CN114499888A - Private key protection and analysis method and device for signature service - Google Patents
Private key protection and analysis method and device for signature service Download PDFInfo
- Publication number
- CN114499888A CN114499888A CN202210146909.2A CN202210146909A CN114499888A CN 114499888 A CN114499888 A CN 114499888A CN 202210146909 A CN202210146909 A CN 202210146909A CN 114499888 A CN114499888 A CN 114499888A
- Authority
- CN
- China
- Prior art keywords
- private key
- hardware code
- encryption factor
- hash value
- authorization
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 6
- 238000013475 authorization Methods 0.000 claims abstract description 89
- 238000000034 method Methods 0.000 claims abstract description 39
- 238000012795 verification Methods 0.000 claims description 16
- 238000012423 maintenance Methods 0.000 claims description 12
- 230000004931 aggregating effect Effects 0.000 claims description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/72—Signcrypting, i.e. digital signing and encrypting simultaneously
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The application provides a private key protection and analysis method and device. Compared with the prior art, this application is through obtaining the hardware code ciphertext that signature service equipment sent, wherein, the hardware code ciphertext is passed through signature service equipment confirms after encrypting the hardware code based on first encryption factor, and based on first encryption factor is right hardware code ciphertext deciphering is confirmed to correspond the hardware code to obtain the hardware code hash value that the hardware code corresponds and will hardware code hash value sends private key authorization equipment, so that private key authorization equipment is based on hardware code hash value generates corresponding random encryption factor, then, receives the random encryption factor that private key authorization equipment sent, and based on first encryption factor, random encryption factor and the hardware code generates the pseudo-private key package, wherein, pass through the pseudo-private key package can confirm the corresponding private key that is used for the signature. By the method, safety risks caused by human intervention can be avoided, and the private key is prevented from being leaked.
Description
Technical Field
The application relates to the technical field of computers, in particular to a private key protection and analysis technology for signature service.
Background
Large systems in the field of existing blockchains are typically built in a distributed service manner, wherein a signature service component for message signature of the blockchain is indispensable. In a conventional system, in order to ensure the security of the private key, the private key is encrypted, and this processing method prevents the risk that the private key is directly exposed, but still has the following problems:
firstly, the operation and maintenance personnel directly grasp the condition of the source code and can find the source code or restore the secret key of the encrypted signature private key so as to decrypt the encrypted private key;
secondly, the operation and maintenance personnel can directly redeploy the signature service under the condition that the operation and maintenance personnel cannot master the source code, so that the illegal signature service is provided.
The above human-induced security risks cannot be avoided in the conventional system, and therefore, how to avoid the above security risks becomes an urgent problem to be solved.
Disclosure of Invention
The application aims to provide a private key protection and analysis method and device for signature service.
According to one aspect of the application, a private key protection method for signature service at a private key management device is provided, wherein the method comprises the following steps:
acquiring a hardware code ciphertext sent by signature service equipment, wherein the hardware code ciphertext is determined by encrypting a hardware code by the signature service equipment based on a first encryption factor;
decrypting the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and acquiring a hardware code hash value corresponding to the hardware code;
sending the hardware code hash value to a private key authorization device so that the private key authorization device generates a corresponding random encryption factor based on the hardware code hash value;
and receiving a random encryption factor sent by the private key authorization device, and generating a pseudo private key packet based on the first encryption factor, the random encryption factor and the hardware code, wherein a corresponding private key for signature can be determined through the pseudo private key packet.
Further, wherein the sending the hardware code hash value to a private key authorization device comprises:
and sending the hardware code hash value and the administrator authorization code to a private key authorization device so that the private key authorization device verifies based on the administrator authorization code and generates a corresponding random encryption factor based on the hardware code hash value after the verification is passed.
Further, wherein the generating a pseudo private key package based on the first encryption factor, a random encryption factor, and the hardware code:
aggregating the first encryption factor, the random encryption factor and the hardware code to generate an encryption key of a signature private key package;
generating a plurality of private keys based on the encryption key using a pseudorandom seed based on a preset rule;
and generating a pseudo private key packet based on the pseudo random seeds corresponding to the plurality of private keys, the public key of the private key and a preset rule.
According to another aspect of the present application, there is also provided a private key protection method for signing services at a private key authorization device side, where the method includes:
receiving a hardware code hash value sent by private key management equipment, wherein the hardware code hash value is determined after the private key management equipment decrypts a hardware code ciphertext on the basis of a first encryption factor;
binding a randomly generated random encryption factor with the hardware code hash value;
and sending the random encryption factor to the private key management device so that the private key management device generates a pseudo private key packet based on the random encryption factor, the first encryption factor and a hardware code, wherein a corresponding private key for signature can be determined through the pseudo private key packet.
Further, the receiving the hardware code hash value sent by the private key management device includes:
receiving a hardware code hash value and an administrator authorization code sent by private key management equipment;
wherein the method further comprises:
performing verification based on the administrator authorization code, wherein the binding the randomly generated random encryption factor to the hardware code hash value comprises:
and when the verification is passed, binding the randomly generated random encryption factor with the hardware code hash value.
According to another aspect of the present application, there is also provided a private key parsing method for a signature service at a signature service device, where the method includes:
acquiring a pseudo private key packet and an operation and maintenance personnel authorization code for determining a private key, wherein the pseudo private key packet is generated based on a local first encryption factor, a random encryption factor generated by private key authorization equipment and a local hardware code;
when the operation and maintenance personnel authorization code passes verification, acquiring a hardware code hash value corresponding to the hardware code;
acquiring a corresponding random encryption factor from the private key authorization equipment based on the hardware code hash value, wherein the private key authorization equipment stores a corresponding relation between the hardware code hash value and the random encryption factor;
the first encryption factor, the random encryption factor and the hardware code are aggregated to decrypt the pseudo private key packet so as to determine a private key for signing services through the pseudo private key packet.
According to yet another aspect of the present application, there is also provided a computer readable medium having computer readable instructions stored thereon, the computer readable instructions being executable by a processor to implement the operations of the method as described above.
Compared with the prior art, this application is through obtaining the hardware code ciphertext that signature service equipment sent, wherein, the hardware code ciphertext is passed through signature service equipment is based on first encryption factor and confirms after encrypting the hardware code, and is based on first encryption factor is right hardware code ciphertext decryption is confirmed to correspond the hardware code to obtain the hardware code hash value that the hardware code corresponds and will hardware code hash value sends private key authorization equipment, so that private key authorization equipment is based on hardware code hash value generates corresponding random encryption factor, then, receives the random encryption factor that private key authorization equipment sent, and is based on first encryption factor, random encryption factor and the hardware code generates the pseudo private key package, wherein, pass through the pseudo private key package can confirm the corresponding private key that is used for the signature. By the method, the safety risk caused by human intervention can be avoided, and the private key is prevented from being leaked.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 illustrates a flow diagram of a method for private key protection for signature services in accordance with an aspect of the subject application;
FIG. 2 illustrates a flow diagram of a method for private key resolution for signature services provided in accordance with another aspect of the subject application;
fig. 3 shows a flowchart of a private key protection and parsing method for signature service according to a preferred embodiment of the present application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present invention is described in further detail below with reference to the attached drawing figures.
In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include non-transitory computer readable media (transient media), such as modulated data signals and carrier waves.
To further illustrate the technical means and effects adopted by the present application, the following description clearly and completely describes the technical solution of the present application with reference to the accompanying drawings and preferred embodiments.
