CN114422261A - Management method, management system, computer device, and computer-readable storage medium - Google Patents
Management method, management system, computer device, and computer-readable storage medium Download PDFInfo
- Publication number
- CN114422261A CN114422261A CN202210138256.3A CN202210138256A CN114422261A CN 114422261 A CN114422261 A CN 114422261A CN 202210138256 A CN202210138256 A CN 202210138256A CN 114422261 A CN114422261 A CN 114422261A
- Authority
- CN
- China
- Prior art keywords
- key
- server
- client
- equipment
- administrator
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000007726 management method Methods 0.000 title claims abstract description 45
- 238000000034 method Methods 0.000 claims abstract description 50
- 238000004422 calculation algorithm Methods 0.000 claims description 31
- 238000004590 computer program Methods 0.000 claims description 10
- 230000008676 import Effects 0.000 claims description 10
- 238000004364 calculation method Methods 0.000 claims description 7
- 101100520142 Caenorhabditis elegans pin-2 gene Proteins 0.000 claims description 2
- 101150037009 pin1 gene Proteins 0.000 claims description 2
- 239000000126 substance Substances 0.000 claims description 2
- 238000002715 modification method Methods 0.000 abstract 1
- 238000005516 engineering process Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 102000005591 NIMA-Interacting Peptidylprolyl Isomerase Human genes 0.000 description 1
- 108010059419 NIMA-Interacting Peptidylprolyl Isomerase Proteins 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a management method, a management system, a computer device and a computer-readable storage medium for managing a device authentication key and an administrator PIN of a smart cryptographic key, wherein the management method comprises one or more of the following methods: the method A is a method for initializing the intelligent password key, and comprises the steps of setting an equipment authentication key and setting an administrator personal identification code; method B, a using method of the equipment authentication key and the administrator personal identification code; and the method C is a modification method of the equipment authentication key and the administrator personal identification code. In the management method, the equipment authentication key and the administrator PIN are generated by the server and can be changed, so that the problems that the equipment authentication key and the administrator PIN are unsafe and easy to leak and the like are effectively solved, and the use safety of the intelligent password key is greatly improved.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a management method, a management system, a computer device, and a computer-readable storage medium.
Background
An intelligent KEY (USB KEY, also called an intelligent KEY) is a terminal device under a Public KEY Infrastructure (PKI) system, provides services such as identity authentication, digital certificates, data protection and the like for users, and is widely applied to the fields of internet banking, electronic signature and the like. The interface specification of the intelligent password key conforms to the GB/T35291 application interface specification of the intelligent password key for information security technology.
The smart cryptographic key authenticates an application that calls the smart cryptographic key by using a device authentication key (DevAuthKey) (see GB/T35291, the device authentication key is a key for device authentication). The device authentication key is typically a 16 byte SM4 key. After the application program completes the equipment authentication through the equipment authentication key, the application in the intelligent password key can be managed by new creation, deletion and the like.
There may be a plurality of applications in the smart key [ see GB/T35291, where a device authentication key and a plurality of applications exist in one device, the applications are independent of each other, and the applications are composed of an administrator (Admin) Personal Identification Number (PIN), a user PIN, a file, and a container ]. Among other things, containers (see GB/T35291, which is a unique storage space divided in a cryptographic device for holding keys) are used to hold key data and digital certificates. The user PIN is used for verifying the identity of the user to open the container, and the related interface is called to use the key in the container to carry out the cryptographic operation. In practical application, if the user PIN and the administrator PIN are input repeatedly and mistakenly, the user PIN and the administrator PIN are locked, although the administrator PIN can be used for unlocking and setting a new user PIN after the user PIN is locked, if the administrator PIN is locked, the application cannot be used any more. Accordingly, in consideration of the importance of the administrator PIN, it needs to be strictly protected and managed.
In the existing information system, the device authentication key is generally set to a fixed value by a manufacturer of the smart key, the user PIN is managed by the user, and for the administrator PIN, the existing information system is also generally managed by the user at the same time, or some information systems uniformly set the fixed value and then managed by a system administrator of the information system.
The above management methods for the device authentication key and the administrator PIN have the following disadvantages: 1. a fixed value for the device authentication key may result in applications within the key fob being maliciously deleted. 2. The management administrator PIN is not frequently used, and if the management administrator PIN is handed to a user for management, the management administrator PIN is easy to forget, so that the intelligent password key cannot be used any more once being locked; 3. if the administrator PIN uses a fixed value, the administrator PIN is not easy to replace regularly, and once the administrator PIN of all the intelligent password keys is leaked, the administrator PIN of all the intelligent password keys is leaked. Therefore, how to provide an efficient and secure mechanism to manage the device authentication key and the administrator PIN is a problem to be solved urgently.
Disclosure of Invention
In view of the above problems, the present invention provides a management method for managing a device authentication key and an administrator PIN.
The management method provided by the invention comprises one or more of the following methods:
the method A is a method for initializing the intelligent password key, and comprises the steps of setting an equipment authentication key and setting an administrator personal identification code;
method B, a using method of the equipment authentication key and the administrator personal identification code;
method C, a method for modifying the equipment authentication key and the administrator personal identification number,
wherein the content of the first and second substances,
the method A comprises the following steps:
AB. The client acquires the equipment information in the intelligent password key and takes out the serial number SN in the equipment information;
AC. The server randomly generates an equipment tag, calculates the equipment authentication key and the personal identification number of the administrator according to the serial number SN and the application name AppName, and then sends the equipment authentication key and the personal identification number of the administrator to the client;
AD. The client modifies the equipment label and the equipment authentication key in the intelligent password key, establishes a new application,
the method B comprises the following steps:
BB. The client acquires a serial number SN and an equipment label in equipment information in the intelligent password key and sends the serial number SN, the equipment label and an application name AppName to the server;
BC. The server calculates the equipment authentication key and the administrator personal identification number and sends the equipment authentication key and the administrator personal identification number to the client,
the method C comprises the following steps:
CB. The client acquires a current equipment authentication key and an administrator personal identification code;
CC. The client applies for calculation to the server to obtain a new equipment label NewLabel, a new equipment authentication key NewDevAuthKey and a new administrator personal identification number NewAdminPIN;
CD. And the client updates the equipment label, the equipment authentication key and the administrator personal identification code.
Further, in the present invention,
before the step AB, the following steps are performed:
and the client side performs equipment authentication by using the factory equipment authentication key and is connected with the intelligent key.
Further, in the present invention,
the step AB comprises the following steps:
and the client calls an equipment information acquisition interface to acquire the equipment information of the intelligent key, and takes out the serial number SN in the equipment information.
