CN109639419A - Cryptographic key protection method, cipher key storage device and terminal device - Google Patents

Info

Publication number: CN109639419A
Authority: CN (China)
Prior art keywords: key, cipher key, request message, terminal device, cipher
Legal status: Pending
Application number: CN201811643238.0A
Other languages: Chinese (zh)
Inventors: 孙吉平, 念龙龙, 叶哲
Current Assignee: Beijing Senseshield Technology Co Ltd
Original Assignee: Beijing Senseshield Technology Co Ltd
Application filed by Beijing Senseshield Technology Co Ltd
Priority to CN201811643238.0A
Publication of CN109639419A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the invention disclose a cryptographic key protection method, a cipher key storage device and a terminal device. The method is applied to a cipher key storage device in which a key list is established for each application, the key list being used to store the key of the respective application. The method includes: receiving a request message for obtaining the key of a target application, the request message including authorization access control information; determining, according to the authorization access control information, whether the terminal device that sent the request message has key access permission; and, if it is determined that the terminal device that sent the request message has key access permission, searching the key list corresponding to the target application for the requested key and providing the key. According to the technical solution of the present invention, key security can be improved and key leakage avoided.

Description

Cryptographic key protection method, cipher key storage device and terminal device
Technical field
Embodiments of the present invention relate to the field of information security, and in particular to a cryptographic key protection method, a cipher key storage device and a terminal device.
Background technique
Today's society has entered the information age, and at the same time people pay ever more attention to information security.
At present, the key storage of a smart device (such as a mobile phone) exists only in a single key list (KeyChain). If multiple applications on the user's mobile phone need to use keys, these applications in fact all access the same KeyChain to obtain their own keys. Because multiple applications access the same KeyChain, key leakage is easily caused. For example, when application A stores its key in the KeyChain, application A holds permission to access the KeyChain and can obtain all keys saved in it; if application A then obtains the key of application B, which is likewise stored in the KeyChain, it can use application B's key to obtain the user information inside application B, causing security risks such as leakage of application B's data or of user privacy.
Summary of the invention
Embodiments of the present invention provide a cryptographic key protection method, a cipher key storage device and a terminal device, in order to improve the security of keys and avoid key leakage.
In a first aspect, an embodiment of the present invention provides a cryptographic key protection method. The method is applied to a cipher key storage device in which a key list is established for each application, the key list being used to store the key of the respective application. The method comprises:
receiving a request message for obtaining the key of a target application, the request message including authorization access control information;
determining, according to the authorization access control information, whether the terminal device that sent the request message has key access permission;
if it is determined that the terminal device that sent the request message has key access permission, searching the key list corresponding to the target application for the requested key, and providing the key.
In a second aspect, an embodiment of the present invention further provides a cryptographic key protection method. The method is applied to a terminal device and comprises:
generating, according to the key service demand of a target application, a request message for obtaining the key of the target application, wherein the request message includes authorization access control information;
sending the request message to a communicatively coupled cipher key storage device, so that the cipher key storage device determines, according to the authorization access control information, whether the terminal device that sent the request message has key access permission, and, when it is determined that the terminal device that sent the request message has key access permission, searches the key list corresponding to the target application for the requested key and provides the key.
In a third aspect, an embodiment of the present invention further provides a cipher key storage device, which includes:
a data security module, configured to store the key list of each application, the key list being used to store the key of the respective application;
a processing module, configured to receive, through a communication interface, a request message for obtaining the key of a target application, the request message including authorization access control information, and to determine, according to the authorization access control information, whether the terminal device that sent the request message has key access permission;
the data security module is further configured to, when the processing module determines that the terminal device that sent the request message has key access permission, search the key list corresponding to the target application for the requested key and provide the key to the processing module.
In a fourth aspect, an embodiment of the present invention further provides a terminal device, which includes:
a request generation module, configured to generate, according to the key service demand of a target application, a request message for obtaining the key of the target application, wherein the request message includes authorization access control information;
a request sending module, configured to send the request message to a communicatively coupled cipher key storage device, so that the cipher key storage device determines, according to the authorization access control information, whether the terminal device that sent the request message has key access permission, and, when it is determined that the terminal device that sent the request message has key access permission, searches the key list corresponding to the target application for the requested key and provides the key.
In embodiments of the present invention, a key list storing the key of the respective application is established for each application in the cipher key storage device; a request message for obtaining the key of a target application is received, the request message including authorization access control information; and if it is determined according to the authorization access control information that the terminal device that sent the request message has key access permission, the key list corresponding to the target application is searched for the requested key and the key is provided. By storing and accessing the keys of multiple applications in isolation from one another, the effect of improving key security and avoiding key leakage is achieved.
Description of the drawings
Fig. 1 is a flow diagram of a cryptographic key protection method provided by Embodiment 1 of the present invention;
Fig. 2a is a flow diagram of a cryptographic key protection method provided by Embodiment 2 of the present invention;
Fig. 2b is a schematic diagram of the key generation flow between a terminal device and a cipher key storage device to which Embodiment 2 of the present invention applies;
Fig. 3 is a structural schematic diagram of a cipher key storage device provided by Embodiment 3 of the present invention;
Fig. 4 is a structural schematic diagram of a terminal device provided by Embodiment 4 of the present invention.
Specific embodiment
The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and not to limit it. It should also be noted that, for convenience of description, the drawings show only the parts related to the present invention rather than the entire structure.
Embodiment one
Fig. 1 is a flow diagram of a cryptographic key protection method provided by Embodiment 1 of the present invention. The method is applicable to the case of protecting access to keys and can be executed by a cipher key storage device. Before key access is performed, a key list can first be established for each application in the cipher key storage device, the key list being used to store the key of the respective application. The keys stored in one key list can be one or more keys corresponding to the same application, and the cipher key storage device can be, for example, a smart bracelet, a smartwatch, a smart encryption lock or a similar device.
Specifically, the method includes the following steps:
S110: receiving a request message for obtaining the key of a target application, the request message including authorization access control information.
In the present embodiment, the cipher key storage device may first be communicatively coupled with the terminal device, where the means of communicative coupling includes but is not limited to a Bluetooth connection, WIFI, etc. Multiple applications may be installed on the terminal device, each application owning its own key; by accessing the key of the corresponding application, the terminal device can obtain the user information or private data hidden inside that application. In the prior art, the key of each application is stored on the terminal device where the application resides, and all keys are stored in one key list, so when the user uses one of the applications on the terminal device, leakage of the keys of the other applications is easily caused.
In order to guarantee the key security of each application and ensure that the current application can only access its own key, the present embodiment stores keys off-device and isolates the keys of the different applications from one another, so that the key of the current application cannot be obtained by another application.
Illustratively, the keys of the applications installed on the terminal device are stored in the cipher key storage device, realizing off-device storage of the keys. The terminal device can be, for example, a mobile phone, a tablet or any other intelligent mobile terminal device on which application software can be installed.
When communicatively coupled to the terminal device, the cipher key storage device can monitor in real time whether a request message for obtaining the key of a target application has been received from the terminal device, and on receiving such a request message, extract the authorization access control information it contains in order to verify whether the terminal device has access permission for the key of the target application.
S120: determining, according to the authorization access control information, whether the terminal device that sent the request message has key access permission.
In the present embodiment, different applications may correspond to different authorization access control information. The authorization access control information may be an identification code defined inside the application software, used to control the permission to access the key list corresponding to that application software. Specifically, the authorization access control information can be used to determine whether the terminal device that sent the request message has key access permission, for example by comparing the received authorization access control information with the authorization access control information pre-stored in the cipher key storage device and determining, according to the comparison result, whether the terminal device has key access permission for the target application.
Illustratively, before a key is stored, a binding relationship can be established between the cipher key storage device and the terminal device that sends the key. When the cipher key storage device receives a key acquisition request message, it can first determine whether the terminal device is the bound terminal device, and then determine whether the terminal device has access permission for the key list corresponding to the target application.
Optionally, the authorization access control information includes first verification data. Correspondingly, determining according to the authorization access control information whether the terminal device that sent the request message has key access permission includes: comparing the first verification data, or second verification data generated based on the first verification data, with the reserved check information of the target application, and determining after a successful comparison that the terminal device that sent the request message has key access permission.
The first verification data may be a character string. The check information reserved by the application corresponding to each key list may be stored in advance in the cipher key storage device; this check information may also be a character string, and is used for comparison against the received first verification data. Specifically, when the first verification data is consistent with the reserved check information of the target application, it may be determined that the terminal device that sent the request message has access permission for the key list corresponding to the target application, i.e. has key access permission; alternatively, when the second verification data generated based on the first verification data is consistent with the reserved check information of the target application, it may be determined that the terminal device that sent the request message has access permission for the key list corresponding to the target application, i.e. has key access permission. The second verification data generated based on the first verification data may be the data obtained by encrypting or decrypting the first verification data with a private key set by the target application.
Optionally, the first verification data includes one or more of: the account and password information for logging in to the target application; the device information of the terminal device where the target application resides; verification code information obtained through a preset communication channel.
The account and password information for logging in to the target application can be used to verify whether the terminal device has access permission for the key list corresponding to the target application; the device information of the terminal device where the target application resides can be used to verify whether the terminal device that sent the request message is the terminal device bound to the cipher key storage device, i.e. a legitimate device; the verification code information obtained through the preset communication channel can be verification code information that the target application obtains from its application server, and is likewise used to verify whether the terminal device has access permission for the key list corresponding to the target application.
S130: if it is determined that the terminal device that sent the request message has key access permission, searching the key list corresponding to the target application for the requested key, and providing the key.
When it is determined that the terminal device that sent the request message does not have key access permission, the key acquisition request is refused, so as to prevent the key from being stolen. When it is determined that the terminal device that sent the request message has key access permission, the requested key can be found in the key list corresponding to the target application according to the request message. Since different key lists have different key access permissions, when it is determined that the terminal device has key access permission for the target application, only the key list corresponding to the target application can be accessed, and the key lists corresponding to other applications cannot be accessed. This ensures the independence of each application's key list and improves key security.
Taking a smart bracelet as an example: after receiving, from the connected mobile phone, a request message for obtaining the key corresponding to application A, the smart bracelet can obtain the key from the key list KeyChain_A corresponding to application A according to the authorization access control information AccessCode_A included in the request message.
Optionally, the cipher key storage device includes a data security module, and the key lists are stored in the data security module. Correspondingly, after it is determined that the terminal device that sent the request message has key access permission, the data security module determines the key list corresponding to the target application and searches it for the requested key.
Specifically, two data processing modules may be provided in the cipher key storage device: one is a processing module for handling general data, and the other is a data security module dedicated to handling key data. The data security module may, for example, be a security chip certified by the relevant authorities. Storing the key lists in the data security module ensures that sensitive information such as keys cannot be accessed illegally, and having the data security module determine the key list corresponding to the target application and search it for the requested key effectively prevents attacks during the key lookup process that could lead to key leakage, further improving key security.
Optionally, the request message further includes a virtual key mapping table, and searching the key list corresponding to the target application for the requested key includes: extracting the key identification information included in the virtual key mapping table, and searching the key list corresponding to the target application for the requested key according to the key identification information.
Different applications may correspond to different virtual key mapping tables. A virtual key mapping table may store the identifier, number, virtual storage address, etc. of the keys required by the respective services in the application, so as to locate the key list and find the required key in it.
Taking a smart bracelet as an example: after receiving, from the connected mobile phone, a request message for obtaining the key corresponding to application A, the smart bracelet extracts the corresponding authorization access control information AccessCode_A and virtual key mapping table Virtual_A from the request message. The processor in the smart bracelet verifies, according to AccessCode_A, whether the current phone is the device bound to application A; if so, it passes the virtual mapping table, or the key identification information taken from the virtual mapping table, to the data security module in the smart bracelet, for example the key identifier, number, virtual storage address, etc. of the key to be looked up contained in the virtual key mapping table Virtual_A. After the data security module obtains the virtual mapping table, it searches the key list of application A for the corresponding key according to the key identifier, number or virtual storage address of the key to be looked up. For example, if Virtual_A carries the identifier of the key a to be looked up, the data security module determines the storage number of that key in the key list according to the correspondence between key identifiers and the storage identifiers of keys in the key list, and finds the key according to the storage number. For another example, if Virtual_A carries the virtual storage address of the key to be looked up, after obtaining that virtual storage address the data security module maps it to the key storage location in the key list of the respective application and obtains the key from that storage location.
After finding the key to be looked up according to the virtual mapping table, the data security module sends it to the processor of the cipher key storage device, and the processor provides the key. The ways of providing the key include: displaying the key on the display screen of the cipher key storage device; and/or sending the key to the terminal device so that the target application on the terminal device can use the key.
Specifically, the obtained key may be provided only by displaying it on the display screen of the cipher key storage device, or only by sending it to the terminal device for direct use by the terminal device; of course, the key may also be provided by a combination of the two, and no limitation is imposed here.
In the technical solution of the present embodiment, a key list storing the key of the respective application is established for each application in the cipher key storage device; a request message for obtaining the key of a target application is received, the request message including authorization access control information; and if it is determined according to the authorization access control information that the terminal device that sent the request message has key access permission, the key list corresponding to the target application is searched for the requested key and the key is provided. By storing and accessing the keys of multiple applications in isolation from one another, the effect of improving key security and avoiding key leakage is achieved.
Embodiment two
Fig. 2a is a flow diagram of a cryptographic key protection method provided by Embodiment 2 of the present invention. The method is applicable to the case of protecting access to keys and can be executed by a terminal device, which can be, for example, a mobile phone, a tablet or any other intelligent mobile terminal device on which application software can be installed.
Specifically, the method includes the following steps:
S210: generating, according to the key service demand of a target application, a request message for obtaining the key of the target application, wherein the request message includes authorization access control information.
In the present embodiment, the terminal device may first be communicatively coupled with the cipher key storage device, and the keys of the application software installed on the mobile terminal are stored in that intelligent terminal, realizing off-device storage of the keys. The means of communicative coupling includes but is not limited to a Bluetooth connection, WIFI, etc. The communication connection established between the terminal device and the cipher key storage device may be one-to-one, one-to-many or many-to-one; that is, a terminal device may be bound to one cipher key storage device that stores the keys of one or more applications installed on it, or the keys of the multiple applications installed on the terminal device may be distributed across multiple cipher key storage devices, and no limitation is imposed here.
Before key access is performed, a key list can first be established for each application in the cipher key storage device, the key list being used to store the key of the respective application. The keys stored in one key list can be one or more keys corresponding to the same application, and the cipher key storage device can be, for example, a smart bracelet, a smartwatch, a smart encryption lock or a similar device.
Illustratively, the request message for obtaining the key of the target application may be generated by the target application according to a specific service request, and includes the authorization access control information of the key list corresponding to the target application.
In the cipher key storage device, since the keys of different applications are stored in different key lists, different applications may correspond to different authorization access control information. The authorization access control information may be an identification code defined inside the application software, used to control the permission to access the key list corresponding to that application software.
Optionally, the request message further includes a virtual key mapping table containing key identification information, used by the cipher key storage device to search the key list corresponding to the target application for the requested key according to the key identification information.
Different applications may correspond to different virtual key mapping tables. A virtual key mapping table may store the identifier, number, virtual storage address, etc. of the keys required by the respective services in the application, so that the cipher key storage device can locate the key list corresponding to the target application and find the required key in it.
As a concrete example, when application A on the mobile phone needs to obtain key a, it generates a request message including the corresponding authorization access control information AccessCode_A and virtual key mapping table Virtual_A and sends the message to the communicatively coupled cipher key storage device. The cipher key storage device extracts the corresponding authorization access control information AccessCode_A and virtual key mapping table Virtual_A from the request message. Virtual_A includes the identifier, number, virtual storage address, etc. of the required key, for example the true identifier a of key a, the identifier x* obtained after encryption conversion, or the virtual storage location of key a in the key list of application A. The smart bracelet can then obtain the corresponding key from the key list KeyChain_A of application A according to the information about key a included in Virtual_A.
S220: sending the request message to the communicatively coupled cipher key storage device, so that the cipher key storage device determines, according to the authorization access control information, whether the terminal device that sent the request message has key access permission, and, when it is determined that the terminal device that sent the request message has key access permission, searches the key list corresponding to the target application for the requested key and provides the key.
Illustratively, when the terminal device generates, through the target application, a key acquisition request message including authorization access control information, it immediately sends the message to the communicatively coupled cipher key storage device. The cipher key storage device can use the authorization access control information included in the key acquisition request message to determine whether the terminal device has permission to access the key list corresponding to the target application, and, when it determines that the permission exists, obtain the corresponding key from the key list corresponding to the target application.
In the technical solution of the present embodiment, a request message for obtaining the key of a target application is generated according to the key service demand of the target application, the request message including authorization access control information, and the request message is then sent to the communicatively coupled cipher key storage device, so that the cipher key storage device determines, according to the authorization access control information, whether the terminal device that sent the request message has key access permission, and, when it is determined that the terminal device that sent the request message has key access permission, searches the key list corresponding to the target application for the requested key and provides the key. By storing and accessing the keys of multiple applications in isolation from one another, the effect of improving key security and avoiding key leakage is achieved.
On the basis of the above embodiments, the key generation process between the terminal device and the cipher key storage device, taking a mobile phone and a bracelet as an example, is shown in Fig. 2b. First, a communication connection is established between the terminal device and the cipher key storage device. Then the terminal device creates the authorization access control code and virtual key mapping table corresponding to each application software and sends them to the cipher key storage device; the cipher key storage device creates the key list corresponding to each application software and sends feedback information to the terminal device. When a certain application software on the terminal device needs to use a key, it sends the corresponding authorization access control code and virtual key mapping table to the cipher key storage device; after finding the corresponding key list, the cipher key storage device sends the corresponding user key from that key list to the terminal device, so that the terminal device can perform the corresponding operation with the user key.
As a concrete example, after the user's mobile phone and bracelet are bound, the firmail application establishes its own authorization access control code firmail_AccessCode and virtual key mapping table firmail_Virtual, and the corresponding key list firmail_KeyChain is created in the smart bracelet. The hotmail application likewise creates its own hotmail_AccessCode, hotmail_Virtual and hotmail_KeyChain. When firmail uses a key, it accesses its own key list firmail_KeyChain through its own firmail_AccessCode and firmail_Virtual to obtain the corresponding key, and cannot obtain or access hotmail's hotmail_KeyChain, ensuring the independence and security of the keys of firmail and hotmail.
For another example, the applications of bank A and bank B each own their own key list to ensure the information security of their own users, and at the same time own the corresponding authorization access control code and virtual key mapping table; the KeyChains of the two banks stored in the smart bracelet are mutually independent and accessed securely, improving the security of user accounts.
Embodiment Three
Fig. 3 is a structural schematic diagram of a key storage device provided in embodiment three of the present invention. With reference to Fig. 3, the key storage device includes a data security module 310 and a processing module 320; each module is described below.
The data security module 310 is configured to store the key list of each application, the key list being used to store the keys of the respective application;
The processing module 320 is configured to receive, through a communication interface, a request message for obtaining a key of a target application, the request message containing authorization access control information, and to determine according to the authorization access control information whether the terminal device that sent the request message has key access permission;
The data security module 310 is further configured to, when the processing module determines that the terminal device that sent the request message has key access permission, look up the requested key in the key list corresponding to the target application and provide the key to the processing module.
The processing module 320 may be a central controller that performs general data processing, and the data security module 310 may be a security chip that performs key data processing.
The key storage device provided in this embodiment establishes, through the data security module 310, a key list for each application in which the keys of the respective application are stored, and receives, through the processing module 320, a request message for obtaining a key of a target application, the request message containing authorization access control information; the processing module 320 determines according to the authorization access control information whether the terminal device that sent the request message has key access permission, and when it determines that it does, the data security module 310 looks up the requested key in the key list corresponding to the target application and provides the key to the processing module 320. By handling key data separately from general data, and by storing and accessing the keys of multiple applications in isolation, the security of the keys is improved and key leakage is avoided.
Optionally, the request message further includes a virtual key mapping table;
Correspondingly, the data security module 310 may specifically be configured to:
extract the key ID information contained in the virtual key mapping table;
look up, according to the key ID information, the requested key in the key list corresponding to the target application.
Optionally, the authorization access control information includes first verification data;
Correspondingly, the processing module 320 may specifically be configured to:
compare the first verification data, or second verification data generated based on the first verification data, with the reserved check information of the target application, and determine after a successful comparison that the terminal device that sent the request message has key access permission.
Optionally, the first verification data includes one or more of:
the account and password information used to log in to the target application;
the device information of the terminal device on which the target application runs;
verification code information obtained through a preset communication channel.
Optionally, the processing module 320 may further be configured to:
display the key on the display screen of the key storage device; and/or
send the key to the terminal device so that the target application in the terminal device uses the key.
The above product can perform the method provided by any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to performing the method.
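The following Python model is an added example, not code from the patent or its assignee. It covers both the phone-and-bracelet scenario above (firmail_AccessCode, firmail_KeyChain and their hotmail counterparts) and the module split of this embodiment: a processing module compares second verification data derived from the access code with the application's reserved check information, and only then does a data security module look the key up by the key ID from the virtual key mapping table, inside that application's own key list. The SHA-256 derivation, the request message fields and the key IDs are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def derive_check(first_verification_data: str) -> str:
    """Second verification data generated from the first (SHA-256 is an assumption)."""
    return hashlib.sha256(first_verification_data.encode()).hexdigest()


@dataclass
class DataSecurityModule:
    """Models the security chip: one isolated key list (keychain) per application."""
    keychains: dict = field(default_factory=dict)  # app name -> {key ID: key}

    def create_keychain(self, app: str) -> None:
        self.keychains.setdefault(app, {})

    def store_key(self, app: str, key_id: str) -> str:
        key = secrets.token_hex(16)  # constructed user key
        self.keychains[app][key_id] = key
        return key

    def lookup(self, app: str, key_id: str):
        # Only the target application's own list is consulted, so a request made
        # in the name of one app can never reach another app's keychain.
        return self.keychains.get(app, {}).get(key_id)


@dataclass
class ProcessingModule:
    """Models the central controller: checks permission, then asks the security chip."""
    dsm: DataSecurityModule
    reserved_checks: dict = field(default_factory=dict)  # app -> reserved check info

    def register_app(self, app: str, access_code: str) -> None:
        # Binding phase: keep only the derived form as reserved check information.
        self.reserved_checks[app] = derive_check(access_code)
        self.dsm.create_keychain(app)

    def has_permission(self, app: str, access_code: str) -> bool:
        expected = self.reserved_checks.get(app)
        if expected is None:
            return False
        # Constant-time comparison of the derived (second) verification data.
        return hmac.compare_digest(expected, derive_check(access_code))

    def handle_request(self, request: dict):
        """Request message fields (assumed): target_app, access_code, virtual_key_map."""
        app = request["target_app"]
        if not self.has_permission(app, request["access_code"]):
            return None  # no key access permission: no key is provided
        key_id = request["virtual_key_map"]["key_id"]  # key ID from the mapping table
        return self.dsm.lookup(app, key_id)


def bind_phone_to_bracelet():
    """Constructed binding: firmail and hotmail each get their own code and keychain."""
    bracelet = ProcessingModule(DataSecurityModule())
    bracelet.register_app("firmail", "firmail_AccessCode")
    bracelet.register_app("hotmail", "hotmail_AccessCode")
    firmail_key = bracelet.dsm.store_key("firmail", "login_key")
    hotmail_key = bracelet.dsm.store_key("hotmail", "login_key")
    return bracelet, firmail_key, hotmail_key


def make_request(app: str, access_code: str, key_id: str) -> dict:
    """Builds the request message the terminal device would send (assumed layout)."""
    return {"target_app": app, "access_code": access_code,
            "virtual_key_map": {"key_id": key_id}}


if __name__ == "__main__":
    bracelet, firmail_key, _ = bind_phone_to_bracelet()
    own = bracelet.handle_request(make_request("firmail", "firmail_AccessCode", "login_key"))
    other = bracelet.handle_request(make_request("firmail", "hotmail_AccessCode", "login_key"))
    print("firmail gets its key:", own == firmail_key, "| hotmail code refused:", other is None)
```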
Embodiment Four
Fig. 4 is a structural schematic diagram of a terminal device provided in embodiment four of the present invention. With reference to Fig. 4, the terminal device includes a request generation module 410 and a request sending module 420; each module is described below.
The request generation module 410 is configured to generate, according to the key usage demand of a target application, a request message for obtaining the key of the target application, where the request message contains authorization access control information;
The request sending module 420 is configured to send the request message to a communicatively coupled key storage device, so that the key storage device determines according to the authorization access control information whether the terminal device that sent the request message has key access permission and, when it determines that the terminal device that sent the request message has key access permission, looks up the requested key in the key list corresponding to the target application and provides the key.
The terminal device provided in this embodiment, through the request generation module 410 and the request sending module 420, generates according to the key usage demand of the target application a request message for obtaining the key of the target application, the request message containing authorization access control information, and sends the request message to the communicatively coupled key storage device, so that the key storage device determines from the authorization access control information whether the sending terminal device has key access permission and, when it determines that it does, looks up the requested key in the key list corresponding to the target application and provides the key. By storing and accessing the keys of multiple applications in isolation, the security of the keys is improved and key leakage is avoided.
Optionally, the request message further includes a virtual key mapping table containing key ID information, for the key storage device to look up the requested key in the key list corresponding to the target application according to the key ID information.
The above product can perform the method provided by any embodiment of the present invention, and has the functional modules and beneficial effects corresponding to performing the method.
Note that the above are only preferred embodiments of the present invention and the technical principles applied. Those skilled in the art will appreciate that the invention is not limited to the specific embodiments described herein, and that various obvious changes, readjustments and substitutions can be made without departing from the scope of protection of the present invention. Therefore, although the present invention has been described in further detail by the above embodiments, the present invention is not limited to the above embodiments only; without departing from the inventive concept, it may also include other equivalent embodiments, and the scope of the invention is determined by the scope of the appended claims.

Claims (10)

1. A key protection method, characterized in that the method is applied to a key storage device in which a key list is established for each application, the key list being used to store the keys of the respective application, the method comprising:
receiving a request message for obtaining a key of a target application, the request message containing authorization access control information;
determining, according to the authorization access control information, whether the terminal device that sent the request message has key access permission;
if it is determined that the terminal device that sent the request message has key access permission, looking up the requested key in the key list corresponding to the target application and providing the key.
2. The method according to claim 1, characterized in that the key storage device includes a data security module, and the key list is stored in the data security module;
correspondingly, after it is determined that the terminal device that sent the request message has key access permission, the data security module determines the key list corresponding to the target application and looks up the requested key therein.
3. The method according to claim 1 or 2, characterized in that the request message further includes a virtual key mapping table;
and looking up the requested key in the key list corresponding to the target application comprises:
extracting the key ID information contained in the virtual key mapping table;
looking up, according to the key ID information, the requested key in the key list corresponding to the target application.
4. The method according to claim 1, characterized in that the authorization access control information includes first verification data;
correspondingly, determining according to the authorization access control information whether the terminal device that sent the request message has key access permission comprises:
comparing the first verification data, or second verification data generated based on the first verification data, with the reserved check information of the target application, and determining after a successful comparison that the terminal device that sent the request message has key access permission.
5. The method according to claim 4, characterized in that the first verification data includes one or more of:
the account and password information used to log in to the target application;
the device information of the terminal device on which the target application runs;
verification code information obtained through a preset communication channel.
6. The method according to claim 1, characterized in that providing the key comprises:
displaying the key on the display screen of the key storage device; and/or
sending the key to the terminal device, so that the target application in the terminal device uses the key.
7. A key protection method, characterized in that the method is applied to a terminal device and comprises:
generating, according to the key usage demand of a target application, a request message for obtaining the key of the target application, where the request message contains authorization access control information;
sending the request message to a communicatively coupled key storage device, so that the key storage device determines according to the authorization access control information whether the terminal device that sent the request message has key access permission and, when it determines that the terminal device that sent the request message has key access permission, looks up the requested key in the key list corresponding to the target application and provides the key.
8. The method according to claim 7, characterized in that the request message further includes a virtual key mapping table containing key ID information, for the key storage device to look up the requested key in the key list corresponding to the target application according to the key ID information.
9. A key storage device, characterized by comprising:
a data security module configured to store the key list of each application, the key list being used to store the keys of the respective application;
a processing module configured to receive, through a communication interface, a request message for obtaining a key of a target application, the request message containing authorization access control information, and to determine according to the authorization access control information whether the terminal device that sent the request message has key access permission;
the data security module being further configured to, when the processing module determines that the terminal device that sent the request message has key access permission, look up the requested key in the key list corresponding to the target application and provide the key to the processing module.
10. A terminal device, characterized by comprising:
a request generation module configured to generate, according to the key usage demand of a target application, a request message for obtaining the key of the target application, where the request message contains authorization access control information;
a request sending module configured to send the request message to a communicatively coupled key storage device, so that the key storage device determines according to the authorization access control information whether the terminal device that sent the request message has key access permission and, when it determines that the terminal device that sent the request message has key access permission, looks up the requested key in the key list corresponding to the target application and provides the key.
CN201811643238.0A 2018-12-29 2018-12-29 Cryptographic key protection method, cipher key storage device and terminal device Pending CN109639419A (en)


Publications (1)

Publication Number Publication Date
CN109639419A true CN109639419A (en) 2019-04-16

Family

ID=66054790



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190416