CN111464486A - Information interaction method and device and computing equipment - Google Patents

Info

Publication number
CN111464486A
Authority
CN
China
Prior art keywords
key
information
uuid
server
signature
Legal status
Granted
Application number
CN201910059455.3A
Other languages
Chinese (zh)
Other versions
CN111464486B (en)
Inventor
章伟明
于志斌
薛亮
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201910059455.3A
Publication of CN111464486A
Application granted
Publication of CN111464486B
Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method, a device and a computing device for information interaction, wherein the method comprises the following steps: the terminal equipment sends a registration request to a server; the server generates a unique identifier uuid of the terminal device according to the registration request, and generates a first key pair and a second key pair which are associated with the uuid, wherein the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of the server; the server encrypts the uuid, the first key pair and the second public key by using the first key to generate first encryption information, and sends a registration response carrying the first encryption information to the terminal equipment; and the terminal equipment encrypts the first encryption information by using a second key to generate second encryption information, and stores the second encryption information.

Description

Information interaction method and device and computing equipment
Technical Field
The present invention relates to the field of data communication, and in particular, to a method, an apparatus, and a computing device for information interaction between a terminal device and a server.
Background
Currently, with the rapid development of the Internet of Things and intelligent technology, smart devices such as smart speakers and various intelligent electronic devices that include an intelligent interaction module (e.g., mobile devices, smart televisions, smart refrigerators, etc.) have appeared on the market, but security problems have come with them.
Generally, the smart device and a server, such as a cloud server, communicate using asymmetric encryption, and the key information is stored in a persistent storage area of the smart device without any secure storage, which creates a security risk. In this situation, hackers and developers can easily crack the device, obtain the key information, and then attack and threaten the server side.
Disclosure of Invention
In view of the above problems, the present invention is proposed to provide a method, an apparatus and a computing device for information interaction between a terminal device and a server side, which overcome the above problems or at least partially solve the above problems.
According to one aspect of the invention, an information interaction method is provided, wherein terminal equipment sends a registration request to a server;
the server generates a unique identifier uuid of the terminal device according to the registration request, and generates a first key pair and a second key pair which are associated with the uuid, wherein the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of the server;
the server encrypts the uuid, the first key pair and the second public key by using the first key to generate first encryption information, and sends a registration response carrying the first encryption information to the terminal equipment;
and the terminal equipment encrypts the first encryption information by using a second key to generate second encryption information, and stores the second encryption information.
Optionally, in the information interaction method according to the present invention, the first key is a unique identifier corresponding to a chip type of the terminal device, and the second key is a unique identifier corresponding to a chip of the terminal device.
Optionally, in the information interaction method according to the present invention, the step of encrypting to generate the second encrypted information is performed in a trusted execution environment TEE of the terminal device.
Optionally, in the information interaction method according to the present invention, the storing the second encrypted information includes: and burning the second encryption information to a trusted storage area in the TEE.
Optionally, in the information interaction method according to the present invention, the method further includes: the terminal device decrypts the second encrypted information by using the second key to obtain the first encrypted information; the terminal device decrypts the first encrypted information by using the first key to obtain the uuid, the first key pair and the second public key; and the terminal device generates a first shared key for communicating with the server from the first private key and the second public key by using a key agreement algorithm.
Optionally, in the information interaction method according to the present invention, the method further includes: the terminal device sends a data request to the server, wherein the data request carries the uuid and a first signature, and the first signature is a signature obtained by calculating over the parameters of the data request with the first shared key; the server obtains the corresponding first public key and second private key according to the uuid, and generates a second shared key from the first public key and the second private key by using a key agreement algorithm; and the server calculates over the parameters of the data request with the second shared key to obtain a second signature, and verifies whether the data request is legitimate by comparing the first signature with the second signature.
Optionally, in the information interaction method according to the present invention, the key agreement algorithm includes a Curve25519 algorithm.
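The device and server halves of the data-request check described above, written out as an added example (it is not code from the patent). Assumptions: the "signature" is HMAC-SHA256 over a JSON canonicalization of the uuid and parameters, the uuid is a name-based uuid5, and the class, function and sample values are constructed for illustration; the AES wrapping of the registration bundle is omitted.

```python
import hashlib
import hmac
import json
import os
import uuid

P = 2**255 - 19                       # Curve25519 field prime
A24 = 121665                          # ladder constant from RFC 7748
BASE_POINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u_coord: bytes) -> bytes:
    """X25519 Montgomery ladder per RFC 7748 (readable, NOT constant-time;
    production code should call a vetted library)."""
    k_bytes = bytearray(scalar)
    k_bytes[0] &= 248                 # clamp the scalar
    k_bytes[31] &= 127
    k_bytes[31] |= 64
    k = int.from_bytes(k_bytes, "little")
    x1 = int.from_bytes(u_coord, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def shared_key(private_key: bytes, peer_public: bytes) -> bytes:
    """Key agreement; rejects the all-zero output a low-order public key yields."""
    secret = x25519(private_key, peer_public)
    if secret == bytes(32):
        raise ValueError("all-zero shared secret (low-order public key)")
    return secret


def sign_request(key: bytes, device_uuid: str, params: dict) -> str:
    # Assumption: HMAC-SHA256 over a canonical JSON form of uuid + parameters.
    canonical = json.dumps({"uuid": device_uuid, "params": params},
                           sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self._devices = {}            # uuid -> (A.publickey, B.privatekey)

    def register(self, mac: str, product_id: str) -> dict:
        # Name-based uuid: the same mac/product id always maps to the same uuid.
        device_uuid = str(uuid.uuid5(uuid.NAMESPACE_OID, f"{product_id}/{mac}"))
        a_priv, b_priv = os.urandom(32), os.urandom(32)
        a_pub, b_pub = x25519(a_priv, BASE_POINT), x25519(b_priv, BASE_POINT)
        self._devices[device_uuid] = (a_pub, b_priv)
        # The page sends this bundle encrypted under the first key; omitted here.
        return {"uuid": device_uuid, "A.privatekey": a_priv,
                "A.publickey": a_pub, "B.publickey": b_pub}

    def verify(self, device_uuid: str, params: dict, signature: str) -> bool:
        record = self._devices.get(device_uuid)
        if record is None:
            return False              # unknown uuid: nothing to derive a key from
        a_pub, b_priv = record
        expected = sign_request(shared_key(b_priv, a_pub), device_uuid, params)
        # Constant-time comparison of the first and second signatures.
        return hmac.compare_digest(expected.encode(), signature.encode())


def demo():
    server = Server()
    # Constructed sample values, not taken from the page.
    bundle = server.register("00:11:22:33:44:55", "product-0001")
    device_key = shared_key(bundle["A.privatekey"], bundle["B.publickey"])
    # A timestamp or nonce among the parameters is what limits replay.
    params = {"action": "get_config", "ts": 1700000000}
    signature = sign_request(device_key, bundle["uuid"], params)
    accepted = server.verify(bundle["uuid"], params, signature)
    tampered = server.verify(bundle["uuid"],
                             {**params, "action": "factory_reset"}, signature)
    return accepted, tampered


if __name__ == "__main__":
    print(demo())
```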
According to another aspect of the present invention, there is also provided an information interaction method, including:
sending a registration request to a server;
receiving a registration response which is sent by a server and carries first encryption information, wherein the first encryption information is generated by encrypting a unique identifier uuid, a first key pair and a second public key of a terminal device by using a first key, the uuid is associated with the first key pair and the second key pair, the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of the server;
and encrypting the first encryption information by using a second key to generate second encryption information, and storing the second encryption information.
Optionally, in the information interaction method according to the present invention, the first key is a unique identifier corresponding to a chip type of the terminal device, and the second key is a unique identifier corresponding to a chip of the terminal device.
Optionally, in the information interaction method according to the present invention, the step of encrypting to generate the second encrypted information is performed in a trusted execution environment TEE of the terminal device.
Optionally, in the information interaction method according to the present invention, the storing the second encrypted information includes: and burning the second encryption information to a trusted storage area in the TEE.
Optionally, in the information interaction method according to the present invention, the method further includes: decrypting the second encrypted information by using the second key to obtain the first encrypted information; decrypting the first encrypted information by using the first key to obtain the uuid, the first key pair and the second public key; and generating a first shared key for communicating with the server from the first private key and the second public key by using a key agreement algorithm.
Optionally, in the information interaction method according to the present invention, the method further includes: and sending a data request to a server, wherein the data request carries the uuid and a first signature, and the first signature is a signature obtained by calculating the parameters of the data request according to the first shared key.
Optionally, in the information interaction method according to the present invention, the key agreement algorithm includes a Curve25519 algorithm.
According to another aspect of the present invention, there is also provided an information interaction method, including:
receiving a registration request sent by a terminal device, generating a unique identifier uuid of the terminal device according to the registration request, and generating a first key pair and a second key pair associated with the uuid, wherein the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of a server side;
encrypting the uuid, the first key pair and the second public key by using a first key to generate first encryption information;
and sending a registration response carrying the first encryption information to the terminal equipment.
Optionally, in the information interaction method according to the present invention, the first key is a unique identifier corresponding to a chip type of the terminal device.
Optionally, in the information interaction method according to the present invention, the method further includes: receiving a data request sent by a terminal device, wherein the data request carries a uuid and a first signature, the first signature is a signature obtained by calculating over the parameters of the data request with a first shared key, and the first shared key is a key generated from the first private key and the second public key by using a key agreement algorithm; and acquiring the corresponding first public key and second private key according to the uuid, generating a second shared key from the first public key and the second private key by using a key agreement algorithm, calculating over the parameters of the data request with the second shared key to obtain a second signature, and verifying whether the data request is legitimate by comparing the first signature with the second signature.
Optionally, in the information interaction method according to the present invention, the key agreement algorithm includes a Curve25519 algorithm.
According to another aspect of the present invention, there is also provided an information interaction apparatus, including:
the registration request module is suitable for sending a registration request to the server;
the first receiving module is suitable for receiving a registration response which is sent by a server and carries first encryption information, wherein the first encryption information is information generated by encrypting a unique identifier uuid, a first key pair and a second public key of a terminal device by using a first key, the uuid is associated with the first key pair and the second key pair, the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of the server;
and the first encryption module is suitable for encrypting the first encryption information by using a second key to generate second encryption information and storing the second encryption information.
Optionally, in the information interaction apparatus according to the present invention, further comprising: the first decryption module is suitable for decrypting the second encrypted information by using the second key to obtain the first encrypted information, and decrypting the first encrypted information by using the first key to obtain the uuid, the first key pair and the second public key; and the first negotiation module is suitable for generating a first shared key for communicating with the server from the first private key and the second public key by using a key agreement algorithm.
Optionally, in the information interaction apparatus according to the present invention, further comprising: and the data request module is suitable for sending a data request to a server, wherein the data request carries the uuid and a first signature, and the first signature is a signature obtained by calculating the parameters of the data request according to the first shared key.
According to another aspect of the present invention, there is also provided an information interaction apparatus, including:
the second receiving module is suitable for receiving a registration request sent by the terminal equipment, wherein the registration request at least carries the physical address of the terminal equipment;
the registration processing module is suitable for generating a unique identifier uuid of the terminal device according to the registration request, generating a first key pair and a second key pair which are associated with the uuid, wherein the first key pair comprises a first private key and a first public key of the terminal device, the second key pair comprises a second private key and a second public key of the server, and encrypting the uuid, the first key pair and the second public key by using the first key to generate first encryption information;
and the registration response module is suitable for sending a registration response carrying the first encryption information to the terminal equipment.
Optionally, in the information interaction apparatus according to the present invention, further comprising: a third receiving module, adapted to receive a data request sent by a terminal device, where the data request carries a uuid and a first signature, the first signature is a signature obtained by calculating over the parameters of the data request with a first shared key, and the first shared key is a key generated from the first private key and the second public key by using a key agreement algorithm; the second negotiation module is suitable for acquiring the corresponding first public key and second private key according to the uuid, and generating a second shared key from the first public key and the second private key by using a key agreement algorithm; and the request processing module is suitable for calculating over the parameters of the data request with the second shared key to obtain a second signature, and verifying whether the data request is legitimate by comparing the first signature with the second signature.
According to yet another aspect of the present invention, there is also provided a computing device comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for performing any of the methods described above.
According to yet another aspect of the invention, there is also provided a computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform any of the methods according to the above.
According to the information interaction scheme provided by the embodiment of the invention, information is processed using two pairs of asymmetric keys, which can effectively confuse an attacker and improves the security of the terminal device.
Further, the TEE is used to perform the operations involving key information: all confidential information is processed entirely within the TEE, and outer-layer software can obtain only the final signed data, not the intermediate data, so the scheme is difficult to crack. Moreover, even if a key is intercepted, cracking is made more difficult still, because the key finally used is not that key but a new shared key produced by key agreement.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 shows a block diagram of an information interaction system 100, according to one embodiment of the invention;
FIG. 2 shows a schematic diagram of a computing device 200, according to one embodiment of the invention;
FIG. 3 shows a flow diagram of an information interaction method 300 according to one embodiment of the invention;
FIG. 4 shows a flow diagram of an information interaction method 400 according to another embodiment of the invention;
FIG. 5 shows a schematic diagram of an information interaction device 500, according to one embodiment of the invention;
FIG. 6 shows a schematic diagram of an information interaction device 600 according to another embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 shows a schematic diagram of an information interaction system 100, according to one embodiment of the invention. As shown in fig. 1, the information interaction system 100 includes terminal devices 110 (2 are shown in the figure) and a server 120. It should be noted that the information interaction system 100 shown in fig. 1 is only an example, and those skilled in the art can understand that, in practical applications, the information interaction system 100 generally includes a plurality of terminal devices 110 and servers 120, and the present invention does not limit the number of the terminal devices 110 and the servers 120 included in the information interaction system 100.
The terminal device 110 may be various intelligent electronic devices, such as a smart speaker, a smart robot, a smart appliance (including a smart television, a smart refrigerator, a smart microwave oven, etc.), but is not limited thereto. The server 120, which may be, for example, a cloud server physically located at one or more sites, communicates with the terminal device 110 over a network.
It should be noted that in other embodiments according to the present invention, the server 120 may also be implemented as other electronic devices connected to the terminal device 110 via a network (e.g., other computing devices in an internet of things environment). The server 120 can even be implemented as the terminal device 110 itself when the terminal device 110 (e.g., smart speaker) has sufficient storage space and computing power.
According to an embodiment of the present invention, the terminal device 110 and the server 120 may each be implemented by the computing device 200 as described below. FIG. 2 shows a schematic diagram of a computing device 200, according to one embodiment of the invention. As shown in FIG. 2, in a basic configuration 202, a computing device 200 typically includes a system memory 206 and one or more processors 204. A memory bus 208 may be used for communication between the processor 204 and the system memory 206.
Depending on the desired configuration, the processor 204 may be any type of processor, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. The processor 204 may include one or more levels of cache, such as a level one cache 210 and a level two cache 212, a processor core 214, and registers 216. The example processor core 214 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 218 may be used with the processor 204 or, in some implementations, the memory controller 218 may be an internal part of the processor 204.
Depending on the desired configuration, system memory 206 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 206 may include an operating system 220, one or more applications 222, and program data 224. The application 222 is actually a plurality of program instructions that direct the processor 204 to perform corresponding operations. In some embodiments, application 222 may be arranged to cause processor 204 to operate with program data 224 on an operating system.
Computing device 200 may also include an interface bus 240 that facilitates communication from various interface devices (e.g., output devices 242, peripheral interfaces 244, and communication devices 246) to the basic configuration 202 via the bus/interface controller 230. The example output device 242 includes a graphics processing unit 248 and an audio processing unit 250. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more A/V ports 252. Example peripheral interfaces 244 can include a serial interface controller 254 and a parallel interface controller 256, which can be configured to facilitate communications with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 258. An example communication device 246 may include a network controller 260, which may be arranged to facilitate communications with one or more other computing devices 262 over a network communication link via one or more communication ports 264.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
In the computing device 200 according to the present invention, the application 222 comprises the information interaction apparatus 500 or 600, and the apparatus 500 or 600 comprises a plurality of program instructions that can instruct the processor 204 to perform the information interaction method 300 or 400.
FIG. 3 shows a flow diagram of an information interaction method 300 according to one embodiment of the invention. The method 300 is suitable for execution in a computing device, such as the computing device 200 described above. Before the terminal device leaves the factory, a manufacturer of the terminal device needs to register the terminal device at the server, and the method 300 is a registration process of the terminal device. As shown in fig. 3, the method 300 begins at step S310. In step S310, the terminal device sends a registration request to the server to obtain a unique identifier (uuid) of the terminal device and related key information from the server. The registration request may carry a product identifier (product id) and a physical address (mac address) of the terminal device.
The terminal device has internet access capability and has its own physical address (mac address) for defining the location of the device in the network. In addition, the terminal device is a hardware device, and a chip (IC) is used inside the terminal device, and the chip has a globally unique identifier (unique key).
In the embodiment of the present invention, before registering a terminal device, a manufacturer may provide a chip type (chip model) used by a batch of terminal devices to a server in advance, and then the server may assign a unique identifier (vendor key) to the chip type, that is, the terminal devices using the same chip type also have the same vendor key, and the vendor writes the vendor key into the chip of the terminal device. In one implementation, the write operation is executed in a Trusted Execution Environment (TEE) of the terminal device, and the vendor key is written into a trusted storage area in the TEE, so that the cpu code of the terminal device cannot acquire the vendor key. In addition, the server assigns a product identifier (product id) to each terminal device in the batch of terminal devices, and provides the product identifier to the manufacturer. Therefore, the server can determine the vendor key of the terminal equipment according to the product identification.
After the server receives the registration request sent by the terminal device, the method 300 proceeds to step S320. In step S320, in response to the registration request, the server generates a unique identifier (uuid) of the terminal device and two pairs of asymmetric keys, and stores uuid and the two pairs of asymmetric keys in association with each other. The two pairs of asymmetric keys are respectively a first key pair and a second key pair, the first key pair comprises a first private key and a first public key of the terminal equipment, and the second key pair comprises a second private key and a second public key of the server.
There are various algorithms for generating uuid, including name-based algorithm, node-based algorithm, random number-based algorithm, time-based algorithm, and the like. For example, the server may generate the uuid according to the mac address of the terminal, or may generate the uuid according to the mac address and the product id of the terminal, and generate the uuid in an idempotent manner. Subsequently, the uuid is carried by the terminal device when the terminal device communicates with the server, and the uuid does not need to be encrypted in the communication process.
Asymmetric encryption is a scheme in which the encrypting party and the decrypting party use different keys for encryption and decryption; the keys are divided into public keys and private keys. In the embodiment of the present invention, the two pairs of asymmetric keys generated by the server are used for the terminal device and the server, respectively, where the first key pair (key pair A) is the device-side key pair, and the second key pair (key pair B) is the server-side key pair. Key pair A is expressed, for example, as A (A.privateKey, A.publicKey), where A.privateKey is the first private key and A.publicKey is the first public key. Key pair B is expressed, for example, as B (B.privateKey, B.publicKey), where B.privateKey is the second private key and B.publicKey is the second public key.
Subsequently, in step S330, the server issues the uuid, the key pair A, and the public key of the key pair B to the terminal device through the registration response, that is, the server issues (uuid, A.privateKey, A.publicKey, B.publicKey) to the terminal device.
In the embodiment of the present invention, the server encrypts this information before sending it to the terminal device. The encryption may be symmetric encryption, for example using the Advanced Encryption Standard (AES). The key used for encryption (the first key) is, for example, the vendor key of the terminal device, that is, the unique identifier corresponding to the chip type of the terminal device. As described above, the server can determine the vendor key of the terminal device according to the product id carried in the registration request. The AES encryption may be expressed as AES (uuid, A.privateKey, A.publicKey, B.publicKey, vendor key) -> SS, and the obtained first encryption information is denoted SS.
After the terminal device receives the registration response sent by the server, the method 300 proceeds to step S340. In step S340, the terminal device encrypts the first encryption information by using a second key (e.g., a unique identifier unique key corresponding to a chip of the terminal device) to generate second encryption information, and stores the second encryption information.
The terminal device may encrypt the first encrypted information again using symmetric encryption, and the encryption is performed in a Trusted Execution Environment (TEE). For example, the encryption uses the AES algorithm with the unique key as the key, which may be expressed as AES (SS, unique key) -> BB, and the obtained second encryption information is denoted BB. The second encryption information BB is then burned into a trusted storage area of the terminal device.
Here, the TEE technique is briefly described. The TEE stores sensitive information such as the user's identity, keys and certificates in a secure area, which can only be accessed or modified by trusted applications authorized by the TEE, and provides encryption and integrity protection mechanisms for the handling of these sensitive information. Meanwhile, the secret key stored in the TEE can be used for encrypting the information of the user under the common execution environment, such as sensitive information of an address list, a short message and the like, so that the safety of the sensitive information stored under the common execution environment is ensured.
The terminal equipment can be provided for the user to use after the registration is completed at the server side. When the user uses the terminal device, the user can carry out encryption communication with the server side through the second encryption information stored in the terminal device, and various service functions of the terminal device are realized.
FIG. 4 shows a flow diagram of an information interaction method 400 according to one embodiment of the invention. The method 400 is suitable for execution in a computing device, such as the computing device 200 described above. As shown in FIG. 4, the method 400 begins at step S410. In step S410, the terminal device decrypts the second encrypted information by using the second key to obtain the first encrypted information.
When a user receives the terminal device and wants to activate and use it, the device first performs a first decryption, that is, it decrypts the second encrypted information BB into the first encrypted information SS using the unique key. This process can be executed in the TEE, and the decryption may be expressed as de_AES (unique key, BB) -> SS, that is, SS is obtained by AES decryption.
In step S420, the terminal device decrypts the first encrypted information by using the first key to obtain uuid, the first key pair, and the second public key.
After SS is obtained, a second AES decryption is performed using the vendor key, which may be expressed as de_AES (vendor key, SS) -> (uuid, A.privateKey, A.publicKey, B.publicKey). This yields the original uuid and key information; this step can also be performed in the TEE.
In step S430, the terminal device generates a first shared key for communicating with the server according to the first private key and the second public key by using a key agreement algorithm. Various key agreement algorithms may be employed to generate the shared key, such as the Curve25519 algorithm.
The Curve25519 algorithm is currently the highest-level Diffie-Hellman function, is suitable for a wide range of scenarios, and was designed by Professor Daniel J. Here, the shared key (shareKey) is generated using the local private key and the cloud public key, which may be expressed as Curve25519 (A.privateKey, B.publicKey) -> shareKey. After the shareKey is obtained, it can be used for signing during communication between the device side and the server side.
In step S440, the terminal device sends a data request to the server, where the data request carries the uuid and the first signature.
The terminal device can send various data requests to the server to request the server to perform corresponding service processing. In the embodiment of the present invention, on one hand, the requested content may be encrypted by using the first shared key, and on the other hand, the data request may also carry signature information (the first signature) and the uuid (unencrypted). Specifically, the first signature may be obtained by calculating the parameters of the data request according to the first shared key, that is, the request parameters are signed with the shareKey to obtain the first signature SA.
After the server receives the data request sent by the terminal device, the method 400 proceeds to step S450. In step S450, the server obtains the uuid from the data request, then obtains the corresponding first public key and second private key according to the uuid, and generates a second shared key according to the first public key and the second private key by using a key agreement algorithm.
As described above, the server stores the correspondence between the uuid and the first and second key pairs, so the first key pair used by the device and the second key pair used by the server can be looked up by uuid, and the server-side private key and the device-side public key, i.e., (B.privateKey, A.publicKey), are obtained from them. From the server-side private key and the device-side public key, a key agreement algorithm such as the Curve25519 algorithm is used to calculate the second shared key, expressed as Curve25519 (B.privateKey, A.publicKey) -> shareKey.
In step S460, the server calculates the parameter of the data request according to the second shared key to obtain a second signature, and verifies whether the data request is legal by comparing the first signature and the second signature.
The server performs the signature calculation on the request parameters using its local shareKey to obtain a second signature SB, and compares SB with the signature SA carried by the data request. If the two signatures are consistent, the request is a correct request and the server performs correct service processing; otherwise, the request is an illegal request and the server rejects it.
In step S470, the server returns a data response to the client, that is, returns a corresponding response result after performing service processing according to the data request.
FIG. 5 shows a schematic diagram of an information interaction device 500, according to one embodiment of the invention. The apparatus 500 is adapted to perform corresponding processing at the terminal device side during the information interaction process. Referring to FIG. 5, the apparatus 500 includes:
a registration request module 510, adapted to send a registration request to the server;
a first receiving module 520, adapted to receive a registration response carrying first encrypted information sent by a server, where the first encrypted information is information generated by encrypting, by using a first key, a unique identifier uuid of a terminal device, a first key pair, and a second public key, where uuid is associated with the first key pair and the second key pair, the first key pair includes a first private key and a first public key of the terminal device, and the second key pair includes a second private key and a second public key of the server;
the first encryption module 530 is adapted to encrypt the first encrypted information by using a second key to generate second encrypted information, and store the second encrypted information.
In one embodiment, the apparatus 500 further comprises:
a first decryption module 540, adapted to decrypt the second encrypted information by using the second key to obtain first encrypted information, and decrypt the first encrypted information by using the first key to obtain uuid, the first key pair, and the second public key;
the first negotiation module 550 is adapted to generate a first shared key for communicating with the server according to the first private key and the second public key by using a key negotiation algorithm.
In one embodiment, the apparatus 500 further comprises:
the data request module 560 is adapted to send a data request to a server, where the data request carries a uuid and a first signature, and the first signature is a signature obtained by calculating a parameter of the data request according to the first shared key.
FIG. 6 shows a schematic diagram of an information interaction device 600 according to another embodiment of the invention. The device 600 is adapted to perform corresponding processing of the server side in the information interaction process. Referring to FIG. 6, the apparatus 600 includes:
a second receiving module 610, adapted to receive a registration request sent by a terminal device, where the registration request at least carries a physical address of the terminal device;
a registration processing module 620, adapted to generate a unique identifier uuid of the terminal device according to the registration request, and generate a first key pair and a second key pair associated with uuid, where the first key pair includes a first private key and a first public key of the terminal device, the second key pair includes a second private key and a second public key of the server, and encrypt the uuid, the first key pair, and the second public key by using the first key to generate first encrypted information;
the registration response module 630 is adapted to send a registration response carrying the first encryption information to the terminal device.
In one embodiment, the apparatus 600 further comprises:
a third receiving module 640, adapted to receive a data request sent by a terminal device, where the data request carries a uuid and a first signature, where the first signature is a signature obtained by calculating a parameter of the data request according to a first shared key, and the first shared key is a secret key generated according to a first private key and a second public key by using a key agreement algorithm;
the second negotiation module 650 is adapted to obtain the corresponding first public key and second private key according to the uuid, and generate a second shared key according to the first public key and the second private key by using a key negotiation algorithm;
the request processing module 660 is adapted to calculate the parameter of the data request according to the second shared key to obtain a second signature, and verify whether the data request is legal by comparing the first signature with the second signature.
It should be noted that, for specific operations performed by each module in the apparatus 500 and the apparatus 600, reference may be made to the method 300 and the method 400, which are not described herein again.
The embodiment of the invention also provides an intelligent sound box (smart speaker), which comprises a voice interaction module and the information interaction device 500, wherein the voice interaction module can receive a voice instruction sent by a user and return voice or non-voice information to the user. For example, the user may instruct the smart speaker by voice to perform certain functions, such as surfing the internet, ordering songs, shopping, learning about weather forecasts, controlling other smart home devices in the home, and so forth. A typical voice interaction module includes a voice input unit such as a microphone, a voice output unit such as a speaker, and a processor.
In some scenarios, the smart speaker needs to register at the server, and the server assigns a device unique identifier (uuid) and related key information to the smart speaker. After the registration is completed, the intelligent sound box carries out encryption communication with the server based on the key distributed by the server. The above-mentioned registration process and the encrypted communication process can be performed by the information interaction device 500 in the smart speaker.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.

Claims (25)

1. An information interaction method comprises the following steps:
the terminal equipment sends a registration request to a server;
the server generates a unique identifier uuid of the terminal device according to the registration request, and generates a first key pair and a second key pair which are associated with the uuid, wherein the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of the server;
the server encrypts the uuid, the first key pair and the second public key by using the first key to generate first encryption information, and sends a registration response carrying the first encryption information to the terminal equipment;
and the terminal equipment encrypts the first encryption information by using a second key to generate second encryption information, and stores the second encryption information.
2. The information interaction method as claimed in claim 1, wherein the first key is a unique identifier corresponding to a chip type of the terminal device, and the second key is a unique identifier corresponding to a chip of the terminal device.
3. The information interaction method according to claim 1, wherein the step of encrypting to generate the second encrypted information is performed in a trusted execution environment TEE of the terminal device.
4. The information interaction method of claim 3, wherein the storing the second encryption information comprises: burning the second encryption information to a trusted storage area in the TEE.
5. The information interaction method of claim 1, further comprising:
the terminal equipment decrypts the second encrypted information by using a second key to obtain first encrypted information;
the terminal equipment decrypts the first encrypted information by using the first secret key to obtain the uuid, the first secret key pair and the second public key;
and the terminal equipment generates a first shared key for communicating with the server according to the first private key and the second public key by adopting a key negotiation algorithm.
6. The information interaction method of claim 5, further comprising:
the terminal equipment sends a data request to a server, wherein the data request carries a uuid and a first signature, and the first signature is a signature obtained by calculating parameters of the data request according to the first shared key;
the server side obtains a corresponding first public key and a corresponding second private key according to the uuid, and generates a second shared key according to the first public key and the second private key by adopting a key negotiation algorithm;
and the server calculates the parameters of the data request according to the second shared secret key to obtain a second signature, and verifies whether the data request is legal or not by comparing the first signature with the second signature.
7. The information interaction method as claimed in claim 5 or 6, wherein the key agreement algorithm comprises the Curve25519 algorithm.
8. An information interaction method comprises the following steps:
sending a registration request to a server;
receiving a registration response which is sent by a server and carries first encryption information, wherein the first encryption information is generated by encrypting a unique identifier uuid, a first key pair and a second public key of a terminal device by using a first key, the uuid is associated with the first key pair and the second key pair, the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of the server;
and encrypting the first encryption information by using a second key to generate second encryption information, and storing the second encryption information.
9. The information interaction method as claimed in claim 8, wherein the first key is a unique identifier corresponding to a chip type of the terminal device, and the second key is a unique identifier corresponding to a chip of the terminal device.
10. The information interaction method according to claim 8, wherein the step of encrypting to generate the second encrypted information is performed in a trusted execution environment TEE of the terminal device.
11. The information interaction method of claim 10, wherein the storing the second encryption information comprises: burning the second encryption information to a trusted storage area in the TEE.
12. The information interaction method of claim 8, further comprising:
decrypting the second encrypted information by using a second key to obtain first encrypted information;
decrypting the first encrypted information by using a first key to obtain the uuid, a first key pair and a second public key;
and generating a first shared key for communicating with the server side according to the first private key and the second public key by adopting a key negotiation algorithm.
13. The information interaction method of claim 12, further comprising:
and sending a data request to a server, wherein the data request carries the uuid and a first signature, and the first signature is a signature obtained by calculating the parameters of the data request according to the first shared key.
14. The information interaction method as claimed in claim 12 or 13, wherein the key agreement algorithm comprises Curve25519 algorithm.
15. An information interaction method comprises the following steps:
receiving a registration request sent by a terminal device, generating a unique identifier uuid of the terminal device according to the registration request, and generating a first key pair and a second key pair associated with the uuid, wherein the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of a server side;
encrypting the uuid, the first key pair and the second public key by using a first key to generate first encryption information;
and sending a registration response carrying the first encryption information to the terminal equipment.
16. The information interaction method as claimed in claim 15, wherein the first key is a unique identifier corresponding to a chip type of the terminal device.
17. The information interaction method of claim 15, further comprising:
receiving a data request sent by a terminal device, wherein the data request carries a uuid and a first signature, the first signature is a signature obtained by calculating parameters of the data request according to a first shared key, and the first shared key is a secret key generated according to a first private key and a second public key by adopting a key negotiation algorithm;
and acquiring a corresponding first public key and a second private key according to the uuid, generating a second shared key according to the first public key and the second private key by adopting a key agreement algorithm, calculating parameters of the data request according to the second shared key to obtain a second signature, and verifying whether the data request is legal or not by comparing the first signature with the second signature.
18. The information interaction method as claimed in claim 17, wherein the key agreement algorithm comprises a Curve25519 algorithm.
19. An information interaction device, comprising:
the registration request module is suitable for sending a registration request to the server;
the first receiving module is suitable for receiving a registration response which is sent by a server and carries first encryption information, wherein the first encryption information is information generated by encrypting a unique identifier uuid, a first key pair and a second public key of a terminal device by using a first key, the uuid is associated with the first key pair and the second key pair, the first key pair comprises a first private key and a first public key of the terminal device, and the second key pair comprises a second private key and a second public key of the server;
and the first encryption module is suitable for encrypting the first encryption information by using a second key to generate second encryption information and storing the second encryption information.
20. The information interaction apparatus of claim 19, further comprising:
the first decryption module is suitable for decrypting the second encrypted information by using a second secret key to obtain first encrypted information, and decrypting the first encrypted information by using a first secret key to obtain the uuid, a first secret key pair and a second public key;
and the first negotiation module is suitable for generating a first shared key for communicating with the server side according to the first private key and the second public key by adopting a key negotiation algorithm.
21. The information interaction apparatus of claim 20, further comprising:
and the data request module is suitable for sending a data request to a server, wherein the data request carries the uuid and a first signature, and the first signature is a signature obtained by calculating the parameters of the data request according to the first shared key.
22. An information interaction device, comprising:
the second receiving module is suitable for receiving a registration request sent by the terminal equipment, wherein the registration request at least carries the physical address of the terminal equipment;
the registration processing module is suitable for generating a unique identifier uuid of the terminal device according to the registration request, generating a first secret key pair and a second secret key pair which are associated with the uuid, wherein the first secret key pair comprises a first private key and a first public key of the terminal device, the second secret key pair comprises a second private key and a second public key of the server, and encrypting the uuid, the first secret key pair and the second public key by using the first secret key to generate first encryption information;
and the registration response module is suitable for sending a registration response carrying the first encryption information to the terminal equipment.
23. The information interaction apparatus of claim 22, further comprising:
a third receiving module, adapted to receive a data request sent by a terminal device, where the data request carries a uuid and a first signature, the first signature is a signature obtained by calculating parameters of the data request according to a first shared key, and the first shared key is a secret key generated according to a first private key and a second public key by using a key agreement algorithm;
the second negotiation module is suitable for acquiring a corresponding first public key and a second private key according to the uuid, and generating a second shared key according to the first public key and the second private key by adopting a key negotiation algorithm;
and the request processing module is suitable for calculating the parameters of the data request according to the second shared key to obtain a second signature, and verifying whether the data request is legal or not by comparing the first signature with the second signature.
24. A computing device, comprising:
one or more processors;
a memory; and
one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs comprising instructions for performing any of the methods of claims 8-14, or performing any of the methods of claims 15-18.
25. A computer readable storage medium storing one or more programs, the one or more programs comprising instructions, which when executed by a computing device, cause the computing device to perform any of the methods of claims 8-14 or to perform any of the methods of claims 15-18.
CN201910059455.3A 2019-01-22 2019-01-22 Information interaction method and device and computing equipment Active CN111464486B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910059455.3A CN111464486B (en) 2019-01-22 2019-01-22 Information interaction method and device and computing equipment

Publications (2)

Publication Number Publication Date
CN111464486A true CN111464486A (en) 2020-07-28
CN111464486B CN111464486B (en) 2023-04-07

Family

ID=71683059

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910059455.3A Active CN111464486B (en) 2019-01-22 2019-01-22 Information interaction method and device and computing equipment

Country Status (1)

Country Link
CN (1) CN111464486B (en)

Also Published As

Publication number Publication date
CN111464486B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
CN111464486B (en) Information interaction method and device and computing equipment
KR102451109B1 (en) Generate key proofs that provide device anonymity
JP6547079B1 (en) Registration / authorization method, device and system
US7574747B2 (en) Proximity detection employed in connection with rights management system or the like
TWI734854B (en) Information security verification method, device and system
US9697371B1 (en) Remote authorization of usage of protected data in trusted execution environments
CN106487765B (en) Authorized access method and device using the same
CN112182550A (en) Authorization method, authorization system, activation device and computing equipment for application program
CN112187803B (en) Remote cryptographic service of TPM using server
TW201814578A (en) Data security protection system, method and device wherein a shared quantum key is negotiated by the server and the trusted user terminal to exchange data therebetween
JP4740885B2 (en) Method and apparatus for roaming and using DRM content on a device in a remote domain
US10454910B2 (en) Management apparatus, computer program product, system, device, method, information processing apparatus, and server
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
US9749130B2 (en) Distributing keys for decrypting client data
JP2005102163A (en) Equipment authentication system, server, method and program, terminal and storage medium
WO2024031868A1 (en) Attribute encryption-based device security authentication method and related apparatus thereof
CN111510426A (en) Internet of things distribution network encryption method, device and system, electronic equipment and storage medium
CN116847341A (en) Network connection method, terminal, network equipment to be distributed and storage medium
CN106992978B (en) Network security management method and server
CN107026730B (en) Data processing method, device and system
WO2021082222A1 (en) Communication method and apparatus, storage method and apparatus, and operation method and apparatus
CN110659474B (en) Inter-application communication method, device, terminal and storage medium
US20050021469A1 (en) System and method for securing content copyright
WO2023284691A1 (en) Account opening method, system, and apparatus
US8755521B2 (en) Security method and system for media playback devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant