (en) | 2016-09-26 | 2016-09-26 | Method, device, equipment and system for dynamically generating symmetric key |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN107872312B (en) |
| WO (1) | WO2018054144A1 (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114024724B (en) * | 2021-10-25 | 2023-06-13 | 四川启睿克科技有限公司 | Symmetric key dynamic generation method based on Internet of things |
| CN117597891A (en) * | 2022-06-17 | 2024-02-23 | 北京小米移动软件有限公司 | Data communication method and device |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103268456A (en) * | 2013-05-31 | 2013-08-28 | 杭州华三通信技术有限公司 | Method and device for file safety control |
| CN104065652A (en) * | 2014-06-09 | 2014-09-24 | 韩晟 | Method, device and system for identity verification and related device |
| CN105100052A (en) * | 2015-05-29 | 2015-11-25 | 北京奇虎科技有限公司 | Server, mobile phone terminal and account and equipment binding execution and control methods thereof |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8555059B2 (en) * | 2010-04-16 | 2013-10-08 | Microsoft Corporation | Secure local update of content management software |
-
2016
- 2016-09-26 CN CN201610849888.5A patent/CN107872312B/en active Active
-
2017
- 2017-07-14 WO PCT/CN2017/092995 patent/WO2018054144A1/en active Application Filing
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103268456A (en) * | 2013-05-31 | 2013-08-28 | 杭州华三通信技术有限公司 | Method and device for file safety control |
| CN104065652A (en) * | 2014-06-09 | 2014-09-24 | 韩晟 | Method, device and system for identity verification and related device |
| CN105100052A (en) * | 2015-05-29 | 2015-11-25 | 北京奇虎科技有限公司 | Server, mobile phone terminal and account and equipment binding execution and control methods thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2018054144A1 (en) | 2018-03-29 |
| CN107872312A (en) | 2018-04-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110650010B (en) | Method, device and equipment for generating and using private key in asymmetric key | |
| KR101982237B1 (en) | Method and system for data sharing using attribute-based encryption in cloud computing | |
| CN113691502B (en) | Communication method, device, gateway server, client and storage medium | |
| JP2005520395A (en) | Multi-user key generation and authentication method and authentication system based on polynomial | |
| CN112738051B (en) | Data information encryption method, system and computer readable storage medium | |
| JP2006174356A (en) | Pseudo public key encryption method and system | |
| CN111404952B (en) | Transformer substation data encryption transmission method and device, computer equipment and storage medium | |
| CN109067517B (en) | Encryption and decryption device, encryption and decryption method and communication method of hidden key | |
| CN112118245B (en) | Key management method, system and equipment | |
| CN114793184B (en) | Security chip communication method and device based on third-party key management node | |
| CN114443718A (en) | Data query method and system | |
| CN107872312B (en) | Method, device, equipment and system for dynamically generating symmetric key | |
| JP6294882B2 (en) | Key storage device, key storage method, and program thereof | |
| TW202231014A (en) | Message transmitting system, user device and hardware security module for use therein | |
| CN109361506B (en) | Information processing method | |
| CN117155549A (en) | Key distribution method, key distribution device, computer equipment and storage medium | |
| US20220407690A1 (en) | Key ladder generating a device public key | |
| KR101812311B1 (en) | User terminal and data sharing method of user terminal based on attributed re-encryption | |
| CN115412246A (en) | Method, device, equipment and storage medium for inadvertent transmission | |
| CN111431846B (en) | Data transmission method, device and system | |
| JPWO2018043466A1 (en) | Data extraction system, data extraction method, registration device and program | |
| KR101865703B1 (en) | Apparatus and method for generating key, apparatus and method for encryption | |
| CN104363584A (en) | Method, device and terminal for encrypting and decrypting short message | |
| CN110830252A (en) | Data encryption method, device, equipment and storage medium | |
| CN116599771B (en) | Data hierarchical protection transmission method and device, storage medium and terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |