CN101727551A - Method for computer to safely transfer secret key and private key - Google Patents
Method for computer to safely transfer secret key and private key Download PDFInfo
- Publication number
- CN101727551A CN101727551A CN200810228010A CN200810228010A CN101727551A CN 101727551 A CN101727551 A CN 101727551A CN 200810228010 A CN200810228010 A CN 200810228010A CN 200810228010 A CN200810228010 A CN 200810228010A CN 101727551 A CN101727551 A CN 101727551A
- Authority
- CN
- China
- Prior art keywords
- platform
- equipment
- computer
- key
- processor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a method for a computer to safely transfer a secret key and a private key, relates to computer safety, in particular relating to that computer equipment safely transfers a secret key and a private key. The invention provides a platform sending request; the platform provides an intrinsic message and responses to the request; the platform provides a message requested by the equipment which is manufactured by one or a group of equipment manufacturers and is freely chosen by verification needed by the first requested platform. The invention has the technical scheme that the platform shows that the cipher message generated by the equipment manufacturer is owned thereby, and the platform extracts a reliable plain module TPM in a replied mode. The TPM is the cipher equipment manufactured by the equipment manufacturer and is sealed in the processor of small amounts of packaged on-chip-memories to be configured to the platform; the processor can be a microprocessor, a digital signal processor and a microcontroller.
Description
Technical field
The present invention relates to computer security, relates in particular to computer equipment and transmits cryptographic key safely.
Background technology
Some disposal system architecture of present computer security features requires special protection, software module can create with disposal system in the certified encrypted communication session of special protection hardware device.A kind of common method that is used for marking equipment and sets up encrypted communication session simultaneously, in this course, to devices allocation unique publicly-owned/privately owned because this verification process uses RSA or ECC key, therefore equipment has unique and evincible identity, and this may cause privacy concerns.Under worst case, these problems can cause lacking the support that structure is provided the credible equipment of this security.Their encrypted communication session own and foundation and trusted software module of protected/credible equipment authentication that Internet Key Exchange Protocol allows have been avoided creating any unique identity information in disposal system, and avoid introducing privacy concerns thus.Yet directly embedding in the equipment on production line directly has than the more protected non-volatile memories of other method on the proof private key requirement equipment, thereby has increased equipment cost.Be installed in method in the equipment by equipment itself, realize that minimizing to the amount of the required non-volatile memories of the key change based on direct proof of equipment can cause the more wide in range employing to this technology.The example of various types of communication links includes but not limited to or does not retrain torch line, optical fiber, cable, total line tracking or wireless signaling technology.
Summary of the invention:
For achieving the above object, the invention provides this a kind of platform and send request, platform provides the information about itself, in response to request, institute's information requested of the equipment of equipment manufacturers that platform provides that first platform of asking need verify to come freely to select or one group of equipment manufacturers' manufacturing of selection.
If according to above-mentioned described, technical scheme of the present invention is that platform has the encrypted message that is generated by equipment manufacturers so that it to be shown, platform is by carrying credible flat compound module TPM with the form of replying, TPM is the encryption device of being made by equipment manufacturers, be sealed in the processor of small amount of on-chip memory in the encapsulation and be configured to platform, processor is microprocessor, digital signal processor, microcontroller.
Beneficial effect of the present invention:
The configuration of computer system of the present invention is depended on such as numerous factors such as price constraints, performance requirement, other environment of technological improvement and different between each is realized." credible " software module of the special protection be stored in the primary memory mass-memory unit and carried out by processor is used in the computer system support; even also to carry out specific activities under the situation that in system, has other Malware; some need in these trusted software module certain not only to other platform; and to the one or more equipment in the identical platform, such as the protected access of equal " credible " of graphics controller.Generally speaking, ability or specific identity that this visiting demand trusted software module can marking equipment, set up then with the encryption session of this equipment to allow exchange and can not be monitored or the data of swindle by other software in the system.PKI can be delivered to software module together with certificate of certification.In the DH key exchange process, equipment uses its private key to sign message, and software module can use corresponding public key to verify this private key.
Description of drawings:
Fig. 1 is a system flowchart of the present invention;
Fig. 2 is the FB(flow block) of key of the present invention.
Embodiment:
Of the present invention on production line during production equipment, equipment manufacturers only are stored into pseudo random number in this equipment, use distribution CD to encrypt and transmit simultaneously, this process guarantees to have only appointed equipment could decipher and use the key of its signature, can be by transmitting the data structure that is called " key block " by the group record of equipment manufacturers' signature.And only just begin to handle the key block that is extracted after whole record is carried out grammatical analysis, the assailant just can't infer and selected key block based on regularly attacking.The protected system of device fabrication is included in the disposal system of using in the manufacturing setting up procedure before of equipment.Protected system can be by equipment manufacturers or other physical operation, so that the protected attack that is not subjected to from the hacker outside the device fabrication side of protected system.Manufacture system can use in the manufacturing of equipment.Key block comprises at least three data item, if to encrypt using stream cipher, then uses at the known method that stream cipher uses being used for.If use block encryption, then will make that thus each example of encrypting all is different as the part of the message that will encrypt to encrypting.
Take over what combination,, can use any suitable movable storage medium herein although CD is described to storage medium.Expectation use direct identification protocol carry out with system in the client computer system of the authentication of communication session of the equipment that comprises and key change can after in case CD is inserted in the CDROM drive of client computer system, promptly read selected group record the keyblob database from CD.Cipher key block data can obtain from group record, and is used to generate the localized keyblob that is used to realize direct identification protocol by equipment.Device driver software carries out initialization and opertaing device by client computer system.Equipment manufacturers can generate the Device keys of the number of appointment then.When being one group of equipment when having created the whole data set of key block, signing the keyblob database of this group at least and it is burnt on the common distribution CD, with each equipment distribution.Thus, group record is created by equipment manufacturers.Can be with the close silver bullion database that adds to through the group record of signature on the distribution CD.
Claims (1)
1. the method for computer to safely transfer secret key and private key, it has the encrypted message that is generated by equipment manufacturers to it is characterized in that platform, platform is by providing credible flat compound module TPM with the form of replying, TPM is the encryption device of being made by equipment manufacturers, is sealed in the processor that encapsulates interior small amount of on-chip memory and is configured to platform; Processor is microprocessor, digital signal processor, microcontroller.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810228010A CN101727551A (en) | 2008-10-10 | 2008-10-10 | Method for computer to safely transfer secret key and private key |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810228010A CN101727551A (en) | 2008-10-10 | 2008-10-10 | Method for computer to safely transfer secret key and private key |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101727551A true CN101727551A (en) | 2010-06-09 |
Family
ID=42448431
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200810228010A Pending CN101727551A (en) | 2008-10-10 | 2008-10-10 | Method for computer to safely transfer secret key and private key |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101727551A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107005407A (en) * | 2014-12-01 | 2017-08-01 | 微软技术许可有限责任公司 | Use the TPM of server remote password service |
-
2008
- 2008-10-10 CN CN200810228010A patent/CN101727551A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107005407A (en) * | 2014-12-01 | 2017-08-01 | 微软技术许可有限责任公司 | Use the TPM of server remote password service |
CN107005407B (en) * | 2014-12-01 | 2020-10-16 | 微软技术许可有限责任公司 | Remote password service using TPM of server |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN1708942B (en) | Secure implementation and utilization of device-specific security data | |
CN108667608B (en) | Method, device and system for protecting data key | |
CN1926837B (en) | Method and apparatuses for sharing cryptographic key with an embedded agent on a network endpoint in a network domain | |
US8677144B2 (en) | Secure software and hardware association technique | |
EP3522580B1 (en) | Credential provisioning | |
JP4616345B2 (en) | A method for directly distributing a certification private key to a device using a distribution CD | |
CN110460439A (en) | Information transferring method, device, client, server-side and storage medium | |
US20160277933A1 (en) | Secure Data Communication system between IoT smart devices and a Network gateway under Internet of Thing environment | |
US20060013402A1 (en) | Method of delivering Direct Proof private keys to devices using an on-line service | |
US8051489B1 (en) | Secure configuration of a wireless sensor network | |
CN103532713B (en) | Sensor authentication and shared key production method and system and sensor | |
WO2006019614A2 (en) | Method of delivering direct proof private keys in signed groups to devices using a distribution cd | |
CN102843232B (en) | Generate secure device secret key | |
US20130259227A1 (en) | Information processing device and computer program product | |
CN111371543B (en) | Internet of things equipment access control method based on double-block chain structure | |
EP2549784B1 (en) | Wireless communication apparatus and method of preventing leakage of a cryptographic key | |
CN108718233A (en) | A kind of encryption method, computer equipment and storage medium | |
CN103746815A (en) | Secure communication method and device | |
CN105262586B (en) | The method for distributing key and device of automobile burglar equipment | |
CN110383755A (en) | The network equipment and trusted third party's equipment | |
CN113591109B (en) | Method and system for communication between trusted execution environment and cloud | |
CN104618380A (en) | Secret key update method suitable for internet of things | |
CN107409043B (en) | Distributed processing of products based on centrally encrypted stored data | |
CN117119012A (en) | Urban lifeline data processing method and equipment | |
US10057054B2 (en) | Method and system for remotely keyed encrypting/decrypting data with prior checking a token |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Open date: 20100609 |