WO2018054144A1 - Method, apparatus, device and system for dynamically generating symmetric key - Google Patents

Method, apparatus, device and system for dynamically generating symmetric key Download PDF

Info

Publication number
WO2018054144A1
WO2018054144A1 PCT/CN2017/092995 CN2017092995W WO2018054144A1 WO 2018054144 A1 WO2018054144 A1 WO 2018054144A1 CN 2017092995 W CN2017092995 W CN 2017092995W WO 2018054144 A1 WO2018054144 A1 WO 2018054144A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
unique identifier
client
globally unique
symmetric key
Prior art date
Application number
PCT/CN2017/092995
Other languages
French (fr)
Chinese (zh)
Inventor
孙敏刚
白青松
Original Assignee
北京京东尚科信息技术有限公司
北京京东世纪贸易有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京京东尚科信息技术有限公司, 北京京东世纪贸易有限公司 filed Critical 北京京东尚科信息技术有限公司
Publication of WO2018054144A1 publication Critical patent/WO2018054144A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use

Definitions

  • the present invention relates to the field of computer network application technologies, and in particular, to a symmetric key dynamic generation method, device, device and system.
  • encryption hides plaintext information so that it is unreadable in the absence of special information.
  • the special information here refers to the key used for encryption.
  • the same symmetric key is used for both cryptographic and decryption operations. Its biggest advantage is that the encryption and decryption speed is fast, suitable for encrypting large amounts of data.
  • the commonly used symmetric encryption algorithm is simple and efficient, the symmetric key used is short and the decoding is difficult, so symmetric encryption is widely used in the system.
  • the security and reliability of the key generation and management process directly determine the security and reliability of the entire system.
  • the symmetric key is generated and does not change during the entire system life cycle. If it is captured by a third party, the entire encryption system has no security at all.
  • the present invention provides a method, a device, a device and a system for dynamically generating a symmetric key, which can dynamically generate a symmetric key used in a life cycle of the system, thereby improving system security and reliability.
  • a method for dynamically generating a symmetric key includes: receiving an initial global unique identifier generated when an interconnect device starts; recording an initial global unique identifier as a key global unique identifier; And performing the authorization, sending a first authorization indication message to the interconnection device, where the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device; and receiving a first authorization response message sent by the interconnection device; Determining a symmetric key based on the key global unique identifier and the first key parameter; updating the key global unique identifier as the first global unique identifier; and using the symmetric key pair communication data in subsequent communication with the interconnected device Perform encryption and decryption.
  • the method further includes: authorizing the interconnection device again, and sending a second authorization indication message to the interconnection device, where the second authorization indication message includes: a second global unique identifier newly generated for the connected device And a second key parameter; receiving a second authorization response message sent by the interconnection device; determining a new symmetric key according to the key global unique identifier and the second key parameter; updating the globally unique identifier of the key to the second global A unique identifier; and the communication data is encrypted and decrypted using a new symmetric key in subsequent communications with the interconnected device.
  • determining the symmetric key according to the key global unique identifier and the first key parameter comprises: performing an exclusive OR operation on the key global unique identifier and the first key parameter, and performing an exclusive OR operation The result is a symmetric key; and/or, according to the key global unique identifier and the second key parameter, determining the new symmetric key comprises: performing an exclusive OR operation on the key global unique identifier and the second key parameter The result of the exclusive OR operation is taken as the new symmetric key.
  • a method for dynamically generating a symmetric key comprising: generating an initial global unique identifier at startup; broadcasting an initial global unique identifier to a client; and recording the initial global unique identifier as a key Globally unique identifier; receiving client And sending, by the first authorization indication message, the first authorization indication message includes: a newly generated first global unique identifier and a first key parameter; sending a first authorization response message to the client; A key parameter determines a symmetric key; the update key globally unique identifier is a first globally unique identifier; and the communication data is encrypted and decrypted using a symmetric key in subsequent communication with the client.
  • the method further includes: receiving a second authorization indication message sent by the client, where the second authorization indication message includes: a newly generated second global unique identifier and a second key parameter; Transmitting a second authorization response message; determining a new symmetric key according to the key global unique identifier and the second key parameter; updating the key global unique identifier to the second global unique identifier; and subsequently communicating with the client
  • the communication data is encrypted and decrypted using a new symmetric key.
  • determining the symmetric key according to the key global unique identifier and the first key parameter comprises: performing an exclusive OR operation on the key global unique identifier and the first key parameter, and performing an exclusive OR operation The result is a symmetric key; and/or, according to the key global unique identifier and the second key parameter, determining the new symmetric key comprises: performing an exclusive OR operation on the key global unique identifier and the second key parameter The result of the exclusive OR operation is taken as the new symmetric key.
  • a client device for dynamic generation of symmetric keys comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute via execution
  • the instructions are configured to: receive an initial globally unique identifier generated when the interconnect device starts; record the initial globally unique identifier as a key globally unique identifier; authorize the interconnected device, and send a first authorization indication message to the interconnected device,
  • the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device; receiving a first authorization response message sent by the interconnection device; and a globally unique identifier and a first key parameter according to the key Determining a symmetric key; updating the key globally unique identifier to be the first globally unique identifier; and encrypting the communication data using a symmetric key in subsequent communication with the interconnected device.
  • the operation further includes: re-authorizing the interconnection device, and sending a second authorization indication message to the interconnection device, where the second authorization indication message includes: a second global unique identifier newly generated for the connected device and a second key parameter; receiving a second authorization response message sent by the interconnection device; according to the key global unique identifier and the second key parameter, A new symmetric key; the update key globally unique identifier is a second globally unique identifier; and the communication data is encrypted and decrypted using a new symmetric key in subsequent communication with the interconnected device.
  • an interconnect device for dynamic generation of a symmetric key, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the executable instruction The following operations are performed: generating an initial global unique identifier at startup; broadcasting an initial global unique identifier to the client; recording the initial global unique identifier as a key global unique identifier; receiving the first authorization indication message sent by the client The first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device; and sending a first authorization response message to the client; and the global unique identifier and the first key parameter according to the key Determining a symmetric key; updating the key globally unique identifier to be the first globally unique identifier; and encrypting the communication data using a symmetric key in subsequent communication with the client.
  • the operation further includes: receiving a second authorization indication message sent by the client, where the second authorization indication message includes: a second global unique identifier and a second key parameter newly generated for the connected device;
  • the client sends a second authorization response message; determining a new symmetric key according to the key global unique identifier and the second key parameter; updating the key global unique identifier to the second global unique identifier; and subsequently following the client
  • the communication data is encrypted and decrypted using a new symmetric key.
  • a symmetric key dynamic generation system comprising: any one of the foregoing client devices and any one of the foregoing interconnection devices.
  • a symmetric key dynamic generation apparatus includes: a sending module, an identifier recording module, a receiving module, and a key determining module; wherein the receiving module receives an initial global unique generated when the interconnecting device starts An identifier; the identifier recording module records the initial global unique identifier as a key global unique identifier; the sending module authorizes the interconnected device, and sends a first authorization indication message to the interconnected device, where the first authorization indication message includes: a newly generated first global unique identifier and a first key parameter; the receiving module receives a first authorization response message sent by the interconnection device; and the key determining module determines the symmetric key according to the key global unique identifier and the first key parameter Key; identifier record module update key global unique identifier is the first global unique identifier; and the sending module and the receiving module are The communication data is encrypted and decrypted using a symmetric key in subsequent communication with the interconnected device.
  • the sending module further authorizes the interconnected device, and sends a second authorization indication message to the interconnecting device, where the second authorization indication message includes: a second global unique identifier newly generated for the connected device, and a second a key parameter; the receiving module receives a second authorization response message sent by the interconnection device; the key determination module determines a new symmetric key according to the key global unique identifier and the second key parameter; and the identifier recording module updates the key globally
  • the unique identifier is a second globally unique identifier; and the transmitting module and the receiving module encrypt and decrypt the communication data using a new symmetric key in subsequent communication with the interconnected device.
  • a symmetric key dynamic generating apparatus includes: an identifier generating module, a sending module, a receiving module, an identifier recording module, and a key determining module; wherein the identifier generating module is started Generating an initial globally unique identifier; the sending module broadcasts an initial globally unique identifier to the client; the identifier recording module records the initial globally unique identifier as a key globally unique identifier; and the receiving module receives the first authorization indication sent by the client a message, the first authorization indication message includes: a newly generated first global unique identifier and a first key parameter; the sending module sends a first authorization response message to the client; the key determining module is configured according to the key global unique identifier a key parameter determining a symmetric key; the identifier record module updating the key global unique identifier as the first global unique identifier; and the transmitting module and the receiving module performing the communication data using the symmetric key in subsequent communication with the client Add and decrypt.
  • the receiving module receives a second authorization indication message sent by the client, where the second authorization indication message includes: a newly generated second global unique identifier and a second key parameter; the sending module sends the message to the client a second authorization response message; the key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter; and the identifier recording module updates the key global unique identifier to a second global unique identifier; And the sending module and the receiving module encrypt and decrypt the communication data by using a new symmetric key in subsequent communication with the client.
  • the used local symmetric password can be dynamically updated each time the client device authorizes the connected device. Therefore, it is possible to dynamically update the symmetric key used in the life cycle of the system, thereby greatly improving the security and reliability of the system.
  • replace each time you generate a local symmetric password The key GUID for generating the local symmetric key, and the replaced key GUID is theoretically irreversibly generated, thus further improving the security of the symmetric key.
  • FIG. 1 is a schematic structural diagram of a symmetric key dynamic generation system according to an exemplary embodiment.
  • FIG. 2 is a flowchart of a method for dynamically generating a symmetric key according to an exemplary embodiment.
  • FIG. 3 is a flowchart of another symmetric key dynamic generation method according to an exemplary embodiment.
  • FIG. 4 is a flowchart of still another method for dynamically generating a symmetric key according to an exemplary embodiment.
  • FIG. 5 is a flowchart of still another method for dynamically generating a symmetric key according to an exemplary embodiment.
  • FIG. 6 is a block diagram of a symmetric key dynamic generation apparatus, according to an exemplary embodiment.
  • FIG. 7 is a block diagram of another symmetric key dynamic generation apparatus, according to an exemplary embodiment.
  • FIG. 1 is a schematic structural diagram of a symmetric key dynamic generation system according to an exemplary embodiment.
  • the system 1 includes a client 11 and an interconnect device 12.
  • the client 11 can be, for example, a terminal device loaded with client software, such as a smartphone, a PAD, or the like.
  • the interconnection device 12 can be, for example, a device that is connected to the client 11 and that is controlled by the client 11, such as a smart TV in a smart home, a smart refrigerator, a smart air conditioner, etc., but the invention is not limited thereto.
  • the data is encrypted and transmitted by the client 11 and the connected device 12 during communication.
  • the system 1 may further include: a cloud server 13 communicatively coupled to the client 11.
  • FIG. 2 is a flowchart of a method for dynamically generating a symmetric key according to an exemplary embodiment. The method can be applied to the client 11 shown in FIG. 1. As shown in FIG. 2, the method 10 includes:
  • step S102 an initial global unique identifier (GUID, Globally Unique Identifier) generated when the interconnect device is started is received.
  • GUID Globally Unique Identifier
  • the interconnect device 12 shown in FIG. 1 will generate an initial GUID (for example, can be recorded as GUID_I) for itself when it is first started, and the initial GUID is generated by the interconnect device 12 itself, with uniqueness and randomness.
  • an initial GUID for example, can be recorded as GUID_I
  • a GUID is a binary-length 128-bit numeric identifier generated by an algorithm that is primarily used in networks or systems that have multiple nodes, multiple computers. Ideally, no computer or computer cluster will generate two identical GUIDs. The total number of GUIDs can reach 2 ⁇ 128, and since non-random parameters (such as time) are usually added to the algorithm for generating GUIDs, the possibility of randomly generating two identical GUIDs is very small.
  • the initial GUID will be broadcasted through the network announcement message.
  • the network announcement message can be in addition to the initial GUID. Includes related interface information, etc.
  • step S104 the initial GUID is recorded as a key GUID.
  • the client 11 can locally set a key GUID and, after receiving the initial GUID broadcast by the interconnect device 12, record the value of the initial GUID in the key GUID.
  • step S106 the interconnection device is authorized to send a first authorization indication message to the interconnection device.
  • the client 11 will first authorize the service provided by the connected device 12 before using it.
  • the authorization operation is usually an activity initiated by the user, and the client 11 can perform multiple authorization operations on the connected device 12.
  • the client 11 sends a first authorization indication message to the interconnection device, where the message includes a first GUID and a first key parameter (acKey_1) newly generated by the client 11 for the interconnection device 12.
  • the first key parameter is used to generate a symmetric key.
  • the first GUID and the first key parameter newly generated for the connected device 12 are the newly generated first GUID applied by the client 11 to the cloud server 13 for the connected device 12.
  • the interconnection device 12 writes the new first GUID into its device.
  • step S108 the first authorization response message sent by the interconnection device is received.
  • the interconnection device 12 will correspondingly return an authorization response message to the client 11 to respond to the authorization operation initiated by the authorization client 11.
  • step S110 a local symmetric key is determined based on the recorded key GUID and the first key parameter.
  • the client 11 determines a local symmetric key (localKey) used in subsequent communication according to the currently recorded key GUID and the first key parameter.
  • localKey a local symmetric key
  • step S112 the update key GUID is the first GUID.
  • the initial GUID is overwritten with the first GUID
  • the key GUID is updated to the first GUID. Since the key GUID for generating the local symmetric key is replaced immediately after the local symmetric key is generated, the replaced key GUID is theoretically irreversibly generated, so the generated local symmetric key is safe. , thus improving the security of the system.
  • step S114 the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the interconnected device.
  • the client 11 After the local symmetric key is generated, the client 11 encrypts the transmitted data using the local symmetric password during subsequent communication with the interconnect device 12, and decrypts the received data using the local symmetric password.
  • FIG. 3 is a flowchart of another symmetric key dynamic generation method according to an exemplary embodiment. The method can be applied to the interconnection device 12 shown in FIG. 1. As shown in FIG. 3, the method 20 includes:
  • step S202 an initial GUID is generated upon startup.
  • the interconnect device 12 shown in FIG. 1 generates an initial GUID (which can be recorded as GUID_I) by itself when it is first started.
  • GUID_I an initial GUID
  • step S204 the initial GUID is broadcast to the client.
  • the interconnection device 12 broadcasts its initial GUID, for example, through a network announcement message, and the network announcement message may also include related interface information and the like.
  • step S206 the initial GUID is recorded as a key GUID.
  • the interconnect device 12 can locally set a key GUID for computing a local symmetric key. First, the interconnect device 12 records the value of the initial GUID as the key GUID.
  • step S208 the first authorization indication message sent by the client is received.
  • the client 11 When the client 11 authorizes the connected device 12, an authorization indication message is sent to the connected device 12.
  • the first authorization indication message includes a first GUID and a first key parameter (acKey_1) newly generated for the interconnection device 12.
  • the first GUID and the first key parameter newly generated for the connected device 12 are the newly generated first GUID applied by the client 11 to the cloud server 13 for the connected device 12.
  • the interconnection device 12 writes the new first GUID into its device.
  • step S210 a first authorization response message is sent to the client.
  • the interconnection device 12 transmits a first authorization response message to the client 11.
  • step S212 a local symmetric key is determined according to the key GUID and the first key parameter.
  • the interconnect device 12 calculates a local symmetric key based on the currently recorded key GUID and the first key parameter.
  • step S214 the update key GUID is the first GUID.
  • the initial GUID is overwritten with the first GUID, ie the key GUID is updated to the first GUID. Since the key GUID for generating the local symmetric key is replaced immediately after the local symmetric key is generated, the replaced key GUID is theoretically irreversibly generated, so the generated local symmetric key is safe. , thus improving the security of the system.
  • step S216 the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the client.
  • the interconnect device 12 After the local symmetric key is generated, the interconnect device 12 encrypts the transmitted data using the local symmetric password during subsequent communication with the client 11, and decrypts the received data using the local symmetric password.
  • the symmetric key dynamic generation method provided by the embodiment of the present invention can dynamically update the used local symmetric password each time the client device authorizes the connected device. Therefore, it is possible to dynamically update the symmetric key used in the life cycle of the system, thereby greatly improving the security and reliability of the system.
  • the key GUID for generating the local symmetric key is replaced immediately after each generation of the local symmetric password, and the replaced key GUID is theoretically irreversibly generated, thereby further improving the security of the symmetric key. Sex.
  • FIG. 4 is a flowchart of still another method for dynamically generating a symmetric key according to an exemplary embodiment. This method can be applied to the client 11 shown in FIG. This method is used to generate a new local key during the next authorization process. As shown in FIG. 4, the method 30 includes:
  • step S302 the interconnection device is authorized again, and the second authorization indication message is sent to the interconnection device.
  • the second authorization indication message includes a second GUID (which can be recorded as GUID_2) and a second key parameter (which can be recorded as acKey_2) newly generated for the connected device 12.
  • the second GUID and the second key parameter newly generated for the interconnection device 12 are newly generated second GUIDs requested by the client 11 to the cloud server 13 for the interconnection device 12.
  • the interconnection device 12 writes the new second GUID into its device.
  • step S304 a second authorization response message sent by the interconnection device is received.
  • the client 11 receives the second authorization response message sent by the interconnect device 12 in response to the current authorization operation.
  • step S306 a new local symmetric key is determined according to the key GUID and the second key parameter.
  • the client 11 determines a new local symmetric key based on the currently recorded key GUID and the second key parameter.
  • the client 11 may XOR the second key parameter using the currently recorded key GUID and use the result of the exclusive OR operation as a local symmetric key.
  • GUID the first GUID
  • localKey GUIID_1 ⁇ acKey_2.
  • step S308 the update key GUID is the second GUID.
  • the first GUID is overwritten with the second GUID, ie the key GUID is updated to the second GUID. Since the key GUID for generating the local symmetric key is replaced immediately after the local symmetric key is generated, the replaced key GUID is theoretically irreversibly generated, so the generated local symmetric key is safe. , thus improving the security of the system.
  • step S310 the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the interconnected device.
  • the client 11 After the local symmetric key is generated, the client 11 encrypts the transmitted data using the local symmetric password during subsequent communication with the interconnect device 12, and decrypts the received data using the local symmetric password.
  • FIG. 5 is a flowchart of still another method for dynamically generating a symmetric key according to an exemplary embodiment.
  • the method can be applied to the interconnection device 12 shown in FIG. This method is used to generate a new local key during the next authorization process.
  • the method 40 includes:
  • step S402 a second authorization indication message sent by the client is received.
  • the interconnection device 12 receives the second authorization indication message sent by the client 11.
  • the message includes a second GUID (which can be written as GUID_2) and a second key parameter (acKey_2) that are newly generated for the connected device 12.
  • the second GUID and the second key parameter newly generated for the interconnection device 12 are newly generated second GUIDs requested by the client 11 to the cloud server 13 for the interconnection device 12.
  • the interconnection device 12 writes the new second GUID into its device.
  • step S404 a second authorization response message is sent to the client.
  • the interconnection device 12 transmits a second authorization response message to the client 11.
  • step S406 a new local symmetric key is determined according to the key GUID and the second key parameter.
  • the servant device 12 calculates a new local symmetric key based on the currently recorded GUID and the second key parameter.
  • the interconnect device 12 may XOR the second key parameter using the currently recorded key GUID and use the result of the exclusive OR operation as a new local symmetric key.
  • GUID the first GUID
  • localKey GUIID_1 ⁇ acKey_2.
  • step S408 the update key GUID is the second GUID.
  • the first GUID is overwritten with the second GUID, ie the key GUID is updated to the second GUID.
  • the key GUID used to generate the local symmetric key is replaced immediately after the local symmetric key is generated, and the replaced GUID Theoretically, it is irreversible, so the generated local symmetric key is safe, which improves the security of the system.
  • step S410 the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the client.
  • the interconnect device 12 After the new local symmetric key is generated, the interconnect device 12 encrypts the transmitted data using the new local symmetric password during subsequent communication with the client 11, and uses the new local symmetric password pair to receive the received data. The data is decrypted.
  • FIG. 6 is a block diagram of a symmetric key dynamic generation apparatus, according to an exemplary embodiment.
  • the symmetric key dynamic generation apparatus can be applied to the client 11 shown in FIG. 1.
  • the apparatus 50 includes a receiving module 502, an identifier recording module 504, a transmitting module 506, and a key determining module 508.
  • the receiving module 502 receives an initial global unique identifier generated when the interconnect device starts.
  • the identifier record module 504 records the initial globally unique identifier as a key globally unique identifier.
  • the sending module 506 authorizes the interconnecting device, and sends a first authorization indication message to the interconnecting device, where the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device.
  • the first GUID and the first key parameter newly generated for the connected device 12 are the newly generated first GUID applied by the client 11 to the cloud server 13 for the connected device 12.
  • the interconnection device 12 writes the new first GUID into its device.
  • the receiving module 502 receives the first authorization response message sent by the interconnection device.
  • the key determination module 508 determines the symmetric key based on the key global unique identifier and the first key parameter.
  • the identifier record module 504 updates the key globally unique identifier to the first globally unique identifier.
  • the transmitting module 506 and the receiving module 502 encrypt and decrypt the communication data using a symmetric key in subsequent communication with the interconnected device.
  • the sending module 506 authorizes the interconnect device again, and sends a second authorization indication message to the interconnect device, where the second authorization indication message includes: a second global unique identifier and a second secret newly generated for the connected device. Key parameter.
  • the receiving module 502 receives the second authorization response message sent by the interconnection device.
  • the key determination module 508 determines a new symmetric key based on the key global unique identifier and the second key parameter.
  • the identifier record module 504 updates the key globally unique identifier to a second globally unique identifier.
  • the transmitting module 506 and the receiving module 502 encrypt and decrypt the communication data using a new symmetric key in subsequent communication with the interconnected device.
  • FIG. 7 is a block diagram of another symmetric key dynamic generation apparatus, according to an exemplary embodiment.
  • the symmetric key dynamic generation apparatus can be applied to the interconnection device 12 shown in FIG.
  • the apparatus 60 includes an identifier generating module 602, a transmitting module 604, a receiving module 606, an identifier recording module 608, and a key determining module 610.
  • the identifier generation module 602 generates an initial global unique identifier upon startup.
  • the sending module 604 broadcasts an initial globally unique identifier to the client.
  • the identifier record module 608 records the initial globally unique identifier as a key globally unique identifier.
  • the receiving module 606 receives the first authorization indication message sent by the client, where the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device.
  • the first GUID and the first key parameter newly generated for the connected device 12 are the newly generated first GUID applied by the client 11 to the cloud server 13 for the connected device 12.
  • the interconnection device 12 When guest When the client 11 transmits the newly applied first GUID to the interconnection device 12 in the authorization indication message, the interconnection device 12 writes the new first GUID into its device.
  • the sending module 604 sends a first authorization response message to the client.
  • the key determination module 610 determines the symmetric key based on the key global unique identifier and the first key parameter.
  • the identifier record module 608 updates the key globally unique identifier to a first globally unique identifier.
  • the sending module 604 and the receiving module 606 encrypt and decrypt the communication data using a symmetric key in subsequent communication with the client.
  • the receiving module 606 receives the second authorization indication message sent by the client, where the second authorization indication message includes: a second global unique identifier and a second key parameter newly generated for the connected device.
  • the sending module 604 sends a second authorization response message to the client.
  • the key determination module determines a new symmetric key based on the key global unique identifier and the second key parameter.
  • the identifier record module 608 updates the key globally unique identifier to a second globally unique identifier.
  • the sending module 604 and the receiving module 606 encrypt and decrypt the communication data using a new symmetric key in subsequent communication with the client.
  • the technical solution according to the embodiment of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a mobile hard disk, etc.) or on a network.
  • a non-volatile storage medium which may be a CD-ROM, a USB flash drive, a mobile hard disk, etc.
  • a number of instructions are included to cause a computing device (which may be a personal computer, server, mobile terminal, or network device, etc.) to perform a method in accordance with an embodiment of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
  • Storage Device Security (AREA)

Abstract

Disclosed are a method, apparatus, device and system for dynamically generating a symmetric key. The method comprises: receiving an initial globally unique identifier generated when an interconnection device is started; recording the initial globally unique identifier as a key globally unique identifier; authorizing the interconnection device and sending a first authorization indication message to the interconnection device, the first authorization indication message comprising: a first globally unique identifier and a first key parameter which are newly generated for the interconnection device; receiving a first authorization response message sent by the interconnection device; determining a symmetric key according to the key globally unique identifier and the first key parameter; updating the key globally unique identifier with the first globally unique identifier; and encrypting/decrypting communication data by using the symmetric key in subsequent communication with the interconnection device. According to the method, the used symmetric key can be dynamically generated repeatedly in the system life cycle, thereby improving the security and reliability of the system.

Description

对称密钥动态生成方法、装置、设备及***Symmetric key dynamic generation method, device, device and system
相关申请的交叉引用Cross-reference to related applications
本申请要求于2016年9月26日提交的中国专利申请号为“201610849888.5”的优先权,其全部内容作为整体并入本申请中。The present application claims the priority of the Chinese Patent Application Serial No. PCT-A------
技术领域Technical field
本发明涉及计算机网络应用技术领域,具体而言,涉及一种对称密钥动态生成方法、装置、设备及***。The present invention relates to the field of computer network application technologies, and in particular, to a symmetric key dynamic generation method, device, device and system.
背景技术Background technique
随着物联网技术的普及,用户可以通过在终端设备(如智能手机、PAD等)上安装相应的客户端软件来实现对各种互联设备的控制。如智能家居技术中,可以通过客户端软件实现对家庭中电视、空调、冰箱等互联设备的控制。为了保证客户端与互联设备之间的通信安全,通常两者之间采用对称加密方式进行加密。With the popularity of the Internet of Things technology, users can control various interconnected devices by installing corresponding client software on terminal devices (such as smart phones, PADs, etc.). For example, in smart home technology, the control of connected devices such as TV, air conditioner, and refrigerator in the home can be realized through the client software. In order to ensure communication security between the client and the connected device, symmetric encryption is usually used between the two.
在密码学中,加密是将明文信息隐匿起来,使之在缺少特殊信息时不可读,这里的特殊信息即指用于加密的密钥。对于对称密码学,加密运算与解密运算使用相同的对称密钥。其最大的优势是加解密速度快,适合于对大数据量进行加密。通常使用的对称加密算法较简便高效、使用的对称密钥简短且破译难度大,因此对称加密在***中得到了广泛应用。In cryptography, encryption hides plaintext information so that it is unreadable in the absence of special information. The special information here refers to the key used for encryption. For symmetric cryptography, the same symmetric key is used for both cryptographic and decryption operations. Its biggest advantage is that the encryption and decryption speed is fast, suitable for encrypting large amounts of data. The commonly used symmetric encryption algorithm is simple and efficient, the symmetric key used is short and the decoding is difficult, so symmetric encryption is widely used in the system.
由于***的保密性取决于密钥的安全性,所以密钥生成、管理过程中的安全性、可靠性直接决定了整个***的安全性和可靠性。而在现有的对称密钥生成方法中,对称密钥生成后在整个***生存周期内都不会改变,如果一旦被第三方捕获,整个加密***也就没有安全性可言了。Since the confidentiality of the system depends on the security of the key, the security and reliability of the key generation and management process directly determine the security and reliability of the entire system. In the existing symmetric key generation method, the symmetric key is generated and does not change during the entire system life cycle. If it is captured by a third party, the entire encryption system has no security at all.
在所述背景技术部分公开的上述信息仅用于加强对本发明的背景的理解,因此它可以包括不构成对本领域普通技术人员已知的现有技术的信息。 The above information disclosed in the Background section is only for enhancement of understanding of the background of the invention, and thus it may include information that does not constitute the prior art known to those of ordinary skill in the art.
发明内容Summary of the invention
有鉴于此,本发明提供一种对称密钥动态生成方法、装置、设备及***,能够在***的生存周期内多次对使用的对称密钥进行动态生成,提高了***的安全性和可靠性。In view of this, the present invention provides a method, a device, a device and a system for dynamically generating a symmetric key, which can dynamically generate a symmetric key used in a life cycle of the system, thereby improving system security and reliability. .
本发明的其他特性和优点将通过下面的详细描述变得显然,或部分地通过本发明的实践而习得。Other features and advantages of the present invention will be apparent from the description and appended claims.
根据本发明的一方面,提供一种对称密钥动态生成方法,包括:接收互联设备启动时生成的初始全局唯一标识符;将初始全局唯一标识符记录为密钥全局唯一标识符;对互联设备进行授权,向互联设备发送第一授权指示消息,第一授权指示消息包括:为互联设备新生成的第一全局唯一标识符及第一密钥参数;接收互联设备发送的第一授权响应消息;根据密钥全局唯一标识符与第一密钥参数,确定对称密钥;更新密钥全局唯一标识符为第一全局唯一标识符;以及在后续与互联设备的通信中使用对称密钥对通信数据进行加解密。According to an aspect of the present invention, a method for dynamically generating a symmetric key includes: receiving an initial global unique identifier generated when an interconnect device starts; recording an initial global unique identifier as a key global unique identifier; And performing the authorization, sending a first authorization indication message to the interconnection device, where the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device; and receiving a first authorization response message sent by the interconnection device; Determining a symmetric key based on the key global unique identifier and the first key parameter; updating the key global unique identifier as the first global unique identifier; and using the symmetric key pair communication data in subsequent communication with the interconnected device Perform encryption and decryption.
根据本发明的一实施方式,上述方法还包括:再一次对互联设备进行授权,向互联设备发送第二授权指示消息,第二授权指示消息包括:为互联设备新生成的第二全局唯一标识符及第二密钥参数;接收互联设备发送的第二授权响应消息;根据密钥全局唯一标识符与第二密钥参数,确定新的对称密钥;更新密钥全局唯一标识符为第二全局唯一标识符;以及在后续与互联设备的通信中使用新的对称密钥对通信数据进行加解密。According to an embodiment of the present invention, the method further includes: authorizing the interconnection device again, and sending a second authorization indication message to the interconnection device, where the second authorization indication message includes: a second global unique identifier newly generated for the connected device And a second key parameter; receiving a second authorization response message sent by the interconnection device; determining a new symmetric key according to the key global unique identifier and the second key parameter; updating the globally unique identifier of the key to the second global A unique identifier; and the communication data is encrypted and decrypted using a new symmetric key in subsequent communications with the interconnected device.
根据本发明的一实施方式,根据密钥全局唯一标识符与第一密钥参数,确定对称密钥包括:对密钥全局唯一标识符与第一密钥参数进行异或运算,将异或运算的结果作为对称密钥;和/或,根据密钥全局唯一标识符与第二密钥参数,确定新的对称密钥包括:对密钥全局唯一标识符与第二密钥参数进行异或运算,将异或运算的结果作为新的对称密钥。According to an embodiment of the present invention, determining the symmetric key according to the key global unique identifier and the first key parameter comprises: performing an exclusive OR operation on the key global unique identifier and the first key parameter, and performing an exclusive OR operation The result is a symmetric key; and/or, according to the key global unique identifier and the second key parameter, determining the new symmetric key comprises: performing an exclusive OR operation on the key global unique identifier and the second key parameter The result of the exclusive OR operation is taken as the new symmetric key.
根据本发明的另一个方面,提供一种对称密钥动态生成方法,包括:启动时生成一初始全局唯一标识符;向客户端广播初始全局唯一标识符;将初始全局唯一标识符记录为密钥全局唯一标识符;接收客户端 发送的第一授权指示消息,第一授权指示消息包括:新生成的第一全局唯一标识符及第一密钥参数;向客户端发送第一授权响应消息;根据密钥全局唯一标识符与第一密钥参数,确定对称密钥;更新密钥全局唯一标识符为第一全局唯一标识符;以及在后续与客户端的通信中使用对称密钥对通信数据进行加解密。According to another aspect of the present invention, a method for dynamically generating a symmetric key is provided, comprising: generating an initial global unique identifier at startup; broadcasting an initial global unique identifier to a client; and recording the initial global unique identifier as a key Globally unique identifier; receiving client And sending, by the first authorization indication message, the first authorization indication message includes: a newly generated first global unique identifier and a first key parameter; sending a first authorization response message to the client; A key parameter determines a symmetric key; the update key globally unique identifier is a first globally unique identifier; and the communication data is encrypted and decrypted using a symmetric key in subsequent communication with the client.
根据本发明的一实施方式,上述方法还包括:接收客户端发送的第二授权指示消息,第二授权指示消息包括:新生成的第二全局唯一标识符及第二密钥参数;向客户端发送第二授权响应消息;根据密钥全局唯一标识符与第二密钥参数,确定新的对称密钥;更新密钥全局唯一标识符为第二全局唯一标识符;以及在后续与客户端的通信中使用新的对称密钥对通信数据进行加解密。According to an embodiment of the present invention, the method further includes: receiving a second authorization indication message sent by the client, where the second authorization indication message includes: a newly generated second global unique identifier and a second key parameter; Transmitting a second authorization response message; determining a new symmetric key according to the key global unique identifier and the second key parameter; updating the key global unique identifier to the second global unique identifier; and subsequently communicating with the client The communication data is encrypted and decrypted using a new symmetric key.
根据本发明的一实施方式,根据密钥全局唯一标识符与第一密钥参数,确定对称密钥包括:对密钥全局唯一标识符与第一密钥参数进行异或运算,将异或运算的结果作为对称密钥;和/或,根据密钥全局唯一标识符与第二密钥参数,确定新的对称密钥包括:对密钥全局唯一标识符与第二密钥参数进行异或运算,将异或运算的结果作为新的对称密钥。According to an embodiment of the present invention, determining the symmetric key according to the key global unique identifier and the first key parameter comprises: performing an exclusive OR operation on the key global unique identifier and the first key parameter, and performing an exclusive OR operation The result is a symmetric key; and/or, according to the key global unique identifier and the second key parameter, determining the new symmetric key comprises: performing an exclusive OR operation on the key global unique identifier and the second key parameter The result of the exclusive OR operation is taken as the new symmetric key.
根据本发明的再一个方面,提供一种用于对称密钥动态生成的客户端设备,包括:处理器;以及存储器,用于存储处理器的可执行指令;其中处理器配置为经由执行可执行指令来执行以下操作:接收互联设备启动时生成的初始全局唯一标识符;将初始全局唯一标识符记录为密钥全局唯一标识符;对互联设备进行授权,向互联设备发送第一授权指示消息,第一授权指示消息包括:为互联设备新生成的第一全局唯一标识符及第一密钥参数;接收互联设备发送的第一授权响应消息;根据密钥全局唯一标识符与第一密钥参数,确定对称密钥;更新密钥全局唯一标识符为第一全局唯一标识符;以及在后续与互联设备的通信中使用对称密钥对通信数据进行加解密。According to still another aspect of the present invention, a client device for dynamic generation of symmetric keys is provided, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute via execution The instructions are configured to: receive an initial globally unique identifier generated when the interconnect device starts; record the initial globally unique identifier as a key globally unique identifier; authorize the interconnected device, and send a first authorization indication message to the interconnected device, The first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device; receiving a first authorization response message sent by the interconnection device; and a globally unique identifier and a first key parameter according to the key Determining a symmetric key; updating the key globally unique identifier to be the first globally unique identifier; and encrypting the communication data using a symmetric key in subsequent communication with the interconnected device.
根据本发明的一实施方式,操作还包括:再一次对互联设备进行授权,向互联设备发送第二授权指示消息,第二授权指示消息包括:为互联设备新生成的第二全局唯一标识符及第二密钥参数;接收互联设备发送的第二授权响应消息;根据密钥全局唯一标识符与第二密钥参数,确 定新的对称密钥;更新密钥全局唯一标识符为第二全局唯一标识符;以及在后续与互联设备的通信中使用新的对称密钥对通信数据进行加解密。According to an embodiment of the present invention, the operation further includes: re-authorizing the interconnection device, and sending a second authorization indication message to the interconnection device, where the second authorization indication message includes: a second global unique identifier newly generated for the connected device and a second key parameter; receiving a second authorization response message sent by the interconnection device; according to the key global unique identifier and the second key parameter, A new symmetric key; the update key globally unique identifier is a second globally unique identifier; and the communication data is encrypted and decrypted using a new symmetric key in subsequent communication with the interconnected device.
根据本发明的再一个方面,提供一种用于对称密钥动态生成的互联设备,包括:处理器;以及存储器,用于存储处理器的可执行指令;其中处理器配置为经由执行可执行指令来执行以下操作:启动时生成一初始全局唯一标识符;向客户端广播初始全局唯一标识符;将初始全局唯一标识符记录为密钥全局唯一标识符;接收客户端发送的第一授权指示消息,第一授权指示消息包括:为互联设备新生成的第一全局唯一标识符及第一密钥参数;向客户端发送第一授权响应消息;根据密钥全局唯一标识符与第一密钥参数,确定对称密钥;更新密钥全局唯一标识符为第一全局唯一标识符;以及在后续与客户端的通信中使用对称密钥对通信数据进行加解密。According to still another aspect of the present invention, there is provided an interconnect device for dynamic generation of a symmetric key, comprising: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to execute the executable instruction The following operations are performed: generating an initial global unique identifier at startup; broadcasting an initial global unique identifier to the client; recording the initial global unique identifier as a key global unique identifier; receiving the first authorization indication message sent by the client The first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device; and sending a first authorization response message to the client; and the global unique identifier and the first key parameter according to the key Determining a symmetric key; updating the key globally unique identifier to be the first globally unique identifier; and encrypting the communication data using a symmetric key in subsequent communication with the client.
根据本发明的一实施方式,操作还包括:接收客户端发送的第二授权指示消息,第二授权指示消息包括:为互联设备新生成的第二全局唯一标识符及第二密钥参数;向客户端发送第二授权响应消息;根据密钥全局唯一标识符与第二密钥参数,确定新的对称密钥;更新密钥全局唯一标识符为第二全局唯一标识符;以及在后续与客户端的通信中使用新的对称密钥对通信数据进行加解密。According to an embodiment of the present invention, the operation further includes: receiving a second authorization indication message sent by the client, where the second authorization indication message includes: a second global unique identifier and a second key parameter newly generated for the connected device; The client sends a second authorization response message; determining a new symmetric key according to the key global unique identifier and the second key parameter; updating the key global unique identifier to the second global unique identifier; and subsequently following the client The communication data is encrypted and decrypted using a new symmetric key.
根据本发明的再一个方面,提供一种对称密钥动态生成***,包括:上述任一种客户端设备及上述任一种互联设备。According to still another aspect of the present invention, a symmetric key dynamic generation system is provided, comprising: any one of the foregoing client devices and any one of the foregoing interconnection devices.
根据本发明的再一个方面,提供一种对称密钥动态生成装置,包括:发送模块、标识符记录模块、接收模块及密钥确定模块;其中,接收模块接收互联设备启动时生成的初始全局唯一标识符;标识符记录模块将初始全局唯一标识符记录为密钥全局唯一标识符;发送模块对互联设备进行授权,向互联设备发送第一授权指示消息,第一授权指示消息包括:为互联设备新生成的第一全局唯一标识符及第一密钥参数;接收模块接收互联设备发送的第一授权响应消息;密钥确定模块根据密钥全局唯一标识符与第一密钥参数,确定对称密钥;标识符记录模块更新密钥全局唯一标识符为第一全局唯一标识符;以及发送模块与接收模块在 后续与互联设备的通信中使用对称密钥对通信数据进行加解密。According to still another aspect of the present invention, a symmetric key dynamic generation apparatus includes: a sending module, an identifier recording module, a receiving module, and a key determining module; wherein the receiving module receives an initial global unique generated when the interconnecting device starts An identifier; the identifier recording module records the initial global unique identifier as a key global unique identifier; the sending module authorizes the interconnected device, and sends a first authorization indication message to the interconnected device, where the first authorization indication message includes: a newly generated first global unique identifier and a first key parameter; the receiving module receives a first authorization response message sent by the interconnection device; and the key determining module determines the symmetric key according to the key global unique identifier and the first key parameter Key; identifier record module update key global unique identifier is the first global unique identifier; and the sending module and the receiving module are The communication data is encrypted and decrypted using a symmetric key in subsequent communication with the interconnected device.
根据本发明的一实施方式,发送模块再一次对互联设备进行授权,向互联设备发送第二授权指示消息,第二授权指示消息包括:为互联设备新生成的第二全局唯一标识符及第二密钥参数;接收模块接收互联设备发送的第二授权响应消息;密钥确定模块根据密钥全局唯一标识符与第二密钥参数,确定新的对称密钥;标识符记录模块更新密钥全局唯一标识符为第二全局唯一标识符;以及发送模块与接收模块在后续与互联设备的通信中使用新的对称密钥对通信数据进行加解密。According to an embodiment of the present invention, the sending module further authorizes the interconnected device, and sends a second authorization indication message to the interconnecting device, where the second authorization indication message includes: a second global unique identifier newly generated for the connected device, and a second a key parameter; the receiving module receives a second authorization response message sent by the interconnection device; the key determination module determines a new symmetric key according to the key global unique identifier and the second key parameter; and the identifier recording module updates the key globally The unique identifier is a second globally unique identifier; and the transmitting module and the receiving module encrypt and decrypt the communication data using a new symmetric key in subsequent communication with the interconnected device.
根据本发明的再一个方面,提供一种对称密钥动态生成装置,包括:标识符生成模块、发送模块、接收模块、标识符记录模块及密钥确定模块;其中,标识符生成模块在启动时生成一初始全局唯一标识符;发送模块向客户端广播初始全局唯一标识符;标识符记录模块将初始全局唯一标识符记录为密钥全局唯一标识符;接收模块接收客户端发送的第一授权指示消息,第一授权指示消息包括:新生成的第一全局唯一标识符及第一密钥参数;发送模块向客户端发送第一授权响应消息;密钥确定模块根据密钥全局唯一标识符与第一密钥参数,确定对称密钥;标识符记录模块更新密钥全局唯一标识符为第一全局唯一标识符;以及发送模块与接收模块在后续与客户端的通信中使用对称密钥对通信数据进行加解密。According to still another aspect of the present invention, a symmetric key dynamic generating apparatus includes: an identifier generating module, a sending module, a receiving module, an identifier recording module, and a key determining module; wherein the identifier generating module is started Generating an initial globally unique identifier; the sending module broadcasts an initial globally unique identifier to the client; the identifier recording module records the initial globally unique identifier as a key globally unique identifier; and the receiving module receives the first authorization indication sent by the client a message, the first authorization indication message includes: a newly generated first global unique identifier and a first key parameter; the sending module sends a first authorization response message to the client; the key determining module is configured according to the key global unique identifier a key parameter determining a symmetric key; the identifier record module updating the key global unique identifier as the first global unique identifier; and the transmitting module and the receiving module performing the communication data using the symmetric key in subsequent communication with the client Add and decrypt.
根据本发明的一实施方式,接收模块接收客户端发送的第二授权指示消息,第二授权指示消息包括:新生成的第二全局唯一标识符及第二密钥参数;发送模块向客户端发送第二授权响应消息;密钥确定模块根据密钥全局唯一标识符与第二密钥参数,确定新的对称密钥;标识符记录模块更新密钥全局唯一标识符为第二全局唯一标识符;以及发送模块与接收模块在后续与客户端的通信中使用新的对称密钥对通信数据进行加解密。According to an embodiment of the present invention, the receiving module receives a second authorization indication message sent by the client, where the second authorization indication message includes: a newly generated second global unique identifier and a second key parameter; the sending module sends the message to the client a second authorization response message; the key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter; and the identifier recording module updates the key global unique identifier to a second global unique identifier; And the sending module and the receiving module encrypt and decrypt the communication data by using a new symmetric key in subsequent communication with the client.
根据本发明的对称密钥动态生成方法,可以在每次由客户端设备向互联设备进行授权时,动态地更新所使用的本地对称密码。因此可以实现在***的生存周期内多次对使用的对称密钥进行动态更新,从而极大地提高了***的安全性和可靠性。此外,在每次生成本地对称密码后,立即替换 了用于生成本地对称密钥的密钥GUID,而被替换掉的密钥GUID理论上是不可逆生成的,因此进一步提高了对称密钥的安全性。According to the symmetric key dynamic generation method of the present invention, the used local symmetric password can be dynamically updated each time the client device authorizes the connected device. Therefore, it is possible to dynamically update the symmetric key used in the life cycle of the system, thereby greatly improving the security and reliability of the system. In addition, replace each time you generate a local symmetric password The key GUID for generating the local symmetric key, and the replaced key GUID is theoretically irreversibly generated, thus further improving the security of the symmetric key.
应当理解的是,以上的一般描述和后文的细节描述仅是示例性的,并不能限制本发明。The above general description and the following detailed description are merely exemplary and are not intended to limit the invention.
附图说明DRAWINGS
通过参照附图详细描述其示例实施例,本发明的上述和其它目标、特征及优点将变得更加显而易见。The above and other objects, features and advantages of the present invention will become more apparent from the embodiments of the invention.
图1是根据一示例性实施方式示出的一种对称密钥动态生成***的结构示意图。FIG. 1 is a schematic structural diagram of a symmetric key dynamic generation system according to an exemplary embodiment.
图2是根据一示例性实施方式示出的一种对称密钥动态生成方法的流程图。FIG. 2 is a flowchart of a method for dynamically generating a symmetric key according to an exemplary embodiment.
图3是根据一示例性实施方式示出的另一种对称密钥动态生成方法的流程图。FIG. 3 is a flowchart of another symmetric key dynamic generation method according to an exemplary embodiment.
图4是根据一示例性实施方式示出的再一种对称密钥动态生成方法的流程图。FIG. 4 is a flowchart of still another method for dynamically generating a symmetric key according to an exemplary embodiment.
图5是根据一示例性实施方式示出的再一种对称密钥动态生成方法的流程图。FIG. 5 is a flowchart of still another method for dynamically generating a symmetric key according to an exemplary embodiment.
图6是根据一示例性实施方式示出的一种对称密钥动态生成装置的框图。FIG. 6 is a block diagram of a symmetric key dynamic generation apparatus, according to an exemplary embodiment.
图7是根据一示例性实施方式示出的另一种对称密钥动态生成装置的框图。FIG. 7 is a block diagram of another symmetric key dynamic generation apparatus, according to an exemplary embodiment.
具体实施方式detailed description
现在将参考附图更全面地描述示例实施方式。然而,示例实施方式能够以多种形式实施,且不应被理解为限于在此阐述的范例;相反,提供这些实施方式使得本发明将更加全面和完整,并将示例实施方式的构思全面地传达给本领域的技术人员。附图仅为本发明的示意性图解,并非一定是按比例绘制。图中相同的附图标记表示相同或类似的部分,因而将省略对它们的重复描述。 Example embodiments will now be described more fully with reference to the accompanying drawings. However, the example embodiments can be embodied in a variety of forms and should not be construed as being limited to the examples set forth herein; rather, these embodiments are provided to make the invention more comprehensive and complete, and the embodiments of the example embodiments are fully conveyed. To those skilled in the art. The drawings are only schematic representations of the invention and are not necessarily to scale. The same reference numerals in the drawings denote the same or similar parts, and the repeated description thereof will be omitted.
此外,所描述的特征、结构或特性可以以任何合适的方式结合在一个或更多实施方式中。在下面的描述中,提供许多具体细节从而给出对本发明的实施方式的充分理解。然而,本领域技术人员将意识到,可以实践本发明的技术方案而省略所述特定细节中的一个或更多,或者可以采用其它的方法、组元、装置、步骤等。在其它情况下,不详细示出或描述公知结构、方法、装置、实现、材料或者操作以避免喧宾夺主而使得本发明的各方面变得模糊。Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are set forth However, one skilled in the art will appreciate that the technical solution of the present invention may be practiced, and one or more of the specific details may be omitted, or other methods, components, devices, steps, etc. may be employed. In other instances, well-known structures, methods, devices, implementations, materials, or operations are not shown in detail to avoid obscuring aspects of the invention.
图1是根据一示例性实施方式示出的一种对称密钥动态生成***的结构示意图。如图1所示,该***1包括:客户端11与互联设备12。客户端11例如可以为装载了客户端软件的终端设备,如智能手机、PAD等。互联设备12例如可以为与客户端11互联的、接受客户端11控制的设备,如智能家居中的智能电视、智能冰箱、智能空调等,但本发明不限于此。其中,客户端11与互联设备12在通信时数据被加密传输。此外,***1还可以包括:与客户端11通信连接的云端服务器13。FIG. 1 is a schematic structural diagram of a symmetric key dynamic generation system according to an exemplary embodiment. As shown in FIG. 1, the system 1 includes a client 11 and an interconnect device 12. The client 11 can be, for example, a terminal device loaded with client software, such as a smartphone, a PAD, or the like. The interconnection device 12 can be, for example, a device that is connected to the client 11 and that is controlled by the client 11, such as a smart TV in a smart home, a smart refrigerator, a smart air conditioner, etc., but the invention is not limited thereto. The data is encrypted and transmitted by the client 11 and the connected device 12 during communication. In addition, the system 1 may further include: a cloud server 13 communicatively coupled to the client 11.
图2是根据一示例性实施方式示出的一种对称密钥动态生成方法的流程图。该方法可以应用于图1所示的客户端11,如图2所示,该方法10包括:FIG. 2 is a flowchart of a method for dynamically generating a symmetric key according to an exemplary embodiment. The method can be applied to the client 11 shown in FIG. 1. As shown in FIG. 2, the method 10 includes:
在步骤S102中,接收互联设备启动时生成的初始全局唯一标识符(GUID,Globally Unique Identifier)。In step S102, an initial global unique identifier (GUID, Globally Unique Identifier) generated when the interconnect device is started is received.
例如图1所示的互联设备12在首次启动时,会为其自身生成一个初始GUID(例如可记为GUID_I),该初始GUID由互联设备12自己产生,具有唯一性和随机性。For example, the interconnect device 12 shown in FIG. 1 will generate an initial GUID (for example, can be recorded as GUID_I) for itself when it is first started, and the initial GUID is generated by the interconnect device 12 itself, with uniqueness and randomness.
GUID是一种由算法生成的二进制长度128位的数字标识符,其主要应用于在拥有多个节点、多台计算机的网络或***中。在理想情况下,任何计算机和计算机集群都不会生成两个相同的GUID。GUID的总数可以达到2^128个,并且由于生成GUID的算法中通常都加入了非随机的参数(如时间),所以随机生成两个相同GUID的可能性非常小。A GUID is a binary-length 128-bit numeric identifier generated by an algorithm that is primarily used in networks or systems that have multiple nodes, multiple computers. Ideally, no computer or computer cluster will generate two identical GUIDs. The total number of GUIDs can reach 2^128, and since non-random parameters (such as time) are usually added to the algorithm for generating GUIDs, the possibility of randomly generating two identical GUIDs is very small.
互联设备12在首次生成其初始GUID后,会将该初始GUID进通过网络宣告消息进行广播。该网络宣告消息除了包括初始GUID后,还可以 包括相关接口信息等。After the interconnect device 12 first generates its initial GUID, the initial GUID will be broadcasted through the network announcement message. The network announcement message can be in addition to the initial GUID. Includes related interface information, etc.
在步骤S104中,将初始GUID记录为密钥GUID。In step S104, the initial GUID is recorded as a key GUID.
客户端11可以在本地设置一个密钥GUID,并在接收到互联设备12广播的初始GUID后,将该初始GUID的值记录在密钥GUID中。The client 11 can locally set a key GUID and, after receiving the initial GUID broadcast by the interconnect device 12, record the value of the initial GUID in the key GUID.
