CN114065241A - Key safety processing system, method, equipment and medium - Google Patents
Key safety processing system, method, equipment and medium Download PDFInfo
- Publication number
- CN114065241A CN114065241A CN202111338040.3A CN202111338040A CN114065241A CN 114065241 A CN114065241 A CN 114065241A CN 202111338040 A CN202111338040 A CN 202111338040A CN 114065241 A CN114065241 A CN 114065241A
- Authority
- CN
- China
- Prior art keywords
- private key
- encrypted
- coordinate value
- key component
- component
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The embodiment of the invention provides a system, a method, equipment and a medium for safely processing a secret key, which are used for solving the problem of unsafe encrypted secret key caused by issuing the encrypted secret key to a mobile terminal in the prior art. In the embodiment of the invention, when the CA server sends the encrypted private key, the cooperative end adopts the first preset algorithm to obtain the second private key component according to the encrypted private key and the first private key component generated by the mobile terminal, and when decrypting the data encrypted by the encrypted public key, the first private key component and the second private key component are adopted to decrypt, so that the occurrence of a complete encrypted private key in the decryption process is avoided, and the security of the encrypted private key is ensured.
Description
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a system, a method, a device, and a medium for secure key processing.
Background
With the development of society, the importance of data security is gradually revealed, and in order to ensure the security of data in the prior art, data to be transmitted is usually encrypted by an encryption public key, and after the encrypted data is received, the encrypted data is decrypted by an encryption private key corresponding to the encryption public key for encrypting the data, so that source data can be obtained, and the security of the data is ensured by transmitting the encrypted data. However, if the encrypted private key is lost, the security of the encrypted data cannot be ensured, and therefore, how to issue the encrypted private key after the encrypted private key is generated is very important to ensure the security of the encrypted private key.
In the implementation scheme of issuing the encryption private key in the prior art, the encryption private key is issued to the PC, however, since the PC can be inserted with the priority shield, the security of the encryption private key can be further ensured by the priority shield, thereby avoiding the loss of the encryption private key. However, the mobile terminal does not have an interface inserted with the key, so the scheme for issuing the encryption private key in the prior art is not suitable for the mobile terminal, and if the encryption private key is directly issued to the mobile terminal, the security of the encryption private key cannot be ensured due to the mobility of the mobile terminal.
Disclosure of Invention
The embodiment of the invention provides a system, a method, a device, equipment and a medium for safely processing a secret key, which are used for solving the problem of unsafe encrypted secret key caused by issuing the encrypted secret key to a mobile terminal in the prior art.
In a first aspect, an embodiment of the present invention provides a system for secure key processing, where the system includes: the system comprises a mobile terminal, a coordination terminal and a CA server;
the CA server is used for generating an encrypted public key and an encrypted private key and sending the encrypted private key to the cooperative end;
the mobile terminal is used for generating a first private key component and sending the first private key component to the coordination terminal;
the cooperation terminal is used for generating a second private key component according to the encrypted private key and the first private key component by adopting a first preset algorithm; so as to decrypt the data encrypted by the encrypted public key according to the first private key component and the second private key component.
Further, the cooperative end is specifically configured to subtract the first private key component from the encrypted private key to obtain a second private key component.
Further, the mobile terminal is further configured to generate a first public key and a first private key, and send the first public key to the cooperative terminal;
the cooperation terminal is specifically configured to generate a second public key and a second private key, multiply the first public key by the second private key to generate a first numerical value, subtract a preset elliptic curve base point from the first numerical value to generate a third public key, and send the third public key to the CA server, so that the CA server encrypts the encrypted private key by using the third public key.
Further, the CA server is further configured to encrypt the encrypted private key by using the third public key, and send the encrypted private key to the mobile terminal;
the mobile terminal is specifically configured to extract a first bit string in an encrypted private key, generate a first coordinate value corresponding to the first private key according to the first private key and the first bit string, and send the first coordinate value and the first bit string to the coordination terminal;
the coordination terminal is specifically configured to generate a second numerical value by multiplying the second private key by the first coordinate value, subtract the first bit string from the second numerical value to generate a second coordinate value, and decrypt the encrypted private key by using the second coordinate value to obtain the encrypted private key.
Further, the cooperative end is further configured to send the second public key to the mobile terminal;
the mobile terminal is further configured to encrypt the first private key component by using the second public key, and send the encrypted first private key component to the cooperative terminal;
and the cooperative end is further configured to decrypt the encrypted first private key component by using a second private key corresponding to the second public key to obtain the first private key component.
Further, the cooperative end is further configured to destroy the first private key component after the second private key component is generated;
the mobile terminal is further configured to extract a second bit string of the data if the data encrypted by the encrypted public key is received, and obtain a third coordinate value corresponding to the first private key component according to the first private key component and the second bit string; sending the second bit string, the third coordinate value and the data to the cooperative terminal;
the coordination terminal acquires a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
Further, the coordination terminal is specifically configured to obtain a target coordinate value corresponding to the encrypted private key by using the third coordinate value plus the fourth coordinate value.
In a second aspect, an embodiment of the present invention further provides a method for processing a key safely, where the method is applied to a cooperative end, and the method includes:
receiving an encrypted private key sent by a CA server side, and receiving a first private key component sent by a mobile terminal;
generating a second private key component according to the encrypted private key and the first private key component by adopting a first preset algorithm; so as to decrypt the data encrypted by the encrypted public key according to the first private key component and the second private key component.