Fig. 1 shows a flowchart of a private key protection method for a signature service between a private key management device 1, a signature service device 2 and a private key authorization device 3 according to an aspect of the present application. The private key management device 1, the signature service device 2 and the private key authorization device 3 cooperate with each other to realize private key protection for signature service. The method comprises the following steps:
s11, the private key management device 1 acquires a hardware code ciphertext sent by the signature service device 2, wherein the hardware code ciphertext is determined by the signature service device 2 after encrypting a hardware code based on a first encryption factor;
s12, the private key management device 1 decrypts the hardware code ciphertext to determine the corresponding hardware code based on the first encryption factor, and obtains a hardware code hash value corresponding to the hardware code;
s13 the private key management device 1 sends the hardware code hash value to the private key authorization device 3, so that the private key authorization device generates a corresponding random encryption factor based on the hardware code hash value, and accordingly, the private key authorization device 3 receives the hardware code hash value sent by the private key management device 1;
s14, the private key authorization device 3 binds the random encryption factor generated randomly with the hardware code hash value;
s15 the private key authorization apparatus 3 sends the random encryption factor to the private key management apparatus 1, so that the private key management apparatus 1 generates a pseudo private key package based on the random encryption factor, the first encryption factor and the hardware code, wherein the corresponding private key for signature can be determined by the pseudo private key package, and accordingly, the private key management apparatus 1 receives the random encryption factor sent by the private key authorization apparatus;
s16 the private key management device 1 generates a pseudo private key package based on the first encryption factor, the random encryption factor and the hardware code, wherein a corresponding private key for signature can be determined by the pseudo private key package.
In this embodiment, in step S11, the private key management device 1 obtains a hardware code ciphertext sent by the signature service device 2, where the hardware code ciphertext is determined by encrypting a hardware code, where the hardware code represents a unique identifier of a device, for example, the hardadd code is a device identification code of the signature service device 2, and the signature service device 2 encrypts the hardware code based on a first encryption factor to determine the hardware code ciphertext. Here, the first encryption factor includes an encryption factor preset at the signing service device 2 side, and is used for encrypting a hardware code. In this case, the transmission of the hardware code can be secured by encryption.
In this embodiment, in step S12, the private key management apparatus 1 decrypts the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and obtains a hardware code hash value corresponding to the hardware code. Here, the private key management device 1 and the signature service device 2 may have a first encryption factor in synchronization based on a preset encryption rule, and therefore, the private key management device 1 may obtain the first encryption factor from the local to decrypt the hardware code ciphertext, further obtain the hardware code, and further obtain a hardware code hash value corresponding to the hardware code.
In this embodiment, in step S13, the private key management device 1 sends the hardware code hash value to the private key authorization device 3, so that the private key authorization device generates a corresponding random encryption factor based on the hardware code hash value, and accordingly, the private key authorization device 3 receives the hardware code hash value sent by the private key management device 1.
Sending the hardware code hash value to a private key authorization device 3, so that the private key authorization device generates a corresponding random encryption factor based on the hardware code hash value includes:
and sending the hardware code hash value and the administrator authorization code to a private key authorization device 3, so that the private key authorization device 3 performs verification based on the administrator authorization code and generates a corresponding random encryption factor based on the hardware code hash value after the verification is passed. Correspondingly, the private key authorization device 3 receives the hardware code hash value and the administrator authorization code sent by the private key management device, and performs verification based on the administrator authorization code.
In this embodiment, to further ensure security, the administrator authorization code is sent to the private key authorization device 3 for verification, and the private key authorization device 3 randomly generates a random encryption factor after the verification is passed.
Continuing in this embodiment, in said step 14, the private key authorization device 3 binds a randomly generated random encryption factor to said hardware code hash value. Here, the random encryption factor is bound to the hardware code hash value for subsequent decryption.
Continuing in this embodiment, in step S15, the private key authorization apparatus 3 sends the random encryption factor to the private key management apparatus 1, so that the private key management apparatus 1 generates a pseudo private key packet based on the random encryption factor, the first encryption factor and the hardware code, and accordingly, the private key management apparatus 1 receives the random encryption factor sent by the private key authorization apparatus 3.
Continuing in this embodiment, in step S16, the private key management device 1 generates a pseudo private key package based on the first encryption factor, the random encryption factor, and the hardware code, wherein the corresponding private key for signature can be determined by the pseudo private key package.
Preferably, wherein the generating a pseudo private key package based on the first encryption factor, a random encryption factor, and the hardware code:
s161 (not shown) aggregating the first encryption factor, the random encryption factor, and the hardware code to generate an encryption key of a private signature key package;
s162 (not shown) generating a plurality of private keys based on the encryption key using a pseudo random seed based on a preset rule;
s163 (not shown) generates a pseudo private key packet based on the pseudo random seeds corresponding to the plurality of private keys, the public key of the private key, and a preset rule.
By the method, the pseudo private key packet does not directly contain the corresponding private key, so that the security in private key transmission is improved.
Fig. 2 illustrates a private key parsing method for a signature service at a signature service device 2 end according to another aspect of the present application, where the method includes:
s21, acquiring a pseudo private key packet and an operation and maintenance personnel authorization code for determining a private key, wherein the pseudo private key packet is generated based on a local first encryption factor, a random encryption factor generated by private key authorization equipment and a local hardware code;
s22, when the operation and maintenance personnel authorization code passes verification, acquiring a hardware code hash value corresponding to the hardware code;
s23, acquiring a corresponding random encryption factor from the private key authorization equipment based on the hardware code hash value, wherein the private key authorization equipment stores the corresponding relation between the hardware code hash value and the random encryption factor;
s24 aggregates the first encryption factor, the random encryption factor, and the hardware code to decrypt the pseudo private key package to determine a private key for the signing service from the pseudo private key package.
In this embodiment, when the private key for the signature service needs to be obtained, in step S21, the signature service device 2 obtains a pseudo private key package for determining the private key and an operation and maintenance personnel authorization code, where the pseudo private key package is generated based on the method as described in fig. 1, that is, based on the local first encryption factor, the random encryption factor generated by the private key authorization device, and the local hardware code.
After the verification is passed, in the step S22, the signature service device 2 obtains a hardware code hash value corresponding to the hardware code, specifically, first obtains the hardware code corresponding to the signature service device 2 from the local, and further converts the hardware code into the hardware code hash value.
In this embodiment, in step S23, the corresponding random encryption factor is obtained from the private key authorization apparatus 3 based on the hardware code hash value, wherein the private key authorization apparatus stores the corresponding relationship between the hardware code hash value and the random encryption factor, and therefore, the random encryption factor can be determined by the hardware code hash value based on the corresponding relationship.
Continuing in this embodiment, in the step S24, the pseudo private key package is decrypted by aggregating the first encryption factor, the random encryption factor, and the hardware code to determine a private key for signing the service through the pseudo private key package.
Because the pseudo private key package is determined by the first encryption factor, the random encryption factor and the hardware code when being generated, when the pseudo private key package is decrypted, the pseudo private key package can be decrypted by obtaining the first encryption factor, the random encryption factor and the hardware code, so that a corresponding private key for signature service is determined.
Fig. 3 shows a flowchart of a private key protection and parsing method for signature service according to a preferred embodiment of the present application. The signature service component corresponds to the signature service device 2, the private key authorization service component corresponds to the private key authorization device 3, and the private key management tool corresponds to the private key management device 1. The cfs 1 correspond to the first encryption factor, the cfs 2 correspond to the random encryption factor, the machine-code corresponds to the hardware code, and the fkp corresponds to the pseudo private key package. Steps 1 to 16 jointly generate fkp through the signing service component, the private key authorization service component and the private key management tool, and steps 18 to 26 acquire fkp the carried private key at the signing service component.