在步骤S106中,对互联设备进行授权,向互联设备发送第一授权指示消息。In step S106, the interconnection device is authorized to send a first authorization indication message to the interconnection device.
客户端11在使用互联设备12提供的服务之前,会先对其进行授权操作。授权操作通常是由用户主动发起的行为,并且客户端11可以对互联设备12进行多次授权操作。The client 11 will first authorize the service provided by the connected device 12 before using it. The authorization operation is usually an activity initiated by the user, and the client 11 can perform multiple authorization operations on the connected device 12.
在授权操作中,客户端11向互联设备发送第一授权指示消息,该消息中包括有客户端11为互联设备12新生成的第一GUID及第一密钥参数(acKey_1)。其中第一密钥参数用于生成对称密钥。In the authorization operation, the client 11 sends a first authorization indication message to the interconnection device, where the message includes a first GUID and a first key parameter (acKey_1) newly generated by the client 11 for the interconnection device 12. The first key parameter is used to generate a symmetric key.
其中为互联设备12新生成的第一GUID及第一密钥参数是由客户端11向云端服务器13为该互联设备12所申请的新生成的第一GUID。当客户端11将新申请到的第一GUID在授权指示消息中传递给互联设备12时,互联设备12将该新的第一GUID写入其设备中。The first GUID and the first key parameter newly generated for the connected device 12 are the newly generated first GUID applied by the client 11 to the cloud server 13 for the connected device 12. When the client 11 passes the newly applied first GUID to the interconnection device 12 in the authorization indication message, the interconnection device 12 writes the new first GUID into its device.
在步骤S108中,接收互联设备发送的第一授权响应消息。In step S108, the first authorization response message sent by the interconnection device is received.
在授权过程中,互联设备12在接收到授权指示消息后,会相应地向客户端11返回授权响应消息,以对授权客户端11发起的授权操作进行响应。In the authorization process, after receiving the authorization indication message, the interconnection device 12 will correspondingly return an authorization response message to the client 11 to respond to the authorization operation initiated by the authorization client 11.
在步骤S110中,根据记录的密钥GUID及第一密钥参数,确定本地对称密钥。In step S110, a local symmetric key is determined based on the recorded key GUID and the first key parameter.
客户端11根据当前记录的密钥GUID及第一密钥参数,确定后续通信中使用的本地对称密钥(localKey)。The client 11 determines a local symmetric key (localKey) used in subsequent communication according to the currently recorded key GUID and the first key parameter.
在一些实施例中,客户端11可以使用密钥GUID与第一密钥参数进行异或运算,并将该异或运算的结果作为本地对称密钥。例如,当前记录在密钥GUID中的是互联设备12生成的初始GUID(GUID_I),因此localKey=GUID_I⊕acKey_1。In some embodiments, the client 11 may XOR the first key parameter using the key GUID and use the result of the exclusive OR operation as a local symmetric key. For example, what is currently recorded in the key GUID is the initial GUID (GUID_I) generated by the interconnect device 12, so localKey=GUID_I⊕acKey_1.
在步骤S112中,更新密钥GUID为第一GUID。In step S112, the update key GUID is the first GUID.
在生成了本地对称密钥后,立即使用第一GUID覆盖初始GUID,也 即将密钥GUID更新为第一GUID。由于生成了本地对称密钥之后,立即替换了用于生成本地对称密钥的密钥GUID,而被替换掉的密钥GUID理论上是不可逆生成的,因此所生成的本地对称密钥是安全的,从而提高了***的安全性。Immediately after the local symmetric key is generated, the initial GUID is overwritten with the first GUID, The key GUID is updated to the first GUID. Since the key GUID for generating the local symmetric key is replaced immediately after the local symmetric key is generated, the replaced key GUID is theoretically irreversibly generated, so the generated local symmetric key is safe. , thus improving the security of the system.
在步骤S114中,在后续与互联设备的通信中使用该本地对称密钥对通信数据进行加解密。In step S114, the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the interconnected device.
在生成了该本地对称密钥后,客户端11在后续与互联设备12的通信过程中,使用该本地对称密码对发送的数据进行加密,并使用该本地对称密码对接收的数据进行解密。After the local symmetric key is generated, the client 11 encrypts the transmitted data using the local symmetric password during subsequent communication with the interconnect device 12, and decrypts the received data using the local symmetric password.
图3是根据一示例性实施方式示出的另一种对称密钥动态生成方法的流程图。该方法可以应用于图1所示的互联设备12,如图3所示,该方法20包括:FIG. 3 is a flowchart of another symmetric key dynamic generation method according to an exemplary embodiment. The method can be applied to the interconnection device 12 shown in FIG. 1. As shown in FIG. 3, the method 20 includes:
在步骤S202中,启动时生成初始GUID。In step S202, an initial GUID is generated upon startup.
例如图1所示的互联设备12在首次启动时,由其自身生成初始GUID(可记为GUID_I)。For example, the interconnect device 12 shown in FIG. 1 generates an initial GUID (which can be recorded as GUID_I) by itself when it is first started.
在步骤S204中,向客户端广播该初始GUID。In step S204, the initial GUID is broadcast to the client.
在生成了初始GUID后,互联设备12例如通过网络宣告消息广播其初始GUID,此外该网络宣告消息中还可以包括相关的接口信息等。After the initial GUID is generated, the interconnection device 12 broadcasts its initial GUID, for example, through a network announcement message, and the network announcement message may also include related interface information and the like.
在步骤S206中,将初始GUID记录为密钥GUID。In step S206, the initial GUID is recorded as a key GUID.
互联设备12可以在本地设置一个密钥GUID,用于计算本地对称密钥。首先,互联设备12将初始GUID的值记录为该密钥GUID。The interconnect device 12 can locally set a key GUID for computing a local symmetric key. First, the interconnect device 12 records the value of the initial GUID as the key GUID.
在步骤S208中,接收客户端发送的第一授权指示消息。In step S208, the first authorization indication message sent by the client is received.
当客户端11向互联设备12进行授权时,会向互联设备12发送授权指示消息。该第一授权指示消息中包括有为互联设备12新生成的第一GUID和第一密钥参数(acKey_1)。When the client 11 authorizes the connected device 12, an authorization indication message is sent to the connected device 12. The first authorization indication message includes a first GUID and a first key parameter (acKey_1) newly generated for the interconnection device 12.
其中为互联设备12新生成的第一GUID及第一密钥参数是由客户端11向云端服务器13为该互联设备12所申请的新生成的第一GUID。当客户端11将新申请到的第一GUID在授权指示消息中传递给互联设备12时,互联设备12将该新的第一GUID写入其设备中。The first GUID and the first key parameter newly generated for the connected device 12 are the newly generated first GUID applied by the client 11 to the cloud server 13 for the connected device 12. When the client 11 passes the newly applied first GUID to the interconnection device 12 in the authorization indication message, the interconnection device 12 writes the new first GUID into its device.
在步骤S210中,向客户端发送第一授权响应消息。 In step S210, a first authorization response message is sent to the client.
作为对授权指示消息的响应,互联设备12向客户端11发送第一授权响应消息。In response to the authorization indication message, the interconnection device 12 transmits a first authorization response message to the client 11.
在步骤S212中,根据密钥GUID与第一密钥参数,确定本地对称密钥。In step S212, a local symmetric key is determined according to the key GUID and the first key parameter.
互联设备12根据当前记录的密钥GUID与第一密钥参数,计算本地对称密钥。The interconnect device 12 calculates a local symmetric key based on the currently recorded key GUID and the first key parameter.
在一些实施例中,互联设备12可以使用密钥GUID与第一密钥参数进行异或运算,并将该异或运算的结果作为本地对称密钥。例如,当前记录在密钥GUID中的是互联设备12生成的初始GUID(GUID_I),因此localKey=GUID_I⊕acKey_1。In some embodiments, the interconnect device 12 may XOR the first key parameter using the key GUID and use the result of the exclusive OR operation as a local symmetric key. For example, what is currently recorded in the key GUID is the initial GUID (GUID_I) generated by the interconnect device 12, so localKey=GUID_I⊕acKey_1.
在步骤S214中,更新密钥GUID为第一GUID。In step S214, the update key GUID is the first GUID.
在生成了本地对称密钥后,立即使用第一GUID覆盖初始GUID,也即将密钥GUID更新为第一GUID。由于生成了本地对称密钥之后,立即替换了用于生成本地对称密钥的密钥GUID,而被替换掉的密钥GUID理论上是不可逆生成的,因此所生成的本地对称密钥是安全的,从而提高了***的安全性。Immediately after the local symmetric key is generated, the initial GUID is overwritten with the first GUID, ie the key GUID is updated to the first GUID. Since the key GUID for generating the local symmetric key is replaced immediately after the local symmetric key is generated, the replaced key GUID is theoretically irreversibly generated, so the generated local symmetric key is safe. , thus improving the security of the system.
在步骤S216中,在后续与客户端的通信中使用该本地对称密钥对通信数据进行加解密。In step S216, the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the client.
在生成了该本地对称密钥后,互联设备12在后续与客户端11的通信过程中,使用该本地对称密码对发送的数据进行加密,并使用该本地对称密码对接收的数据进行解密。After the local symmetric key is generated, the interconnect device 12 encrypts the transmitted data using the local symmetric password during subsequent communication with the client 11, and decrypts the received data using the local symmetric password.
本发明实施方式提供的对称密钥动态生成方法,可以在每次由客户端设备向互联设备进行授权时,动态地更新所使用的本地对称密码。因此可以实现在***的生存周期内多次对使用的对称密钥进行动态更新,从而极大地提高了***的安全性和可靠性。此外,在每次生成本地对称密码后,立即替换了用于生成本地对称密钥的密钥GUID,而被替换掉的密钥GUID理论上是不可逆生成的,因此进一步提高了对称密钥的安全性。The symmetric key dynamic generation method provided by the embodiment of the present invention can dynamically update the used local symmetric password each time the client device authorizes the connected device. Therefore, it is possible to dynamically update the symmetric key used in the life cycle of the system, thereby greatly improving the security and reliability of the system. In addition, the key GUID for generating the local symmetric key is replaced immediately after each generation of the local symmetric password, and the replaced key GUID is theoretically irreversibly generated, thereby further improving the security of the symmetric key. Sex.
应清楚地理解,本发明描述了如何形成和使用特定示例,但本发明的原理不限于这些示例的任何细节。相反,基于本发明公开的内容的教导,这些原理能够应用于许多其它实施方式。 It will be clearly understood that the present invention describes how to make and use particular examples, but the principles of the invention are not limited to the details of the examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
图4是根据一示例性实施方式示出的再一种对称密钥动态生成方法的流程图。该方法可以应用于图1所示的客户端11。该方法用于在下一次授权过程中生成新的本地密钥。如图4所示,该方法30包括:FIG. 4 is a flowchart of still another method for dynamically generating a symmetric key according to an exemplary embodiment. This method can be applied to the client 11 shown in FIG. This method is used to generate a new local key during the next authorization process. As shown in FIG. 4, the method 30 includes:
在步骤S302中,再一次对互联设备进行授权,向互联设备发送第二授权指示消息。In step S302, the interconnection device is authorized again, and the second authorization indication message is sent to the interconnection device.
该第二授权指示消息包括:为互联设备12新生成的第二GUID(可以记为GUID_2)及第二密钥参数(可以记为acKey_2)。The second authorization indication message includes a second GUID (which can be recorded as GUID_2) and a second key parameter (which can be recorded as acKey_2) newly generated for the connected device 12.
其中为互联设备12新生成的第二GUID及第二密钥参数是由客户端11向云端服务器13为该互联设备12所申请的新生成的第二GUID。当客户端11将新申请到的第二GUID在授权指示消息中传递给互联设备12时,互联设备12将该新的第二GUID写入其设备中。The second GUID and the second key parameter newly generated for the interconnection device 12 are newly generated second GUIDs requested by the client 11 to the cloud server 13 for the interconnection device 12. When the client 11 passes the newly applied second GUID to the interconnection device 12 in the authorization indication message, the interconnection device 12 writes the new second GUID into its device.
在步骤S304中,接收互联设备发送的第二授权响应消息。In step S304, a second authorization response message sent by the interconnection device is received.
客户端11接收互联设备12响应本次授权操作而发送的第二授权响应消息。The client 11 receives the second authorization response message sent by the interconnect device 12 in response to the current authorization operation.
在步骤S306中,根据密钥GUID与第二密钥参数,确定新的本地对称密钥。In step S306, a new local symmetric key is determined according to the key GUID and the second key parameter.
客户端11根据当前记录的密钥GUID与第二密钥参数,确定新的本地对称密钥。The client 11 determines a new local symmetric key based on the currently recorded key GUID and the second key parameter.
在一些实施例中,客户端11可以使用当前记录的密钥GUID与第二密钥参数进行异或运算,并将该异或运算的结果作为本地对称密钥。例如,当前记录在密钥GUID中的是客户端11在前次授权操作中为互联设备12生成的第一GUID(GUID_1),因此localKey=GUID_1⊕acKey_2。In some embodiments, the client 11 may XOR the second key parameter using the currently recorded key GUID and use the result of the exclusive OR operation as a local symmetric key. For example, what is currently recorded in the key GUID is the first GUID (GUID_1) generated by the client 11 for the connected device 12 in the previous authorization operation, so localKey=GUID_1⊕acKey_2.
在步骤S308中,更新密钥GUID为第二GUID。In step S308, the update key GUID is the second GUID.
在生成了本地对称密钥后,立即使用第二GUID覆盖第一GUID,也即将密钥GUID更新为第二GUID。由于生成了本地对称密钥之后,立即替换了用于生成本地对称密钥的密钥GUID,而被替换掉的密钥GUID理论上是不可逆生成的,因此所生成的本地对称密钥是安全的,从而提高了***的安全性。Immediately after the local symmetric key is generated, the first GUID is overwritten with the second GUID, ie the key GUID is updated to the second GUID. Since the key GUID for generating the local symmetric key is replaced immediately after the local symmetric key is generated, the replaced key GUID is theoretically irreversibly generated, so the generated local symmetric key is safe. , thus improving the security of the system.
在步骤S310中,在后续与互联设备的通信中使用该本地对称密钥对通信数据进行加解密。 In step S310, the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the interconnected device.
在生成了该本地对称密钥后,客户端11在后续与互联设备12的通信过程中,使用该本地对称密码对发送的数据进行加密,并使用该本地对称密码对接收的数据进行解密。After the local symmetric key is generated, the client 11 encrypts the transmitted data using the local symmetric password during subsequent communication with the interconnect device 12, and decrypts the received data using the local symmetric password.
图5是根据一示例性实施方式示出的再一种对称密钥动态生成方法的流程图。该方法可以应用于图1所示的互联设备12。该方法用于在下一次授权过程中生成新的本地密钥。如图5所示,该方法40包括:FIG. 5 is a flowchart of still another method for dynamically generating a symmetric key according to an exemplary embodiment. The method can be applied to the interconnection device 12 shown in FIG. This method is used to generate a new local key during the next authorization process. As shown in FIG. 5, the method 40 includes:
在步骤S402中,接收客户端发送的第二授权指示消息。In step S402, a second authorization indication message sent by the client is received.
在新的授权过程中,互联设备12接收客户端11发送的第二授权指示消息。该消息中包括为互联设备12新生成的第二GUID(可记为GUID_2)及第二密钥参数(acKey_2)。In the new authorization process, the interconnection device 12 receives the second authorization indication message sent by the client 11. The message includes a second GUID (which can be written as GUID_2) and a second key parameter (acKey_2) that are newly generated for the connected device 12.
其中为互联设备12新生成的第二GUID及第二密钥参数是由客户端11向云端服务器13为该互联设备12所申请的新生成的第二GUID。当客户端11将新申请到的第二GUID在授权指示消息中传递给互联设备12时,互联设备12将该新的第二GUID写入其设备中。The second GUID and the second key parameter newly generated for the interconnection device 12 are newly generated second GUIDs requested by the client 11 to the cloud server 13 for the interconnection device 12. When the client 11 passes the newly applied second GUID to the interconnection device 12 in the authorization indication message, the interconnection device 12 writes the new second GUID into its device.
在步骤S404中,向客户端发送第二授权响应消息。In step S404, a second authorization response message is sent to the client.
作为对接收到的第二授权指示消息的响应,互联设备12向客户端11发送第二授权响应消息。In response to the received second authorization indication message, the interconnection device 12 transmits a second authorization response message to the client 11.
在步骤S406中,根据密钥GUID与第二密钥参数,确定新的本地对称密钥。In step S406, a new local symmetric key is determined according to the key GUID and the second key parameter.
服务方设备12根据当前记录的GUID与第二密钥参数,计算新的本地对称密钥。The servant device 12 calculates a new local symmetric key based on the currently recorded GUID and the second key parameter.
在一些实施例中,互联设备12可以使用当前记录的密钥GUID与第二密钥参数进行异或运算,并将该异或运算的结果作为新的本地对称密钥。例如,当前记录在密钥GUID中的是客户端11为互联设备12在上一次授权过程中生成的第一GUID(GUID_1),因此localKey=GUID_1⊕acKey_2。In some embodiments, the interconnect device 12 may XOR the second key parameter using the currently recorded key GUID and use the result of the exclusive OR operation as a new local symmetric key. For example, what is currently recorded in the key GUID is the first GUID (GUID_1) generated by the client 11 for the interconnect device 12 during the last authorization process, so localKey=GUID_1⊕acKey_2.
在步骤S408中,更新密钥GUID为第二GUID。In step S408, the update key GUID is the second GUID.
在生成了新的本地对称密钥后,立即使用第二GUID覆盖第一GUID,也即将密钥GUID更新为第二GUID。由于生成了本地对称密钥之后,立即替换了用于生成本地对称密钥的密钥GUID,而被替换掉的密钥GUID 理论上是不可逆生成的,因此所生成的本地对称密钥是安全的,从而提高了***的安全性。Immediately after the new local symmetric key is generated, the first GUID is overwritten with the second GUID, ie the key GUID is updated to the second GUID. The key GUID used to generate the local symmetric key is replaced immediately after the local symmetric key is generated, and the replaced GUID Theoretically, it is irreversible, so the generated local symmetric key is safe, which improves the security of the system.
在步骤S410中,在后续与客户端的通信中使用该本地对称密钥对通信数据进行加解密。In step S410, the communication data is encrypted and decrypted using the local symmetric key in subsequent communication with the client.
在生成了新的本地对称密钥后,互联设备12在后续与客户端11的通信过程中,使用该新的本地对称密码对发送的数据进行加密,并使用该新的本地对称密码对接收的数据进行解密。After the new local symmetric key is generated, the interconnect device 12 encrypts the transmitted data using the new local symmetric password during subsequent communication with the client 11, and uses the new local symmetric password pair to receive the received data. The data is decrypted.
本领域技术人员可以理解实现上述实施方式的全部或部分步骤被实现为由CPU执行的计算机程序。在该计算机程序被CPU执行时,执行本发明提供的上述方法所限定的上述功能。所述的程序可以存储于一种计算机可读存储介质中,该存储介质可以是只读存储器,磁盘或光盘等。Those skilled in the art will appreciate that all or a portion of the steps to implement the above-described embodiments are implemented as a computer program executed by a CPU. When the computer program is executed by the CPU, the above-described functions defined by the above-described methods provided by the present invention are performed. The program may be stored in a computer readable storage medium, which may be a read only memory, a magnetic disk or an optical disk, or the like.
此外,需要注意的是,上述附图仅是根据本发明示例性实施方式的方法所包括的处理的示意性说明,而不是限制目的。易于理解,上述附图所示的处理并不表明或限制这些处理的时间顺序。另外,也易于理解,这些处理可以是例如在多个模块中同步或异步执行的。Further, it should be noted that the above-described drawings are merely illustrative of the processes included in the method according to the exemplary embodiments of the present invention, and are not intended to be limiting. It is easy to understand that the processing shown in the above figures does not indicate or limit the chronological order of these processes. In addition, it is also easy to understand that these processes may be performed synchronously or asynchronously, for example, in a plurality of modules.
下述为本发明装置实施例,可以用于执行本发明方法实施例。对于本发明装置实施例中未披露的细节,请参照本发明方法实施例。The following is an embodiment of the apparatus of the present invention, which can be used to carry out the method embodiments of the present invention. For details not disclosed in the embodiment of the device of the present invention, please refer to the method embodiment of the present invention.
图6是根据一示例性实施方式示出的一种对称密钥动态生成装置的框图。该对称密钥动态生成装置可以应用于图1所示的客户端11。如图6所示,该装置50包括:接收模块502、标识符记录模块504、发送模块506及密钥确定模块508。FIG. 6 is a block diagram of a symmetric key dynamic generation apparatus, according to an exemplary embodiment. The symmetric key dynamic generation apparatus can be applied to the client 11 shown in FIG. 1. As shown in FIG. 6, the apparatus 50 includes a receiving module 502, an identifier recording module 504, a transmitting module 506, and a key determining module 508.
其中,接收模块502接收互联设备启动时生成的初始全局唯一标识符。The receiving module 502 receives an initial global unique identifier generated when the interconnect device starts.
标识符记录模块504将初始全局唯一标识符记录为密钥全局唯一标识符。The identifier record module 504 records the initial globally unique identifier as a key globally unique identifier.
发送模块506对互联设备进行授权,向互联设备发送第一授权指示消息,第一授权指示消息包括:为互联设备新生成的第一全局唯一标识符及第一密钥参数。 The sending module 506 authorizes the interconnecting device, and sends a first authorization indication message to the interconnecting device, where the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device.
其中为互联设备12新生成的第一GUID及第一密钥参数是由客户端11向云端服务器13为该互联设备12所申请的新生成的第一GUID。当客户端11将新申请到的第一GUID在授权指示消息中传递给互联设备12时,互联设备12将该新的第一GUID写入其设备中。The first GUID and the first key parameter newly generated for the connected device 12 are the newly generated first GUID applied by the client 11 to the cloud server 13 for the connected device 12. When the client 11 passes the newly applied first GUID to the interconnection device 12 in the authorization indication message, the interconnection device 12 writes the new first GUID into its device.
接收模块502接收互联设备发送的第一授权响应消息。The receiving module 502 receives the first authorization response message sent by the interconnection device.
密钥确定模块508根据密钥全局唯一标识符与第一密钥参数,确定对称密钥。The key determination module 508 determines the symmetric key based on the key global unique identifier and the first key parameter.
标识符记录模块504更新密钥全局唯一标识符为所述第一全局唯一标识符。The identifier record module 504 updates the key globally unique identifier to the first globally unique identifier.
发送模块506与接收模块502在后续与互联设备的通信中使用对称密钥对通信数据进行加解密。The transmitting module 506 and the receiving module 502 encrypt and decrypt the communication data using a symmetric key in subsequent communication with the interconnected device.
在一些实施例中,发送模块506再一次对互联设备进行授权,向互联设备发送第二授权指示消息,第二授权指示消息包括:为互联设备新生成的第二全局唯一标识符及第二密钥参数。接收模块502接收互联设备发送的第二授权响应消息。密钥确定模块508根据密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥。标识符记录模块504更新密钥全局唯一标识符为第二全局唯一标识符。发送模块506与接收模块502在后续与互联设备的通信中使用新的对称密钥对通信数据进行加解密。In some embodiments, the sending module 506 authorizes the interconnect device again, and sends a second authorization indication message to the interconnect device, where the second authorization indication message includes: a second global unique identifier and a second secret newly generated for the connected device. Key parameter. The receiving module 502 receives the second authorization response message sent by the interconnection device. The key determination module 508 determines a new symmetric key based on the key global unique identifier and the second key parameter. The identifier record module 504 updates the key globally unique identifier to a second globally unique identifier. The transmitting module 506 and the receiving module 502 encrypt and decrypt the communication data using a new symmetric key in subsequent communication with the interconnected device.
图7是根据一示例性实施方式示出的另一种对称密钥动态生成装置的框图。该对称密钥动态生成装置可以应用于图1所示的互联设备12。如图7所示,该装置60包括:标识符生成模块602、发送模块604、接收模块606、标识符记录模块608及密钥确定模块610。FIG. 7 is a block diagram of another symmetric key dynamic generation apparatus, according to an exemplary embodiment. The symmetric key dynamic generation apparatus can be applied to the interconnection device 12 shown in FIG. As shown in FIG. 7, the apparatus 60 includes an identifier generating module 602, a transmitting module 604, a receiving module 606, an identifier recording module 608, and a key determining module 610.
其中,标识符生成模块602在启动时生成一初始全局唯一标识符。The identifier generation module 602 generates an initial global unique identifier upon startup.
发送模块604向客户端广播初始全局唯一标识符。The sending module 604 broadcasts an initial globally unique identifier to the client.
标识符记录模块608将初始全局唯一标识符记录为密钥全局唯一标识符。The identifier record module 608 records the initial globally unique identifier as a key globally unique identifier.
接收模块606接收客户端发送的第一授权指示消息,第一授权指示消息包括:为互联设备新生成的第一全局唯一标识符及第一密钥参数。The receiving module 606 receives the first authorization indication message sent by the client, where the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the connected device.
其中为互联设备12新生成的第一GUID及第一密钥参数是由客户端11向云端服务器13为该互联设备12所申请的新生成的第一GUID。当客 户端11将新申请到的第一GUID在授权指示消息中传递给互联设备12时,互联设备12将该新的第一GUID写入其设备中。The first GUID and the first key parameter newly generated for the connected device 12 are the newly generated first GUID applied by the client 11 to the cloud server 13 for the connected device 12. When guest When the client 11 transmits the newly applied first GUID to the interconnection device 12 in the authorization indication message, the interconnection device 12 writes the new first GUID into its device.
发送模块604向客户端发送第一授权响应消息。The sending module 604 sends a first authorization response message to the client.
密钥确定模块610根据密钥全局唯一标识符与第一密钥参数,确定对称密钥。The key determination module 610 determines the symmetric key based on the key global unique identifier and the first key parameter.
标识符记录模块608更新密钥全局唯一标识符为第一全局唯一标识符。The identifier record module 608 updates the key globally unique identifier to a first globally unique identifier.
发送模块604与接收模块606在后续与客户端的通信中使用对称密钥对通信数据进行加解密。The sending module 604 and the receiving module 606 encrypt and decrypt the communication data using a symmetric key in subsequent communication with the client.
在一些实施例中,接收模块606接收客户端发送的第二授权指示消息,第二授权指示消息包括:为互联设备新生成的第二全局唯一标识符及第二密钥参数。发送模块604向客户端发送第二授权响应消息。密钥确定模块根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥。标识符记录模块608更新密钥全局唯一标识符为第二全局唯一标识符。发送模块604与接收模块606在后续与客户端的通信中使用新的对称密钥对通信数据进行加解密。In some embodiments, the receiving module 606 receives the second authorization indication message sent by the client, where the second authorization indication message includes: a second global unique identifier and a second key parameter newly generated for the connected device. The sending module 604 sends a second authorization response message to the client. The key determination module determines a new symmetric key based on the key global unique identifier and the second key parameter. The identifier record module 608 updates the key globally unique identifier to a second globally unique identifier. The sending module 604 and the receiving module 606 encrypt and decrypt the communication data using a new symmetric key in subsequent communication with the client.
需要注意的是,上述附图中所示的框图是功能实体,不一定必须与物理或逻辑上独立的实体相对应。可以采用软件形式来实现这些功能实体,或在一个或多个硬件模块或集成电路中实现这些功能实体,或在不同网络和/或处理器装置和/或微控制器装置中实现这些功能实体。It should be noted that the block diagrams shown in the above figures are functional entities and do not necessarily have to correspond to physically or logically independent entities. These functional entities may be implemented in software, or implemented in one or more hardware modules or integrated circuits, or implemented in different network and/or processor devices and/or microcontroller devices.
通过以上的实施方式的描述,本领域的技术人员易于理解,这里描述的示例实施方式可以通过软件实现,也可以通过软件结合必要的硬件的方式来实现。因此,根据本发明实施方式的技术方案可以以软件产品的形式体现出来,该软件产品可以存储在一个非易失性存储介质(可以是CD-ROM,U盘,移动硬盘等)中或网络上,包括若干指令以使得一台计算设备(可以是个人计算机、服务器、移动终端、或者网络设备等)执行根据本发明实施方式的方法。Through the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described herein may be implemented by software or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiment of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a mobile hard disk, etc.) or on a network. A number of instructions are included to cause a computing device (which may be a personal computer, server, mobile terminal, or network device, etc.) to perform a method in accordance with an embodiment of the present invention.
以上具体地示出和描述了本发明的示例性实施方式。应可理解的是,本发明不限于这里描述的详细结构、设置方式或实现方法;相反, 本发明意图涵盖包含在所附权利要求的精神和范围内的各种修改和等效设置。 The exemplary embodiments of the present invention have been particularly shown and described above. It should be understood that the present invention is not limited to the detailed structures, arrangements, or implementations described herein; rather, The invention is intended to cover various modifications and equivalents