Further, the generating, by using a first preset algorithm, a second private key component according to the encrypted private key and the first private key component includes:
and subtracting the first private key component from the encrypted private key to obtain a second private key component.
Further, before receiving the encrypted private key sent by the CA server, the method further includes:
receiving a first private key sent by the mobile terminal;
generating a second public key and a second private key, multiplying the first public key by the second private key to generate a first numerical value, subtracting a preset elliptic curve base point from the first numerical value to generate a third public key, and sending the third public key to the CA server, so that the CA server encrypts the encryption private key by using the third public key and sends the encrypted encryption private key to the mobile terminal.
Further, the method further comprises:
receiving a first coordinate value and a first bit string sent by the mobile terminal; the first bit string is extracted from a received encrypted private key by the mobile terminal, and the first coordinate value is a coordinate value corresponding to the first private key generated by the mobile terminal according to the first private key and the first bit string;
and multiplying a second private key by the first coordinate value to generate a second numerical value, subtracting the first bit string from the second numerical value to generate a second coordinate value, and decrypting the encrypted private key by using the second coordinate value to obtain the encrypted private key.
Further, the method further comprises:
destroying the first private key component after the second private key component is generated;
receiving a second bit string and a third coordinate value sent by the mobile terminal and data encrypted by an encryption public key corresponding to the encryption private key; the second bit string is extracted from the data by the mobile terminal, and the third coordinate value is a coordinate value corresponding to the first private key component obtained by the mobile terminal according to the first private key component and the second bit string;
acquiring a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
Further, obtaining, by using a second preset algorithm, a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value includes:
and obtaining a target coordinate value corresponding to the encrypted private key by adding the third coordinate value and the fourth coordinate value.
In a third aspect, an embodiment of the present invention further provides a device for processing a key security, where the device includes:
the receiving module is used for receiving the encrypted private key sent by the CA server and receiving a first private key component sent by the mobile terminal;
and the processing module is used for generating a second private key component according to the encrypted private key and the first private key component by adopting a first preset algorithm.
Further, the processing module is specifically configured to subtract the first private key component from the encrypted private key to obtain a second private key component.
Further, the processing module is further configured to receive a first private key sent by the mobile terminal; generating a second public key and a second private key, multiplying the first public key by the second private key to generate a first numerical value, subtracting a preset elliptic curve base point from the first numerical value to generate a third public key, and sending the third public key to the CA server, so that the CA server encrypts the encryption private key by using the third public key and sends the encrypted encryption private key to the mobile terminal.
Further, the processing module is further configured to receive a first coordinate value and a first bit string sent by the mobile terminal; the first bit string is extracted from a received encrypted private key by the mobile terminal, and the first coordinate value is a coordinate value corresponding to the first private key generated by the mobile terminal according to the first private key and the first bit string; and multiplying a second private key by the first coordinate value to generate a second numerical value, subtracting the first bit string from the second numerical value to generate a second coordinate value, and decrypting the encrypted private key by using the second coordinate value to obtain the encrypted private key.
Further, the processing module is further configured to destroy the first private key component after generating the second private key component; receiving a second bit string and a third coordinate value sent by the mobile terminal and data encrypted by an encryption public key corresponding to the encryption private key; the second bit string is extracted from the data by the mobile terminal, and the third coordinate value is a coordinate value corresponding to the first private key component obtained by the mobile terminal according to the first private key component and the second bit string; acquiring a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
Further, the processing module is specifically configured to obtain a target coordinate value corresponding to the encrypted private key by using the third coordinate value plus the fourth coordinate value.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes at least a processor and a memory, and the processor is configured to implement the steps of the key security processing method according to any one of the above when executing a computer program stored in the memory.
In a fifth aspect, an embodiment of the present invention further provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the steps of the key security processing method according to any one of the above.
In the embodiment of the invention, when the CA server sends the encrypted private key, the cooperative end adopts the first preset algorithm to obtain the second private key component according to the encrypted private key and the first private key component generated by the mobile terminal, and when decrypting the data encrypted by the encrypted public key, the first private key component and the second private key component are adopted to decrypt, so that the occurrence of a complete encrypted private key in the decryption process is avoided, and the security of the encrypted private key is ensured.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a key security processing system according to an embodiment of the present invention;
fig. 2 is a schematic process diagram of a key security processing method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a key security processing apparatus according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of the present invention.
Example 1:
fig. 1 is a schematic structural diagram of a key security processing system according to an embodiment of the present invention, where the system includes a mobile terminal 101, a coordination end 102, and a Certificate Authority (CA) service end 103:
the CA server 103 is configured to generate an encrypted public key and an encrypted private key, and send the encrypted private key to the cooperative terminal 102;
the mobile terminal 101 is configured to generate a first private key component, and send the first private key component to the coordination terminal 102;
the cooperative end 102 is configured to generate a second private key component according to the encrypted private key and the first private key component by using a first preset algorithm; so as to decrypt the data encrypted by the encrypted public key according to the first private key component and the second private key component.
In order to ensure the security of the encryption private key, in the embodiment of the present invention, the CA server generates the encryption public key and the encryption private key, and sends the generated encryption private key to the coordination end. The mobile terminal generates and stores the first private key component, and sends the generated first private key component to the cooperation terminal. After receiving the encrypted private key and the first private key component, the cooperative terminal obtains a numerical value according to the encrypted private key and the first private key component by adopting a first preset algorithm, determines that the obtained numerical value is a second private key component, stores the second private key component, and decrypts data encrypted by the encrypted public key by adopting the first private key component and the second private key component, so that the occurrence of a complete encrypted private key is avoided, and the security of the encrypted private key is improved.
The process of generating the second private key component by using the first preset algorithm may be: and the cooperative terminal obtains a numerical value by adding the encrypted private key and the first private key component, and determines the numerical value as a second private key component. And the process of the mobile terminal generating the first private key component is as follows: the mobile terminal generates a random number, and determines the random number as a first private key component. Wherein the encryption private key plus the first private key component refers to a direct addition between the numerical values. Therefore, when the data encrypted by the encrypted public key is decrypted, the first private key component and the second private key component are used for decryption, so that the occurrence of a complete encrypted private key is avoided, and the security of the encrypted private key is further ensured. For example, the generated encryption private key is PRI-E, the generated first private key component is PRI-EC, and the second private key component PRI-ES may be equal to PRI-E plus PRI-EC.
In the embodiment of the invention, when the CA server sends the encrypted private key, the cooperative end adopts the first preset algorithm to obtain the second private key component according to the encrypted private key and the first private key component generated by the mobile terminal, and when decrypting the data encrypted by the encrypted public key, the first private key component and the second private key component are adopted to decrypt, so that the occurrence of the encrypted private key in the decryption process is avoided, and the security of the encrypted private key is ensured.
Example 2:
in order to accurately generate the second private key component, on the basis of the foregoing embodiments, in an embodiment of the present invention, the coordination terminal 102 is specifically configured to subtract the first private key component from the encrypted private key to obtain the second private key component.
In the embodiment of the present invention, a specific process of generating the second private key component by the coordination terminal according to the encrypted private key and the first private key component may be: subtracting the first private key component from the encrypted private key to obtain a value, and determining the value as the second private key component, wherein subtracting the first private key component from the encrypted private key means direct subtraction between the values, that is, the encrypted private key is also a value. For example, if the encryption private key is PRI-E, the first private key component PRI-EC, then the second private key component may be PRI-E-PRI-EC.
Of course, other first preset algorithms may be adopted to generate the second private key component according to the encrypted private key and the first private key component.
In order to further improve the security of the encrypted private key, on the basis of the foregoing embodiments, in an embodiment of the present invention, the mobile terminal 101 is further configured to generate a first public key and a first private key, and send the first public key to the cooperative end 102;
the cooperative end 102 is specifically configured to generate a second public key and a second private key, generate a first numerical value by multiplying the first public key by the second private key, generate a third public key by subtracting a preset elliptic curve base point from the first numerical value, and send the third public key to the CA server 103, so that the CA server 103 encrypts the encrypted private key by using the third public key.
In the embodiment of the invention, the mobile terminal generates the first public key and the first private key and sends the generated first public key to the cooperative terminal. The cooperative terminal generates a second public key and a second private key after receiving a first public key sent by the mobile terminal, and generates a first numerical value by multiplying the first public key by the second private key after generating the second public key and the second private key, subtracts a preset elliptic curve base point from the generated first numerical value to generate a third public key, and sends the generated third public key to the CA server after generating the third public key, and the subsequent CA server encrypts the encrypted private key by using the third public key, thereby ensuring the security of the encrypted private key.
In the embodiment of the present invention, the first public key and the first private key may be a terminal signature public key and a terminal signature private key. The second public key and the second private key may be a cooperative end signature public key and a cooperative end signature private key. If the first public key is a terminal signature public key and the second private key is a cooperative terminal signature private key, the generated third public key is a signature public key, that is, the generation process of the third public key is a process of generating a signature public key in the prior art.
On the basis of the foregoing embodiments, in the embodiment of the present invention, in order to decrypt the encrypted private key, the CA server 103 is further configured to encrypt the encrypted private key by using the third public key, and send the encrypted private key to the mobile terminal 101;
the mobile terminal 101 is specifically configured to extract a first bit string in an encrypted private key, generate a first coordinate value corresponding to the first private key according to the first private key and the first bit string, and send the first coordinate value and the first bit string to the coordination terminal 102;
the coordination terminal 102 is specifically configured to generate a second numerical value by multiplying the first coordinate value by a second private key, subtract the first bit string from the second numerical value to generate a second coordinate value, and decrypt the encrypted private key by using the second coordinate value to obtain the encrypted private key.
In the embodiment of the present invention, since the third public key for encrypting the encrypted private key is generated by the first public key and the second private key, when decrypting the encrypted private key, data related to the first public key and the second private key needs to be used, specifically, in the embodiment of the present invention, the first private key and the second private key corresponding to the first public key need to be used for decryption, and since the first private key is generated by the mobile terminal and the second private key is generated by the cooperation terminal, when decrypting the encrypted private key, the cooperation terminal and the mobile terminal need to decrypt together.
