CN116208324A - Cross-platform collaborative key synchronization method and system - Google Patents

Cross-platform collaborative key synchronization method and system Download PDF

Info

Publication number
CN116208324A
CN116208324A CN202310045233.2A CN202310045233A CN116208324A CN 116208324 A CN116208324 A CN 116208324A CN 202310045233 A CN202310045233 A CN 202310045233A CN 116208324 A CN116208324 A CN 116208324A
Authority
CN
China
Prior art keywords
application
key
synchronization
collaborative
mobile
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310045233.2A
Other languages
Chinese (zh)
Inventor
王杰勋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing One Identity Express Information Technology Co ltd
Original Assignee
Nanjing One Identity Express Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing One Identity Express Information Technology Co ltd filed Critical Nanjing One Identity Express Information Technology Co ltd
Priority to CN202310045233.2A priority Critical patent/CN116208324A/en
Publication of CN116208324A publication Critical patent/CN116208324A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a cross-platform collaborative key synchronization method and a system. The cross-platform collaborative key synchronization method comprises the following steps: s1, a PC side applies key synchronization application: after the mobile terminal application generates a sub-private key D1, encrypting by a user PIN password to obtain a ciphertext CD1 of the sub-private key; the PC end application initiates a key synchronization application, and hopes that keys between the PC end application and the mobile end application are kept consistent; s2, the mobile terminal applies the secret key synchronous response: the collaborative server pushes a key synchronization application initiated by the PC application to the mobile application; in the application of the mobile terminal, carrying out operation processing on the key synchronous application, and sending a response result back to the collaborative server; s3, PC end secret key synchronization processing: after the PC side application initiates the key synchronization application, the PC side application starts to wait for the response result of the mobile side application key synchronization, and performs operation processing to complete the key synchronization after obtaining the mobile side application key synchronization response.

Description

Cross-platform collaborative key synchronization method and system
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a cross-platform collaborative key synchronization method and system.
Background
The digital signature technology is an application of asymmetric key encryption technology and digital digest technology, and mainly comprises an information signature of a sender and an information signature authentication of a receiver.
Digital signature is an important technology for realizing signature authentication, and can provide security services such as identity verification, data integrity, non-repudiation and the like. Meanwhile, the security of the transmission of the information is ensured, the digital signature is encrypted, and an attacker is prevented from masquerading the signature.
Modern cryptosystem is asymmetric cryptosystem, each communication party needs two keys, namely public key and private key, which can be mutually encrypted and decrypted. The public key is public and does not require privacy, while the private key is self-contained by an individual and must be kept and kept in mind. The security of the private key is the basis for the security and reliability of the digital signature.
At present, a common method for protecting the security of a private key is to use a password module meeting the security secondary requirement of the security technical requirement of a GM/T0028-2014 password module as a security storage medium of the private key, wherein the password module meeting the security secondary and above requirements mainly comprises hardware password devices such as a password card, a password machine, an intelligent password key and the like, and also comprises a software password security module based on a collaborative signature technology.
At present, a password card and a password machine are commonly used in a B-end application, and different solutions are often adopted at a PC end and a mobile end for a C-end user.
Patent "signature and decryption method and system based on SM2 algorithm suitable for cloud computing" (patent number CN 104243456B) proposes: the cooperative operation technology is that the communication parties respectively store partial private keys, the two parties can jointly carry out signing or decryption and other operations on the information, the communication parties can not acquire any information of the other party private keys, so that an attacker can not forge the signature or decrypt the ciphertext under the condition of invading any one party, and the security of the private keys in the cloud computing environment is improved.
A digital certificate using an intelligent password key (also called UKey) as a storage medium is usually used at a PC end and is commonly used in some application fields requiring strong authentication, such as online banking, online tax return, public accumulation payment service, public resource bidding and the like; the mobile certificate which uses the software password security module based on the collaborative signature technology as a storage medium is started to be more used at the mobile terminal, and is commonly used in the fields of mobile terminal identity authentication, OA office approval, online transaction and the like.
The UKey certificate uses the UKey as a storage medium, and although the security of a private key is ensured, the UKey certificate has some defects in actual use:
(1) High use cost and inconvenient use. The UKey is a physical hardware product, requires the cost of tens to hundreds of yuan, is inconvenient to carry and store, is easy to lose, and is easy to damage when being frequently plugged into and pulled out of a PC;
(2) The UKey drive is complex in maintenance and easy to fail. The use of UKey of different brands requires that corresponding driving software is installed at the PC end, and when a plurality of different UKey driving software are installed at one PC, the situation that the UKey cannot be used due to driving conflict can be brought;
compared with the UKey certificate, the mobile certificate based on the collaborative signature technology software password security module has low use cost, does not need maintenance drive, and has good user experience, but the requirement of the prior art for signing or decrypting by using the same private key at the mobile terminal and the PC terminal is difficult to support or meet, and a solution of combining the UKey certificate at the PC terminal and the mobile certificate at the mobile terminal is often adopted.
Disclosure of Invention
Aiming at the technical problems, the invention provides a cross-platform collaborative key synchronization method and a system, which can realize the user private key synchronization safely between the cross-PC end application and the mobile end application, and meet the requirements of low use cost, convenient user experience and the use of the same private key at both ends of a user.
In order to achieve the above purpose, the invention adopts the following technical scheme: a cross-platform collaborative key synchronization method comprises the following specific steps:
the method comprises the steps that a cooperative client side and a cooperative server side are included, a self sub-private key D1 is generated at the cooperative client side, and a self sub-private key D2 is generated at the cooperative server side; after the generation of the D1, encrypting and protecting the integrity of the user PIN password to obtain a ciphertext CD1 of the sub-private key, and storing the CD1 in a cooperative client password module; and decrypting the CD1 into D1 through the PIN password, and signing and decrypting the D2 interaction operation of the cooperative server.
The main flow is as follows:
s1, a PC side applies key synchronization application: the PC side application initiates a key synchronization application, and hopes that keys between the PC side application and the mobile side application are consistent. Key synchronization refers to the user's own synchronization of the sub-private key D1 between the mobile-side application and the PC-side application.
S2, the mobile terminal applies the secret key synchronous response: and the collaborative server pushes the key synchronization application initiated by the PC application to the mobile application. Performing operation processing on the key synchronous application in a key security module applied by the mobile terminal, and finally sending a response result back to the collaborative server;
s3, PC end secret key synchronization processing: after the PC side application initiates the key synchronization application, the PC side application starts to wait for the response result of the mobile side application key synchronization, obtains the mobile side application key synchronization response, and carries out operation processing in the key security module to complete the key synchronization.
Further, S1 specifically includes the following steps:
s1.1, a user logs in a PC end application, the identity of the user needs to be verified in login, verification means comprise but are not limited to biological identification authentication, account password verification, short message verification code verification and the like, if the verification is passed, the operation is continued, otherwise, the operation is terminated;
s1.2, a user initiates a synchronous key, a self-defined key synchronous encryption password sec is input, a PC end application encrypts sec by using a user public key certificate to obtain a ciphertext Csec, and then the Csec is sent to a collaborative server end to request for key synchronization with a mobile end application;
s1.3, pushing the synchronous key synchronous request of the PC side application to the mobile side application by the cooperative service side. Push means include, but are not limited to, short message push, APP message push, etc.
Further, S2 specifically includes the following steps:
s2.1, the mobile terminal application receives push information of the collaborative server;
s2.2, the user logs in the mobile terminal application, the identity of the user needs to be verified in login, verification means comprise but are not limited to biological identification authentication, account password verification and the like, if the verification is passed, the operation is continued, otherwise, the operation is terminated;
s2.3, the mobile terminal application displays key synchronization request details, if the user agrees to key synchronization, the mobile terminal application enters key synchronization processing logic, namely, S2.4-S2.6 is continued, otherwise, the mobile terminal application is terminated;
s2.4, the mobile terminal application receives the private key protection PIN password, calls the private key of the user to decrypt Csec, obtains the secret key synchronous encryption password sec set by the user at the PC terminal application, and derives the symmetric secret key SKsec by using the sec;
s2.5, the mobile terminal encrypts the CD1 by using SKsec to obtain CCD1, and then hashes the CD1 to obtain a hash value H1;
and S2.6, the mobile terminal application sends the CCD1 and the H1 to the collaborative service terminal.
Further, the key synchronization request details include, but are not limited to, service type, service identification, timestamp, mobile end identification, etc.
Further, S3 specifically includes the following steps:
s3.1, after the PC side application initiates a key synchronization application, requesting to a collaborative server side to acquire a mobile side key synchronization response;
s3.2, the cooperative server side inquires the key synchronous service according to the request, and returns a service processing result to the PC side application;
s3.3, the PC end uses the same key derivation algorithm as the collaborative mobile end, and derives a symmetric key SKsec from the key synchronous encryption password sec;
s3.4, the PC end uses SKsec to decrypt the CCD1 to obtain CD1, then calculates the hash value of the CD1 to obtain H1', and compares the H1 and the H1', if the H1 and the H1' are the same, the synchronization is successful.
The user completes key synchronization at the mobile terminal and the PC terminal, namely the user simultaneously has the ciphertext CD1 of the same sub private key D1 at the mobile terminal and the PC terminal, and D1 can be decrypted in the cryptographic module only by inputting a correct PIN when the private key is called for signature, so that the digital signature is interacted with the collaborative server terminal to complete the digital signature in a collaborative mode.
Further, the request mode for requesting to obtain the mobile terminal key synchronous response from the cooperative service terminal is as follows: the PC side application polls the cooperative service side request at certain time intervals to obtain the key synchronous response.
Further, the request mode for requesting to obtain the mobile terminal key synchronous response from the cooperative service terminal is as follows: and the PC end application establishes a long link with the cooperative server end, and the cooperative server end pushes a secret key synchronous response.
The invention also discloses a cross-platform collaborative key synchronization system, which comprises a mobile terminal application, a PC terminal application and a collaborative server terminal, and realizes a cross-platform collaborative key synchronization method;
the mobile terminal application and the PC terminal application are respectively integrated with a cooperative client terminal password security module; the cooperative client password security module comprises a cooperative operation function: the method is used for realizing the functions of collaborative key generation, random number generation, collaborative signature, public key encryption, symmetric encryption, private key decryption and key import through interaction with a collaborative server;
the PC side applies key synchronization application: after the mobile terminal application generates a sub-private key D1, encrypting and protecting the integrity by a user PIN password to obtain a ciphertext CD1 of the sub-private key; the PC end application initiates a key synchronization application, and hopes that keys between the PC end application and the mobile end application are kept consistent;
the mobile terminal applies a key synchronization response: the collaborative server pushes a key synchronization application initiated by the PC application to the mobile application; performing operation processing on the key synchronous application in the mobile terminal application, and finally sending a response result back to the collaborative server;
and (3) carrying out key synchronization processing on the PC side: after the PC side application initiates the key synchronization application, the PC side application starts to wait for the response result of the mobile side application key synchronization, and performs operation processing to complete the key synchronization after obtaining the mobile side application key synchronization response.