Claims (16)

  1. 一种对称密钥动态生成方法,其特征在于,包括:A method for dynamically generating a symmetric key, comprising:
    接收互联设备启动时生成的初始全局唯一标识符;Receiving an initial globally unique identifier generated when the interconnect device starts up;
    将所述初始全局唯一标识符记录为密钥全局唯一标识符;Recording the initial globally unique identifier as a key globally unique identifier;
    对所述互联设备进行授权,向所述互联设备发送第一授权指示消息,所述第一授权指示消息包括:为所述互联设备新生成的第一全局唯一标识符及第一密钥参数;Authorizing the interconnection device, and sending a first authorization indication message to the interconnection device, where the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the interconnection device;
    接收所述互联设备发送的第一授权响应消息;Receiving a first authorization response message sent by the interconnection device;
    根据所述密钥全局唯一标识符与所述第一密钥参数,确定对称密钥;Determining a symmetric key according to the key global unique identifier and the first key parameter;
    更新所述密钥全局唯一标识符为所述第一全局唯一标识符;以及Updating the key globally unique identifier to the first globally unique identifier;
    在后续与所述互联设备的通信中使用所述对称密钥对通信数据进行加解密。The communication data is encrypted and decrypted using the symmetric key in subsequent communication with the interconnected device.
  2. 根据权利要求1所述的方法,其特征在于,还包括:The method of claim 1 further comprising:
    再一次对所述互联设备进行授权,向所述互联设备发送第二授权指示消息,所述第二授权指示消息包括:为所述互联设备新生成的第二全局唯一标识符及第二密钥参数;Authorizing the interconnection device again, and sending a second authorization indication message to the interconnection device, where the second authorization indication message includes: a second global unique identifier and a second key newly generated for the interconnection device parameter;
    接收所述互联设备发送的第二授权响应消息;Receiving a second authorization response message sent by the interconnection device;
    根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥;Determining a new symmetric key according to the key global unique identifier and the second key parameter;
    更新所述密钥全局唯一标识符为所述第二全局唯一标识符;以及Updating the key globally unique identifier to the second globally unique identifier;
    在后续与所述互联设备的通信中使用所述新的对称密钥对通信数据进行加解密。The communication data is encrypted and decrypted using the new symmetric key in subsequent communication with the interconnected device.
  3. 根据权利要求2所述的方法,其特征在于,根据所述密钥全局唯一标识符与所述第一密钥参数,确定对称密钥包括:对所述密钥全局唯一标识符与所述第一密钥参数进行异或运算,将所述异或运算的结果作为所述对称密钥;和/或,The method according to claim 2, wherein determining the symmetric key according to the key global unique identifier and the first key parameter comprises: globally unique identifier and the first Performing an exclusive OR operation on a key parameter, using the result of the exclusive OR operation as the symmetric key; and/or,
    根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥包括:对所述密钥全局唯一标识符与所述第二密钥参数进行异或运算,将所述异或运算的结果作为所述新的对称密钥。 Determining a new symmetric key according to the key global unique identifier and the second key parameter, comprising: performing an exclusive OR operation on the key global unique identifier and the second key parameter, The result of the exclusive OR operation is described as the new symmetric key.
  4. 一种对称密钥动态生成方法,其特征在于,包括:A method for dynamically generating a symmetric key, comprising:
    启动时生成一初始全局唯一标识符;Generate an initial globally unique identifier at startup;
    向客户端广播所述初始全局唯一标识符;Broadcasting the initial globally unique identifier to a client;
    将所述初始全局唯一标识符记录为密钥全局唯一标识符;Recording the initial globally unique identifier as a key globally unique identifier;
    接收所述客户端发送的第一授权指示消息,所述第一授权指示消息包括:新生成的第一全局唯一标识符及第一密钥参数;Receiving a first authorization indication message sent by the client, where the first authorization indication message includes: a newly generated first global unique identifier and a first key parameter;
    向所述客户端发送第一授权响应消息;Sending a first authorization response message to the client;
    根据所述密钥全局唯一标识符与所述第一密钥参数,确定对称密钥;Determining a symmetric key according to the key global unique identifier and the first key parameter;
    更新所述密钥全局唯一标识符为所述第一全局唯一标识符;以及Updating the key globally unique identifier to the first globally unique identifier;
    在后续与所述客户端的通信中使用所述对称密钥对通信数据进行加解密。The communication data is encrypted and decrypted using the symmetric key in subsequent communication with the client.
  5. 根据权利要求4所述的方法,其特征在于,还包括:The method of claim 4, further comprising:
    接收所述客户端发送的第二授权指示消息,所述第二授权指示消息包括:新生成的第二全局唯一标识符及第二密钥参数;Receiving a second authorization indication message sent by the client, where the second authorization indication message includes: a newly generated second global unique identifier and a second key parameter;
    向所述客户端发送第二授权响应消息;Sending a second authorization response message to the client;
    根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥;Determining a new symmetric key according to the key global unique identifier and the second key parameter;
    更新所述密钥全局唯一标识符为所述第二全局唯一标识符;以及Updating the key globally unique identifier to the second globally unique identifier;
    在后续与所述客户端的通信中使用所述新的对称密钥对通信数据进行加解密。The communication data is encrypted and decrypted using the new symmetric key in subsequent communication with the client.
  6. 根据权利要求5所述的方法,其特征在于,根据所述密钥全局唯一标识符与所述第一密钥参数,确定对称密钥包括:对所述密钥全局唯一标识符与所述第一密钥参数进行异或运算,将所述异或运算的结果作为所述对称密钥;和/或,The method according to claim 5, wherein determining the symmetric key according to the key global unique identifier and the first key parameter comprises: globally unique identifier and the first Performing an exclusive OR operation on a key parameter, using the result of the exclusive OR operation as the symmetric key; and/or,
    根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥包括:对所述密钥全局唯一标识符与所述第二密钥参数进行异或运算,将所述异或运算的结果作为所述新的对称密钥。Determining a new symmetric key according to the key global unique identifier and the second key parameter, comprising: performing an exclusive OR operation on the key global unique identifier and the second key parameter, The result of the exclusive OR operation is described as the new symmetric key.
  7. 一种用于对称密钥动态生成的客户端设备,其特征在于,包括:A client device for dynamic generation of a symmetric key, comprising:
    处理器;以及Processor;
    存储器,用于存储所述处理器的可执行指令; a memory for storing executable instructions of the processor;
    其中所述处理器配置为经由执行所述可执行指令来执行以下操作:Wherein the processor is configured to perform the following operations by executing the executable instructions:
    接收互联设备启动时生成的初始全局唯一标识符;Receiving an initial globally unique identifier generated when the interconnect device starts up;
    将所述初始全局唯一标识符记录为密钥全局唯一标识符;Recording the initial globally unique identifier as a key globally unique identifier;
    对所述互联设备进行授权,向所述互联设备发送第一授权指示消息,所述第一授权指示消息包括:为所述互联设备新生成的第一全局唯一标识符及第一密钥参数;Authorizing the interconnection device, and sending a first authorization indication message to the interconnection device, where the first authorization indication message includes: a first global unique identifier and a first key parameter newly generated for the interconnection device;
    接收所述互联设备发送的第一授权响应消息;Receiving a first authorization response message sent by the interconnection device;
    根据所述密钥全局唯一标识符与所述第一密钥参数,确定对称密钥;Determining a symmetric key according to the key global unique identifier and the first key parameter;
    更新所述密钥全局唯一标识符为所述第一全局唯一标识符;以及Updating the key globally unique identifier to the first globally unique identifier;
    在后续与所述互联设备的通信中使用所述对称密钥对通信数据进行加解密。The communication data is encrypted and decrypted using the symmetric key in subsequent communication with the interconnected device.
  8. 根据权利要求7所述的客户端设备,其特征在于,所述操作还包括:The client device according to claim 7, wherein the operation further comprises:
    再一次对所述互联设备进行授权,向所述互联设备发送第二授权指示消息,所述第二授权指示消息包括:为所述互联设备新生成的第二全局唯一标识符及第二密钥参数;Authorizing the interconnection device again, and sending a second authorization indication message to the interconnection device, where the second authorization indication message includes: a second global unique identifier and a second key newly generated for the interconnection device parameter;
    接收所述互联设备发送的第二授权响应消息;Receiving a second authorization response message sent by the interconnection device;
    根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥;Determining a new symmetric key according to the key global unique identifier and the second key parameter;
    更新所述密钥全局唯一标识符为所述第二全局唯一标识符;以及Updating the key globally unique identifier to the second globally unique identifier;
    在后续与所述互联设备的通信中使用所述新的对称密钥对通信数据进行加解密。The communication data is encrypted and decrypted using the new symmetric key in subsequent communication with the interconnected device.
  9. 一种用于对称密钥动态生成的互联设备,其特征在于,包括:An interconnected device for dynamic generation of a symmetric key, comprising:
    处理器;以及Processor;
    存储器,用于存储所述处理器的可执行指令;a memory for storing executable instructions of the processor;
    其中所述处理器配置为经由执行所述可执行指令来执行以下操作:Wherein the processor is configured to perform the following operations by executing the executable instructions:
    启动时生成一初始全局唯一标识符;Generate an initial globally unique identifier at startup;
    向客户端广播所述初始全局唯一标识符;Broadcasting the initial globally unique identifier to a client;
    将所述初始全局唯一标识符记录为密钥全局唯一标识符;Recording the initial globally unique identifier as a key globally unique identifier;
    接收所述客户端发送的第一授权指示消息,所述第一授权指示消 息包括:为所述互联设备新生成的第一全局唯一标识符及第一密钥参数;Receiving a first authorization indication message sent by the client, where the first authorization indication is The information includes: a first global unique identifier and a first key parameter newly generated for the interconnected device;
    向所述客户端发送第一授权响应消息;Sending a first authorization response message to the client;
    根据所述密钥全局唯一标识符与所述第一密钥参数,确定对称密钥;Determining a symmetric key according to the key global unique identifier and the first key parameter;
    更新所述密钥全局唯一标识符为所述第一全局唯一标识符;以及Updating the key globally unique identifier to the first globally unique identifier;
    在后续与所述客户端的通信中使用所述对称密钥对通信数据进行加解密。The communication data is encrypted and decrypted using the symmetric key in subsequent communication with the client.
  10. 根据权利要求9所述的互联设备,其特征在于,所述操作还包括:The interconnection device according to claim 9, wherein the operation further comprises:
    接收所述客户端发送的第二授权指示消息,所述第二授权指示消息包括:为所述互联设备新生成的第二全局唯一标识符及第二密钥参数;Receiving a second authorization indication message sent by the client, where the second authorization indication message includes: a second global unique identifier and a second key parameter newly generated for the interconnection device;
    向所述客户端发送第二授权响应消息;Sending a second authorization response message to the client;
    根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥;Determining a new symmetric key according to the key global unique identifier and the second key parameter;
    更新所述密钥全局唯一标识符为所述第二全局唯一标识符;以及Updating the key globally unique identifier to the second globally unique identifier;
    在后续与所述客户端的通信中使用所述新的对称密钥对通信数据进行加解密。The communication data is encrypted and decrypted using the new symmetric key in subsequent communication with the client.
  11. 一种对称密钥动态生成***,其特征在于,包括:根据权利要求7或8所述的客户端设备及根据权利要求9或10所述的互联设备。A symmetric key dynamic generation system, comprising: the client device according to claim 7 or 8 and the interconnection device according to claim 9 or 10.
  12. 一种对称密钥动态生成装置,其特征在于,包括:发送模块、标识符记录模块、接收模块及密钥确定模块;A symmetric key dynamic generating device, comprising: a sending module, an identifier recording module, a receiving module, and a key determining module;
    其中,所述接收模块接收互联设备启动时生成的初始全局唯一标识符;The receiving module receives an initial global unique identifier generated when the interconnect device starts;
    所述标识符记录模块将所述初始全局唯一标识符记录为密钥全局唯一标识符;The identifier recording module records the initial global unique identifier as a key global unique identifier;
    所述发送模块对所述互联设备进行授权,向所述互联设备发送第一授权指示消息,所述第一授权指示消息包括:为所述互联设备新生成的第一全局唯一标识符及第一密钥参数;The sending module authorizes the connected device, and sends a first authorization indication message to the interconnecting device, where the first authorization indication message includes: a first global unique identifier newly generated for the connected device, and a first Key parameter
    所述接收模块接收所述互联设备发送的第一授权响应消息;Receiving, by the receiving module, a first authorization response message sent by the interconnection device;
    所述密钥确定模块根据所述密钥全局唯一标识符与所述第一密钥参 数,确定对称密钥;The key determining module is configured according to the key global unique identifier and the first key Number, determine the symmetric key;
    所述标识符记录模块更新所述密钥全局唯一标识符为所述第一全局唯一标识符;以及The identifier recording module updates the key globally unique identifier to the first globally unique identifier;
    所述发送模块与所述接收模块在后续与所述互联设备的通信中使用所述对称密钥对通信数据进行加解密。The sending module and the receiving module encrypt and decrypt the communication data by using the symmetric key in subsequent communication with the interconnect device.
  13. 根据权利要求12所述的装置,其特征在于,The device according to claim 12, characterized in that
    所述发送模块再一次对所述互联设备进行授权,向所述互联设备发送第二授权指示消息,所述第二授权指示消息包括:为所述互联设备新生成的第二全局唯一标识符及第二密钥参数;The sending module further authorizes the interconnection device, and sends a second authorization indication message to the interconnection device, where the second authorization indication message includes: a second global unique identifier newly generated for the interconnection device and Second key parameter;
    所述接收模块接收所述互联设备发送的第二授权响应消息;Receiving, by the receiving module, a second authorization response message sent by the interconnection device;
    所述密钥确定模块根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥;The key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter;
    所述标识符记录模块更新所述密钥全局唯一标识符为所述第二全局唯一标识符;以及The identifier recording module updates the key globally unique identifier to the second globally unique identifier;
    所述发送模块与所述接收模块在后续与所述互联设备的通信中使用所述新的对称密钥对通信数据进行加解密。The sending module and the receiving module encrypt and decrypt the communication data by using the new symmetric key in subsequent communication with the interconnect device.
  14. 一种对称密钥动态生成装置,其特征在于,包括:标识符生成模块、发送模块、接收模块、标识符记录模块及密钥确定模块;A symmetric key dynamic generating device, comprising: an identifier generating module, a sending module, a receiving module, an identifier recording module, and a key determining module;
    其中,所述标识符生成模块在启动时生成一初始全局唯一标识符;Wherein the identifier generating module generates an initial global unique identifier upon startup;
    所述发送模块向客户端广播所述初始全局唯一标识符;Transmitting module broadcasts the initial global unique identifier to a client;
    所述标识符记录模块将所述初始全局唯一标识符记录为密钥全局唯一标识符;The identifier recording module records the initial global unique identifier as a key global unique identifier;
    所述接收模块接收所述客户端发送的第一授权指示消息,所述第一授权指示消息包括:新生成的第一全局唯一标识符及第一密钥参数;Receiving, by the receiving module, the first authorization indication message sent by the client, where the first authorization indication message includes: a newly generated first global unique identifier and a first key parameter;
    所述发送模块向所述客户端发送第一授权响应消息;Sending, by the sending module, a first authorization response message to the client;
    所述密钥确定模块根据所述密钥全局唯一标识符与所述第一密钥参数,确定对称密钥;The key determining module determines a symmetric key according to the key global unique identifier and the first key parameter;
    所述标识符记录模块更新所述密钥全局唯一标识符为所述第一全局唯一标识符;以及The identifier recording module updates the key globally unique identifier to the first globally unique identifier;
    所述发送模块与所述接收模块在后续与所述客户端的通信中使用所 述对称密钥对通信数据进行加解密。The sending module and the receiving module are used in subsequent communication with the client The symmetric key encrypts and decrypts the communication data.
  15. 根据权利要求14所述的装置,其特征在于,The device of claim 14 wherein:
    所述接收模块接收所述客户端发送的第二授权指示消息,所述第二授权指示消息包括:新生成的第二全局唯一标识符及第二密钥参数;The receiving module receives a second authorization indication message sent by the client, where the second authorization indication message includes: a newly generated second global unique identifier and a second key parameter;
    所述发送模块向所述客户端发送第二授权响应消息;The sending module sends a second authorization response message to the client;
    所述密钥确定模块根据所述密钥全局唯一标识符与所述第二密钥参数,确定新的对称密钥;The key determining module determines a new symmetric key according to the key global unique identifier and the second key parameter;
    所述标识符记录模块更新所述密钥全局唯一标识符为所述第二全局唯一标识符;以及The identifier recording module updates the key globally unique identifier to the second globally unique identifier;
    所述发送模块与所述接收模块在后续与所述客户端的通信中使用所述新的对称密钥对通信数据进行加解密。The sending module and the receiving module encrypt and decrypt the communication data by using the new symmetric key in subsequent communication with the client.
  16. 一种非易失性计算机存储介质,所述计算机存储介质存储有能够被处理器执行的计算机可读指令,当所述计算机可读指令被处理器执行时,所述处理器执行如权利要求1-6中任一项所述的方法。 A non-volatile computer storage medium storing computer readable instructions executable by a processor, the processor executing as claimed in claim 1 The method of any of -6.
PCT/CN2017/092995 2016-09-26 2017-07-14 Method, apparatus, device and system for dynamically generating symmetric key WO2018054144A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610849888.5 2016-09-26
CN201610849888.5A CN107872312B (en) 2016-09-26 2016-09-26 Method, device, equipment and system for dynamically generating symmetric key

