CN113315632B - Method, system, device and communication equipment for determining key generator - Google Patents


Info

Publication number: CN113315632B
Authority: CN (China)
Prior art keywords: key, secure element, external entity, key generator, authentication
Legal status: Active
Application number: CN202110861612.XA
Other languages: Chinese (zh)
Other versions: CN113315632A
Inventor: 覃勇
Current assignee: Beijing Unigroup Tsingteng Microsystems Co Ltd
Original assignee: Beijing Unigroup Tsingteng Microsystems Co Ltd
Events: application filed by Beijing Unigroup Tsingteng Microsystems Co Ltd; priority to CN202110861612.XA; publication of CN113315632A; application granted; publication of CN113315632B; legal status active; anticipated expiration.

Classifications

All three classifications fall under Section H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication), H04L 9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols):

    • H04L 9/0861 Key distribution or management (H04L 9/08): generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0877 As H04L 9/0861, using an additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L 9/3226 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication (H04L 9/32), using a predetermined code, e.g. password, passphrase or PIN

Abstract

The application relates to the technical field of wireless communication and discloses a method for determining a key generator. Applied on the external entity side, the method comprises: sending a key tag request to a secure element, which triggers the secure element to feed back its preset key tag data; and determining the key generator corresponding to the secure element according to the key tag data fed back by the secure element. In this way, where there are a plurality of key generators, the external entity is able to determine the key generator corresponding to the secure element from the key tag data the secure element feeds back. The application also discloses a system, an apparatus and a communication device for determining the key generator.

Description

Method, system, device and communication equipment for determining key generator
Technical Field
The present application relates to the field of wireless communication technologies, and for example, to a method, a system, an apparatus, and a communication device for determining a key generator.
Background
Currently, when most external entities communicate with a Secure Element (SE), the external entity must first pair the secure element with the key generator that corresponds to it: the two hold matching symmetric keys and compute a communication session key from those keys according to a preset key diversification rule, and the external entity and the secure element then communicate securely under that session key. If the secure element is paired with a key generator that does not correspond to it, the pairing fails, because the two sides hold different symmetric keys and apply different key diversification rules.
In the course of implementing the embodiments of the present disclosure, at least the following problem was found in the related art:
where there are multiple key generators, the external entity cannot determine which key generator corresponds to a given secure element.
Disclosure of Invention
The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview nor is intended to identify key/critical elements or to delineate the scope of such embodiments but rather as a prelude to the more detailed description that is presented later.
The disclosed embodiment provides a method, a system, a device and a communication device for determining a key generator, so that an external entity can determine the key generator corresponding to a secure element.
In some embodiments, a method for determining a key generator, applied on the external entity side, comprises: sending a key tag request to a secure element, which triggers the secure element to feed back its preset key tag data; and determining the key generator corresponding to the secure element according to the key tag data fed back by the secure element.
In some embodiments, a method for determining a key generator, applied on the secure element side, comprises: upon receiving a key tag request sent by an external entity, feeding back preset key tag data to the external entity, which triggers the external entity to determine the key generator corresponding to the secure element according to the key tag data.
In some embodiments, a system for determining a key generator comprises an external entity, a secure element and a plurality of key generators. The external entity is configured to send a key tag request to the secure element; determine the key generator corresponding to the secure element according to the key tag data fed back by the secure element; send a preset key request to that key generator; upon receiving the random code and the authentication code sent by that key generator, send a communication authentication request carrying the random code and the authentication code to the secure element; when the authentication result fed back by the secure element is success, trigger the key generator corresponding to the secure element to generate a first session key; send a first session key acquisition request to that key generator; and receive the first session key fed back by that key generator and communicate with the secure element according to it. The secure element is configured to feed back its preset key tag data to the external entity upon receiving a key tag request from the external entity and, upon receiving a communication authentication request carrying a random code and an authentication code from the external entity, to obtain an authentication result from the random code and the authentication code and feed it back to the external entity. Each of the plurality of key generators is configured, upon receiving a preset key request from the external entity, to generate a random code, encrypt the random code with a preset first symmetric key to obtain an authentication code, and send the random code and the authentication code to the external entity; to generate a first session key; and to feed the first session key back to the external entity upon receiving the external entity's first session key acquisition request.
In some embodiments, an apparatus for determining a key generator includes a processor and a memory storing program instructions, the processor being configured to, when executing the program instructions, perform the method for determining a key generator described above.
In some embodiments, the communication device comprises the above-described means for determining the key generator.
The method, system, apparatus and communication device for determining a key generator provided by the embodiments of the disclosure achieve the following technical effect: the external entity triggers the secure element to feed back its preset key tag data by sending it a key tag request, and determines the key generator corresponding to the secure element according to that key tag data. In this way, where there are a plurality of key generators, the external entity is able to determine the key generator corresponding to the secure element from the key tag data fed back by the secure element.
The foregoing general description and the following description are exemplary and explanatory only and are not restrictive of the application.
Drawings
One or more embodiments are illustrated by way of example, and not by way of limitation, in the accompanying drawings, in which elements bearing the same reference numeral are shown as like elements, and wherein:
FIG. 1 is a schematic diagram of a method for determining a key generator provided by an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of another method for determining a key generator provided by an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of another method for determining a key generator provided by an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of another method for determining a key generator provided by an embodiment of the present disclosure;
FIG. 5 is a timing diagram of a method for determining a key generator provided by embodiments of the present disclosure;
FIG. 6 is a schematic diagram of a system for determining a key generator provided by embodiments of the present disclosure;
FIG. 7 is a schematic diagram of an apparatus for determining a key generator provided by an embodiment of the present disclosure.
Detailed Description
So that the manner in which the features and elements of the disclosed embodiments can be understood in detail, a more particular description of the disclosed embodiments, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings. In the following description of the technology, for purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the disclosed embodiments. However, one or more embodiments may be practiced without these details. In other instances, well-known structures and devices may be shown in simplified form in order to simplify the drawing.
The terms "first," "second," and the like in the description, the claims and the drawings of embodiments of the present disclosure are used to distinguish between similar elements and not necessarily to describe a particular sequential or chronological order. It should be understood that elements so designated may be interchanged under appropriate circumstances, so that the embodiments described herein can be practiced in orders other than those illustrated. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion.
The term "plurality" means two or more unless otherwise specified.
In the embodiment of the present disclosure, the character "/" indicates that the preceding and following objects are in an or relationship. For example, A/B represents: a or B.
The term "and/or" is an associative relationship that describes objects, meaning that three relationships may exist. For example, a and/or B, represents: a or B, or A and B.
The term "correspond" may refer to an association or binding relationship, and a corresponds to B refers to an association or binding relationship between a and B.
As shown in fig. 1, an embodiment of the present disclosure provides a method for determining a key generator, applied to an external entity, the method including:
step S101, the external entity sends a key tag request to the secure element, triggering the secure element to feed back its preset key tag data;
step S102, the external entity determines the key generator corresponding to the secure element according to the key tag data fed back by the secure element.
By adopting the method for determining a key generator provided by this embodiment of the disclosure, the external entity sends a key tag request to the secure element, triggers the secure element to feed back its preset key tag data, and determines the key generator corresponding to the secure element according to that key tag data. In this way, where there are a plurality of key generators, the external entity is able to determine the key generator corresponding to the secure element from the key tag data fed back by the secure element.
Optionally, the secure element is a SIM (Subscriber Identity Module) card, a UICC (Universal Integrated Circuit Card), an eUICC (embedded UICC), an iUICC (integrated UICC), or the like.
Optionally, the external entity is a secure environment management platform. Optionally, the secure environment management platform is a Trusted Service Manager (TSM) platform.
Optionally, the external entity determining the key generator corresponding to the secure element according to the key tag data fed back by the secure element comprises: the external entity looks up the key generator corresponding to the key tag data in a preset key generator database, which stores the correspondence between key tag data and key generators, and determines the matched key generator as the key generator corresponding to the secure element. Optionally, the key tag data is the type of the key generator or an identification code corresponding to the key generator.
As shown in fig. 2, an embodiment of the present disclosure provides a method for determining a key generator, applied to an external entity, the method including:
step S201, the external entity sends a key tag request to the secure element, triggering the secure element to feed back its preset key tag data;
step S202, the external entity determines the key generator corresponding to the secure element according to the key tag data fed back by the secure element;
step S203, the external entity sends a preset key request to the key generator corresponding to the secure element, triggering the key generator to generate a random code, encrypt the random code with a preset first symmetric key to obtain an authentication code, and feed the random code and the authentication code back to the external entity;
step S204, the external entity sends a communication authentication request carrying the random code and the authentication code to the secure element, triggering the secure element to obtain an authentication result from the random code and the authentication code and feed the authentication result back to the external entity;
step S205, when the authentication result is success, the external entity triggers the key generator to generate a first session key;
step S206, the external entity sends a first session key acquisition request to the key generator, triggering the key generator to feed back the first session key;
step S207, the external entity receives the first session key sent by the key generator and communicates with the secure element according to the first session key.
By adopting the method for determining a key generator provided by this embodiment of the disclosure, the external entity sends a key tag request to the secure element, the secure element feeds back its preset key tag data, and the external entity determines the key generator corresponding to the secure element from that key tag data. In this way, where there are a plurality of key generators, the external entity can determine which key generator corresponds to the secure element, pair the secure element with that key generator, and so establish communication with the secure element. Because the secure element is authenticated against its corresponding key generator, an attacker cannot pair an arbitrary secure element or key generator in order to steal a key, which reduces the risk of key leakage. Where a plurality of secure elements exchange data with one external entity, the external entity determines the key generator for each secure element by obtaining each secure element's preset key tag data, so the secure elements are matched to their key generators while the original communication authentication procedure between secure element and key generator is left unchanged, which lowers the integration effort.
Optionally, the external entity sending the communication authentication request carrying the random code and the authentication code to the secure element, and triggering the secure element to obtain an authentication result from the random code and the authentication code, comprises: the external entity sends the communication authentication request carrying the random code and the authentication code to the secure element; the secure element, on receiving it, encrypts the random code with its preset second symmetric key to obtain an encryption result, compares the encryption result with the authentication code, determines the authentication result to be success if the encryption result is identical to the authentication code and failure if it is not, and feeds the authentication result back to the external entity.
Optionally, when the authentication result is success, the external entity triggering the key generator to generate the first session key comprises: the external entity sends a session key generation request to the key generator, triggering the key generator to evaluate its preset first key diversification rule with the PBOC (People's Bank of China) key diversification algorithm, obtaining and storing the first session key.
Optionally, the external entity communicates with the secure element according to the first session key, including: the external entity encrypts communication data of the external entity according to the first session key to obtain first encrypted communication data corresponding to the communication data; the external entity sends the first encrypted communication data to the secure element.
In some embodiments, the key generator communicates with the corresponding secure element through an external entity. Optionally, the external entity sends the second encrypted communication data to the corresponding secure element in case of receiving the second encrypted communication data sent by the key generator; the second encrypted communication data is obtained by encrypting the communication data of the key generator by the key generator according to the first session key.
An embodiment of the present disclosure provides a method for determining a key generator, applied on the secure element side, comprising: upon receiving a key tag request sent by an external entity, the secure element feeds back its preset key tag data to the external entity, triggering the external entity to determine the key generator corresponding to the secure element according to the key tag data fed back by the secure element.
By adopting this method, the secure element, upon receiving the key tag request from the external entity, feeds back its preset key tag data and thereby triggers the external entity to determine the key generator corresponding to the secure element from that data. In this way, where there are a plurality of key generators, the external entity is able to determine which key generator corresponds to the secure element.
As shown in fig. 3, an embodiment of the present disclosure provides a method for determining a key generator, applied on the secure element side, comprising:
step S301, upon receiving a key tag request sent by an external entity, the secure element feeds back its preset key tag data to the external entity, triggering the external entity to determine the key generator corresponding to the secure element according to the key tag data fed back by the secure element;
step S302, upon receiving a communication authentication request carrying a random code and an authentication code sent by the external entity, the secure element obtains an authentication result from the random code and the authentication code and feeds the authentication result back to the external entity; the random code is generated by the key generator, and the authentication code is obtained by the key generator encrypting the random code with a preset first symmetric key.
By adopting this method, the secure element, upon receiving the key tag request from the external entity, feeds back its preset key tag data and thereby triggers the external entity to determine the key generator corresponding to the secure element from that data. In this way, where there are a plurality of key generators, the external entity is able to determine which key generator corresponds to the secure element.
Optionally, the secure element obtaining the authentication result from the random code and the authentication code comprises: the secure element encrypts the random code with its preset second symmetric key to obtain an encryption result; the secure element compares the encryption result with the authentication code; if the encryption result is identical to the authentication code, the authentication result is success; if it is not, the authentication result is failure.
As shown in fig. 4, an embodiment of the present disclosure provides a method for determining a key generator, which is applied to a secure element side, and the method includes:
step S401, upon receiving a key tag request sent by an external entity, the secure element feeds back its preset key tag data to the external entity, triggering the external entity to determine the key generator corresponding to the secure element according to the key tag data fed back by the secure element;
step S402, upon receiving a communication authentication request carrying a random code and an authentication code sent by the external entity, the secure element obtains an authentication result from the random code and the authentication code and feeds it back to the external entity; the authentication code is obtained by the key generator encrypting the random code with a preset first symmetric key;
step S403, if the authentication result is success, the secure element generates a second session key according to a preset second key diversification rule;
step S404, upon receiving first encrypted communication data sent by the external entity, the secure element decrypts the first encrypted communication data with the second session key to obtain the communication data corresponding to it. For this decryption to succeed, the second key diversification rule must yield the same key as the key generator's first rule, that is, the second session key must equal the first session key.
By adopting the method for determining a key generator provided by this embodiment of the disclosure, the secure element, upon receiving the key tag request from the external entity, feeds back its preset key tag data and thereby triggers the external entity to determine the key generator corresponding to the secure element from that data. In this way, where there are a plurality of key generators, the external entity can determine which key generator corresponds to the secure element, pair the secure element with that key generator, and so establish communication with the secure element. Because the secure element is authenticated against its corresponding key generator, an attacker cannot pair an arbitrary secure element or key generator in order to steal a key, which reduces the risk of key leakage. Where a plurality of secure elements exchange data with one external entity, the external entity determines the key generator for each secure element by obtaining each secure element's preset key tag data, so the secure elements are matched to their key generators while the original communication authentication procedure between secure element and key generator is left unchanged, which lowers the integration effort.
Optionally, upon receiving second encrypted communication data sent by the external entity, the secure element decrypts the second encrypted communication data with the second session key to obtain the communication data corresponding to it; the second encrypted communication data is obtained by the key generator encrypting its own communication data with the first session key, and the first session key is generated by the key generator according to a preset first key diversification rule.
As shown in fig. 5, an embodiment of the present disclosure provides a method for determining a key generator, including:
step S501, an external entity sends a key tag request to a secure element;
step S502, the secure element feeds back its preset key tag data to the external entity;
step S503, the external entity determines the key generator corresponding to the secure element according to the key tag data fed back by the secure element;
step S504, the external entity sends a preset key request to a key generator corresponding to the secure element;
step S505, a key generator corresponding to the secure element generates a random code;
step S506, a key generator corresponding to the secure element encrypts the random code by using a preset first symmetric key to obtain an authentication code;
step S507, the key generator corresponding to the secure element sends the random code and the authentication code to an external entity;
step S508, the external entity receives the random code and the authentication code sent by the key generator corresponding to the secure element, and generates a communication authentication request with the random code and the authentication code;
step S509, the external entity sends a communication authentication request with the random code and the authentication code to the secure element;
step S510, the secure element receives a communication authentication request with a random code and an authentication code sent by an external entity, and acquires an authentication result according to the random code and the authentication code;
step S511, the secure element sends the authentication result to an external entity;
step S512, upon receiving an authentication result of success from the secure element, the external entity sends a session key generation request to the key generator corresponding to the secure element;
step S513, in a case that the key generator corresponding to the secure element receives the request for generating the session key sent by the external entity, generating a first session key;
step S514, the external entity sends a first session key acquisition request to a key generator corresponding to the secure element;
step S515, the key generator corresponding to the secure element sends the first session key to the external entity when receiving the first session key acquisition request sent by the external entity;
in step S516, the external entity receives the first session key sent by the key generator corresponding to the secure element, and communicates with the secure element according to the first session key.
By adopting the method for determining a key generator provided by this embodiment of the disclosure, the external entity sends a key tag request to the secure element, the secure element feeds back its preset key tag data, and the external entity determines the key generator corresponding to the secure element from that key tag data. In this way, where there are a plurality of key generators, the external entity can determine which key generator corresponds to the secure element, pair the secure element with that key generator, and so establish communication with the secure element. Because the secure element is authenticated against its corresponding key generator, an attacker cannot pair an arbitrary secure element or key generator in order to steal a key, which reduces the risk of key leakage. Where a plurality of secure elements exchange data with one external entity, the external entity determines the key generator for each secure element by obtaining each secure element's preset key tag data, so the secure elements are matched to their key generators while the original communication authentication procedure between secure element and key generator is left unchanged, which lowers the integration effort.
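The exchange of steps S501-S516 above, together with the external-entity-side steps S201-S207 and the secure-element-side steps S301-S302 and S401-S404, as an added worked example in Go. This is not code from the patent or from the assignee; the type and function names (`ExternalEntity`, `Establish`, `pbocDiversify` and so on) and all key material are constructed for illustration. It rests on assumptions the page does not state: the symmetric cipher is two-key 3DES, because the PBOC key diversification algorithm cited for the session key is defined over 3DES; the "preset key diversification rule" is read as PBOC-style diversification of a master key with the random code as the diversification factor, applied identically by the key generator (first session key) and the secure element (second session key); and for a matched pair the secure element's second symmetric key equals the key generator's first symmetric key, since the comparison in step S510 can only succeed then.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// tdesEncryptBlock encrypts one 8-byte block with two-key 3DES, expanding the 16-byte
// key K1||K2 to the K1||K2||K1 form crypto/des expects (3DES is assumed, not stated on the page).
func tdesEncryptBlock(key16, block []byte) []byte {
	if len(key16) != 16 || len(block) != 8 {
		panic("tdesEncryptBlock: need a 16-byte key and an 8-byte block") // provisioning bug
	}
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// pbocDiversify is PBOC-style key diversification: left half 3DES(master, factor), right
// half 3DES(master, NOT factor). Using the random code as factor is this example's assumption.
func pbocDiversify(master, factor []byte) []byte {
	inv := make([]byte, len(factor))
	for i, b := range factor {
		inv[i] = ^b
	}
	return append(tdesEncryptBlock(master, factor), tdesEncryptBlock(master, inv)...)
}

// KeyGenerator holds the preset first symmetric key and the master key its rule works from.
type KeyGenerator struct {
	AuthKey, MasterKey []byte
	sessionKey         []byte // first session key, kept after S513
}

// SecureElement holds its preset key tag data, second symmetric key and master key.
type SecureElement struct {
	KeyTag             string
	AuthKey, MasterKey []byte
	sessionKey         []byte // second session key, derived in S403
}

// HasSessionKey reports, in constant time, whether the SE derived the key the external entity holds.
func (se *SecureElement) HasSessionKey(k []byte) bool {
	return subtle.ConstantTimeCompare(se.sessionKey, k) == 1
}

// ExternalEntity is the TSM-like party; Registry is the key generator database of S503.
type ExternalEntity struct {
	Registry map[string]*KeyGenerator
}

// Establish runs S501-S516 with all three parties in-process and returns the first session
// key handed to the external entity, or an error on an unknown tag or a failed authentication.
func (ee *ExternalEntity) Establish(se *SecureElement) ([]byte, error) {
	kg, ok := ee.Registry[se.KeyTag] // S501-S503: tag request, tag feedback, lookup
	if !ok {
		return nil, fmt.Errorf("no key generator registered for key tag %q", se.KeyTag)
	}
	random := make([]byte, 8) // S504-S507: generator makes the random code and E_K1(random)
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	authCode := tdesEncryptBlock(kg.AuthKey, random)
	expected := tdesEncryptBlock(se.AuthKey, random) // S508-S511: SE recomputes E_K2(random)
	if subtle.ConstantTimeCompare(expected, authCode) != 1 {
		return nil, errors.New("authentication failed: generator and secure element keys differ")
	}
	kg.sessionKey = pbocDiversify(kg.MasterKey, random) // S512-S513: first session key
	se.sessionKey = pbocDiversify(se.MasterKey, random) // S403: second session key
	return kg.sessionKey, nil                           // S514-S516: handed to the external entity
}

// demoRegistry builds two generators and an SE provisioned for the second; all key bytes are constructed.
func demoRegistry() (*ExternalEntity, *SecureElement) {
	keyA, mkA := []byte("0123456789ABCDEF"), []byte("FEDCBA9876543210")
	keyB, mkB := []byte("AAAAAAAABBBBBBBB"), []byte("CCCCCCCCDDDDDDDD")
	ee := &ExternalEntity{Registry: map[string]*KeyGenerator{
		"KG-A": {AuthKey: keyA, MasterKey: mkA},
		"KG-B": {AuthKey: keyB, MasterKey: mkB},
	}}
	return ee, &SecureElement{KeyTag: "KG-B", AuthKey: keyB, MasterKey: mkB}
}

func main() {
	ee, se := demoRegistry()
	key, err := ee.Establish(se)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("first session key %x, secure element agrees: %v\n", key, se.HasSessionKey(key))
}
```

`Establish` fails both when no generator is registered for the tag, which is the problem the patent addresses, and when the tag points at a generator whose key the secure element does not hold, which is the mis-pairing the background section describes; the comparison of the recomputed value with the authentication code is constant-time. Two properties of the exchange as the page describes it are reproduced rather than changed: the random code is produced by the key generator, so the secure element contributes no nonce of its own, and the first session key is transferred from the key generator to the external entity in step S515, so that interface needs its own protection in a deployment.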
As shown in fig. 6, an embodiment of the present disclosure provides a system for determining a key generator, including an external entity 601, a secure element 602, and a plurality of key generators 603. The external entity 601 is configured to send a key tag request to the secure element; determine a key generator corresponding to the secure element according to the key tag data fed back by the secure element; send a preset key request to the key generator corresponding to the secure element; upon receiving the random code and the authentication code sent by the key generator corresponding to the secure element, send a communication authentication request carrying the random code and the authentication code to the secure element; where the authentication result fed back by the secure element is successful, trigger the key generator corresponding to the secure element to generate a first session key; send a first session key acquisition request to the key generator corresponding to the secure element; and receive the first session key fed back by the key generator corresponding to the secure element and communicate with the secure element according to the first session key. The secure element 602 is configured to feed back preset key tag data to the external entity upon receiving a key tag request sent by the external entity; and, upon receiving a communication authentication request carrying a random code and an authentication code sent by the external entity, obtain an authentication result according to the random code and the authentication code and feed back the authentication result to the external entity.
The plurality of key generators 603 are each configured to generate a random code upon receiving a preset key request sent by the external entity, encrypt the random code with a preset first symmetric key to obtain an authentication code, and send the random code and the authentication code to the external entity; generate a first session key; and feed back the first session key to the external entity upon receiving the first session key acquisition request sent by the external entity.
By adopting the system for determining the key generator provided by the embodiment of the disclosure, the external entity sends the key tag request to the secure element, the secure element feeds back the preset key tag data, and the external entity determines the key generator corresponding to the secure element according to the key tag data fed back by the secure element. In this way, where there are a plurality of key generators, the external entity can determine the key generator corresponding to the secure element from the key tag data fed back by the secure element, match the secure element with that key generator, and thereby establish communication with the secure element. Moreover, the secure element authenticates with the corresponding key generator, so that an attacker is prevented from maliciously pairing the secure element or the key generator in order to steal the key, and the risk of key leakage is reduced. Where a plurality of secure elements exchange data with an external entity, the external entity determines the key generator corresponding to each secure element by acquiring the key tag data preset in each secure element, so that the matching of secure elements and key generators is achieved; at the same time, the original communication authentication process between the secure elements and the key generators is unchanged, which lowers the barrier to technical debugging.
Optionally, the external entity and the secure element are connected by Bluetooth, NFC (Near Field Communication), IrDA (Infrared Data Association) communication technology, or the like. Optionally, the external entity is connected to each key generator via a data line.
Optionally, the key generator is further configured to store the generated first session key.
Optionally, the key generator is further configured to encrypt the communication data according to the first session key to obtain second encrypted communication data, and to send the second encrypted communication data to the external entity.
As shown in fig. 7, an apparatus for determining a key generator according to an embodiment of the present disclosure includes a processor 700 and a memory 701. Optionally, the apparatus may also include a communication interface 702 and a bus 703. The processor 700, the communication interface 702, and the memory 701 may communicate with each other via the bus 703. The communication interface 702 may be used for information transfer. The processor 700 may call logic instructions in the memory 701 to perform the method for determining a key generator of the above-described embodiments.
By adopting the apparatus for determining the key generator provided by the embodiment of the disclosure, the external entity sends the key tag request to the secure element, the secure element feeds back the preset key tag data, and the external entity determines the key generator corresponding to the secure element according to the key tag data fed back by the secure element. In this way, where there are a plurality of key generators, the external entity can determine the key generator corresponding to the secure element from the key tag data fed back by the secure element.
In addition, the logic instructions in the memory 701 may be implemented in the form of software functional units and may be stored in a computer readable storage medium when the logic instructions are sold or used as independent products.
The memory 701 is a computer-readable storage medium and can be used for storing software programs, computer-executable programs, such as program instructions/modules corresponding to the methods in the embodiments of the present disclosure. The processor 700 executes functional applications and data processing, i.e. implements the method for determining a key generator in the above-described embodiments, by executing program instructions/modules stored in the memory 701.
The memory 701 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal device, and the like. Further, memory 701 may include high speed random access memory, and may also include non-volatile memory.
The embodiment of the disclosure provides a communication device, which comprises the above apparatus for determining the key generator.
Optionally, the communication device is an external entity, and the external entity includes a card reader, an NFC device, a tag reader, a POS machine, a notebook computer, a computer, and the like. The communication device triggers the secure element to feed back preset key tag data by sending a key tag request to the secure element, and determines a key generator corresponding to the secure element according to the key tag data fed back by the secure element. In this way, where there are a plurality of key generators, the external entity can determine the key generator corresponding to the secure element from the key tag data fed back by the secure element.
Optionally, the communication device is a terminal device including a secure element, for example: a mobile phone, tablet computer, smart watch, laptop, NFC device, or the like. Upon receiving a key tag request sent by the external entity, the communication device feeds back the preset key tag data in the secure element to the external entity, and triggers the external entity to determine a key generator corresponding to the secure element according to the key tag data fed back by the secure element. In this way, where there are a plurality of key generators, the external entity can determine the key generator corresponding to the secure element from the key tag data fed back by the secure element.
Embodiments of the present disclosure provide a computer-readable storage medium storing computer-executable instructions configured to perform the above-described method for determining a key generator.
Embodiments of the present disclosure provide a computer program product comprising a computer program stored on a computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the above-described method for determining a key generator.
The computer-readable storage medium described above may be a transitory computer-readable storage medium or a non-transitory computer-readable storage medium.
The technical solution of the embodiments of the present disclosure may be embodied in the form of a software product, where the computer software product is stored in a storage medium and includes one or more instructions to enable a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present disclosure. The aforementioned storage medium may be a non-transitory storage medium, including a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code, and may also be a transitory storage medium.
The above description and drawings sufficiently illustrate embodiments of the disclosure to enable those skilled in the art to practice them. Other embodiments may incorporate structural, logical, electrical, process, and other changes. The examples merely typify possible variations. Individual components and functions are optional unless explicitly required, and the sequence of operations may vary. Portions and features of some embodiments may be included in or substituted for those of others. Furthermore, the words used in the specification are words of description only and are not intended to limit the claims. As used in the description of the embodiments and the claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Similarly, the term "and/or" as used in this application is meant to encompass any and all possible combinations of one or more of the associated listed items. Furthermore, the terms "comprises" and/or "comprising," when used in this application, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other like elements in a process, method or apparatus that comprises the element. In this document, each embodiment may be described with emphasis on its differences from other embodiments, and the same and similar parts of the respective embodiments may be referred to each other. For the methods, products, etc. of the disclosed embodiments, where they correspond to the method embodiments, reference may be made to the description of the method section for the relevant details.
Those of skill in the art would appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software may depend upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments. It can be clearly understood by the skilled person that, for convenience and brevity of description, the specific working processes of the system, the apparatus and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments disclosed herein, the disclosed methods, products (including but not limited to devices, apparatuses, etc.) may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units may be merely a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form. The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to implement the present embodiment. In addition, functional units in the embodiments of the present disclosure may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. In the description corresponding to the flowcharts and block diagrams in the figures, operations or steps corresponding to different blocks may also occur in different orders than disclosed in the description, and sometimes there is no specific order between the different operations or steps. For example, two sequential operations or steps may in fact be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending upon the functionality involved. Each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Claims (8)

1. A method for determining a key generator, applied to an external entity side, the method comprising:
sending a key tag request to a secure element, and triggering the secure element to feed back preset key tag data;
determining a key generator corresponding to the secure element according to the key tag data fed back by the secure element;
after determining the key generator corresponding to the secure element according to the key tag data fed back by the secure element, the method further includes:
sending a preset key request to the key generator, triggering the key generator to randomly generate a random code, encrypting the random code by using a preset first symmetric key to obtain an authentication code, and feeding back the random code and the authentication code to the external entity;
sending a communication authentication request with the random code and the authentication code to the secure element, triggering the secure element to obtain an authentication result according to the random code and the authentication code, and feeding back the authentication result to the external entity;
under the condition that the authentication result is successful, triggering the key generator to generate a first session key;
sending a first session key acquisition request to the key generator, and triggering the key generator to feed back the first session key;
and receiving a first session key fed back by the key generator, and communicating with the secure element according to the first session key.
2. The method of claim 1, wherein communicating with the secure element based on the first session key comprises:
encrypting the communication data of the external entity according to the first session key to obtain first encrypted communication data corresponding to the communication data;
sending the first encrypted communication data to the secure element.
3. A method for determining a key generator, applied to a secure element side, the method comprising:
under the condition of receiving a key tag request sent by an external entity, feeding back preset key tag data to the external entity, and triggering the external entity to determine a key generator corresponding to the secure element according to the key tag data;
after feeding back the preset key tag data to the external entity, the method further comprises:
under the condition of receiving a communication authentication request with a random code and an authentication code sent by the external entity, acquiring an authentication result according to the random code and the authentication code, and feeding back the authentication result to the external entity; the random code is randomly generated by the key generator; the authentication code is obtained by encrypting the random code through the key generator according to a preset first symmetric key;
under the condition that the authentication result is successful, triggering the external entity to trigger the key generator to generate a first session key; triggering the external entity to send a first session key acquisition request to the key generator, and triggering the key generator to feed back the first session key to the external entity; and triggering the external entity to receive the first session key fed back by the key generator and communicate with the secure element according to the first session key.
4. The method of claim 3, wherein obtaining an authentication result based on the random code and the authentication code comprises:
encrypting the random code according to a preset second symmetric key to obtain an encryption result;
comparing the encryption result with the authentication code;
determining that the authentication result is successful under the condition that the encryption result is the same as the authentication code; and determining that the authentication result is authentication failure under the condition that the encryption result is different from the authentication code.
5. The method according to claim 3 or 4, wherein after obtaining the authentication result according to the random code and the authentication code, the method further comprises:
under the condition that the authentication result is successful, generating a second session key according to a preset second key dispersion rule;
and under the condition of receiving first encrypted communication data sent by the external entity, decrypting the first encrypted communication data according to the second session key to obtain communication data corresponding to the first encrypted communication data.
6. A system for determining a key generator, comprising:
an external entity configured to send a key tag request to the secure element; determining a key generator corresponding to the secure element according to the key tag data fed back by the secure element; sending a preset key request to a key generator corresponding to the secure element; under the condition of receiving a random code and an authentication code sent by a key generator corresponding to the secure element, sending a communication authentication request with the random code and the authentication code to the secure element; under the condition that the authentication result fed back by the secure element is successful, triggering a key generator corresponding to the secure element to generate a first session key; sending a first session key acquisition request to a key generator corresponding to the secure element; receiving a first session key fed back by a key generator corresponding to the secure element, and communicating with the secure element according to the first session key;
the secure element is configured to feed back preset key tag data to the external entity when receiving a key tag request sent by the external entity; under the condition of receiving a communication authentication request with a random code and an authentication code sent by the external entity, acquiring the authentication result according to the random code and the authentication code, and feeding back the authentication result to the external entity;
a plurality of key generators respectively configured to generate the random code upon receiving a preset key request sent by the external entity, encrypt the random code with a preset first symmetric key, obtain the authentication code, and send the random code and the authentication code to the external entity; generating a first session key; and feeding back the first session key to the external entity under the condition of receiving a first session key acquisition request sent by the external entity.
7. An apparatus for determining a key generator, comprising a processor and a memory storing program instructions, characterized in that the processor is configured to perform the method for determining a key generator according to any of claims 1 to 5 when executing the program instructions.
8. A communication device comprising the apparatus for determining a key generator of claim 7.
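The flow of the system of fig. 6 and of claims 1 to 6, simulated end to end as an added example (not the patent's or the applicant's code): the external entity looks up the key generator by the secure element's key tag, relays the random code and authentication code, and the two sides end up with matching session keys only when the secure element's second symmetric key agrees with the selected generator's first symmetric key. HMAC-SHA256 stands in for the symmetric encryption and the key dispersion rule is assumed; KEY_A, KEY_B and the tag values are constructed.

```python
"""Simulation of the key-tag lookup and challenge/response flow of CN113315632B.
Added example, not the patent's code. Assumptions: HMAC-SHA256 stands in for
the symmetric encryption, and the key dispersion rule is the one defined here."""
import hashlib
import hmac
import secrets

# Constructed sample keys (provisioned into generator and SE at personalisation).
KEY_A = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def keyed_transform(key: bytes, data: bytes) -> bytes:
    """'Encrypt the random code with a symmetric key'; assumption: HMAC-SHA256
    replaces the block cipher so the example runs on the standard library."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_session_key(key: bytes, random_code: bytes) -> bytes:
    """Assumed key dispersion rule: session key from symmetric key + random code,
    so the first and second session keys agree only if the symmetric keys did."""
    return keyed_transform(key, b"session-key" + random_code)


class KeyGenerator:
    """One of the key generators 603; holds the preset first symmetric key."""
    def __init__(self, tag: str, first_symmetric_key: bytes):
        self.tag = tag
        self._key = first_symmetric_key
        self._random_code = None
        self.first_session_key = None

    def preset_key_request(self):
        """Generate a random code and the authentication code over it."""
        self._random_code = secrets.token_bytes(16)
        return self._random_code, keyed_transform(self._key, self._random_code)

    def generate_first_session_key(self) -> None:
        self.first_session_key = derive_session_key(self._key, self._random_code)

    def first_session_key_acquisition(self) -> bytes:
        return self.first_session_key


class SecureElement:
    """Secure element 602; holds the preset key tag and second symmetric key."""
    def __init__(self, key_tag: str, second_symmetric_key: bytes):
        self.key_tag = key_tag
        self._key = second_symmetric_key
        self.second_session_key = None

    def key_tag_request(self) -> str:
        return self.key_tag

    def communication_authentication(self, random_code, authentication_code):
        # Claim 4: re-encrypt the random code with the second symmetric key and
        # compare with the authentication code, in constant time.
        expected = keyed_transform(self._key, random_code)
        if not hmac.compare_digest(expected, authentication_code):
            return False
        # Claim 5: on success, derive the second session key.
        self.second_session_key = derive_session_key(self._key, random_code)
        return True


class ExternalEntity:
    """External entity 601 (e.g. a reader) wired to several key generators."""
    def __init__(self, key_generators):
        self._generators = {g.tag: g for g in key_generators}

    def establish_session(self, se: SecureElement):
        """Steps of claim 1; returns the first session key, or None on failure."""
        generator = self._generators.get(se.key_tag_request())  # key tag lookup
        if generator is None:
            return None                                  # no matching generator
        random_code, auth_code = generator.preset_key_request()
        if not se.communication_authentication(random_code, auth_code):
            return None                                  # SE rejected the pairing
        generator.generate_first_session_key()
        return generator.first_session_key_acquisition()


def run_demo():
    """Four secure elements against two key generators; per-SE (first, second) keys."""
    entity = ExternalEntity([KeyGenerator("KG-A", KEY_A), KeyGenerator("KG-B", KEY_B)])
    cases = {
        "se_a": SecureElement("KG-A", KEY_A),          # matches KG-A
        "se_b": SecureElement("KG-B", KEY_B),          # matches KG-B
        "se_wrong_key": SecureElement("KG-A", KEY_B),  # tag says A, key is B's
        "se_unknown": SecureElement("KG-Z", KEY_A),    # no generator for this tag
    }
    return {n: (entity.establish_session(se), se.second_session_key)
            for n, se in cases.items()}
```

Note that the key tag itself is sent in the clear and unauthenticated; it only selects which generator is tried, and a wrong tag fails at the authentication step rather than leaking anything.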
CN202110861612.XA 2021-07-29 2021-07-29 Method, system, device and communication equipment for determining key generator Active CN113315632B (en)
Publications (2)

Publication Number Publication Date
CN113315632A CN113315632A (en) 2021-08-27
CN113315632B true CN113315632B (en) 2021-11-02
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant