CN111901098A - Method, system and readable storage medium for managing key - Google Patents


Info

Publication number
CN111901098A
Authority
CN
China
Prior art keywords
key
information
target slave
host
initial key
Legal status
Granted
Application number
CN201910372776.9A
Other languages
Chinese (zh)
Other versions
CN111901098B (en)
Inventor
王一豪
叶长
Current Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Application filed by Hangzhou Hikvision Digital Technology Co Ltd
Priority to CN201910372776.9A
Publication of CN111901098A
Application granted
Publication of CN111901098B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W52/00 Power management, e.g. TPC [Transmission Power Control], power saving or power classes
    • H04W52/02 Power saving arrangements
    • H04W52/0209 Power saving arrangements in terminal devices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The application discloses a method, a system and a readable storage medium for managing keys, belonging to the technical field of wireless transmission. The method comprises the following steps: the host end receives the update information sent by the target slave end and determines whether the initial key needs to be updated according to the update information; if the initial key needs to be updated, acquiring a new key based on the updating information; and sending the new key to the target slave end so that the target slave end replaces the initial key with the new key to complete key management. According to the method and the device, whether the initial key needs to be updated or not is determined through the updating information sent by the target slave end, so that the process that the host end sends a wake-up instruction to the slave end is omitted, and the power consumption required for updating the initial key is reduced.

Description

Method, system and readable storage medium for managing key
Technical Field
The present application relates to the field of wireless transmission technologies, and in particular, to a method, a system, and a readable storage medium for managing a key.
Background
In wireless transmission technology, a signal carrying information needs to be encrypted with a key to avoid information leakage while the signal is transmitted. How the key is managed is therefore central to the security of wireless transmission.
The related art provides a method for managing a key, in which an initial key is first obtained through negotiation between a host end and a slave end. The host end then sends a wake-up instruction to the slave end and, after receiving the response information that the slave end returns for the wake-up instruction, sends a new key to the slave end so that the slave end replaces the initial key with the new key, thereby completing the update of the initial key.
It can be seen that, in the related art, the initial key can be updated only after the host end sends a wake-up instruction to the slave end, so the power consumption required by the related art is high.
Summary of the Application
The embodiment of the application provides a method, a system, a device, equipment and a readable storage medium for managing a key, so as to solve the problem of high power consumption required by the related technology. The technical scheme is as follows:
in one aspect, a method for managing keys is provided, the method including:
the host receives the update information sent by the target slave, and determines whether the initial key needs to be updated according to the update information;
if the initial key needs to be updated, acquiring a new key based on the updating information;
and sending the new key to the target slave end so that the target slave end replaces the initial key with the new key.
Optionally, the determining whether the initial key needs to be updated according to the update information includes:
and if the number of times the update information has been received is not less than the reference number of times, determining that the initial key needs to be updated.
Optionally, the update information comprises a rolling code;
the obtaining a new key based on the update information includes:
and calculating the rolling code according to a reference mode to obtain a calculation result, and taking the calculation result as the new key.
Optionally, the receiving, by the host, the update information sent by the target slave, includes:
and the host end receives an update package sent by the target slave end, wherein the update package carries the update information.
Optionally, after sending the new key to the target slave end, the method further includes:
receiving reply information aiming at the new key sent by the target slave end;
and if the reply message is not the message encrypted by the new key, the new key is sent to the target slave terminal again.
Optionally, before the host receives the update information sent by the target slave, the method further includes:
acquiring a sequence number, and taking a slave end indicated by the sequence number as the target slave end;
and acquiring the initial key based on the target slave end.
Optionally, the obtaining the initial key based on the target slave side includes:
sending host key information to the target slave terminal, wherein the host key information comprises the product of a host numerical value and a base point, and the base point is any point on a reference elliptic curve;
receiving slave key information sent by the target slave end, wherein the slave key information comprises a product of a slave numerical value and the base point;
and acquiring the product of the host numerical value and the slave key information based on the reference elliptic curve, and taking the product of the host numerical value and the slave key information as the initial key.
Optionally, after obtaining the initial key based on the target slave side, the method further includes:
sending registration information to the target slave terminal, wherein the registration information comprises host information encrypted according to the initial key;
receiving response information aiming at the registration information sent by the target slave end, wherein the response information comprises slave information encrypted according to the initial key;
and decrypting the response message according to the initial key to complete the registration with the target slave end.
In one aspect, a system for managing keys is provided, the system comprising:
the host side is used for receiving the updating information sent by the target slave side and determining whether the initial key needs to be updated according to the updating information; if the initial key needs to be updated, acquiring a new key based on the updating information; sending the new key to the target slave;
and the target slave end is used for sending update information to the host end, receiving a new key sent by the host end and replacing the initial key with the new key.
Optionally, the host is configured to determine that the initial key needs to be updated if the number of times of receiving the update information is not less than the reference number of times.
Optionally, the update information comprises a rolling code; and the host end is used for calculating the rolling code according to a reference mode to obtain a calculation result, and the calculation result is used as the new key.
Optionally, the host side is configured to receive an update package sent by the target slave side, where the update package carries the update information.
Optionally, the host side is further configured to receive reply information for the new key sent by the target slave side; and if the reply message is not the message encrypted by the new key, the new key is sent to the target slave terminal again.
Optionally, the host side is further configured to obtain a sequence number, and use a slave side indicated by the sequence number as the target slave side; and acquiring the initial key based on the target slave end.
Optionally, the host side is configured to send host key information to the target slave side, where the host key information includes a product of a host numerical value and a base point, and the base point is any point on a reference elliptic curve; receiving slave key information sent by the target slave end, wherein the slave key information comprises a product of a slave numerical value and the base point; and acquiring the product of the host numerical value and the slave key information based on the reference elliptic curve, and taking the product of the host numerical value and the slave key information as the initial key.
Optionally, the host side is further configured to send registration information to the target slave side, where the registration information includes host information encrypted according to the initial key; receiving response information aiming at the registration information sent by the target slave end, wherein the response information comprises slave information encrypted according to the initial key; and decrypting the response message according to the initial key to complete the registration with the target slave end.
In one aspect, an apparatus for managing keys is provided, the apparatus including:
the receiving module is used for receiving the updating information sent by the target slave end by the host end;
the determining module is used for determining whether the initial key needs to be updated according to the updating information;
a first obtaining module, configured to obtain a new key based on the update information if the initial key needs to be updated;
a first sending module, configured to send the new key to the target slave end, so that the target slave end replaces the initial key with the new key.
Optionally, the determining module is configured to determine that the initial key needs to be updated if the number of times of receiving the update information is not less than the reference number of times.
Optionally, the update information comprises a rolling code;
and the first obtaining module is used for calculating the rolling code according to a reference mode to obtain a calculation result, and the calculation result is used as the new key.
Optionally, the receiving module is configured to receive, by the host, an update package sent by the target slave, where the update package carries the update information.
Optionally, the apparatus further comprises:
the second sending module is used for receiving reply information aiming at the new key sent by the target slave terminal; and if the reply message is not the message encrypted by the new key, the new key is sent to the target slave terminal again.
Optionally, the apparatus further comprises:
a second obtaining module, configured to obtain a sequence number, and use a slave end indicated by the sequence number as the target slave end; and acquiring the initial key based on the target slave end.
Optionally, the second obtaining module is configured to send host key information to the target slave, where the host key information includes a product of a host numerical value and a base point, and the base point is any point on a reference elliptic curve; receiving slave key information sent by the target slave end, wherein the slave key information comprises a product of a slave numerical value and the base point; and acquiring the product of the host numerical value and the slave key information based on the reference elliptic curve, and taking the product of the host numerical value and the slave key information as the initial key.
Optionally, the apparatus further comprises:
the registration module is used for sending registration information to the target slave terminal, wherein the registration information comprises host information encrypted according to the initial key; receiving response information aiming at the registration information sent by the target slave end, wherein the response information comprises slave information encrypted according to the initial key; and decrypting the response message according to the initial key to complete the registration with the target slave end.
In one aspect, an apparatus for managing keys is provided, the apparatus comprising a memory and a processor; the memory stores at least one instruction, and the at least one instruction is loaded and executed by the processor to implement the method for managing keys provided by the embodiment of the application.
In another aspect, a readable storage medium is provided, where at least one instruction is stored, and the instruction is loaded and executed by a processor to implement the method for managing a key provided in this application.
The beneficial effects brought by the technical scheme provided by the embodiment of the application at least comprise:
according to the embodiment of the application, whether the initial key needs to be updated or not is determined through the updating information sent by the target slave end, so that the process that the host end sends a wake-up instruction to the slave end is omitted, and the power consumption required for updating the initial key is reduced.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present application;
FIG. 2 is a flow chart of a method for managing keys provided by an embodiment of the present application;
FIG. 3 is a diagram of a package format provided by an embodiment of the present application;
FIG. 4 is a diagram of a package format provided by an embodiment of the present application;
FIG. 5 is an interaction diagram for managing keys provided by embodiments of the present application;
FIG. 6 is a schematic diagram of a reference elliptic curve provided by an embodiment of the present application;
FIG. 7 is a diagram of a package format provided by an embodiment of the present application;
FIG. 8 is an interaction diagram for managing keys provided by embodiments of the present application;
FIG. 9 is an interaction diagram for managing keys provided by embodiments of the present application;
FIG. 10 is a schematic structural diagram of an apparatus for managing a key according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
In wireless transmission technology, the path over which signals are transmitted between two end devices is called a channel. Because the channel is wireless, it may be intercepted or interfered with by a third party other than the two end devices, and the signal transmitted over it may be captured, causing the information carried by the signal to leak.
Therefore, the signal carrying the information needs to be encrypted with a key, so that even if a third party captures the encrypted signal, it cannot decrypt it, that is, it cannot obtain the information the signal carries, and information leakage is avoided. How the key is managed is therefore central to the security of wireless transmission.
The related art provides a method for managing a key, which can be applied to wireless transmission between a host end and a slave end. The method is as follows: first, an initial key is obtained through negotiation between the host end and the slave end. The host end then sends a wake-up instruction to the slave end and, after receiving the response information that the slave end returns for the wake-up instruction, sends a new key to the slave end so that the slave end replaces the initial key with the new key, thereby completing the update of the initial key.
However, in the related art, a wake-up command needs to be sent from the host to the slave, and the initial key can be updated after the response message returned from the slave is received. Therefore, in the related art, the number of interactions between the host side and the slave side is large, and the process of updating the initial key is complex, so that the power consumption required by the related art is high.
The embodiment of the application provides a method for managing a key, which can be applied in the implementation environment of a wireless alarm system as shown in fig. 1. The wireless alarm system is used for alarm detection and consists of one or more slave ends 11, a host end 12 and a client end 13. In fig. 1, the slave end 11 may be communicatively connected with the host end 12 to interact with the host end 12 through sub-G wireless transmission. In addition, the host end 12 is communicatively connected with the client end 13 through a wired or mobile network to interact with the client end 13.
The slave end 11 includes a wireless detector, a wireless auxiliary device and a wireless output device, and the host end 12 includes an alarm host. The wireless detector comprises a displacement detector, an emergency button, an infrared detector, a door magnet, a smoke-sensitive gas-sensitive detector and a temperature-sensitive water-immersed detector. The wireless auxiliary device comprises a repeater and a remote controller, and the wireless output device comprises a wireless alarm signal and a wireless alarm lamp. The host end 12 obtains the detection result of the wireless detector via the wireless auxiliary device, determines from the detection result whether to control the wireless output device to give a sound and light warning, and sends the detection result to the client end 13. Since the slave end 11 may be battery powered, wireless transmission has to keep power consumption low without sacrificing security.
Those skilled in the art should understand that the above-mentioned wireless alarm system is only an example, and the method provided in the embodiment of the present application may be applied to other wireless alarm systems besides the wireless alarm system shown in fig. 1, or other systems with key management requirements, which is not limited in the embodiment of the present application.
Based on the implementation environment shown in fig. 1, referring to fig. 2, an embodiment of the present application provides a method for managing a key, which can be applied to the host 12 shown in fig. 1. As shown in fig. 2, the method includes:
Step 201, the host end receives the update information sent by the target slave end, and determines whether the initial key needs to be updated according to the update information.
The target slave end is a slave end that can switch between a sleep state and an awake state. When the target slave end in the sleep state is woken, it switches to the awake state, and in the awake state it can send update information to the host end. The host end receives the update information sent by the target slave end and uses it to determine whether the initial key needs to be updated.
In this embodiment, the update information includes, but is not limited to, heartbeat information of the target slave end. In wireless transmission, if no information is being transmitted between the host end and the target slave end, the target slave end stays in the sleep state to avoid wasting power. While in the sleep state, the target slave end can wake up automatically at regular intervals and actively report to the host end information indicating that it is operating normally; this information is the heartbeat information.
This embodiment therefore makes use of the periodic automatic wake-up of the target slave end and treats the heartbeat information it sends as the update information, so that the host end can determine from the heartbeat information whether the initial key needs to be updated. In the related art, by contrast, the host end must first send a wake-up instruction to the target slave end to wake it from the sleep state before the initial key can be updated; this embodiment omits that step.
Of course, besides heartbeat information, the update information may also be other information actively reported by the target slave end in the awake state, or other information that the target slave end in the sleep state reports after periodically waking up automatically; in either case the step of sending the wake-up instruction can be omitted.
It should be noted that the initial key is a key obtained by negotiation for the first time after the host side is in communication connection with the target slave side. After the initial key is obtained and before the initial key is updated, the host end and the target slave end can transmit information through the initial key. When information is transmitted, one party serving as a sending end encrypts original information according to an initial key to obtain encrypted information and sends the encrypted information to the other party serving as a receiving end; the other party as the receiving end also decrypts the encrypted information according to the initial key, and restores the encrypted information to the original information, thereby completing information transmission. For example, the update information received by the host side and transmitted by the target slave side is encrypted by the initial key.
In this embodiment, the host end uses the update information to determine when the initial key is to be updated, so as to ensure the security of information transmission. Optionally, determining whether the initial key needs to be updated according to the update information includes: if the number of times the update information has been received is not less than the reference number of times, determining that the initial key needs to be updated.
After the initial key is obtained, the target slave end sends update information encrypted with the initial key to the host end once every reference time, and the host end can indirectly determine how long the initial key has been in use from the cumulative number of times it has received update information. If the number of times the host end has received the update information is not less than the reference number of times, the initial key has been in use long enough, and it can be determined that the initial key needs to be updated.
It should be noted that the shorter the reference time between two transmissions of update information by the target slave end, that is, the more frequently the target slave end sends update information, the more opportunities the host end has to determine whether the initial key needs to be updated, which ensures that the initial key can be updated in time. The reference time may be selected empirically and is not limited in this embodiment.
Besides the number of times the update information has been received, the host end may also obtain the time interval between the point in time at which the update information is received and the point in time at which the initial key was acquired, and determine from this interval whether the initial key needs to be updated. The host end is configured with a reference interval that indicates when the initial key needs to be updated; for any received update information, if the difference between the time interval and the reference interval is not greater than a threshold, it can be determined that the initial key needs to be updated.
Further, if no update information has been received once the reference interval has been exceeded, the initial key can be updated by falling back on the related-art approach in which the host end sends a wake-up instruction to the target slave end, which ensures that the initial key is still updated in time. Whereas the related art has the host end wake the target slave end every time the initial key is updated, this scheme has the host end wake the target slave end only when no update information has been received after the reference interval has been exceeded; in all other cases the key update is driven by the update information. The host end therefore wakes the target slave end less often, the number of interactions is still reduced, and power consumption is lowered.
Optionally, the host end receives the update information sent by the target slave end as follows: the host end receives an update package sent by the target slave end, and the update package carries the update information. The update package that the target slave end sends to the host end can likewise be encrypted with the initial key. After receiving the update package, the host end can parse it to obtain the update information it carries.
After determining whether the initial key needs to be updated according to the update information, if the result is that the initial key does not need to be updated, the host end continues to wait for the next update information from the target slave end and, on receiving it, again determines whether the initial key needs to be updated in the manner described above. If the result is that the initial key needs to be updated, the host end is triggered to acquire a new key.
Step 202, if the initial key needs to be updated, a new key is obtained based on the update information.
In this embodiment, if the initial key needs to be updated, the host end obtains a new key based on the received update information. Optionally, the update information includes a rolling code, and obtaining a new key based on the update information includes: performing a calculation on the rolling code according to a reference mode to obtain a calculation result, and using the calculation result as the new key.
The rolling code is explained next. A rolling code is a numeric code that accumulates as it rolls forward. When information is transmitted between the host end and the target slave end, the party acting as the sending end sends the rolling code together with the information to be transmitted to the party acting as the receiving end; once the receiving end has received the rolling code, the rolling code is synchronized at both ends. For the next transmission, the party acting as the sending end increases the value of the currently synchronized rolling code and then sends it as described above.
For example, with the target slave end as the sending end, the target slave end sends rolling code 1 and the information to be transmitted to the host end; after the host end receives rolling code 1, both ends are synchronized on rolling code 1. For the next transmission, with the host end as the sending end, the host end increases the value of the currently synchronized rolling code 1, for example by 1 to give 2, and sends rolling code 2 and the information to be transmitted to the target slave end; once the target slave end receives it, rolling code 2 is synchronized. This synchronization process can be repeated many times.
It can be seen that the rolling code value increases over the successive synchronizations, that is, the rolling code used for each information transmission is unique. This embodiment can therefore obtain the new key from the rolling code: a calculation is performed on the rolling code according to the reference mode, and the calculation result, which is likewise unique, is used as the new key, so that the security of the new key is strong. The reference mode includes, but is not limited to, a pseudo-random algorithm.
Both the update information and the rolling code can be carried by the update package, whose format is shown in fig. 3. The update package consists of a data header and a data body. The data header includes package information and sequence numbers. The package information is the communication protocol information used for communication between the host end and the target slave end; the sequence numbers comprise the host end sequence number and the target slave end sequence number and identify the source and destination of the update package.
The data body is the data segment that carries the update information; it consists of the update information, the rolling code and a reserved segment. The update information has been described above and is not described again here. If the value of the rolling code grows over many transmissions so that the number of bytes it occupies exceeds the reference byte length, the rolling code can be re-initialized to reduce the bytes it occupies and keep the rolling code usable. The reserved segment is a blank data segment that can carry a reference communication protocol defined by the target slave end. If the reserved segment carries the reference communication protocol, the host end and the target slave end communicate using the package information and the reference communication protocol.
In this embodiment, the data header may be transmitted in plaintext, while the data body must be encrypted with the initial key before transmission to ensure the security of the update package. As for size, the data header can occupy 12 bytes and the data body 16 bytes; both can be adjusted according to other requirements.
After the host end has acquired the new key based on the update information, it is triggered to send the new key to the target slave end so that the target slave end can complete the update of the initial key.
Step 203, sending the new key to the target slave end, so that the target slave end replaces the initial key with the new key, thereby completing key management.
Optionally, the host end may send the new key to the target slave end in a new key package, the format of which is shown in fig. 4. The format of the data header is the same as that of the update package shown in fig. 3, and the data body, encrypted with the initial key, includes the new key obtained by the host end on the basis of the update information, the response information, the rolling code and the reserved segment. The response information is the response to the update information transmitted by the target slave end. The rolling code is a new rolling code obtained by adding a value to the rolling code used for obtaining the new key, where the added value may be a reference positive integer; for example, in the present embodiment the added value is 1, 2, or 3.
After the new key is sent to the target slave end, the target slave end replaces the initial key with the new key, thereby completing the key management. However, since the replacement is executed by the target slave end and may fail, the host end needs to check whether the target slave end executed the replacement successfully in order to ensure that key management is complete. Therefore, optionally, the method provided in this embodiment further includes:
and receiving reply information aiming at the new key sent by the target slave end, and if the reply information is not the information encrypted by the new key, resending the new key to the target slave end.
After receiving the new key sent by the host end, the target slave end replaces the initial key with the new key. Referring to fig. 5, if the replacement is executed successfully, the target slave end sends information encrypted with the new key to the host end as the reply information. After receiving it, the host end detects that the reply information is information encrypted with the new key, and thereby confirms that the target slave end executed the replacement successfully, i.e. that the update of the initial key is complete.
Correspondingly, if the replacement fails, the target slave end still encrypts information with the initial key to obtain the reply information and sends it to the host end. The host end detects that the reply information is not information encrypted with the new key, and thereby confirms that the target slave end has not finished updating the initial key. The host end then sends the new key to the target slave end again, once or several times, so as to ensure normal information interaction between the target slave end and the host end.
If the target slave end still cannot update the initial key after the host end has re-sent the new key, this embodiment further provides the following method: the target slave end and the host end continue to exchange information using the initial key, and the initial key is updated after the host end next receives update information sent by the target slave end.
In addition, after the target slave end successfully replaces the initial key with the new key, it needs to call a conversion algorithm to convert the new key before using it for information transmission. The reason is that, to reduce the power consumed in transmitting the new key, the new key generated at the host end is often short, so its byte length needs to be increased by conversion so that the converted key meets the key length required by different encryption standards. For example, if the new key is 4 bytes and the key used in AES (Advanced Encryption Standard)-128 is 128 bits (8 bits is 1 byte, i.e. 16 bytes), a conversion algorithm needs to be called to convert the new key from 4 bytes to 16 bytes so that the new key can be used normally. Next, taking the 4-byte new key 1234 as an example, the process of converting a 4-byte new key into a 16-byte key with the conversion algorithm is described:
bytes 1-4 of the 16-byte key keep the byte positions of the new key unchanged, i.e. bytes 1-4 are 1234. Bytes 5-8 are the new key with each odd-position byte swapped with the adjacent even-position byte, i.e. bytes 5-8 are 2143. Bytes 9-12 are the new key with its first 2 bytes and last 2 bytes swapped, i.e. bytes 9-12 are 3412. Bytes 13-16 again keep the byte positions of the new key unchanged, i.e. bytes 13-16 are 1234. Thus the 4-byte new key 1234 is converted into the 16-byte key 1234, 2143, 3412, 1234.
Of course, the above conversion algorithm is only an example, and other conversion algorithms may be invoked according to the difference between the byte length of the new key and the byte length of the key required by the encryption standard, which is not limited in this embodiment. No matter which conversion algorithm is called to complete conversion, in the subsequent information transmission process, the target slave end and the host end can transmit information to each other through the converted new key.
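The key replacement check (reply encrypted with the new key or not, bounded re-sending, fallback to the initial key) and the 4-byte to 16-byte conversion described above can be sketched together as follows. This is an added example, not code from the patent: the HMAC tag standing in for "information encrypted by the key", the HMAC-based derivation of the new key from the rolling code, and the names REFERENCE_COUNT, MAX_RESENDS, Host and Slave are assumptions; only expand_key follows the conversion given in the text.

```python
import hashlib
import hmac

REFERENCE_COUNT = 3  # assumed "reference number of times" before a key update
MAX_RESENDS = 2      # assumed retry budget for re-sending the new key


def expand_key(short_key: bytes) -> bytes:
    """The page's conversion: 1234 -> 1234 2143 3412 1234 (4 bytes to 16)."""
    if len(short_key) != 4:
        raise ValueError("conversion is defined for a 4-byte key")
    b1, b2, b3, b4 = short_key
    return bytes([b1, b2, b3, b4, b2, b1, b4, b3, b3, b4, b1, b2, b1, b2, b3, b4])


def derive_short_key(current_key: bytes, rolling_code: int) -> bytes:
    """Assumed 'reference manner': keyed PRF over the rolling code, cut to 4 bytes."""
    msg = b"rekey" + rolling_code.to_bytes(4, "big")
    return hmac.new(current_key, msg, hashlib.sha256).digest()[:4]


def tag(key: bytes, payload: bytes) -> bytes:
    """Stand-in for 'encrypted with this key': an 8-byte HMAC over the payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]


class Slave:
    def __init__(self, key: bytes, failing_replacements: int = 0):
        self.key = key
        self.rolling_code = 0
        self.failing_replacements = failing_replacements  # constructed fault injection

    def send_update(self):
        self.rolling_code += 1
        payload = b"update" + self.rolling_code.to_bytes(4, "big")
        return payload, tag(self.key, payload)

    def receive_new_key(self, short_key: bytes, rolling_code: int):
        if self.failing_replacements > 0:
            self.failing_replacements -= 1    # replacement failed: old key stays
        else:
            self.key = expand_key(short_key)  # replace, then convert to 16 bytes
        self.rolling_code = rolling_code
        payload = b"reply" + rolling_code.to_bytes(4, "big")
        return payload, tag(self.key, payload)


class Host:
    def __init__(self, key: bytes):
        self.key = key
        self.rolling_code = 0
        self.updates_seen = 0

    def on_update(self, slave: Slave, payload: bytes, received_tag: bytes) -> str:
        if not hmac.compare_digest(received_tag, tag(self.key, payload)):
            return "rejected"
        self.rolling_code = int.from_bytes(payload[-4:], "big")  # synchronise
        self.updates_seen += 1
        if self.updates_seen < REFERENCE_COUNT:
            return "no-update"
        return self._rekey(slave)

    def _rekey(self, slave: Slave) -> str:
        short_key = derive_short_key(self.key, self.rolling_code)
        candidate = expand_key(short_key)
        for _ in range(1 + MAX_RESENDS):
            self.rolling_code += 1  # new-key package carries an increased rolling code
            payload, reply_tag = slave.receive_new_key(short_key, self.rolling_code)
            if hmac.compare_digest(reply_tag, tag(candidate, payload)):
                self.key, self.updates_seen = candidate, 0
                return "updated"
            # Reply was produced under the old key: the slave did not switch, so resend.
        return "kept-initial"  # counter is kept, so the next update message retries


def run_demo(failing_replacements: int):
    initial = bytes(range(16))  # constructed initial key
    host, slave = Host(initial), Slave(initial, failing_replacements)
    outcomes = []
    for _ in range(REFERENCE_COUNT + 1):
        payload, t = slave.send_update()
        outcomes.append(host.on_update(slave, payload, t))
    return outcomes, host.key == slave.key, host.key != initial


if __name__ == "__main__":
    for faults in (0, 1, 3):
        print(faults, run_demo(faults))
```

Because expand_key is deterministic, the 16-byte key it produces still has only the 32 bits of variability of its 4-byte input.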
Next, a method of negotiating an initial key between the host and the target slave will be described. Optionally, before the host receives the update information sent by the target slave, the method provided in this embodiment further includes:
acquiring a serial number, and taking a slave machine end indicated by the serial number as a target slave machine end; the initial key is obtained based on the target slave side.
By obtaining the serial number, the host end can take the slave end indicated by the serial number as the target slave end, establish a communication connection with it, and negotiate with it to obtain an initial key.
Optionally, the host end obtains the serial number in one of the following two ways:
the first way to obtain the serial number: a user inputs a serial number into the host end through a client; after detecting the input serial number, the host end broadcasts a package to a plurality of slave ends and thereby obtains the slave end indicated by the serial number as the target slave end. This approach is used for remote communication.
The second way to obtain the serial number: the slave end reports the serial number to the host end, and the host end receives the serial number and takes the slave end that sent it, namely the slave end indicated by the serial number, as the target slave end. This approach is used for local communication. Because this way is initiated by the slave end, the host end does not need to broadcast the package to a plurality of slave ends, and the required power consumption is low.
In any way, after the slave indicated by the serial number is taken as the target slave, the initial key may be further obtained based on the target slave. Optionally, the method for obtaining the initial key includes: sending host key information to a target slave computer end, wherein the host key information comprises the product of a host numerical value and a base point, and the base point is a point on a reference elliptic curve; receiving slave key information sent by a target slave end, wherein the slave key information comprises a product of a slave numerical value and a base point; and acquiring the product of the host numerical value and the slave key information based on the reference elliptic curve, and taking the product of the host numerical value and the slave key information as an initial key.
For example, the reference elliptic curve and the base point are each entered into the host end and the target slave end in advance, and both ends directly use the reference elliptic curve and the base point when acquiring the initial key. The method of calculating based on the reference elliptic curve and the base point is called the ECDH algorithm, that is, the DH (Diffie-Hellman) key exchange algorithm based on ECC (Elliptic Curve Cryptography). Optionally, the ECDH algorithm adopted in this embodiment uses secp128r1.
The host value $r_B$ is a random number generated by the host end, and the base point $P$ is any point on the reference elliptic curve, so the host key information $K_B$ can be expressed as $K_B = r_B \times P$. Taking the reference elliptic curve shown in fig. 6 as an example, the manner in which the host value is multiplied by the base point is explained below:
on the reference elliptic curve, $r_B \times P$ means that $r_B$ copies of $P$ are added together. A tangent to the reference elliptic curve is drawn through the point $P$; the tangent intersects the reference elliptic curve at a first transition point $2P'$, and the point symmetric to the first transition point about the abscissa axis is the sum $2P$ of $P$ and $P$. The line connecting the point $P$ and the point $2P$ likewise intersects the reference elliptic curve at a second transition point $3P'$, and the point symmetric to the second transition point about the abscissa axis is the sum $3P$ of $P$ and $2P$. In the same way, the point $4P$ is obtained from $3P$ and $P$, the point $5P$ from $4P$ and $P$, and so on, until $r_B \times P$, i.e. $K_B$, is obtained. It can be seen that $K_B$ is also a point on the reference elliptic curve.
After obtaining the host key information $K_B$, the host end sends $K_B$ to the target slave end. After receiving it, the target slave end likewise generates a random number as the slave value $r_A$, calculates the slave key information $K_A = r_A \times P$ on the reference elliptic curve by the method described above, and returns $K_A$ to the host end.
Then the host end calculates, on the reference elliptic curve, the product of the host value $r_B$ and the slave key information $K_A$ as the initial key, i.e. the initial key $Ke2 = r_B \times K_A$. Correspondingly, the slave end calculates, on the elliptic curve, the product of the slave value $r_A$ and the host key information $K_B$ as the initial key, i.e. the initial key $Ke1 = r_A \times K_B$. Since $Ke2 = r_B \times K_A = r_B \times r_A \times P = r_A \times r_B \times P = r_A \times K_B = Ke1$, the host end and the target slave end obtain the same initial key.
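The exchange of host key information (host value times base point) and slave key information (slave value times base point) can be run end to end on a small curve. This is an added example, not code from the patent: it uses a constructed textbook curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) instead of secp128r1, the names Party and agree are hypothetical, and the check that a received point lies on the curve is an addition not described in the text.

```python
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17, base point (5, 1) of prime order 19.
# Constructed for illustration; NOT secp128r1 and far too small for real use.
P_MOD, A, B = 17, 2, 2
BASE_POINT = (5, 1)
ORDER = 19
INFINITY = None  # the point at infinity (group identity)


def on_curve(pt):
    if pt is INFINITY:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Chord-and-tangent addition, as in the page's geometric description."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INFINITY  # P + (-P), including doubling a point with y = 0
    if p1 == p2:  # tangent line through P
        slope = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, P_MOD - 2, P_MOD)
    else:         # chord through P and Q
        slope = (y2 - y1) * pow((x2 - x1) % P_MOD, P_MOD - 2, P_MOD)
    slope %= P_MOD
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x1 - x3) - y1) % P_MOD  # reflection about the x axis
    return (x3, y3)


def repeated_add(k, pt):
    """k x P computed literally as P + P + ... + P (the page's description)."""
    result = INFINITY
    for _ in range(k):
        result = point_add(result, pt)
    return result


def scalar_mult(k, pt):
    """Same result via double-and-add, which is what an implementation would use."""
    result, addend = INFINITY, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


class Party:
    def __init__(self, secret=None):
        # Secret value r in [1, ORDER - 1]; key information K = r x P.
        self.secret = secret if secret is not None else 1 + secrets.randbelow(ORDER - 1)
        self.key_info = scalar_mult(self.secret, BASE_POINT)

    def initial_key(self, peer_key_info):
        # Added check (not in the page): reject points that are not on the curve.
        if peer_key_info is INFINITY or not on_curve(peer_key_info):
            raise ValueError("peer key information is not a valid curve point")
        return scalar_mult(self.secret, peer_key_info)


def agree(r_b=None, r_a=None):
    host, slave = Party(r_b), Party(r_a)
    ke2 = host.initial_key(slave.key_info)   # Ke2 = r_B x K_A
    ke1 = slave.initial_key(host.key_info)   # Ke1 = r_A x K_B
    return ke1, ke2


if __name__ == "__main__":
    print(agree())
```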
Besides being used to encrypt transmitted information in the period after it is obtained and before it is updated, the initial key can also be used each time the host end sends a new key to the target slave end. The reason is that the initial key is obtained by calculation and therefore has good security, so using the initial key to send a new key improves the security of the key update.
The package used to transmit information while obtaining the initial key can be seen in fig. 7. When the host end sends information to the target slave end, the data body is the host key information $K_B$; when the target slave end sends information to the host end, the data body is the slave key information $K_A$.
The packages shown in fig. 7 may be transmitted unencrypted. This is because, even if a third party other than the host end and the target slave end obtains the host key information and the slave key information, to obtain the initial key the third party must first calculate the host value from the host key information and the base point (or the slave value from the slave key information and the base point), and then obtain the initial key from the host value and the slave key information (or from the slave value and the host key information).
Calculating the host value (or the slave value) means solving the discrete logarithm problem on the elliptic curve, which is difficult. The difficulty can be understood as follows: the time required for the calculation is longer than the time during which the initial key is in use, that is, the initial key is replaced by a new key before a third party can calculate it, so the third party's calculation does not cause information leakage, and the unencrypted transmission mode is feasible.
Optionally, after obtaining the initial key, the method further includes: sending registration information to a target slave terminal; receiving response information aiming at the registration information sent by a target slave end; and decrypting the response message according to the initial key so as to complete the registration with the target slave terminal.
The registration information sent from the host side to the target slave side comprises host information encrypted according to an initial key, after the target slave side receives the registration information, the host information can be obtained by decrypting the registration information according to the initial key, and the host information can be stored by the target slave side. And then, the response information sent from the target slave end to the host end comprises the slave information encrypted according to the initial key, and the host end decrypts the response information according to the initial key after receiving the response information to obtain the slave information and stores the slave information, so that the registration between the host end and the target slave end is completed.
Of course, in addition to the registration being completed by the host sending the registration information to the target slave and the target slave returning the response information to the registration information, the registration may be completed by the target slave sending the registration information to the host (in this case, the registration information is the slave information encrypted by the initial key) and the host returning the response information to the registration information (in this case, the response information is the host information encrypted by the initial key).
It should be noted that the registration information and the response information may be transmitted by the packet package shown in fig. 3. When the group package in fig. 3 is used to transmit the registration information, the registration information is substituted for the update information; and when the response information is transmitted, the response information is used for replacing the updating information, so that the transmission is realized.
Further, registration can be divided into remote registration and local registration. The remote registration process is shown in fig. 8 and adopts the first way of obtaining the serial number. The local registration process is shown in fig. 9 and adopts the second way of obtaining the serial number. After the host end and the target slave end are registered, the corresponding alarm logic functions can be started, so that the host end and the target slave end can be applied in a wireless alarm system, where the interaction between the host end and the target slave end is carried over sub-G wireless.
In summary, in the embodiments of the present application, whether the initial key needs to be updated is determined by the update information sent by the target slave, so that a process of sending a wake-up instruction from the host to the slave is omitted, and power consumption required for updating the initial key is reduced.
An alarm system takes security as its first premise. The key management method provided by the embodiments of the application ensures security on the encryption algorithm side and compensates for the key leakage risk of symmetric encryption algorithms. In addition, the method is a key management mechanism that can be applied on a single-chip microcomputer: it does not occupy excessive code space, runs and processes in real time, and has a short waiting delay. The method provided by the embodiment also takes the low-power requirements of the equipment into account: the time spent exchanging and updating the key is very short, and the device is in a dormant state by default for the rest of the time.
Based on the same conception, the embodiment of the application provides a system for managing keys, which comprises:
the host side is used for receiving the updating information sent by the target slave side and determining whether the initial key needs to be updated according to the updating information; if the initial key needs to be updated, acquiring a new key based on the updating information; sending a new key to the target slave;
and the target slave end is used for sending the update information to the host end, receiving the new key sent by the host end and replacing the initial key with the new key.
Optionally, the host is configured to determine that the initial key needs to be updated if the number of times of receiving the update information is not less than the reference number of times.
Optionally, the update information comprises a rolling code; and the host terminal is used for calculating the rolling code according to a reference mode to obtain a calculation result, and the calculation result is used as a new key.
Optionally, the host is configured to receive an update package sent by the target slave, where the update package carries update information.
Optionally, the host is further configured to receive reply information for the new key sent by the target slave; and if the reply message is not the message encrypted by the new key, the new key is sent to the target slave again.
Optionally, the host side is further configured to obtain a sequence number, and use the slave side indicated by the sequence number as a target slave side; the initial key is obtained based on the target slave side.
Optionally, the host is configured to send host key information to the target slave, where the host key information includes a product of a host numerical value and a base point, and the base point is any point on the reference elliptic curve; receiving slave key information sent by a target slave end, wherein the slave key information comprises a product of a slave numerical value and a base point; and acquiring the product of the host numerical value and the slave key information based on the reference elliptic curve, and taking the product of the host numerical value and the slave key information as an initial key.
It should be noted that, each step executed by the host and the target slave included in the system and information and the like related to each step can refer to relevant contents in the above method for managing the key, and are not described in detail here.
In summary, in the embodiments of the present application, whether the initial key needs to be updated is determined by the update information sent by the target slave, so that a process of sending a wake-up instruction from the host to the slave is omitted, and power consumption required for updating the initial key is reduced.
Based on the same concept, the embodiment of the present application provides an apparatus for managing a key, referring to fig. 10, the apparatus including:
a receiving module 1001, configured to receive, by a host, update information sent by a target slave;
a determining module 1002, configured to determine whether the initial key needs to be updated according to the update information;
a first obtaining module 1003, configured to, if the initial key needs to be updated, obtain a new key based on the update information;
a first sending module 1004, configured to send the new key to the target slave, so that the target slave replaces the initial key with the new key, thereby completing key management.
Optionally, the determining module 1002 is configured to determine that the initial key needs to be updated if the number of times of receiving the update information is not less than the reference number of times.
Optionally, the update information comprises a rolling code;
the first obtaining module 1003 is configured to calculate the rolling code according to a reference manner, obtain a calculation result, and use the calculation result as a new key.
Optionally, the receiving module 1001 is configured to receive, by the host, an update package sent by the target slave, where the update package carries update information.
Optionally, the apparatus further comprises:
the second sending module is used for receiving reply information aiming at the new key sent by the target slave end; and if the reply message is not the message encrypted by the new key, the new key is sent to the target slave again.
Optionally, the apparatus further comprises:
the second acquisition module is used for acquiring the serial number and taking the slave terminal indicated by the serial number as a target slave terminal; the initial key is obtained based on the target slave side.
Optionally, the second obtaining module is configured to send the host key information, a base point and a reference elliptic curve to the target slave end, where the host key information includes a product of a host value and the base point, and the base point is any point on the reference elliptic curve; receiving slave key information sent by the target slave end, wherein the slave key information comprises a product of a slave value and the base point; and acquiring the product of the host value and the slave key information based on the reference elliptic curve, and taking the product of the host value and the slave key information as the initial key.
Optionally, the apparatus further comprises:
the registration module is used for sending registration information to the target slave terminal, wherein the registration information comprises host information encrypted according to the initial key; receiving response information aiming at the registration information sent by a target slave end, wherein the response information comprises slave information encrypted according to an initial key; and decrypting the response message according to the initial key so as to complete the registration with the target slave terminal.
In summary, in the embodiments of the present application, whether the initial key needs to be updated is determined by the update information sent by the target slave, so that a process of sending a wake-up instruction from the host to the slave is omitted, and power consumption required for updating the initial key is reduced.
It should be noted that, when the apparatus provided in the foregoing embodiment implements the functions thereof, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
Based on the same conception, the embodiment of the application provides a device for managing the key, and the device comprises a memory and a processor; the memory stores at least one instruction, and the at least one instruction is loaded and executed by the processor to implement the method for managing the key provided by the embodiment of the application.
Based on the same conception, the embodiment of the present application also provides a computer-readable storage medium, in which at least one instruction is stored, and the instruction is loaded and executed by a processor to implement the method for managing a key provided by the embodiment of the present application.
All the above optional technical solutions may be combined arbitrarily to form optional embodiments of the present application, and are not described herein again.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. A method for managing keys, the method comprising:
the host receives the update information sent by the target slave, and determines whether the initial key needs to be updated according to the update information;
if the initial key needs to be updated, acquiring a new key based on the updating information;
and sending the new key to the target slave end so that the target slave end replaces the initial key with the new key.
2. The method of claim 1, wherein the determining whether the initial key needs to be updated according to the update information comprises:
and if the times of receiving the updating information is not less than the reference times, determining that the initial key needs to be updated.
3. The method of claim 2, wherein the update information comprises a rolling code;
the obtaining a new key based on the update information includes:
and calculating the rolling code according to a reference mode to obtain a calculation result, and taking the calculation result as the new key.
4. A method according to any of claims 1-3, wherein the receiving, by the host, the update information sent by the target slave comprises:
and the host end receives an update package sent by the target slave end, wherein the update package carries the update information.
5. A method according to any of claims 1-3, wherein after said sending of said new key to said target slave, said method further comprises:
receiving reply information aiming at the new key sent by the target slave end;
and if the reply message is not the message encrypted by the new key, the new key is sent to the target slave terminal again.
6. A method according to any of claims 1-3, wherein before the host side receives the update information sent by the target slave side, the method further comprises:
acquiring a sequence number, and taking a slave end indicated by the sequence number as the target slave end;
and acquiring the initial key based on the target slave end.
7. The method of claim 6, wherein said obtaining the initial key based on the target slave side comprises:
sending host key information to the target slave terminal, wherein the host key information comprises the product of a host numerical value and a base point, and the base point is any point on a reference elliptic curve;
receiving slave key information sent by the target slave end, wherein the slave key information comprises a product of a slave numerical value and the base point;
and acquiring the product of the host numerical value and the slave key information based on the reference elliptic curve, and taking the product of the host numerical value and the slave key information as the initial key.
8. The method of claim 6, wherein after the obtaining of the initial key based on the target slave end, the method further comprises:
sending registration information to the target slave terminal, wherein the registration information comprises host information encrypted according to the initial key;
receiving response information aiming at the registration information sent by the target slave end, wherein the response information comprises slave information encrypted according to the initial key;
and decrypting the response message according to the initial key to complete the registration with the target slave end.
9. A system for managing keys, the system comprising:
the host side is used for receiving the updating information sent by the target slave side and determining whether the initial key needs to be updated according to the updating information; if the initial key needs to be updated, acquiring a new key based on the updating information; sending the new key to the target slave;
and the target slave end is used for sending update information to the host end, receiving a new key sent by the host end and replacing the initial key with the new key.
10. A computer-readable storage medium having stored therein at least one instruction which is loaded and executed by a processor to implement a method of managing keys as claimed in any one of claims 1-8.
CN201910372776.9A 2019-05-06 2019-05-06 Method, system and readable storage medium for managing key Active CN111901098B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910372776.9A CN111901098B (en) 2019-05-06 2019-05-06 Method, system and readable storage medium for managing key

Publications (2)

Publication Number Publication Date
CN111901098A true CN111901098A (en) 2020-11-06
CN111901098B CN111901098B (en) 2023-03-24

Family

ID=73169493

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910372776.9A Active CN111901098B (en) 2019-05-06 2019-05-06 Method, system and readable storage medium for managing key

Country Status (1)

Country Link
CN (1) CN111901098B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112566116A (en) * 2020-12-15 2021-03-26 浙江三维万易联科技有限公司 Method and device for determining key, storage medium and electronic device
CN112788012A (en) * 2020-12-30 2021-05-11 深圳市欢太科技有限公司 Log file encryption method and device, storage medium and electronic equipment
CN114614985A (en) * 2022-05-12 2022-06-10 施维智能计量系统服务(长沙)有限公司 Communication key updating method, key server and readable storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080310337A1 (en) * 2007-06-18 2008-12-18 Gainspan, Inc. Periodic heartbeat communication between devices and a control point
US20130238794A1 (en) * 2010-11-23 2013-09-12 Juniper Networks, Inc Enhanced high availability for group vpn in broadcast environment
CN104283674A (en) * 2014-10-27 2015-01-14 北海市蕴芯电子科技有限公司 TTF RFID with both rolling code and secret key encrypted
CN106341908A (en) * 2016-08-24 2017-01-18 福州瑞芯微电子股份有限公司 Method and system for maintaining long connection of mobile network
CN106656923A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Device association method, key update method and apparatuses
CN107370751A (en) * 2017-08-18 2017-11-21 深圳市鑫宇鹏电子科技有限公司 One kind session key update method in smart device communication

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112566116A (en) * 2020-12-15 2021-03-26 浙江三维万易联科技有限公司 Method and device for determining key, storage medium and electronic device
CN112566116B (en) * 2020-12-15 2022-08-16 三维通信股份有限公司 Method and device for determining key, storage medium and electronic device
CN112788012A (en) * 2020-12-30 2021-05-11 深圳市欢太科技有限公司 Log file encryption method and device, storage medium and electronic equipment
CN114614985A (en) * 2022-05-12 2022-06-10 施维智能计量系统服务(长沙)有限公司 Communication key updating method, key server and readable storage medium

Also Published As

Publication number Publication date
CN111901098B (en) 2023-03-24

Similar Documents

Publication Publication Date Title
CN111901098B (en) Method, system and readable storage medium for managing key
KR101553488B1 (en) Method and apparatus for virtual pairing with a group of semi-connected devices
US8631254B2 (en) Secure wake-up method, wake-up authentication code generation and updating method of a network device and a network control device in a wireless body area network
CN107836095B (en) Method for generating a secret or key in a network
US11051247B2 (en) Transmission/ reception device with wake-up radio resistant to attacks by denial of sleep
US20240048949A1 (en) Remote control method and apparatus
KR20110053351A (en) Techniques for solving overhearing problems of body area network medium access control protocols
CN115104282B (en) Key updating method and related device
CN107820277B (en) Parent node device for wireless network, terminal device and data transmission method thereof
WO2018054169A1 (en) Channel switching method and device
CN113328919A (en) CAN bus identifier, communication method and communication system
CN115362693A (en) Wireless protocol for sensing systems
CN106487761B (en) Message transmission method and network equipment
CN111556588A (en) Connection configuration method and system for Bluetooth MESH network, electronic equipment and storage medium
CN113364869B (en) Block chain message transmission method, equipment and storage medium
US20230403735A1 (en) Message Transmission Method, Terminal and Storage Medium
US20180123786A1 (en) Method for Generating a Secret or a Key in a Network
KR20220043904A (en) Method for performing bmca of 5g system operating as tsn bridge
WO2015193968A1 (en) Communication apparatus, wireless multi-hop network system, and frame counter setting method
CN108141358B (en) Method for generating a cryptographic key in a circuit arrangement
EP4109234A1 (en) Wireless device monitoring method and apparatus
CN114189333B (en) Sensing node security management method, electronic device and computer readable storage medium
CN113852955B (en) Method for secure data transmission and legal node authentication in wireless sensing network
CN111193596B (en) Block generation system, method, server and workload verification device
CN113452515B (en) Communication method, key configuration method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant