WO2007073623A1 - A method of downloading digital certification and key - Google Patents


Publication number
WO2007073623A1
Authority
WO
WIPO (PCT)
Prior art keywords
download
key
message
feature information
information
Prior art date
Application number
PCT/CN2005/002359
Other languages
French (fr)
Chinese (zh)
Inventor
Guodong Hua
Junning Xu
Ji Lu
Guangde Liang
Original Assignee
Zte Corporation
Priority date
Filing date
Publication date
Application filed by Zte Corporation
Priority to PCT/CN2005/002359 (WO2007073623A1)
Priority to CN200580052026.XA (CN101305542B)
Publication of WO2007073623A1


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the present invention relates to the field of network communication security technologies, and in particular, to encrypted download.
  • PKI public key infrastructure
  • the public-private key pair and the asymmetric encryption and decryption method are one of the most core foundations.
  • the security level of the private key actually determines the security of the entire PKI architecture, and because of this, how the private key is securely passed from the generator to the end user has always been one of the focus issues in security.
  • the transmission of the private key is mainly performed offline.
  • the typical method is to preset the key when the system is shipped or sold, and the private key is stored in the USB key and moved accordingly.
  • This type of method is highly secure because the storage medium and delivery environment of the key are always under control.
  • problems such as cumbersome procedures, high cost, and poor flexibility.
  • it is not suitable.
  • US Patent No. US2003105965 "System and method for installing a remote credit card authorization on a system with a TCPA compliant chipset" proposes a method of transmitting a certificate and a key by using an email.
  • the efficiency has been improved, but there are still some shortcomings: first, transmission by mail does not deliver directly to the device that finally needs the material, so manual intervention is still required; second, email transmission cannot substantially improve the security of the transmission.
  • any network encryption transmission method can be used for digital certificate and key download, but in order to improve the pertinence of content processing, enhance the cohesiveness of processing methods and improve transmission security, it is also necessary to embed feature information related to certificate and key download in the transmission mechanism.
  • the technical problem to be solved by the present invention is to provide a digital certificate and key downloading method, which improves the flexibility of encrypting and downloading a digital certificate and a key under the premise of meeting a moderate security level requirement.
  • the present invention provides a digital certificate and key downloading method, including the following steps:
  • (a) the download requester digests first integrated information, which includes at least its own feature information, with the first digest algorithm to produce a feature information digest value; generates a request message encryption key from the digest value with the first key generation algorithm and encrypts the feature information with that key; then constructs a digital certificate and key download request message from the encrypted content and the digest value and sends it to the download service provider;
  • (b) the download service provider decomposes the download request message and generates the encryption key from the digest value with the first key generation algorithm; uses that key and the corresponding decryption algorithm to decrypt the encrypted content in the message and obtain the feature information of the download requester; verifies the legality of the feature information against the records in the system, and then performs step (c);
  • (c) the download service provider queries the system for the corresponding digital certificate and terminal private key according to the feature information, generates a response message encryption key from second integrated information, which includes the feature information, with the second key generation algorithm, encrypts the queried digital certificate and terminal private key with that key, constructs a download response message from the encrypted content, and sends it to the download requester;
  • (d) after receiving the response message, the download requester generates the encryption key from the second integrated information with the second key generation algorithm and uses it to decrypt the encrypted content in the response message, obtaining the requested digital certificate and key.
  • the feature information includes at least hardware feature information that characterizes the download requestor device and/or user feature information that can characterize the user of the download requestor.
  • the feature information further includes vendor information and/or software feature information.
  • the foregoing method may further have the following feature: the first integrated information and/or the second integrated information further includes additional information that is agreed in advance by the download requester and the download service provider and that does not appear, in plain text or in encrypted form, in the body of the digital certificate and key download request message.
  • the foregoing method may further have the following features:
  • when the download service provider performs legality verification on the feature information according to the record in the system, it extracts the additional information corresponding to the feature information from the system and digests the extracted additional information together with the feature information using the first digest algorithm. If the resulting digest value is the same as the digest value decomposed from the download request message, verification passes; if the feature information is not found in the system or the two digest values are not the same, the download request message is discarded.
  • the foregoing method may further have the following features:
  • the download service provider performs pre-processing, which includes at least replay attack protection or address restriction protection. After the pre-processing passes, subsequent processing is performed; otherwise the download request is discarded.
  • the above method may further have the following features:
  • a field is further added to save the X.509 format digital certificate of the download service provider.
  • the message is digitally signed by using a signature algorithm.
  • the X.509 format digital certificate of the download service provider is parsed from the message, and the validity of that certificate is verified with the server; if it is valid, the public key of the download service provider is extracted from the certificate and used, with the signature verification algorithm corresponding to the digital signature, to verify the signature; if verification passes, subsequent processing is performed.
  • the above method may further have the following feature: in step (b) or step (c), if the download service provider accepts the request but processing fails for reasons of its own, the download service provider replies to the download requester with a download-failure response.
  • the foregoing method may further have the following features: the first key generation algorithm, the second key generation algorithm, and the first digest algorithm adopt a general algorithm or a private algorithm.
  • the invention provides a method for conveniently and flexibly encrypting, downloading and transmitting digital certificates and keys over the network, and is best suited to transmitting medium and low value information where speed and flexibility are required.
  • the entire procedure can be completed in one request-response exchange; security is strengthened by using feature information, data digests, additional information and the like, so that application flexibility is increased while an appropriate security level is still met.
  • the present invention adopts a scalable design for the additional information, the digest unit and the key generation unit: additional information may be provided or left empty, and the digest algorithm and the key generation algorithm may be public algorithms or proprietary ones. This design allows flexible trade-offs based on application needs.
  • FIG. 1 is a schematic diagram of message interaction according to an embodiment of the present invention
  • FIG. 2 is a flowchart of generating a download requester request message in an embodiment of the present invention
  • FIG. 3 is a flowchart of a download service provider requesting a verification judgment and a response message in the embodiment of the present invention
  • FIG. 5 is a schematic diagram of message interaction of an example of the present invention in the field of Internet Television (IPTV) employing digital rights management (DRM) technology.
  • IPTV Internet Television
  • DRM digital rights management
  • the digital certificate described herein refers to a digital certificate conforming to the X.509 specification; the key described herein refers to the key related to the digital certificate, including the private key.
  • the digital certificate and key downloading method of the embodiment of the present invention involves two logical entities: a download requester 101 and a download service provider 102.
  • according to specific application requirements, the download requester 101 sends a digital certificate and key download request to the download service provider 102, receives the response, and parses out the digital certificate and the key.
  • the download requester 101 must be a logical entity previously registered with the download service provider 102, i.e., its feature information must have been registered or equivalent to being registered with the download service provider 102.
  • the download service provider 102 sends the encrypted digital certificate and key to the legitimate download requester 101 upon request by the download requester 101.
  • the download service provider 102 only sends digital certificates and keys to logical entities that have been previously registered.
  • the download requester collects information and constructs the download request 111; sends the download request to the download service provider 112; the download service provider accepts the request and verifies the identity of the download requester and the legitimacy of the message 113; for a legitimate request, it constructs a response 114 containing the digital certificate and key and sends it to the download requester 115.
  • the download requester collects information and constructs the download request 121; sends the download request to the download service provider 122; the download service provider accepts the request and verifies the identity of the download requester and the legitimacy of the message 123; for an illegal message, a download-failure response may be returned, but for security reasons the request message can be discarded directly without any response 124.
  • the download requester collects information and constructs the download request 131; sends the download request to the download service provider 132; the download service provider accepts the request, but an error occurs for reasons of its own 133; the download service provider replies with a download-failure response 134.
  • the process by which the download requester generates the request message in this embodiment is as follows:
  • the feature information of the download requester includes hardware feature information 201 and user feature information 202.
  • the download requester sends the hardware feature information 201, the user feature information 202, and the additional information 203 to the digest unit 210.
  • the hardware feature information refers to inherent information related to the hardware of the download requester, such as a hardware serial number.
  • User feature information refers to information that is closely related to the user, such as a user name, a user feature code, and the like.
  • the additional information is mainly used to improve the security of the system and depends on prior agreement between the download requester and the download service provider; for example, the download service provider informs the download requester in advance of a feature string that can be used once within a limited time; or it may be agreed that the first download does not use additional information, i.e. the additional information is empty.
  • the digest unit 210 performs digest processing on the received information according to a preset digest algorithm to obtain a feature information digest value 211; the specific digest algorithm can be either a public general algorithm or a private one.
  • the digest unit sequentially concatenates the received information, and hashes the concatenated information string by using the SHA-1 digest algorithm to obtain a feature information digest value.
  • the feature information digest value 211 is sent to the key generation unit A 220 as a material for constructing the request message encryption key, and the request message encryption key 221 is obtained.
  • the specific key generation algorithm of the unit can also adopt the public general algorithm or its own private mode.
  • the key is generated using the KDF2 algorithm in the X9.44 standard.
  • the hardware feature information 201 and the user feature information 202 are encrypted in the encryption unit A 230 by using the request message encryption key 221; in application scenarios with other requirements, other content that needs to be encrypted, such as vendor information and software feature information, may also be encrypted as additional data.
  • the specific encryption algorithm can also be selected according to actual needs, for example, AES, 3DES, etc. can be used.
  • the encrypted output includes encrypted hardware feature information 231, encrypted user feature information 232, and other encrypted results of the content to be encrypted.
  • the output result of the encryption unit A 230 is sent to the request message generation unit 240 together with the feature information digest 211, and a digital certificate and key download request message 241 is constructed.
  • the download service provider's request verification and response message generation process is as follows:
  • one replay attack protection method is as follows: set up a buffer queue and, using the hash value of the message as the key, record the number of times the message has appeared in the most recent period. If the check finds that the count exceeds a certain limit, the current request message is discarded immediately. If the replay attack judging unit 305 detects a replay attack, the current message 306 is discarded.
  • one address restriction protection method is as follows: preset a list of addresses permitted to make download requests and, after receiving a download request, determine whether the address of the download requester is in that list; if it is, processing continues, otherwise the current message is discarded.
  • the download service provider first parses the message in the request message decomposing unit 310, and extracts each feature data content, such as the feature information digest 311, the encrypted feature information, and the like.
  • the feature information that has been encrypted in this embodiment includes encrypted hardware feature information 312 and encrypted user feature information 313.
  • the feature information digest 311 will be sent to the key generation unit A 320 to generate the request message encryption key 321.
  • the specific algorithm of key generation unit A 320 must be the same as key generation unit A 220 of Figure 2 to ensure that the same input can generate a completely consistent key.
  • the encrypted hardware feature information 312 and the encrypted user feature information 313 are decrypted in the decryption unit A 330 by the request message encryption key 321 to obtain hardware feature information 331 and user feature information 332.
  • the algorithm of the decryption unit A 330 must match the encryption unit A 230 in Fig. 2 to ensure that any data is encrypted by the same key and then decrypted, and the result is still the same.
  • the decrypted hardware feature information 331 and user feature information 332 are sent to the legality verification and additional information query unit 340, which searches the system (e.g., the operation support system) for a corresponding record and checks whether the status of the record is legal. If the search fails or the status is illegal, the request is considered incorrect and the current message is discarded. If the search succeeds and the status is legal, the additional information 341 corresponding to the record is queried. If it was agreed not to use additional information and the additional information found is empty, or if it was agreed in advance to use non-empty additional information and non-empty additional information is found, the query is considered successful and the additional information 341 is output.
  • the system (e.g., the operation support system)
  • the additional information 341 and the hardware feature information 331 and the user feature information 332 are input to the digesting unit 350 to obtain a feature information digest 351.
  • the specific algorithm of digest unit 350 must be identical to digest unit 210 in Figure 2 to ensure that the same input can produce consistent digest results.
  • the feature information digest 351 generated by the digest unit 350 is compared with the feature information digest 311 parsed from the request message 301. If the two differ, the integrity check of the request message fails; the message may have been tampered with and must be discarded. Only if the two digests are identical is the request message considered legitimate and ready for follow-up processing.
  • the hardware feature information 331 and the user feature information 332 are sent to the certificate key inquiry unit 365; if necessary, the input may further include the additional information 341 or the like. If the corresponding digital certificate and terminal private key are found, the hardware feature information 331, the user feature information 332, and the additional information 341 are sent together to the key generation unit B 360 to obtain the response message encryption key 361; if the query fails, the request is considered incorrect and the current message is discarded.
  • the specific algorithm of the key generation unit B 360 may be determined according to actual needs, and is not necessarily related to the specific algorithm selection of the key generation unit A 320 in FIG.
  • the certificate key information 366 obtained by the query is encrypted in the encryption unit B 370 by using the response message encryption key 361 obtained in the foregoing to obtain the encrypted certificate key information 371.
  • the specific algorithm chosen for the encryption unit B 370 may be the same as that of the encryption unit A 230 in FIG. 2, or may differ. The encrypted certificate key information 371 is finally sent to the response message generation unit 380 to construct a digital certificate and key download response message 381.
  • Message 381 is sent to the download requester and the system is notified to change the status of the user.
  • the download service provider can digest the response message and then sign the digest with the private key of the download service provider.
  • the X.509 format digital certificate carrying the download service provider's public key is attached to the message sent to the download requester.
  • the specific steps are as follows:
  • the response message generating unit 380 takes an additional input, namely the X.509 format digital certificate of the download service provider, and when constructing the response message adds a field to hold that certificate; the response message generating unit 380 also adds a message signing unit that digitally signs the constructed response message with a signature algorithm chosen as needed. This provides a better guarantee of the source and integrity of the response message.
  • the process by which the download requester parses the response message in the embodiment of the present invention is as follows: after receiving the download response, the download requester on the one hand sends the feature information, including the hardware feature information 402 and the user feature information 403, together with the additional information 404
  • to the key generation unit B 415 to derive the response message encryption key 416; on the other hand, the response message is sent to the parsing unit 410 to extract the encrypted certificate key information 411.
  • the algorithm of the key generation unit B 415 must be identical to the key generation unit B 360 in Fig. 3.
  • the encrypted certificate key information 411 is sent to the decryption unit B 420, and in combination with the response encryption key 416, the final required digital certificate and key information can be obtained.
  • the download requester may also perform corresponding legality check and verification work in advance when receiving the response message.
  • the steps for checking and verifying the validity of the digital signature are as follows: first, the X.509 format digital certificate of the download service provider is parsed from the message; if the download requester supports the OCSP interface, the validity of the download service provider's digital certificate can be verified with the OCSP server; then the public key of the download service provider is extracted from that digital certificate and used, with the signature verification algorithm corresponding to the digital signature, to verify the signature, confirming the integrity of the message and the identity of its sender.
  • within the agreed time limit after first use following purchase, a major system upgrade, or certificate expiry, the user's set-top box can automatically download a new digital certificate and terminal private key from the certificate management center's certificate download server.
  • after the agreed time limit is exceeded, the terminal user must apply to the operator for a certificate download additional code and, within the new agreed time limit, enter the additional code on the set-top box through the user interface to manually initiate the certificate and key download process. If the new agreed time limit is exceeded, the user must repeat the process of applying for the additional code and downloading.
  • the set top box 501 firstly collects the set top box feature information and the additional information 511 when the certificate key download process is automatically initiated after the self-test or when the download process is initiated under user intervention.
  • the additional feature information is empty; for the user-initiated download process, the additional feature information is a certificate download additional code.
  • the set top box feature information includes a hardware feature identification string of the set top box and a user identification string.
  • the set top box certificate key downloading agent sequentially calculates the information digest value 512, generates a request message encryption key 513, encrypts the hardware feature identification string of the set top box and the user identification string, respectively, and constructs a download request message body 514.
  • the download request message body includes a hardware feature identification string and a user identification string encrypted with the request message encryption key, and a message digest value.
  • after receiving the download request 520 sent from the set top box 501, the certificate download server 502 first performs pre-processing 521 such as replay attack protection, then calculates the request message encryption key 522 from the digest value in the message body and performs a decryption operation 523 on the encrypted hardware feature identification string and user identification string. The certificate download server 502 then transmits the hardware feature identification string and the user identification string to the operation support system 503 through the internal network connection. The operation support system 503 first searches for a corresponding record based on the received feature information and determines whether the status of the record is legal 531.
  • if the status is normal and the additional information is empty, the operation support system replies directly to the certificate download server 502; if the status is waiting for certificate download and the additional information is not empty,
  • the user status and the additional information query result are returned to the certificate download server 502; in other cases, an error code is replied directly.
  • after receiving the response from the operation support system 503, the certificate download server 502 recalculates the digest value from the local query result and compares it with the digest value in the download request message; if they match, it continues to construct the response, otherwise it discards the current request.
  • upon completing verification of the request message, the certificate download server 502 submits a certificate acquisition request 550 to the certificate management center 504 via the internal network connection.
  • the certificate acquisition request contains the corresponding feature information of the set top box.
  • the certificate management center obtains the pre-generated set-top box digital certificate and the terminal private key according to the configuration, or submits the set-top box feature information to the authentication center to generate the digital certificate and the terminal private key 551.
  • the digital certificate and the terminal private key are then placed in the certificate acquisition response 560 and sent to the certificate download server.
  • the certificate download server generates a response message encryption key 561 based on the set top box characteristic information and the additional information, and encrypts the digital certificate and the terminal private key obtained from the certificate management center to construct a download response message 562.
  • the certificate download server replies to the set-top box with a download response message 570 and notifies the operational support system to change the user status 580.
  • after receiving the download response message, the set top box 501 calculates a response message encryption key 571 based on the local data, and then extracts the digital certificate and the terminal private key 572 from the download response message.
  • the invention can be applied to the field of network communication security technology, so that the digital certificate and the key can be packaged and encrypted conveniently and flexibly through the network.
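
The two pre-processing checks described in the list above (the permitted-address list and the buffer queue keyed by message hash) can be sketched as follows. This is an added example, not code from the patent; the class name, the time window, the repeat limit and the sample addresses are assumptions.

```python
import hashlib
import ipaddress
import time
from collections import deque


class PreProcessor:
    """Address restriction, then replay protection, run before any decryption."""

    def __init__(self, allowed_networks, window_seconds=60.0, max_repeats=3,
                 clock=time.monotonic):
        # Permitted-address list, preset by the operator (values are assumptions).
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.window = window_seconds      # "most recent period"
        self.max_repeats = max_repeats    # "a certain limit"
        self.clock = clock                # injectable so the window can be tested
        self.queue = deque()              # (arrival time, message hash), oldest first
        self.counts = {}                  # message hash -> occurrences inside the window

    def _expire(self, now):
        # Drop entries that have left the window so memory stays bounded.
        while self.queue and now - self.queue[0][0] > self.window:
            _, digest = self.queue.popleft()
            self.counts[digest] -= 1
            if self.counts[digest] == 0:
                del self.counts[digest]

    def address_permitted(self, source_ip):
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False                  # unparseable source: treat as not permitted
        return any(addr in net for net in self.allowed)

    def accept(self, source_ip, raw_message):
        """Return True if the request may go on to decryption and verification."""
        # Check the address first so that unlisted sources cannot fill the queue.
        if not self.address_permitted(source_ip):
            return False
        now = self.clock()
        self._expire(now)
        digest = hashlib.sha256(raw_message).digest()
        if self.counts.get(digest, 0) >= self.max_repeats:
            return False                  # seen too often recently: discard silently
        self.queue.append((now, digest))
        self.counts[digest] = self.counts.get(digest, 0) + 1
        return True
```

Rejected repeats are not recorded, so a flood of one message cannot extend its own lockout beyond the window.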

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method of downloading digital certification and key. A download request side creates the digest of first synthesized information according to a first digest algorithm, uses the digest to generate an encryption key according to a first key generation algorithm, and encrypts its own attribute information; it then creates a download request message from the encrypted content and the digest and sends it to a download serving side. After receiving the request message, the serving side uses the digest to generate the encryption key according to the first key generation algorithm, decrypts the encrypted content in the message, and obtains the attribute information of the download request side. When the serving side has confirmed the validity of the attribute information, it queries the corresponding digital certification and terminal private key according to the attribute information and uses second synthesized information to generate an encryption key according to the second key generation algorithm. The serving side encrypts the digital certification and terminal private key, creates a download response message and sends it to the request side. After receiving the response message, the request side generates the encryption key from the second synthesized information according to the second key generation algorithm, decrypts the encrypted content of the response message, and obtains the requested digital certification and key.
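
The request and response exchange summarised above, as an added example (not code from the patent). It uses SHA-1 and a KDF2-style derivation, as the embodiment names them; the length-prefixed field encoding, the XOR keystream standing in for AES or 3DES, the registry layout, the status names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac


def pack(*fields: bytes) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") digest differently.
    # Assumption: the page only says the fields are concatenated in sequence.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def kdf2(secret: bytes, length: int, info: bytes = b"") -> bytes:
    # KDF2-style derivation: SHA-1(secret || 4-byte counter || info), counter from 1.
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha1(secret + counter.to_bytes(4, "big") + info).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): XOR with a KDF2 keystream, one label per field.
    # A deployment would use a real cipher such as AES or 3DES here.
    return bytes(a ^ b for a, b in zip(data, kdf2(key, len(data), label)))


unseal = seal  # XOR is its own inverse


def build_request(hw: bytes, user: bytes, extra: bytes) -> dict:
    """Download requester: digest, derive request key, encrypt feature information."""
    digest = hashlib.sha1(pack(hw, user, extra)).digest()  # first digest algorithm
    k_req = kdf2(digest, 16)                               # first key generation algorithm
    # k_req depends only on the digest carried in the message. The additional
    # information is never transmitted; the digest check and the response key rest on it.
    return {"digest": digest,
            "enc_hw": seal(k_req, b"hw", hw),
            "enc_user": seal(k_req, b"user", user)}


def new_registry() -> dict:
    # Constructed sample record standing in for the operation support system.
    return {(b"STB-SN-0001", b"user-42"): {
        "status": "awaiting-download",
        "extra": b"ONE-TIME-CODE",
        "bundle": b"CERT+PRIVATE-KEY (placeholder bytes)"}}


def handle_request(registry: dict, msg: dict):
    """Download service provider: returns a response, or None to discard silently."""
    k_req = kdf2(msg["digest"], 16)
    hw = unseal(k_req, b"hw", msg["enc_hw"])
    user = unseal(k_req, b"user", msg["enc_user"])
    record = registry.get((hw, user))
    if record is None or record["status"] != "awaiting-download":
        return None                                        # unknown or illegal status
    second_info = pack(hw, user, record["extra"])
    expected = hashlib.sha1(second_info).digest()          # recompute with stored extra
    if not hmac.compare_digest(expected, msg["digest"]):
        return None                                        # tampered or wrong additional info
    k_resp = kdf2(second_info, 16, b"response")            # second key generation algorithm
    record["status"] = "issued"                            # notify system: status changes
    return {"enc_bundle": seal(k_resp, b"bundle", record["bundle"])}


def open_response(resp: dict, hw: bytes, user: bytes, extra: bytes) -> bytes:
    """Download requester: derive the response key locally and decrypt."""
    k_resp = kdf2(pack(hw, user, extra), 16, b"response")
    return unseal(k_resp, b"bundle", resp["enc_bundle"])


if __name__ == "__main__":
    reg = new_registry()
    request = build_request(b"STB-SN-0001", b"user-42", b"ONE-TIME-CODE")
    response = handle_request(reg, request)
    print(open_response(response, b"STB-SN-0001", b"user-42", b"ONE-TIME-CODE"))
```

Because the stand-in cipher carries no integrity tag, a requester holding the wrong additional information would decrypt a response to garbage rather than see an error; the optional provider signature described in the embodiment is what would detect that.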

Description

Digital certificate and key downloading method
Technical field
The present invention relates to the field of network communication security technology, and in particular to encrypted download.
Background
With the rapid development of the Internet, the volume of information transmitted grows daily, and transmission security problems are increasingly prominent. To secure the exchange of information over networks, various security mechanisms have been proposed, of which the public key infrastructure (PKI) architecture is one of the most important. In the PKI architecture, public/private key pairs and asymmetric encryption and decryption are among the core foundations. The security of the private key effectively determines the security of the entire PKI architecture, and for that reason how the private key is securely delivered from its generator to its final user has always been one of the central security questions.
In current high-security applications, private keys are mainly delivered offline. Typical methods include presetting the key when the system leaves the factory or is sold, or storing the private key in a USB key that is carried with it. Because the key's storage medium and delivery environment stay under control throughout, these methods are highly secure. On the other hand, they are cumbersome, costly and inflexible. For the many applications that require moderate security protection together with flexible, rapid, large-scale deployment, they are not well suited.
To address these problems, several patents and patent applications have been put forward. US patent No. US2003105965, "System and method for installing a remote credit card authorization on a system with a TCPA complaint chipset", proposes a method of delivering a certificate and key by e-mail. Although this uses network transmission and improves efficiency somewhat, it still has shortcomings: first, delivery by e-mail does not issue the certificate and key to the device that finally needs them, so manual intervention is still required; second, e-mail delivery does not substantially improve the security of the transmission.
In network communication security, the security and the convenience of transmitting a digital certificate's private key have always been in tension: extremely strict security guarantees inevitably make the delivery procedure cumbersome and costly, which works against service rollout. Therefore, for the many situations where medium- and low-value information must be delivered quickly and flexibly, a scheme is acceptable as long as the cost of breaking the security mechanism is much higher than the benefit gained by breaking it and, if a threat does materialize, the damage can be confined to a very small scope. A convenient digital certificate and key download method suited to such situations is therefore needed.
Broadly speaking, any encrypted network transmission method can be used to download digital certificates and keys. However, to make content processing more targeted, strengthen the cohesion of the processing method and improve transmission security, it is also necessary to embed feature information related to certificate and key download in the transmission mechanism.
Summary of the invention
The technical problem to be solved by the present invention is to provide a digital certificate and key downloading method that improves the flexibility of encrypted download of digital certificates and keys while meeting a moderate security level requirement.
To solve the above technical problem, the present invention provides a digital certificate and key downloading method comprising the following steps:
(a) The download requester applies a first digest algorithm to first integrated information, which includes at least its own feature information, to generate a digest value of the feature information; generates a request message encryption key from the digest value using a first key generation algorithm and encrypts the feature information with that key; then constructs a digital certificate and key download request message from the encrypted content and the digest value and sends it to the download service provider.
(b) On receiving the download request message, the download service provider decomposes it and generates an encryption key from the digest value it contains using the first key generation algorithm; uses that encryption key to decrypt the encrypted content in the message with the corresponding decryption algorithm, obtaining the feature information of the download requester; and, once the feature information has passed a validity check against the records in the system, performs step (c).
(c) The download service provider looks up the corresponding digital certificate and terminal private key in the system according to the feature information, and generates a response message encryption key by applying a second key generation algorithm to second integrated information, which includes at least the feature information; encrypts the digital certificate and terminal private key it found with that key, constructs a download response message from the encrypted content, and sends it to the download requester.
(d) On receiving the response message, the download requester generates the encryption key by applying the second key generation algorithm to the second integrated information, and uses that key to decrypt the encrypted content in the response message, obtaining the requested digital certificate and key.
Further, the above method may also have the following feature: the feature information includes at least hardware feature information that characterizes the download requester's device and/or user feature information that characterizes the identity of the download requester's user.
Further, the above method may also have the following feature: the feature information also includes vendor information and/or software feature information.
Further, the above method may also have the following feature: the first integrated information and/or the second integrated information also includes additional information, which is agreed in advance between the download requester and the download service provider and does not appear, in plaintext or encrypted form, in the body of the digital certificate and key download request message.
Further, the above method may also have the following feature: in step (b), when the download service provider checks the validity of the feature information against the records in the system, it extracts from the system the additional information corresponding to the feature information and applies the first digest algorithm to the extracted additional information together with the feature information. If the resulting digest value is the same as the digest value extracted from the download request message, the validity check passes; if the feature information cannot be found in the system or the two digest values differ, the download request message is discarded.
Further, the above method may also have the following feature: in step (b), after receiving the download request, the download service provider first performs preprocessing, which includes at least replay attack protection or address restriction protection. Subsequent processing continues only if preprocessing passes; otherwise the download request is discarded.
Further, the above method may also have the following feature: in step (c), when the download response message is constructed from the encrypted content, a field is added to hold the download service provider's X.509 digital certificate, and after the download response message has been constructed it is digitally signed with a signature algorithm. In step (d), after receiving the response message, the download requester first parses the download service provider's X.509 digital certificate out of the message and verifies its validity with a server. If it is valid, the requester extracts the download service provider's public key from the certificate and uses it to check the signature with the verification algorithm that corresponds to the digital signature; subsequent processing continues only if the check passes.
Further, the above method may also have the following feature: in step (b) or step (c), if the download service provider accepts the request but an error of its own occurs during processing, it replies to the download requester with a download-failure response.
Further, the above method may also have the following feature: the first key generation algorithm, the second key generation algorithm and the first digest algorithm are general-purpose algorithms or private algorithms.
The present invention proposes a method of conveniently and flexibly delivering digital certificates and keys by encrypted download over a network, which is better suited to the many situations where medium- and low-value information must be delivered quickly and flexibly. In the present invention the whole procedure is completed in a single request-response exchange. Security is strengthened by binding feature information and by using a data digest, additional information and other means, which greatly improves the flexibility of the application while meeting a moderate security level requirement. In addition, the present invention uses an open design for the additional information, the digest unit and the key generation units: the additional information may be present or empty, and the digest algorithm and key generation algorithms may be public algorithms or private ones. This makes it easy to make trade-offs at design time according to the needs of the application.
Brief description of the drawings
FIG. 1 is a schematic diagram of message interaction according to an embodiment of the present invention;
FIG. 2 is a flowchart of request message generation by the download requester in an embodiment of the present invention;
FIG. 3 is a flowchart of request verification and response message generation by the download service provider in an embodiment of the present invention;
FIG. 4 is a flowchart of response message parsing by the download requester in an embodiment of the present invention;
FIG. 5 is a schematic diagram of message interaction in an example of the present invention in the field of network television (IPTV) using digital rights management (DRM) technology.
Best mode for carrying out the invention
The digital certificate and key downloading method of the present invention is described below with reference to the drawings and embodiments. The digital certificate referred to here is a digital certificate conforming to the X.509 standard; the key referred to here is the key material associated with the digital certificate, including the private key.
As shown in FIG. 1, the digital certificate and key downloading method of this embodiment involves two logical entities:
Download requester 101. According to the needs of the specific application, the download requester 101 sends a digital certificate and key download request to the download service provider 102, receives the response and parses out the digital certificate and key. The download requester 101 must be a logical entity registered in advance with the download service provider 102; that is, its feature information must already be registered, or equivalently registered, with the download service provider 102.
Download service provider 102. At the request of the download requester 101, the download service provider 102 sends the encrypted digital certificate and key to a legitimate download requester 101. The download service provider 102 sends digital certificates and keys only to logical entities that have been registered in advance.
As shown in the figure, in a successful download flow 110, the download requester collects information and constructs a download request (111); sends the download request to the download service provider (112); the download service provider accepts the request and verifies the identity of the download requester and the validity of the message (113); for a valid request, it constructs a response containing the digital certificate and key (114) and sends it to the download requester (115).
In one failed download flow 120, the download requester collects information and constructs a download request (121); sends the download request to the download service provider (122); the download service provider accepts the request and verifies the identity of the download requester and the validity of the message (123); for an invalid message it may reply with a download-failure response, but for security reasons it may also simply discard the request message without any reply (124).
In another failed download flow 130, the download requester collects information and constructs a download request (131); sends the download request to the download service provider (132); the download service provider accepts the request but an error of its own occurs during processing (133); the download service provider replies with a download-failure response (134).
As shown in FIG. 2, the download requester generates the request message in this embodiment as follows:
The feature information of the download requester includes hardware feature information 201 and user feature information 202. The download requester sends the hardware feature information 201, the user feature information 202 and the additional information 203 to the digest unit 210. Hardware feature information is inherent information tied to the download requester's hardware, such as a hardware serial number. User feature information is information closely tied to the user, such as a user name or a user feature code. The additional information serves mainly to improve the security of the system and depends on a prior agreement between the download requester and the download service provider; for example, the download service provider may tell the download requester in advance a feature string that can be used once within a limited time. Alternatively, the first download may be required to use no additional information, that is, the additional information is empty.
The digest unit 210 applies a preset digest algorithm to the information it receives and obtains the feature information digest value 211. The digest algorithm may be a public general-purpose algorithm or a private one. For example, the digest unit concatenates the received information in order and hashes the concatenated string with the SHA-1 digest algorithm to obtain the feature information digest value.
The feature information digest value 211 is fed, as the raw material for the request message encryption key, into key generation unit A 220, which produces the request message encryption key 221. The key generation algorithm of this unit may likewise be a public general-purpose algorithm or a private one. For example, the key may be generated with the KDF2 algorithm of the X9.44 standard.
The hardware feature information 201 and user feature information 202 are encrypted in encryption unit A 230 with the request message encryption key 221. In application scenarios with other requirements, other content that needs encryption, such as vendor information, software features and other extra data, can be encrypted as well. The encryption algorithm can likewise be chosen according to actual needs; for example, AES or 3DES can be used. The encrypted output includes the encrypted hardware feature information 231, the encrypted user feature information 232 and the encrypted form of any other content that needed encryption.
The output of encryption unit A 230 is sent, together with the feature information digest 211, to the request message generation unit 240, which constructs the digital certificate and key download request message 241.
As shown in FIG. 3, the download service provider verifies the request and generates the response message in this embodiment as follows:
After receiving the download request, the download service provider can perform some additional preprocessing, such as replay attack protection and address restriction protection. One form of replay attack protection is as follows: a buffer queue is set up that uses the hash value of a message as the key and records how many times that message has appeared in the most recent period; if a check finds that the count exceeds a certain limit, the current request message is discarded immediately. If the replay attack judging unit 305 detects a replay attack, the current message is discarded (306). One form of address restriction protection is as follows: a list of addresses permitted to make download requests is preset; when a download request is received, the provider checks whether the download requester's address is in that list, continues processing if it is, and otherwise discards the current message.
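One way to implement the two preprocessing checks described above, as an added Python example that is not part of the patent text. The window length, the repeat limit, the entry cap, the use of SHA-256 as the message hash and the CIDR form of the permitted-address list are assumptions; the addresses are constructed documentation addresses.

```python
import hashlib
import ipaddress
from collections import deque


class ReplayGuard:
    """Buffer queue keyed by message hash, counting repeats in a sliding window."""

    def __init__(self, window_seconds=300, max_repeats=1, max_entries=10000):
        self.window = window_seconds      # assumed length of the "recent period"
        self.max_repeats = max_repeats    # assumed limit on identical messages
        self.max_entries = max_entries    # assumed cap so the queue stays bounded
        self.queue = deque()              # (timestamp, digest) in arrival order
        self.counts = {}                  # digest -> occurrences inside the window

    def _drop_oldest(self):
        _, old = self.queue.popleft()
        self.counts[old] -= 1
        if self.counts[old] == 0:
            del self.counts[old]

    def admit(self, raw_message: bytes, now: float) -> bool:
        # Forget entries that have aged out of the window.
        while self.queue and now - self.queue[0][0] > self.window:
            self._drop_oldest()
        key = hashlib.sha256(raw_message).digest()
        seen = self.counts.get(key, 0)
        if seen >= self.max_repeats:
            return False                  # over the limit: treat as a replay
        if len(self.queue) >= self.max_entries:
            self._drop_oldest()
        self.queue.append((now, key))
        self.counts[key] = seen + 1
        return True


class AddressAllowlist:
    """Preset list of addresses permitted to send download requests."""

    def __init__(self, cidrs):
        self.networks = [ipaddress.ip_network(c) for c in cidrs]

    def permits(self, source: str) -> bool:
        try:
            ip = ipaddress.ip_address(source)
        except ValueError:
            return False                  # unparseable source address: reject
        return any(ip in net for net in self.networks)


def preprocess(raw_message, source, now, guard, allowlist):
    """Return 'accept', 'drop-address' or 'drop-replay' for one request."""
    if not allowlist.permits(source):
        return "drop-address"
    if not guard.admit(raw_message, now):
        return "drop-replay"
    return "accept"


if __name__ == "__main__":
    guard = ReplayGuard(window_seconds=60, max_repeats=2)
    allow = AddressAllowlist(["192.0.2.0/24"])   # constructed sample range
    for t in (0, 1, 2, 100):
        print(t, preprocess(b"constructed-request", "192.0.2.10", t, guard, allow))
```

Rejected copies are not recorded, so a flood of identical messages cannot grow the queue; only admitted messages occupy entries.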
The download service provider first parses the message in the request message decomposition unit 310 and extracts each item of feature data, such as the feature information digest 311 and the encrypted feature information. In this embodiment the encrypted feature information comprises the encrypted hardware feature information 312 and the encrypted user feature information 313. The feature information digest 311 is sent to key generation unit A 320, which produces the request message encryption key 321. The algorithm of key generation unit A 320 must be the same as that of key generation unit A 220 in FIG. 2, so that the same input yields exactly the same key.
In decryption unit A 330, the encrypted hardware feature information 312 and the encrypted user feature information 313 are each decrypted with the request message encryption key 321, yielding the hardware feature information 331 and the user feature information 332. The algorithm of decryption unit A 330 must match that of encryption unit A 230 in FIG. 2, so that any data encrypted and then decrypted with the same key comes out identical to the original.
The decrypted hardware feature information 331 and user feature information 332 are sent to the validity verification and additional information query unit 340, which checks whether the system (for example, the operations support system) holds a corresponding record and whether the status of that record is valid. If the lookup fails or the status is invalid, the request is considered erroneous and the current message is discarded. If the lookup succeeds and the status is valid, the unit then queries the additional information 341 associated with the record. If it was agreed in advance that no additional information is used and the additional information found is empty, or if it was agreed in advance that non-empty additional information is used and non-empty additional information is found, the query is considered successful and the additional information 341 is output.
The additional information 341, the hardware feature information 331 and the user feature information 332 are fed into the digest unit 350, which produces the feature information digest 351. Likewise, the algorithm of the digest unit 350 must be exactly the same as that of the digest unit 210 in FIG. 2, so that the same input yields the same digest.
The feature information digest 351 produced by the digest unit 350 is compared with the feature information digest 311 parsed out of the request message 301. If the two differ, the integrity check of the request message fails: the message may have been tampered with and must be discarded. Only if the two digests are identical is the request message considered valid and subsequent processing prepared.
After the request message has passed the validity check and verification, the hardware feature information 331 and user feature information 332 are sent to the certificate key query unit 365; if necessary, the input may also include the additional information 341 and so on. If the corresponding digital certificate and terminal private key are found, the hardware feature information 331, user feature information 332 and additional information 341 are at the same time sent to key generation unit B 360 to obtain the response message encryption key 361; if the query fails, the request is considered erroneous and the current message is discarded. The algorithm of key generation unit B 360 can be chosen according to actual needs and has no necessary connection with the algorithm chosen for key generation unit A 320 in FIG. 3.
The certificate key information 366 returned by the query is encrypted in encryption unit B 370 with the response message encryption key 361 obtained above, giving the encrypted certificate key information 371. The algorithm chosen for encryption unit B 370 may be the same as that of encryption unit A 230 in FIG. 2, or may be different.
Finally, the encrypted certificate key information 371 is sent to the response message generation unit 380, which constructs the digital certificate and key download response message 381; the message is sent to the download requester, and the system is notified to change the user's status.
Other extra steps can be added as needed while the download response is constructed. For example, the download service provider can compute a digest of the response message and sign it with the download service provider's private key, and at the same time attach to the message, for delivery to the download requester, an X.509 digital certificate containing the download service provider's public key. The specific steps are as follows: the response message generation unit 380 takes one more input, the download service provider's X.509 digital certificate, and adds a field to hold that certificate when it constructs the response message; a message signing unit is added after the response message generation unit 380 and digitally signs the constructed response message with a signature algorithm chosen as appropriate. This gives a better guarantee of the origin and integrity of the response message.
As shown in FIG. 4, the download requester parses the response message in this embodiment as follows:
After receiving the download response, the download requester on the one hand feeds the feature information, comprising the hardware feature information 402 and the user feature information 403, together with the additional information 404 into key generation unit B 415 to derive the response message encryption key 416; on the other hand it passes the response message to the parsing unit 410, which extracts the encrypted certificate key information 411. The algorithm of key generation unit B 415 must be the same as that of key generation unit B 360 in FIG. 3.
The encrypted certificate key information 411 is fed into decryption unit B 420 and, combined with the response message encryption key 416, yields the digital certificate and key information that are finally required.
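The exchange of FIGS. 2 to 4 carried through end to end, as an added Python example that is not part of the patent text. SHA-1 and KDF2 follow the examples the description names; the message layout, the SHA-256 variant used for key generation unit B, the 16-byte key length and all sample values are assumptions, and a SHA-256 counter keystream stands in for AES or 3DES so that the example runs with the standard library only.

```python
import hashlib
import hmac

KEY_LEN = 16  # assumed key length in bytes


def digest_features(hw: bytes, user: bytes, extra: bytes = b"") -> bytes:
    """Digest unit 210/350: concatenate the inputs in order, hash with SHA-1."""
    return hashlib.sha1(hw + user + extra).digest()


def kdf2(secret: bytes, length: int, other_info: bytes = b"", hash_name: str = "sha1") -> bytes:
    """KDF2: Hash(secret || counter || other_info), 4-byte big-endian counter from 1."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.new(hash_name, secret + counter.to_bytes(4, "big") + other_info).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in cipher (not AES/3DES): XOR with a SHA-256 counter keystream.
    The label gives each field its own keystream under a shared key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + b"\x00" + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def response_key(hw: bytes, user: bytes, extra: bytes) -> bytes:
    """Key generation unit B (360/415); assumed here to be KDF2 over SHA-256."""
    return kdf2(hw + user + extra, KEY_LEN, b"response", "sha256")


def build_request(hw: bytes, user: bytes, extra: bytes = b"") -> dict:
    """Download requester, FIG. 2: digest -> key A -> encrypt features -> message."""
    digest = digest_features(hw, user, extra)
    key_a = kdf2(digest, KEY_LEN)
    return {"digest": digest,
            "enc_hw": stream_xor(key_a, b"hw", hw),
            "enc_user": stream_xor(key_a, b"user", user)}


def handle_request(msg: dict, registry: dict):
    """Download service provider, FIG. 3. Returns a response, or None to discard."""
    key_a = kdf2(msg["digest"], KEY_LEN)
    hw = stream_xor(key_a, b"hw", msg["enc_hw"])
    user = stream_xor(key_a, b"user", msg["enc_user"])
    record = registry.get((hw, user))
    if record is None or not record["valid"]:
        return None                       # no record, or record status not valid
    expected = digest_features(hw, user, record["extra"])
    if not hmac.compare_digest(expected, msg["digest"]):
        return None                       # digest 351 differs from digest 311
    cert, priv = record["cert"], record["private_key"]
    payload = len(cert).to_bytes(4, "big") + cert + priv
    key_b = response_key(hw, user, record["extra"])
    return {"enc_cert_key": stream_xor(key_b, b"resp", payload)}


def parse_response(resp: dict, hw: bytes, user: bytes, extra: bytes = b""):
    """Download requester, FIG. 4: derive key B locally and split the payload."""
    plain = stream_xor(response_key(hw, user, extra), b"resp", resp["enc_cert_key"])
    n = int.from_bytes(plain[:4], "big")
    return plain[4:4 + n], plain[4 + n:]


# Constructed sample data (not real identifiers, certificates or keys).
HW, USER, CODE = b"STB-SN-0001", b"user-0001", b"one-time-code-1234"
CERT, PRIV = b"<constructed certificate bytes>", b"<constructed private key bytes>"
REGISTRY = {(HW, USER): {"valid": True, "extra": CODE, "cert": CERT, "private_key": PRIV}}


def demo():
    resp = handle_request(build_request(HW, USER, CODE), REGISTRY)
    return parse_response(resp, HW, USER, CODE)


if __name__ == "__main__":
    print(demo() == (CERT, PRIV))
```

Because the digest travels in the request, key A can be recomputed from the message alone when the algorithms are public; the confidentiality of the response therefore rests on key B, and so on the additional information that never appears in either message.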
In addition, if other extra response content was agreed in advance, for example a digital signature by the download service provider, the download requester can also carry out the corresponding validity checks when it receives the response message. The digital signature can be checked in the following steps: first, the download service provider's X.509 digital certificate is parsed out of the message, and if the download requester supports an OCSP interface, it can verify the validity of the download service provider's digital certificate with an OCSP server; then the download service provider's public key is extracted from that certificate and used, with the verification algorithm that corresponds to the digital signature, to check the signature, confirming the integrity of the message and the identity of its sender.
In one example from the field of Internet Protocol television (IPTV) using digital rights management (DRM) technology, a user's set-top box can, on first use after purchase, after a major system upgrade, or after its certificate has expired, automatically download a new digital certificate and terminal private key from the certificate download server of the certificate management center within an agreed time limit. To improve security, once the agreed time limit has passed, the end user must apply to the operator for a certificate download additional code, enter that code on the set-top box through the user interface within a new agreed time limit, and start the certificate and key download manually. If the new time limit is exceeded as well, the user must repeat the process of applying for an additional code and downloading.
The message exchange for downloading the digital certificate and key in the above example is shown in FIG. 5:
When the set-top box 501 starts the certificate and key download flow, either automatically after its self-test or on user intervention, it first collects the set-top box feature information and the additional information 511. For an automatically started download, the additional information is empty; for a user-started download, the additional information is the certificate download additional code. The set-top box feature information comprises the set-top box's hardware feature identification string and the user identification string. The set-top box's certificate and key download agent then, in order, computes the information digest value 512, generates the request message encryption key 513, encrypts the hardware feature identification string and the user identification string separately, and constructs the download request message body 514. The download request message body contains the hardware feature identification string and the user identification string, both encrypted with the request message encryption key, and the information digest value.
After receiving the download request 520 from the set-top box 501, the certificate download server 502 first carries out preprocessing 521 such as replay attack protection, then computes the request message encryption key 522 from the digest value in the message body and decrypts 523 the encrypted hardware feature identification string and user identification string in the message. The certificate download server 502 then sends the hardware feature identification string and the user identification string to the operation support system 503 over an internal network connection. The operation support system 503 first looks up whether a record corresponding to the received feature information exists and determines whether the state of that record is valid 531. If the state is "waiting for certificate download" and the additional information is empty, it replies directly to the certificate download server 502 that the user state is valid and the additional information is empty; if the state is "waiting for certificate download" and the additional information is not empty, it queries the additional information and then returns the user state and the result of the additional information query to the certificate download server 502; in all other cases it replies directly with an error code. After receiving the response from the operation support system 503, the certificate download server 502 recomputes the digest value from the local query result and compares it with the digest value in the download request message; if the two match it goes on to construct the response, otherwise it discards the current request.
After it has finished validating the request message, the certificate download server 502 submits a certificate acquisition request 550 to the certificate management center 504 over an internal network connection. The certificate acquisition request contains the relevant feature information of the set-top box. Depending on its configuration, the certificate management center either looks up a pre-generated set-top box digital certificate and terminal private key, or submits the set-top box feature information to the certification authority to generate the digital certificate and terminal private key 551. It then places the digital certificate and terminal private key in the certificate acquisition response 560 and sends it to the certificate download server. Meanwhile, the certificate download server generates the response message encryption key 561 from the set-top box feature information and the additional information, encrypts the digital certificate and terminal private key obtained from the certificate management center, and constructs the download response message 562. Finally, the certificate download server returns the download response message 570 to the set-top box and notifies the operation support system to change the user state 580.
After receiving the download response message, the set-top box 501 computes the response message encryption key 571 from its local data and uses it to extract the digital certificate and terminal private key 572 from the download response message.
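The FIG. 5 exchange described above, as an added example that is not code from the patent: SHA-256, the HMAC-based key derivations and the HMAC keystream standing in for the cipher are assumptions (the patent names no algorithms), and the device IDs, additional code, store layout and function names are constructed for illustration. Replay-protection preprocessing 521 and the optional signature check are left out.

```python
import hashlib
import hmac

def pack(hw_id, user_id, extra):
    """Length-prefixed concatenation, so field boundaries are unambiguous."""
    parts = [p.encode() for p in (hw_id, user_id, extra)]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def first_digest(hw_id, user_id, extra):
    # "First digest algorithm": SHA-256 is an assumption, the patent names none.
    return hashlib.sha256(pack(hw_id, user_id, extra)).digest()

def request_key(digest):
    # "First key generation algorithm": keyed only by the digest in the message.
    return hmac.new(b"request-key", digest, hashlib.sha256).digest()

def response_key(hw_id, user_id, extra):
    # "Second key generation algorithm": uses the raw features and the
    # additional code, which never appears in the request body.
    return hmac.new(b"response-key", pack(hw_id, user_id, extra), hashlib.sha256).digest()

def stream_xor(key, label, data):
    """Stand-in cipher (HMAC-SHA256 counter keystream); encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, label + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def build_request(hw_id, user_id, extra=""):
    """Set-top box side, steps 511-514."""
    digest = first_digest(hw_id, user_id, extra)
    key = request_key(digest)
    return {"digest": digest,
            "hw": stream_xor(key, b"hw", hw_id.encode()),
            "user": stream_xor(key, b"user", user_id.encode())}

def handle_request(req, oss, certs):
    """Download server side, steps 522-562 and 580; None means 'discarded'."""
    key = request_key(req["digest"])
    try:
        hw_id = stream_xor(key, b"hw", req["hw"]).decode()
        user_id = stream_xor(key, b"user", req["user"]).decode()
    except UnicodeDecodeError:
        return None
    record = oss.get((hw_id, user_id))
    if record is None or record["status"] != "awaiting_download":
        return None
    expected = first_digest(hw_id, user_id, record["extra"])
    if not hmac.compare_digest(expected, req["digest"]):
        return None  # wrong or missing additional code
    payload = certs[(hw_id, user_id)]
    record["status"] = "downloaded"  # step 580: change the user state
    return stream_xor(response_key(hw_id, user_id, record["extra"]), b"resp", payload)

def parse_response(resp, hw_id, user_id, extra=""):
    """Set-top box side, steps 571-572."""
    return stream_xor(response_key(hw_id, user_id, extra), b"resp", resp)

def new_backend():
    # Constructed sample records standing in for the operation support
    # system and the certificate management center.
    oss = {("STB-0001", "user-42"): {"status": "awaiting_download", "extra": "A1B2C3"}}
    certs = {("STB-0001", "user-42"): b"CONSTRUCTED-CERT-AND-PRIVATE-KEY"}
    return oss, certs

if __name__ == "__main__":
    oss, certs = new_backend()
    resp = handle_request(build_request("STB-0001", "user-42", "A1B2C3"), oss, certs)
    print(parse_response(resp, "STB-0001", "user-42", "A1B2C3"))
```

The request key depends only on the digest that travels in the request, whereas the response key also depends on the additional code, which the server looks up and the user enters but which never appears in a message; in the automatic flow that code is empty.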
Industrial applicability
The invention can be applied in the field of network communication security, allowing a digital certificate and key to be packaged, encrypted and downloaded over a network conveniently and flexibly.

Claims

1. A method for downloading a digital certificate and key, comprising the following steps:
(a) the download requester applies a first digest algorithm to first composite information, which includes at least the requester's own feature information, to generate a digest value of the feature information; generates a request message encryption key from the digest value according to a first key generation algorithm and encrypts the feature information with that key; then constructs a digital certificate and key download request message from the encrypted content and the digest value and sends it to the download service provider;
(b) on receiving the download request message, the download service provider decomposes it and generates an encryption key from the digest value it contains according to the first key generation algorithm; decrypts the encrypted content of the message with that encryption key using the corresponding decryption algorithm to obtain the download requester's feature information; and, after the feature information has passed a validity check against the records in the system, performs step (c);
(c) the download service provider looks up the corresponding digital certificate and terminal private key in the system according to the feature information, and generates a response message encryption key according to a second key generation algorithm from second composite information that includes at least the feature information; encrypts the retrieved digital certificate and terminal private key with that key, constructs a download response message from the encrypted content, and sends it to the download requester;
(d) on receiving the response message, the download requester generates an encryption key from the second composite information according to the second key generation algorithm and uses that key to decrypt the encrypted content of the response message, obtaining the requested digital certificate and key.
2. The method of claim 1, wherein the feature information includes at least hardware feature information characterizing the download requester's device and/or user feature information capable of characterizing the identity of the download requester's user.
3. The method of claim 2, wherein the feature information further includes vendor information and/or software feature information.
4. The method of claim 1, wherein the first composite information and/or the second composite information further includes additional information, the additional information being agreed in advance between the download requester and the download service provider and not appearing, either in plaintext or in encrypted form, in the body of the digital certificate and key download request message.
5. The method of claim 4, wherein in step (b), when the download service provider checks the validity of the feature information against the records in the system, it extracts from the system the additional information corresponding to the feature information and applies the first digest algorithm to the extracted additional information and the feature information; if the resulting digest value is the same as the digest value decomposed from the download request message, the validity check passes; if the feature information cannot be found in the system or the two digest values differ, the download request message is discarded.
6. The method of claim 1, wherein in step (b), after receiving the download request, the download service provider first performs preprocessing, the preprocessing including at least replay attack protection or address restriction protection; subsequent processing is carried out only if the preprocessing passes, otherwise the download request is discarded.
7. The method of claim 1, wherein in step (c), when the download response message is constructed from the encrypted content, a field is additionally included to hold the download service provider's X.509 digital certificate, and after the download response message has been constructed it is digitally signed using a signature algorithm; and in step (d), after receiving the response message, the download requester first parses the download service provider's X.509 digital certificate out of the message and verifies the validity of that certificate with a server; if it is valid, the requester extracts the download service provider's public key from the certificate and uses it, with the signature verification algorithm corresponding to the digital signature, to verify the signature, and carries out subsequent processing only if the verification passes.
8. The method of claim 1, wherein in step (b) or step (c), if the download service provider accepts the request but an error of its own occurs during processing, it returns a download-failed response to the download requester.
9. The method of claim 1, wherein the first key generation algorithm, the second key generation algorithm and the first digest algorithm are general-purpose algorithms or proprietary algorithms.
PCT/CN2005/002359 2005-12-29 2005-12-29 A method of downloading digital certification and key WO2007073623A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2005/002359 WO2007073623A1 (en) 2005-12-29 2005-12-29 A method of downloading digital certification and key
CN200580052026.XA CN101305542B (en) 2005-12-29 2005-12-29 Method for downloading digital certificate and cryptographic key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2005/002359 WO2007073623A1 (en) 2005-12-29 2005-12-29 A method of downloading digital certification and key

Publications (1)

Publication Number Publication Date
WO2007073623A1 true WO2007073623A1 (en) 2007-07-05

Family

ID=38217669

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2005/002359 WO2007073623A1 (en) 2005-12-29 2005-12-29 A method of downloading digital certification and key

Country Status (2)

Country Link
CN (1) CN101305542B (en)
WO (1) WO2007073623A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009105977A1 (en) * 2008-02-29 2009-09-03 西安西电捷通无线网络通信有限公司 A method for realizing the remote management of a handset digital certificate by using the ota system
WO2013064063A1 (en) * 2011-11-02 2013-05-10 ***股份有限公司 Encryptor simulation test device and method
CN104065482A (en) * 2014-06-06 2014-09-24 宇龙计算机通信科技(深圳)有限公司 Method and device for improving terminalself-flashing safety through ciphertext handshaking
CN108667781A (en) * 2017-04-01 2018-10-16 西安西电捷通无线网络通信股份有限公司 A kind of digital certificate management method and equipment
CN111711938A (en) * 2020-06-16 2020-09-25 郑州信大捷安信息技术股份有限公司 Internet of vehicles safety communication method and system based on digital certificate
WO2021031087A1 (en) * 2019-08-19 2021-02-25 华为技术有限公司 Certificate management method and apparatus
CN114070592A (en) * 2021-11-09 2022-02-18 乐美科技股份私人有限公司 Resource downloading method, device, terminal and server
CN116668193A (en) * 2023-07-27 2023-08-29 高新兴智联科技股份有限公司 Communication method of terminal equipment and server of Internet of things and computer readable storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113541939B (en) * 2021-06-25 2022-12-06 上海吉大正元信息技术有限公司 Internet of vehicles digital certificate issuing method and system
CN115314226A (en) * 2022-09-13 2022-11-08 深圳市丛文安全电子有限公司 Low-cost asymmetric encryption certificate management method based on certificate queue

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6233341B1 (en) * 1998-05-19 2001-05-15 Visto Corporation System and method for installing and using a temporary certificate at a remote site
CN1312998A (en) * 1998-08-12 2001-09-12 凯博帕斯公司 Access control using attributes contained within public key certificates
KR20030023124A (en) * 2001-09-12 2003-03-19 에스케이 텔레콤주식회사 Public-key infrastructure based certification method in mobile communication system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2788649A1 (en) * 1999-01-18 2000-07-21 Schlumberger Systems & Service METHOD FOR THE SECURE LOADING OF DATA BETWEEN SECURITY MODULES
SE517116C2 (en) * 2000-08-11 2002-04-16 Ericsson Telefon Ab L M Method and device for secure communication services

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009105977A1 (en) * 2008-02-29 2009-09-03 西安西电捷通无线网络通信有限公司 A method for realizing the remote management of a handset digital certificate by using the ota system
WO2013064063A1 (en) * 2011-11-02 2013-05-10 ***股份有限公司 Encryptor simulation test device and method
CN104065482A (en) * 2014-06-06 2014-09-24 宇龙计算机通信科技(深圳)有限公司 Method and device for improving terminalself-flashing safety through ciphertext handshaking
CN108667781A (en) * 2017-04-01 2018-10-16 西安西电捷通无线网络通信股份有限公司 A kind of digital certificate management method and equipment
EP4016921A4 (en) * 2019-08-19 2022-08-24 Huawei Technologies Co., Ltd. Certificate management method and apparatus
WO2021031087A1 (en) * 2019-08-19 2021-02-25 华为技术有限公司 Certificate management method and apparatus
CN114223176A (en) * 2019-08-19 2022-03-22 华为技术有限公司 Certificate management method and device
CN114223176B (en) * 2019-08-19 2024-04-12 华为技术有限公司 Certificate management method and device
CN111711938B (en) * 2020-06-16 2022-02-11 郑州信大捷安信息技术股份有限公司 Internet of vehicles safety communication method and system based on digital certificate
CN111711938A (en) * 2020-06-16 2020-09-25 郑州信大捷安信息技术股份有限公司 Internet of vehicles safety communication method and system based on digital certificate
CN114070592A (en) * 2021-11-09 2022-02-18 乐美科技股份私人有限公司 Resource downloading method, device, terminal and server
CN116668193A (en) * 2023-07-27 2023-08-29 高新兴智联科技股份有限公司 Communication method of terminal equipment and server of Internet of things and computer readable storage medium
CN116668193B (en) * 2023-07-27 2023-10-03 高新兴智联科技股份有限公司 Communication method of terminal equipment and server of Internet of things and computer readable storage medium

Also Published As

Publication number Publication date
CN101305542A (en) 2008-11-12
CN101305542B (en) 2011-01-26

Similar Documents

Publication Publication Date Title
WO2019233204A1 (en) Method, apparatus and system for key management, storage medium, and computer device
WO2007073623A1 (en) A method of downloading digital certification and key
CA2663241C (en) System, apparatus, method, and program product for authenticating communication partner using electonic certificate containing personal information
US9847880B2 (en) Techniques for ensuring authentication and integrity of communications
KR100925329B1 (en) Method and apparatus of mutual authentication and key distribution for downloadable conditional access system in digital cable broadcasting network
CA2475216C (en) Method and system for providing third party authentification of authorization
US9137017B2 (en) Key recovery mechanism
US20070118735A1 (en) Systems and methods for trusted information exchange
US20020144119A1 (en) Method and system for network single sign-on using a public key certificate and an associated attribute certificate
US20020144108A1 (en) Method and system for public-key-based secure authentication to distributed legacy applications
CN106713279B (en) video terminal identity authentication system
US20080086633A1 (en) Method to handle ssl certificate expiration and renewal
US20110035582A1 (en) Network authentication service system and method
KR20060003319A (en) Device authentication system
US8214644B2 (en) Method for installing rights object for content in memory card
WO2014026462A1 (en) Digital rights management method
WO2009138028A1 (en) User generated content registering method, apparatus and system
WO2022143498A1 (en) Access control method and apparatus, and network-side device, terminal and blockchain node
JP2005512395A (en) Method and system for authenticating electronic certificates
CN113656818B (en) Trusted-free third party cloud storage ciphertext deduplication method and system meeting semantic security
JP4599812B2 (en) Service providing system, service providing server, device authentication program, storage medium, terminal device, device authentication server, and public key confirmation information update program
JP2004159100A (en) Cipher communication program, server system for cipher communication system, cipher communication method, and cipher communication system
CN112491787B (en) Method and equipment for safety management of user data
CN113742700B (en) Cross-domain software system integration method based on portal
JP2003318889A (en) Method for authenticating user, communication system, authentication server device, server device, and user terminal equipment

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200580052026.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05846135

Country of ref document: EP

Kind code of ref document: A1