Publications (1)

Publication Number Publication Date
WO2018054144A1 true WO2018054144A1 (en) 2018-03-29

Family

ID=61690111

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/092995 WO2018054144A1 (en) 2016-09-26 2017-07-14 Method, apparatus, device and system for dynamically generating symmetric key

Country Status (2)

Country Link
CN (1) CN107872312B (en)
WO (1) WO2018054144A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114024724B (en) * 2021-10-25 2023-06-13 四川启睿克科技有限公司 Symmetric key dynamic generation method based on Internet of things
CN117597891A (en) * 2022-06-17 2024-02-23 北京小米移动软件有限公司 Data communication method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110258437A1 (en) * 2010-04-16 2011-10-20 Microsoft Corporation Secure local update of content management software
CN103268456A (en) * 2013-05-31 2013-08-28 杭州华三通信技术有限公司 Method and device for file safety control
CN104065652A (en) * 2014-06-09 2014-09-24 韩晟 Method, device and system for identity verification and related device
CN105100052A (en) * 2015-05-29 2015-11-25 北京奇虎科技有限公司 Server, mobile phone terminal and account and equipment binding execution and control methods thereof

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110258437A1 (en) * 2010-04-16 2011-10-20 Microsoft Corporation Secure local update of content management software
CN103268456A (en) * 2013-05-31 2013-08-28 杭州华三通信技术有限公司 Method and device for file safety control
CN104065652A (en) * 2014-06-09 2014-09-24 韩晟 Method, device and system for identity verification and related device
CN105100052A (en) * 2015-05-29 2015-11-25 北京奇虎科技有限公司 Server, mobile phone terminal and account and equipment binding execution and control methods thereof

Also Published As

Publication number Publication date
CN107872312A (en) 2018-04-03
CN107872312B (en) 2020-02-07

Similar Documents

Publication Publication Date Title
TWI641258B (en) Data transmission method, device and system
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
CN104094267B (en) Method, apparatus and system for secure sharing of media content from a source device
TW201814496A (en) Data storage method, data acquisition method, device and system wherein security of both the data key and the data ciphertext is ensured because the data key shared by the first device and the second device is protected under the storage root key of the respective trusted platform modules
TW201417546A (en) Instant messaging method and system
JP2019514314A (en) Method, system and medium for using dynamic public key infrastructure to send and receive encrypted messages
WO2020155812A1 (en) Data storage method and device, and apparatus
KR20170111022A (en) Apparatus for encryption and search and method thereof
CN114793184B (en) Security chip communication method and device based on third-party key management node
US8751819B1 (en) Systems and methods for encoding data
TWI827906B (en) Message transmitting system, user device and hardware security module for use therein
WO2018054144A1 (en) Method, apparatus, device and system for dynamically generating symmetric key
US11216571B2 (en) Credentialed encryption
US20160148002A1 (en) Key storage apparatus, key storage method and program therefor
US10057054B2 (en) Method and system for remotely keyed encrypting/decrypting data with prior checking a token
CN114553557B (en) Key calling method, device, computer equipment and storage medium
KR101812311B1 (en) User terminal and data sharing method of user terminal based on attributed re-encryption
CN115022057A (en) Security authentication method, device and equipment and storage medium
KR102539418B1 (en) Apparatus and method for mutual authentication based on physical unclonable function
CN111431846B (en) Data transmission method, device and system
CN113874857A (en) Method and apparatus for encryption key management for optimal information theory security
TWI828558B (en) Message transmitting system, user device and hardware security module for use therein
US11831756B2 (en) Sharing access to data externally
CN116599771B (en) Data hierarchical protection transmission method and device, storage medium and terminal
US11652612B2 (en) Sharing access to data

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17852215

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 27.08.2019) 2ND TIME.

122 Ep: pct application non-entry in european phase

Ref document number: 17852215

Country of ref document: EP

Kind code of ref document: A1