The invention provides a method, under the premise of ensuring the safety of the private key of the user, by means of the key synchronization of the PC end application and the mobile end application, the user can use the digital certificate on the PC end application as conveniently as the mobile end application, and the scheme also has the following advantages:
(1) The initiation and the processing of the key synchronization request are completed by the same user, so that malicious attack can be effectively avoided.
(2) In the key synchronization process, the key synchronization encryption password sec is only known by the user and is encrypted by the public key of the user and transmitted, so that the key synchronization encryption password sec cannot be cracked or stolen.
(3) The secret key synchronous encryption password sec encrypted by the public key can only be decrypted by the corresponding private key, and only the user knows that the private key protects the PIN password, so that malicious attacks can be effectively avoided.
(4) The cipher text sub private key CD1 of the user is encrypted by adopting a symmetric key SKsec derived based on a key synchronous encryption password sec, and cannot be cracked in the transmission process and the storage at the cooperative server.
(5) The use cost of the UKey is greatly saved. Based on 8373 ten thousand UKey sales in 2011, if 25% of the proposal of the invention is adopted, hundreds of millions of yuan can be saved as a whole, and the economic value is huge.
(6) The PC end does not need to install and maintain the driving software of the UKey, but can use the same private key as the application of the mobile end to sign and decrypt, so that the user experience is more convenient.
Drawings
Fig. 1 is a flowchart of a PC-side application key synchronization application of a cross-platform collaborative key synchronization method according to an embodiment of the present invention.
Fig. 2 is a flowchart of a mobile terminal application key synchronization response of a cross-platform collaborative key synchronization method according to an embodiment of the present invention.
Fig. 3 is a flowchart of a process for synchronizing a PC-side key in a cross-platform collaborative key synchronization method according to an embodiment of the present invention.
Detailed Description
The present invention will be further described with reference to examples and drawings for the purpose of facilitating understanding to those skilled in the art.
After the mobile terminal application generates the sub private key D1, the ciphertext CD1 of the sub private key is stored, so that a user can use the same secret key to perform signing and decryption operations on the PC terminal and the mobile terminal as long as the CD1 can be synchronized to the PC terminal application through a safe technical means.
The main flow is as follows:
s1, PC end application key synchronous application
As shown in fig. 1, a PC-side application initiates a key synchronization application, and hopes that keys between the PC-side application and a mobile-side application are consistent, and the operations related to signature and encryption during the period are completed in a cooperative client-side password security module, which mainly comprises the following steps:
s1.1, a user logs in a PC end application, the identity of the user needs to be verified in login, verification means comprise but are not limited to biological identification authentication, account password verification, short message verification code verification and the like, if the verification is passed, the operation is continued, otherwise, the operation is terminated;
s1.2, a user clicks a synchronous key, a self-defined key synchronous encryption password sec is input, a PC end application encrypts sec by using a user public key certificate to obtain a ciphertext Csec, and then the Csec is sent to a collaborative server end to request for key synchronization with a mobile end application;
s1.3, pushing synchronous key synchronous requests of the PC side application to the mobile side application by the cooperative service side, wherein pushing means comprise but are not limited to short message pushing, APP message pushing and the like.
3.2 Mobile side application Key synchronization response
As shown in fig. 2, the collaboration server pushes a key synchronization application initiated by the user at the PC application to the mobile application. The user carries out operation processing on the key synchronous application in a key safety module applied by the mobile terminal, and finally sends a response result back to the cooperative server, and the main steps are as follows:
1. the mobile terminal application receives push information of the collaborative server and prompts a user to respond;
2. the user logs in the mobile terminal application, the identity of the user needs to be verified in login, the verification means comprise but are not limited to biological identification authentication, account number password verification and the like, if the verification is passed, the operation is continued, otherwise, the operation is terminated;
3. the mobile terminal application displays key synchronization request details (including but not limited to service types, service identifiers, time stamps, mobile terminal identifiers and the like), if the user agrees to key synchronization, clicks to confirm, enters key synchronization processing logic, and otherwise, terminates;
4. the mobile terminal application guides the user to input a private key protection PIN password, calls the private key of the user to decrypt Csec, obtains a secret key synchronous encryption password sec set by the user at the PC terminal application, and derives a symmetric secret key SKsec by using the sec;
5. the mobile terminal encrypts the CD1 by using SKec to obtain CCD1, and then hashes the CD1 to obtain a hash value H1;
the mobile terminal application sends the CCD1 and the H1 to the collaborative server.
3.3 synchronization of PC-side Key
As shown in fig. 3, after a user initiates a key synchronization application at a PC side, the PC side application starts to wait for a response result of the key synchronization of the mobile side application, obtains a key synchronization response of the mobile side application, and performs an operation process in a key security module to complete the key synchronization, which mainly includes the following steps:
after the PC side application initiates the key synchronization application, the PC side application requests the collaborative server side to acquire the mobile side key synchronization response. The request may be a polling at a certain time interval (in this embodiment, the time interval is 5 seconds, and may be set to an arbitrary time interval according to practical situations) in cooperation with the request of the server to obtain the key synchronization response, or may establish a long link with the server, and the server pushes the key synchronization response. The specific connection modes are various and are not in the scope of the present discussion.
2. And the collaborative server inquires the key synchronous service according to the request and returns a service processing result to the PC end application.
The PC end uses the same key derivation algorithm as the mobile end to derive a symmetric key SKsec from the key synchronous encryption password sec;
and 4, the PC end uses SKsec to decrypt the CCD1 to obtain CD1, calculates a hash value of the CD1 to obtain H1', and compares the H1 and the H1', if the H1 and the H1' are the same, the synchronization is successful.
The user completes key synchronization at the mobile terminal and the PC terminal, namely the user simultaneously has the ciphertext CD1 of the same sub private key D1 at the mobile terminal and the PC terminal, and D1 can be decrypted in the cryptographic module only by inputting a correct PIN when the private key is called for signature, so that the digital signature is interacted with the collaborative server terminal to complete the digital signature in a collaborative mode.
The user can sign or decrypt by using the private key after inputting the correct PIN password in the PC terminal application. In the above flow, the following key points are:
(1) Key synchronization refers to the user's own synchronization of the sub-private key D1 between the mobile-side application and the PC-side application.
(2) The initiation and the processing of the key synchronization request are completed by the same user, so that malicious attack can be effectively avoided.
(3) In the key synchronization process, the key synchronization encryption password sec is only known by the user and is encrypted by the public key of the user and transmitted, so that the key synchronization encryption password sec cannot be cracked or stolen.
(4) The secret key synchronous encryption password sec encrypted by the public key can only be decrypted by the corresponding private key, and only the user knows that the private key protects the PIN password, so that malicious attacks can be effectively avoided.
(5) The cipher text sub private key CD1 of the user is encrypted by adopting a symmetric key SKsec derived based on a key synchronous encryption password sec, and cannot be cracked in the transmission process and the storage at the cooperative server.
The cross-platform collaborative key synchronization system of the embodiment comprises:
1. collaborative server
The core functions of the system are as follows:
(1) User management: the user registers in the system in a manner including, but not limited to, an account number (phone number, email, user name, etc.) password, biometric features, etc. After the user is successfully registered, the user can log in by using the same account number in the mobile terminal application, the PC terminal application and the Web browser respectively.
(2) Application management: the system supports creation of applications, the application types can be mobile terminal applications and PC terminal applications, and each application is distributed with different AppKey and AppSecret.
(3) Collaborative services API: the cooperative service end provides cooperative service APIs (application program interfaces) for cooperative key (asymmetric public key cryptographic algorithm) generation, random number generation, cooperative signature, key synchronization and the like, and the cooperative service APIs perform authentication control based on the AppKey and the AppSecret of the application.
2 developing mobile terminal application and PC terminal application
The mobile terminal application and the PC terminal application are respectively integrated with a cooperative client terminal password security module;
the core functions of the mobile terminal application and the PC terminal application are as follows:
(1) User login: the user uses the account registered in the collaborative server to authenticate and log in the mobile terminal application and the PC terminal application, and the authentication mode includes but is not limited to account (mobile phone number, email, user name, etc.) password, biological identification feature, etc.
(2) Digital certificate full lifecycle management: including initiating digital certificate applications, updates, freezes, thaws, deregisters, etc. to the CA authorities.
(3) Cryptographic operation function: the integrated cooperative client password security module provides functions of digital certificate encryption, random number generation, cooperative signature, symmetric encryption, private key decryption, key import and the like.
The cooperative client password security module has the following core functions:
(1) And the cooperative operation function: the module supports the interaction with the cooperative service end to realize the functions of cooperative key (asymmetric public key cryptographic algorithm) generation, random number generation, cooperative signature, public key encryption, symmetric encryption, private key decryption, key import and the like.
(2) Certificate and client terminal key security keeping function: the full life cycle management of the digital certificate is supported, and the subkey D1 of the user at the client is protected through a safety technical means.
The invention has the following beneficial effects: the invention provides a method, under the premise of ensuring the safety of the private key of the user, by means of the key synchronization of the PC end application and the mobile end application, the user can use the digital certificate on the PC end application as conveniently as the mobile end application, and the scheme also has the following advantages:
(1) The use cost of the UKey is greatly saved. Based on 8373 ten thousand UKey sales in 2011, if 25% of the proposal of the invention is adopted, hundreds of millions of yuan can be saved as a whole, and the economic value is huge.
(2) The PC end does not need to install and maintain the driving software of the UKey, but can use the same private key as the application of the mobile end to sign and decrypt, so that the user experience is more convenient.
The above embodiments are only for illustrating the technical idea of the present invention, and the protection scope of the present invention is not limited thereto, and any modification made on the basis of the technical scheme according to the technical idea of the present invention falls within the protection scope of the present invention.

Claims (8)

1. The cross-platform collaborative key synchronization method is characterized by comprising the following steps:
s1, a PC side applies key synchronization application: after the mobile terminal application generates a sub-private key D1, encrypting and protecting the integrity by a user PIN password to obtain a ciphertext CD1 of the sub-private key; the PC end application initiates a key synchronization application, and hopes that keys between the PC end application and the mobile end application are kept consistent;
s2, the mobile terminal applies the secret key synchronous response: the collaborative server pushes a key synchronization application initiated by the PC application to the mobile application; performing operation processing on the key synchronous application in the mobile terminal application, and finally sending a response result back to the collaborative server;
s3, PC end secret key synchronization processing: after the PC side application initiates the key synchronization application, the PC side application starts to wait for the response result of the mobile side application key synchronization, and performs operation processing to complete the key synchronization after obtaining the mobile side application key synchronization response.
2. The method for synchronizing the collaborative key across platforms according to claim 1, wherein S1 comprises the steps of:
s1.1, a user logs in a PC end application, the login needs to verify the identity of the user, if the user passes the verification, the operation is continued, and if not, the operation is terminated;
s1.2, a user initiates a synchronous key, a self-defined key synchronous encryption password sec is input, a PC end application encrypts sec by using a user public key certificate to obtain a ciphertext Csec, and then the Csec is sent to a collaborative server end to request for key synchronization with a mobile end application;
s1.3, pushing the synchronous key synchronous request of the PC side application to the mobile side application by the cooperative service side.
3. The cross-platform collaborative key synchronization method according to claim 1 or 2, wherein S2 specifically comprises the steps of:
s2.1, the mobile terminal application receives push information of the collaborative server;
s2.2, the user logs in the mobile terminal application, the identity of the user needs to be verified in the login, if the user passes the verification, the operation is continued, and if not, the operation is terminated;
s2.3, the mobile terminal application displays key synchronization request details, if the user agrees to key synchronization, S2.4 is entered, otherwise, the mobile terminal application is terminated;
s2.4, the mobile terminal application receives the private key protection PIN password, calls the private key of the user to decrypt Csec, obtains the secret key synchronous encryption password sec set by the user at the PC terminal application, and derives the symmetric secret key SKsec by using the sec;
s2.5, the mobile terminal encrypts the CD1 by using SKsec to obtain CCD1, and then hashes the CD1 to obtain a hash value H1;
and S2.6, the mobile terminal application sends the CCD1 and the H1 to the collaborative service terminal.
4. A cross-platform collaborative key synchronization method according to claim 3, wherein:
the key synchronization request details comprise a service type, a service identifier, a time stamp and a mobile terminal identifier.
5. The method for synchronizing the cross-platform collaborative key according to claim 3, wherein S3 specifically comprises the steps of:
s3.1, after the PC side application initiates a key synchronization application, requesting to a collaborative server side to acquire a mobile side key synchronization response;
s3.2, the cooperative server side inquires the key synchronous service according to the request, and returns a service processing result to the PC side application;
s3.3, the PC end uses the same key derivation algorithm as the collaborative mobile end, and derives a symmetric key SKsec from the key synchronous encryption password sec;
s3.4, the PC end uses SKsec to decrypt the CCD1 to obtain CD1, then calculates the hash value of the CD1 to obtain H1', and compares the H1 and the H1', if the H1 and the H1' are the same, the synchronization is successful.
6. The cross-platform collaborative key synchronization method according to claim 5, wherein:
the request mode for requesting to obtain the mobile terminal key synchronous response from the cooperative service terminal is as follows: the PC side application polls the cooperative service side request at certain time intervals to obtain the key synchronous response.
7. The cross-platform collaborative key synchronization method according to claim 5, wherein:
the request mode for requesting to obtain the mobile terminal key synchronous response from the cooperative service terminal is as follows: and the PC end application establishes a long link with the cooperative server end, and the cooperative server end pushes a secret key synchronous response.
8. A cross-platform collaborative key synchronization system is characterized in that:
the method comprises a mobile terminal application, a PC terminal application and a cooperative service terminal, and realizes the cross-platform cooperative key synchronization method according to any one of claims 1 to 7;
the mobile terminal application and the PC terminal application are respectively integrated with a cooperative client terminal password security module; the cooperative client password security module comprises a cooperative operation function: the method is used for realizing the functions of collaborative key generation, random number generation, collaborative signature, public key encryption, symmetric encryption, private key decryption and key import through interaction with a collaborative server;
the PC side applies key synchronization application: after the mobile terminal application generates a sub-private key D1, encrypting and protecting the integrity by a user PIN password to obtain a ciphertext CD1 of the sub-private key; the PC end application initiates a key synchronization application, and hopes that keys between the PC end application and the mobile end application are kept consistent;
the mobile terminal applies a key synchronization response: the collaborative server pushes a key synchronization application initiated by the PC application to the mobile application; performing operation processing on the key synchronous application in the mobile terminal application, and finally sending a response result back to the collaborative server;
and (3) carrying out key synchronization processing on the PC side: after the PC side application initiates the key synchronization application, the PC side application starts to wait for the response result of the mobile side application key synchronization, and performs operation processing to complete the key synchronization after obtaining the mobile side application key synchronization response.
CN202310045233.2A 2023-01-30 2023-01-30 Cross-platform collaborative key synchronization method and system Pending CN116208324A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310045233.2A CN116208324A (en) 2023-01-30 2023-01-30 Cross-platform collaborative key synchronization method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310045233.2A CN116208324A (en) 2023-01-30 2023-01-30 Cross-platform collaborative key synchronization method and system

Publications (1)

Publication Number Publication Date
CN116208324A true CN116208324A (en) 2023-06-02

Family

ID=86516517

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310045233.2A Pending CN116208324A (en) 2023-01-30 2023-01-30 Cross-platform collaborative key synchronization method and system

Country Status (1)

Country Link
CN (1) CN116208324A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117852004A (en) * 2024-03-07 2024-04-09 中建三局集团华南有限公司 Modeling method, device and equipment for building curtain wall and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117852004A (en) * 2024-03-07 2024-04-09 中建三局集团华南有限公司 Modeling method, device and equipment for building curtain wall and storage medium
CN117852004B (en) * 2024-03-07 2024-05-28 中建三局集团华南有限公司 Modeling method, device and equipment for building curtain wall and storage medium

Similar Documents

Publication Publication Date Title
US11799656B2 (en) Security authentication method and device
CN108810029B (en) Authentication system and optimization method between micro-service architecture services
CN109728909B (en) Identity authentication method and system based on USBKey
US5737419A (en) Computer system for securing communications using split private key asymmetric cryptography
US20080034216A1 (en) Mutual authentication and secure channel establishment between two parties using consecutive one-time passwords
CN113472793B (en) Personal data protection system based on hardware password equipment
US20100017604A1 (en) Method, system and device for synchronizing between server and mobile device
EP1277299A1 (en) Method for securing communications between a terminal and an additional user equipment
CN110225050B (en) JWT token management method
CN102984127A (en) User-centered mobile internet identity managing and identifying method
WO2022022009A1 (en) Message processing method and apparatus, device, and storage medium
CN111884811B (en) Block chain-based data evidence storing method and data evidence storing platform
CN108809936B (en) Intelligent mobile terminal identity verification method based on hybrid encryption algorithm and implementation system thereof
CN111080299B (en) Anti-repudiation method for transaction information, client and server
CN103906052A (en) Mobile terminal authentication method, service access method and equipment
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN112437044B (en) Instant messaging method and device
CN112765626A (en) Authorization signature method, device and system based on escrow key and storage medium
US20020018570A1 (en) System and method for secure comparison of a common secret of communicating devices
CN114362946B (en) Key agreement method and system
CN111698264A (en) Method and apparatus for maintaining user authentication sessions
CN116208324A (en) Cross-platform collaborative key synchronization method and system
Chen et al. An efficient nonce-based authentication scheme with key agreement
CN111901335B (en) Block chain data transmission management method and system based on middle station
WO2023174350A1 (en) Identity authentication method, apparatus and device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination