CN104253692A - SE-based (symmetric encryption based) key management method and device - Google Patents
SE-based (symmetric encryption based) key management method and device Download PDFInfo
- Publication number
- CN104253692A CN104253692A CN201410028406.0A CN201410028406A CN104253692A CN 104253692 A CN104253692 A CN 104253692A CN 201410028406 A CN201410028406 A CN 201410028406A CN 104253692 A CN104253692 A CN 104253692A
- Authority
- CN
- China
- Prior art keywords
- key
- publisher
- mac
- application side
- symmetric key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Storage Device Security (AREA)
Abstract
An embodiment of the invention provides an SE-based (symmetric encryption based) key management method and device. The method includes the steps: an SE issuer initializes SE to generate an SE identifier and a MAC (media access control) key; an SE user or SE generates a symmetric key, and the MAC key is used to verify the symmetric key through the SE issuer; after the symmetric key passes verification, the SE and the SE user store the symmetric key. The defect that the private key is easily traced and forged and tampered during data transmission and easily leaks is overcome, and the risk that encrypted data leaks is reduced accordingly.
Description
Technical field
The present invention relates to field of information security technology, particularly relate to a kind of key management method based on SE and device.
Background technology
Along with the development of computer, the safety problem in network is also on the rise.In transmission control protocol, the data of transmission are all expressly to transmit, so there is inherently safe defect, the important means addressed this problem is exactly data encryption, in modern network communication, the awareness of safety of people is more and more stronger, and cryptographic application is also more and more extensive.
Current encryption technology is the main security secrecy provision that ecommerce is taked, and is the most frequently used safe and secret means, utilizes technological means that important data are become mess code (encryption) and sends, again by identical or different means reduction (deciphering) behind arrival destination.Encryption technology comprises two elements: algorithm and key.Algorithm is the combination of common text (or understandable information) and being altered numeral (key), and produce the step of impenetrable ciphertext, key is used to a kind of algorithm data being carried out to Code And Decode.In safe and secret, ensure the information communication safety of network by suitable Key Encryption Technology and administrative mechanism.
The cryptographic system of Key Encryption Technology is divided into standard-key cryptography and Asymmetric encryption two kinds.Correspondingly, two classes are divided into the technology of data encryption, i.e. symmetric cryptography (private key cryptographic) and asymmetric encryption (public key encryption).Symmetric cryptography with DES(Data Encryption Standard, data encryption standard) algorithm is Typical Representative; Asymmetric encryption usually with RSA(Rivest Shamir Ad1eman, public key encryption algorithm) algorithm is representative.The encryption key of symmetric cryptography is identical with decruption key; And the encryption key of asymmetric encryption is different with decruption key, encryption key can disclose and decruption key need to be keep secret.
The above-mentioned shortcoming to the method that data are encrypted of the prior art is: use software to be encrypted data and to there is certain security risk, easily tracked in the data transmission thus be forged and distort, and private key is easily revealed.
Summary of the invention
For solving the problem, The embodiment provides a kind of key management method based on SE and device, to realize by hardware encipher data, reducing the risk that password is revealed.
Based on a key management method of SE, it is characterized in that, comprising:
SE publisher carries out initialization to described SE, generates mark and the MAC key of described SE;
SE application side or described SE generate symmetric key, utilize symmetric key described in described MAC double secret key to verify by described SE publisher;
After described symmetric key is verified, described symmetric key stores by described SE and described SE application side.
Described SE publisher carries out initialization to described SE, generates mark and the MAC key of described SE, comprising:
Described SE publisher sends the PKI of mark and described SE publisher to described SE;
Described mark is written in described SE by described SE, as the mark of described SE, and generates MAC key, uses the PKI of described SE publisher to be encrypted described MAC key, and the data after encryption are sent to described SE publisher;
Described SE publisher produces and generates unsymmetrical key request, and the request of described generation unsymmetrical key is sent to described SE;
Described SE generates unsymmetrical key pair according to described generation unsymmetrical key request, and the public key certificate application request comprising described unsymmetrical key is sent to described SE publisher.
Described SE is using the PKI of the key of in described unsymmetrical key as oneself.
Described SE application side or SE generate symmetric key, utilize symmetric key described in described MAC double secret key to verify, comprising by described SE publisher:
SE described in described SE application direction sends and carries the PKI of oneself and the generation symmetric key request of key parameter;
Described SE generates symmetric key according to the key parameter carried in the request of described generation symmetric key, the PKI of described SE application side is used to be encrypted by described symmetric key, and use described MAC cipher key calculation to go out corresponding MAC cipher key values the data after encryption, the data after described encryption and described MAC cipher key values are sent to described SE application side;
Data after the described encryption received and described MAC cipher key values are sent to described SE publisher by described SE application side, and described SE publisher verifies described MAC cipher key values;
After described SE publisher is verified described MAC cipher key values, sends and be verified Indication message to described SE application side;
After being verified Indication message described in described SE application side receives, using the private key of self to the decrypt data after described encryption, obtain described symmetric key, and store.
Described SE application side or SE generate symmetric key, utilize symmetric key described in described MAC double secret key to verify, comprising by described SE publisher:
SE described in described SE application direction sends and obtains PKI request;
The PKI that described SE sends self according to described acquisition PKI request is to described SE application side;
Described SE application side generates symmetric key, and uses the PKI of described SE to be encrypted described symmetric key, obtains the symmetric key after encrypting;
SE publisher described in described SE application direction sends the symmetric key after described encryption, symmetric key after described SE publisher utilizes encryption described in the MAC double secret key of described SE calculates MAC cipher key values, and described MAC cipher key values is sent to described SE application side;
Described SE application side uses the symmetric key after described encryption and described MAC cipher key values to generate key and imports request, and described key importing request is sent to described SE;
After described SE receives described key importing request, verify described MAC cipher key values, after being verified, the symmetric key after using the private key of self to decipher described encryption, obtains described symmetric key, and preserves.
Described SE comprises: Global Subscriber identification card, mobile terminal, safe digital card.
Based on a key management apparatus of SE, it is characterized in that, comprising: SE, SE publisher and SE application side,
Described SE publisher, for carrying out initialization to described SE, generates mark and the MAC key of described SE;
SE application side or described SE, for generating symmetric key, utilize symmetric key described in described MAC double secret key to verify by described SE publisher;
Described SE and described SE application side, also for after described symmetric key is verified, store described symmetric key.
Described SE publisher, for sending the PKI of mark and described SE publisher to described SE;
Described SE, for being written in described SE by described mark, as the mark of described SE, and generates MAC key, uses the PKI of described SE publisher to be encrypted described MAC key, and the data after encryption are sent to described SE publisher;
Described SE publisher, for generation of the request of generation unsymmetrical key, and sends to described SE by the request of described generation unsymmetrical key;
Described SE, for generating unsymmetrical key pair according to described generation unsymmetrical key request, sends to described SE publisher by the certificate request request comprising described unsymmetrical key right.
Described SE, also for using the PKI of the key of in described unsymmetrical key as oneself.
Described SE application side, carries the PKI of oneself and the generation symmetric key request of key parameter for sending to described SE;
Described SE, for generating symmetric key according to the key parameter carried in the request of described generation symmetric key, the PKI of described SE application side is used to be encrypted by described symmetric key, and use described MAC cipher key calculation to go out corresponding MAC cipher key values the data after encryption, the data after described encryption and described MAC cipher key values are sent to described SE application side;
Described SE application side, for sending to described SE publisher by the data after the described encryption received and described MAC cipher key values;
Described SE publisher, for verifying described MAC cipher key values, after described SE publisher being verified described MAC cipher key values, sending and being verified Indication message to described SE application side;
Described SE application side, after being verified Indication message described in receiving, using the private key of self to the decrypt data after described encryption, obtains described symmetric key, and store.
Described SE application side, obtains PKI request for sending to described SE;
Described SE, for send self according to described acquisition PKI request PKI to described SE application side,
Described SE application side, for generating symmetric key, and uses the PKI of described SE to be encrypted described symmetric key, obtains the symmetric key after encrypting, and the symmetric key after this encryption is sent to described SE publisher;
Described SE publisher, calculates MAC cipher key values for the symmetric key after utilizing encryption described in the MAC double secret key of described SE, and described MAC cipher key values is sent to described SE application side;
Described SE application side, generates key for using the symmetric key after described encryption and described MAC cipher key values and imports request, and described key importing request is sent to described SE;
Described SE, after receiving described key importing request, verify described MAC cipher key values, after being verified, the symmetric key after using the private key of self to decipher described encryption, obtains described symmetric key, and preserves.
Described SE comprises: Global Subscriber identification card, mobile terminal, safe digital card.
The technical scheme provided as can be seen from the embodiment of the invention described above, the embodiment of the present invention provides a kind of key management method based on SE, by SE publisher, initialization is carried out to described SE, SE application side or described SE generate symmetric key, verified by described SE publisher's symmetric key, described symmetric key stores by described SE and described SE application side.Thus reach prevent use software operation time, tracked in the process of transfer of data, key is decrypted; And the risk reducing private key to reveal and cause data stolen.
Accompanying drawing explanation
In order to be illustrated more clearly in the technical scheme of the embodiment of the present invention, below the accompanying drawing used required in describing embodiment is briefly described, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, under the prerequisite not paying creative work, other accompanying drawing can also be obtained according to these accompanying drawings.
The process chart of a kind of key management method based on SE that Fig. 1 provides for the embodiment of the present invention one;
The initialization flowchart of a kind of SE that Fig. 2 provides for the embodiment of the present invention one;
A kind of SE that Fig. 3 provides for the embodiment of the present invention one generates symmetric key process chart;
The process chart of a kind of SE application side generation symmetric key that Fig. 4 provides for the embodiment of the present invention one;
The schematic diagram of a kind of key management apparatus based on SE that Fig. 5 provides for the embodiment of the present invention two.
Embodiment
For ease of the understanding to the embodiment of the present invention, be further explained explanation below in conjunction with accompanying drawing for specific embodiment, and each embodiment does not form the restriction to the embodiment of the present invention.
Embodiment one
The embodiment of the present invention one provides a kind of key management method based on SE, comprise: SE publisher carries out initialization to SE, above-mentioned SE application side or above-mentioned SE generate symmetric key, and utilize the above-mentioned symmetric key of MAC double secret key to verify by above-mentioned SE publisher, after being verified, above-mentioned symmetric key stores by above-mentioned SE and above-mentioned SE application side.By utilizing the PKI of the PKI in above-mentioned SE or above-mentioned SE application side to be encrypted above-mentioned symmetric key, thus strengthen the fail safe of data.Above-mentioned MAC key comprises MAC key.
Above-mentioned SE and safety element can exist in multiple hardwares; be included in SIM card, SD card or mobile terminal; this SE possesses operational capability; it can complete unsymmetrical key encryption and decryption and symmetric key encryption process, can provide safer protection to cryptographic key, encryption key, operator key, communication key.
Be described principle of the present invention and feature below in conjunction with accompanying drawing, example, only for explaining the present invention, is not intended to limit scope of the present invention.
The process chart that this embodiment offers a kind of key management method based on SE as shown in Figure 1, comprises following treatment step:
Step S11:SE publisher carries out initialization to above-mentioned SE, generates mark and the MAC key of above-mentioned SE.When needing to use SE Protective Key safe, first carry out initialization to this SE, initialization completes the step after just carrying out.
Step S12:SE application side or above-mentioned SE generate symmetric key, utilize the above-mentioned symmetric key of above-mentioned MAC double secret key to verify by above-mentioned SE publisher.When above-mentioned SE application side needs to use SE to ensure password or data security, need first on above-mentioned SE, to store symmetric key.Above-mentioned symmetric key comprises two kinds of generating modes, and one is generated by this SE, passes to above-mentioned SE application side; Another kind of mode is generated by above-mentioned SE application side, then imported in this SE by symmetric key.
Above-mentioned symmetric key stores by step S13: after above-mentioned symmetric key is verified, above-mentioned SE and above-mentioned SE application side.
The initialization flowchart of a kind of SE that the embodiment of the present invention one provides as shown in Figure 2, is namely further explained above-mentioned steps S11, comprises the steps:
Step S21: above-mentioned SE publisher sends the PKI of above-mentioned mark and above-mentioned SE publisher and relevant parameter to above-mentioned SE, and above-mentioned parameter comprises, the mark of this SE.Above-mentioned SE must carry out initialization by above-mentioned SE publisher to this SE before the use, and content comprises: the mark arranging SE, generates MAC key, generates unsymmetrical key pair.Arranging SE mark is to identify each SE above-mentioned SE publisher, generate MAC key be in order to, in data transmission procedure, carry out information authentication, thus ensure that data are not tampered and forge in transmitting procedure.
Step S22: above-mentioned mark is written in self by above-mentioned SE, as the mark of above-mentioned SE, and generates MAC key, uses the PKI of above-mentioned SE publisher to be encrypted the MAC key of generation, and the data after encryption are sent to above-mentioned SE publisher.After this SE writes mark, namely there is unique mark, so that above-mentioned SE publisher identifies each SE, and pass through the authenticity of the above-mentioned SE identity of MAC key authentication, and send to this SE publisher after using the PKI of above-mentioned SE publisher to be encrypted above-mentioned MAC key, to ensure the safety of data in process of transmitting.
Step S23: above-mentioned SE publisher produces and generates unsymmetrical key request, and the request of above-mentioned generation unsymmetrical key is sent to above-mentioned SE.Above-mentioned SE publisher needs to ask this SE to generate unsymmetrical key pair, and using the PKI of the key of in above-mentioned unsymmetrical key as oneself, to be encrypted symmetric key.The generation unsymmetrical key request that this SE publisher sends comprises: SE identifies, forces more new logo, algorithm mark, key length, PIN code, MAC cipher key index.
Step S24: the above-mentioned SE generation unsymmetrical key request generation unsymmetrical key pair sent according to above-mentioned SE publisher, and the certificate request request comprising above-mentioned unsymmetrical key right is sent to above-mentioned SE publisher.
A kind of SE that the embodiment of the present invention one provides generates symmetric key process chart as shown in Figure 3, specifically comprises the steps:
Step S31: above-mentioned SE application side has a pair unsymmetrical key, first the generation symmetric key request of the PKI and key parameter that carry oneself is sent to above-mentioned SE, ask this SE to generate symmetric key, above-mentioned key parameter comprises: the type of key and the length etc. of key.
Step S32: the above-mentioned SE generation symmetric key request sent according to above-mentioned SE application side and the key parameter carried generate symmetric key, and use the PKI of above-mentioned SE application side to be encrypted by above-mentioned symmetric key, and use the MAC cipher key calculation in above-mentioned SE to go out corresponding MAC cipher key values the data after encryption, again the data after above-mentioned encryption and above-mentioned MAC cipher key values are sent to above-mentioned SE application side, to complete the generation of above-mentioned symmetric key and to be encrypted this symmetric key, and ensure the safety of data in transmitting procedure by above-mentioned MAC key.
Step S33: the data after the above-mentioned encryption received and above-mentioned MAC cipher key values are sent to above-mentioned SE publisher by above-mentioned SE application side, so that above-mentioned SE publisher verifies above-mentioned MAC cipher key values, thus guarantee that data can not be tampered in transmitting procedure.
Above-mentioned SE generates symmetric key to be needed to verify MAC key by above-mentioned SE publisher, when this SE publisher needs to need input SE to identify when preserving data on this SE, and in order to prevent data be forged in transmitting procedure and distort, MAC cipher key values need be calculated.
Step S34: above-mentioned SE publisher verifies above-mentioned MAC cipher key values after receiving the data after above-mentioned encryption and above-mentioned MAC cipher key values, if the verification passes, then transmission is verified Indication message to above-mentioned SE application side by above-mentioned SE publisher; If checking is not passed through, then above-mentioned SE publisher sends authentication failed message to this SE application side, then this Symmetric key generation failure, and the data after above-mentioned encryption and above-mentioned MAC cipher key values abandon by SE application side.
Step S35: above-mentioned SE application side receive above-mentioned be verified Indication message after, use the private key of self to the decrypt data after above-mentioned encryption, obtain above-mentioned symmetric key, and stored by above-mentioned symmetric key, encipheror terminates.
The process chart that a kind of SE application side that the embodiment of the present invention one provides generates symmetric key is as above-mentioned in Fig. 4, specifically comprises the steps:
Step S41: first above-mentioned SE application side sends to above-mentioned SE and obtain PKI request, asks this SE that the PKI of self is sent to this SE application side, so that above-mentioned SE application side is encrypted symmetric key.
Step S42: above-mentioned SE receive above-mentioned SE application side send the request of above-mentioned acquisition PKI after, the PKI by self sends to above-mentioned SE application side.
Step S43: after above-mentioned SE application side receives the PKI of above-mentioned SE, generates symmetric key, and uses the PKI of this SE to be encrypted this symmetric key, to obtain the symmetric key after encrypting.
Step S44: the above-mentioned SE publisher of above-mentioned SE application direction sends the symmetric key after above-mentioned encryption, after above-mentioned SE publisher receives the symmetric key after encryption, utilize the symmetric key after the above-mentioned encryption of MAC double secret key of above-mentioned SE to calculate MAC cipher key values, and above-mentioned MAC cipher key values is sent to above-mentioned SE application side.
Step S45: above-mentioned SE application side uses the symmetric key after above-mentioned encryption and above-mentioned MAC cipher key values to generate key and imports request, and above-mentioned key importing request is sent to above-mentioned SE, so that importing to the symmetric-key security of above-mentioned generation in above-mentioned SE.
Step S46: above-mentioned SE receive above-mentioned key import request after, above-mentioned MAC cipher key values is verified, to identify the authenticity of above-mentioned data and identity, if the verification passes, symmetric key after then this SE uses the private key of self to decipher above-mentioned encryption, obtain above-mentioned symmetric key, and preserve; Otherwise will abandon the symmetric key after deciphering above-mentioned encryption, namely symmetric key imports unsuccessfully.
The embodiment of the present invention supports asymmetric-key encryption and symmetric key encryption and decryption.Wherein asymmetric encryption supports that many algorithms comprises: RSA, ECC, DSA, SM2; The algorithm of symmetric cryptography support comprises: DES, 3DES, AES, SM4.
Those skilled in the art will be understood that above-mentioned the lifted SE PKI that utilizes is only the technical scheme that the embodiment of the present invention is described better to the method that symmetric key is encrypted, but not to the restriction that the embodiment of the present invention is made.Any method be encrypted above-mentioned symmetric key, as being applicable to this patent, is all included in the scope of the embodiment of the present invention.
Embodiment two
This embodiment offers a kind of key management apparatus based on SE as shown in Figure 5, specifically can comprise following module: SE, SE publisher and SE application side.Above-mentioned SE publisher, for carrying out initialization to above-mentioned SE, generates mark and the MAC key of above-mentioned SE; SE application side or above-mentioned SE, for generating symmetric key, and utilize the above-mentioned symmetric key of above-mentioned MAC double secret key to verify by above-mentioned SE publisher; Further, above-mentioned SE and above-mentioned SE application side, also for after above-mentioned symmetric key is verified, store above-mentioned symmetric key.
Above-mentioned SE publisher, for sending the PKI of mark and above-mentioned SE publisher to above-mentioned SE; Above-mentioned SE, for being written in above-mentioned SE by above-mentioned mark, as the mark of above-mentioned SE, and generates MAC key, uses the PKI of above-mentioned SE publisher to be encrypted above-mentioned MAC key, and the data after encryption are sent to above-mentioned SE publisher.
Above-mentioned SE publisher, for generation of the request of generation unsymmetrical key, and sends to above-mentioned SE by above-mentioned unsymmetrical key request; Above-mentioned SE, for generating unsymmetrical key pair according to above-mentioned generation unsymmetrical key request, sends to above-mentioned SE publisher by the certificate request request comprising above-mentioned unsymmetrical key right.Above-mentioned SE, also for using the PKI of the key of in above-mentioned unsymmetrical key as oneself.
Above-mentioned SE application side, carries the PKI of oneself and the generation symmetric key request of key parameter for sending to above-mentioned SE; Above-mentioned SE, for generating symmetric key according to the key parameter carried in the request of above-mentioned generation symmetric key, the PKI of above-mentioned SE application side is used to be encrypted by above-mentioned symmetric key, and use above-mentioned MAC cipher key calculation to go out corresponding MAC cipher key values the data after encryption, the data after above-mentioned encryption and above-mentioned MAC cipher key values are sent to above-mentioned SE application side.
Above-mentioned SE application side, for sending to above-mentioned SE publisher by the data after the above-mentioned encryption received and above-mentioned MAC cipher key values; Above-mentioned SE publisher, for verifying above-mentioned MAC cipher key values, after above-mentioned SE publisher being verified above-mentioned MAC cipher key values, sending and being verified Indication message to above-mentioned SE application side; Above-mentioned SE application side, for receive above-mentioned be verified Indication message after, use the private key of self to the decrypt data after above-mentioned encryption, obtain above-mentioned symmetric key, and store.
Above-mentioned SE application side, obtains PKI request for sending to above-mentioned SE; Above-mentioned SE, for send self according to above-mentioned acquisition PKI request PKI to above-mentioned SE application side, above-mentioned SE application side, for generating symmetric key, and use the PKI of above-mentioned SE to be encrypted above-mentioned symmetric key, obtain the symmetric key after encrypting, and the symmetric key after this encryption is sent to above-mentioned SE publisher.
Above-mentioned SE publisher, calculates MAC cipher key values for the symmetric key after utilizing the above-mentioned encryption of MAC double secret key of above-mentioned SE, and above-mentioned MAC cipher key values is sent to above-mentioned SE application side; Above-mentioned SE application side, generates key for using the symmetric key after above-mentioned encryption and above-mentioned MAC cipher key values and imports request, and above-mentioned key importing request is sent to above-mentioned SE; Above-mentioned SE, after receiving above-mentioned key importing request, verify above-mentioned MAC cipher key values, after being verified, the symmetric key after using the private key of self to decipher above-mentioned encryption, obtains above-mentioned symmetric key, and preserves.
Similar to the generation of symmetric key, the detailed process of encrypting and decrypting and preceding method embodiment with the device of the embodiment of the present invention, repeat no more herein.
To sum up above-mentioned, the embodiment of the present invention carries out initialization by SE publisher to SE, and generate symmetric key by SE application side or this SE, then verified by above-mentioned SE publisher's symmetric key, above-mentioned symmetric key stores by last above-mentioned SE and above-mentioned SE application side.Thus reach prevent use software operation time, tracked in the process of transfer of data, key is decrypted; And the risk reducing private key to reveal and cause data stolen.
The present invention is operated by SE safety means, and the risk class be decrypted by key is down to minimum, guarantees the safety of key data.In addition, the present invention adopts hardware SE mode to reduce the risk of human factor for Information Security, and private key is stored in hardware the leakage avoiding private key simultaneously.Therefore, achieve the protection of fail safe to key data and authenticity well, protect the interests of user.
One of ordinary skill in the art will appreciate that: accompanying drawing is the schematic diagram of an embodiment, the module in accompanying drawing or flow process might not be that enforcement the present invention is necessary.
As seen through the above description of the embodiments, those skilled in the art can be well understood to the mode that the present invention can add required general hardware platform by software and realizes.Based on such understanding, technical scheme of the present invention can embody with the form of software product the part that prior art contributes in essence in other words, this computer software product can be stored in storage medium, as ROM/RAM, magnetic disc, CD etc., comprising some instructions in order to make a computer equipment (can be personal computer, server, or the network equipment etc.) perform the above-mentioned method of some part of each embodiment of the present invention or embodiment.
Each embodiment in this specification all adopts the mode of going forward one by one to describe, between each embodiment identical similar part mutually see, what each embodiment stressed is the difference with other embodiments.Especially, for device or system embodiment, because it is substantially similar to embodiment of the method, so describe fairly simple, relevant part illustrates see the part of embodiment of the method.Apparatus and system embodiment described above is only schematic, wherein the above-mentioned unit illustrated as separating component or can may not be and physically separates, parts as unit display can be or may not be physical location, namely can be positioned at a place, or also can be distributed in multiple network element.Some or all of module wherein can be selected according to the actual needs to realize the object of the present embodiment scheme.Those of ordinary skill in the art, when not paying creative work, are namely appreciated that and implement.
Above-mentioned above; be only the present invention's preferably embodiment, but protection scope of the present invention is not limited thereto, is anyly familiar with those skilled in the art in the technical scope that the present invention discloses; the change that can expect easily or replacement, all should be encompassed within protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.
Claims (12)
1. based on a key management method of SE, it is characterized in that, comprising:
SE publisher carries out initialization to described SE, generates mark and the MAC key of described SE;
SE application side or described SE generate symmetric key, utilize symmetric key described in described MAC double secret key to verify by described SE publisher;
After described symmetric key is verified, described symmetric key stores by described SE and described SE application side.
2. the key management method based on SE according to claim 1, is characterized in that, described SE publisher carries out initialization to described SE, generates mark and the MAC key of described SE, comprising:
Described SE publisher sends the PKI of mark and described SE publisher to described SE;
Described mark is written in described SE by described SE, as the mark of described SE, and generates MAC key, uses the PKI of described SE publisher to be encrypted described MAC key, and the data after encryption are sent to described SE publisher;
Described SE publisher produces and generates unsymmetrical key request, and the request of described generation unsymmetrical key is sent to described SE;
Described SE generates unsymmetrical key pair according to described generation unsymmetrical key request, and the public key certificate application request comprising described unsymmetrical key is sent to described SE publisher.
3. the key management method based on SE according to claim 2, is characterized in that, described SE is using the PKI of the key of in described unsymmetrical key as oneself.
4. the key management method based on SE according to claim 2, is characterized in that, described SE application side or SE generate symmetric key, utilize symmetric key described in described MAC double secret key to verify, comprising by described SE publisher:
SE described in described SE application direction sends and carries the PKI of oneself and the generation symmetric key request of key parameter;
Described SE generates symmetric key according to the key parameter carried in the request of described generation symmetric key, the PKI of described SE application side is used to be encrypted by described symmetric key, and use described MAC cipher key calculation to go out corresponding MAC cipher key values the data after encryption, the data after described encryption and described MAC cipher key values are sent to described SE application side;
Data after the described encryption received and described MAC cipher key values are sent to described SE publisher by described SE application side, and described SE publisher verifies described MAC cipher key values;
After described SE publisher is verified described MAC cipher key values, sends and be verified Indication message to described SE application side;
After being verified Indication message described in described SE application side receives, using the private key of self to the decrypt data after described encryption, obtain described symmetric key, and store.
5. the key management method based on SE according to claim 3, is characterized in that, described SE application side or SE generate symmetric key, utilize symmetric key described in described MAC double secret key to verify, comprising by described SE publisher:
SE described in described SE application direction sends and obtains PKI request;
The PKI that described SE sends self according to described acquisition PKI request is to described SE application side;
Described SE application side generates symmetric key, and uses the PKI of described SE to be encrypted described symmetric key, obtains the symmetric key after encrypting;
SE publisher described in described SE application direction sends the symmetric key after described encryption, symmetric key after described SE publisher utilizes encryption described in the MAC double secret key of described SE calculates MAC cipher key values, and described MAC cipher key values is sent to described SE application side;
Described SE application side uses the symmetric key after described encryption and described MAC cipher key values to generate key and imports request, and described key importing request is sent to described SE;
After described SE receives described key importing request, verify described MAC cipher key values, after being verified, the symmetric key after using the private key of self to decipher described encryption, obtains described symmetric key, and preserves.
6. the key management method based on SE according to any one of claim 1 to 5, is characterized in that, described SE comprises: Global Subscriber identification card, mobile terminal, safe digital card.
7. based on a key management apparatus of SE, it is characterized in that, comprising: SE, SE publisher and SE application side,
Described SE publisher, for carrying out initialization to described SE, generates mark and the MAC key of described SE;
SE application side or described SE, for generating symmetric key, utilize symmetric key described in described MAC double secret key to verify by described SE publisher;
Described SE and described SE application side, also for after described symmetric key is verified, store described symmetric key.
8. the key management apparatus based on SE according to claim 7, is characterized in that,
Described SE publisher, for sending the PKI of mark and described SE publisher to described SE;
Described SE, for being written in described SE by described mark, as the mark of described SE, and generates MAC key, uses the PKI of described SE publisher to be encrypted described MAC key, and the data after encryption are sent to described SE publisher;
Described SE publisher, for generation of the request of generation unsymmetrical key, and sends to described SE by the request of described generation unsymmetrical key;
Described SE, for generating unsymmetrical key pair according to described generation unsymmetrical key request, sends to described SE publisher by the certificate request request comprising described unsymmetrical key right.
9. the key management apparatus based on SE according to claim 8, is characterized in that: described SE, also for using the PKI of the key of in described unsymmetrical key as oneself.
10. the key management apparatus based on SE according to claim 8, is characterized in that,
Described SE application side, carries the PKI of oneself and the generation symmetric key request of key parameter for sending to described SE;
Described SE, for generating symmetric key according to the key parameter carried in the request of described generation symmetric key, the PKI of described SE application side is used to be encrypted by described symmetric key, and use described MAC cipher key calculation to go out corresponding MAC cipher key values the data after encryption, the data after described encryption and described MAC cipher key values are sent to described SE application side;
Described SE application side, for sending to described SE publisher by the data after the described encryption received and described MAC cipher key values;
Described SE publisher, for verifying described MAC cipher key values, after described SE publisher being verified described MAC cipher key values, sending and being verified Indication message to described SE application side;
Described SE application side, after being verified Indication message described in receiving, using the private key of self to the decrypt data after described encryption, obtains described symmetric key, and store.
11. key management apparatus based on SE according to claim 8, is characterized in that,
Described SE application side, obtains PKI request for sending to described SE;
Described SE, for send self according to described acquisition PKI request PKI to described SE application side,
Described SE application side, for generating symmetric key, and uses the PKI of described SE to be encrypted described symmetric key, obtains the symmetric key after encrypting, and the symmetric key after this encryption is sent to described SE publisher;
Described SE publisher, calculates MAC cipher key values for the symmetric key after utilizing encryption described in the MAC double secret key of described SE, and described MAC cipher key values is sent to described SE application side;
Described SE application side, generates key for using the symmetric key after described encryption and described MAC cipher key values and imports request, and described key importing request is sent to described SE;
Described SE, after receiving described key importing request, verify described MAC cipher key values, after being verified, the symmetric key after using the private key of self to decipher described encryption, obtains described symmetric key, and preserves.
12. key management apparatus based on SE according to any one of claim 7 to 11, it is characterized in that, described SE comprises: Global Subscriber identification card, mobile terminal, safe digital card.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410028406.0A CN104253692B (en) | 2014-01-21 | 2014-01-21 | Key management method and device based on SE |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410028406.0A CN104253692B (en) | 2014-01-21 | 2014-01-21 | Key management method and device based on SE |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104253692A true CN104253692A (en) | 2014-12-31 |
| CN104253692B CN104253692B (en) | 2018-03-23 |
Family
ID=52188260
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410028406.0A Expired - Fee Related CN104253692B (en) | 2014-01-21 | 2014-01-21 | Key management method and device based on SE |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104253692B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107846274A (en) * | 2016-09-19 | 2018-03-27 | 中国移动通信有限公司研究院 | A kind of control method and terminal, server, processor |
| CN112016103A (en) * | 2019-05-29 | 2020-12-01 | 意法半导体公司 | Method and apparatus for cryptographic alignment and binding of a secure element with a host device |
| CN112771815A (en) * | 2020-03-31 | 2021-05-07 | 华为技术有限公司 | Key processing method and device |
| CN113821835A (en) * | 2021-11-24 | 2021-12-21 | 飞腾信息技术有限公司 | Key management method, key management device and computing equipment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1833009A1 (en) * | 2006-03-09 | 2007-09-12 | First Data Corporation | Secure transaction computer network |
| CN101729244A (en) * | 2008-10-24 | 2010-06-09 | 中兴通讯股份有限公司 | Method and system for distributing key |
| CN102056077A (en) * | 2009-10-29 | 2011-05-11 | 中国移动通信集团公司 | Method and device for applying smart card by key |
| CN102609842A (en) * | 2012-01-19 | 2012-07-25 | 上海海基业高科技有限公司 | Payment cipher device based on hardware signature equipment, and application method of payment cipher device |
| CN103237005A (en) * | 2013-03-15 | 2013-08-07 | 福建联迪商用设备有限公司 | Method and system for key management |
-
2014
- 2014-01-21 CN CN201410028406.0A patent/CN104253692B/en not_active Expired - Fee Related
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1833009A1 (en) * | 2006-03-09 | 2007-09-12 | First Data Corporation | Secure transaction computer network |
| CN101729244A (en) * | 2008-10-24 | 2010-06-09 | 中兴通讯股份有限公司 | Method and system for distributing key |
| CN102056077A (en) * | 2009-10-29 | 2011-05-11 | 中国移动通信集团公司 | Method and device for applying smart card by key |
| CN102609842A (en) * | 2012-01-19 | 2012-07-25 | 上海海基业高科技有限公司 | Payment cipher device based on hardware signature equipment, and application method of payment cipher device |
| CN103237005A (en) * | 2013-03-15 | 2013-08-07 | 福建联迪商用设备有限公司 | Method and system for key management |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107846274A (en) * | 2016-09-19 | 2018-03-27 | 中国移动通信有限公司研究院 | A kind of control method and terminal, server, processor |
| CN112016103A (en) * | 2019-05-29 | 2020-12-01 | 意法半导体公司 | Method and apparatus for cryptographic alignment and binding of a secure element with a host device |
| US11991276B2 (en) | 2019-05-29 | 2024-05-21 | Stmicroelectronics, Inc. | Method and apparatus for cryptographically aligning and binding a secure element with a host device |
| CN112771815A (en) * | 2020-03-31 | 2021-05-07 | 华为技术有限公司 | Key processing method and device |
| CN113821835A (en) * | 2021-11-24 | 2021-12-21 | 飞腾信息技术有限公司 | Key management method, key management device and computing equipment |
| CN113821835B (en) * | 2021-11-24 | 2022-02-08 | 飞腾信息技术有限公司 | Key management method, key management device and computing equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104253692B (en) | 2018-03-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10129020B2 (en) | Efficient methods for protecting identity in authenticated transmissions | |
| CN103067401B (en) | Method and system for key protection | |
| US10015159B2 (en) | Terminal authentication system, server device, and terminal authentication method | |
| CN106656503B (en) | Method for storing cipher key, data encryption/decryption method, electric endorsement method and its device | |
| US9716591B2 (en) | Method for setting up a secure connection between clients | |
| CA2990656A1 (en) | Mutual authentication of confidential communication | |
| CN105553951A (en) | Data transmission method and data transmission device | |
| CN108347419A (en) | Data transmission method and device | |
| CN105307165A (en) | Communication method based on mobile application, server and client | |
| JP2020530726A (en) | NFC tag authentication to remote servers with applications that protect supply chain asset management | |
| CN103684766A (en) | Private key protection method and system for terminal user | |
| CN108632296B (en) | Dynamic encryption and decryption method for network communication | |
| CN105790938A (en) | System and method for generating safety unit key based on reliable execution environment | |
| CN103067160A (en) | Method and system of generation of dynamic encrypt key of encryption secure digital memory card (SD) | |
| CN103036880A (en) | Network information transmission method, transmission equipment and transmission system | |
| CN102801730A (en) | Information protection method and device for communication and portable devices | |
| CN104393993A (en) | A security chip for electricity selling terminal and the realizing method | |
| CN111769938A (en) | Key management system and data verification system of block chain sensor | |
| CN112600667B (en) | Key negotiation method, device, equipment and storage medium | |
| CN101808089A (en) | Secret data transmission protection method based on isomorphism of asymmetrical encryption algorithm | |
| CN104901803A (en) | Data interaction safety protection method based on CPK identity authentication technology | |
| CN104200154A (en) | Identity based installation package signing method and identity based installation package signing device | |
| CN105142134A (en) | Parameter obtaining and transmission methods/devices | |
| CN105407467A (en) | Short message encryption methods, devices and system | |
| CN104253692A (en) | SE-based (symmetric encryption based) key management method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20180323 Termination date: 20210121 |