The specific process of decrypting the encrypted private key may be as follows: the CA server side sends the encrypted private key to the mobile terminal, the mobile terminal extracts a first bit string in the encrypted private key after receiving the encrypted private key, generates a first coordinate value corresponding to the first private key according to the first private key and the first bit string, and sends the first coordinate value and the first bit string to the cooperation side. After the coordination terminal receives the first coordinate value and the first bit string sent by the mobile terminal, the coordination terminal generates a second numerical value by multiplying the second private key by the first coordinate value, and after the second numerical value is generated, the coordination terminal subtracts the first bit string from the second numerical value to generate a second coordinate value, the second coordinate value is used as a coordinate value generated when the private key corresponding to the third public key is used for decryption, and the second coordinate value is used for subsequently decrypting the encrypted private key to obtain the encrypted private key. The second bit string refers to C1 in the encrypted private encryption key C ═ C1| | C3| | C2. It should be noted that, when decrypting the encrypted data, the second bit string in the encrypted data and the private key for decrypting the data are used to generate coordinate values, and then the coordinate values are used to decrypt the encrypted data, so that the private key for decrypting the data is not needed.
Taking a first private key PRI-SC generated by the mobile terminal as D1-1The first public key PUB-SC is D1-1G, the second private key PRI-SS generated by the cooperative terminal is D2-1The second public key PUB-SS is D2-1G is described as an example, it should be noted that in the embodiment of the present invention, G represents an elliptic curve point multiplication operation, G represents a base point of an elliptic curve, and if the private key is d, the public key is d × G. The first value when generating the third public key is therefore D2-1D1-1G, generating a third public key D2-1D1-1*G-G=(D1-1D2-1-1) G. That is to say, the third private key corresponding to the third public key is D1-1D2-1-1。
Taking the encrypted private key of C1C 3C 2 as an example, the mobile terminal adoptsWhen the encrypted private key encrypted by the third public key is decrypted, the first bit string C1 in the encrypted private key C1| | C3| | | C2 may be extracted first, and the first coordinate value D1 is generated according to the second private key and the first bit string-1C1, first coordinate value D1-1C1 and the first character string C1 are sent to the coordination end, the coordination end generates a second numerical value by multiplying the first coordinate value by a second private key, and the second numerical value is D2-1*(D1-1C1) and subtracting the first bit string from the second numerical value to generate a second coordinate value, which is D2-1*(D1-1C1) -C1, and the second coordinate value is equal to (D2)-1*D1-1-1) C1, if the coordination end stores a third private key corresponding to the third public key, the coordinate value obtained when the third private key is used for decryption is (D2)-1*D1-1-1) C1, equal to the second coordinate values obtained above, so that in an embodiment of the invention, the encrypted private key encrypted with the third public key can be decrypted while ensuring that the complete third private key is not generated. Specifically, how to decrypt according to the coordinate values and C2 and C3 in the encrypted private key, and how to obtain C1, C2, and C3 in the encrypted private key are all prior art, and are not described herein again.
In order to improve the security of the first private key component, on the basis of the foregoing embodiments, in an embodiment of the present invention, the cooperative end 102 is further configured to send the second public key to the mobile terminal 101;
the mobile terminal 101 is further configured to encrypt the first private key component by using the second public key, and send the encrypted first private key component to the cooperative terminal 102;
the cooperative end 102 is further configured to decrypt the encrypted first private key component by using a second private key corresponding to the second public key, so as to obtain the first private key component.
In the embodiment of the present invention, in order to ensure the security of the first private key component, the mobile terminal may encrypt the first private key component first, and send the encrypted first private key component to the coordination terminal. Specifically, the process may be: and the mobile terminal encrypts the first private key component by adopting the second public key after receiving the second public key and sends the encrypted first private key component to the coordination terminal, so that the safety of the first private key component in the transmission process is ensured. And after receiving the encrypted first private key component, the cooperative terminal decrypts the encrypted first private key component by adopting a second private key corresponding to the stored second public key to obtain the first private key component.
Example 3:
for accurate decryption, on the basis of the foregoing embodiments, in an embodiment of the present invention, the coordination terminal 102 is further configured to destroy the first private key component after generating the second private key component;
the mobile terminal 101 is further configured to, if data encrypted by using the encrypted public key is received, extract a second bit string of the data, and obtain a third coordinate value corresponding to the first private key component according to the first private key component and the second bit string; sending the second bit string, the third coordinate value and the data to the cooperative terminal 102;
the cooperative end 102 obtains a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
In the embodiment of the present invention, in order to avoid acquiring the encrypted private key by using the first private key component and the second private key component, the mobile terminal stores the first private key component, and the coordination terminal stores the second private key component, so that the coordination terminal destroys the received first private key component after generating the second private key component, thereby avoiding the first private key component and the second private key component existing in the coordination terminal at the same time.
And if the mobile terminal receives the data encrypted by the encrypted public key, in order to decrypt the encrypted data, extracting a second bit string contained in the encrypted data, acquiring a third coordinate value corresponding to the first private key component according to the first private key component and the second bit string, and sending the extracted second bit string, the generated third coordinate value and the received encrypted data to the coordination terminal. The second bit string refers to C1 in the encrypted data C ═ C1| | C3| | C2. Specifically, how to extract the second bit string included in the encrypted data and how to generate the corresponding coordinate value according to the private key and the encrypted data are prior art, and are not described herein again.
And after receiving the second bit string sent by the mobile terminal, the cooperative terminal acquires a fourth coordinate value corresponding to the second private key component according to the second bit string and the stored second private key component. And after the fourth coordinate value is obtained, a second preset algorithm is adopted, a target coordinate value corresponding to the encrypted private key is generated according to the third coordinate value and the fourth coordinate value, subsequent decryption can be performed through the target coordinate value, the occurrence of a complete encrypted private key is avoided in the decryption process, and the security of the encrypted private key is further ensured.
The second preset algorithm corresponds to the first preset algorithm, and if the cooperation terminal generates the second private key component by adopting the first preset algorithm, the encryption private key is added with the first private key component to obtain the second private key component. And when the coordination end generates a target coordinate value corresponding to the encrypted private key by adopting a second preset algorithm, subtracting the fourth coordinate value from the third coordinate value to obtain a coordinate value, wherein the coordinate value is the target coordinate value corresponding to the encrypted private key during decryption. Wherein the third coordinate value minus the fourth coordinate value means that the corresponding bits between the coordinate values are directly subtracted from each other. Specifically, how to subtract coordinate values is the prior art, and is not described herein again.
For example, the cooperation terminal generates a second private key component PRI-ES according to the encryption private key PRI-E and the first private key component PRI-EC, and destroys the first private key component. When the mobile terminal decrypts, the received encrypted data C ═ C1| | C3| | C2, the extracted first bit string is C1, and the generated third coordinate value is PRI-EC × C1; and the mobile terminal sends the third coordinate value PRI-EC 1 corresponding to the first private key component, the first bit string and the encrypted data to the coordination terminal, the coordination terminal generates a fourth coordinate value PRI-ES C1 corresponding to the second private key component according to the second private key component and the first bit string, the third coordinate value PRI-EC 1 is subtracted from the fourth coordinate value PRI-ES C1 to obtain a target coordinate value, and the target coordinate value is adopted to perform a subsequent decryption process. When the coordination terminal divides the encrypted private key into the first private key component and the second private key component, the coordination terminal adds the first private key component to the encrypted private key to obtain the second private key component, so that when the mobile terminal and the coordination terminal decrypt, the target coordinate value corresponding to the encrypted private key can be accurately generated by subtracting the third coordinate value corresponding to the first private key component from the fourth coordinate value corresponding to the second private key component, that is, PRI-ES C1-PRI-EC 1 (PRI-ES-PRI-EC) C1 (PRI-E-C1), and therefore the target coordinate value corresponding to the encrypted private key can be accurately determined, and subsequent decryption is performed.
In order to accurately generate the target coordinate value corresponding to the encryption private key, on the basis of the foregoing embodiments, in an embodiment of the present invention, the coordination terminal 102 is specifically configured to obtain the target coordinate value corresponding to the encryption private key by adding the fourth coordinate value to the third coordinate value.
In the embodiment of the present invention, when the coordination terminal generates the target coordinate value corresponding to the encrypted private key according to the second coordinate value and the third coordinate value, if the coordination terminal subtracts the first private key component from the encrypted private key, the second private key component is obtained. The specific process of the cooperative end generating the target coordinate value corresponding to the encrypted private key is as follows: and adding a third coordinate value corresponding to the first private key component and a fourth coordinate value corresponding to the second private key component to obtain a coordinate value, and determining that the coordinate value is a target coordinate value corresponding to the encryption private key, wherein the third coordinate value and the fourth coordinate value refer to addition of coordinate values on an elliptic curve in a decryption algorithm, and specifically, how the coordinate values on the elliptic curve are added is the prior art, which is not described herein again.
Of course, if the cooperative end generates the second private key component by using the other first preset algorithm, the cooperative end generates the target coordinate value corresponding to the encrypted private key by using the second preset algorithm corresponding to the first preset algorithm used by the cooperative end.
Example 4:
fig. 2 is a schematic process diagram of a key security processing method according to an embodiment of the present invention, where the process includes:
s201: receiving an encrypted private key sent by a CA server side, and receiving a first private key component sent by a mobile terminal;
s202: generating a second private key component according to the encrypted private key and the first private key component by adopting a first preset algorithm; so as to decrypt the data encrypted by the encrypted public key according to the first private key component and the second private key component.
In a possible implementation manner, the generating, by using a first preset algorithm, a second private key component according to the encrypted private key and the first private key component includes:
and subtracting the first private key component from the encrypted private key to obtain a second private key component.
In a possible implementation manner, before the receiving the encrypted private key sent by the CA server, the method further includes:
receiving a first private key sent by the mobile terminal;
generating a second public key and a second private key, multiplying the first public key by the second private key to generate a first numerical value, subtracting a preset elliptic curve base point from the first numerical value to generate a third public key, and sending the third public key to the CA server, so that the CA server encrypts the encryption private key by using the third public key and sends the encrypted encryption private key to the mobile terminal.
In one possible embodiment, the method further comprises:
receiving a first coordinate value and a first bit string sent by the mobile terminal; the first bit string is extracted from a received encrypted private key by the mobile terminal, and the first coordinate value is a coordinate value corresponding to the first private key generated by the mobile terminal according to the first private key and the first bit string;
and multiplying a second private key by the first coordinate value to generate a second numerical value, subtracting the first bit string from the second numerical value to generate a second coordinate value, and decrypting the encrypted private key by using the second coordinate value to obtain the encrypted private key.
In one possible embodiment, the method further comprises:
destroying the first private key component after the second private key component is generated;
receiving a second bit string and a third coordinate value sent by the mobile terminal and data encrypted by an encryption public key corresponding to the encryption private key; the second bit string is extracted from the data by the mobile terminal, and the third coordinate value is a coordinate value corresponding to the first private key component obtained by the mobile terminal according to the first private key component and the second bit string;
acquiring a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
In a possible implementation manner, the obtaining, by using a second preset algorithm, a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value includes:
and obtaining a target coordinate value corresponding to the encrypted private key by adding the third coordinate value and the fourth coordinate value.
The method is applied to the cooperative end, and the specific process of executing the key security processing method by the cooperative end may refer to the other embodiments described above, and details are not described again.
Example 5:
fig. 3 is a schematic structural diagram of a key security processing apparatus according to an embodiment of the present invention, where the apparatus includes:
the receiving module 301 is configured to receive an encrypted private key sent by a CA server, and receive a first private key component sent by a mobile terminal;
the processing module 302 is configured to generate a second private key component according to the encrypted private key and the first private key component by using a first preset algorithm.
In a possible implementation manner, the processing module 302 is specifically configured to subtract the first private key component from the encrypted private key to obtain a second private key component.
In a possible implementation manner, the processing module 302 is further configured to receive a first private key sent by the mobile terminal; generating a second public key and a second private key, multiplying the first public key by the second private key to generate a first numerical value, subtracting a preset elliptic curve base point from the first numerical value to generate a third public key, and sending the third public key to the CA server, so that the CA server encrypts the encryption private key by using the third public key and sends the encrypted encryption private key to the mobile terminal.
In a possible implementation manner, the processing module 302 is further configured to receive a first coordinate value and a first bit string sent by the mobile terminal; the first bit string is extracted from a received encrypted private key by the mobile terminal, and the first coordinate value is a coordinate value corresponding to the first private key generated by the mobile terminal according to the first private key and the first bit string; and multiplying a second private key by the first coordinate value to generate a second numerical value, subtracting the first bit string from the second numerical value to generate a second coordinate value, and decrypting the encrypted private key by using the second coordinate value to obtain the encrypted private key.
In a possible implementation manner, the processing module 302 is further configured to destroy the first private key component after generating the second private key component; receiving a second bit string and a third coordinate value sent by the mobile terminal and data encrypted by an encryption public key corresponding to the encryption private key; the second bit string is extracted from the data by the mobile terminal, and the third coordinate value is a coordinate value corresponding to the first private key component obtained by the mobile terminal according to the first private key component and the second bit string; acquiring a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
In a possible implementation manner, the processing module 302 is specifically configured to obtain a target coordinate value corresponding to the encrypted private key by using the third coordinate value plus the fourth coordinate value.
Example 6:
fig. 4 is a schematic structural diagram of an electronic device provided by the present invention, and on the basis of the foregoing embodiments, an embodiment of the present invention further provides an electronic device, as shown in fig. 4, including: the system comprises a processor 401, a communication interface 402, a memory 403 and a communication bus 404, wherein the processor 401, the communication interface 402 and the memory 403 complete mutual communication through the communication bus 404;
the memory 403 has stored therein a computer program which, when executed by the processor 401, causes the processor 401 to perform the steps of:
receiving an encrypted private key sent by a CA server side, and receiving a first private key component sent by a mobile terminal;
generating a second private key component according to the encrypted private key and the first private key component by adopting a first preset algorithm; so as to decrypt the data encrypted by the encrypted public key according to the first private key component and the second private key component.
In a possible implementation manner, the generating, by using a first preset algorithm, a second private key component according to the encrypted private key and the first private key component includes:
and subtracting the first private key component from the encrypted private key to obtain a second private key component.
In a possible implementation manner, before the receiving the encrypted private key sent by the CA server, the method further includes:
receiving a first private key sent by the mobile terminal;
generating a second public key and a second private key, multiplying the first public key by the second private key to generate a first numerical value, subtracting a preset elliptic curve base point from the first numerical value to generate a third public key, and sending the third public key to the CA server, so that the CA server encrypts the encryption private key by using the third public key and sends the encrypted encryption private key to the mobile terminal.
In one possible embodiment, the method further comprises:
receiving a first coordinate value and a first bit string sent by the mobile terminal; the first bit string is extracted from a received encrypted private key by the mobile terminal, and the first coordinate value is a coordinate value corresponding to the first private key generated by the mobile terminal according to the first private key and the first bit string;
and multiplying a second private key by the first coordinate value to generate a second numerical value, subtracting the first bit string from the second numerical value to generate a second coordinate value, and decrypting the encrypted private key by using the second coordinate value to obtain the encrypted private key.
In one possible embodiment, the method further comprises:
destroying the first private key component after the second private key component is generated;
receiving a second bit string and a third coordinate value sent by the mobile terminal and data encrypted by an encryption public key corresponding to the encryption private key; the second bit string is extracted from the data by the mobile terminal, and the third coordinate value is a coordinate value corresponding to the first private key component obtained by the mobile terminal according to the first private key component and the second bit string;
acquiring a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
In a possible implementation manner, the obtaining, by using a second preset algorithm, a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value includes:
and obtaining a target coordinate value corresponding to the encrypted private key by adding the third coordinate value and the fourth coordinate value.
The communication bus mentioned in the above server may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Alternatively, the memory may be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a central processing unit, a Network Processor (NP), and the like; but may also be a Digital instruction processor (DSP), an application specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
Example 7:
on the basis of the foregoing embodiments, an embodiment of the present invention further provides a computer-readable storage medium, in which a computer program executable by an electronic device is stored, and when the program is run on the electronic device, the electronic device is caused to execute the following steps:
the memory having stored therein a computer program that, when executed by the processor, causes the processor to perform the steps of:
receiving an encrypted private key sent by a CA server side, and receiving a first private key component sent by a mobile terminal;
generating a second private key component according to the encrypted private key and the first private key component by adopting a first preset algorithm; so as to decrypt the data encrypted by the encrypted public key according to the first private key component and the second private key component.
In a possible implementation manner, the generating, by using a first preset algorithm, a second private key component according to the encrypted private key and the first private key component includes:
and subtracting the first private key component from the encrypted private key to obtain a second private key component.
In a possible implementation manner, before the receiving the encrypted private key sent by the CA server, the method further includes:
receiving a first private key sent by the mobile terminal;
generating a second public key and a second private key, multiplying the first public key by the second private key to generate a first numerical value, subtracting a preset elliptic curve base point from the first numerical value to generate a third public key, and sending the third public key to the CA server, so that the CA server encrypts the encryption private key by using the third public key and sends the encrypted encryption private key to the mobile terminal.
In one possible embodiment, the method further comprises:
receiving a first coordinate value and a first bit string sent by the mobile terminal; the first bit string is extracted from a received encrypted private key by the mobile terminal, and the first coordinate value is a coordinate value corresponding to the first private key generated by the mobile terminal according to the first private key and the first bit string;
and multiplying a second private key by the first coordinate value to generate a second numerical value, subtracting the first bit string from the second numerical value to generate a second coordinate value, and decrypting the encrypted private key by using the second coordinate value to obtain the encrypted private key.
In one possible embodiment, the method further comprises:
destroying the first private key component after the second private key component is generated;
receiving a second bit string and a third coordinate value sent by the mobile terminal and data encrypted by an encryption public key corresponding to the encryption private key; the second bit string is extracted from the data by the mobile terminal, and the third coordinate value is a coordinate value corresponding to the first private key component obtained by the mobile terminal according to the first private key component and the second bit string;
acquiring a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
In a possible implementation manner, the obtaining, by using a second preset algorithm, a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value includes:
and obtaining a target coordinate value corresponding to the encrypted private key by adding the third coordinate value and the fourth coordinate value.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (10)
1. A key security processing system is characterized in that the system comprises a mobile terminal, a coordination end and a Certificate Authority (CA) service end:
the CA server is used for generating an encrypted public key and an encrypted private key and sending the encrypted private key to the cooperative end;
the mobile terminal is used for generating a first private key component and sending the first private key component to the coordination terminal;
the cooperation terminal is used for generating a second private key component according to the encrypted private key and the first private key component by adopting a first preset algorithm; so as to decrypt the data encrypted by the encrypted public key according to the first private key component and the second private key component.
2. The system according to claim 1, wherein the coordination side is specifically configured to subtract the first private key component from the encrypted private key to obtain a second private key component.
3. The system according to claim 1, wherein the mobile terminal is further configured to generate a first public key and a first private key, and send the first public key to the cooperative end;
the cooperation terminal is specifically configured to generate a second public key and a second private key, multiply the first public key by the second private key to generate a first numerical value, subtract a preset elliptic curve base point from the first numerical value to generate a third public key, and send the third public key to the CA server, so that the CA server encrypts the encrypted private key by using the third public key.
4. The system of claim 3, wherein the CA server is further configured to encrypt the encrypted private key using the third public key and send the encrypted private key to the mobile terminal;
the mobile terminal is specifically configured to extract a first bit string in an encrypted private key, generate a first coordinate value corresponding to the first private key according to the first private key and the first bit string, and send the first coordinate value and the first bit string to the coordination terminal;
the coordination terminal is specifically configured to generate a second numerical value by multiplying the second private key by the first coordinate value, subtract the first bit string from the second numerical value to generate a second coordinate value, and decrypt the encrypted private key by using the second coordinate value to obtain the encrypted private key.
5. The system according to claim 3, wherein the coordination end is further configured to send the second public key to the mobile terminal;
the mobile terminal is further configured to encrypt the first private key component by using the second public key, and send the encrypted first private key component to the cooperative terminal;
and the cooperative end is further configured to decrypt the encrypted first private key component by using a second private key corresponding to the second public key to obtain the first private key component.
6. The system according to claim 1, wherein the coordination end is further configured to destroy the first private key component after generating the second private key component;
the mobile terminal is further configured to extract a second bit string of the data if the data encrypted by the encrypted public key is received, and obtain a third coordinate value corresponding to the first private key component according to the first private key component and the second bit string; sending the second bit string, the third coordinate value and the data to the cooperative terminal;
the coordination terminal acquires a fourth coordinate value corresponding to the second private key component according to the second private key component and the second bit string; and obtaining a target coordinate value corresponding to the encrypted private key according to the third coordinate value and the fourth coordinate value by adopting a second preset algorithm, and decrypting the data by adopting the target coordinate value.
7. The system according to claim 6, wherein the coordination terminal is specifically configured to obtain a target coordinate value corresponding to the encryption private key by using the third coordinate value plus the fourth coordinate value.
8. A secret key security processing method is applied to a cooperative end, and comprises the following steps:
receiving an encrypted private key sent by a CA server of a certificate authority, and receiving a first private key component sent by a mobile terminal;
generating a second private key component according to the encrypted private key and the first private key component by adopting a first preset algorithm; so as to decrypt the data encrypted by the encrypted public key according to the first private key component and the second private key component.
9. An electronic device, characterized in that the electronic device comprises at least a processor and a memory, the processor being adapted to implement the steps of the key security processing method according to claim 8 when executing a computer program stored in the memory.
10. A computer-readable storage medium, characterized in that it stores a computer program which, when being executed by a processor, carries out the steps of the key security processing method according to claim 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111338040.3A CN114065241A (en) | 2021-11-11 | 2021-11-11 | Key safety processing system, method, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111338040.3A CN114065241A (en) | 2021-11-11 | 2021-11-11 | Key safety processing system, method, equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114065241A true CN114065241A (en) | 2022-02-18 |
Family
ID=80275501
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111338040.3A Pending CN114065241A (en) | 2021-11-11 | 2021-11-11 | Key safety processing system, method, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114065241A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108471352A (en) * | 2018-03-16 | 2018-08-31 | 数安时代科技股份有限公司 | Processing method, system, computer equipment based on distributed private key and storage medium |
| CN108667625A (en) * | 2018-07-19 | 2018-10-16 | 数安时代科技股份有限公司 | Cooperate with the digital signature method of SM2 |
| CN108768636A (en) * | 2018-05-31 | 2018-11-06 | 上海万向区块链股份公司 | A method of restoring private key using multi-party collaboration |
| CN110391900A (en) * | 2019-07-04 | 2019-10-29 | 晋商博创(北京)科技有限公司 | Private key processing method, terminal and cipher key center based on SM2 algorithm |
| CN111314089A (en) * | 2020-02-18 | 2020-06-19 | 数据通信科学技术研究所 | SM 2-based two-party collaborative signature method and decryption method |
-
2021
- 2021-11-11 CN CN202111338040.3A patent/CN114065241A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108471352A (en) * | 2018-03-16 | 2018-08-31 | 数安时代科技股份有限公司 | Processing method, system, computer equipment based on distributed private key and storage medium |
| CN108768636A (en) * | 2018-05-31 | 2018-11-06 | 上海万向区块链股份公司 | A method of restoring private key using multi-party collaboration |
| CN108667625A (en) * | 2018-07-19 | 2018-10-16 | 数安时代科技股份有限公司 | Cooperate with the digital signature method of SM2 |
| CN110391900A (en) * | 2019-07-04 | 2019-10-29 | 晋商博创(北京)科技有限公司 | Private key processing method, terminal and cipher key center based on SM2 algorithm |
| CN111314089A (en) * | 2020-02-18 | 2020-06-19 | 数据通信科学技术研究所 | SM 2-based two-party collaborative signature method and decryption method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9584311B2 (en) | Decrypting data | |
| US11483161B2 (en) | Method for information processing and non-transitory computer readable storage medium | |
| EP3968597B1 (en) | Methods for encrypting and decrypting data | |
| CN107005577B (en) | Fingerprint data processing method and processing device | |
| CN108111622B (en) | Method, device and system for downloading white box library file | |
| CN108134673B (en) | Method and device for generating white box library file | |
| CN111970109B (en) | Data transmission method and system | |
| CN113572604B (en) | Method, device and system for sending secret key and electronic equipment | |
| GB2540220A (en) | Distributed encryption system and method | |
| CN111193741B (en) | Information sending method, information obtaining method, device and equipment | |
| CN114124364A (en) | Key security processing method, device, equipment and computer readable storage medium | |
| CN113326518B (en) | Data processing method and device | |
| KR101579696B1 (en) | System and method for obfuscating initiation values of a cryptography protocol | |
| US20230418911A1 (en) | Systems and methods for securely processing content | |
| CN111125788B (en) | Encryption calculation method, computer equipment and storage medium | |
| CN112737783B (en) | Decryption method and device based on SM2 elliptic curve | |
| CN112866216A (en) | Method and system for encrypting file | |
| WO2018033017A1 (en) | Terminal state conversion method and system for credit granting | |
| CN113676462B (en) | Key distribution and decryption method, device, equipment and medium | |
| CN114065241A (en) | Key safety processing system, method, equipment and medium | |
| CN115442046A (en) | Signature method, signature device, electronic equipment and storage medium | |
| CN114389790A (en) | Secure multi-party computing method and device | |
| CN112688909B (en) | Data transmission system, method, device, medium and equipment | |
| CN115529131B (en) | Data encryption and decryption method and device based on dynamic key | |
| CN114240428A (en) | Data transmission method and device, data transaction terminal and data supplier |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20220218 |