Compared with the prior art, this application is through obtaining the hardware code ciphertext that signature service equipment sent, wherein, the hardware code ciphertext is passed through signature service equipment confirms after encrypting the hardware code based on first encryption factor, and based on first encryption factor is right hardware code ciphertext deciphering is confirmed to correspond the hardware code to obtain the hardware code hash value that the hardware code corresponds and will hardware code hash value sends private key authorization equipment, so that private key authorization equipment is based on hardware code hash value generates corresponding random encryption factor, then, receives the random encryption factor that private key authorization equipment sent, and based on first encryption factor, random encryption factor and the hardware code generates the pseudo-private key package, wherein, pass through the pseudo-private key package can confirm the corresponding private key that is used for the signature. By the method, the safety risk caused by human intervention can be avoided, and the private key is prevented from being leaked.
Furthermore, the embodiment of the present application also provides a computer readable medium, on which computer readable instructions are stored, and the computer readable instructions can be executed by a processor to implement the foregoing method.
An embodiment of the present application further provides a private key protection management device for signature service, where the device includes:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the foregoing method.
For example, the computer readable instructions, when executed, cause the one or more processors to: acquiring a hardware code ciphertext sent by signature service equipment, wherein the hardware code ciphertext is determined by encrypting a hardware code by the signature service equipment based on a first encryption factor; decrypting the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and acquiring a hardware code hash value corresponding to the hardware code; sending the hardware code hash value to a private key authorization device so that the private key authorization device generates a corresponding random encryption factor based on the hardware code hash value; and receiving a random encryption factor sent by the private key authorization device, and generating a pseudo private key packet based on the first encryption factor, the random encryption factor and the hardware code, wherein a corresponding private key for signature can be determined through the pseudo private key packet.
In addition, an embodiment of the present application further provides a private key protection authorization device for signing services, where the device includes:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the foregoing method.
For example, the computer readable instructions, when executed, cause the one or more processors to: receiving a hardware code hash value sent by private key management equipment, wherein the hardware code hash value is determined after the private key management equipment decrypts a hardware code ciphertext based on a first encryption factor; binding a randomly generated random encryption factor with the hardware code hash value; and sending the random encryption factor to the private key management device so that the private key management device generates a pseudo private key packet based on the random encryption factor, the first encryption factor and a hardware code, wherein a corresponding private key for signature can be determined through the pseudo private key packet.
In addition, an embodiment of the present application further provides a private key parsing device for signature service, where the device includes:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the foregoing method.
For example, the computer readable instructions, when executed, cause the one or more processors to: acquiring a pseudo private key packet and an operation and maintenance personnel authorization code for determining a private key, wherein the pseudo private key packet is generated based on a local first encryption factor, a random encryption factor generated by private key authorization equipment and a local hardware code; when the operation and maintenance personnel authorization code passes verification, acquiring a hardware code hash value corresponding to the hardware code; acquiring a corresponding random encryption factor from the private key authorization equipment based on the hardware code hash value, wherein the private key authorization equipment stores a corresponding relation between the hardware code hash value and the random encryption factor; the first encryption factor, the random encryption factor and the hardware code are aggregated to decrypt the pseudo private key packet so as to determine a private key for signing services through the pseudo private key packet.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Claims (10)
1. A private key protection method for a signature service at a private key management device, wherein the method comprises:
acquiring a hardware code ciphertext sent by signature service equipment, wherein the hardware code ciphertext is determined by encrypting a hardware code by the signature service equipment based on a first encryption factor;
decrypting the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and acquiring a hardware code hash value corresponding to the hardware code;
sending the hardware code hash value to a private key authorization device so that the private key authorization device generates a corresponding random encryption factor based on the hardware code hash value;
and receiving a random encryption factor sent by the private key authorization device, and generating a pseudo private key packet based on the first encryption factor, the random encryption factor and the hardware code, wherein a corresponding private key for signature can be determined through the pseudo private key packet.
2. The method of claim 1, wherein the sending the hardware code hash value to a private key authorization device comprises:
and sending the hardware code hash value and the administrator authorization code to a private key authorization device so that the private key authorization device verifies based on the administrator authorization code and generates a corresponding random encryption factor based on the hardware code hash value after the verification is passed.