Further, in the present invention,
in the step AC, if the connection between the client and the server is a trusted channel, the following steps are performed:
the client sends the serial number SN and the application name AppName to the server;
the server generates a 32-byte random number as a first device Label1, and then byte splicing is performed on the first device Label1 and a serial number SN to obtain first data 1: data1 ═ Label1| | | SN, where | | | | represents concatenation of bytes;
the server side calls a server cipher machine, uses a SM2 key with a key index of index in the server cipher machine, and introduces a session key by using an introduced session key and an internal elliptic curve encryption algorithm private key decryption interface, and obtains a session key handle;
the server side calls the server cipher machine, uses the session key handle and encrypts the first data1 by using an SM4 encryption algorithm to obtain a first ciphertext C1;
the server calculates a first SM3 hash value S01 of the C1| | | ID to SM3(C1| | | ID) to obtain a 32-byte SM3 hash value S01, wherein the ID is a fixed identification character string or null of an information system, and the server is a server of the information system;
the server side takes the first 16 bytes of the SM3 hash value S01 as a first device authentication key DevAuthKey 1: DevAuthKey1 ═ S01[0:16], it is assumed that each byte constituting the string D has a subscript (which is an integer), and the subscripts of each byte are used to sequentially identify the order of the corresponding bytes from front to back in the string D, D [ m: n ] denotes that bytes from subscript m (initial subscript) to subscript n-1 are taken for the string D, m and n are integers, and m < n, the initial subscript m in S01 is 0;
the server calculates S1 ═ SM3(S01| | | AppName), and S2 ═ Base64(S1), resulting in 44 byte printable string S2, Base64(E) indicating that binary data E is converted into 44 printable characters using Base64 encoding;
the server takes the first 16 bytes of the printable string S2 as a first administrator pin 1: AdminPIN1 ═ S2[0:16 ];
the server sends the first device Label1, the first device authentication key DevAuthKey1 and the first administrator personal identification number adminPIN1 to the client;
the client modifies the first device Label1 and the first device authentication key DevAuthKey1 and establishes a new application using the first administrator PIN AdminPIN1 and the user PIN entered by the user.
Further, in the present invention,
in the step AC, if the connection between the client and the server is an untrusted channel, the following steps are performed:
the client establishes a new temporary application, and a temporary user personal identification code and a temporary administrator personal identification code of the temporary application are randomly generated by the client;
the client establishes a temporary container by using the temporary application;
the client generates an elliptic curve encryption algorithm signature key pair in the temporary container and outputs a temporary signature public key TempSignPubKey in the elliptic curve encryption algorithm signature key pair;
the client sends the serial number SN, the application name AppName and the temporary signature public key TempSignPubKey to the server;
the server generates a 32-byte random number as a second device Label2, and performs byte splicing on the second device Label2 and the serial number SN to obtain second data 2: data2 ═ Label2| | | SN;
the server side calls a server cipher machine, uses a SM2 key with a key index of index in the server cipher machine, and introduces a session key by using an introduced session key and an internal elliptic curve encryption algorithm private key decryption interface, and obtains a session key handle;
the server side calls the server cipher machine, uses the session key handle, and encrypts the second data2 by using an SM4 encryption algorithm to obtain a second ciphertext C2;
the server calculates a second SM3 hash value S02 of the C2| | | ID to SM3(C2| | | ID) to obtain a second SM3 hash value S02 of 32 bytes, wherein the ID is a fixed identification character string of the information system or null;
the server side takes the first 16 bytes of the second SM3 hash value S02 as a second device authentication key DevAuthKey 2: DevAuthKey2 ═ S02[0:16 ];
the server calculates S11 ═ SM3(S02| | | AppName), and S21 ═ Base64(S11), resulting in 44-byte printable string S21;
the server side takes the first 16 bytes of the printable character string S21 as a second administrator pin: AdminPIN2 ═ S21[0:16 ];
the server generates a temporary session key TempSessionKey, and encrypts combined data by using the temporary session key TempSessionKey and SM4 algorithm
Label2 DevAuthKey2 AdminPIN2 obtains encrypted data EncrypttedData:
EncryptedData is SM4(TempSessionKey, Label2| | | DevAuthKey2| | | AdminPIN2), where SM4(K, D1) represents a ciphertext obtained by encrypting data D1 using an SM4 encryption algorithm using a key K;
the server generates an SM2 encryption key pair (TempEncPrivateKey, TempEncPubKey), encrypts the temporary session key TempSessionKey with the TempEncPubKey to obtain a digital envelope EnveledSessionKey:
enveloppedsissionkey is SM2(TempEncPubKey, TempSessionKey), where SM2(PubKey, D2) indicates a ciphertext obtained by using SM2 public key PubKey and encrypting data D2 by using SM2 encryption algorithm;
the server side encrypts the encryption key TempEncPrivateKey by using a temporary signature public key TempSignPubKey of the client side and forms an elliptic curve encryption key pair protection structure EnvelopedKeyBlob;
the server side sends the elliptic curve encryption key pair protection structure EnvelopedKeyBlob, the digital envelope EnvelopedSessionKey and the encrypted data EncryptedData to the client side;
the client uses an imported elliptic curve encryption key pair interface to import an elliptic curve encryption key pair protection structure EnvelopedKeyBlob into the temporary container;
the client uses an import session key interface to import the digital envelope EnvelopedSessioncoKey into the temporary container and obtains a session key handle;
the client decrypts the encrypted data EncryptedData by using the session key handle and the single-group data decryption interface to obtain combined data Label2 DevAuthKey2 AdminPIN2, and respectively intercepts the combined data Label2, the second equipment authentication key DevAuthKey2 and the second administrator personal identification number AdminPIN2 according to the data length.
Further, in the present invention,
the step AD comprises the following steps:
after the client obtains the first device Label1, the first device authentication key DevAuthKey1, the first administrator personal identification number admini pin1 or the second device Label2, the second device authentication key DevAuthKey2, the second administrator personal identification number admini pin2, the device Label and the device authentication key are modified to establish a new application, which comprises the following steps:
writing the first device Label1 or the second device Label2 in the string of the device Label of the smart key;
modifying the device authentication key into the first device authentication key DevAuthKey1 or a second device authentication key DevAuthKey2 by using a modified device authentication key interface;
establishing a new application, and setting the administrator personal identification number as a first administrator personal identification number adminPIN1 or a second administrator personal identification number adminPIN2, wherein the user personal identification number is input by a user;
and after the new application is established, deleting the temporary application.
