CN111082928B - Key distribution method, key distribution system, and computer-readable storage medium - Google Patents


Info

Publication number: CN111082928B
Authority: CN (China)
Prior art keywords: key; message data; distributor; terminal; request message
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201911104925.XA
Other languages: Chinese (zh)
Other versions: CN111082928A (en)
Inventors: 夏文柱, 舒海洋, 余雷
Current Assignee: Wuxi Rongka Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuxi Rongka Technology Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a key distribution method, a key distribution system and a computer-readable storage medium. The key distribution method comprises the following steps: receiving activation request message data; decrypting the message key by using a private key; decrypting the activation request message data by using the message key; checking the validity of the activation request message data and verifying the validity of the public key of the key distributor; after the public key of the key distributor is verified to be legitimate, creating a public key certificate of the key distributor, storing the public key certificate, generating a ciphertext key, and generating a key check value according to the message key and the secondary sub-key; setting the state of the key distributor to an activated state; generating activation response message data in response to the activation request message data; and sending the activation response message data to the terminal equipment. Efficiency is improved, flexibility is increased, and the distribution process of the terminal key is made safer and more stable.

Description

Key distribution method, key distribution system, and computer-readable storage medium
Technical Field
The present invention relates to the technical field of key distribution, and in particular, to a key distribution method, a key distribution system, and a computer-readable storage medium.
Background
At present, Internet of Things applications have entered every aspect of people's lives, in particular smart-city applications in fields such as traffic, medical treatment and education. Security requirements are therefore more diverse, and the security problems of the Internet of Things deserve attention. When an Internet of Things device accesses the Internet of Things, activation authentication is needed, and the authentication process involves the distribution of keys.
However, the number of devices in the Internet of Things is often huge, and the information exchanged between devices is easily intercepted and stolen, or the identity of a device is easily counterfeited. Communication between legitimate devices may be intercepted, or the hardware chip of a legitimate device may be cracked directly, so that a legitimate Internet of Things device is counterfeited, the communication network of the legitimate devices is accessed, and key data and information are collected; more seriously, leakage of key information may even threaten national security, creating a great potential safety hazard. Therefore, network security protection measures are key to protecting personal privacy and are important for preventing a country's confidential information from being acquired by other countries.
Given the huge number of devices in the Internet of Things, having the cloud platform generate device codes in advance and then write them into each device is obviously unrealistic. To reduce the probability that communication information is intercepted and stolen and that a device identity is counterfeited, the two parties usually authenticate each other's identity before sending effective communication data, with the following aims:
1) The unlicensed device cannot access the legitimate cloud platform;
2) Legitimate devices cannot access the unlicensed cloud platform.
Current key distribution embeds the key in a chip or some other form of carrier. The chip or carrier may have quality problems in the production process, which may cause the key to lose its security, and the key cannot be updated dynamically.
Therefore, there is a need to provide an improved technical solution to overcome the above technical problems in the prior art.
Disclosure of Invention
In order to solve the above technical problems, the invention provides a key distribution method, a key distribution system and a computer-readable storage medium, which improve efficiency and increase flexibility, so that the distribution process of the terminal key is safer and more stable. At the same time, illegal devices can be prevented from accessing the communication network, and illegal devices that access the platform using the identifiers of legitimate devices are dealt with effectively.
According to a key distribution method provided by the invention, the key distribution method is applied to a key distributor and comprises the following steps: receiving a first calling signal sent by terminal equipment; sending activation request message data to the terminal equipment according to the first calling signal; receiving activation response message data which is sent by the terminal equipment and responds to the activation request message data; decrypting the activation response message data to obtain a ciphertext key; decrypting the ciphertext key to obtain a terminal key; and distributing the terminal key to the terminal device.
Preferably, the activation response message data includes: the ciphertext key, the key check value and the public key certificate.
Preferably, after receiving the activation response message data sent by the terminal device in response to the activation request message data, the method further includes: receiving a second calling signal sent by the terminal equipment; and storing the activation response message data according to the second calling signal.
Preferably, after receiving the activation response message data sent by the terminal device in response to the activation request message data, the method further includes: receiving a second calling signal sent by the terminal equipment; and storing the cipher text key according to the second calling signal.
Preferably, after receiving the activation response message data sent by the terminal device in response to the activation request message data, the method further includes: receiving a second calling signal sent by the terminal equipment; and storing the terminal key according to the second calling signal.
Preferably, before storing the activation response message data, the method further includes: randomly generating a protection factor, and generating a protection key through operation according to the activation request message data; and encrypting the activation response message data by adopting the protection key.
Preferably, before storing the ciphertext key, the method further includes: randomly generating a protection factor, and generating a protection key through operation according to the activation request message data; and encrypting the ciphertext key by adopting the protection key.
Preferably, before storing the terminal key, the method further comprises: randomly generating a protection factor, and generating a protection key through operation according to the activation request message data; and encrypting the terminal key by adopting the protection key.
Preferably, the activation request message data includes: the manufacturer code, the equipment identification and the dispersion times of the terminal equipment.
According to a key distribution method provided by the invention, the key distribution method is applied to terminal equipment and comprises the following steps: sending a first call signal to the key distributor; receiving activation request message data sent by the key distributor; sending the activation request message data to a trusted management platform; receiving activation response message data which is sent by the trusted management platform and responds to the activation request message data; sending a second call signal and the activation response message data to the key distributor; and receiving the terminal key distributed by the key distributor, wherein the activation response message data comprises: the ciphertext key, the key check value and the public key certificate, wherein the key check value is obtained by encrypting the secondary sub-key.
Preferably, the first call signal is used to call a first interface of the key distributor, and the activation request message data is transmitted through the first interface.
Preferably, the activation request message data includes: the manufacturer code, the equipment identification and the dispersion times of the terminal equipment.
Preferably, the second call signal is used to call a second interface of the key distributor, and the activation response message data is transmitted through the second interface.
According to the key distribution method provided by the invention, the key distribution method is applied to a trusted management platform and comprises the following steps: receiving activation request message data sent by terminal equipment; decrypting the message key by using a private key; decrypting the activation request message data with the message key; checking the validity of the activation request message data and verifying the validity of a public key of a key distributor; after the public key of the key distributor is verified to be legitimate, creating a public key certificate of the key distributor, storing the public key certificate, generating a ciphertext key, and generating a key check value according to the message key and the secondary sub-key; setting the state of the key distributor to an activated state; generating activation response message data in response to the activation request message data, the activation response message data including the ciphertext key, the key check value, and the public key certificate; and sending the activation response message data to the terminal equipment.
Preferably, generating the key check value according to the message key and the secondary sub-key comprises: encrypting the secondary sub-key by using the message key; and encrypting a group of hexadecimal data by using the secondary sub-key, and taking partial bytes of the encryption result as the key check value.
Preferably, the activation request message data includes: the manufacturer code, the equipment identification and the dispersion times of the terminal equipment.
Preferably, the private key and the key distributor public key are generated by a key distributor.
Preferably, the checking the validity of the activation request message data includes: checking the validity of the activation request message data according to the equipment identifier in the activation request message data.
Preferably, verifying the legitimacy of the key distributor public key comprises: the validity of the public key of the key distributor is verified by verifying the integrity of the signature data of the key distributor.
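The key check value step described above, shown end to end as an added example (not code from the patent): the platform side wraps a secondary sub-key under the message key and derives the check value, and the receiving side recomputes it before accepting the key. The cipher (XTEA in ECB mode as a stand-in, since the patent names none), the all-zero 8-byte check block, the 3-byte truncation, the function names and the receiver-side comparison are assumptions.

```python
import hmac
import struct

# Stand-in 64-bit block cipher (XTEA, big-endian words). Assumption: the
# patent does not name a cipher; any block cipher fits the same structure.
MASK, DELTA, ROUNDS = 0xFFFFFFFF, 0x9E3779B9, 32

def _xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def _xtea_decrypt_block(key: bytes, block: bytes) -> bytes:
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def _ecb(block_fn, key: bytes, data: bytes) -> bytes:
    # Block-by-block transform of a 16-byte key (two 8-byte blocks).
    return b"".join(block_fn(key, data[i:i + 8]) for i in range(0, len(data), 8))

KCV_INPUT = bytes(8)  # assumed "group of hexadecimal data": eight 0x00 bytes
KCV_LEN = 3           # assumed "partial bytes": the first three bytes

def key_check_value(key: bytes) -> bytes:
    """Encrypt the fixed block under `key` and keep the leading bytes."""
    return _xtea_encrypt_block(key, KCV_INPUT)[:KCV_LEN]

def platform_wrap(message_key: bytes, sub_key: bytes) -> tuple:
    """Platform side: (sub-key encrypted under the message key, check value)."""
    if len(message_key) != 16 or len(sub_key) != 16:
        raise ValueError("keys must be 16 bytes")
    return _ecb(_xtea_encrypt_block, message_key, sub_key), key_check_value(sub_key)

def distributor_unwrap(message_key: bytes, ciphertext_key: bytes, kcv: bytes) -> bytes:
    """Receiving side: decrypt, recompute the check value, reject on mismatch."""
    if len(message_key) != 16 or len(ciphertext_key) != 16 or len(kcv) != KCV_LEN:
        raise ValueError("malformed key material")
    sub_key = _ecb(_xtea_decrypt_block, message_key, ciphertext_key)
    # Constant-time comparison; a mismatch means a wrong message key or a
    # corrupted ciphertext key, so the recovered key must not be used.
    if not hmac.compare_digest(key_check_value(sub_key), kcv):
        raise ValueError("key check value mismatch: key rejected")
    return sub_key

def demo() -> dict:
    # Constructed sample keys, for illustration only.
    message_key = bytes(range(16))
    sub_key = bytes(range(16, 32))
    ciphertext_key, kcv = platform_wrap(message_key, sub_key)
    result = {"recovered_ok": distributor_unwrap(message_key, ciphertext_key, kcv) == sub_key}
    corrupted = bytes([ciphertext_key[0] ^ 0x01]) + ciphertext_key[1:]
    for name, args in (("wrong_message_key", (bytes(16), ciphertext_key, kcv)),
                       ("corrupted_ciphertext", (message_key, corrupted, kcv))):
        try:
            distributor_unwrap(*args)
            result[name] = "accepted"
        except ValueError:
            result[name] = "rejected"
    return result

if __name__ == "__main__":
    print(demo())
```

A truncated check value of this kind catches a wrong or corrupted key; at 3 bytes it is a 24-bit check and does not replace the signature and certificate verification the method also performs.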
According to the present invention, there is provided a key distribution system comprising: the terminal equipment is used for accessing the Internet of things according to the terminal key; the key distributor is used for storing the terminal key and distributing the terminal key to the terminal equipment; and the trusted management platform is used for generating the terminal key corresponding to the terminal equipment and encrypting the terminal key according to the secondary sub-key.
Preferably, the key distributor comprises: a service processing chip for distributing the terminal key to the terminal equipment; a security processing chip, connected to the service processing chip, for protecting the terminal key; and built-in hardware, connected to the service processing chip and the security processing chip respectively, for providing hardware support for the operation of the service processing chip and the security processing chip.
Preferably, the service processing chip includes: and the key algorithm module is used for generating a protection factor to protect the terminal key.
According to the present invention, there is provided a computer-readable storage medium storing computer instructions which, when executed, implement the key distribution method as described above, the key distribution method being applied to a key distributor.
According to the present invention, there is provided a computer-readable storage medium storing computer instructions which, when executed, implement the key distribution method as described above, the key distribution method being applied to a terminal device.
According to the present invention, there is provided a computer readable storage medium storing computer instructions, which when executed, implement the key distribution method as described above, and the key distribution method is applied to a trusted management platform.
According to the present invention, there is provided an electronic apparatus comprising: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to execute the key distribution method described above, which is applied to a key distributor.
According to the present invention, there is provided an electronic apparatus comprising: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to execute the key distribution method described above, which is applied to a terminal device.
According to the present invention, there is provided an electronic apparatus comprising: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to execute the key distribution method, and the key distribution method is applied to a trusted management platform.
The invention has the following beneficial effects: compared with a traditional key embedded in a chip, the terminal key generated by the key distribution system of the invention is an encrypted ciphertext, and a secondary sub-key is generated, so that efficiency is improved and flexibility is increased; meanwhile, a service processing chip and a security processing chip are adopted to make the distribution process of the key distributor safer and more stable;
the private key of the platform is used to decrypt and obtain the message key and to generate the certificate, so that the identities of the two parties can be verified and the signature result cannot be tampered with, which prevents secure data from being obtained using legitimate identifiers and counterfeit identities;
the terminal key is stored in the key distributor as ciphertext, and the protection factor is generated by the key algorithm module, so that the risk of plaintext snooping is avoided.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent from the following description of the embodiments of the present invention with reference to the accompanying drawings.
FIG. 1 is a block diagram illustrating the structure of a key distribution system provided by an implementation of the present invention;
FIG. 2 illustrates a flow chart of a key distribution method provided by an implementation of the present invention;
FIG. 3 shows a flow chart of a key distribution method provided by an implementation of the present invention.
Detailed Description
To facilitate an understanding of the invention, the invention will now be described more fully with reference to the accompanying drawings. Preferred embodiments of the present invention are shown in the drawings. The invention may, however, be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
The present invention will be described in detail below with reference to the accompanying drawings.
Fig. 1 shows a block diagram of a key distribution system provided in the implementation of the present invention.
As shown in fig. 1, the key distribution system may be applied to devices accessing the Internet of Things, and includes a terminal device 100, a key distributor 200, and an IOT-TSM (Internet of Things-Trusted Service Manager) platform 300, hereinafter referred to as the trusted management platform.
The terminal device 100 is the entity that uses the terminal key, and is an intelligent device produced by a qualified manufacturer that has been verified on the platform. The manufacturer of the terminal device 100 is registered with the key distributor 200 and is a manufacturer with a certain production qualification. The trusted management platform 300 is configured to generate a terminal key for each terminal device 100. The key distributor 200 is configured to store the terminal key generated by the trusted management platform 300 and distribute the stored terminal key to the terminal device 100. The key distributor 200 transmits instructions between the trusted management platform 300 and the terminal device 100 through an agreed protocol, which includes a communication protocol and an instruction protocol customized to implement various functions. The terminal device 100 is configured to access the trusted management platform 300, i.e., the Internet of Things, according to the terminal key distributed by the key distributor, and to perform data communication with the trusted management platform 300.
Further, the key distributor 200 includes a service processing chip 210, a security processing chip 220, and built-in hardware 230. The service processing chip 210 is configured to distribute the terminal key to the terminal device 100; the security processing chip 220 is connected to the service processing chip 210 and is used for protecting the terminal key; the built-in hardware 230 is connected to the service processing chip 210 and the security processing chip 220, respectively, to provide hardware support for the operation of the service processing chip 210 and the security processing chip 220.
Further, the security processing chip 220 includes a key algorithm module for generating a protection factor to protect the terminal key and prevent the plaintext from being snooped.
In this embodiment, the service processing chip 210 and the security processing chip 220 are used to make the key distribution process more secure and stable.
Fig. 2 shows a flow chart of a key distribution method provided by the implementation of the present invention.
As shown in fig. 2, the key distribution method is applicable to the terminal device 100, the key distributor 200, and the trusted management platform 300.
When the key distribution method is applied to the key distributor 200, it includes performing steps S11 to S15:
in step S11, a first call signal transmitted by the terminal device is received.
In this step, the first interface of the key distributor 200 is called by the terminal device 100, and the key distributor 200 receives the first call signal transmitted by the terminal device 100 according to the called first interface.
In step S12, activation request message data is sent to the terminal device according to the first call signal.
In this step, when the key distributor 200 receives the first call signal, the key distributor 200 generates an activation request message data and sends the activation request message data to the terminal device 100 through the called first interface.
Further, the activation request message data includes the manufacturer code, the device identifier, and the dispersion times of the terminal device 100.
Further, key distributor 200 generates and stores a public-private key pair: a public key and a private key, the private key being sent to the trusted management platform 300. In the transmitted activation request message data, the message data is encrypted by the message key, and at the same time, the message key is encrypted by the public key.
In step S13, the second call signal and the activation response message data sent by the terminal device are received.
In this step, the second interface of the key distributor 200 is called by the terminal device 100, and the key distributor 200 receives a second call signal and activation response message data sent by the terminal device 100 according to the called second interface, where the activation response message data is message data responding to the activation request message data.
Further, the content of the activation response message data includes: the ciphertext key, the key check value and the public key certificate.
In step S14, the activation response message data is decrypted and the secure storage is activated according to the second call signal.
In this step, when the key distributor 200 receives the second call signal, the key distributor 200 may respond to the activation response message data received at the same time, and at this time, the key distributor 200 is in the activation state, decrypts the received activation response message data according to the message key to obtain the ciphertext key in the activation response message data, and decrypts the ciphertext key to obtain the terminal key.
Optionally, the key distributor 200 securely stores at least one of the activation response message data, the ciphertext key, and the terminal key.
Further, when storing the activation response message data, the key algorithm module in the key distributor 200 randomly generates a protection factor, and generates a protection key through operation according to the manufacturer code, the device identifier, and the dispersion number of the terminal device 100 in the activation request message data, and at the same time, encrypts the activation response message data using the protection key and stores the encrypted activation response message data.
When the ciphertext key is stored, the key algorithm module in the key distributor 200 randomly generates a protection factor, generates a protection key through operation according to the manufacturer code, the device identifier, and the dispersion times of the terminal device 100 in the activation request message data, encrypts the ciphertext key by using the protection key, and stores the encrypted ciphertext key.
When the terminal key is stored, the key algorithm module in the key distributor 200 randomly generates a protection factor, generates a protection key through operation according to the manufacturer code, the device identifier and the dispersion times of the terminal device 100 in the activation request message data, encrypts the terminal key by using the protection key, and then stores the encrypted terminal key, thereby preventing the terminal key from being snooped in plaintext.
In step S15, the terminal key is transmitted to the terminal device.
In this step, the key distributor 200 transmits the terminal key to the terminal device 100, so that the terminal device 100 performs data communication with the internet of things according to the distributed terminal key.
In one possible embodiment, the first interface and the second interface are herein different interfaces.
In another possible embodiment, the first interface and the second interface are herein the same interface.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the key distribution method when executing the computer program.
Based on the above method, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program for executing the key distribution method.
When the key distribution method is applied to the terminal device 100, the steps S21 to S26 are performed:
in step S21, a first call signal is sent to the key distributor.
In this step, when the terminal device 100 first accesses the internet of things, a first interface of the key distributor 200 is called, and a first calling signal is sent to the key distributor 200 through the called first interface.
In step S22, activation request message data sent by the key distributor is received.
In this step, the terminal device 100 receives activation request message data sent by the key distributor 200 through the invoked first interface.
Further, the activation request message data includes a manufacturer code, a device identifier, and a dispersion number of the terminal device.
In step S23, the activation request message data is sent to the trusted management platform.
In this step, when the terminal device 100 acquires the activation request message data, the activation request message data is sent to the trusted management platform 300.
In step S24, activation response message data sent by the trusted management platform is received.
In this step, after the data content of the activation request message data is verified to be legitimate and the public key of the key distributor 200 is verified to be legitimate, the terminal device 100 receives the activation response message data sent by the trusted management platform 300. The activation response message data is message data in response to the activation request message data.
In step S25, the second call signal and the activation response message data are sent to the key distributor.
In this step, when the terminal device 100 receives the activation response message data, the second interface of the key distributor 200 is called, and simultaneously, the second call signal and the received activation response message data are sent to the key distributor 200 through the called second interface.
In step S26, the terminal key distributed by the key distributor is received.
In this step, the terminal device 100 receives the terminal key distributed by the key distributor 200, and accesses the internet of things device for data communication according to the terminal key.
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the key distribution method when executing the computer program.
Based on the above method, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program for executing the key distribution method.
When the key distribution method is applied to the trusted management platform, the method includes executing step S31 to step S38:
in step S31, the activation request message data sent by the terminal device is received.
In this step, the trusted management platform 300 receives activation request message data sent by the terminal device 100.
Further, the activation request message data is encrypted by the message key, while the message key is encrypted by the public key of the key distributor 200.
In step S32, the message key is decrypted with the private key.
In this step, the trusted management platform 300 decrypts the encrypted message key by using the private key sent by the key distributor 200, thereby obtaining the message key.
In step S33, the activation request message data is decrypted with the message key.
In this step, the trusted management platform 300 decrypts the activation request message data generated by the terminal device 100 by using the message key obtained in step S32, so as to obtain the specific content of the message data.
Further, the content of the activation request message data includes a manufacturer code, a device identifier, and a dispersion number of the terminal device.
In step S34, the validity of the activation request message data is checked and the validity of the key distributor public key is verified.
In this step, the trusted management platform 300 checks the validity of the message data using the device identification in the message data.
Further, the trusted management platform 300 verifies that the public key of the key distributor 200 is legitimate by verifying the integrity of the data signed by the key distributor 200. For example, the message key is signed with the private key to obtain corresponding signature data, the signature data is then verified with the public key, and if the verification passes, the public key is legitimate.
The private key and the public key can be used to verify the legitimacy of both the trusted management platform 300 and the key distributor 200.
In step S35, when the public key of the key distributor is verified to be legal, a public key certificate is created, the public key certificate is saved, and a ciphertext key and a key check value are generated.
In this step, after the public key of the key distributor 200 is verified to be legal, the trusted management platform 300 may generate a public key certificate, a ciphertext key, and a key check value of the key distributor 200.
Further, the trusted management platform 300 generates a secondary sub-key corresponding to the key distributor 200 from the manufacturer code, the device identifier, and the dispersion number of the terminal device carried in the activation request message data. It then ECB-encrypts the secondary sub-key with the message key, and encrypts a set of hexadecimal data, such as '0x00', with the secondary sub-key.
Further, a part of bytes of the encryption result, such as the first 3 bytes, is selected as the key check value.
The private key of the platform is used to decrypt the message key and to generate the certificate, so that the identities of both parties can be verified, the signature result cannot be tampered with, and the use of a legitimate identifier with a counterfeit identity to obtain security data is avoided.
In step S36, the key distributor state is set to the active state.
In this step, after the message data and the public key of the key distributor 200 are both verified to be legal, the trusted management platform 300 sets the state of the key distributor 200 to the activated state.
In step S37, the activation response message data is organized.
In this step, after the state of the key distributor 200 is set to the active state, the trusted management platform 300 organizes and generates a corresponding activation response message.
Further, the content of the activation response message includes: cipher text key, key check value and public key certificate.
In step S38, activation response message data is sent to the terminal device.
In this step, after the trusted management platform 300 generates the corresponding activation response message data, it sends the generated data to the terminal device 100 in the agreed format.
Optionally, the message sending format is agreed jointly by the trusted management platform 300 and the terminal device 100; no fixed format is required, and many are possible. For example, the activation response message may be sent in the following format:
4B10 + ciphertext key (SSauthKey) + 3-byte check value + 4C10 + ciphertext key (SSmacKey) + 3-byte check value + 4D10 + ciphertext key (SSdekKey) + 3-byte check value + 48 + key distributor public key certificate length + key distributor public key certificate.
In this embodiment, the generated ciphertext key is the encrypted terminal key, which improves efficiency and increases flexibility compared to the conventional key embedded in a chip.
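The key check value rule from step S35 and the response format above, as an added Go example that is not part of the patent: the platform side wraps three sub-keys under the message key, and the key distributor side parses the message and rejects it when a recomputed check value differs. Assumptions: AES-128 as the block cipher (the text says only ECB), `10` read as a one-byte length of 16, a 2-byte big-endian certificate length, and all function names and sample values, which are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed reading of the format line: a slot is tag (4B/4C/4D), length 0x10,
// 16-byte ciphertext key, 3-byte check value. AES-128 is also an assumption.
var slotTags = [3]byte{0x4B, 0x4C, 0x4D} // SSauthKey, SSmacKey, SSdekKey
const slotLen = 2 + 16 + 3

// KCV encrypts one block of 0x00 bytes under key and keeps the first 3 bytes.
func KCV(key []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, out) // in-place encryption of the all-zero block
	return out[:3], nil
}

// BuildResponse (platform side) wraps each sub-key under the message key.
func BuildResponse(msgKey []byte, subKeys [3][]byte, cert []byte) ([]byte, error) {
	wrap, err := aes.NewCipher(msgKey)
	if err != nil || len(cert) > 0xFFFF {
		return nil, errors.New("bad message key or certificate too long")
	}
	var b bytes.Buffer
	for i, sk := range subKeys {
		kcv, err := KCV(sk)
		if err != nil || len(sk) != aes.BlockSize {
			return nil, errors.New("each sub-key must be 16 bytes")
		}
		ct := make([]byte, aes.BlockSize)
		wrap.Encrypt(ct, sk) // ECB over a single block is one raw cipher call
		b.Write(append(append([]byte{slotTags[i], 0x10}, ct...), kcv...))
	}
	b.Write(append([]byte{0x48, byte(len(cert) >> 8), byte(len(cert))}, cert...)) // assumed 2-byte length
	return b.Bytes(), nil
}

// ParseResponse (key distributor side) releases keys only if every check passes.
func ParseResponse(msgKey, msg []byte) ([3][]byte, []byte, error) {
	var keys, none [3][]byte
	unwrap, err := aes.NewCipher(msgKey)
	if err != nil || len(msg) < 3*slotLen+3 {
		return none, nil, errors.New("bad message key or truncated response")
	}
	for i := range keys {
		s := msg[i*slotLen : (i+1)*slotLen]
		k := make([]byte, aes.BlockSize)
		unwrap.Decrypt(k, s[2:18])
		kcv, _ := KCV(k) // cannot fail: k is always 16 bytes
		if s[0] != slotTags[i] || s[1] != 0x10 || subtle.ConstantTimeCompare(kcv, s[18:]) != 1 {
			return none, nil, fmt.Errorf("slot %X: bad header or check value mismatch", slotTags[i])
		}
		keys[i] = k
	}
	rest := msg[3*slotLen:]
	if rest[0] != 0x48 || len(rest) != 3+(int(rest[1])<<8|int(rest[2])) {
		return none, nil, errors.New("bad certificate field")
	}
	return keys, rest[3:], nil
}

func main() {
	k := func(b byte) []byte { return bytes.Repeat([]byte{b}, 16) } // constructed sample keys
	msg, _ := BuildResponse(k(0x11), [3][]byte{k(0xA1), k(0xA2), k(0xA3)}, []byte("constructed-cert"))
	keys, cert, err := ParseResponse(k(0x11), msg)
	fmt.Printf("%d bytes, SSauthKey=%X, cert=%q, err=%v\n", len(msg), keys[0], cert, err)
	msg[20] ^= 0x01 // corrupt the last check-value byte of the first slot
	_, _, err = ParseResponse(k(0x11), msg)
	fmt.Println("after corruption:", err)
}
```

A 3-byte check value detects a wrong message key or a corrupted slot, but it is not a cryptographic integrity tag for the message as a whole.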
The embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the key distribution method when executing the computer program.
Based on the above method, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program for executing the key distribution method.
Fig. 3 shows a flow chart of a key distribution method provided by an implementation of the present invention.
As shown in fig. 3, the key distribution method is applied to a key distribution system including a key distributor 200, a terminal device 100, and a trusted management platform 300. The method specifically comprises the following steps:
in step S01, the terminal device calls the key distributor interface to obtain activation request data, and sends the activation request data to the trusted management platform.
In step S02, after receiving the message, the trusted management platform decrypts the message key with the private key, and decrypts the activation request message data with the message key.
In step S03, the validity of the data is checked and the key distributor public key is verified.
In step S04, the internet of things device fails to access the network.
In step S05, the trusted management platform creates a public key certificate of the key distributor, stores the public key certificate, and generates a ciphertext key and a key check value.
In step S06, the trusted management platform sets the key distributor state to the activated state.
In step S07, the trusted management platform organizes the activation response message.
In step S08, the device calls the key distributor interface to securely store the activation response message.
In step S09, the key distributor decrypts the activation response message to obtain the terminal key, and distributes the terminal key to the device.
It should be noted that the device in the above description is a terminal device.
The present embodiment describes a flowchart of the interaction of the terminal device 100, the key distributor 200, and the trusted management platform 300. In step S03, if the data is found to be invalid or verification of the public key of the key distributor 200 fails, step S04 is executed. If the data is found to be legitimate and the public key of the key distributor 200 passes verification, step S05 is performed.
Further, step S01 corresponds to steps S11-S12 and steps S21-S23, steps S01-S07 correspond to steps S31-S37, and step S01 corresponds to steps S24-S25 and steps S13-S14; these are not described again.
It should be noted that, the key distributor 200 may also directly transmit the ciphertext key to the terminal device 100, and then decrypt the ciphertext key in the terminal device 100 to obtain the terminal key, thereby further reducing the risk of key transmission between the key distributor 200 and the terminal device 100.
In conclusion, the terminal key generated by the key distribution system is ciphertext that has undergone encryption processing, and a secondary sub-key is generated. Compared with a conventional key embedded in a chip, this improves efficiency and flexibility; in addition, a service processing chip and a security processing chip are used, so that the distribution process of the key distributor is more secure and more stable.
The private key of the platform is used to decrypt the message key and to generate the certificate, so that the identities of both parties can be verified, the signature result cannot be tampered with, and the use of a legitimate identifier with a counterfeit identity to obtain security data is avoided.
The terminal key is stored in the key distributor in ciphertext form, and the protection factor is generated by the key algorithm module, which avoids the risk of plaintext snooping.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
Finally, it should be noted that the above examples are given only to illustrate the present invention clearly and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. An exhaustive list of all embodiments is neither required nor given here. Obvious variations or modifications may be made without departing from the scope of the invention.

Claims (17)

1. A key distribution method, comprising:
sending, by the terminal device, a first call signal to the key distributor;
generating activation request message data by the key distributor according to the first calling signal;
the terminal equipment sends the activation request message data to a trusted management platform;
generating a cipher text key, a key check value and a public key certificate by the trusted management platform in response to the activation request message data;
setting the state of the key distributor to be an activation state by the trusted management platform, and generating activation response message data, wherein the activation response message data comprises the ciphertext key, the key check value and the public key certificate;
sending, by the terminal device, a second call signal and the activation response message data to the key distributor;
decrypting, by the key distributor, the activation response message data according to the second call signal to obtain the ciphertext key;
decrypting, by the key distributor, the ciphertext key to obtain a terminal key; and
distributing, by the key distributor, the terminal key to a terminal device.
2. The key distribution method according to claim 1, wherein the key distributor, after receiving the second invocation signal and the activation response message data, further comprises:
and storing the activation response message data according to the second calling signal.
3. The key distribution method according to claim 1, wherein the key distributor, after obtaining the ciphertext key, further comprises:
and storing the cipher text key according to the second calling signal.
4. The key distribution method according to claim 1, wherein the key distributor, after obtaining the terminal key, further comprises:
and storing the terminal key according to the second calling signal.
5. The key distribution method of claim 2, wherein the key distributor, prior to storing the activation response message data, further comprises:
randomly generating a protection factor, and generating a protection key through operation according to the activation request message data;
and encrypting the activation response message data by adopting the protection key.
6. The key distribution method according to claim 3, wherein the key distributor, before storing the ciphertext key, further comprises:
randomly generating a protection factor, and generating a protection key through operation according to the activation request message data;
and encrypting the ciphertext key by adopting the protection key.
7. The key distribution method according to claim 4, wherein the key distributor further comprises, before storing the terminal key:
randomly generating a protection factor, and generating a protection key through operation according to the activation request message data;
and encrypting the terminal key by adopting the protection key.
8. The key distribution method according to any of claims 1-7, wherein the activation request message data comprises: the manufacturer code, the device identifier, and the dispersion number of the terminal device.
9. The key distribution method of claim 8, wherein generating, by the trusted management platform, the ciphertext key, the key check value, and the public key certificate in response to the activation request message data comprises:
decrypting the message key by using a private key;
decrypting the activation request message data with the message key;
checking the validity of the activation request message data and verifying the validity of a public key of a key distributor;
and after the public key of the key distributor is verified to be legal, manufacturing a public key certificate of the key distributor, storing the public key certificate, generating a ciphertext key, and generating a key check value according to the message key and the secondary subkey.
10. The key distribution method of claim 9, wherein generating the key check value according to the message key and the secondary subkey comprises:
encrypting the secondary sub-key by using the message key;
and encrypting a group of hexadecimal data by using the secondary sub-key, and taking part of bytes of an encryption result as a key check value.
11. The key distribution method of claim 9, wherein checking the validity of the activation request message data comprises:
and checking the validity of the activation request message data according to the equipment identifier in the activation request message data.
12. The key distribution method of claim 9, wherein verifying the validity of the key distributor public key comprises:
the public key of the key distributor is verified to be legitimate by verifying the integrity of the key distributor signature data.
13. A key distribution system, comprising:
the terminal equipment is used for accessing the Internet of things according to the terminal key;
the key distributor is used for storing the terminal key and distributing the terminal key to the terminal equipment; and
a trusted management platform for generating the terminal key corresponding to the terminal device and encrypting the terminal key,
when the key is distributed, the terminal device sends a first calling signal to the key distributor, the key distributor generates activation request message data according to the first calling signal, and the activation request message data are sent to the trusted management platform through the terminal device; the trusted management platform responds to the activation request message data to generate a cipher text key, a key check value and a public key certificate, sets the state of the key distributor to be an activation state, and generates activation response message data according to the cipher text key, the key check value and the public key certificate; and the terminal equipment sends a second calling signal and the activation response message data to the key distributor, and triggers the key distributor to decrypt the activation response message data according to the second calling signal and then sends a terminal key to the terminal equipment.
14. The key distribution system of claim 13, wherein the key distributor comprises:
the service processing chip is used for distributing the terminal key to the terminal equipment;
the safety processing chip is connected with the service processing chip and used for providing protection for the terminal key; and
and the built-in hardware is respectively connected with the business processing chip and the safety processing chip and is used for providing hardware support for the operation of the business processing chip and the safety processing chip.
15. The key distribution system of claim 14, wherein the traffic processing chip comprises:
and the key algorithm module is used for generating a protection factor to protect the terminal key.
16. A computer-readable storage medium, characterized in that it stores computer instructions that, when executed, implement the key distribution method of any of claims 1 to 12.
17. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the key distribution method of any one of claims 1 to 12.
CN201911104925.XA 2019-11-13 2019-11-13 Key distribution method, key distribution system, and computer-readable storage medium Active CN111082928B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911104925.XA CN111082928B (en) 2019-11-13 2019-11-13 Key distribution method, key distribution system, and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911104925.XA CN111082928B (en) 2019-11-13 2019-11-13 Key distribution method, key distribution system, and computer-readable storage medium

Publications (2)

Publication Number Publication Date
CN111082928A CN111082928A (en) 2020-04-28
CN111082928B true CN111082928B (en) 2023-03-17

Family

ID=70310933

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911104925.XA Active CN111082928B (en) 2019-11-13 2019-11-13 Key distribution method, key distribution system, and computer-readable storage medium

Country Status (1)

Country Link
CN (1) CN111082928B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103475624A (en) * 2012-06-06 2013-12-25 中兴通讯股份有限公司 Internet of Things key management center system, key distribution system and method
CN107493167B (en) * 2016-06-13 2021-01-29 广州江南科友科技股份有限公司 Terminal key distribution system and terminal key distribution method thereof
CN107948183B (en) * 2017-12-06 2021-02-02 深圳数字电视国家工程实验室股份有限公司 Key distribution method and system suitable for Internet of things

Also Published As

Publication number Publication date
CN111082928A (en) 2020-04-28


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20211129

Address after: Room 501, Jinqian block, 10 Hongyi Road, Xinwu District, Wuxi City, Jiangsu Province, 214028

Applicant after: Wuxi rongka Technology Co.,Ltd.

Address before: 430000 No. 2-1, floor 4, zone 3, 3S geospatial information industry base, Wuda Science Park, Wuhan East Lake New Technology Development Zone, Wuhan City, Hubei Province

Applicant before: WUHAN RONGCARD INTELLIGENT INFORMATION TECHNOLOGY CO.,LTD.

GR01 Patent grant