3. The method of claim 1 or 2, wherein the generating a pseudo private key package based on the first cryptographic factor, a random cryptographic factor, and the hardware code:
aggregating the first encryption factor, the random encryption factor and the hardware code to generate an encryption key of a signature private key package;
generating a plurality of private keys based on the encryption key using a pseudorandom seed based on a preset rule;
and generating a pseudo private key packet based on the pseudo random seeds corresponding to the plurality of private keys, the public key of the private key and a preset rule.
4. A private key protection method for signature service at a private key authorization device side, wherein the method comprises the following steps:
receiving a hardware code hash value sent by private key management equipment, wherein the hardware code hash value is determined after the private key management equipment decrypts a hardware code ciphertext based on a first encryption factor;
binding a randomly generated random encryption factor with the hardware code hash value;
and sending the random encryption factor to the private key management device so that the private key management device generates a pseudo private key packet based on the random encryption factor, the first encryption factor and a hardware code, wherein a corresponding private key for signature can be determined through the pseudo private key packet.
5. The method of claim 4, wherein the receiving the hardware code hash value sent by the private key management device comprises:
receiving a hardware code hash value and an administrator authorization code sent by private key management equipment;
wherein the method further comprises:
performing verification based on the administrator authorization code, wherein the binding the randomly generated random encryption factor to the hardware code hash value comprises:
and when the verification is passed, binding the randomly generated random encryption factor with the hardware code hash value.
6. A private key analysis method for signature service at a signature service device side is disclosed, wherein the method comprises the following steps:
acquiring a pseudo private key packet and an operation and maintenance personnel authorization code for determining a private key, wherein the pseudo private key packet is generated based on a local first encryption factor, a random encryption factor generated by private key authorization equipment and a local hardware code;
when the operation and maintenance personnel authorization code passes verification, acquiring a hardware code hash value corresponding to the hardware code;
acquiring a corresponding random encryption factor from the private key authorization equipment based on the hardware code hash value, wherein the private key authorization equipment stores a corresponding relation between the hardware code hash value and the random encryption factor;
the first encryption factor, the random encryption factor and the hardware code are aggregated to decrypt the pseudo private key packet so as to determine a private key for signing services through the pseudo private key packet.
7. A computer readable medium having computer readable instructions stored thereon which are executable by a processor to implement the method of any one of claims 1 to 6.
8. A private key protection management apparatus for a signature service, wherein the apparatus comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the method of any of claims 1 to 3.
9. A private key protection authorization device for signing services, wherein the device comprises:
one or more processors; and
memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the method of claim 4 or 5.
10. A private key resolving device for a signature service, wherein the device comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the method of claim 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210146909.2A CN114499888B (en) | 2022-02-17 | 2022-02-17 | Private key protection and analysis method and device for signature service |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210146909.2A CN114499888B (en) | 2022-02-17 | 2022-02-17 | Private key protection and analysis method and device for signature service |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114499888A true CN114499888A (en) | 2022-05-13 |
| CN114499888B CN114499888B (en) | 2024-02-02 |
Family
ID=81483290
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210146909.2A Active CN114499888B (en) | 2022-02-17 | 2022-02-17 | Private key protection and analysis method and device for signature service |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114499888B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20070019790A (en) * | 2004-07-14 | 2007-02-15 | 인텔 코오퍼레이션 | Method of delivering direct proof private keys in signed groups to devices using a distribution cd |