Further, in the present invention,
the step BB comprises:
the client calls an equipment information obtaining interface to obtain the equipment information of the intelligent key, and a serial number SN and an equipment Label in the equipment information are taken out;
and the client sends the serial number SN, the equipment Label Label and the application name AppName to the server.
Further, in the present invention,
the step BC includes:
the server side calls a server cipher machine, a session key is imported by using an SM2 key with a key index of index, an SM2 encrypted ciphertext KeyCipher in the session key is imported by using an internal elliptic curve encrypted private key decryption interface, and a session key handle is obtained;
the server side calls the server cipher machine, and encrypts Label (SN) by using the session key handle and an SM4 encryption algorithm to obtain a ciphertext C;
the server calculates a third SM3 hash value S03| | | ID (C | | | ID) of C | | | ID to SM3, and obtains a 32-byte third SM3 hash value S03;
the server side takes the first 16 bytes of the third SM3 hash value S03 as a third device authentication key DevAuthKey 3: DevAuthKey3 ═ S03[0:16 ];
the server calculates SS1 ═ SM3(S03| | | AppName), and SS2 ═ Base64(SS1), resulting in 44-byte printable string SS 2;
the server takes the first 16 bytes of the printable string SS2 as a third administrator pin 3: AdminPIN3 ═ SS2[0:16 ];
the server sends the third device authentication key DevAuthKey3 and the third administrator personal identification number AdminPIN3 to the client.
Further, in the present invention,
the step CB, the steps BB to BC, the client obtaining the current device authentication key: fourth device authentication key DevAuthKey4 and current fourth administrator pin: a fourth administrator PIN AdminPIN 4.
Further, in the present invention,
and step CC and step AC, the client applies for calculation to the server to obtain a new equipment label NewLabel, a new equipment authentication key NewDevAuthKey and a new administrator personal identification number NewAdminPIN.
Further, in the present invention,
the step CD comprises the following steps:
the client side uses the fourth device authentication key DevAuthKey4 to perform device authentication, and after the authentication is successful, the client side uses a modified device authentication key interface to modify the fourth device authentication key DevAuthKey4 into the new device authentication key NewDevAuthKey;
the client modifies the fourth administrator pin AdminPIN4 to a new administrator pin using a modify pin interface;
and the client writes the new equipment label NewLabel into the equipment label character string of the intelligent key by using a set equipment label interface.
The invention also provides a management system, which is used for realizing the management method and comprises a client, an intelligent password key and a server.
The present invention also provides a computer device comprising a memory, a first processor and a first computer program stored on the memory and executable on the first processor, the first computer program implementing the steps of the management method described above when executed by the first processor.
The present invention also provides a computer-readable storage medium, which stores a second computer program executable by at least one second processor to cause the at least one second processor to perform the steps of the management method described above.
In the management method, the equipment authentication key and the administrator PIN are generated by the server and can be changed, so that the problems that the equipment authentication key and the administrator PIN are unsafe and easy to leak and the like are effectively solved, and the use safety of the intelligent password key is greatly improved. The generation elements of the equipment authentication key and the administrator PIN are composed of a client, an intelligent password key, a server and the like, and the safety is further improved. When the equipment authentication key and the administrator PIN are used, the client side of the information system operates after identity authentication is carried out on the information system, so that the equipment authentication key and the administrator PIN of the intelligent password key used in the information system can be effectively and safely managed and controlled in a centralized manner.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 illustrates a flow diagram of a method for initializing a smart cryptographic key in accordance with an embodiment of the present invention;
FIG. 2 illustrates a flow diagram of a method for using a device authentication key and an administrator PIN according to an embodiment of the present invention;
fig. 3 shows a flowchart of a method for modifying a device authentication key and an administrator PIN according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," "third," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different elements and not necessarily for describing a particular sequential or chronological order. The appearances of "a plurality" in this application are intended to mean more than two (including two).
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The information system adopting the intelligent key comprises a client and a server. The client can be an executable program, a browser plug-in and the like, and the intelligent key is called by using an interface in GB/T35291 and 2017 Intelligent cipher key application interface Specification of information security technology. The server is an information system server, and executes cryptographic services such as encryption and decryption by calling a server cryptographic machine, and the calling server cryptographic machine follows GB/T36322-.
Before the information system runs, the server side distributes an SM2 key with a key index of index to the information system on a server cipher machine, calls an SM2 encrypted ciphertext KeyCipher (the KeyCipher is an SM2 encrypted ciphertext obtained by encrypting the session key by using an SM2 public key) which generates a session key and outputs the session key, stores the SM2 encrypted ciphertext KeyCipher to a database or a disk, namely the session key is encrypted by using an SM2 public key and then is exported and stored in a database or a disk in a ciphertext mode, and when the session key is needed to be used, the SM2 encrypted ciphertext KeyCipher of the session key is imported into the cipher machine for decryption and then is used. Where session keys are used for data encryption and decryption and Message Authentication Codes (MAC) operations, the session keys are typically 16-byte symmetric keys, such as SM4 keys.
The key has the advantages that the key can be used for multiple applications, but in practical use, only one application is established by one key, so that the invention aims at the condition that only one application is established by one key.
The embodiment of the invention provides a management method for managing an authentication key of intelligent password key equipment and a Personal Identification Number (PIN). The management method comprises the following steps:
the method A is a method for initializing the intelligent password key, and comprises the steps of setting an equipment authentication key and establishing an application setting administrator PIN;
method B, a method for using the equipment authentication key and the administrator PIN;
and a method C for modifying the equipment authentication key and the administrator PIN.
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
A user of the information system uses a factory-set intelligent password key to perform initialization operation of the intelligent key at a client, the operation is to set an equipment authentication key for the intelligent password key, establish an application with an application name AppName and set an administrator PIN and a user PIN of the application. Wherein the device authentication key and the administrator PIN are generated by the information system and the user PIN is entered by the user.
FIG. 1 illustrates a flow chart of a method of initializing a smart cryptographic key of the present invention. Referring to fig. 1, the method a relates to a Serial Number (SN), a device tag (Label), and a key of a server cryptographic engine in device information of a smart key, and specifically, the method of initializing the smart key includes:
AA. The client side performs equipment authentication (namely authentication of the intelligent password key on the application program) by using the factory equipment authentication key, and is connected with the intelligent key;
AB. The client acquires the equipment information in the intelligent password key, and takes out the serial number SN in the equipment information, and the method comprises the following steps:
the client calls an equipment information acquisition interface (SKF _ GetDevInfo interface) to acquire the equipment information of the intelligent key, and takes out a serial number SN in the equipment information, wherein the serial number is written by a manufacturer, and the serial numbers of the intelligent key are different, wherein the equipment information comprises a version number, equipment manufacturer information, equipment release information, an equipment label, a serial number and the like;
AC. The method comprises the following steps that a server randomly generates an equipment label, calls a server cipher machine, calculates an equipment authentication key and an administrator PIN for a client according to a serial number SN and an application name AppName, and then sends the equipment authentication key and the administrator PIN to the client, and comprises the following steps:
ACa, if the connection between the client and the server is a trusted channel, executing the following steps:
the ACa1 sends the serial number SN and the application name AppName to the server side by the client side;
the ACa2 and the server generate a 32-byte random number as a first device Label1, and then byte splicing is performed on the first device Label1 and the serial number SN to obtain first data 1:
data1=Label1||SN,
in the invention, a 32-byte random number generated by a server is generated by calling a server cipher machine by the server and is stored in a Label field of equipment information of the intelligent key, and the server does not store the random number;
the ACa3 and the server call the server cipher machine, use the SM2 key with the key index in the server cipher machine, import the session key by using the import session key and using the internal ECC private key decryption interface (SDF _ ImportKeyWithISK _ ECC interface), and obtain the session key handle, the specific process is as follows: after the SDF _ ImportKeyWithISK _ ECC interface inputs the index and the SM2 encrypted ciphertext keyCipher, the server cipher machine decrypts the SM2 encrypted ciphertext keyCipher by using an SM2 private key of the index bit of the cipher machine index to obtain a session key, stores the session key in the server cipher machine, generates a session key handle and returns the session key handle to the caller. The caller can not directly obtain the session key, when the caller needs to encrypt, the caller sends the encrypted data and the session key handle to the server cipher machine, and the server cipher machine encrypts the encrypted data to obtain a ciphertext and then sends the ciphertext back to the caller;
the ACa4 and the server call the server cipher machine, the first data1 is encrypted by using the SM4 encryption algorithm by using the session key handle, and a first ciphertext C1 is obtained;
the ACa5 and the server side calculate a first SM3 hash value S01 ═ SM3(C1| | | ID) of C1| |, so as to obtain a 32-byte SM3 hash value S01, wherein the ID is a fixed identification character string of the information system and can also be null, and the calculation of the hash value refers to 7.6.40-7.6.43 of GB/T35291 | -2017;
the ACa6, the first 16 bytes of the SM3 hash value S01 taken by the server are the first device authentication key DevAuthKey 1: DevAuthKey1 ═ S01[0:16], it is assumed that each byte constituting the string D has a subscript (which is an integer), and the subscripts of each byte are used to sequentially identify the order of the corresponding bytes from front to back in the string D, D [ m: n ] denotes that bytes from subscript m (initial subscript) to subscript n-1 are taken for the string D, m and n are integers, and m < n, the initial subscript m in S01 is 0;
for example, if the SM hash value S of 32 bytes is {0x, 0x, 0x, 0x, 0x, 0x, 0x, 0x, 0x, 0x, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x, 0x, 0x, 0x, 0x, 0x1, 0x1, 0x1, 0x1 }, DevAuthKey ═ 0x, 0x, 0x, 0x, 0x, 0x, 0x, 0x, 0x0, 0x0 }.0 }.
ACa7, server side calculation S1 ═ SM3(S01| | | AppName), and S2 ═ Base64(S1), resulting in 44 byte printable string S2, Base64(E) indicating that binary data E was converted into printable characters, i.e., bytes, using Base64 encoding.
For example, if S1 is {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f }, then the data is transmitted to the mobile station via the internet or the internet via the internet, and the mobile station is transmitted via the internet
S2=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=;
ACa8, the first 16 bytes of S2 taken by the server as the first administrator PIN AdminPIN 1: AdminPIN1 ═ S2[0:16 ];
the ACa9 and the server side send a first device Label1, a first device authentication key DevAuthKey1 and a first administrator PIN adminPIN1 to the client side;
the ACa10, the client modifies the first device Label1 and the first device authentication key DevAuthKey1, and uses the first administrator PIN adminPIN1 and the user PIN entered by the user to establish a new application, the modification aims at changing the original device Label in the smart key to the first device Label1 and changing the original device authentication key in the smart key to the first device authentication key DevAuthKey 1. The idea of the invention is that the first device authentication key DevAuthKey1 and the first administrator PIN AdminPIN1 are calculated from the first device tag Label1, the serial number SN and the session key. Wherein, the first device Label1, the serial number SN is stored on the ukey, and the session key is stored (encrypted) at the server. Thus, when the first device authentication key DevAuthKey1 and the first administrator PIN AdminPIN1 are to be used, they must be temporarily calculated by the client through the server.
Note that if a trusted channel exists between the client and the server, the SM4 key of the server crypto-engine is an SM2 encrypted ciphertext of the session key output by an internal ECC public key encryption output interface (SDF _ GenerateKeyWithIPK _ ECC interface) after the server calls the crypto-engine to generate the session key. The SM4 key, namely the SM2 encrypted ciphertext of the session key, is stored in a database or a disk, when the SM2 encrypted ciphertext of the SM4 key is required to be used, the session key is imported into the cipher machine by the server cipher machine, an internal ECC private key decryption interface (SDF _ ImportKeyWithISK _ ECC interface) is used, the SM2 encrypted ciphertext imported with the session key is used for obtaining a session key handle, and the SM4 encryption and decryption are called through the session key handle.
If the connection between the client and the server is an untrusted channel, the ACb executes the following steps:
the ACb1 and the client establish a new temporary application, and the temporary user PIN and the temporary administrator PIN of the temporary application are randomly generated for the client;
ACb2, the client establishes a temporary container by using a temporary application;
the ACb3 and the client generate an ECC signature key pair in the temporary container and output a temporary signature public key TempSignPubKey in the ECC signature key pair;
the ACb4 sends the serial number SN, the application name AppName and the temporary signature public key TempSignPubKey to the server side by the client side;
the ACb5 and the server generate a 32-byte random number as a second device Label 2. Carrying out byte splicing on the Label2 and the serial number SN to obtain second data 2: data2 ═ Label2| | | SN;
ACb6, which is the same as the foregoing step ACa3, that is, the server calls the server crypto, uses the SM2 key with the key index of index in the server crypto, and introduces the session key by using the introduced session key and using the internal ECC private key decryption interface (SDF _ inportkeywithisk _ ECC interface), and obtains the session key handle;
the ACb7 and the server call the server cipher machine, the second data2 is encrypted by using the SM4 encryption algorithm by using the session key handle, and a second ciphertext C2 is obtained;
ACb8, the server calculates a second SM3 hash value S02 ═ SM3(C2| | ID) of C2| | | ID to obtain a second SM3 hash value S02 of 32 bytes, where ID is a fixed identification string of the information system, and may also be null;
ACb9, the first 16 bytes of the second SM3 hash value S02 are taken by the server as the second device authentication key DevAuthKey 2: DevAuthKey2 ═ S02[0:16 ];
a3b10, the server calculates S11 ═ SM3(S02| | | AppName), and S21 ═ Base64(S11), resulting in 44-byte printable string S21;
ACb11, the server side takes the first 16 bytes of S21 as the second administrator PIN: AdminPIN2 ═ S21[0:16 ];
ACb12, the server generates a temporary session key TempSessionKey, and encrypts the combined data by using the temporary session key TempSessionKey and SM4 algorithm
Label2 DevAuthKey2 AdminPIN2 obtains encrypted data EncrypttedData:
EncryptedData=SM4(TempSessionKey,Label2||DevAuthKey2||AdminPIN2);
wherein, SM4(K, D1) represents a cipher text obtained by encrypting data D1 by using an SM4 encryption algorithm by using a key K, and the SM4 algorithm is referred to GB/T32907- & 2016 & ltinformation security technology SM4 block cipher algorithm & gt. The ciphertext Encryptdata is a binary string.
ACb13, the server generates SM2 encryption key pair (TempEncPrivateKey, TempEncPubKey), and encrypts the temporary session key TempSessionKey with the encryption key TempEncPubKey to obtain a digital envelope envelopdsessionkey:
EnvelopedSessionKey=SM2(TempEncPubKey,TempSessionKey);
wherein, SM2(PubKey, D2) indicates a ciphertext obtained by encrypting data D2 by using SM2 encryption algorithm using SM2 public key PubKey, and SM2 encryption algorithm refers to GB/T32918.4-2016 section 4 of information security SM2 elliptic curve public key cryptography algorithm: public key encryption algorithm. The ciphertext EnvelopedSessioncoKey is a binary string.
The ACb14 and the server encrypt the encryption key TempEncPrivateKey by using the temporary signature public key TempSignPubKey of the client, and form an ECC encryption key (elliptic curve encryption key) pair protection structure enveloppedkeyblob.
The ECC encryption key pair protection structure and the encryption process are referred to section 6.4.10 of GB/T35291-2017 Intelligent cipher Key application interface Specification for information Security technology.
ACb15, and service side protection structure for ECC encryption key pair
The EnvelopedKeyBlob, the digital envelope EnvelopedSessionKey and the encrypted data EncryptedData are sent to the client;
the ACb16 is characterized in that the client uses an introduced ECC key pair interface (SKF _ ImportECCKeyPair interface) to introduce an ECC key pair protection structure EnvelopedKeyBlob into a temporary container;
the ACb17 and the client use an import session key interface (SKF _ ImportSessionKey interface) to import the digital envelope EnvelopedSessionKey into the temporary container and obtain a session key handle;
the ACb18 and the client side decrypt the encrypted data EncrypttedData by using the session key handle and the single-group data decryption interface to obtain combined data Label2| | DevAuthKey2| | adminPIN2, and respectively intercept and obtain Label2, DevAuthKey2 and adminPIN2 according to the data length.
In summary, if the server and the client are an insecure channel, the client needs to establish a temporary application and a temporary container in the intelligent password key, generate an SM2 temporary signature key, and send the SM2 temporary signature key, the SN, and the AppName to the server. The server side encrypts an SM2 temporary encryption key generated by the server side by using an SM2 temporary signing key, encrypts a temporary session key by using an SM2 temporary encryption key, and encrypts Label2, DevAuthKey2 and adminPIN2 data generated by the server side by using the temporary session key, so that eavesdropping on a channel can be prevented.
AD. After the client obtains a first device Label1, a first device authentication key DevAuthKey1, a first administrator PINAdmin PIN1 or a second device Label2, a second device authentication key DevAuthKey2 and a second administrator PIN adminPIN2, the client modifies the device Label and the device authentication key in the intelligent key to establish a new application, and the method comprises the following steps:
AD1, writing the first device tag Label1 or the second device tag Label2 into the character string of the device tag of the smart key by setting the device tag (SKF _ SetLabel);
an AD2, modifying the device authentication key into a first device authentication key DevAuthKey1 or a second device authentication key DevAuthKey2 by using a modified device authentication key interface (SKF _ ChangeDevAuthKey interface);
the AD3, establishing a new application, and setting an administrator PIN to be a first administrator PIN adminPIN1 or a second administrator PIN adminPIN2, wherein a user PIN is input by a user;
and the AD4, if the connection between the client and the server is an untrusted channel, deleting the temporary application.
AE. The initialization setting of the smart key is completed.
Fig. 2 is a flow chart of a method of using the device authentication key and administrator PIN of the present invention. Referring to fig. 2, the method B, i.e., the method for using the device authentication key and the administrator PIN, includes the steps of:
BA. A user submits an application at a client and is approved by an information system administrator;
BB. The client acquires a serial number SN and an equipment Label Label in the equipment information, and sends the serial number SN, the equipment Label Label and an application name AppName to the server, wherein the method comprises the following steps:
BB1, calling an equipment information acquisition interface (SKF _ GetDevInfo interface) by the client to acquire the equipment information of the intelligent key, and taking out a serial number SN and an equipment Label in the equipment information;
BB2, the client sends the serial number SN, the equipment Label Label and the application name AppName to the server;
BC. The server side computing equipment authentication key and the administrator personal identification number are sent to the client side, and the method comprises the following steps:
BC1, a server side calls a server cipher machine, a session key is imported by using an SM2 key with a key index of index, and an SM2 encryption ciphertext KeyCipher in the session key is imported by using an internal ECC private key decryption interface (SDF _ ImportKeyWithISK _ ECC interface) to obtain a session key handle;
the BC2 and the server call a server cipher machine, and the Label (I) SN is encrypted by using the session key handle and the SM4 encryption algorithm to obtain a ciphertext C;
BC3, the server calculates a third SM3 hash value S03 of C | | | ID ═ SM3(C | | | ID), to obtain a 32-byte third SM3 hash value S03;
the BC4 and the server take the first 16 bytes of the third SM3 hash value S03 as the third device authentication key DevAuthKey 3: DevAuthKey3 is S03[0:16 ].
BC5, the service side calculates SS1 ═ SM3(S03| | | AppName), and SS2 ═ Base64(SS1), resulting in 44-byte printable string SS 2;
the BC6, the service side, takes the first 16 bytes of the SS2 as the third administrator PIN AdminPIN 3: AdminPIN3 ═ SS2[0:16 ];
the BC7, the server side sends the third device authentication key DevAuthKey3 and the third administrator PIN AdminPIN3 to the client side.
Fig. 3 is a flow chart of a method of modifying a device authentication key and administrator PIN of the present invention. Referring to fig. 3, the method C, i.e., the method for modifying the device authentication key and the administrator PIN, includes the following steps:
CA. A user submits an application at a client and is approved by an information system administrator;
CB. As in the above step BB-BC, the client acquires the current DevAuthKey (referred to as fourth device authentication key DevAuthKey4) and administrator PIN (referred to as fourth administrator PIN AdminPIN 4).
CC. The client applies for calculation to the server to obtain a new equipment label NewLabel, a new equipment authentication key NewDevAuthKey and a new administrator PIN NewAdminPIN;
CD. The client updates the equipment label, the equipment authentication key and the administrator personal identification number, and comprises the following steps:
the CD1 and the client use the fourth device authentication key DevAuthKey4 to perform device authentication, after the authentication is successful, the client uses a modified device authentication key interface (SKF _ ChangeDevAuthKey interface) to modify the fourth device authentication key DevAuthKey4 into a new device authentication key NewDevAuthKey;
the CD2 modifies a fourth administrator PIN AdminPIN4 in the smart key into a new administrator PIN NewAdminPIN by using a modified PIN interface (SKF _ Change PIN interface) by the client;
the CD3, the client, writes a new device tag NewLabel into the device tag string of the smart key using the set device tag interface (SKF _ SetLabel interface).
The invention also provides a management system for managing the authentication key of the intelligent password key equipment and the PIN of the administrator, and the management system is used for realizing the management method and comprises a client, the intelligent password key and a server.
The invention also provides a computer device, which comprises a storage, a first processor and a first computer program which is stored on the storage and can run on the first processor, wherein the first computer program realizes the management method when being executed by the first processor.
The present invention also provides a computer-readable storage medium for storing a second computer program executable by at least one second processor for causing the at least one second processor to perform the above-mentioned management method.
In the management method, the equipment authentication key and the administrator PIN are generated by the server and can be changed, so that the problems that the equipment authentication key and the administrator PIN are unsafe and easy to leak and the like are effectively solved, and the use safety of the intelligent password key is greatly improved. The generation elements of the equipment authentication key and the administrator PIN are composed of a client, an intelligent password key, a server and the like, and the safety is further improved. When the equipment authentication key and the administrator PIN are used, the client side of the information system operates after identity authentication is carried out on the information system, so that the equipment authentication key and the administrator PIN of the intelligent password key used in the information system can be effectively and safely managed and controlled in a centralized manner.
Although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (14)
1. The management method is characterized by comprising one or more of the following methods:
the method A is a method for initializing the intelligent password key, and comprises the steps of setting an equipment authentication key and setting an administrator personal identification code;
method B, a using method of the equipment authentication key and the administrator personal identification code;
method C, a method for modifying the equipment authentication key and the administrator personal identification number,
wherein the content of the first and second substances,
the method A comprises the following steps:
AB. The client acquires the equipment information in the intelligent password key and takes out the serial number SN in the equipment information;
AC. The server randomly generates an equipment tag, calculates the equipment authentication key and the personal identification number of the administrator according to the serial number SN and the application name AppName, and then sends the equipment authentication key and the personal identification number of the administrator to the client;
AD. The client modifies the equipment label and the equipment authentication key in the intelligent password key, establishes a new application,
the method B comprises the following steps:
BB. The client acquires a serial number SN and an equipment label in equipment information in the intelligent password key and sends the serial number SN, the equipment label and an application name AppName to the server;
BC. The server calculates the equipment authentication key and the administrator personal identification number and sends the equipment authentication key and the administrator personal identification number to the client,
the method C comprises the following steps:
CB. The client acquires a current equipment authentication key and an administrator personal identification code;
CC. The client applies for calculation to the server to obtain a new equipment label NewLabel, a new equipment authentication key NewDevAuthKey and a new administrator personal identification number NewAdminPIN;
CD. And the client updates the equipment label, the equipment authentication key and the administrator personal identification code.
2. The management method according to claim 1,
before the step AB, the following steps are performed:
and the client side performs equipment authentication by using the factory equipment authentication key and is connected with the intelligent key.
3. The management method according to claim 2,
the step AB comprises the following steps:
and the client calls an equipment information acquisition interface to acquire the equipment information of the intelligent key, and takes out the serial number SN in the equipment information.
4. The management method according to claim 3,
in the step AC, if the connection between the client and the server is a trusted channel, the following steps are performed:
the client sends the serial number SN and the application name AppName to the server;
the server generates a 32-byte random number as a first device Label1, and then byte splicing is performed on the first device Label1 and a serial number SN to obtain first data 1: data1 ═ Label1| | | SN, where | | | | represents concatenation of bytes;
the server side calls a server cipher machine, uses a SM2 key with a key index of index in the server cipher machine, and introduces a session key by using an introduced session key and an internal elliptic curve encryption algorithm private key decryption interface, and obtains a session key handle;
the server side calls the server cipher machine, uses the session key handle and encrypts the first data1 by using an SM4 encryption algorithm to obtain a first ciphertext C1;
the server calculates a first SM3 hash value S01 of the C1| | | ID to SM3(C1| | | ID) to obtain a 32-byte SM3 hash value S01, wherein the ID is a fixed identification character string or null of an information system, and the server is a server of the information system;
the server side takes the first 16 bytes of the SM3 hash value S01 as a first device authentication key DevAuthKey 1: DevAuthKey1 ═ S01[0:16], it is assumed that each byte constituting the string D has a subscript (which is an integer), and the subscripts of each byte are used to sequentially identify the order of the corresponding bytes from front to back in the string D, D [ m: n ] denotes that bytes from subscript m (initial subscript) to subscript n-1 are taken for the string D, m and n are integers, and m < n, the initial subscript m in S01 is 0;
the server calculates S1 ═ SM3(S01| | | AppName), and S2 ═ Base64(S1), resulting in 44 byte printable string S2, Base64(E) indicating that binary data E is converted into 44 printable characters using Base64 encoding;
the server takes the first 16 bytes of the printable string S2 as a first administrator pin 1: AdminPIN1 ═ S2[0:16 ];
the server sends the first device Label1, the first device authentication key DevAuthKey1 and the first administrator personal identification number adminPIN1 to the client;
the client modifies the first device Label1 and the first device authentication key DevAuthKey1 and establishes a new application using the first administrator PIN AdminPIN1 and the user PIN entered by the user.
5. The management method according to claim 4,
in the step AC, if the connection between the client and the server is an untrusted channel, the following steps are performed:
the client establishes a new temporary application, and a temporary user personal identification code and a temporary administrator personal identification code of the temporary application are randomly generated by the client;
the client establishes a temporary container by using the temporary application;
the client generates an elliptic curve encryption algorithm signature key pair in the temporary container and outputs a temporary signature public key TempSignPubKey in the elliptic curve encryption algorithm signature key pair;
the client sends the serial number SN, the application name AppName and the temporary signature public key TempSignPubKey to the server;
the server generates a 32-byte random number as a second device Label2, and performs byte splicing on the second device Label2 and the serial number SN to obtain second data 2: data2 ═ Label2| | | SN;
the server side calls a server cipher machine, uses a SM2 key with a key index of index in the server cipher machine, and introduces a session key by using an introduced session key and an internal elliptic curve encryption algorithm private key decryption interface, and obtains a session key handle;
the server side calls the server cipher machine, uses the session key handle, and encrypts the second data2 by using an SM4 encryption algorithm to obtain a second ciphertext C2;
the server calculates a second SM3 hash value S02 of the C2| | | ID to SM3(C2| | | ID) to obtain a second SM3 hash value S02 of 32 bytes, wherein the ID is a fixed identification character string of the information system or null;
the server side takes the first 16 bytes of the second SM3 hash value S02 as a second device authentication key DevAuthKey 2: DevAuthKey2 ═ S02[0:16 ];
the server calculates S11 ═ SM3(S02| | | AppName), and S21 ═ Base64(S11), resulting in 44-byte printable string S21;
the server side takes the first 16 bytes of the printable character string S21 as a second administrator pin: AdminPIN2 ═ S21[0:16 ];
the server generates a temporary session key TempSessionKey, and encrypts the combined data Label2| | DevAuthKey2| | | adminPIN2 by using algorithms of the temporary session key TempSessionKey and SM4 to obtain encrypted data EncrypttedData:
EncryptedData is SM4(TempSessionKey, Label2| | | DevAuthKey2| | | AdminPIN2), where SM4(K, D1) represents a ciphertext obtained by encrypting data D1 using an SM4 encryption algorithm using a key K;
the server generates an SM2 encryption key pair (TempEncPrivateKey, TempEncPubKey), encrypts the temporary session key TempSessionKey with the TempEncPubKey to obtain a digital envelope EnveledSessionKey:
enveloppedsissionkey is SM2(TempEncPubKey, TempSessionKey), where SM2(PubKey, D2) indicates a ciphertext obtained by using SM2 public key PubKey and encrypting data D2 by using SM2 encryption algorithm;
the server side encrypts the encryption key TempEncPrivateKey by using a temporary signature public key TempSignPubKey of the client side and forms an elliptic curve encryption key pair protection structure EnvelopedKeyBlob;
the server side sends the elliptic curve encryption key pair protection structure EnvelopedKeyBlob, the digital envelope EnvelopedSessionKey and the encrypted data EncryptedData to the client side;
the client uses an imported elliptic curve encryption key pair interface to import an elliptic curve encryption key pair protection structure EnvelopedKeyBlob into the temporary container;
the client uses an import session key interface to import the digital envelope EnvelopedSessioncoKey into the temporary container and obtains a session key handle;
the client decrypts the encrypted data EncryptedData by using the session key handle and the single-group data decryption interface to obtain combined data Label2 DevAuthKey2 AdminPIN2, and respectively intercepts the combined data Label2, the second equipment authentication key DevAuthKey2 and the second administrator personal identification number AdminPIN2 according to the data length.
6. The management method according to claim 5,
the step AD comprises the following steps:
after the client obtains the first device Label1, the first device authentication key DevAuthKey1, the first administrator personal identification number admini pin1 or the second device Label2, the second device authentication key DevAuthKey2, the second administrator personal identification number admini pin2, the device Label and the device authentication key are modified to establish a new application, which comprises the following steps:
writing the first device Label1 or the second device Label2 in the string of the device Label of the smart key;
modifying the device authentication key into the first device authentication key DevAuthKey1 or a second device authentication key DevAuthKey2 by using a modified device authentication key interface;
establishing a new application, and setting the administrator personal identification number as a first administrator personal identification number adminPIN1 or a second administrator personal identification number adminPIN2, wherein the user personal identification number is input by a user;
and after the new application is established, deleting the temporary application.
7. The management method according to claim 6,
the step BB comprises:
the client calls an equipment information obtaining interface to obtain the equipment information of the intelligent key, and a serial number SN and an equipment Label in the equipment information are taken out;
and the client sends the serial number SN, the equipment Label Label and the application name AppName to the server.
8. The management method according to claim 7,
the step BC includes:
the server side calls a server cipher machine, a session key is imported by using an SM2 key with a key index of index, an SM2 encrypted ciphertext KeyCipher in the session key is imported by using an internal elliptic curve encrypted private key decryption interface, and a session key handle is obtained;
the server side calls the server cipher machine, and encrypts Label (SN) by using the session key handle and an SM4 encryption algorithm to obtain a ciphertext C;
the server calculates a third SM3 hash value S03| | | ID (C | | | ID) of C | | | ID to SM3, and obtains a 32-byte third SM3 hash value S03;
the server side takes the first 16 bytes of the third SM3 hash value S03 as a third device authentication key DevAuthKey 3: DevAuthKey3 ═ S03[0:16 ];
the server calculates SS1 ═ SM3(S03| | | AppName), and SS2 ═ Base64(SS1), resulting in 44-byte printable string SS 2;
the server takes the first 16 bytes of the printable string SS2 as a third administrator pin 3: AdminPIN3 ═ SS2[0:16 ];
the server sends the third device authentication key DevAuthKey3 and the third administrator personal identification number AdminPIN3 to the client.
9. The management method according to any one of claims 1 to 8,
the step CB, the steps BB to BC, the client obtaining the current device authentication key: fourth device authentication key DevAuthKey4 and current fourth administrator pin: the fourth administrator PINAdmin PIN 4.
10. The management method according to claim 9,
and step CC and step AC, the client applies for calculation to the server to obtain a new equipment label NewLabel, a new equipment authentication key NewDevAuthKey and a new administrator personal identification number NewAdminPIN.
11. The management method according to claim 10,
the step CD comprises the following steps:
the client side uses the fourth device authentication key DevAuthKey4 to perform device authentication, and after the authentication is successful, the client side uses a modified device authentication key interface to modify the fourth device authentication key DevAuthKey4 into the new device authentication key NewDevAuthKey;
the client modifies the fourth administrator pin AdminPIN4 to a new administrator pin using a modify pin interface;
and the client writes the new equipment label NewLabel into the equipment label character string of the intelligent key by using a set equipment label interface.
12. The management system is used for realizing the management method of any one of claims 1 to 11 and is characterized by comprising a client, a smart password key and a server.
13. Computer arrangement comprising a memory, a first processor and a first computer program stored on said memory and executable on said first processor, characterized in that said first computer program, when executed by the first processor, carries out the steps of the management method according to any of claims 1-11.
14. Computer-readable storage medium, characterized in that a second computer program is stored, which second computer program is executable by at least one second processor for causing the at least one second processor to carry out the steps of the management method according to any of claims 1-11.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210138256.3A CN114422261A (en) | 2022-02-15 | 2022-02-15 | Management method, management system, computer device, and computer-readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210138256.3A CN114422261A (en) | 2022-02-15 | 2022-02-15 | Management method, management system, computer device, and computer-readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114422261A true CN114422261A (en) | 2022-04-29 |
Family
ID=81260696
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210138256.3A Pending CN114422261A (en) | 2022-02-15 | 2022-02-15 | Management method, management system, computer device, and computer-readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114422261A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115062330A (en) * | 2022-08-18 | 2022-09-16 | 麒麟软件有限公司 | TPM-based intelligent cipher key and cipher application interface realization method |
| CN117155709A (en) * | 2023-10-30 | 2023-12-01 | 翼方健数(北京)信息科技有限公司 | Multi-party identity authentication method, system and medium using hardware security key |
| CN117411643A (en) * | 2023-12-11 | 2024-01-16 | 四川省数字证书认证管理中心有限公司 | PIN code security system and method for on-line UKEY |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2007121641A1 (en) * | 2006-04-24 | 2007-11-01 | Beijing E-Henxen Authentication Technologies Co., Ltd. | A cpk credibility authentication system using chip |
| CN101872399A (en) * | 2010-07-01 | 2010-10-27 | 武汉理工大学 | Dynamic digital copyright protection method based on dual identity authentication |
| CN109067766A (en) * | 2018-08-30 | 2018-12-21 | 郑州云海信息技术有限公司 | A kind of identity identifying method, server end and client |
| CN109728909A (en) * | 2019-03-21 | 2019-05-07 | 郑建建 | Identity identifying method and system based on USBKey |
-
2022
- 2022-02-15 CN CN202210138256.3A patent/CN114422261A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2007121641A1 (en) * | 2006-04-24 | 2007-11-01 | Beijing E-Henxen Authentication Technologies Co., Ltd. | A cpk credibility authentication system using chip |
| CN101872399A (en) * | 2010-07-01 | 2010-10-27 | 武汉理工大学 | Dynamic digital copyright protection method based on dual identity authentication |
| CN109067766A (en) * | 2018-08-30 | 2018-12-21 | 郑州云海信息技术有限公司 | A kind of identity identifying method, server end and client |
| CN109728909A (en) * | 2019-03-21 | 2019-05-07 | 郑建建 | Identity identifying method and system based on USBKey |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115062330A (en) * | 2022-08-18 | 2022-09-16 | 麒麟软件有限公司 | TPM-based intelligent cipher key and cipher application interface realization method |
| CN115062330B (en) * | 2022-08-18 | 2022-11-11 | 麒麟软件有限公司 | TPM-based intelligent password key password application interface implementation method |
| CN117155709A (en) * | 2023-10-30 | 2023-12-01 | 翼方健数(北京)信息科技有限公司 | Multi-party identity authentication method, system and medium using hardware security key |
| CN117155709B (en) * | 2023-10-30 | 2024-01-26 | 翼方健数(北京)信息科技有限公司 | Multi-party identity authentication method, system and medium using hardware security key |
| CN117411643A (en) * | 2023-12-11 | 2024-01-16 | 四川省数字证书认证管理中心有限公司 | PIN code security system and method for on-line UKEY |
| CN117411643B (en) * | 2023-12-11 | 2024-02-27 | 四川省数字证书认证管理中心有限公司 | PIN code security system and method for on-line UKEY |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN114422261A (en) | Management method, management system, computer device, and computer-readable storage medium | |
| US8499156B2 (en) | Method for implementing encryption and transmission of information and system thereof | |
| CN108566381A (en) | A kind of security upgrading method, device, server, equipment and medium | |
| US11716206B2 (en) | Certificate based security using post quantum cryptography | |
| WO2009143749A1 (en) | Data encryption and decryption method, device and communications system | |
| CN106067874B (en) | It is a kind of by the method for data record to server end, terminal and server | |
| CN111131278A (en) | Data processing method and device, computer storage medium and electronic equipment | |
| US11757625B2 (en) | Multi-factor-protected private key distribution | |
| US11632246B2 (en) | Hybrid key derivation to secure data | |
| CN114244508B (en) | Data encryption method, device, equipment and storage medium | |
| WO2024012517A1 (en) | End-to-end data transmission method, and device and medium | |
| JP2017112604A (en) | Method for improving encryption/decryption speed by complexly applying symmetric key encryption and asymmetric key double encryption | |
| CN109672521A (en) | Safe storage system and method based on encription algorithms approved by the State Password Administration Committee Office engine implementation | |
| CN113055376A (en) | Block chain data protection system | |
| CN113452705B (en) | Encrypted communication method, device, electronic equipment and storage medium | |
| CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment | |
| CN114338648A (en) | SFTP multi-terminal file secure transmission method and system based on state cryptographic algorithm | |
| CN114037447A (en) | Method and device for off-line transaction | |
| CN111901287B (en) | Method and device for providing encryption information for light application and intelligent equipment | |
| Sandoval et al. | Pakemail: authentication and key management in decentralized secure email and messaging via pake | |
| CN114143098B (en) | Data storage method and data storage device | |
| CN113422753B (en) | Data processing method, device, electronic equipment and computer storage medium | |
| CN114285557A (en) | Communication encryption method, system and device | |
| RU2707398C1 (en) | Method and system for secure storage of information in file storages of data | |
| CN111723405A (en) | Decentralized multiple digital signature/electronic signature method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |