WO2021159818A1 - Secret key access control method and apparatus - Google Patents

Secret key access control method and apparatus Download PDF

Info

Publication number
WO2021159818A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
secret key
platform
information
identifier
Prior art date
Application number
PCT/CN2020/132720
Other languages
French (fr)
Chinese (zh)
Inventor
方习文
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2021159818A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • This application relates to the field of computer technology, and in particular to a method and device for controlling access to a secret key.
  • A secret key can only be used by the application to which the secret key corresponds.
  • Before an application uses a secret key, it must send a secret key use request to the secret key management module, which verifies the application's request by means of the secret key access control method.
  • In the secret key access control method, the secret key management module determines the application to which the requested secret key belongs from the application's identification information in the operating system where it is located (for example, the user identification (UID) of the application, or the combination of the application's package name and signature in that operating system). If the application sending the secret key use request is the same as the application to which the requested secret key belongs, the verification of the request passes.
  • an application needs to transmit the application secret key on multiple computer devices to encrypt or decrypt data of the application on multiple devices.
  • a home application may need to transmit the secret key of the home application on multiple devices, so as to use the secret key of the application to sign on multiple devices to control the home Internet of things (IOT).
  • IOT Internet of things
  • If the secret key management module determines the application to which the requested secret key belongs according to the application's UID, then after the application's secret key is transmitted from the source computer device to the target computer device, the UIDs used in the two devices differ. In the target computer device, the secret key management module therefore cannot determine which application the requested secret key belongs to, and the application's secret key use request fails verification.
  • For example, the UID of application 1 in the source computer device is UID1,
  • the UID of application 1 in the target computer device is UID2,
  • and secret key 1 is the secret key of the application whose UID is UID1.
  • The target computer device does not recognize UID1. Therefore, the secret key use request with which application 1 requests secret key 1 in the target computer device will not pass verification.
  • If the key management module determines the application to which the requested key belongs according to the combination of the application's package name and signature, then, because this combination differs between operating systems, if the source computer device and the target computer device use different operating systems, the secret key management module in the target computer device cannot determine which application the requested secret key belongs to, and the application's secret key use request cannot pass verification.
  • For example, the package name and signature of application 1 in the source computer device are package name 1 and signature 1,
  • the package name and signature of application 1 in the target computer device are package name 2 and signature 2,
  • and secret key 1 is the secret key of the application with package name 1 and signature 1.
  • After secret key 1 is transmitted to the target computer device, application 1 requests secret key 1 in the target computer device. The target computer device does not recognize package name 1 and signature 1, so the key use request with which application 1 requests secret key 1 in the target computer device will not pass verification.
  • the embodiments of the present application provide a method and device for controlling access to a secret key, so that after a secret key is transmitted between different computer devices or different operating systems, the secret key usage request of a legitimate application can still be verified.
  • a key access control method is provided, which is applied to a target computer device, the target computer device includes multiple applications, and the multiple applications include a first application.
  • the method includes: generating a secret key use request based on the first application.
  • the secret key use request includes the first secret key identifier and the signature information to be verified of the first application.
  • the reference signed information of the first application is obtained.
  • the reference signed information of the first application is generated based on the single-platform information of the first application and the first cross-platform identification.
  • the single-platform information of an application includes the single-platform identification of the first application in the operating system of the target computer device.
  • the signature information to be verified of the first application is verified to obtain a verification result, which is used to indicate whether the secret key use request is verified.
  • The target computer device verifies the signature information to be verified in the key use request against the reference signed information, and the cross-platform identification contained in the reference signed information determines the application to which the secret key indicated by the key identifier belongs.
  • Because the single-platform information comes from the target computer device itself, security is increased.
  • This overcomes the prior-art problem that, after the secret key is transmitted between computer devices with different operating systems, the target computer device cannot determine from the application's single-platform information which application the secret key indicated by the secret key identifier belongs to, so that the secret key use request of an application with a legitimate source cannot pass verification.
  • Obtaining the reference signed information of the first application according to the identification of the first application and the first secret key identifier includes: obtaining the single-platform information of the first application using the identification of the first application;
  • obtaining, from the correspondence between each of the multiple key identifiers and the cross-platform identification of an application, the first cross-platform identification of the first application corresponding to the first key identifier;
  • and acquiring the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier.
  • In one implementation, acquiring the reference signed information of the first application based on its single-platform information and the first cross-platform identifier includes: generating the reference signed information of the first application from the single-platform information and the first cross-platform identifier using a hash algorithm. In this way, the security of key access control can be increased.
  • In another implementation, acquiring the reference signed information of the first application based on its single-platform information and the first cross-platform identifier includes: according to the single-platform information of the first application and the first cross-platform identifier, selecting from the correspondence between each of multiple pieces of reference signed information and the first information of an application
  • the reference signed information that corresponds to both the single-platform information of the first application and the first cross-platform identifier, and using it as the reference signed information of the first application.
  • The first information of an application includes the single-platform information of the application and the cross-platform identification of the application. In this way, the first information and the reference signed information of the application are stored, and the reference signed information of the application is obtained by query, which saves the computing resources of the computer device.
  • The single-platform information of the first application further includes at least one of the application signature of the first application and the single-platform signature public key of the first application.
  • The application signature of the first application is information obtained by performing a signature calculation on the installation package information of the first application.
  • The single-platform signature public key of the first application is used to verify the application signature of the first application. In this way, the security of key access control can be increased.
  • Verifying the signature information to be verified of the first application includes: obtaining the verification signature public key of the first application according to the first secret key identifier from the correspondence between each of the multiple secret key identifiers and a verification signature public key; and verifying the signature information to be verified of the first application using the verification signature public key of the first application and the reference signed information of the first application.
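To make the verification flow described above concrete, here is an added worked example in Go. It is written for this page and is not code from the patent or from the assignee. It assumes ECDSA P-256 as the second signature algorithm, SHA-256 over a concatenation of the cross-platform identifier, the single-platform information and the page's predefined string "#123***" as the first algorithm (the field order is an assumption), and constructed package names other than com.tencent.mm, application-signature digests and key identifiers. The application server's signature module issues the signature information to be verified for the application's single-platform information on the target device; the target device's key management module then rebuilds the reference signed information from the key record's cross-platform identifier and the device's own view of the requester, and checks three requests: the migrated application asking for its own key, another application presenting a signature issued for its own cross-platform identifier, and another application replaying the legitimate signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SinglePlatformInfo is an application's identification on one operating system: its
// single-platform identifier (package name) plus, optionally, its application signature.
type SinglePlatformInfo struct {
	Platform     string // constructed platform label, e.g. "ios"
	PackageName  string
	AppSignature string // digest of the installation package; constructed values below
}

// KeyRecord travels with the key and carries the two correspondences the page names:
// key identifier -> cross-platform identifier and key identifier -> verification public key.
type KeyRecord struct {
	CrossPlatformID string
	VerifyPubKey    *ecdsa.PublicKey
}

// signedInfo is the page's "first algorithm": concatenate the cross-platform identifier,
// the single-platform information and the predefined string "#123***", then SHA-256 it.
// The field order is an assumption; the page leaves it open.
func signedInfo(crossID string, info SinglePlatformInfo) []byte {
	const sep = "#123***"
	h := sha256.Sum256([]byte(crossID + sep + info.Platform + sep + info.PackageName + sep + info.AppSignature))
	return h[:]
}

// issueSignature models the application server's signature module: it signs the second
// signed information with the second signature private key (ECDSA P-256 assumed here).
func issueSignature(priv *ecdsa.PrivateKey, crossID string, info SinglePlatformInfo) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedInfo(crossID, info))
}

// KeyManager is the key management module of the target device.
type KeyManager struct {
	records map[string]KeyRecord // key identifier -> record
}

// Verify rebuilds the reference signed information from the record's cross-platform
// identifier and the requester's single-platform information (supplied by the device
// itself, not by the requester) and checks the signature to be verified against it.
func (km *KeyManager) Verify(keyID string, sig []byte, requester SinglePlatformInfo) (bool, error) {
	rec, ok := km.records[keyID]
	if !ok {
		return false, fmt.Errorf("unknown key identifier %q", keyID)
	}
	return ecdsa.VerifyASN1(rec.VerifyPubKey, signedInfo(rec.CrossPlatformID, requester), sig), nil
}

// Outcome holds the three verification results of Scenario.
type Outcome struct {
	Legitimate bool // migrated application requesting its own key
	Impostor   bool // other application presenting a signature issued for its own identifier
	Replayed   bool // other application replaying the legitimate signature
}

// Scenario: a key record for "weixin" reaches an iOS device, where the application's
// single-platform identifier is com.tencent.mm (from the page). The other application,
// the server key and the digests are constructed for this example.
func Scenario() (Outcome, error) {
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	km := &KeyManager{records: map[string]KeyRecord{
		"key-1": {CrossPlatformID: "weixin", VerifyPubKey: &serverKey.PublicKey},
	}}
	weixin := SinglePlatformInfo{Platform: "ios", PackageName: "com.tencent.mm", AppSignature: "a1b2c3"}
	other := SinglePlatformInfo{Platform: "ios", PackageName: "com.example.other", AppSignature: "d4e5f6"}
	weixinSig, err := issueSignature(serverKey, "weixin", weixin)
	if err != nil {
		return Outcome{}, err
	}
	otherSig, err := issueSignature(serverKey, "other", other)
	if err != nil {
		return Outcome{}, err
	}
	check := func(sig []byte, requester SinglePlatformInfo) bool {
		ok, verr := km.Verify("key-1", sig, requester)
		return verr == nil && ok
	}
	return Outcome{
		Legitimate: check(weixinSig, weixin),
		Impostor:   check(otherSig, other),
		Replayed:   check(weixinSig, other),
	}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out) // {Legitimate:true Impostor:false Replayed:false}
}
```

The point to notice is that the requester never supplies its own single-platform information: the device's key management module fills it in from what the operating system knows about the calling process, so a replayed signature fails because the reference signed information is rebuilt over the impostor's package name, and a signature the impostor legitimately holds fails because it was computed over the impostor's own cross-platform identifier rather than the one stored with the key.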
  • The method further includes: generating a correspondence between a second key identifier and the first cross-platform identifier.
  • The second secret key identifier is a secret key identifier of the first application that is different from the first secret key identifier.
  • In this way, a secret key use request of the first application that includes the second secret key identifier can also be verified in the second computer device.
  • The method further includes: generating a correspondence between the second secret key identifier and the verification signature public key of the first application, and sending this correspondence to the second computer device.
  • A key access control method is provided, which is applied to a target computer device; the target computer device includes multiple applications, and the multiple applications include a first application. The method includes: generating a secret key use request based on the first application, where the secret key use request includes the first secret key identifier.
  • the first cross-platform identification of the first application corresponding to the first key identification is obtained from the correspondence between each key identification of the plurality of key identifications and the cross-platform identification of the application.
  • the single-platform information of the first application includes the single-platform identification of the first application in the operating system of the target computer device.
  • The second cross-platform identifier corresponding to the single-platform information of the first application is obtained from the correspondence between the single-platform information and the cross-platform identifier of each of the multiple applications. If the first cross-platform identification is the same as the second cross-platform identification, it is determined that the verification of the key use request passes. In this way, the application to which the secret key indicated by the first secret key identifier belongs is determined according to the application's cross-platform identification. This overcomes the prior-art problem that, after the secret key is transmitted between computer devices with different operating systems, the target computer device cannot determine from the single-platform information which application the secret key indicated by the secret key identifier belongs to, so that the secret key use request of an application whose source is legitimate cannot pass verification.
  • the method further includes: generating a correspondence between the second key identifier and the first cross-platform identifier.
  • the second secret key identifier is a secret key identifier of the first application that is different from the first secret key identifier. Send the corresponding relationship between the second key identifier and the first cross-platform identifier to the second computer device, where the second computer device is a computer device different from the target computer device. In this way, the secret key use request of the first application that includes the second secret key identifier can also be verified in the second computer device.
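The following added Go example (written for this page; not the patent's or the assignee's code) contrasts the prior-art UID check with the identifier-comparison check described in the preceding bullets, and goes slightly beyond the page by also exercising an unrelated application on the target device. It uses constructed UIDs and key identifiers together with the cross-platform identifiers weixin and weibo from the page. Application 1 has UID1 on the source device and UID2 on the target device; the key record that is transmitted carries the key-identifier-to-cross-platform-identifier correspondence, and the target device's own UID-to-cross-platform-identifier table supplies the second identifier for the comparison.

```go
package main

import "fmt"

// Device models the key management module of one computer device. All device names,
// UIDs and key identifiers in this example are constructed.
type Device struct {
	Name       string
	keyToCross map[string]string // key identifier -> cross-platform identifier (travels with the key)
	keyToUID   map[string]int    // prior-art record: key identifier -> UID of the owner on the creating device
	uidToCross map[int]string    // this device's own table: UID -> cross-platform identifier
}

func NewDevice(name string) *Device {
	return &Device{Name: name, keyToCross: map[string]string{}, keyToUID: map[string]int{}, uidToCross: map[int]string{}}
}

// RegisterApp records the UID an application received when it was installed on this
// device, together with the application's cross-platform identifier.
func (d *Device) RegisterApp(uid int, crossID string) { d.uidToCross[uid] = crossID }

// CreateKey is called on the source device by the application with the given UID; it
// stores both the prior-art UID record and the cross-platform correspondence.
func (d *Device) CreateKey(keyID string, uid int) error {
	crossID, ok := d.uidToCross[uid]
	if !ok {
		return fmt.Errorf("%s: no application with UID %d", d.Name, uid)
	}
	d.keyToUID[keyID] = uid
	d.keyToCross[keyID] = crossID
	return nil
}

// TransmitKey copies the key's correspondences to another device, as when a key is
// synchronised between a user's devices (the secure transport itself is out of scope here).
func (d *Device) TransmitKey(keyID string, to *Device) error {
	crossID, ok := d.keyToCross[keyID]
	if !ok {
		return fmt.Errorf("%s: unknown key %q", d.Name, keyID)
	}
	to.keyToCross[keyID] = crossID
	to.keyToUID[keyID] = d.keyToUID[keyID]
	return nil
}

// VerifyByUID is the prior-art check: the request passes only if the requester's UID
// equals the UID stored with the key, which no longer holds after migration.
func (d *Device) VerifyByUID(keyID string, requesterUID int) bool {
	owner, ok := d.keyToUID[keyID]
	return ok && owner == requesterUID
}

// VerifyByCrossPlatformID is the check described on the page: the first cross-platform
// identifier comes from the key record, the second from the device's own table for the
// requesting UID; the request passes only if both exist and are equal.
func (d *Device) VerifyByCrossPlatformID(keyID string, requesterUID int) bool {
	first, ok1 := d.keyToCross[keyID]
	second, ok2 := d.uidToCross[requesterUID]
	return ok1 && ok2 && first == second
}

// Result holds the outcomes of the migration scenario.
type Result struct {
	UIDCheck   bool // prior-art check for the migrated application
	CrossCheck bool // cross-platform check for the migrated application
	OtherApp   bool // cross-platform check for a different application on the target
}

// Scenario reproduces the page's example: application 1 has UID1 on the source device
// and UID2 on the target device, and a second application (weibo) also lives on the target.
func Scenario() (Result, error) {
	source := NewDevice("source")
	target := NewDevice("target")
	const uid1, uid2, uidOther = 10001, 10042, 10043 // constructed UIDs
	source.RegisterApp(uid1, "weixin")
	target.RegisterApp(uid2, "weixin")
	target.RegisterApp(uidOther, "weibo")
	if err := source.CreateKey("key-1", uid1); err != nil {
		return Result{}, err
	}
	if err := source.TransmitKey("key-1", target); err != nil {
		return Result{}, err
	}
	return Result{
		UIDCheck:   target.VerifyByUID("key-1", uid2),
		CrossCheck: target.VerifyByCrossPlatformID("key-1", uid2),
		OtherApp:   target.VerifyByCrossPlatformID("key-1", uidOther),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // {UIDCheck:false CrossCheck:true OtherApp:false}
}
```

Unlike the signature-based variant, this check carries no cryptographic binding between the two identifiers, so its security rests entirely on the integrity of the transmitted key record and of the device's own UID-to-cross-platform table; that is why the page's other aspects add the signature information to be verified on top of it.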
  • a key access control method is provided, which is applied to a target computer device, the target computer device includes multiple applications, and the multiple applications include a first application; the method includes: generating a secret key use request based on the first application.
  • the secret key use request includes the first secret key identifier and the signature information to be verified of the first application.
  • the reference signed information of the first application is obtained, and the reference signed information of the first application is generated based on the first cross-platform identifier.
  • the signature information to be verified of the first application is verified to obtain a verification result, which is used to indicate whether the secret key use request is verified.
  • the target computer device verifies the signature information to be verified in the key use request by referring to the signed information, and refers to the cross-platform identification of the application in the signed information to determine the application to which the secret key indicated by the key identification belongs.
  • This overcomes the prior-art problem that, after the secret key is transmitted between computer devices with different operating systems, the target computer device cannot determine from the application's single-platform information which application the secret key indicated by the secret key identifier belongs to, so that the secret key use request of an application with a legitimate source cannot pass verification.
  • a secret key access control device is provided, which is used to implement the method provided in any one of the possible implementation manners provided in the first to third aspects.
  • the secret key access control device can be a computer device or a chip.
  • the secret key access control device includes various modules for executing the method provided in any one of the possible implementation manners provided in the first aspect to the third aspect.
  • The secret key access control device includes a memory and a processor; the memory is used to store computer program instructions, and the processor is used to call the computer program instructions to execute the method provided in any one of the possible implementation manners of the first to third aspects.
  • A computer-readable storage medium, such as a non-transitory computer-readable storage medium, is provided.
  • A computer program (or instructions) is stored thereon, and when the computer program (or instructions) runs on a computer, the computer executes the method provided in any one of the possible implementation manners of the first to third aspects.
  • A computer program product is provided which, when running on a computer, enables the method provided by any one of the possible implementation manners of the first to third aspects to be executed.
  • A chip is provided, including a processor configured to call from a memory and run a computer program stored in the memory, so as to execute the method provided in any one of the possible implementation manners of the first to third aspects.
  • FIG. 1 is a schematic diagram of a system architecture applicable to an embodiment of the present application
  • FIG. 2 is a software structure diagram of a computer device applicable to an embodiment of the present application;
  • FIG. 3 is a schematic structural diagram of a computing device to which the technical solution provided by this application is applicable;
  • FIG. 4 is a schematic flowchart of a method for controlling access to a secret key provided by an embodiment of this application;
  • FIG. 5 is a schematic flowchart of another key access control method provided by an embodiment of this application.
  • FIG. 6 is a schematic flowchart of a method for obtaining a secret key record according to an embodiment of the application
  • FIG. 7 is a schematic structural diagram of a secret key access control device provided by an embodiment of the application.
  • Refer to FIG. 1, which is a schematic diagram of a system architecture applicable to the embodiments of the present application.
  • the system shown in FIG. 1 includes an application server 201 and multiple computer devices 202.
  • the application server 201 in FIG. 1 can be connected to multiple computer devices 202 (for example, computer device 1 and computer device 2).
  • the application server 201 is a server corresponding to the application in the computer device 202.
  • the application server 201 may be a WeChat server, a QQ server, or the like.
  • the key management module 20 manages the keys of multiple applications 10.
  • The secret key management module 20 can access the secret key records in the storage module 30 and verify the secret key use requests of the applications 10, thereby managing access to the secret key records of the applications 10.
  • Refer to FIG. 3, which is a schematic structural diagram of a computing device 100 to which the technical solution provided in this application is applicable.
  • the application server 201 and the computer device 202 in FIG. 1 may be the computing device 100 in FIG. 3.
  • the computing device 100 shown in FIG. 3 may include at least one processor 101, a communication line 102, a memory 103, and at least one communication interface 104.
  • The processor 101 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of this application.
  • CPU central processing unit
  • ASIC application-specific integrated circuit
  • the communication line 102 may include at least one path, such as a data bus, and/or a control bus, for transmitting information between the aforementioned components (such as at least one processor 101, communication line 102, memory 103, and at least one communication interface 104).
  • the communication interface 104 uses any device such as a transceiver to communicate with other devices or communication networks, such as wide area networks (WAN), local area networks (LAN), and so on.
  • WAN wide area networks
  • LAN local area networks
  • The memory 103 can be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, or a random access memory (RAM) or another type of dynamic storage device that can store information and instructions.
  • It can also be an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these.
  • EEPROM electrically erasable programmable read-only memory
  • CD-ROM compact disc read-only memory
  • the memory 103 may exist independently, and is connected to the processor 101 through a communication line 102.
  • the memory 103 may also be integrated with the processor 101.
  • The memory 103 provided by the embodiment of the present application generally includes a non-volatile memory. The memory 103 is used to store computer instructions for executing the solution of the present application, and the processor 101 controls their execution.
  • the processor 101 is configured to execute computer instructions stored in the memory 103, so as to implement the method provided in the following embodiments of the present application.
  • the storage 103 includes a memory and a hard disk.
  • the computer instructions in the embodiments of the present application may also be referred to as application program codes or systems, which are not specifically limited in the embodiments of the present application.
  • The computing device 100 may include multiple processors, and each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor.
  • the processor here may refer to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
  • the computing apparatus 100 may further include an output device 105 and/or an input device 106.
  • the output device 105 communicates with the processor 101 and can display information in a variety of ways.
  • The output device 105 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like.
  • the input device 106 communicates with the processor 101 and can receive user input in a variety of ways.
  • the input device 106 may be a mouse, a keyboard, a touch screen device, a sensor device, or the like.
  • the computing device shown in FIG. 3 is only an example, and it does not limit the applicable computer equipment or application server of the embodiment of the present application.
  • the computer device or application server may include more or less devices or devices than those shown in FIG. 3.
  • the function of the key management module 20 in FIG. 2 may be implemented by the processor 101 in FIG. 3 executing a program in the memory 103.
  • the storage module 30 in FIG. 2 may be the memory 103 in FIG. 3.
  • the platform is an operating system, such as an Apple operating system (iOS) or an Android operating system.
  • iOS Apple operating system
  • Android Android operating system
  • the single-platform identification of the application is the identification information of the application in a certain operating system.
  • the single-platform identity of the application can be defined by the developer of the application.
  • the single-platform identification of WeChat in the Android operating system may be at least one of the package name of WeChat in the Android system (such as com.tencent.xin) or the signature of WeChat in the Android system.
  • the single-platform identification of WeChat in the Apple operating system may be at least one of the package name of WeChat in the Apple operating system (for example: com.tencent.mm) or the signature of WeChat in the Apple operating system.
  • An application has a unique single-platform identifier on one platform, and different single-platform identifiers on different platforms.
  • the cross-platform identification of the application is the unified identification information of the application in different operating systems.
  • the cross-platform identity of the application can be defined by the developer of the application.
  • the cross-platform identifier of WeChat may be weixin
  • the cross-platform identifier of Weibo may be weibo, etc.
  • An application has a single, unique cross-platform identification that is the same across different operating systems.
  • the secret key refers to the secret information used to complete cryptographic applications such as encryption, decryption, and integrity verification.
  • symmetric cryptography or secret key cryptography
  • the encryption key and the decryption key are the same, so the secret key needs to be kept secret.
  • public key cryptography or asymmetric cryptography
  • the encryption key and the decryption key are different: usually one is public and is called the public key (such as the public key for verifying a signature); the other is confidential and is called the private key (such as the signature private key).
  • the encryption key is the public key
  • the decryption key is the private key.
  • the encryption key is the private key
  • the decryption key is the public key.
  • Signature is a cryptographic application in public key cryptography, used for identity verification or data integrity verification.
  • the signature is used to verify the identity of the secret key use request.
  • the signing process may include: the application or the application server uses the signature private key of the application to perform a signature operation on the signed information of the application to obtain the signature information of the application.
  • the signed information of the application refers to the information to be executed for the signature operation.
  • This application does not limit the method of obtaining the signed information.
  • the computer device can use the first algorithm to calculate the cross-platform identification of the application and the single-platform information of the application to obtain the signed information.
  • the first algorithm may be an algorithm of "combining the cross-platform identification of the application and the single-platform information of the application to obtain character string information, and using the character string information as the signed information".
  • The combination manner may be to concatenate the cross-platform identification of the application and the single-platform information of the application. This application does not limit the order in which the cross-platform identification and the single-platform information are concatenated.
  • The combination manner may also be to concatenate the cross-platform identification of the application, the single-platform information of the application, and a predefined character string (such as "#123***"). The order in which the cross-platform identification, the single-platform information and the predefined string are concatenated is not limited.
  • The first algorithm can also be an algorithm of "combining the cross-platform identification of the application and the single-platform information of the application to obtain string information, hashing the string information with a hash algorithm to obtain the hash value corresponding to the string information, and using the hash value as the signed information".
  • the hash algorithm may include, but is not limited to, SHA256 or SHA1.
  • the signature information of the application is the information obtained by using the signature private key to perform the signature calculation on the signed information of the application according to the signature algorithm.
  • Two kinds of signature are involved: the application signature of the application and the signature information to be verified of the application.
  • the application signature of an application is information obtained by performing a signature operation on the first signed information of the application using the first signature private key according to the first signature algorithm.
  • the first signed information includes installation package information of the application.
  • the application signature of an application is the information generated when the installation package file is generated before the application is installed on the platform.
  • the application signature of the application is used to reduce the risk of tampering with the installation file of the application. If any file in the installation package is changed when the application is installed compared to the file in the first signed information of the application, the application verification fails and the application cannot be successfully installed.
  • the signature information to be verified of the application is information obtained by performing a signature operation on the second signed information of the application using the second signature private key according to the second signature algorithm.
  • the application's signature information to be verified is used to verify whether the application's single-platform information corresponds to the application's cross-platform identification, thereby enhancing the security of the application's cross-platform key management.
  • The second signed information includes the application's cross-platform identification and the application's single-platform information, where the single-platform information includes the application's single-platform identification and, optionally, the application signature of the application and the single-platform signature public key of the application.
  • the single-platform information of the application includes the application signature of the application, which can improve the security of secret key management.
  • the single-platform signature public key of the application is used to verify the application signature of the application.
  • the signature information to be verified of the application may be preset in the computer device, for example, it is preset in the computer device by the application developer, or the application server sends the signature information to be verified of the application to the computer device.
  • the application server may include a signature module configured to perform a signature operation on the second signed information of the application using the second signature private key according to the second signature algorithm to obtain the signature information to be verified of the application.
  • the first signature algorithm and the second signature algorithm may be the same or different.
  • either of the first signature algorithm and the second signature algorithm may be an asymmetric encryption algorithm (RSA), an elliptic curve digital signature algorithm (ECDSA), or the like.
  • the first signature private key and the second signature private key may be the same or different, which is not limited in this application.
  • the verification algorithm is an algorithm that judges whether the signature information to be verified is correct, taking as input the signature information to be verified, the verification signature public key, and the signed information.
  • words such as "exemplary" or "for example" are used to present examples, instances, or illustrations. Any embodiment or design solution described as "exemplary" or "for example" in the embodiments of the present application should not be construed as being more preferable or advantageous than other embodiments or design solutions. To be precise, words such as "exemplary" or "for example" are used to present related concepts in a specific manner.
  • At least one refers to one or more.
  • Multiple means two or more.
  • "and/or" merely describes an association relationship between associated objects and indicates that three kinds of relationship may exist; for example, A and/or B can mean that A exists alone, that A and B exist at the same time, or that B exists alone.
  • the character "/" in this text generally indicates that the associated objects before and after are in an "or" relationship.
  • the computer device stores the application's cross-platform identifier, the application's signature information to be verified, the application's single-platform information, the application's first signature private key, the application's second signature private key, the second verification signature public key corresponding to the second signature private key, and so on.
  • the correspondence between the secret key identifier and the application's cross-platform identifier, between the secret key identifier and the second signed information, between the secret key identifier and the second verification signature public key, and between the secret key identifier and the application's single-platform information is illustrated below by taking the form of a secret key record as an example.
  • Secret key transmission means that the source computer device transmits the secret key record of the application stored in the source computer device to the target computer device, and the target computer device stores the secret key record of the application.
  • the secret key record includes: secret key identification, secret key value, and cross-platform identification of the application.
  • the secret key record may also include the second signed information, the second verification signature public key, and the single platform information of the application.
  • a secret key record includes a secret key identifier, and different secret key records include different secret key identifiers.
  • the cross-platform identifier of the application in the secret key record is used to characterize the application to which the secret key indicated by the secret key identifier included in the secret key record belongs. Different data generated by an application can be encrypted or decrypted with different secret keys. Therefore, an application can correspond to one or more secret key records.
  • when multiple secret key records belong to the same application, the cross-platform identifiers of the application in those records are the same, while the second verification signature public keys in those records may be the same or different, and the second signed information in those records may likewise be the same or different.
  • the embodiment of the present application does not limit the method for obtaining the secret key record stored in the computer device.
  • the secret key record is preset in the storage module of the computer device.
  • the secret key record is transmitted from another computer device (for example, the secret key record in the target computer device comes from the source computer device).
  • the computer device obtains the secret key record by using the method in the second embodiment.
  • in the secret key record of application 1, the cross-platform identifier of the application is the cross-platform identifier of application 1, the second verification signature public key is the second verification signature public key of application 1, the second signed information is the second signed information of application 1, and the single-platform information is the single-platform information of application 1.
  • the technical solution of the secret key access control method of the present application is described.
  • the operating system of the target computer device and the operating system of the source computer device may be the same or different.
  • FIG. 4 is a schematic flowchart of a key access control method provided by an embodiment of this application. Exemplarily, this embodiment may be applied to the computer device shown in FIG. 2.
  • the method shown in FIG. 4 may include the following steps:
  • Application 1 generates a secret key use request.
  • the key use request is used by the application 1 to request a service from the key management module.
  • application 1 is any application in the target computer device.
  • the secret key use request includes: the signature information to be verified of the application 1 and the first secret key identifier.
  • the service requested by the secret key use request includes: obtaining the first secret key value, encrypting the data of application 1 using the first secret key value, or using the first secret key value to perform a signature operation on the third signed information of application 1 according to the third signature algorithm, and so on.
  • the third signed information may be information in application 1 that needs to be signed.
  • the third signed information can be the same as or different from the second signed information.
  • the algorithm service based on the secret key requested by the secret key use request may also be other services, which are not limited in the embodiment of the present application.
  • the secret key use request may include: the first secret key identifier and the signature information of the application 1 to be verified.
  • the secret key use request may include: the first secret key identifier, the signature information to be verified of application 1, the identification information of the encryption algorithm, and the data of application 1.
  • the secret key use request may include: the first secret key identifier, the signature information to be verified of application 1, the identification information of the third signature algorithm, and the third signed information of application 1.
  • the identifier of the application 1 is an identifier that can be recognized by the operating system where the application 1 is located, and is used for the key management module to obtain the single-platform information of the application 1 through the functions provided by the operating system.
  • the identity of the application 1 is different from the single-platform identity of the application 1 and the cross-platform identity of the application 1.
  • the secret key value corresponding to the first secret key identifier is the first secret key value.
  • the embodiment of the present application does not limit the trigger condition for the application 1 to generate the secret key use request. For example, when the application 1 needs to encrypt the data of the application 1, the secret key use request is generated. The service requested by the secret key use request is to encrypt the data of the application 1 using the first secret key value.
  • Application 1 sends the secret key use request to the secret key management module.
  • the secret key management module obtains the first single platform information of the application 1 according to the identification of the application 1.
  • the first single-platform information is the single-platform information of the application 1 in the operating system of the target computer device.
  • Single-platform information of multiple applications is preset in the target computer device where the application 1 is located.
  • the key management module uses the package manager service (PMS) in the platform to obtain the identifier of application 1, uses that identifier to obtain the single-platform information of the application corresponding to it, and uses the obtained single-platform information as the first single-platform information of application 1.
  • the key management module obtains the cross-platform identification in the key record where the first key identification is located, and uses the cross-platform identification as the first cross-platform identification of the application 1.
  • the key management module obtains the reference signed information of the application 1 according to the first single-platform information of the application 1 and the first cross-platform identification of the application 1.
  • the embodiment of the present application does not limit the specific implementation manner in which the key management module obtains the reference signed information of the application 1 according to the first single-platform information of the application 1 and the first cross-platform identification of the application 1.
  • the key management module obtains, from the stored correspondence between the single-platform information and cross-platform identifier of each of the multiple applications and the reference signed information, the reference signed information corresponding to the first single-platform information and the first cross-platform identifier of application 1, and uses the obtained reference signed information as the reference signed information of application 1.
  • the reference signed information of application 1 can be obtained in the following manner:
  • Step 1 Determine the first algorithm according to the identification of the application 1.
  • the first algorithm is a predefined algorithm used in generating the second signed information of the application 1 in the computer device.
  • the computer device prestores the correspondence between the identification of each of the multiple applications and the identification information of the first algorithm
  • the secret key management module can use the correspondence between the identification of the application and the identification information of the first algorithm to:
  • the identification information of the first algorithm corresponding to the identification of the application 1 is acquired, and the first algorithm corresponding to the acquired identification information of the first algorithm is taken as the first algorithm of the application 1.
  • Step 2 Use the first algorithm of application 1, the first cross-platform identifier of application 1, and the first single-platform information of application 1 to generate signed information, and use the generated signed information as the reference signed information of application 1.
  • the above-mentioned method of obtaining the reference signed information of application 1 can be used whether the operating system of the source computer device and that of the target computer device are the same or different; when they are the same, the first single-platform information of application 1 is the same as the second single-platform information of application 1, where the second single-platform information of application 1 is the single-platform information of application 1 in the secret key record where the first secret key identifier is located (that is, the secret key record sent by the source computer device to the target computer device).
  • the key management module can also obtain the second signed information of the application in the key record where the first key identifier is located, and use the obtained second signed information of the application as the reference signed information of the application 1. In this way, it helps to save computing resource overhead.
  • the secret key management module obtains the second verification signature public key corresponding to the first secret key identifier according to the first secret key identifier, and uses the obtained second verification signature public key as the second verification signature public key of application 1.
  • the key management module obtains the second verification signature public key in the key record where the first secret key identifier is located, and uses the obtained second verification signature public key as the second verification signature public key of the application 1.
  • the secret key record includes the corresponding relationship between the first secret key identifier, the first secret key value, the cross-platform identifier of application 1 and the second verification signature public key of application 1.
  • the secret key record may also include the second signed information of Application 1 and the single-platform information of Application 1.
  • the secret key management module obtains the verification algorithm of the second signature algorithm of the application 1 according to the identification of the application 1.
  • a verification algorithm of the second signature algorithm of the application 1 is defined in the key management module.
  • the embodiment of the present application does not limit the execution order of S102 and S103.
  • S102 may be executed after S103 is executed.
  • the embodiment of the present application does not limit the execution order of S104, S105, and S106. For example, after S105 is executed, S106 is executed, and then S104 is executed.
  • the secret key management module uses the verification algorithm of the second signature algorithm of application 1 to obtain the verification result of the signature information to be verified of application 1 according to the second verification signature public key of application 1 and the reference signed information of application 1; the verification result is either verification passed or verification failed.
  • the key management module can input the signature information to be verified of application 1, the second verification signature public key of application 1, and the reference signed information of application 1 into the verification algorithm of the second signature algorithm of application 1 to obtain the verification result of the signature information to be verified of application 1.
  • the second signature algorithm is the signature algorithm used when obtaining the signature information to be verified.
  • if the verification result is that the verification is passed, the key management module provides application 1 with the service requested by the key use request and sends the result to application 1. Specifically, when the service requested by the secret key use request is to obtain the first secret key value, the secret key management module obtains the secret key value in the secret key record where the first secret key identifier is located, uses the obtained secret key value as the first secret key value, and sends the first secret key value to application 1.
  • when the service requested is to encrypt the data of application 1, the secret key management module obtains the secret key value in the secret key record where the first secret key identifier is located, uses the obtained secret key value as the first secret key value, uses the first secret key value as the private key with the encryption algorithm indicated in the secret key use request to encrypt the data of application 1 carried in the request, and sends the encrypted data of application 1 to application 1.
  • when the service requested is a signature operation, the secret key management module obtains the secret key value in the secret key record where the first secret key identifier is located, uses the obtained secret key value as the first secret key value, uses the first secret key value as the signature private key to perform a signature operation on the third signed information of application 1 according to the third signature algorithm to obtain the third signature information, and sends the obtained third signature information to application 1.
  • if the verification result is that the verification fails, the secret key use request of application 1 is illegal. The secret key management module then generates a notification message indicating that the verification of the secret key use request fails, and sends the notification message to application 1.
  • the key management module verifies the signature information to be verified in the key use request by using the reference signed information; because the cross-platform identifier of the application in the reference signed information comes from the secret key record, the application to which the secret key indicated by the secret key identifier in that record belongs can be determined.
  • the single-platform information of the application comes from the target computer device, which can increase security.
  • in the prior art, after the secret key is transmitted between computer devices with different operating systems, the secret key management module cannot determine, according to the single-platform information in the secret key record, the application to which the secret key indicated by the secret key identifier in the record belongs.
  • the cross-platform identification of application 1 in the source computer device is cross-platform identification 1
  • the cross-platform identification of application 1 in the target computer device is cross-platform identification 1
  • secret key 1 is a secret key whose cross-platform identifier is cross-platform identifier 1, that is, a secret key of application 1.
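  • The following is an added example, not code from the patent or from its assignee, of the FIG. 4 flow and the signature definitions above: an application server signs the second signed information (cross-platform identifier plus single-platform information) with the second signature private key, and the key management module on the target device rebuilds the reference signed information from the key record's cross-platform identifier and the device's own single-platform information, verifies it with the second verification signature public key from the record, and only then releases the key value. ECDSA P-256 over SHA-256, the "|" separator used as the first algorithm, and every identifier and key value are this example's assumptions and constructed sample data; the patent fixes none of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecretKeyRecord: key identifier, key value, the owning application's
// cross-platform identifier and the second verification signature public key.
type SecretKeyRecord struct {
	KeyID           string
	KeyValue        []byte
	CrossPlatformID string
	VerifyPubKey    *ecdsa.PublicKey
}

// KeyUseRequest carries the first key identifier and the signature
// information to be verified (S101). Signature is ASN.1 DER encoded.
type KeyUseRequest struct {
	KeyID     string
	Signature []byte
}

// KeyManager stands in for the key management module: its key records and
// the single-platform information per platform-level application identifier
// (a real platform would query the package manager service; a map here).
type KeyManager struct {
	records            map[string]SecretKeyRecord
	singlePlatformInfo map[string]string
}

// referenceSignedInfo is the "first algorithm" of S104 step 2; this example
// assumes a simple separator-joined encoding.
func referenceSignedInfo(crossPlatformID, singlePlatformInfo string) []byte {
	return []byte(crossPlatformID + "|" + singlePlatformInfo)
}

// SignSecondSignedInfo is the application server's signature module: it signs
// the second signed information with the second signature private key.
func SignSecondSignedInfo(priv *ecdsa.PrivateKey, crossPlatformID, singlePlatformInfo string) ([]byte, error) {
	digest := sha256.Sum256(referenceSignedInfo(crossPlatformID, singlePlatformInfo))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// HandleKeyUseRequest performs S103 to S108 for the service "obtain the first
// secret key value". Neither the cross-platform identifier nor the
// single-platform information is taken from the request: the first comes
// from the record, the second from this device, so the signature verifies
// only if it binds exactly this application to exactly this key's owner.
func (km *KeyManager) HandleKeyUseRequest(appID string, req KeyUseRequest) ([]byte, error) {
	rec, ok := km.records[req.KeyID]
	if !ok {
		return nil, errors.New("verification failed: unknown secret key identifier")
	}
	spi, ok := km.singlePlatformInfo[appID]
	if !ok {
		return nil, errors.New("verification failed: no single-platform information for application")
	}
	digest := sha256.Sum256(referenceSignedInfo(rec.CrossPlatformID, spi))
	if !ecdsa.VerifyASN1(rec.VerifyPubKey, digest[:], req.Signature) {
		return nil, errors.New("verification failed: signature does not match reference signed information")
	}
	return rec.KeyValue, nil
}

// Scenario builds a target device holding one key record for the
// cross-platform identifier "weixin" plus a valid request from the
// legitimate application. All values are constructed sample data.
func Scenario() (*KeyManager, KeyUseRequest, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, KeyUseRequest{}, err
	}
	km := &KeyManager{
		records: map[string]SecretKeyRecord{"key-1": {KeyID: "key-1", KeyValue: []byte("constructed-key-value"),
			CrossPlatformID: "weixin", VerifyPubKey: &priv.PublicKey}},
		singlePlatformInfo: map[string]string{"app1-platform-id": "spi-app1", "other-platform-id": "spi-other"},
	}
	sig, err := SignSecondSignedInfo(priv, "weixin", "spi-app1")
	return km, KeyUseRequest{KeyID: "key-1", Signature: sig}, err
}

func main() {
	km, req, err := Scenario()
	if err != nil {
		panic(err)
	}
	v, err := km.HandleKeyUseRequest("app1-platform-id", req)
	fmt.Printf("application 1: value=%q err=%v\n", v, err)
	// A different application has different single-platform information, so
	// the rebuilt reference signed information no longer matches the signature.
	_, err = km.HandleKeyUseRequest("other-platform-id", req)
	fmt.Println("other application:", err)
}
```

  • The point of the check is that the verifier never trusts identifiers supplied in the request: the cross-platform identifier is read from the key record and the single-platform information from the platform, so a request copied from one application cannot pass as another.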
  • FIG. 5 is a schematic flowchart of another method for controlling access to a secret key provided by an embodiment of this application.
  • this embodiment may be applied to the computer device shown in FIG. 2.
  • the method shown in FIG. 5 may include the following steps:
  • Application 1 generates a secret key use request.
  • the key use request is used by the application 1 to request a service from the key management module.
  • application 1 is any application in the target computer device.
  • the secret key use request includes: the first secret key identifier.
  • the secret key use request further includes: signature information to be verified of the application 1.
  • the identifier of the application 1 is an identifier that can be recognized by the operating system where the application 1 is located, and is used for the key management module to obtain the single-platform information of the application 1 through the functions provided by the operating system.
  • the identity of the application 1 is different from the single-platform identity of the application 1 and the cross-platform identity of the application 1.
  • the secret key value corresponding to the first secret key identifier is the first secret key value.
  • the embodiment of the present application does not limit the trigger condition for the application 1 to generate the secret key use request. For example, when the application 1 needs to encrypt the data of the application 1, the secret key use request is generated. The service requested by the secret key use request is to encrypt the data of the application 1 using the first secret key value.
  • Application 1 sends the secret key use request to the secret key management module.
  • the key management module obtains the cross-platform identification in the key record where the first key identification is located, and uses the cross-platform identification as the first cross-platform identification of the application 1.
  • the secret key management module obtains the first single platform information of the application 1.
  • the first single-platform information is the single-platform information of the application 1 in the operating system of the target computer device.
  • Single-platform information of multiple applications is preset in the target computer device where the application 1 is located.
  • the key management module uses the package manager service (PMS) in the platform to obtain the identifier of application 1, uses that identifier to obtain the single-platform information of the application corresponding to it, and uses the obtained single-platform information as the first single-platform information of application 1.
  • the secret key management module obtains the second cross-platform identifier of the application 1 according to the first single-platform information of the application 1.
  • the second cross-platform identifier of the application 1 is used by the key management module to determine the secret key record belonging to the application 1.
  • the secret key management module obtains the cross-platform identifier corresponding to the first single-platform information from the stored correspondence between the cross-platform identifier and the single-platform information of each of the multiple applications, and uses the obtained cross-platform identifier as the second cross-platform identifier of application 1.
  • S202 is executed after S203 to S204 are executed.
  • S205 The key management module judges whether the first cross-platform identification of application 1 is the same as the second cross-platform identification of application 1.
  • S206 The key management module provides the application 1 with the service requested by the key use request.
  • the key management module obtains the result of the service requested by the key use request, and sends the result to the application 1.
  • the secret key management module generates a notification message.
  • the notification message indicates that the key use request verification fails.
  • the key management module sends the notification message to the application 1.
  • S204 to S205 in this embodiment are optional steps.
  • when the secret key use request also includes the signature information to be verified of application 1, that signature information is obtained by signing the first cross-platform identifier of the application with the second signature private key according to the second signature algorithm.
  • the reference signed information of application 1 can be obtained in combination with the method in S104 of the first embodiment; in this case the reference signed information includes only the first cross-platform identifier.
  • the secret key management module executes S105 to obtain the second verification signature public key of the application 1.
  • the key management module executes S106 to obtain the verification algorithm of the second signature algorithm of the application 1.
  • the key management module uses the verification algorithm of the second signature algorithm of the application 1 to obtain the verification result of the signature information to be verified of the application 1 according to the second verification signature public key of the application 1 and the reference signed information of the application 1.
  • the verification results include: verification passed or verification failed. If the verification result is that the verification is passed, it means that the secret key use request of application 1 is legal. Subsequently, the key management module provides the application 1 with the service requested by the key use request, and sends the result to the application 1. If the verification result is that the verification fails, it means that the secret key use request of Application 1 is illegal. Subsequently, the secret key management module generates a notification message, which indicates that the verification of the secret key use request fails. The key management module sends the notification message to the application 1.
  • the key management module can determine the application to which the secret key indicated by the secret key identifier in each stored secret key record belongs according to the cross-platform identifier of the application included in that record. This overcomes the problem in the prior art that, after the secret key is transmitted between computer devices with different operating systems, the secret key management module cannot determine, according to the single-platform information in the secret key record, the application to which the secret key indicated by the secret key identifier belongs, and therefore cannot make the key use request of a legitimate application pass the verification.
  • the cross-platform identification of application 1 in the source computer device is cross-platform identification 1
  • the cross-platform identification of application 1 in the target computer device is cross-platform identification 1
  • secret key 1 is a secret key whose cross-platform identifier is cross-platform identifier 1, that is, a secret key of application 1. After secret key 1 is transmitted to the target computer device, application 1 requests secret key 1 in the target computer device. The target computer device can still recognize cross-platform identifier 1 as the cross-platform identifier of application 1, so the key use request in which application 1 requests secret key 1 in the target computer device can pass the verification.
  • FIG. 6 is a schematic flowchart of a method for obtaining a secret key record according to an embodiment of this application. Illustratively, this embodiment can be applied to the computer device shown in FIG. 2.
  • the method shown in FIG. 6 may include the following steps:
  • Application 1 generates a storage request for secret key record 1.
  • application 1 is any one of the applications in the computer device.
  • the storage request of the secret key record 1 includes the first identification information, and at least one of the cross-platform identification of the application 1 or the identification of the application 1.
  • the storage request of the secret key record 1 further includes: at least one of the length of the secret key or the second verification signature public key of the application 1.
  • the first identification information is used to indicate the algorithm for generating the secret key value and secret key identifier of the secret key record 1.
  • the key length is used to identify the security strength of the key value used to generate the key record 1.
  • the second verification signature public key of application 1 is the verification public key corresponding to the second signature private key of application 1, and is used by the secret key management module to verify the signature information to be verified of application 1. For details, refer to S107 in Embodiment 1, which will not be repeated here.
  • the storage request of the secret key record 1 further includes: the second signed information of the application 1 and the single-platform information of the application 1.
  • the platform of the application 1 may be an Android operating system
  • the application 1 may be WeChat
  • the cross-platform identification of the application in the storage request of the key record 1 generated by the application 1 may be weixin.
  • the embodiment of the present application does not limit the trigger condition of the storage request for the application 1 to generate the secret key record 1.
  • the application 1 generates the storage request for the secret key record 1 when generating the data to be encrypted.
  • S302 The application 1 sends a storage request of the secret key record 1 to the secret key management module.
  • the secret key management module generates the secret key identifier and secret key value of the secret key record 1 according to the first identification information.
  • when the storage request of secret key record 1 also includes the secret key length, the secret key management module generates the secret key identifier and the secret key value of secret key record 1 according to the first identification information and the secret key length.
  • the embodiment of the application does not limit the method for generating the secret key identifier and secret key value of the secret key record 1.
  • the algorithm indicated by the first identification information, as defined in the secret key management module, defines the rules for generating secret key values of multiple lengths.
  • the secret key management module inputs the secret key length into the second algorithm to execute the method of generating the secret key value of the secret key length to generate the secret key value.
  • the secret key management module can generate a unique serial code as the secret key identifier of the secret key value.
  • the secret key management module obtains the cross-platform identity of application 1 according to the identity of application 1.
  • the key management module obtains the single-platform information of application 1 according to the identifier of application 1, and obtains the cross-platform identifier of application 1 corresponding to that single-platform information according to the correspondence between the single-platform information of application 1 and the cross-platform identifier of application 1.
  • the embodiment of the present application does not limit the method for obtaining the cross-platform identification of the application 1 corresponding to the single-platform information of the application 1 according to the correspondence between the single-platform information of the application 1 and the cross-platform identification of the application 1.
  • the query server (such as a cloud server) of the secret key management module stores the correspondence between the single-platform information of application 1 and the cross-platform identifier of application 1, and the secret key management module can send the single-platform information of application 1 to the query server to query the cross-platform identifier of application 1 corresponding to that single-platform information.
  • the storage module is preset with the corresponding relationship between the single-platform information of Application 1 and the cross-platform identification of Application 1.
  • the corresponding relationship can be obtained by querying the server for downloading, or it can be obtained when the computer equipment is produced.
  • the secret key management module may send the single-platform information of application 1 to the storage module to query the cross-platform identification of application 1 corresponding to the single-platform information of application 1.
  • S304 is an optional step: in some cases it does not need to be executed, while in other cases it needs to be executed.
  • the embodiment of this application does not limit the execution order of S303 and S304. For example, S303 may be executed after S304 is executed.
  • the secret key management module generates the secret key record 1 of the application 1.
  • the secret key record 1 includes the secret key identifier of the secret key record 1, the secret key value, and the cross-platform identifier of the application 1.
  • the secret key record 1 may also include at least one of: the second verification signature public key of application 1, the second signed information of application 1, and the single-platform information of application 1.
  • the secret key identifier and secret key value of secret key record 1 may be generated by the secret key management module, as in the second embodiment above.
  • the secret key identifier and secret key value of secret key record 1 may also be generated by the application. In that case, the storage request for secret key record 1 in S301 also includes the secret key identifier and the secret key value of secret key record 1, and the secret key management module generates secret key record 1 from the information in the storage request and stores it.
  • the embodiment of the present application may divide the computer equipment into functional modules according to the foregoing method examples.
  • each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above-mentioned integrated modules can be implemented in the form of hardware or software functional modules. It should be noted that the division of modules in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • the secret key access control device 70 can be used to execute the functions performed by the computer equipment in any one of the above embodiments (the embodiment shown in FIG. 4 or FIG. 6).
  • the key access control device 70 includes a plurality of applications, and the plurality of applications includes a first application.
  • the secret key access control device 70 further includes: a generation module 701 and a secret key management module 702. Wherein, the generating module 701 is configured to generate a secret key use request based on the first application.
  • the secret key use request includes the first secret key identifier and the signature information to be verified of the first application.
  • the secret key management module 702 is configured to obtain the reference signed information of the first application according to the identifier of the first application and the first secret key identifier.
  • the reference signed information of the first application is generated based on the single-platform information of the first application and the first cross-platform identifier.
  • the single-platform information of the first application includes the single-platform identifier of the first application in the operating system of the secret key access control device 70.
  • the secret key management module 702 is further configured to verify the to-be-verified signature information of the first application according to the first secret key identifier and the reference signed information of the first application, to obtain a verification result.
  • the verification result is used to indicate whether the secret key use request passes verification.
  • for example, in conjunction with the embodiments shown in FIG. 4 and FIG. 6, the generation module 701 may be used to perform S100 and the secret key management module 702 may be used to perform S102 to S107; alternatively, the generation module 701 may be used to perform S301 and the secret key management module 702 may be used to perform S303 to S305.
  • the secret key management module 702 is specifically configured to: obtain the single-platform information of the first application using the identifier of the first application; obtain, according to the first secret key identifier, the first cross-platform identifier of the first application corresponding to the first secret key identifier from the correspondence between each of the multiple secret key identifiers and the cross-platform identifier of an application; and acquire the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier.
  • the secret key management module 702 is specifically configured to use a hash algorithm to generate the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identification.
  • the secret key management module 702 is specifically configured to: according to the single-platform information of the first application and the first cross-platform identifier, select, from the correspondence between each of multiple pieces of reference signed information and the first information of an application, the reference signed information that corresponds to both the single-platform information of the first application and the first cross-platform identifier, and use it as the reference signed information of the first application.
  • the first information of an application includes the single-platform information of the application and the cross-platform identifier of the application.
  • the single-platform information of the first application further includes at least one of: the application signature of the first application and the single-platform signature public key of the first application.
  • the application signature of the first application is information obtained by performing a signature calculation on the installation package information of the first application.
  • the secret key management module 702 is specifically configured to: obtain, according to the first secret key identifier, the verification signature public key of the first application from the correspondence between each of the multiple secret key identifiers and a verification signature public key; and verify the to-be-verified signature information of the first application according to the verification signature public key of the first application and the reference signed information of the first application.
  • the single-platform signature public key of the first application is used to verify the application signature of the first application.
  • the generating module 701 is further configured to: generate a corresponding relationship between the second secret key identifier and the first cross-platform identifier.
  • the secret key access control device 70 further includes a sending module 703, configured to send the corresponding relationship between the second secret key identifier and the first cross-platform identifier to the second computer device.
  • the second computer device is a device different from the secret key access control device 70.
  • the generating module 701 is further configured to generate a correspondence between the second secret key identifier and the verification signature public key of the first application.
  • the sending module 703 is further configured to send the corresponding relationship between the second secret key identifier and the verification signature public key of the first application to the second computer device.
  • the above-mentioned sending module 703 can be implemented by the communication interface 104 in FIG. 3; the generation module 701 and the secret key management module 702 can both be implemented by the processor 101 in FIG. 3 calling a program.
  • the secret key access control device 70 can be used to execute the functions performed by the computer equipment in any of the above embodiments (the embodiment shown in FIG. 5).
  • the key access control device 70 includes a plurality of applications, and the plurality of applications includes a first application.
  • the secret key access control device 70 further includes: a generation module 701 and a secret key management module 702. Wherein, the generating module 701 is configured to generate a secret key use request based on the first application.
  • the secret key use request includes the first secret key identifier.
  • the secret key management module 702 is configured to: obtain, according to the first secret key identifier, the first cross-platform identifier of the first application corresponding to the first secret key identifier from the correspondence between each of the multiple secret key identifiers and the cross-platform identifier of an application; and obtain the single-platform information of the first application.
  • the single-platform information of the first application includes the single-platform identifier of the first application in the operating system of the secret key access control device 70.
  • the secret key management module 702 is further configured to obtain, according to the single-platform information of the first application, the second cross-platform identifier corresponding to that single-platform information from the correspondence between the single-platform information and the cross-platform identifier of each of the multiple applications, and to determine that the secret key use request passes verification if the first cross-platform identifier is the same as the second cross-platform identifier.
  • the generating module 701 may be used to perform S200, and the key management module 702 may be used to perform S202 to S207.
  • the generating module 701 is further configured to: generate a corresponding relationship between the second secret key identifier and the first cross-platform identifier.
  • the secret key access control device 70 further includes a sending module 703, configured to send the corresponding relationship between the second secret key identifier and the first cross-platform identifier to the second computer device.
  • the second computer device is a device different from the secret key access control device 70.
  • the above-mentioned sending module 703 can be implemented by the communication interface 104 in FIG. 3; the generation module 701 and the secret key management module 702 can both be implemented by the processor 101 in FIG. 3 calling a program.
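The two verification methods described for the secret key access control device 70 above (verifying the application's signature against reference signed information, and comparing the cross-platform identifier bound to the key with the one derived from the caller), together with the key record generation and cross-platform identifier lookup of S303/S304, as one added Python example. This is illustration code written for this page, not Huawei's implementation. The record layout, the hashing of single-platform information together with the cross-platform identifier, the table names and the sample applications are assumptions, and the signature scheme is a deliberately tiny textbook RSA that only stands in for a real scheme such as Ed25519 so that the block runs with the standard library.

```python
"""Added example, not the patent's own code: key access control built on a
cross-platform application identifier, following WO2021159818A1.  All names,
record layouts and sample values are constructed for this illustration."""
from __future__ import annotations
import hashlib
import uuid
from dataclasses import dataclass

# Toy textbook RSA over a 40-bit modulus so the block runs with the standard library
# only.  It is NOT secure; it stands in for a real signature scheme (assumption).
_P, _Q = 999983, 1000003
TOY_N = _P * _Q
_PHI = (_P - 1) * (_Q - 1)

def toy_keypair(e: int) -> tuple[int, int]:
    """(verification public key, signing private key) for the shared toy modulus."""
    return e, pow(e, -1, _PHI)

def _digest_mod_n(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % TOY_N

def toy_sign(message: bytes, priv: int) -> int:
    return pow(_digest_mod_n(message), priv, TOY_N)

def toy_verify(message: bytes, signature: int, pub: int) -> bool:
    return pow(signature, pub, TOY_N) == _digest_mod_n(message)

@dataclass(frozen=True)
class SinglePlatformInfo:
    """What the local OS knows about an installed app; differs per device and OS."""
    uid: int
    package_name: str
    app_signature: str      # signature over the installation package (hex digest here)

@dataclass
class KeyRecord:
    key_id: str
    key_value: bytes
    cross_platform_id: str
    verify_pub: int         # verification signature public key of the owning app

def reference_signed_info(spi: SinglePlatformInfo, cross_platform_id: str) -> bytes:
    """Reference signed information: hash over single-platform info + cross-platform id."""
    h = hashlib.sha256()
    for part in (str(spi.uid), spi.package_name, spi.app_signature, cross_platform_id):
        h.update(len(part).to_bytes(2, "big"))      # length prefix: unambiguous field boundaries
        h.update(part.encode())
    return h.digest()

class KeyManagementModule:
    """One device's key management module.  os_apps is the OS's own uid -> info table
    (trusted; never taken from the request).  xp_table is the preset or downloaded
    mapping (package name, app signature) -> cross-platform identifier."""

    def __init__(self, os_apps: dict, xp_table: dict):
        self.os_apps, self.xp_table, self.records = os_apps, xp_table, {}

    def lookup_xp(self, spi: SinglePlatformInfo) -> str | None:
        return self.xp_table.get((spi.package_name, spi.app_signature))

    def store_key(self, requesting_uid: int, key_value: bytes, verify_pub: int) -> str:
        spi = self.os_apps[requesting_uid]
        key_id = uuid.uuid4().hex                       # unique serial code as key identifier
        self.records[key_id] = KeyRecord(key_id, key_value, self.lookup_xp(spi), verify_pub)
        return key_id

    def import_record(self, rec: KeyRecord) -> None:   # record transferred from another device
        self.records[rec.key_id] = rec

    def check_identity(self, requesting_uid: int, key_id: str) -> bool:
        """Second aspect: id bound to the key must equal the id derived from the caller."""
        rec = self.records.get(key_id)
        return rec is not None and self.lookup_xp(self.os_apps[requesting_uid]) == rec.cross_platform_id

    def check_signature(self, requesting_uid: int, key_id: str, signature: int) -> bool:
        """First aspect: rebuild the reference signed information from *this* device's
        view of the caller plus the id bound to the key, then verify the signature."""
        rec = self.records.get(key_id)
        if rec is None:
            return False
        ref = reference_signed_info(self.os_apps[requesting_uid], rec.cross_platform_id)
        return toy_verify(ref, signature, rec.verify_pub)

def sign_key_use_request(spi: SinglePlatformInfo, cross_platform_id: str, priv: int) -> int:
    """App side: sign the same reference information with the app's private key."""
    return toy_sign(reference_signed_info(spi, cross_platform_id), priv)

def demo() -> dict:
    notes_pub, notes_priv = toy_keypair(65537)
    _evil_pub, evil_priv = toy_keypair(65539)
    xp_notes = "notes-app-7f3e"                          # constructed cross-platform id
    src = SinglePlatformInfo(10042, "com.example.notes", "sig-android-1a2b")
    tgt = SinglePlatformInfo(10077, "Example.Notes", "sig-otheros-9c8d")   # other OS, other UID
    evil = SinglePlatformInfo(10099, "com.evil.app", "sig-evil-0000")
    source = KeyManagementModule({10042: src}, {(src.package_name, src.app_signature): xp_notes})
    target = KeyManagementModule({10077: tgt, 10099: evil},
                                 {(tgt.package_name, tgt.app_signature): xp_notes,
                                  (evil.package_name, evil.app_signature): "evil-app-0001"})
    key_id = source.store_key(10042, b"\x00" * 16, notes_pub)
    target.import_record(source.records[key_id])        # secret key transferred to the target
    return {
        "legacy_uid_check_on_target": src.uid == tgt.uid,   # prior art: legitimate app rejected
        "identity_ok": target.check_identity(10077, key_id),
        "identity_other_app": target.check_identity(10099, key_id),
        "sig_ok": target.check_signature(10077, key_id, sign_key_use_request(tgt, xp_notes, notes_priv)),
        "sig_other_app": target.check_signature(10099, key_id, sign_key_use_request(evil, "evil-app-0001", evil_priv)),
        "sig_replayed_from_source": target.check_signature(10077, key_id, sign_key_use_request(src, xp_notes, notes_priv)),
        "sig_unknown_key": target.check_signature(10077, "no-such-key", 1),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

The property worth noticing is where the single-platform information comes from: the module reads it from the OS table keyed by the caller's UID, never from the request, so an application cannot claim another application's package name or signature. That is also why a signature captured on the source device and replayed on the target fails: the reference signed information on the target embeds the target's own single-platform information, which the attacker did not sign over. A UID-only check, by contrast, rejects the legitimate application as soon as the key moves to a device where it has a different UID.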
  • the embodiment of the present application also provides a device (such as a computer device or a chip), including a memory and a processor; the memory is used to store a computer program, and the processor is used to call the computer program to execute any of the actions or steps mentioned in the embodiments provided above.
  • the embodiments of the present application also provide a computer-readable storage medium on which a computer program is stored; when the computer program runs on a computer, the computer executes any of the actions or steps mentioned in the embodiments provided above.
  • the embodiment of the application also provides a chip.
  • the chip integrates a circuit and one or more interfaces for realizing the functions of the above-mentioned computer equipment.
  • the functions supported by the chip may include processing actions based on the embodiments described in FIG. 4 to FIG. 6, which will not be repeated here.
  • a person of ordinary skill in the art can understand that all or part of the steps for implementing the above-mentioned embodiments can be completed by a program instructing related hardware.
  • the program can be stored in a computer-readable storage medium.
  • the aforementioned storage medium may be a read-only memory, a random access memory, and the like.
  • the aforementioned processing unit or processor may be a central processing unit (CPU), a general-purpose processor, an application specific integrated circuit (ASIC), a digital signal processor (DSP), a field programmable gate array (FPGA), or the like.
  • the embodiments of the present application also provide a computer program product containing instructions, which when the instructions run on a computer, cause the computer to execute any one of the methods in the foregoing embodiments.
  • the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions described in the embodiments of the present application are generated in whole or in part.
  • the computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable devices. Computer instructions can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • computer instructions can be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wire (such as coaxial cable, optical fiber, or digital subscriber line (DSL)) or wirelessly (such as infrared, radio, or microwave).
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or may include one or more data storage devices such as a server or a data center that can be integrated with the medium.
  • the usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, and a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
  • the foregoing devices for storing computer instructions or computer programs provided in the embodiments of the present application are non-transitory.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A secret key access control method and apparatus, relating to the technical field of computers, and used for enabling a secret key use request of an application having a legitimate source to still pass verification after a secret key is transmitted between different operating systems or different computer devices. The method is applied to a target computer device, the target computer device comprises a first application, and the method comprises: generating a secret key use request on the basis of the first application, the secret key use request comprising a first secret key identifier and signature information to be verified of the first application; obtaining reference signed information of the first application, the reference signed information of the first application being generated on the basis of single-platform information of the first application and a first cross-platform identifier; and verifying the signature information to be verified of the first application according to the first secret key identifier and the reference signed information of the first application to obtain a verification result, the verification result being used for indicating whether the secret key use request passes verification.

Description

Secret key access control method and device
This application claims priority to the Chinese patent application with application number 202010092581.1, titled "Secret key access control method and device", filed with the State Intellectual Property Office on February 14, 2020, the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of computer technology, and in particular to a secret key access control method and device.
Background
With the continuous development of terminal technology, more and more applications (APPs) are developed, installed and used. For security, different applications use different secret keys to encrypt or decrypt their data, and a secret key may only be used by the application it belongs to. Before an application uses a secret key, it must send a secret key use request to the secret key management module, which verifies the request by means of a secret key access control method.
Currently, the secret key access control method works as follows: the secret key management module determines, from the application's identification information in the operating system in which it is installed (such as the application's user identification (UID), or the combination of its package name and signature in that operating system), which application the secret key requested by the secret key use request belongs to; if the application that sent the request is the same as the application to which the requested secret key belongs, the request passes verification.
When a user has several computer devices, secret keys need to be transmitted between them. For example, an application may need to transmit its secret key to several computer devices in order to encrypt or decrypt its data on each of them. As another example, a smart-home application may need to transmit its secret key to several devices so that the key can be used on each of them to sign commands that control home Internet of Things (IoT) devices.
When the secret key management module identifies the application to which a requested secret key belongs by the application's UID, then after the application's secret key has been transmitted from the source computer device to the target computer device, the target device's secret key management module cannot determine which application the requested secret key belongs to, because the application has different UIDs on different computer devices, and the application's secret key use request will not pass verification. For example, application 1 has UID1 on the source computer device and UID2 on the target computer device, and secret key 1 is the secret key of the application with UID1. After secret key 1 has been transmitted to the target device, application 1 requests secret key 1 there; the target device does not recognise UID1, so application 1's request for secret key 1 will not pass verification.
When the secret key management module identifies the application to which a requested secret key belongs by the combination of the application's package name and signature, then, because that combination differs between operating systems, if the source computer device and the target computer device run different operating systems, the target device's secret key management module cannot determine which application the requested secret key belongs to, and the application's secret key use request cannot pass verification. For example, application 1 has package name 1 and signature 1 on the source computer device and package name 2 and signature 2 on the target computer device, and secret key 1 is the secret key of the application with package name 1 and signature 1. After secret key 1 has been transmitted to the target device, application 1 requests secret key 1 there; the target device does not recognise package name 1 and signature 1, so application 1's request for secret key 1 will not pass verification.
Therefore, a new secret key access control method is needed.
Summary of the invention
The embodiments of this application provide a secret key access control method and device, so that after a secret key has been transmitted between different computer devices or different operating systems, a secret key use request from an application with a legitimate source can still pass verification.
To achieve the above objective, the embodiments of this application adopt the following technical solutions:
In a first aspect, a secret key access control method is provided, applied to a target computer device that includes multiple applications, the multiple applications including a first application. The method includes: generating a secret key use request based on the first application, the secret key use request including a first secret key identifier and the to-be-verified signature information of the first application; obtaining the reference signed information of the first application according to the identifier of the first application and the first secret key identifier, where the reference signed information of the first application is generated based on the single-platform information of the first application and a first cross-platform identifier, and the single-platform information of the first application includes the single-platform identifier of the first application in the operating system of the target computer device; and verifying the to-be-verified signature information of the first application according to the first secret key identifier and the reference signed information of the first application, to obtain a verification result indicating whether the secret key use request passes verification.
In this way, the target computer device verifies the to-be-verified signature information in the secret key use request against the reference signed information: the cross-platform identifier of the application in the reference signed information determines the application to which the secret key indicated by the secret key identifier belongs, and the single-platform information of the application comes from the target computer device itself, which increases security. This overcomes the problem in the prior art that, after a secret key has been transmitted between computer devices with different operating systems, the target computer device cannot determine from the single-platform information of the application which application the secret key indicated by the secret key identifier belongs to, and so cannot let the secret key use request of an application with a legitimate source pass verification.
According to the first aspect, in a first possible implementation of the first aspect, obtaining the reference signed information of the first application according to the identifier of the first application and the first secret key identifier includes: obtaining the single-platform information of the first application using the identifier of the first application; obtaining, according to the first secret key identifier, the first cross-platform identifier of the first application corresponding to the first secret key identifier from the correspondence between each of multiple secret key identifiers and the cross-platform identifier of an application; and obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier.
According to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier includes: generating the reference signed information of the first application from the single-platform information of the first application and the first cross-platform identifier using a hash algorithm. This increases the security of secret key access control.
According to the first aspect or any of its first to second possible implementations, in a third possible implementation of the first aspect, obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier includes: according to the single-platform information of the first application and the first cross-platform identifier, selecting, from the correspondence between each of multiple pieces of reference signed information and the first information of an application, the reference signed information that corresponds to both the single-platform information of the first application and the first cross-platform identifier, as the reference signed information of the first application. The first information of an application includes the single-platform information of the application and the cross-platform identifier of the application. In this way, the first information of each application and its reference signed information are stored, and the reference signed information of an application is obtained by lookup, which saves computing resources on the computer device.
According to the first aspect or any of its first to third possible implementations, in a fourth possible implementation of the first aspect, the single-platform information of the first application further includes at least one of: the application signature of the first application and the single-platform signature public key of the first application. The application signature of the first application is the information obtained by performing a signature operation on the installation package information of the first application. The single-platform signature public key of the first application is used to verify the application signature of the first application. This increases the security of secret key access control.
According to the first aspect or any of its first to fourth possible implementations, in a fifth possible implementation of the first aspect, verifying the to-be-verified signature information of the first application according to the first secret key identifier and the reference signed information of the first application includes: obtaining, according to the first secret key identifier, the verification signature public key of the first application from the correspondence between each of multiple secret key identifiers and a verification signature public key; and verifying the to-be-verified signature information of the first application according to the verification signature public key of the first application and the reference signed information of the first application.
According to the first aspect or any of its first to fifth possible implementations, in a sixth possible implementation of the first aspect, the method further includes: generating a correspondence between a second secret key identifier and the first cross-platform identifier, where the second secret key identifier is a secret key identifier of the first application different from the first secret key identifier; and sending the correspondence between the second secret key identifier and the first cross-platform identifier to a second computer device, where the second computer device is a computer device different from the target computer device. In this way, a secret key use request of the first application that includes the second secret key identifier can also pass verification on the second computer device.
According to the first aspect or any of its first to sixth possible implementations, in a seventh possible implementation of the first aspect, the method further includes: generating a correspondence between the second secret key identifier and the verification signature public key of the first application; and sending the correspondence between the second secret key identifier and the verification signature public key of the first application to the second computer device.
In a second aspect, a secret key access control method is provided, applied to a target computer device that includes multiple applications, the multiple applications including a first application. The method includes: generating a secret key use request based on the first application, the secret key use request including a first secret key identifier; obtaining, according to the first secret key identifier, the first cross-platform identifier of the first application corresponding to the first secret key identifier from the correspondence between each of multiple secret key identifiers and the cross-platform identifier of an application; obtaining the single-platform information of the first application, which includes the single-platform identifier of the first application in the operating system of the target computer device; obtaining, according to the single-platform information of the first application, the second cross-platform identifier corresponding to that single-platform information from the correspondence between the single-platform information and the cross-platform identifier of each of the multiple applications; and, if the first cross-platform identifier is the same as the second cross-platform identifier, determining that the secret key use request passes verification.
In this way, the application to which the secret key indicated by the first secret key identifier belongs is determined from the cross-platform identifier of the application. This overcomes the problem in the prior art that, after a secret key has been transmitted between computer devices with different operating systems, the target computer device cannot determine from the single-platform information which application the secret key indicated by the secret key identifier belongs to, and so cannot let the secret key use request of an application with a legitimate source pass verification.
根据第二方面,在第二方面的第一种可能的实现方式中,该方法还包括:生成第二秘钥标识与第一跨平台标识的对应关系。其中,第二秘钥标识是第一应用的不同于第一秘钥标识的一个秘钥标识。向第二计算机设备发送第二秘钥标识与第一跨平台标识的对应关系,其中,第二计算机设备是与目标计算机设备不同的计算机设备。这样,第一应用的包含第二秘钥标识的秘钥使用请求在第二计算机设备中也可以通过验证。According to the second aspect, in the first possible implementation manner of the second aspect, the method further includes: generating a correspondence between the second key identifier and the first cross-platform identifier. Wherein, the second secret key identifier is a secret key identifier of the first application that is different from the first secret key identifier. Send the corresponding relationship between the second key identifier and the first cross-platform identifier to the second computer device, where the second computer device is a computer device different from the target computer device. In this way, the secret key use request of the first application that includes the second secret key identifier can also be verified in the second computer device.
第三方面,提供一种秘钥访问控制方法,应用于目标计算机设备,该目标计算机设备包括多个应用,多个应用包括第一应用;该方法包括:基于第一应用生成秘钥使用请求。该秘钥使用请求包括第一秘钥标识和第一应用的待验证签名信息。根据第一应用的标识和第一秘钥标识,获取第一应用的参照被签名信息,第一应用的参照被签名信息是基于第一跨平台标识生成的。根据第一秘钥标识和第一应用的参照被签名信息,对第一应用的待验证签名信息进行验证,得到验证结果,验证结果用于指示该秘钥使用请求是否验证通过。这样,目标计算机设备通过参照被签名信息,来验证秘钥使用请求中的待验证签名信息,参照被签名信息中的应用的跨平台标识可以确定秘钥 标识所指示的秘钥所属的应用。以克服现有技术中,秘钥在不同操作***的计算机设备间传输之后,目标计算机设备不能根据应用的单平台信息确定秘钥标识所指示的的秘钥所属的应用,而不能使来源合法的应用的秘钥使用请求通过验证的问题。In a third aspect, a key access control method is provided, which is applied to a target computer device, the target computer device includes multiple applications, and the multiple applications include a first application; the method includes: generating a secret key use request based on the first application. The secret key use request includes the first secret key identifier and the signature information to be verified of the first application. According to the identifier of the first application and the first key identifier, the reference signed information of the first application is obtained, and the reference signed information of the first application is generated based on the first cross-platform identifier. According to the first secret key identifier and the reference signed information of the first application, the signature information to be verified of the first application is verified to obtain a verification result, which is used to indicate whether the secret key use request is verified. In this way, the target computer device verifies the signature information to be verified in the key use request by referring to the signed information, and refers to the cross-platform identification of the application in the signed information to determine the application to which the secret key indicated by the key identification belongs. 
In order to overcome the problem in the prior art, after the secret key is transmitted between computer devices with different operating systems, the target computer device cannot determine the application to which the secret key indicated by the secret key identifier belongs according to the single-platform information of the application, and cannot make the source legal. The application's secret key usage request is verified.
第四方面,提供了一种秘钥访问控制装置,用于执行上述第一方面至第三方面提供的任一种可能的实现方式提供的方法。该秘钥访问控制装置可以是计算机设备或芯片等。In a fourth aspect, a secret key access control device is provided, which is used to implement the method provided in any one of the possible implementation manners provided in the first to third aspects. The secret key access control device can be a computer device or a chip.
在一种可能的设计中,该秘钥访问控制装置包括用于执行第一方面至第三方面提供的任一种可能的实现方式提供的方法的各个模块。In a possible design, the secret key access control device includes various modules for executing the method provided in any one of the possible implementation manners provided in the first aspect to the third aspect.
在一种可能的设计中,该秘钥访问控制装置包括存储器和处理器,存储器用于存储计算机程序指令,处理器用于调用该计算机程序指令,以执行第一方面至第三方面提供的任一种可能的实现方式提供的方法。In a possible design, the secret key access control device includes a memory and a processor, the memory is used to store computer program instructions, and the processor is used to call the computer program instructions to execute any one of the first to third aspects. The methods provided by one possible implementation.
第五方面,提供了一种计算机可读存储介质,如计算机非瞬态的可读存储介质。其上储存有计算机程序(或指令),当该计算机程序(或指令)在计算机上运行时,使得该计算机执行上述第一方面至第三方面的任一种可能的实现方式提供的任一种方法。In a fifth aspect, a computer-readable storage medium is provided, such as a non-transitory computer-readable storage medium. A computer program (or instruction) is stored thereon, and when the computer program (or instruction) runs on a computer, the computer executes any one of the possible implementations of the first aspect to the third aspect. method.
第六方面,提供了一种计算机程序产品,当其在计算机上运行时,使得第一方面至第三方面的任一种可能的实现方式提供的任一种方法被执行。In a sixth aspect, a computer program product is provided, which when running on a computer, enables any method provided by any one of the possible implementation manners of the first aspect to the third aspect to be executed.
第七方面,提供了一种芯片,包括:处理器,用于从存储器中调用并运行该存储器中存储的计算机程序,执行第一方面至第三方面的任一种可能的实现方式提供的任一种方法。In a seventh aspect, a chip is provided, including a processor, configured to call and run a computer program stored in the memory from a memory, and execute any of the possible implementation manners of the first aspect to the third aspect. a way.
可以理解的是,上述提供的任一种计算机设备、计算机存储介质、计算机程序产品或芯片等均可以应用于上文所提供的对应的方法,因此,其所能达到的有益效果可参考对应的方法中的有益效果,此处不再赘述。It can be understood that any of the computer equipment, computer storage media, computer program products, or chips provided above can be applied to the corresponding methods provided above. Therefore, the beneficial effects that can be achieved can refer to the corresponding The beneficial effects of the method will not be repeated here.
Description of the drawings
FIG. 1 is a schematic diagram of a system architecture applicable to an embodiment of this application;
FIG. 2 is a software structure diagram of a computer device applicable to an embodiment of this application;
FIG. 3 is a schematic structural diagram of a computing apparatus to which the technical solution provided by this application is applicable;
FIG. 4 is a schematic flowchart of a secret key access control method provided by an embodiment of this application;
FIG. 5 is a schematic flowchart of another secret key access control method provided by an embodiment of this application;
FIG. 6 is a schematic flowchart of a method for obtaining a secret key record provided by an embodiment of this application;
FIG. 7 is a schematic structural diagram of a secret key access control apparatus provided by an embodiment of this application.
Detailed description of embodiments
FIG. 1 is a schematic diagram of a system architecture applicable to the embodiments of this application. The system shown in FIG. 1 includes an application server 201 and multiple computer devices 202. The application server 201 in FIG. 1 can be connected to multiple computer devices 202 (for example, computer device 1 and computer device 2). The application server 201 is the server corresponding to an application on the computer devices 202; for example, it may be a WeChat server or a QQ server.
FIG. 2 is a software structure diagram of a computer device applicable to the embodiments of this application. In FIG. 2, a secret key management module 20 manages the secret keys of multiple applications 10. The secret key management module 20 can access the secret key records in a storage module 30 and verify the secret key use requests of the applications 10, thereby managing the applications' access to the secret key records.
FIG. 3 is a schematic structural diagram of a computing apparatus 100 to which the technical solution provided by this application is applicable. In one example, in terms of hardware structure, the application server 201 and the computer devices 202 in FIG. 1 may be the computing apparatus 100 in FIG. 3. The computing apparatus 100 shown in FIG. 3 may include at least one processor 101, a communication line 102, a memory 103 and at least one communication interface 104.
The processor 101 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the program of the solution of this application.
The communication line 102 may include at least one path, such as a data bus and/or a control bus, for transferring information between the above components (such as the at least one processor 101, the communication line 102, the memory 103 and the at least one communication interface 104).
The communication interface 104 uses any transceiver-like device to communicate with other devices or communication networks, such as a wide area network (WAN) or a local area network (LAN).
The memory 103 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disk storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and so on), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited to these. The memory 103 may exist independently and be connected to the processor 101 through the communication line 102, or it may be integrated with the processor 101. The memory 103 provided by the embodiments of this application generally includes a non-volatile memory. The memory 103 stores the computer instructions for executing the solution of this application, and the processor 101 controls their execution. The processor 101 is configured to execute the computer instructions stored in the memory 103, so as to implement the methods provided by the following embodiments of this application.
The memory 103 includes main memory and a hard disk.
Optionally, the computer instructions in the embodiments of this application may also be referred to as application program code or a system; this is not specifically limited in the embodiments of this application.
In a specific implementation, as an embodiment, the computing apparatus 100 may include multiple processors, each of which may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example, computer program instructions).
In a specific implementation, as an embodiment, the computing apparatus 100 may further include an output device 105 and/or an input device 106. The output device 105 communicates with the processor 101 and can display information in a variety of ways; for example, it may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device or a projector. The input device 106 communicates with the processor 101 and can receive user input in a variety of ways; for example, it may be a mouse, a keyboard, a touch screen device or a sensing device.
It should be noted that the computing apparatus shown in FIG. 3 is only an example and does not limit the computer devices or application servers to which the embodiments of this application are applicable. In an actual implementation, a computer device or application server may include more or fewer devices or components than shown in FIG. 3.
In one example, with reference to FIG. 3, the functions of the secret key management module 20 in FIG. 2 may be implemented by the processor 101 in FIG. 3 executing a program in the memory 103. The storage module 30 in FIG. 2 may be the memory 103 in FIG. 3.
Some terms used in this application are explained below:
1) Platform
A platform is an operating system, such as the Apple operating system (iOS) or the Android operating system.
2) Single-platform identifier and cross-platform identifier of an application
The single-platform identifier of an application is the identification information of the application in a particular operating system. It can be defined by the application's developer.
For example, the single-platform identifier of WeChat in the Android operating system may be at least one of WeChat's package name on Android (such as com.tencent.xin) and WeChat's signature on Android; the single-platform identifier of WeChat in the Apple operating system may be at least one of WeChat's package name on the Apple operating system (such as com.tencent.mm) and WeChat's signature on the Apple operating system. An application has a unique single-platform identifier on a given platform and different single-platform identifiers on different platforms.
The cross-platform identifier of an application is unified identification information for the application across different operating systems. It can be defined by the application's developer. For example, the cross-platform identifier of WeChat may be weixin, and the cross-platform identifier of Weibo may be weibo. An application has a single, unique cross-platform identifier across different operating systems.
3) Secret key
A secret key is secret information used to perform cryptographic operations such as encryption, decryption and integrity verification. In symmetric cryptography (also called secret-key cryptography), the encryption key and the decryption key are the same, so the key must be kept secret. In public-key cryptography (also called asymmetric cryptography), the encryption key and the decryption key differ: usually one is public and is called the public key (such as a verification signature public key), and the other is kept secret and is called the private key (such as a signature private key). For example, the encryption key is the public key and the decryption key is the private key; or the encryption key is the private key and the decryption key is the public key.
4) Signature
A signature is a cryptographic application of public-key cryptography used for identity verification or data integrity verification. In the embodiments of this application, signatures are used to authenticate secret key use requests.
The signing process may include: the application or the application server uses the application's signature private key to perform a signature operation on the application's signed information, obtaining the application's signature information.
5) Signed information of an application
The signed information of an application is the information on which the signature operation is to be performed.
This application does not limit how the signed information is obtained. For example, the computer device may apply a first algorithm to the application's cross-platform identifier and the application's single-platform information to obtain the signed information.
In one implementation, the first algorithm may be: combine the application's cross-platform identifier and the application's single-platform information to obtain a character string, and use that character string as the signed information. The combination may take many forms, which this application does not limit. In one implementation, the combination concatenates the application's cross-platform identifier and the application's single-platform information; this application does not limit the concatenation order. In another implementation, the combination concatenates the application's cross-platform identifier, the application's single-platform information and a predefined character string (such as "#123***"); this application does not limit the order in which the cross-platform identifier, the single-platform information and the predefined character string are concatenated.
In another implementation, the first algorithm may be: combine the application's cross-platform identifier and the application's single-platform information to obtain a character string, hash that character string with a hash algorithm to obtain the corresponding hash value, and use the hash value as the signed information. The hash algorithm may include, but is not limited to, SHA256 or SHA1.
6) Signature information of an application
The signature information of an application is the information obtained by performing a signature operation on the application's signed information with a signature private key according to a signature algorithm. The embodiments of this application involve an application's application signature and its signature information to be verified.
The application signature of an application is the information obtained by performing a signature operation on the application's first signed information with a first signature private key according to a first signature algorithm. The first signed information includes the application's installation package information. The application signature is generated when the installation package file is produced, before the application is installed on a platform, and serves to reduce the risk of the application's installation files being tampered with. If, at installation time, any file in the installation package has been changed relative to that file in the application's first signed information, the application fails verification and cannot be installed.
The signature information to be verified of an application is the information obtained by performing a signature operation on the application's second signed information with a second signature private key according to a second signature algorithm. It is used to verify whether the application's single-platform information corresponds to the application's cross-platform identifier, thereby strengthening the security of cross-platform secret key management for the application. In this case, the second signed information includes the application's cross-platform identifier and the application's single-platform information, where the single-platform information includes the application's single-platform identifier and, optionally, the application's application signature and the application's single-platform signature public key. Including the application signature in the single-platform information can improve the security of secret key management. The application's single-platform signature public key is used to verify the application signature.
The signature information to be verified may be preset in the computer device, for example by the application developer, or the application server may deliver it to the computer device. The application server may include a signing module that performs a signature operation on the application's second signed information with the second signature private key according to the second signature algorithm, obtaining the application's signature information to be verified.
The first signature algorithm and the second signature algorithm may be the same or different. As examples, either of them may be the RSA asymmetric algorithm or the elliptic curve digital signature algorithm (ECDSA).
The first signature private key and the second signature private key may be the same or different; this application does not limit this.
7) Verification algorithm
A verification algorithm takes the signature information to be verified, the verification signature public key and the signed information as input and determines whether the signature information to be verified is correct.
8) Other terms
In the embodiments of this application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as more preferred or more advantageous than other embodiments or designs. Rather, such words are intended to present the related concepts in a concrete manner.
In the embodiments of this application, "at least one" means one or more, and "multiple" means two or more.
In the embodiments of this application, "and/or" merely describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the associated objects.
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of this application without creative effort fall within the protection scope of this application.
It should be noted that the computer device stores the application's cross-platform identifier, the application's signature information to be verified, the application's single-platform information, the application's first signature private key, the application's second signature private key, the second verification signature public key corresponding to the second signature private key, and so on. The following description takes as an example the case where the correspondence between secret key identifiers and applications' cross-platform identifiers, the correspondence between secret key identifiers and second signed information, the correspondence between secret key identifiers and second verification signature public keys, and the correspondence between secret key identifiers and applications' single-platform information are embodied in the form of secret key records.
When a user has multiple computer devices, secret keys need to be transferred between them. Secret key transfer means that a source computer device transmits the secret key records of an application stored on it to a target computer device, which stores those records. A secret key record includes a secret key identifier, a secret key value and the application's cross-platform identifier. Optionally, the secret key record may also include the second signed information, the second verification signature public key and the application's single-platform information.
Each secret key record includes one secret key identifier, and different secret key records have different identifiers. The application's cross-platform identifier in a record indicates which application the secret key indicated by that record's secret key identifier belongs to. Different data produced by one application may be encrypted or decrypted with different secret keys, so one application may correspond to one or more secret key records. Those records share the same cross-platform identifier; their second verification signature public keys may be the same or different, and their second signed information may be the same or different.
The embodiments of this application do not limit how the secret key records stored in a computer device are obtained. In one implementation, the secret key records are preset in the computer device's storage module. In another implementation, they are transmitted from another computer device (for example, the secret key records in the target computer device come from the source computer device). In another implementation, the computer device obtains the secret key records by the method of Embodiment 2.
For example, the secret key records of multiple applications in a computer device are shown in Table 1 below.
Table 1
(Table 1 appears as an image in the original publication, PCTCN2020132720-appb-000001; its contents are not reproduced in the text.)
基于表1中的示例,秘钥标识为秘钥标识2的秘钥记录中,应用的跨平台标识为应用1的跨平台标识,该应用1的第二验证签名公钥为第二验证签名公钥2。该应用1的第二被签名信息是应用1的第二被签名信息。该应用1的单平台信息为应用1的单平台信息。Based on the example in Table 1, in the secret key record with the secret key identifier as the secret key identifier 2, the cross-platform identifier of the application is the cross-platform identifier of the application 1, and the second verification signature public key of the application 1 is the second verification signature public key. Key 2. The second signed information of the application 1 is the second signed information of the application 1. The single-platform information of the application 1 is the single-platform information of the application 1.
In Embodiment 1 below, the technical solution of the secret key access control method of the present application is described by taking as an example the case in which the secret key record in the target computer device is obtained by transmission from the source computer device. The operating system of the target computer device and the operating system of the source computer device may be the same or different.
Embodiment 1
FIG. 4 is a schematic flowchart of a secret key access control method provided by an embodiment of this application. Exemplarily, this embodiment may be applied to the computer device shown in FIG. 2. The method shown in FIG. 4 may include the following steps:
S100: Application 1 generates a secret key use request. The secret key use request is used by application 1 to request a service from the secret key management module. Application 1 is any application in the target computer device. The secret key use request includes the signature information to be verified of application 1 and the first secret key identifier.
The service requested by the secret key use request includes obtaining the first secret key value, encrypting the data of application 1 with the first secret key value, or performing a signature operation on the third signed information of application 1 with the first secret key value according to the third signature algorithm, and so on. The third signed information may be information in application 1 that needs to be signed; it may be the same as or different from the second signed information. Of course, the secret-key-based algorithm service requested by the secret key use request may also be another service, which the embodiment of the present application does not limit.
When the service requested by the secret key use request is obtaining the first secret key value, the secret key use request may include the first secret key identifier and the signature information to be verified of application 1. When the requested service is encrypting the data of application 1 with the first secret key value, the secret key use request may include the first secret key identifier, the signature information to be verified of application 1, the identification information of the encryption algorithm, and the data of application 1. When the requested service is performing a signature operation on the third signed information of application 1 with the first secret key value according to the third signature algorithm, the secret key use request may include the first secret key identifier, the signature information to be verified of application 1, the identification information of the third signature algorithm, and the third signed information of application 1.
The identifier of application 1 is an identifier that can be recognized by the operating system in which application 1 runs, and is used by the secret key management module to obtain the single-platform information of application 1 through a function provided by that operating system. The identifier of application 1 is different from both the single-platform identifier of application 1 and the cross-platform identifier of application 1. The secret key value corresponding to the first secret key identifier is the first secret key value.
The embodiment of the present application does not limit the trigger condition under which application 1 generates the secret key use request. Exemplarily, application 1 generates the secret key use request when it needs to encrypt its data; the service requested by that request is encrypting the data of application 1 with the first secret key value.
S101: Application 1 sends the secret key use request to the secret key management module.
S102: The secret key management module obtains the first single-platform information of application 1 according to the identifier of application 1. The first single-platform information is the single-platform information of application 1 in the operating system of the target computer device. The single-platform information of multiple applications is preset in the target computer device in which application 1 runs.
Exemplarily, in the Android system, the secret key management module uses the package manager service (PMS) of the platform to obtain the identifier of application 1, uses that identifier to obtain the single-platform information of the application corresponding to it, and takes the obtained single-platform information as the first single-platform information of application 1.
S103: The secret key management module obtains the cross-platform identifier in the secret key record in which the first secret key identifier is located, and takes that cross-platform identifier as the first cross-platform identifier of application 1.
S104: The secret key management module obtains the reference signed information of application 1 according to the first single-platform information of application 1 and the first cross-platform identifier of application 1.
The embodiment of the present application does not limit the specific implementation by which the secret key management module obtains the reference signed information of application 1 according to the first single-platform information of application 1 and the first cross-platform identifier of application 1.
In one implementation, the secret key management module stores, for each of multiple applications, a correspondence between the first single-platform information of the application, the cross-platform identifier of the application, and the reference signed information. The module obtains from this correspondence the reference signed information corresponding to the first single-platform information of application 1 and the first cross-platform identifier of application 1, and takes the obtained reference signed information as the reference signed information of application 1.
In another implementation, the reference signed information of application 1 may be obtained as follows:
Step 1: Determine the first algorithm according to the identifier of application 1. The first algorithm is the algorithm, predefined in the computer device, that was used to generate the second signed information of application 1.
Specifically, the computer device prestores a correspondence between the identifier of each of multiple applications and the identification information of the first algorithm. The secret key management module can obtain, from this correspondence, the identification information of the first algorithm corresponding to the identifier of application 1, and take the first algorithm corresponding to the obtained identification information as the first algorithm of application 1.
Step 2: Generate signed information using the first algorithm of application 1, the first cross-platform identifier of application 1, and the first single-platform information of application 1, and take the generated signed information as the reference signed information of application 1.
It should be noted that the above way of obtaining the reference signed information of application 1 can be used whether the operating system of the source computer device and that of the target computer device are the same or different. When they are the same, that is, when the first single-platform information of application 1 is the same as the second single-platform information of application 1 (where the second single-platform information of application 1 is the single-platform information of application 1 in the secret key record in which the first secret key identifier is located, i.e., the secret key record sent by the source computer device to the target computer device), the secret key management module can also obtain the second signed information of the application in the secret key record in which the first secret key identifier is located, and take the obtained second signed information as the reference signed information of application 1. This helps save computing resources.
S105: The secret key management module obtains, according to the first secret key identifier, the second verification signature public key corresponding to the first secret key identifier, and takes the obtained second verification signature public key as the second verification signature public key of application 1.
Specifically, the secret key management module obtains the second verification signature public key in the secret key record in which the first secret key identifier is located, and takes it as the second verification signature public key of application 1. The secret key record includes the correspondence between the first secret key identifier, the first secret key value, the cross-platform identifier of application 1, and the second verification signature public key of application 1. The secret key record may also include the second signed information of application 1 and the single-platform information of application 1.
S106: The secret key management module obtains the verification algorithm of the second signature algorithm of application 1 according to the identifier of application 1.
Specifically, the verification algorithm of the second signature algorithm of application 1 is defined in the secret key management module.
It should be noted that the embodiment of the present application does not limit the execution order of S102 and S103; for example, S102 may be executed after S103. Nor does it limit the execution order of S104, S105, and S106; for example, S106 may be executed after S105, and S104 after S106.
S107: The secret key management module obtains the verification result of the signature information to be verified of application 1 by applying the verification algorithm of the second signature algorithm of application 1 with the second verification signature public key of application 1 and the reference signed information of application 1. The verification result is either verification passed or verification failed.
Specifically, the secret key management module can input the signature information to be verified of application 1, the second verification signature public key of application 1, and the reference signed information of application 1 into the verification algorithm of the second signature algorithm of application 1, obtaining the verification result of the signature information to be verified of application 1. The second signature algorithm is the signature algorithm that was used to obtain the signature information to be verified.
If the verification result is verification passed, the secret key use request of application 1 is legitimate. The secret key management module then provides application 1 with the service requested by the secret key use request and sends the result to application 1. Specifically, when the requested service is obtaining the first secret key value, the secret key management module obtains the secret key value in the secret key record in which the first secret key identifier is located, takes it as the first secret key value, and sends it to application 1. When the requested service is encrypting the data of application 1 with the secret key value, the secret key management module obtains the secret key value in the secret key record in which the first secret key identifier is located, takes it as the first secret key value, uses the first secret key value as the private key with the encryption algorithm in the secret key use request to encrypt the data of application 1 carried in the request, and sends the encrypted data of application 1 to application 1. When the requested service is performing a signature operation on the third signed information of application 1 with the secret key value according to the third signature algorithm to obtain the third signature information, the secret key management module obtains the secret key value in the secret key record in which the first secret key identifier is located, takes it as the first secret key value, performs a signature operation on the third signed information of application 1 according to the third signature algorithm using the first secret key value as the signing private key to obtain the third signature information, and sends the third signature information to application 1.
If the verification result is verification failed, the secret key use request of application 1 is not legitimate. The secret key management module then generates a notification message indicating that the secret key use request failed verification, and sends the notification message to application 1.
In the embodiment of this application, the secret key management module verifies the signature information to be verified in the secret key use request against the reference signed information. The cross-platform identifier of the application in the reference signed information comes from the secret key record, so the application to which the secret key indicated by the secret key identifier in the record belongs can be determined, and the single-platform information of the application comes from the target computer device, which increases security. This overcomes the problem in the prior art that, after a secret key is transmitted between computer devices with different operating systems, the secret key management module cannot determine from the single-platform information in the secret key record which application the secret key indicated by the record's secret key identifier belongs to, and therefore cannot pass the secret key use request of an application with a legitimate source. Exemplarily, the cross-platform identifier of application 1 in the source computer device is cross-platform identifier 1, the cross-platform identifier of application 1 in the target computer device is cross-platform identifier 1, and secret key 1 is a secret key of application 1, whose cross-platform identifier is cross-platform identifier 1. After secret key 1 is transmitted to the target computer device, application 1 requests secret key 1 in the target computer device; the target computer device can still recognize cross-platform identifier 1 as the cross-platform identifier of application 1, so the secret key use request in which application 1 requests secret key 1 in the target computer device can pass verification.
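The flow S100 to S107 of Embodiment 1, written out as an added example in Go. This is not code from the patent or from the applicant; it fixes choices the text leaves open: Ed25519 stands in for the second signature algorithm, SHA-256 over the cross-platform identifier and the single-platform information stands in for the first algorithm that produces the (reference) signed information, and AES-GCM stands in for the requested encryption algorithm. The identifiers used (application "app1", record "key-1") are constructed for the example. The point the code makes is that the single-platform information used to rebuild the reference comes from the target device's own table, not from the request, so a requester cannot substitute another application's identity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// KeyRecord is the secret key record of the text; SignedInfo and SinglePlatform
// are the optional second signed information and source-device single-platform information.
type KeyRecord struct {
	KeyID           string
	KeyValue        []byte
	CrossPlatformID string
	VerifyPubKey    ed25519.PublicKey // second verification signature public key
	SignedInfo      []byte            // nil if absent
	SinglePlatform  string
}

// KeyUseRequest is the secret key use request of S100/S101.
type KeyUseRequest struct {
	AppID     string // identifier recognised by the local operating system
	KeyID     string // first secret key identifier
	Signature []byte // signature information to be verified
	Service   string // "get" or "encrypt"
	Data      []byte // data to encrypt
}

// KeyManager is the secret key management module with its records and the
// single-platform information preset on the target device (S102).
type KeyManager struct {
	Records        map[string]KeyRecord
	SinglePlatform map[string]string // application identifier -> single-platform information
}

// ReferenceSignedInfo is an assumed "first algorithm" (S104, step 2):
// SHA-256 over cross-platform identifier || 0x00 || single-platform information.
func ReferenceSignedInfo(crossID, single string) []byte {
	h := sha256.New()
	h.Write([]byte(crossID))
	h.Write([]byte{0})
	h.Write([]byte(single))
	return h.Sum(nil)
}

// BuildRequest is the application side of S100: it signs its own cross-platform
// identifier and single-platform information with its second signature private
// key (Ed25519 is assumed as the second signature algorithm).
func BuildRequest(priv ed25519.PrivateKey, appID, keyID, crossID, single, service string, data []byte) KeyUseRequest {
	sig := ed25519.Sign(priv, ReferenceSignedInfo(crossID, single))
	return KeyUseRequest{AppID: appID, KeyID: keyID, Signature: sig, Service: service, Data: data}
}

// Handle runs S102 to S107 and, when verification passes, the requested service.
func (km *KeyManager) Handle(req KeyUseRequest) ([]byte, error) {
	rec, ok := km.Records[req.KeyID]
	if !ok {
		return nil, errors.New("unknown secret key identifier")
	}
	single, ok := km.SinglePlatform[req.AppID] // S102: from the device, never from the request
	if !ok {
		return nil, errors.New("no single-platform information for application")
	}
	// S103/S104: cross-platform identifier from the record; the stored second signed
	// information is reused only when the source single-platform information matches.
	ref := rec.SignedInfo
	if ref == nil || rec.SinglePlatform != single {
		ref = ReferenceSignedInfo(rec.CrossPlatformID, single)
	}
	// S105 to S107: verify the request's signature against the reference.
	if len(rec.VerifyPubKey) != ed25519.PublicKeySize || !ed25519.Verify(rec.VerifyPubKey, ref, req.Signature) {
		return nil, errors.New("verification failed")
	}
	switch req.Service {
	case "get":
		return rec.KeyValue, nil
	case "encrypt": // AES-GCM is assumed as the requested encryption algorithm
		block, err := aes.NewCipher(rec.KeyValue)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return gcm.Seal(nonce, nonce, req.Data, nil), nil // nonce || ciphertext || tag
	}
	return nil, errors.New("unknown service")
}
```

A signature over a different cross-platform identifier, a signature made with another application's private key, or a request from an application identifier the device has no single-platform information for all fail at S107, while a record carried over from a source device whose stored second signed information matches the target's single-platform information is verified without recomputation, as the note under S104 describes. The third-signature service of S107 would be a third case of the same switch.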
Embodiment 2
FIG. 5 is a schematic flowchart of another secret key access control method provided by an embodiment of this application. Exemplarily, this embodiment may be applied to the computer device shown in FIG. 2. The method shown in FIG. 5 may include the following steps:
S200: Application 1 generates a secret key use request. The secret key use request is used by application 1 to request a service from the secret key management module. Application 1 is any application in the target computer device. The secret key use request includes the first secret key identifier.
Optionally, the secret key use request further includes the signature information to be verified of application 1.
For a specific description of application 1 requesting a service from the secret key management module, refer to S100 in Embodiment 1; it is not repeated here.
The identifier of application 1 is an identifier that can be recognized by the operating system in which application 1 runs, and is used by the secret key management module to obtain the single-platform information of application 1 through a function provided by that operating system. The identifier of application 1 is different from both the single-platform identifier of application 1 and the cross-platform identifier of application 1. The secret key value corresponding to the first secret key identifier is the first secret key value.
The embodiment of the present application does not limit the trigger condition under which application 1 generates the secret key use request. Exemplarily, application 1 generates the secret key use request when it needs to encrypt its data; the service requested by that request is encrypting the data of application 1 with the first secret key value.
S201: Application 1 sends the secret key use request to the secret key management module.
S202: The secret key management module obtains the cross-platform identifier in the secret key record in which the first secret key identifier is located, and takes that cross-platform identifier as the first cross-platform identifier of application 1.
S203: The secret key management module obtains the first single-platform information of application 1. The first single-platform information is the single-platform information of application 1 in the operating system of the target computer device. The single-platform information of multiple applications is preset in the target computer device in which application 1 runs.
Exemplarily, in the Android system, the secret key management module uses the package manager service (PMS) of the platform to obtain the identifier of application 1, uses that identifier to obtain the single-platform information of the application corresponding to it, and takes the obtained single-platform information as the first single-platform information of application 1.
S204: The secret key management module obtains the second cross-platform identifier of application 1 according to the first single-platform information of application 1. The second cross-platform identifier of application 1 is used by the secret key management module to determine which secret key records belong to application 1.
Specifically, the secret key management module obtains, from a stored correspondence between the cross-platform identifier and the single-platform information of each of multiple applications, the cross-platform identifier corresponding to the first single-platform information, and takes the obtained cross-platform identifier as the second cross-platform identifier of application 1.
It should be noted that the embodiment of the present application does not limit the execution order of S202 and S203 to S204; for example, S202 may be executed after S203 to S204.
S205: The secret key management module determines whether the first cross-platform identifier of application 1 is the same as the second cross-platform identifier of application 1.
If yes, the secret key indicated by the secret key identifier in the secret key record in which the first secret key identifier is located belongs to application 1, and S206 is executed. If no, that secret key does not belong to application 1, and S207 is executed.
S206: The secret key management module provides application 1 with the service requested by the secret key use request.
The secret key management module then obtains the result of the service requested by the secret key use request and sends the result to application 1.
S207: The secret key management module generates a notification message. The notification message indicates that the secret key use request failed verification.
The secret key management module then sends the notification message to application 1.
It should be noted that S204 to S205 in this embodiment are optional steps. When the secret key use request also includes the signature information to be verified of application 1, and that signature information was obtained by performing a signature operation on the first cross-platform identifier of the application with the second signature private key according to the second signature algorithm, then after executing S200 to S203 the secret key management module can obtain the reference signed information of application 1 in combination with the method of S104 in Embodiment 1; in this case the reference signed information includes only the first cross-platform identifier. The secret key management module executes S105 to obtain the second verification signature public key of application 1, and executes S106 to obtain the verification algorithm of the second signature algorithm of application 1. Then, the secret key management module obtains the verification result of the signature information to be verified of application 1 by applying the verification algorithm of the second signature algorithm of application 1 with the second verification signature public key of application 1 and the reference signed information of application 1. The verification result is either verification passed or verification failed. If it is verification passed, the secret key use request of application 1 is legitimate; the secret key management module then provides application 1 with the service requested by the secret key use request and sends the result to application 1. If it is verification failed, the secret key use request of application 1 is not legitimate; the secret key management module then generates a notification message indicating that the secret key use request failed verification and sends the notification message to application 1.
In the embodiment of this application, the secret key management module can determine, according to the cross-platform identifier of the application included in each stored secret key record, the application to which the secret key indicated by the secret key identifier in that record belongs. This overcomes the problem in the prior art that, after a secret key is transmitted between computer devices with different operating systems, the secret key management module cannot determine from the single-platform information in the secret key record which application the secret key indicated by the record's secret key identifier belongs to, and therefore cannot pass the secret key use request of an application with a legitimate source. Exemplarily, the cross-platform identifier of application 1 in the source computer device is cross-platform identifier 1, the cross-platform identifier of application 1 in the target computer device is cross-platform identifier 1, and secret key 1 is a secret key of application 1, whose cross-platform identifier is cross-platform identifier 1. After secret key 1 is transmitted to the target computer device, application 1 requests secret key 1 in the target computer device; the target computer device can still recognize cross-platform identifier 1 as the cross-platform identifier of application 1, so the secret key use request in which application 1 requests secret key 1 in the target computer device can pass verification.
Embodiment 3
FIG. 6 is a schematic flowchart of a method for obtaining a secret key record provided by an embodiment of this application. Exemplarily, this embodiment may be applied to the computer device shown in FIG. 2. The method shown in FIG. 6 may include the following steps:
S301: Application 1 generates a storage request for secret key record 1. Application 1 is any one of the applications in the computer device. The storage request for secret key record 1 includes the first identification information and at least one of the cross-platform identifier of application 1 or the identifier of application 1.
Optionally, the storage request for secret key record 1 further includes at least one of a secret key length or the second verification signature public key of application 1. The first identification information indicates the algorithm for generating the secret key value and the secret key identifier of secret key record 1. The secret key length indicates the security strength of the secret key value generated for secret key record 1. The second verification signature public key of application 1 is the second verification signature public key corresponding to the second signature private key of application 1, and is used by the secret key management module to verify the signature information to be verified of application 1; for details, refer to S107 in Embodiment 1, which is not repeated here.
Optionally, the storage request for secret key record 1 further includes the second signed information of application 1 and the single-platform information of application 1.
示例性的,该应用1的平台可以是安卓操作***,该应用1可以是微信,该应用1生成的秘钥记录1的存储请求中的应用的跨平台标识可以是weixin。Exemplarily, the platform of the application 1 may be an Android operating system, the application 1 may be WeChat, and the cross-platform identification of the application in the storage request of the key record 1 generated by the application 1 may be weixin.
本申请实施例对应用1生成秘钥记录1的存储请求的触发条件不进行限定,示例性的,该应用1在生成待加密数据时,生成秘钥记录1的存储请求。The embodiment of the present application does not limit the trigger condition of the storage request for the application 1 to generate the secret key record 1. As an example, the application 1 generates the storage request for the secret key record 1 when generating the data to be encrypted.
S302:该应用1向秘钥管理模块发送该秘钥记录1的存储请求。S302: The application 1 sends a storage request of the secret key record 1 to the secret key management module.
S303:秘钥管理模块根据第一标识信息,生成秘钥记录1的秘钥标识和秘钥值。S303: The secret key management module generates the secret key identifier and secret key value of the secret key record 1 according to the first identification information.
可替换的,当秘钥记录1的存储请求中还包括秘钥长度时,秘钥管理模块根据第一标识信息和秘钥长度,生成秘钥记录1的秘钥标识和秘钥值。Alternatively, when the storage request of the secret key record 1 also includes the secret key length, the secret key management module generates the secret key identifier and the secret key value of the secret key record 1 according to the first identification information and the secret key length.
本申请实施例对秘钥记录1的秘钥标识和秘钥值的生成方法不进行限制,示例性的,秘钥管理模块中定义的第一标识信息所指示的算法中定义了生成多种长度的秘钥值的规则。秘钥管理模块将秘钥长度输入第二算法可以执行生成该秘钥长度的秘钥值的方法,生成秘钥值。秘钥管理模块可以生成一个唯一的序列码作为该秘钥值的秘钥标识。The embodiment of the application does not limit the method for generating the secret key identifier and secret key value of the secret key record 1. For example, the algorithm indicated by the first identification information defined in the secret key management module defines multiple lengths of generation. The rules of the secret key value. The secret key management module inputs the secret key length into the second algorithm to execute the method of generating the secret key value of the secret key length to generate the secret key value. The secret key management module can generate a unique serial code as the secret key identifier of the secret key value.
S304:秘钥管理模块根据应用1的标识获取应用1的跨平台标识。S304: The secret key management module obtains the cross-platform identity of application 1 according to the identity of application 1.
具体的,秘钥管理模块根据应用1的标识,获取应用1的单平台信息,并根据应用1的单平台信息与应用1的跨平台标识的对应关系,获取应用1的单平台信息对应的应用1的跨平台标识。Specifically, the key management module obtains the single-platform information of application 1 according to the identity of application 1, and obtains the application corresponding to the single-platform information of application 1 according to the correspondence between the single-platform information of application 1 and the cross-platform identity of application 1. 1 cross-platform logo.
本申请实施例对根据应用1的单平台信息与应用1的跨平台标识的对应关系,获取应用1的单平台信息对应的应用1的跨平台标识的获取方式不进行限定。The embodiment of the present application does not limit the method for obtaining the cross-platform identification of the application 1 corresponding to the single-platform information of the application 1 according to the correspondence between the single-platform information of the application 1 and the cross-platform identification of the application 1.
在一种实现方式中,秘钥管理模块的查询服务器(如:云端服务器)中存储应用1的单平台信息与应用1的跨平台标识的对应关系,秘钥管理模块可以向查询服务器发送应用1的单平台信息,以查询该应用1的单平台信息对应的应用1的跨平台标识。In one implementation, the query server (such as a cloud server) of the secret key management module stores the correspondence between the single-platform information of application 1 and the cross-platform identification of application 1, and the secret key management module can send application 1 to the query server. The single-platform information of the application 1 is used to query the cross-platform identification of the application 1 corresponding to the single-platform information of the application 1.
在另一种实现方式中,存储模块中预置了应用1的单平台信息与应用1的跨平台标识的对应关系,该对应关系可以通过查询服务器下载的方式获取,也可以是计算机设备生产时预置在存储模块中。秘钥管理模块可以向存储模块发送应用1的单平台信息,以查询该应用1的单平台信息对应的应用1的跨平台标识。In another implementation, the storage module is preset with the corresponding relationship between the single-platform information of Application 1 and the cross-platform identification of Application 1. The corresponding relationship can be obtained by querying the server for downloading, or it can be obtained when the computer equipment is produced. Preset in the storage module. The secret key management module may send the single-platform information of application 1 to the storage module to query the cross-platform identification of application 1 corresponding to the single-platform information of application 1.
需要说明的是,S304是可选的步骤,当秘钥记录1的存储请求中包括应用1的跨平台标识时,不需要执行S304。当秘钥记录1的存储请求中不包括应用1的跨平台标识时,需要执行S304,本申请实施例对S303与S304的执行顺序不进行限定,示例性的,在执行了S304之后再执行S303。It should be noted that S304 is an optional step. When the storage request of the secret key record 1 includes the cross-platform identification of the application 1, S304 does not need to be executed. When the storage request of key record 1 does not include the cross-platform identification of application 1, S304 needs to be executed. The embodiment of this application does not limit the execution order of S303 and S304. For example, S303 is executed after S304 is executed. .
S305:秘钥管理模块生成该应用1的秘钥记录1。该秘钥记录1包括该秘钥记录1的秘钥标识、秘钥值和该应用1的跨平台标识。S305: The secret key management module generates the secret key record 1 of the application 1. The secret key record 1 includes the secret key identifier of the secret key record 1, the secret key value, and the cross-platform identifier of the application 1.
可选的,当秘钥记录1的存储请求中包括应用1的第二被签名信息时,该秘钥记录1还可以包括应用1的第二验证签名公钥、应用1的第二被签名信息或应用1的单平台信息中的至少一种。Optionally, when the storage request of the secret key record 1 includes the second signed information of the application 1, the secret key record 1 may also include the second verification signature public key of the application 1 and the second signed information of the application 1. Or at least one of application 1’s single-platform information.
需要说明的是,该秘钥记录1的秘钥标识以及秘钥值的生成步骤可以由秘钥管理模块生成如上述实施例二中所示。该秘钥记录1的秘钥标识以及秘钥值也可以由应用生成。由应用生成时,上述S301中的秘钥记录1的存储请求中还包括:秘钥记录1的秘钥标识以及秘钥值。后续,秘钥管理模块根据该秘钥记录1的存储请求中的信息生成秘钥记录1,并存储。It should be noted that the steps of generating the secret key identifier and secret key value of the secret key record 1 can be generated by the secret key management module as shown in the second embodiment above. The key identifier and key value of the key record 1 can also be generated by the application. When generated by the application, the storage request of the secret key record 1 in S301 also includes the secret key identifier and the secret key value of the secret key record 1. Subsequently, the key management module generates a key record 1 according to the information in the storage request of the key record 1, and stores it.
The foregoing mainly describes the solutions provided in the embodiments of this application from the perspective of the method. To implement the foregoing functions, the device includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art should readily appreciate that, in combination with the method steps of the examples described in the embodiments disclosed herein, this application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, but such implementation should not be considered to go beyond the scope of this application.
The embodiments of this application may divide the computer device into functional modules according to the foregoing method examples. For example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of this application is illustrative and is merely a logical division of functions; other divisions are possible in actual implementation.
FIG. 7 is a schematic structural diagram of a secret key access control apparatus according to an embodiment of this application. The secret key access control apparatus 70 may be used to perform the functions performed by the computer device in any of the foregoing embodiments (for example, the embodiment shown in FIG. 4 or FIG. 6). The secret key access control apparatus 70 includes a plurality of applications, and the plurality of applications includes a first application. The secret key access control apparatus 70 further includes a generation module 701 and a secret key management module 702. The generation module 701 is configured to generate a secret key use request based on the first application. The secret key use request includes a first secret key identifier and to-be-verified signature information of the first application. The secret key management module 702 is configured to obtain reference signed information of the first application according to the identifier of the first application and the first secret key identifier. The reference signed information of the first application is generated based on the single-platform information of the first application and a first cross-platform identifier, and the single-platform information of the first application includes the single-platform identifier of the first application in the operating system of the secret key access control apparatus 70. The secret key management module 702 is further configured to verify the to-be-verified signature information of the first application according to the first secret key identifier and the reference signed information of the first application, to obtain a verification result. The verification result indicates whether the secret key use request passes verification. For example, with reference to FIG. 4, the generation module 701 may be used to perform S100, and the secret key management module 702 may be used to perform S102 to S107. With reference to FIG. 6, the generation module 701 may be used to perform S301, and the secret key management module 702 may be used to perform S303 to S305.
Optionally, the secret key management module 702 is specifically configured to: obtain the single-platform information of the first application using the identifier of the first application; obtain, according to the first secret key identifier, the first cross-platform identifier of the first application corresponding to the first secret key identifier from the correspondence between each of a plurality of secret key identifiers and the cross-platform identifier of an application; and obtain the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier.
Optionally, the secret key management module 702 is specifically configured to generate the reference signed information of the first application by applying a hash algorithm to the single-platform information of the first application and the first cross-platform identifier.
Optionally, the secret key management module 702 is specifically configured to: according to the single-platform information of the first application and the first cross-platform identifier, select, from the correspondence between each of a plurality of pieces of reference signed information and the first information of an application, the reference signed information that corresponds to both the single-platform information of the first application and the first cross-platform identifier, as the reference signed information of the first application. The first information of an application includes the single-platform information of the application and the cross-platform identifier of the application.
Optionally, the single-platform information of the first application further includes the application signature of the first application and the single-platform signature public key of the first application. The application signature of the first application is information obtained by performing a signature operation on the installation package information of the first application.
Optionally, the secret key management module 702 is specifically configured to: obtain, according to the first secret key identifier, the verification signature public key of the first application from the correspondence between each of a plurality of secret key identifiers and a verification signature public key; and verify the to-be-verified signature information of the first application according to the verification signature public key of the first application and the reference signed information of the first application. The single-platform signature public key of the first application is used to verify the application signature of the first application.
Optionally, the generation module 701 is further configured to generate a correspondence between a second secret key identifier and the first cross-platform identifier. The secret key access control apparatus 70 further includes a sending module 703, configured to send the correspondence between the second secret key identifier and the first cross-platform identifier to a second computer device. The second computer device is an apparatus different from the secret key access control apparatus 70.
Optionally, the generation module 701 is further configured to generate a correspondence between the second secret key identifier and the verification signature public key of the first application. The sending module 703 is further configured to send the correspondence between the second secret key identifier and the verification signature public key of the first application to the second computer device.
In an example, with reference to FIG. 3, the sending module 703 may be implemented by the communication interface 104 in FIG. 3; the generation module 701 and the secret key management module 702 may each be implemented by the processor 101 in FIG. 1 invoking a computer program stored in the memory 103.
FIG. 7 is a schematic structural diagram of a secret key access control apparatus according to an embodiment of this application. The secret key access control apparatus 70 may be used to perform the functions performed by the computer device in any of the foregoing embodiments (for example, the embodiment shown in FIG. 5). The secret key access control apparatus 70 includes a plurality of applications, and the plurality of applications includes a first application. The secret key access control apparatus 70 further includes a generation module 701 and a secret key management module 702. The generation module 701 is configured to generate a secret key use request based on the first application. The secret key use request includes a first secret key identifier. The secret key management module 702 is configured to: obtain, according to the first secret key identifier, the first cross-platform identifier of the first application corresponding to the first secret key identifier from the correspondence between each of a plurality of secret key identifiers and the cross-platform identifier of an application; obtain the single-platform information of the first application, which includes the single-platform identifier of the first application in the operating system of the secret key access control apparatus 70; obtain, according to the single-platform information of the first application, the second cross-platform identifier corresponding to the single-platform information of the first application from the correspondence between the single-platform information and the cross-platform identifier of each of the plurality of applications; and, if the first cross-platform identifier is the same as the second cross-platform identifier, determine that the secret key use request passes verification, or, if the first cross-platform identifier is different from the second cross-platform identifier, determine that the secret key use request fails verification. For example, with reference to FIG. 5, the generation module 701 may be used to perform S200, and the secret key management module 702 may be used to perform S202 to S207.
Optionally, the generation module 701 is further configured to generate a correspondence between a second secret key identifier and the first cross-platform identifier. The secret key access control apparatus 70 further includes a sending module 703, configured to send the correspondence between the second secret key identifier and the first cross-platform identifier to a second computer device. The second computer device is an apparatus different from the secret key access control apparatus 70.
In an example, with reference to FIG. 3, the sending module 703 may be implemented by the communication interface 104 in FIG. 3; the generation module 701 and the secret key management module 702 may each be implemented by the processor 101 in FIG. 1 invoking a computer program stored in the memory 103.
For specific descriptions of the foregoing optional manners, refer to the foregoing method embodiments, which are not repeated here. In addition, for explanations of any of the secret key access control apparatuses 70 provided above and descriptions of their beneficial effects, refer to the corresponding method embodiments above, which are not repeated here.
It should be noted that the actions described above as performed by each module are only specific examples; for the actions actually performed by each module, refer to the actions or steps mentioned in the description of the embodiments based on FIG. 4, FIG. 5 or FIG. 6.
The embodiments of this application further provide an apparatus (for example, a computer device or a chip), including a memory and a processor. The memory is configured to store a computer program, and the processor is configured to invoke the computer program to perform the actions or steps mentioned in any of the embodiments provided above.
The embodiments of this application further provide a computer-readable storage medium storing a computer program. When the computer program runs on a computer, the computer is caused to perform the actions or steps mentioned in any of the embodiments provided above.
The embodiments of this application further provide a chip. The chip integrates circuitry and one or more interfaces for implementing the functions of the foregoing computer device. Optionally, the functions supported by the chip may include the processing actions in the embodiments described with reference to FIG. 4 to FIG. 6, which are not repeated here. A person of ordinary skill in the art can understand that all or part of the steps for implementing the foregoing embodiments may be completed by a program instructing related hardware. The program may be stored in a computer-readable storage medium. The storage medium may be a read-only memory, a random access memory, or the like. The foregoing processing unit or processor may be a central processing unit, a general-purpose processor, an application specific integrated circuit (ASIC), a microprocessor (digital signal processor, DSP), a field programmable gate array (FPGA) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof.
The embodiments of this application further provide a computer program product containing instructions which, when run on a computer, cause the computer to perform any one of the methods in the foregoing embodiments. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example, infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
It should be noted that the devices provided in the embodiments of this application for storing computer instructions or computer programs, such as, but not limited to, the foregoing memory, computer-readable storage medium and communication chip, are all non-transitory.
In the course of implementing the claimed application, those skilled in the art can understand and implement other variations of the disclosed embodiments by studying the drawings, the disclosure and the appended claims. In the claims, the word "comprising" does not exclude other components or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although this application has been described with reference to specific features and embodiments thereof, various modifications and combinations may be made without departing from the spirit and scope of this application. Accordingly, the specification and drawings are merely illustrative of this application as defined by the appended claims and are deemed to cover any and all modifications, variations, combinations or equivalents within the scope of this application.

Claims (20)

  1. A secret key access control method, characterized in that it is applied to a target computer device, the target computer device comprising a plurality of applications, the plurality of applications comprising a first application, and the method comprising:
    generating a secret key use request based on the first application, wherein the secret key use request comprises a first secret key identifier and to-be-verified signature information of the first application;
    obtaining reference signed information of the first application according to an identifier of the first application and the first secret key identifier, wherein the reference signed information of the first application is generated based on single-platform information of the first application and a first cross-platform identifier, and the single-platform information of the first application comprises a single-platform identifier of the first application in an operating system of the target computer device; and
    verifying the to-be-verified signature information of the first application according to the first secret key identifier and the reference signed information of the first application, to obtain a verification result, wherein the verification result indicates whether the secret key use request passes verification.
  2. The method according to claim 1, characterized in that the obtaining reference signed information of the first application according to an identifier of the first application and the first secret key identifier comprises:
    obtaining the single-platform information of the first application using the identifier of the first application;
    obtaining, according to the first secret key identifier, the first cross-platform identifier of the first application corresponding to the first secret key identifier from a correspondence between each of a plurality of secret key identifiers and a cross-platform identifier of an application; and
    obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier.
  3. The method according to claim 2, characterized in that the obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier comprises:
    generating the reference signed information of the first application by applying a hash algorithm to the single-platform information of the first application and the first cross-platform identifier.
  4. The method according to claim 2, characterized in that the obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier comprises:
    selecting, according to the single-platform information of the first application and the first cross-platform identifier, from a correspondence between each of a plurality of pieces of reference signed information and first information of an application, the reference signed information corresponding to both the single-platform information of the first application and the first cross-platform identifier as the reference signed information of the first application, wherein the first information of an application comprises single-platform information of the application and a cross-platform identifier of the application.
  5. The method according to any one of claims 1 to 4, characterized in that the single-platform information of the first application further comprises an application signature of the first application and a single-platform signature public key of the first application, wherein the application signature of the first application is information obtained by performing a signature operation on installation package information of the first application, and the single-platform signature public key of the first application is used to verify the application signature of the first application.
  6. 根据权利要求1-5任一项所述的方法,其特征在于,所述根据所述第一秘钥标识和所述第一应用的参照被签名信息,对所述第一应用的待验证签名信息进行验证,包括:The method according to any one of claims 1-5, wherein the signature to be verified of the first application is performed according to the first secret key identifier and the reference signed information of the first application Information is verified, including:
    根据所述第一秘钥标识,从多个秘钥标识与每个秘钥标识与验证签名公钥的对应关系中获取所述第一应用的验证签名公钥;Acquiring, according to the first secret key identifier, the verification signature public key of the first application from a plurality of secret key identifiers and the corresponding relationship between each secret key identifier and the verification signature public key;
    根据所述第一应用的验证签名公钥和所述第一应用的参照被签名信息,对所述第 一应用的待验证签名信息进行验证。The signature information to be verified of the first application is verified according to the verification signature public key of the first application and the reference signed information of the first application.
  7. 根据权利要求1-6任一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1-6, wherein the method further comprises:
    生成第二秘钥标识与所述第一跨平台标识的对应关系;Generating a corresponding relationship between the second secret key identifier and the first cross-platform identifier;
    向第二计算机设备发送所述第二秘钥标识与所述第一跨平台标识的对应关系,其中,所述第二计算机设备是与所述目标计算机设备不同的计算机设备。Send the corresponding relationship between the second secret key identifier and the first cross-platform identifier to a second computer device, where the second computer device is a computer device different from the target computer device.
  8. 根据权利要求7所述的方法,其特征在于,所述方法还包括:The method according to claim 7, wherein the method further comprises:
    生成所述第二秘钥标识与所述第一应用的验证签名公钥的对应关系;Generating a correspondence between the second secret key identifier and the verification signature public key of the first application;
    向所述第二计算机设备发送所述第二秘钥标识与所述第一应用的验证签名公钥的对应关系。Sending the corresponding relationship between the second secret key identifier and the verification signature public key of the first application to the second computer device.
  9. 一种秘钥访问控制方法,其特征在于,应用于目标计算机设备,所述目标计算机设备包括多个应用,所述多个应用包括第一应用;所述方法包括:A secret key access control method, characterized in that it is applied to a target computer device, the target computer device includes multiple applications, and the multiple applications include a first application; the method includes:
    基于所述第一应用生成秘钥使用请求;所述秘钥使用请求包括第一秘钥标识;Generate a secret key use request based on the first application; the secret key use request includes a first secret key identifier;
    根据所述第一秘钥标识,从多个秘钥标识中的每个秘钥标识与应用的跨平台标识的对应关系中,获取所述第一秘钥标识对应的所述第一应用的第一跨平台标识;According to the first secret key identifier, from the correspondence between each secret key identifier in the plurality of secret key identifiers and the cross-platform identifier of the application, the first application corresponding to the first secret key identifier is obtained. A cross-platform logo;
    获取所述第一应用的单平台信息;所述第一应用的单平台信息包括所述第一应用在所述目标计算机设备的操作***中的单平台标识;Acquiring the single-platform information of the first application; the single-platform information of the first application includes the single-platform identification of the first application in the operating system of the target computer device;
    根据所述第一应用的单平台信息,从多个应用中的每个应用的单平台信息与跨平台标识的对应关系中,获取所述第一应用的单平台信息对应的第二跨平台标识;According to the single-platform information of the first application, the second cross-platform identifier corresponding to the single-platform information of the first application is obtained from the corresponding relationship between the single-platform information of each of the multiple applications and the cross-platform identifier ;
    若所述第一跨平台标识与所述第二跨平台标识相同,则确定所述秘钥使用请求验证通过;若所述第一跨平台标识与所述第二跨平台标识不同,则确定所述秘钥使用请求验证不通过。If the first cross-platform identification is the same as the second cross-platform identification, it is determined that the key use request verification is passed; if the first cross-platform identification is different from the second cross-platform identification, it is determined that all The key usage request verification failed.
  10. 一种计算机设备,其特征在于,所述计算机设备包括多个应用,所述多个应用包括第一应用;所述计算机设备还包括:A computer device, wherein the computer device includes multiple applications, and the multiple applications include a first application; the computer device further includes:
    生成模块,基于所述第一应用生成秘钥使用请求;所述秘钥使用请求包括第一秘钥标识和所述第一应用的待验证签名信息;A generating module, which generates a secret key use request based on the first application; the secret key use request includes a first secret key identifier and signature information to be verified of the first application;
    秘钥管理模块,用于根据所述第一应用的标识和所述第一秘钥标识,获取所述第一应用的参照被签名信息;所述第一应用的参照被签名信息是基于所述第一应用的单平台信息和第一跨平台标识生成的,所述第一应用的单平台信息包括所述第一应用在所述计算机设备的操作***中的单平台标识;根据所述第一秘钥标识和所述第一应用的参照被签名信息,对所述第一应用的待验证签名信息进行验证,得到验证结果;所述验证结果用于指示所述秘钥使用请求是否验证通过。The secret key management module is configured to obtain the reference signed information of the first application according to the identity of the first application and the first secret key identity; the reference signed information of the first application is based on the The single-platform information of the first application and the first cross-platform identification are generated, and the single-platform information of the first application includes the single-platform identification of the first application in the operating system of the computer device; The secret key identifier and the reference signed information of the first application verify the signature information to be verified of the first application to obtain a verification result; the verification result is used to indicate whether the secret key use request is verified.
  11. 根据权利要求10所述的计算机设备,其特征在于,所述秘钥管理模块具体用于:The computer device according to claim 10, wherein the secret key management module is specifically configured to:
    使用所述第一应用的标识获取所述第一应用的单平台信息;Acquiring the single-platform information of the first application by using the identifier of the first application;
    根据所述第一秘钥标识,从多个秘钥标识中的每个秘钥标识与应用的跨平台标识的对应关系中,获取所述第一秘钥标识对应的所述第一应用的第一跨平台标识;According to the first secret key identifier, from the correspondence between each secret key identifier in the plurality of secret key identifiers and the cross-platform identifier of the application, the first application corresponding to the first secret key identifier is obtained. A cross-platform logo;
    基于所述第一应用的单平台信息和所述第一跨平台标识,获取所述第一应用的参照被签名信息。Based on the single-platform information of the first application and the first cross-platform identifier, obtain the reference signed information of the first application.
  12. 根据权利要求11所述的计算机设备,其特征在于,所述秘钥管理模块具体用 于:The computer device according to claim 11, wherein the secret key management module is specifically used for:
    基于所述第一应用的单平台信息和所述第一跨平台标识,采用哈希算法生成所述第一应用的参照被签名信息。Based on the single-platform information of the first application and the first cross-platform identifier, a hash algorithm is used to generate the reference signed information of the first application.
  13. 根据权利要求11所述的计算机设备,其特征在于,所述秘钥管理模块具体用于:The computer device according to claim 11, wherein the secret key management module is specifically configured to:
    根据所述第一应用的单平台信息和所述第一跨平台标识,从多个参照被签名信息中的每个参照被签名信息与应用的第一信息的对应关系中,将与所述第一应用的单平台信息和所述第一跨平台标识均对应的参照被签名信息作为所述第一应用的参照被签名信息;所述应用的第一信息包括应用的单平台信息和应用的跨平台标识。According to the single-platform information of the first application and the first cross-platform identifier, the corresponding relationship between each of the multiple reference signed information and the first information of the application will be compared with the first information of the application. The reference signed information corresponding to the single-platform information of an application and the first cross-platform identifier is used as the reference signed information of the first application; the first information of the application includes the single-platform information of the application and the cross-platform information of the application. Platform ID.
  14. 根据权利要求10-13任一项所述的计算机设备,其特征在于,所述第一应用的单平台信息还包括:所述第一应用的应用签名和所述第一应用的单平台签名公钥;所述第一应用的应用签名,是对所述第一应用的安装包信息进行签名运算,得到的信息;所述第一应用的单平台签名公钥用于对所述第一应用的应用签名进行验证。The computer device according to any one of claims 10-13, wherein the single-platform information of the first application further comprises: the application signature of the first application and the single-platform signature of the first application. Key; the application signature of the first application is information obtained by performing a signature calculation on the installation package information of the first application; the single-platform signature public key of the first application is used for the first application Apply the signature for verification.
  15. 根据权利要求10-14任一项所述的计算机设备,其特征在于,所述秘钥管理模块具体用于:The computer device according to any one of claims 10-14, wherein the secret key management module is specifically configured to:
    根据所述第一秘钥标识,从多个秘钥标识与每个秘钥标识与验证签名公钥的对应关系中获取所述第一应用的验证签名公钥;Acquiring, according to the first secret key identifier, the verification signature public key of the first application from a plurality of secret key identifiers and the corresponding relationship between each secret key identifier and the verification signature public key;
    根据所述第一应用的验证签名公钥和所述第一应用的参照被签名信息,对所述第一应用的待验证签名信息进行验证。According to the verification signature public key of the first application and the reference signed information of the first application, verify the signature information to be verified of the first application.
  16. 根据权利要求10-15任一项所述的计算机设备,其特征在于,The computer device according to any one of claims 10-15, wherein:
    所述生成模块还用于:生成第二秘钥标识与所述第一跨平台标识的对应关系;The generating module is further configured to: generate a corresponding relationship between the second secret key identifier and the first cross-platform identifier;
    所述计算机设备还包括发送模块,用于向第二计算机设备发送所述第二秘钥标识与所述第一跨平台标识的对应关系,其中,所述第二计算机设备是与所述计算机设备不同的计算机设备。The computer device further includes a sending module, configured to send the corresponding relationship between the second secret key identifier and the first cross-platform identifier to a second computer device, wherein the second computer device is related to the computer device Different computer equipment.
  17. 根据权利要求16所述的计算机设备,其特征在于,The computer device of claim 16, wherein:
    所述生成模块还用于:生成所述第二秘钥标识与所述第一应用的验证签名公钥的对应关系;The generating module is further configured to: generate a corresponding relationship between the second secret key identifier and the verification signature public key of the first application;
    所述发送模块还用于:向所述第二计算机设备发送所述第二秘钥标识与所述第一应用的验证签名公钥的对应关系。The sending module is further configured to send the corresponding relationship between the second secret key identifier and the verification signature public key of the first application to the second computer device.
  18. 一种计算机设备,其特征在于,所述计算机设备包括多个应用,所述多个应用包括第一应用;所述计算机设备还包括:A computer device, wherein the computer device includes multiple applications, and the multiple applications include a first application; the computer device further includes:
    生成模块,基于所述第一应用生成秘钥使用请求;所述秘钥使用请求包括第一秘钥标识;A generating module, which generates a secret key use request based on the first application; the secret key use request includes a first secret key identifier;
    秘钥管理模块,用于根据所述第一秘钥标识,从多个秘钥标识中的每个秘钥标识与应用的跨平台标识的对应关系中,获取所述第一秘钥标识对应的所述第一应用的第一跨平台标识;获取所述第一应用的单平台信息;所述第一应用的单平台信息包括所述第一应用在所述计算机设备的操作***中的单平台标识;根据所述第一应用的单平台信息,从多个应用中的每个应用的单平台信息与跨平台标识的对应关系中,获取所述第一应用的单平台信息对应的第二跨平台标识;若所述第一跨平台标识与所述第二跨 平台标识相同,则确定所述秘钥使用请求验证通过;若所述第一跨平台标识与所述第二跨平台标识不同,则确定所述秘钥使用请求验证不通过。The secret key management module is configured to obtain the corresponding first secret key identifier from the correspondence between each secret key identifier of the multiple secret key identifiers and the cross-platform identifier of the application according to the first secret key identifier The first cross-platform identification of the first application; the single platform information of the first application is acquired; the single platform information of the first application includes the single platform of the first application in the operating system of the computer device Identification; according to the single-platform information of the first application, from the correspondence between the single-platform information and the cross-platform identification of each of the multiple applications, obtain the second cross-platform corresponding to the single-platform information of the first application Platform identification; if the first cross-platform identification is the same as the second cross-platform identification, it is determined that the verification of the key use request is passed; if the first cross-platform identification is different from the second cross-platform identification, It is determined that the verification of the secret key use request fails.
  19. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质上存储有计算机程序,当所述计算机程序在计算机上运行时,使得所述计算机执行权利要求1-9任一项所述的方法。A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is run on a computer, the computer executes any one of claims 1-9. The method described.
  20. 一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其特征在于,所述处理器执行所述程序时实现权利要求1-9任一项所述方法的步骤。A computer device, comprising a memory, a processor, and a computer program stored on the memory and running on the processor, wherein the processor implements any one of claims 1-9 when the program is executed Method steps.
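The two verification flows the claims describe (the signature check of claims 1 through 6 and the identifier comparison of claim 9), as an added example in Go that is not part of the patent or of any Huawei implementation. It assumes Ed25519 for the verification signature public key, SHA-256 for the hash algorithm of claim 3, and table and field names (keyToCrossID, appToCrossID, PlatformSignKey and so on) that are not from the page; every application identifier, key identifier and package value is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SinglePlatformInfo: OS-level single-platform identifier (claim 1), package signature and platform signing public key (claim 5).
type SinglePlatformInfo struct {
	PlatformID      string
	AppSignature    []byte
	PlatformSignKey []byte
}

// KeyManager holds the four lookup tables the claims name (field names are assumed).
type KeyManager struct {
	keyToCrossID  map[string]string             // key id -> cross-platform id (claims 2, 9)
	keyToVerifyPK map[string]ed25519.PublicKey  // key id -> verification public key (claim 6)
	appInfo       map[string]SinglePlatformInfo // app id -> single-platform info
	appToCrossID  map[string]string             // single-platform id -> cross-platform id (claim 9)
}

// referenceSignedInfo hashes the single-platform info with the cross-platform id (claim 3).
func referenceSignedInfo(info SinglePlatformInfo, crossID string) []byte {
	h := sha256.New() // fields are length-prefixed so adjacent fields cannot run into one another
	for _, p := range [][]byte{[]byte(info.PlatformID), info.AppSignature, info.PlatformSignKey, []byte(crossID)} {
		fmt.Fprintf(h, "%d:%s", len(p), p)
	}
	return h.Sum(nil)
}

// VerifyKeyUseRequest (claims 1-6): look up what is bound to keyID, rebuild the caller's reference, verify.
func (km *KeyManager) VerifyKeyUseRequest(appID, keyID string, sig []byte) bool {
	crossID, okID := km.keyToCrossID[keyID]
	pk, okPK := km.keyToVerifyPK[keyID]
	info, okApp := km.appInfo[appID]
	return okID && okPK && okApp && ed25519.Verify(pk, referenceSignedInfo(info, crossID), sig)
}

// CheckCrossPlatformID (claim 9, no signature): the id bound to the key must equal the caller's id.
func (km *KeyManager) CheckCrossPlatformID(appID, keyID string) bool {
	first, okKey := km.keyToCrossID[keyID]
	info, okApp := km.appInfo[appID]
	second, okBind := km.appToCrossID[info.PlatformID]
	return okKey && okApp && okBind && first == second
}

// Demo: two constructed apps, one key bound to the first; returns that key's signing private key.
func Demo() (*KeyManager, ed25519.PrivateKey) {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &KeyManager{
		keyToCrossID:  map[string]string{"key-0001": "notes@cross"},
		keyToVerifyPK: map[string]ed25519.PublicKey{"key-0001": pk},
		appInfo: map[string]SinglePlatformInfo{
			"app-notes": {"com.example.notes", []byte("notes-pkg-sig"), []byte("platform-pk")},
			"app-other": {"com.example.other", []byte("other-pkg-sig"), []byte("platform-pk")}},
		appToCrossID: map[string]string{"com.example.notes": "notes@cross", "com.example.other": "other@cross"},
	}, sk
}
// SignRequest is the requesting side: it signs the reference derived from its own identity.
func SignRequest(sk ed25519.PrivateKey, info SinglePlatformInfo, crossID string) []byte {
	return ed25519.Sign(sk, referenceSignedInfo(info, crossID))
}
```

Because the reference binds the caller's own single-platform identity to the cross-platform identifier stored for the key, a second application on the same device that presents the first application's key identifier fails both checks even when it replays a valid signature.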
PCT/CN2020/132720 2020-02-14 2020-11-30 Secret key access control method and apparatus WO2021159818A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010092581.1 2020-02-14
CN202010092581.1A CN111414640B (en) 2020-02-14 2020-02-14 Key access control method and device

Publications (1)

Publication Number Publication Date
WO2021159818A1 true WO2021159818A1 (en) 2021-08-19

Family

ID=71490937

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/132720 WO2021159818A1 (en) 2020-02-14 2020-11-30 Secret key access control method and apparatus

Country Status (2)

Country Link
CN (1) CN111414640B (en)
WO (1) WO2021159818A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111414640B (en) * 2020-02-14 2022-07-22 华为技术有限公司 Key access control method and device
CN113051630B (en) * 2021-03-31 2024-07-23 联想(北京)有限公司 Control method and electronic equipment
CN114285581B (en) * 2021-12-07 2024-05-14 西安广和通无线通信有限公司 Application management method and related product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130036301A1 (en) * 2005-03-30 2013-02-07 Wells Fargo Bank, N.A. Distributed Cryptographic Management for Computer Systems
CN103685267A (en) * 2013-12-10 2014-03-26 小米科技有限责任公司 Data access method and device
CN105678192A (en) * 2015-12-29 2016-06-15 北京数码视讯科技股份有限公司 Smart card based secret key application method and application apparatus
CN109982150A (en) * 2017-12-27 2019-07-05 国家新闻出版广电总局广播科学研究院 The trust chain method for building up and Intelligent television terminal of Intelligent television terminal
CN111414640A (en) * 2020-02-14 2020-07-14 华为技术有限公司 Key access control method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107145769B (en) * 2017-03-31 2020-04-28 华为技术有限公司 Digital Rights Management (DRM) method, equipment and system
CN109525396B (en) * 2018-09-30 2021-02-23 华为技术有限公司 Method and device for processing identity key and server

Also Published As

Publication number Publication date
CN111414640B (en) 2022-07-22
CN111414640A (en) 2020-07-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20918559; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20918559; Country of ref document: EP; Kind code of ref document: A1)