| US20180375655A1 (en) * | 2017-06-21 | 2018-12-27 | Microsoft Technology Licensing, Llc | Authorization key escrow |
| CN109697603A (en) * | 2018-12-27 | 2019-04-30 | ***通信集团江苏有限公司 | Guard method, device, equipment and the medium of E-seal |
| KR20190097998A (en) * | 2018-02-12 | 2019-08-21 | 주식회사 한컴위드 | User authentication apparatus supporting secure storage of private key and operating method thereof |
| CN111611552A (en) * | 2020-05-21 | 2020-09-01 | 浩云科技股份有限公司 | License authorization method and device based on combination of software and hardware |
| CN112765626A (en) * | 2021-01-21 | 2021-05-07 | 北京数字认证股份有限公司 | Authorization signature method, device and system based on escrow key and storage medium |
| WO2021238954A1 (en) * | 2020-05-27 | 2021-12-02 | 支付宝(杭州)信息技术有限公司 | Installation management of applet applications |
| WO2021244447A1 (en) * | 2020-05-30 | 2021-12-09 | 华为技术有限公司 | Information protection method and system, and communication apparatus |
-
2022
- 2022-02-17 CN CN202210146909.2A patent/CN114499888B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20070019790A (en) * | 2004-07-14 | 2007-02-15 | 인텔 코오퍼레이션 | Method of delivering direct proof private keys in signed groups to devices using a distribution cd |
| US20180375655A1 (en) * | 2017-06-21 | 2018-12-27 | Microsoft Technology Licensing, Llc | Authorization key escrow |
| KR20190097998A (en) * | 2018-02-12 | 2019-08-21 | 주식회사 한컴위드 | User authentication apparatus supporting secure storage of private key and operating method thereof |
| CN109697603A (en) * | 2018-12-27 | 2019-04-30 | ***通信集团江苏有限公司 | Guard method, device, equipment and the medium of E-seal |
| CN111611552A (en) * | 2020-05-21 | 2020-09-01 | 浩云科技股份有限公司 | License authorization method and device based on combination of software and hardware |
| WO2021238954A1 (en) * | 2020-05-27 | 2021-12-02 | 支付宝(杭州)信息技术有限公司 | Installation management of applet applications |
| WO2021244447A1 (en) * | 2020-05-30 | 2021-12-09 | 华为技术有限公司 | Information protection method and system, and communication apparatus |
| CN112765626A (en) * | 2021-01-21 | 2021-05-07 | 北京数字认证股份有限公司 | Authorization signature method, device and system based on escrow key and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114499888B (en) | 2024-02-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102077213B (en) | Techniques for ensuring authentication and integrity of communications | |
| CN109067814B (en) | Media data encryption method, system, device and storage medium | |
| CN109728914B (en) | Digital signature verification method, system, device and computer readable storage medium | |
| EP2947812B1 (en) | Segmented secret-key storage system, segment storage apparatus segmented secret-key storage method | |
| CN113497709A (en) | Trusted data source management method based on block chain, signature device and verification device | |
| US11075753B2 (en) | System and method for cryptographic key fragments management | |
| CN111404892B (en) | Data supervision method and device and server | |
| US11128455B2 (en) | Data encryption method and system using device authentication key | |
| US8346742B1 (en) | Remote verification of file protections for cloud data storage | |
| CN111079157A (en) | Secret fragmentation trusteeship platform based on block chain, equipment and medium | |
| Lee et al. | How to securely record logs based on ARM trustzone | |
| CN117061126A (en) | System and method for managing encryption and decryption of cloud disk files | |
| CN112528309A (en) | Data storage encryption and decryption method and device | |
| CN116132041A (en) | Key processing method and device, storage medium and electronic equipment | |
| CN112579112B (en) | Mirror image security processing and deploying method, device and storage medium | |
| CN114499888B (en) | Private key protection and analysis method and device for signature service | |
| JP2020155801A (en) | Information management system and method therefor | |
| CN115292378A (en) | Secret query system based on trusted execution environment and accidental transmission | |
| CN114091072A (en) | Data processing method and device | |
| CN114788221A (en) | Wrapping key with access control predicates | |
| CN112733166A (en) | license authentication and authorization function realization method and system | |
| CN113111360A (en) | File processing method | |
| CN117938546B (en) | Verification and data access method of electronic account | |
| CN116743461B (en) | Commodity data encryption method and device based on time stamp | |
| US11683159B2 (en) | Hybrid content protection architecture |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |